Error Identifier: backtick.notAllowed
Every error reported by PHPStan has an error identifier. Here’s a list of all error identifiers. In PHPStan Pro you can see the error identifier next to each error and filter errors by their identifiers.
Code example #
<?php declare(strict_types = 1);
$output = `ls -la`;
Why is it reported? #
The backtick operator (`) in PHP executes shell commands, which is equivalent to calling shell_exec(). This rule from the phpstan-strict-rules package disallows the backtick operator because it obscures the fact that a shell command is being executed, making code harder to review for security issues. The backtick syntax is less explicit than the function call equivalent and can be easily overlooked during code review.
This rule is provided by the phpstan-strict-rules package.
How to fix it #
Replace the backtick operator with an explicit shell_exec() call:
<?php declare(strict_types = 1);
-$output = `ls -la`;
+$output = shell_exec('ls -la');
How to ignore this error #
You can use the identifier backtick.notAllowed to ignore this error using a comment:
// @phpstan-ignore backtick.notAllowed
codeThatProducesTheError();You can also use only the identifier key to ignore all errors of the same type in your configuration file in the ignoreErrors parameter:
parameters:
ignoreErrors:
-
identifier: backtick.notAllowedRules that report this error #
- PHPStan\Rules\DisallowedConstructs\DisallowedBacktickRule [1] phpstan/phpstan-strict-rules