AI-Assisted Code Review: Claude for Laravel Quality

Code review remains one of the most effective ways to catch bugs, security vulnerabilities, and architectural problems before they reach production. But human reviewers have limitations: we get tired, miss patterns across large changesets, and bring our own blind spots to every review. AI-assisted code review does not replace human judgment---it augments it, catching the mechanical issues that humans often miss while freeing developers to focus on design, architecture, and business logic.

After 14 years of PHP and Laravel development, I have integrated Claude into my code review workflow with significant results. This guide shares practical prompts, real-world security scenarios, and strategies for integrating AI review into your Laravel development process. For developers building Laravel applications with Claude Code, see my Laravel development workflow guide for complementary code generation patterns.

Why AI Code Review Complements Human Review

Human and AI reviewers catch fundamentally different types of issues. Understanding these differences helps you leverage both effectively.

What AI Reviewers Excel At

• Pattern Recognition at Scale: Claude can scan hundreds of files for consistent anti-patterns that would take humans hours to identify
• Security Vulnerability Detection: AI does not get bored checking for SQL injection, XSS, or CSRF issues in every controller method
• Framework Convention Violations: Identifying departures from Laravel best practices across an entire codebase
• N+1 Query Detection: Spotting missing eager loading that causes performance problems
• Code Consistency: Flagging style inconsistencies, naming convention violations, and structural deviations

What Human Reviewers Excel At

• Business Logic Validation: Does this implementation actually solve the problem correctly?
• Architectural Decisions: Is this the right abstraction level? Does it fit the overall system design?
• Context and Intent: Understanding why code exists and whether the approach makes sense
• Team Dynamics: Code review as mentorship and knowledge sharing
• Edge Cases from Domain Knowledge: Knowing that "this scenario actually happens on the third Tuesday of every month"

The most effective code review combines both: AI handles the mechanical checks, humans focus on design and correctness.

Effective Prompts for Laravel Code Review

The quality of AI code review depends entirely on prompt quality. Generic "review this code" prompts produce generic responses. Specific, structured prompts yield actionable feedback.

General Code Quality Review Prompt

Review this Laravel controller for code quality issues. Focus on:

1. PSR-12 coding standard violations
2. Laravel convention violations (naming, structure, patterns)
3. Missing type declarations (PHP 8.2+ features)
4. Error handling completeness
5. Single Responsibility Principle adherence
6. Potential for code duplication

Provide specific line numbers and concrete suggestions for each issue found.
Do not suggest changes that would alter functionality without explicitly noting the behavioral change.

```php
// Paste controller code here

### Security-Focused Review Prompt

Perform a security audit of this Laravel code. Check for:

1. SQL Injection vulnerabilities (including query builder misuse)
2. XSS vulnerabilities (unescaped output, raw HTML)
3. Mass assignment vulnerabilities ($fillable/$guarded issues)
4. Authentication/authorization bypasses
5. CSRF protection gaps
6. Sensitive data exposure (logging, responses, error messages)
7. File upload security issues
8. Command injection risks

For each issue found:

• Explain the vulnerability and how it could be exploited
• Provide the corrected code
• Rate severity as Critical, High, Medium, or Low

// Paste code here

### Performance Review Prompt

Analyze this Laravel code for performance anti-patterns:

1. N+1 query problems (missing eager loading)
2. Queries inside loops
3. Missing database indexes (based on query patterns)
4. Inefficient collection operations
5. Missing caching opportunities
6. Memory-intensive operations on large datasets
7. Redundant database queries

For each issue:

• Show the problematic code
• Explain the performance impact
• Provide the optimized solution with eager loading, chunking, or caching as appropriate

Assume this code runs in production with thousands of records.

// Paste code here

### Laravel-Specific Architecture Review

Review this code for Laravel architectural best practices:

1. Controller responsibilities (should be thin, delegating to services)
2. Form Request usage for validation and authorization
3. Policy implementation for authorization logic
4. Service class patterns for business logic
5. Repository pattern usage (if applicable to this codebase)
6. Event/listener patterns for side effects
7. Job queuing for long-running operations
8. Resource classes for API responses

This codebase follows: [specify your patterns, e.g., "Repository pattern for data access, Service classes for business logic, Form Requests for all validation"]

// Paste code here

## Detecting Security Vulnerabilities

Security vulnerabilities in Laravel applications often hide in plain sight. Claude can systematically identify issues that busy developers overlook.

### SQL Injection Detection

Despite Laravel's query builder protections, SQL injection vulnerabilities still occur---particularly in raw queries and validation rules.

**Vulnerable Pattern:**

