CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

Code Review

General PHP 5.0+ Beginner
debt(d7/e5/b5/t5)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). The irony: poor code review practices are themselves only detectable through meta-review or team retrospectives. While GitHub/GitLab can show PRs merged without review, and detection_hints mention 'review comments only about style not logic', no automated tool reliably catches rubber-stamping or superficial reviews. You need careful observation of team patterns to detect dysfunction.

e5 Effort Remediation debt — work required to fix once spotted

Closest to 'touches multiple files / significant refactor in one component' (e5). Fixing poor code review culture requires changing team habits, updating PR templates, creating checklists, training reviewers, and potentially restructuring how work is broken into PRs. The quick_fix suggests a checklist approach, but implementing effective review practices across a team is more than a one-line change—it's a process overhaul affecting multiple workflows.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). Code review applies to all PHP contexts (web, cli, queue-worker) per applies_to. A dysfunctional review process becomes a persistent drag: either rubber-stamping lets bugs through constantly, or overly pedantic reviews slow every PR. The practice shapes team velocity and knowledge distribution over time, but doesn't quite 'define the system's shape' architecturally.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap' (t5). The misconception field states clearly: 'Code review is primarily about catching bugs. Research shows reviews catch fewer bugs than automated testing — their real value is knowledge sharing, consistency enforcement, and collective code ownership.' This is a documented gotcha that most experienced developers eventually learn, but newcomers consistently overweight bug-catching and underweight the social/knowledge benefits.

About DEBT scoring → scored by claude-opus-4-5-20251101 · 2026-05-06 · reviewed by human

Also Known As

PR review pull request review peer review code inspection

TL;DR

A systematic peer examination of source code before merging, catching bugs, sharing knowledge, and enforcing standards.

Explanation

Code review is one of the most cost-effective quality practices: bugs caught at review are orders of magnitude cheaper to fix than in production. Effective reviews focus on correctness, security, design quality, and knowledge transfer — not style (automate that with linters). Reviewers should ask: Does this code do what it claims? Are edge cases handled? Are there security implications? Is it testable? Timely reviews (within hours, not days) and a respectful culture are essential. Pair programming can replace some async review in high-trust teams.

Common Misconception

Code review is primarily about catching bugs. Research shows reviews catch fewer bugs than automated testing — their real value is knowledge sharing, consistency enforcement, and collective code ownership.

Why It Matters

Code review catches bugs, spreads knowledge, and enforces standards before code reaches production — it is the highest-leverage quality practice a team can adopt. Reviews also document why decisions were made, which is often more valuable than the code itself.

Common Mistakes

  • Reviewing style and formatting instead of logic and design — automate style with linters, save human attention for intent.
  • Approving large PRs without reading them carefully to avoid conflict — large PRs should be split, not rubber-stamped.
  • Leaving vague comments ("fix this") without explanation or suggestion — reviewers should explain the problem and propose a direction.
  • Treating code review as a gate rather than a conversation — the goal is shared understanding, not gatekeeping.

Avoid When

  • Using code review as a gatekeeping ritual that blocks merges for trivial style issues — automate style with linters.
  • Reviewing 1000-line PRs — large reviews are ineffective; keep PRs small and focused.
  • Reviewing without running the code or tests — a review that only reads the diff misses runtime behaviour.
  • Nitpicking in a way that demoralises authors — distinguish must-fix blocking issues from optional suggestions.

When To Use

  • Every change to a shared codebase — a second pair of eyes catches bugs, design issues, and missing test cases.
  • Enforcing architectural decisions and conventions that cannot be automated.
  • Knowledge sharing — reviewers learn the codebase and authors learn from reviewer expertise.
  • Security-sensitive changes — a dedicated security review catches vulnerabilities that functional review misses.

Code Examples

✗ Vulnerable 
// Code review anti-patterns:
// Reviewer: 'LGTM' after 30 seconds on a 500-line PR
// No review checklist — misses security, performance, edge cases
// Author defensive about feedback — treats review as criticism
// PRs too large — impossible to review meaningfully
// No review culture — all PRs merged by author without review

// Better:
// PRs < 400 lines
// Checklist: correctness, security, tests, naming, edge cases
// Reviewer explains why, not just what to change
✓ Fixed 
# Security-focused code review checklist (PHP)

# Authentication & Authorisation
[ ] Session regenerated after login
[ ] Every endpoint has authorisation check
[ ] Sensitive actions require re-authentication

# Input Handling
[ ] All user input validated before use
[ ] No raw user input in SQL queries
[ ] HTML output escaped with htmlspecialchars()
[ ] File uploads: MIME check + random filename + outside webroot

# Cryptography
[ ] Passwords: password_hash()/password_verify() — not md5/sha1
[ ] Tokens: random_bytes() — not rand()/uniqid()
[ ] Sensitive comparisons: hash_equals()

# Error Handling
[ ] display_errors = Off in production
[ ] No stack traces in API responses
[ ] Errors logged internally, not exposed

# Dependencies
[ ] composer audit passes with no critical CVEs
Added 15 Mar 2026
Edited 25 Mar 2026
Views 58

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings W 1 ping T 0 pings F 1 ping S 0 pings S 0 pings M 0 pings T 1 ping W 0 pings T 4 pings F 2 pings S 0 pings S 4 pings M 1 ping T 0 pings W 0 pings T 1 ping F 2 pings S 1 ping S 0 pings M 1 ping T 0 pings W 0 pings T 0 pings F 1 ping S 0 pings S 1 ping M 0 pings T 0 pings W
Agents 0
No pings yet today
No pings yesterday
Scrapy 11 Perplexity 9 Ahrefs 7 Amazonbot 7 Unknown AI 4 Google 3 SEMrush 3 Claude 2 Bing 1 Meta AI 1 Sogou 1 PetalBot 1
Also referenced
Static Analysis 106 Test-Driven Development (TDD) 69 Pair Programming 48
How they use it
crawler 46 crawler_json 3 pre-tracking 1
Related categories
testing 3.2k general 3k
DEV INTEL Tools & Severity
🔵 Info ⚙ Fix effort: Medium
⚡ Quick Fix
Review for correctness first, then readability — use a checklist: security, error handling, test coverage, naming, and performance implications
📦 Applies To
PHP 5.0+ web cli queue-worker
🔗 Prerequisites
🔍 Detection Hints
PRs merged without review; review comments only about style not logic; no security checklist
Auto-detectable: ✗ No github gitlab phpstan semgrep
⚠ Related Problems
🤖 AI Agent
Confidence: Low False Positives: High ✗ Manual fix Fix: Medium Context: File Tests: Update
✓ schema.org compliant