Home / API docs / PHP Lint API
Dev Tools

PHP Lint API

POST /api/lint/php $0.002 per call USDC on Base · x402

PHP lint: POST {code}, get the bugs back with line numbers. Deterministic static analysis — code is never executed, no AI. Catches SQL injection (request data interpolated into query strings), the removed mysql_* API, unbalanced braces, '+' string concat, = vs == in conditions, type-juggling loose comparisons, eval/extract on request data, unused variables, leftover var_dump. Understands PHP tags, heredocs, interpolation. Max 128 KB.

Parameters

NameInDescription
codebodyrequiredPHP source to lint, max 128 KB

Example request

curl -X POST "https://api.webbersites.com/api/lint/php" \
  -H "Content-Type: application/json" \
  -d '{"code":"<?php\n$q = \"SELECT * FROM users WHERE id = $_GET[id]\";\n$rows = mysql_query($q);"}'
# first call returns 402 + payment requirements; an x402 client pays and retries automatically

Example response

{
    "language": "php",
    "syntax": {
        "ok": true,
        "errors": []
    },
    "issues": [
        {
            "line": 2,
            "severity": "error",
            "rule": "security/sql-injection",
            "message": "request data ($_GET/$_POST/...) interpolated directly into an SQL string",
            "hint": "use prepared statements with bound parameters (PDO/mysqli)"
        }
    ],
    "counts": {
        "error": 2,
        "warning": 0,
        "info": 0
    },
    "verdict": "errors"
}
MCP tool: post_lint_php — via npx -y webbersites-x402-mcp (local, key stays on your machine) or the remote endpoint https://api.webbersites.com/mcp.

How payment works

There is no signup and no API key. Call the endpoint; it replies 402 Payment Required with machine-readable payment requirements. Your client signs a USDC transfer authorization (EIP-3009, gasless) and retries with the X-PAYMENT header — @x402/fetch does this automatically. See the overview for a working snippet.