```php
<?php

// VULNERABLE: Direct string interpolation in raw query
public function search(Request $request)
{
    $term = $request->input('term');

    // This is vulnerable to SQL injection
    $results = DB::select("SELECT * FROM products WHERE name LIKE '%$term%'");

    return view('search.results', compact('results'));
}

// VULNERABLE: Column name injection in orderBy
public function index(Request $request)
{
    $sortColumn = $request->input('sort', 'created_at');

    // Attacker can inject: "created_at; DROP TABLE users; --"
    return Product::orderBy($sortColumn)->paginate(25);
}

Prompt to Detect:

Analyze this controller for SQL injection vulnerabilities.
Check raw queries, dynamic column names, orderBy clauses, and validation rules that use database queries.
Show how each vulnerability could be exploited and provide secure alternatives.

```php
// Paste controller code

**Secure Implementation:**

```php
<?php

public function search(Request $request)
{
    $term = $request->input('term');

    // SECURE: Use parameter binding
    $results = DB::select(
        "SELECT * FROM products WHERE name LIKE ?",
        ['%' . $term . '%']
    );

    // BETTER: Use query builder
    $results = Product::where('name', 'like', '%' . $term . '%')->get();

    return view('search.results', compact('results'));
}

public function index(Request $request)
{
    $sortColumn = $request->input('sort', 'created_at');

    // SECURE: Whitelist allowed columns
    $allowedColumns = ['created_at', 'name', 'price', 'updated_at'];

    if (!in_array($sortColumn, $allowedColumns, true)) {
        $sortColumn = 'created_at';
    }

    return Product::orderBy($sortColumn)->paginate(25);
}

XSS Vulnerability Detection

Laravel's Blade templating escapes output by default, but developers often bypass this protection without realizing the security implications.

Vulnerable Patterns:

<?php

// In Controller
public function show(Post $post)
{
    return view('posts.show', [
        'post' => $post,
        'userHtml' => $post->user->bio, // Raw HTML from user input
    ]);
}

{{-- In Blade Template --}}

{{-- VULNERABLE: Using raw output for user content --}}
<div class="bio">{!! $userHtml !!}</div>

{{-- VULNERABLE: Unescaped JavaScript context --}}
<script>
    var userName = "{{ $post->user->name }}";  // XSS if name contains quotes
    var userId = {{ $post->user->id }};
</script>

{{-- VULNERABLE: Href attribute injection --}}
<a href="{{ $post->external_link }}">Read More</a>

Prompt to Detect:

Review this Blade template and controller for XSS vulnerabilities.
Check for:
1. {!! !!} usage with user-controlled data
2. JavaScript context escaping issues
3. URL/href attribute injection
4. HTML attribute injection

```blade
// Paste Blade template

// Paste related controller

**Secure Implementation:**

```blade
{{-- SECURE: Sanitize HTML if rich text is required --}}
<div class="bio">{!! clean($userHtml) !!}</div>  {{-- Using htmlpurifier --}}

{{-- SECURE: JSON encode for JavaScript context --}}
<script>
    var userName = @json($post->user->name);
    var userId = @json($post->user->id);
</script>

{{-- SECURE: Validate URL scheme --}}
@if(Str::startsWith($post->external_link, ['http://', 'https://']))
    <a href="{{ $post->external_link }}">Read More</a>
@endif

Mass Assignment Detection

Mass assignment vulnerabilities allow attackers to modify fields they should not have access to.

