Language focus

AI code review for PHP

PHP powers everything from Laravel APIs to legacy WordPress plugins where type juggling and include paths decide security. CodeCritic reviews your diff with emphasis on SQL construction, session handling, and framework lifecycle hooks that pass syntax checks yet fail on hostile input.

Laravel & SymfonyWordPressPSR stacksPaste or GitHub PRFree tier

Online paste review · All languages

Review focus

What we look for in PHP changes

PHP bugs often hide in loose comparisons, unvalidated array keys, and autoloaded classes that differ between CLI and FPM. The model is steered toward those runtime paths, not PSR-12 spacing.

  • SQL injection: query builders bypassed with raw fragments, `ORDER BY` assembled from request params, and `DB::unprepared` with interpolated values.
  • Type coercion traps: `==` vs `===` on request input, `empty()` treating `"0"` as empty, and JSON decoded to objects without schema validation.
  • Laravel-specific: mass assignment on guarded models, policy checks skipped on API resources, queue jobs serialized with stale model state, and `env()` outside config cache.
  • Symfony and DI: services imported with wrong scope, event subscribers firing in unexpected order, and forms that disable CSRF on internal routes exposed publicly.
  • File and path handling: `include` with user-influenced segments, `move_uploaded_file` without extension allowlists, and `unlink` races in temp directories.
  • WordPress hooks: capability checks missing on AJAX handlers, `$wpdb->prepare` misused with placeholders, and options autoloaded into every request without size limits.

AI review does not replace WAF tuning, PCI scope analysis, or plugin marketplace security review. Use it as a fast second pass; owners still approve merge.

Stacks

Common PHP codebases we see

Laravel & Lumen

Route model binding without authorization, Sanctum token abilities too broad, and Horizon workers sharing Redis databases across environments.

Symfony & API Platform

Serializer groups exposing internal fields, voter logic duplicated across controllers, and Messenger handlers without deduplication keys.

CMS & plugins

Shortcode eval patterns, direct `$_GET` usage in admin screens, and cron hooks that assume single-threaded execution.

Workflow

Run a PHP review in minutes

Paste a controller, service, or plugin file to validate signal, then connect GitHub when the team wants PR-level automation.
  1. 1

    Paste or connect a repo

    Sign up, open a new review, and paste a route handler, Eloquent model method, or WordPress hook callback. Connect GitHub for ongoing PR reviews.

  2. 2

    Let detection set context

    CodeCritic reads namespaces and framework imports so findings reference Laravel, Symfony, or plain PHP patterns you deploy.

  3. 3

    Triage by severity

    Issues arrive grouped with short explanations. Prioritize injection, auth bypass, and data-loss risks before cosmetic notes.

  4. 4

    Scale to PR comments

    Enable GitHub integration so the same engine comments on pull requests your team already merges through.

How to use it

PHP review without drowning in noise

Paste a request path end to end: controller, form request validation, and the query it runs - not an isolated trait with no callers.

Keep PHPStan, Psalm, and PHPCS in CI. CodeCritic focuses on behavior: "this comparison accepts magic hash strings" beats array alignment.

Note your PHP version and strict_types setting in the PR description when pasting snippets from mixed legacy and modern modules.

GitHub integration keeps feedback on the diff your team already discusses in review comments.

Paid tiers add API automation when every deploy to production should trigger the same scan.

Confirm critical SQL and auth findings with a feature test - AI can miss custom middleware that normalizes input before validation runs.

Details: Integrations, Limitations, Pricing.

Code patterns

PHP examples worth reviewing

Small slices from real PRs. Paste similar units in the browser or run on the GitHub diff that contains them.

SQL fragment concatenation

$sql = "SELECT * FROM users WHERE email = '" . $_GET['email'] . "'";

Sample findings

Typical PHP review output

Blocking

SQL injection via query string

User input is interpolated into SQL. Use prepared statements with bound parameters.

Before

"WHERE email = '" . $_GET['email'] . "'"

Suggested direction

$stmt = $pdo->prepare('SELECT * FROM users WHERE email = ?');
$stmt->execute([$_GET['email']]);

Illustrative patterns from real review categories. Your output depends on diff size, language, and context.

Before you merge PHP

  • Context size: Include validation rules, middleware, and route definitions when the change affects who can call an endpoint.
  • Comparisons: Re-read every loose comparison on request data; prefer strict checks and explicit casts.
  • Secrets: Ensure config values are not logged, var_dumped, or returned in error JSON during debug modes.
  • Human owner: Assign a reviewer who knows the hosting layout (FPM pools, opcache) the diff depends on.

FAQ

PHP code review FAQ

Yes. Include framework imports and familiar class names so feedback stays anchored to the stack you run, not generic PHP tutorials.

Try AI code review on your PHP

Start free in the browser, then connect GitHub when the team wants reviews on every pull request.

How it works