Xdebug — Debugging & Profiling
Also Known As
Xdebug
PHP debugger
PHP profiler
TL;DR
The essential PHP debugging extension providing step debugging, stack traces, code coverage, and profiling output.
Explanation
Xdebug is the standard PHP debugging and profiling tool. It integrates with IDEs (PhpStorm, VS Code) via DAP (Debug Adapter Protocol) for step-through debugging, variable inspection, and breakpoints. In profiling mode it generates cachegrind files readable by KCacheGrind or WebGrind. It powers PHPUnit's code coverage reports (requires xdebug.mode=coverage). Key modes: debug (step debugging), profile (performance analysis), trace (full execution trace), coverage. Never run Xdebug in production — it adds significant overhead and exposes a remote debugging port.
Watch Out
⚠ Disable Xdebug in production environments — it degrades performance and can expose a step-debugger port if xdebug.remote_connect_back is enabled.
Common Misconception
✗ Xdebug can be left enabled in production for emergency debugging. Xdebug has a significant performance overhead (up to 10x slower) and exposes detailed stack traces. It must never run in production — use proper logging and error tracking (Sentry, Bugsnag) instead.
Why It Matters
Xdebug provides step debugging, code coverage, and profiling — without it, PHP debugging relies on var_dump and guesswork, making complex bugs orders of magnitude slower to diagnose.
Common Mistakes
- Installing Xdebug in production — it adds significant overhead and exposes debug endpoints.
- Not configuring xdebug.mode = debug,coverage in php.ini — leaving it on develop mode without selecting the specific modes you need misses features.
- Not setting xdebug.start_with_request = trigger — without it, every request tries to connect to the debugger.
- Using var_dump as a substitute for a debugger — Xdebug step debugging shows the full call stack and variable state at any point.
Avoid When
- Never install Xdebug on a production server — it significantly degrades performance and exposes debugging interfaces.
- Disable xdebug.remote_enable and set xdebug.mode=off in any non-development environment.
When To Use
- Use Xdebug in local development for step debugging, profiling, and code coverage.
- Use Xdebug's profiler output with KCacheGrind/QCacheGrind to identify performance bottlenecks.
Code Examples
✗ Vulnerable
; php.ini — Xdebug in production:
[xdebug]
zend_extension=xdebug.so
xdebug.mode=develop,debug
xdebug.start_with_request=yes ; Every request tries to debug — massive overhead
xdebug.client_host=localhost ; Should never be active in production
✓ Fixed
; Xdebug 3 configuration
[xdebug]
zend_extension = xdebug
xdebug.mode = debug,coverage
xdebug.start_with_request = trigger ; activate only when triggered (not every request)
xdebug.client_host = host.docker.internal
xdebug.client_port = 9003
; VS Code step debugging:
; 1. Install PHP Debug extension
; 2. Set breakpoint
; 3. Start listening (F5)
; 4. Trigger request with XDEBUG_SESSION cookie or ?XDEBUG_SESSION=1
; Code coverage (PHPUnit), run from the shell:
;   phpunit --coverage-html=coverage/
; Requires xdebug.mode = coverage
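An added example, not from the original page or the Xdebug project: a Python deploy-gate check that reads php.ini text and reports the production conditions this page warns about (extension loaded with a mode other than off, step debugger on, start_with_request=yes, connect-back enabled). The function names and the PROD_INI sample are assumptions made for illustration; xdebug.discover_client_host is the Xdebug 3 name for the connect-back setting.

```python
TRUE_VALUES = {"1", "on", "yes", "true"}
# Sample inputs: the first two mirror the page's configs, the third is constructed.
VULNERABLE_INI = """[xdebug]
zend_extension=xdebug.so
xdebug.mode=develop,debug
xdebug.start_with_request=yes ; every request tries to debug
xdebug.client_host=localhost
"""
DEV_INI = """[xdebug]
zend_extension = xdebug
xdebug.mode = debug,coverage
xdebug.start_with_request = trigger
"""
PROD_INI = "zend_extension=opcache\nzend_extension=xdebug\nxdebug.mode=off\n"

def parse_ini(text):
    """Return (key, value) pairs; ';' comments and [section] lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # simplification: no ';' inside quoted values
        if line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip().lower(), value.strip().strip("\"'").lower()))
    return pairs

def audit_for_production(text):
    """Return findings for one ini file; an empty list passes the deploy gate."""
    pairs = parse_ini(text)
    if not any(k == "zend_extension" and "xdebug" in v for k, v in pairs):
        return []  # this file does not load the extension
    ini = dict(pairs)  # last occurrence of a key wins
    # Xdebug 3 falls back to mode "develop" when xdebug.mode is unset.
    modes = {m.strip() for m in ini.get("xdebug.mode", "develop").split(",")}
    if modes == {"off"}:
        return []
    findings = ["xdebug loaded with mode=" + ",".join(sorted(modes))]
    if "debug" in modes:
        findings.append("step debugger enabled")
        if ini.get("xdebug.start_with_request") == "yes":
            findings.append("start_with_request=yes: every request contacts the debugger")
    for key in ("xdebug.remote_enable", "xdebug.remote_connect_back", "xdebug.discover_client_host"):
        if ini.get(key) in TRUE_VALUES:
            findings.append(key + " is enabled")
    return findings

if __name__ == "__main__":
    for name, ini in (("vulnerable", VULNERABLE_INI), ("dev", DEV_INI), ("prod", PROD_INI)):
        print(name, audit_for_production(ini))
```

A per-file check does not see overrides from other ini files or from the XDEBUG_MODE environment variable, so run it over every ini file the production image loads. The development config still produces findings, which is the intended result when that file turns up on a production host.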
Added
15 Mar 2026
Edited
31 Mar 2026
⚡
DEV INTEL
Tools & Severity
🔵 Info
⚙ Fix effort: Low
⚡ Quick Fix
Use xdebug.mode=debug for step debugging, xdebug.mode=coverage for code coverage reports, xdebug.mode=profile for performance profiling — never enable all modes in production
📦 Applies To
PHP 5.0+
web
cli
🔗 Prerequisites
🔍 Detection Hints
xdebug enabled in production php.ini; xdebug.mode=debug on production server; coverage reports not generated in CI
Auto-detectable:
✓ Yes
phpunit
phpstan
⚠ Related Problems
🤖 AI Agent
Confidence: Low
False Positives: Medium
✗ Manual fix
Fix: Low
Context: File
CWE-94