DEV Community: Rajmund The latest articles on DEV Community by Rajmund (@rajmundtoth0). https://dev.to/rajmundtoth0 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3863295%2F2adf5b82-e1f2-4df5-afbe-66958d984569.png DEV Community: Rajmund https://dev.to/rajmundtoth0 en Stop shipping var_dump() to production — enforce it with PHPStan Rajmund Mon, 06 Apr 2026 06:43:40 +0000 https://dev.to/rajmundtoth0/stop-shipping-vardump-to-production-enforce-it-with-phpstan-kpa https://dev.to/rajmundtoth0/stop-shipping-vardump-to-production-enforce-it-with-phpstan-kpa <h1> Stop shipping <code>var_dump()</code> to production — enforce it with PHPStan </h1> <p>We’ve all done it.</p> <p>You add a quick <code>var_dump()</code> or <code>dd()</code> while debugging…<br> and somehow it survives code review 😅</p> <p>Or worse:</p> <ul> <li>someone uses <code>DB::raw()</code> where it shouldn’t be used</li> <li>a controller starts calling repositories directly</li> <li>architecture rules slowly fall apart</li> </ul> <h2> The problem </h2> <p>PHPStan is great — but enforcing <em>custom rules like this</em> is not trivial.</p> <p>You either:</p> <ul> <li>write a custom PHPStan rule (time-consuming)</li> <li>or use something limited like banned functions</li> </ul> <h2> What I wanted </h2> <p>I needed something that could:</p> <ul> <li>ban specific functions (<code>var_dump</code>, <code>dd</code>)</li> <li>restrict certain method calls</li> <li>enforce architecture boundaries</li> <li>be configurable without writing PHP code</li> </ul> <h2> The solution </h2> <p>I built a small PHPStan extension that lets you define forbidden patterns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>parameters: forbidden_node: nodes: - type: Expr_FuncCall functions: [var_dump, dd] </code></pre> </div> <p>Now PHPStan reports:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Forbidden function var_dump() used in App\Service\UserService.php:42 </code></pre> </div> <h2> Why this is useful </h2> <p>You can enforce rules like:</p> <ul> <li>❌ no debug functions in production</li> <li>❌ no direct DB calls in controllers</li> <li>❌ no cross-layer violations</li> <li>❌ no unsafe patterns</li> </ul> <h2> Repo </h2> <p>👉 <a href="https://github.com/rajmundtoth0/phpstan-forbidden-nodes" rel="noopener noreferrer">https://github.com/rajmundtoth0/phpstan-forbidden-nodes</a></p> <p>Curious how others handle this — do you enforce rules like this in your projects?</p> php laravel phpstan ast