
AI Function Calling & Tool Use

ai_ml PHP 8.0+ Advanced
debt(d5/e5/b5/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection hints name semgrep as the tool, flagging tool handlers that execute with no input validation and SQL or shell commands built from model-provided arguments. This is a specialist SAST tool, not a default linter, and it needs custom rules that know which values originate from the model. Runtime misuse (for example arguments that pass type checks but are semantically dangerous, such as a well-formed record ID that belongs to another user) may still slip through, pushing toward d6, but the explicit semgrep pattern match keeps it at d5.

e5 Effort Remediation debt — work required to fix once spotted

Closest to 'touches multiple files / significant refactor in one component' (e5). The quick_fix says to define strict JSON schemas and validate all tool arguments — but in practice this means adding validation layers to every tool handler, implementing confirmation steps for write operations (common_mistakes), and potentially refactoring how tool results are processed. For a single tool it's e3, but real-world function calling typically involves multiple tools across the application, making it a multi-file refactor within the AI integration component.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). Function calling applies across web, cli, and queue-worker contexts. Once you adopt AI tool use, every new tool requires schema definitions, validation logic, and safety checks. The pattern becomes a persistent tax: each new capability added to the agent requires careful schema design, input sanitisation, and testing. It doesn't quite define the system's shape (b7-b9), but it creates an ongoing structural commitment that affects multiple work streams as the agent's capabilities grow.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap — contradicts how a similar concept works elsewhere' (t7). The misconception field is telling: developers believe 'function calling gives the LLM direct database access' when in fact the LLM only returns arguments and your code controls execution. This is a serious conceptual trap because the name 'function calling' strongly implies the model calls functions, mirroring how function calls work everywhere else in programming. Developers coming from any programming background will assume the model executes code, not that it merely suggests structured arguments. Combined with common_mistakes like not treating LLM arguments as untrusted input (contradicting the trust model developers have for their own function arguments), this is a genuine t7 trap.

Also Known As

function calling · tool use · AI tools · AI agent · structured output

TL;DR

LLMs requesting execution of application-defined functions — the model returns structured arguments; the application controls execution and must validate inputs.

Explanation

Function calling flow: (1) define tools, each with a name, a description and a JSON schema for its arguments; (2) send the tool definitions together with the user message to the LLM; (3) the LLM responds with a tool_use block naming a function and supplying arguments; (4) the application validates the arguments and executes the function; (5) the result goes back to the LLM as a tool_result; (6) the LLM generates the final response. The LLM decides when to call a tool and with which arguments; your application decides whether and how to execute it. Treat LLM-provided arguments as untrusted user input. In PHP, the Anthropic and OpenAI PHP SDKs both support tool definitions.
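The flow above in working code, as an added example written for this entry (not code from the page, the Anthropic SDK or the OpenAI SDK): a tool definition with its JSON schema, a small validator for the arguments the model supplies, an allowlisted dispatcher, and the tool_result block fed back to the model, including an error result when the arguments are malformed. The model's response is a constructed array standing in for a decoded API response; the tool name searchGlossary, its schema, the in-memory data and the tool_result field names (modelled on the Anthropic shape) are assumptions.

```php
<?php
declare(strict_types=1);

// Tool definitions sent with the user message. input_schema is JSON Schema, the
// shape both the Anthropic and OpenAI tool APIs accept. The tool is an assumption.
const TOOLS = [
    'searchGlossary' => [
        'description'  => 'Search glossary terms by keyword. Read-only.',
        'input_schema' => [
            'type'       => 'object',
            'properties' => [
                'query' => ['type' => 'string',  'minLength' => 1, 'maxLength' => 100],
                'limit' => ['type' => 'integer', 'minimum' => 1, 'maximum' => 25],
            ],
            'required'             => ['query'],
            'additionalProperties' => false,
        ],
    ],
];

/** Check $input against the JSON Schema subset used above; returns a list of error strings. */
function validateAgainstSchema(array $schema, mixed $input, string $path = '$'): array
{
    $errors = [];
    switch ($schema['type'] ?? null) {
        case 'object':
            if (!is_array($input)) return ["$path: expected object"];
            if ($input !== [] && array_keys($input) === range(0, count($input) - 1)) return ["$path: expected object, got list"];
            foreach ($schema['required'] ?? [] as $key) {
                if (!array_key_exists($key, $input)) $errors[] = "$path.$key: required";
            }
            foreach ($input as $key => $value) {
                if (!isset($schema['properties'][$key])) {
                    // Undeclared properties (e.g. a smuggled 'sql' field) are rejected, not silently ignored.
                    if (($schema['additionalProperties'] ?? true) === false) $errors[] = "$path.$key: unexpected property";
                    continue;
                }
                array_push($errors, ...validateAgainstSchema($schema['properties'][$key], $value, "$path.$key"));
            }
            break;
        case 'string':
            if (!is_string($input)) return ["$path: expected string"];
            $len = mb_strlen($input);
            if (isset($schema['minLength']) && $len < $schema['minLength']) $errors[] = "$path: too short";
            if (isset($schema['maxLength']) && $len > $schema['maxLength']) $errors[] = "$path: too long";
            break;
        case 'integer':
            if (!is_int($input)) return ["$path: expected integer"];
            if (isset($schema['minimum']) && $input < $schema['minimum']) $errors[] = "$path: below minimum";
            if (isset($schema['maximum']) && $input > $schema['maximum']) $errors[] = "$path: above maximum";
            break;
        default:
            $errors[] = "$path: unsupported schema type";
    }
    return $errors;
}

/** Constructed in-memory data; a real handler binds $query and $limit to a prepared statement. */
function searchGlossary(string $query, int $limit): array
{
    $rows = ['Function calling', 'SQL injection', 'Prompt injection'];
    $hits = array_filter($rows, fn(string $term) => stripos($term, $query) !== false);
    return array_slice(array_values($hits), 0, $limit);
}

/** Only tools listed in TOOLS are reachable; the model cannot name its way to anything else. */
function executeTool(string $name, array $input): array
{
    return match ($name) {
        'searchGlossary' => searchGlossary($input['query'], $input['limit'] ?? 10),
        default => throw new InvalidArgumentException("unknown tool: $name"),
    };
}

/** One tool_use block in, one tool_result block out (field names follow the Anthropic shape). */
function handleToolUse(array $block): array
{
    $id     = (string) ($block['id'] ?? '');
    $name   = (string) ($block['name'] ?? '');
    $result = ['type' => 'tool_result', 'tool_use_id' => $id];
    if (!array_key_exists($name, TOOLS)) {
        return $result + ['is_error' => true, 'content' => "No such tool: $name"];
    }
    $input  = is_array($block['input'] ?? null) ? $block['input'] : [];
    $errors = validateAgainstSchema(TOOLS[$name]['input_schema'], $input);
    if ($errors !== []) {
        // Report the problem back rather than crashing; the model can retry with corrected arguments.
        return $result + ['is_error' => true, 'content' => implode('; ', $errors)];
    }
    return $result + ['content' => json_encode(executeTool($name, $input))];
}

// Constructed stand-in for a decoded model response: a valid call; a call with a wrong type,
// an out-of-range value and a smuggled property; and a call to a tool that was never defined.
$modelBlocks = [
    ['type' => 'tool_use', 'id' => 'toolu_01', 'name' => 'searchGlossary', 'input' => ['query' => 'injection', 'limit' => 5]],
    ['type' => 'tool_use', 'id' => 'toolu_02', 'name' => 'searchGlossary',
     'input' => ['query' => ['not', 'a', 'string'], 'limit' => 500, 'sql' => 'DROP TABLE glossary']],
    ['type' => 'tool_use', 'id' => 'toolu_03', 'name' => 'runSql', 'input' => ['query' => 'DELETE FROM users']],
];
foreach ($modelBlocks as $block) {
    if (($block['type'] ?? '') === 'tool_use') {
        echo json_encode(handleToolUse($block), JSON_UNESCAPED_SLASHES), PHP_EOL;
    }
}
```

The second and third blocks never reach a handler: the schema rejects the array-valued query, the out-of-range limit and the undeclared sql property, and the dispatcher refuses a tool name it was never given. Both failures are reported to the model as is_error tool_result blocks, which is what lets the agent recover without the application crashing on a malformed argument.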

Watch Out

The model controls which function is called and what arguments it passes — treat all LLM-generated arguments as untrusted user input and validate accordingly.

Common Misconception

Function calling gives the LLM direct database access — the LLM only returns arguments; your application code controls whether and how to execute, with full opportunity to validate and sanitise inputs.

Why It Matters

Function calling enables AI agents that do real work — a PHP application defining database query, email, and calendar tools lets Claude orchestrate complex multi-step tasks without hardcoding every workflow.

Common Mistakes

  • Not validating LLM-provided arguments — treat as untrusted input
  • Giving LLMs write access without confirmation steps
  • Overly broad tool descriptions — vague descriptions cause unnecessary calls
  • Not handling malformed or missing tool arguments gracefully

Avoid When

  • Do not trust the LLM-supplied arguments as safe input — always validate and sanitise before executing the function.
  • Avoid exposing functions that perform irreversible operations (delete, send email, charge card) without a confirmation step.
  • Do not use function calling as a shortcut for executing arbitrary code or SQL provided by the model.
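The confirmation step the list above calls for, as an added example written for this entry rather than code from the page or any SDK: a gate that executes read-only tools at once but turns any tool named as irreversible into a pending action that only a human can approve, through a single-use, expiring token the model never receives. The tool names, the token TTL and the executor closure are assumptions; the executor only records which handlers ran.

```php
<?php
declare(strict_types=1);

/**
 * Two-phase gate for tools with side effects. A tool_use from the model never
 * executes a write directly: it creates a pending action that a human must
 * approve, via a token the model never sees, before the handler runs.
 */
final class ConfirmationGate
{
    /** @var array<string, array{tool: string, args: array, expires: int}> */
    private array $pending = [];

    public function __construct(
        private array $writeTools,       // tools whose effects cannot be undone (assumed names)
        private int $ttlSeconds = 300,   // how long an unapproved action stays valid
    ) {}

    /** Called during the model's turn with an already-validated tool call. */
    public function submit(string $tool, array $args, callable $execute, int $now): array
    {
        if (!in_array($tool, $this->writeTools, true)) {
            return ['status' => 'executed', 'result' => $execute($tool, $args)];
        }
        $token = bin2hex(random_bytes(16));
        $this->pending[$token] = ['tool' => $tool, 'args' => $args, 'expires' => $now + $this->ttlSeconds];
        // This is what goes back to the model as the tool_result: nothing has run yet.
        return ['status' => 'pending_confirmation', 'token' => $token,
                'summary' => $tool . '(' . json_encode($args, JSON_UNESCAPED_SLASHES) . ')'];
    }

    /** Called from the human-facing UI, never from model output. */
    public function approve(string $token, callable $execute, int $now): array
    {
        $action = $this->pending[$token] ?? null;
        unset($this->pending[$token]);                  // single use, whatever the outcome
        if ($action === null) {
            return ['status' => 'rejected', 'reason' => 'unknown or already used token'];
        }
        if ($now > $action['expires']) {
            return ['status' => 'rejected', 'reason' => 'confirmation expired'];
        }
        return ['status' => 'executed', 'result' => $execute($action['tool'], $action['args'])];
    }

    public function deny(string $token): void
    {
        unset($this->pending[$token]);
    }
}

// Constructed executor standing in for the real handlers: records calls instead of acting.
$calls   = [];
$execute = function (string $tool, array $args) use (&$calls): string {
    $calls[] = $tool;
    return "$tool executed";
};

$gate = new ConfirmationGate(writeTools: ['sendEmail', 'deleteTerm']);
$now  = time();

// Read-only tool: runs immediately.
print_r($gate->submit('searchGlossary', ['query' => 'oauth'], $execute, $now));

// Write tool: parked; the model is told a confirmation is pending.
$pending = $gate->submit('sendEmail', ['to' => 'ops@example.com', 'subject' => 'Outage'], $execute, $now);
print_r($pending);

// A guessed or replayed token executes nothing.
print_r($gate->approve('00000000000000000000000000000000', $execute, $now));

// The human approves within the TTL: only now does the side effect happen.
print_r($gate->approve($pending['token'], $execute, $now + 60));

// The same token cannot be approved twice.
print_r($gate->approve($pending['token'], $execute, $now + 61));

// A stale approval is refused even with the right token.
$late = $gate->submit('deleteTerm', ['id' => 42], $execute, $now);
print_r($gate->approve($late['token'], $execute, $now + 301));

echo 'handlers actually run: ', implode(', ', $calls), PHP_EOL;
```

The design point is that approve() is reachable only from the human-facing side of the application. If the model could trigger it, for instance by calling a confirm tool with the token it was just shown, the confirmation step would be theatre; the token exists so the UI can refer to exactly the action the model proposed, not so the model can complete it.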

When To Use

  • Use function calling when you need the LLM to extract structured data (dates, filters, search parameters) from natural language.
  • Apply it to replace brittle regex/JSON parsing of free-text LLM output: the model returns arguments in the declared schema, which your code then validates.
  • Use for tool orchestration in agents where each tool has a well-defined schema the model can select and populate.

Code Examples

💡 Note
The bad example passes a raw SQL string from the LLM directly to the database — the fix exposes a safe named function with typed parameters that the application controls.
✗ Vulnerable
// Direct SQL from LLM — injection risk:
$toolCall = $response->content[0];
$db->query($toolCall->input['query']); // Never do this!
✓ Fixed
foreach ($response->content as $block) {
    if ($block->type !== 'tool_use' || $block->name !== 'searchGlossary') {
        continue; // dispatch only tools you defined; ignore anything else the model names
    }
    $raw = $block->input['query'] ?? null;
    // Check type and length before touching the value: strip_tags() on a non-string throws in PHP 8
    if (!is_string($raw) || $raw === '' || strlen($raw) > 100) {
        $result = ['is_error' => true, 'content' => 'query must be a non-empty string of at most 100 characters'];
        continue; // report back to the model instead of crashing
    }
    $query  = strip_tags($raw);
    $result = $this->glossary->search($query); // Safe parameterised search; never interpolate $query into SQL
}

Added 16 Mar 2026
Edited 5 Apr 2026
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Medium
⚡ Quick Fix
Define tools with strict JSON schemas and validate all tool arguments before executing — the model may pass unexpected types or values; treat every tool input as untrusted
📦 Applies To
PHP 8.0+ · any · web · cli · queue-worker
🔍 Detection Hints
Tool function executing with no input validation; SQL or shell commands built from model-provided arguments without sanitisation
Auto-detectable: ✓ Yes (semgrep)
🤖 AI Agent
Confidence: Medium · False Positives: Medium · ✗ Manual fix · Fix: Medium · Context: File · Tests: Update
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
