DEV Community

Rajmund

Stop shipping var_dump() to production — enforce it with PHPStan

We’ve all done it.

You add a quick var_dump() or dd() while debugging…
and somehow it survives code review 😅

Or worse:

  • someone uses DB::raw() where it shouldn’t be used
  • a controller starts calling repositories directly
  • architecture rules slowly fall apart

The problem

PHPStan is great — but enforcing custom rules like this is not trivial.

You either:

  • write a custom PHPStan rule (time-consuming)
  • or use something limited like banned functions

What I wanted

I needed something that could:

  • ban specific functions (var_dump, dd)
  • restrict certain method calls
  • enforce architecture boundaries
  • be configurable without writing PHP code

The solution

I built a small PHPStan extension that lets you define forbidden patterns:

parameters:
  forbidden_node:
    nodes:
      - type: Expr_FuncCall
        functions: [var_dump, dd]

Now PHPStan reports:

Forbidden function var_dump() used in App\Service\UserService.php:42

Why this is useful

You can enforce rules like:

  • ❌ no debug functions in production
  • ❌ no direct DB calls in controllers
  • ❌ no cross-layer violations
  • ❌ no unsafe patterns

Repo

👉 https://github.com/rajmundtoth0/phpstan-forbidden-nodes


Curious how others handle this — do you enforce rules like this in your projects?