Vulnerable Pattern:

<?php

namespace App\Models;

use Illuminate\Database\Eloquent\Model;

class User extends Model
{
    // DANGEROUS: No fillable/guarded defined
    // All attributes are mass assignable
}

// In Controller
public function update(Request $request, User $user)
{
    // VULNERABLE: Attacker can set is_admin=true
    $user->update($request->all());

    return redirect()->back();
}

Prompt to Detect:

Review these Laravel models and controllers for mass assignment vulnerabilities.
Check for:
1. Models missing $fillable or $guarded
2. Controllers using $request->all() for updates
3. Sensitive fields that should not be mass assignable (is_admin, role, permissions, balance)
4. Form Requests that do not properly filter input

```php
// Paste models and controllers

**Secure Implementation:**

```php
<?php

namespace App\Models;

use Illuminate\Database\Eloquent\Model;

class User extends Model
{
    // SECURE: Explicitly define mass assignable fields
    protected $fillable = [
        'name',
        'email',
        'bio',
        'avatar',
    ];

    // Sensitive fields are NOT in $fillable:
    // is_admin, role_id, email_verified_at, password
}

// In Controller
public function update(UpdateUserRequest $request, User $user)
{
    // SECURE: Use validated data from Form Request
    $user->update($request->validated());

    return redirect()->back();
}

CSRF Protection Gaps

CSRF vulnerabilities occur when state-changing operations do not verify request origin.

Prompt to Detect:

Review this Laravel application for CSRF protection gaps:

1. Routes that should use POST/PUT/DELETE but use GET
2. API routes that perform state changes without proper authentication
3. AJAX endpoints missing CSRF token handling
4. Webhook endpoints that need alternative authentication

```php
// Paste routes and controllers

## Identifying Performance Anti-Patterns

Performance issues compound quickly in Laravel applications. AI review catches patterns that cause database overload, memory exhaustion, and slow response times.

### N+1 Query Detection

The N+1 problem is Laravel's most common performance issue. Claude can identify missing eager loading across your entire codebase.

**Problematic Pattern:**

```php
<?php

public function index()
{
    // BAD: Causes N+1 queries
    $posts = Post::all();

    return view('posts.index', compact('posts'));
}

{{-- Each iteration triggers a new query --}}
@foreach($posts as $post)
    <h2>{{ $post->title }}</h2>
    <p>By: {{ $post->author->name }}</p>  {{-- Query 1 --}}
    <p>Category: {{ $post->category->name }}</p>  {{-- Query 2 --}}
    <p>Comments: {{ $post->comments->count() }}</p>  {{-- Query 3 --}}
@endforeach

Detection Prompt:

Analyze this code for N+1 query problems.

For each controller method:
1. Identify all relationships accessed in the view
2. Check if those relationships are eager loaded
3. Identify nested relationship access (e.g., $post->author->company->name)
4. Check for queries inside loops

Provide the optimized query with proper eager loading.

```php
// Paste controller

// Paste corresponding Blade template

**Optimized Solution:**

```php
<?php

public function index()
{
    // GOOD: Eager load all needed relationships
    $posts = Post::with([
        'author:id,name',
        'category:id,name',
        'comments' => fn($query) => $query->select('id', 'post_id'),
    ])
    ->select(['id', 'title', 'author_id', 'category_id', 'created_at'])
    ->paginate(25);

    return view('posts.index', compact('posts'));
}

Query Inside Loop Detection

Queries inside loops indicate serious performance problems, especially with batch operations.

Problematic Pattern:

<?php

public function updatePrices(Request $request)
{
    $products = Product::all();

    foreach ($products as $product) {
        // BAD: Query inside loop
        $supplier = Supplier::find($product->supplier_id);

        $newPrice = $supplier->base_price * $product->markup;

        // BAD: Individual update query for each product
        $product->update(['price' => $newPrice]);
    }

    return redirect()->back()->with('success', 'Prices updated');
}

Detection Prompt:

Identify queries inside loops in this code.
Check for:
1. Eloquent queries inside foreach/for/while loops
2. Individual save/update calls that could be batched
3. Relationship access that triggers lazy loading in loops
4. Collection methods that trigger queries (load, refresh)

Show how to refactor using:
- Eager loading
- Batch updates
- Collection mapping
- Raw queries where appropriate

```php
// Paste code

**Optimized Solution:**

```php
<?php

public function updatePrices(Request $request)
{
    // GOOD: Single query with join, batch update
    $products = Product::with('supplier:id,base_price')
        ->select(['id', 'supplier_id', 'markup', 'price'])
        ->get();

    $updates = $products->map(function ($product) {
        return [
            'id' => $product->id,
            'price' => $product->supplier->base_price * $product->markup,
        ];
    });

    // Batch update using upsert (Laravel 8+)
    Product::upsert(
        $updates->toArray(),
        ['id'],
        ['price']
    );

    return redirect()->back()->with('success', 'Prices updated');
}

Missing Index Detection

Claude can infer missing indexes from query patterns in your code.

Detection Prompt:

Analyze these Eloquent queries and suggest database indexes.

For each query:
1. Identify columns used in WHERE clauses
2. Identify columns used in ORDER BY
3. Identify foreign key columns
4. Suggest composite indexes for common query patterns

Format output as Laravel migrations.

```php
// Paste models and controllers with queries

**Example Output:**

```php
<?php

// Based on query analysis, suggested indexes:

return new class extends Migration
{
    public function up(): void
    {
        Schema::table('orders', function (Blueprint $table) {
            // For: Order::where('user_id', $id)->where('status', 'pending')
            $table->index(['user_id', 'status']);

            // For: Order::where('created_at', '>=', $date)->orderBy('total')
            $table->index(['created_at', 'total']);

            // For: Order::where('status', 'shipped')->whereNotNull('tracking_number')
            $table->index(['status', 'tracking_number']);
        });
    }
};

Reviewing Laravel-Specific Patterns

Laravel has strong conventions. AI review helps enforce consistency across your codebase.

Controller Thickness Review

Fat controllers indicate missing abstractions. Claude identifies responsibilities that should move to services, actions, or form requests.

Detection Prompt:

Analyze this controller for Single Responsibility violations.

Identify code that should move to:
1. Form Requests (validation, authorization)
2. Service classes (business logic)
3. Action classes (single-purpose operations)
4. Events/Listeners (side effects like notifications, logging)
5. Jobs (long-running operations)
6. Policies (authorization logic)

Show the refactored structure with example code for each extracted class.

```php
// Paste fat controller

### Service Class Pattern Review

Service classes should encapsulate business logic without becoming "god classes."

**Review Prompt:**

Review this service class for architectural issues:

1. Is it focused on a single domain concern?
2. Does it have too many dependencies (constructor parameters)?
3. Are there methods that belong in different services?
4. Is business logic properly separated from infrastructure concerns?
5. Are return types consistent and well-defined?

Suggest refactoring if the class exceeds 300 lines or has more than 5 dependencies.

// Paste service class

### Form Request Review

Form Requests should handle validation and authorization consistently.

**Review Prompt:**

Review these Form Requests for Laravel best practices:

1. Are all validation rules complete and secure?
2. Is the authorize() method properly implemented?
3. Are custom error messages provided where helpful?
4. Are validation rules using appropriate types (string, integer, array)?
5. Are there duplicate rules across Form Requests that could be extracted?
6. Are nested array validations properly handled?

// Paste Form Requests

## Integrating AI Review into CI/CD Pipelines

Automated AI code review catches issues before they reach human reviewers, reducing review burden and catching problems earlier.

### GitHub Actions Integration

Create a workflow that reviews pull requests automatically:

```yaml
# .github/workflows/ai-code-review.yml
name: AI Code Review

on:
  pull_request:
    types: [opened, synchronize]
    paths:
      - 'app/**/*.php'
      - 'routes/**/*.php'
      - 'resources/views/**/*.blade.php'

jobs:
  ai-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v44
        with:
          files: |
            app/**/*.php
            routes/**/*.php

      - name: Run AI Security Review
        if: steps.changed-files.outputs.any_changed == 'true'
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          # Install Claude CLI or use API directly
          pip install anthropic

          # Create review script
          python scripts/ai_review.py \
            --files "${{ steps.changed-files.outputs.all_changed_files }}" \
            --output review-results.md

      - name: Post Review Comments
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const review = fs.readFileSync('review-results.md', 'utf8');

            if (review.includes('CRITICAL') || review.includes('HIGH')) {
              github.rest.pulls.createReview({
                owner: context.repo.owner,
                repo: context.repo.repo,
                pull_number: context.issue.number,
                body: review,
                event: 'REQUEST_CHANGES'
              });
            } else {
              github.rest.pulls.createReview({
                owner: context.repo.owner,
                repo: context.repo.repo,
                pull_number: context.issue.number,
                body: review,
                event: 'COMMENT'
              });
            }

Review Script Example

# scripts/ai_review.py
import anthropic
import sys
import argparse

def review_file(client, file_path: str, content: str) -> str:
    """Review a single PHP file for security and quality issues."""

    prompt = f"""Review this Laravel PHP code for security vulnerabilities and code quality issues.

Focus on:
1. SQL Injection vulnerabilities
2. XSS vulnerabilities
3. Mass assignment issues
4. N+1 query problems
5. Missing validation
6. Authorization bypasses

For each issue found, specify:
- Severity: CRITICAL, HIGH, MEDIUM, or LOW
- Line number (approximate)
- Description of the issue
- Recommended fix

File: {file_path}

```php
{content}

If no issues found, respond with "No issues detected." """

response = client.messages.create(
    model="claude-sonnet-4-20250514",
    max_tokens=2000,
    messages=[{"role": "user", "content": prompt}]
)

return response.content[0].text

def main(): parser = argparse.ArgumentParser() parser.add_argument('--files', nargs='+', required=True) parser.add_argument('--output', required=True) args = parser.parse_args()

client = anthropic.Anthropic()
results = []

for file_path in args.files:
    with open(file_path, 'r') as f:
        content = f.read()

    review = review_file(client, file_path, content)
    results.append(f"## {file_path}\n\n{review}\n")

with open(args.output, 'w') as f:
    f.write("# AI Code Review Results\n\n")
    f.write("\n".join(results))

if name == "main": main()

### Pre-Commit Hook Integration

For immediate feedback during development:

```bash
#!/bin/bash
# .git/hooks/pre-commit

# Get staged PHP files
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep '\.php$')

if [ -z "$STAGED_FILES" ]; then
    exit 0
fi

echo "Running AI security check on staged files..."

# Quick security-only review (faster, focused)
for FILE in $STAGED_FILES; do
    RESULT=$(claude --print "Quick security review of this Laravel code. Only report CRITICAL or HIGH severity issues:" < "$FILE")

    if echo "$RESULT" | grep -q "CRITICAL"; then
        echo "CRITICAL security issue detected in $FILE:"
        echo "$RESULT"
        exit 1
    fi
done

echo "AI security check passed."
exit 0

Limitations and When Human Review is Essential

AI code review has significant limitations. Understanding these prevents over-reliance and missed issues.

When Human Review is Essential

Business Logic Correctness

AI cannot verify that code correctly implements business requirements. A controller that perfectly follows all conventions might still calculate discounts wrong or apply promotions to the wrong products.

<?php

// AI sees: Clean code following patterns
// Human sees: Wrong business logic - discount should be 10%, not 1%
public function applyDiscount(Order $order): void
{
    $discount = $order->subtotal * 0.01; // Is this correct?
    $order->update(['discount' => $discount]);
}

Architectural Decisions

Should this feature use events or direct calls? Should you add a new service or extend an existing one? These decisions require understanding of the broader system that AI lacks.

Context-Dependent Security

AI might flag "vulnerabilities" that are actually intentional:

<?php

// AI might flag this as "missing authorization"
// But this is a public API endpoint by design
public function publicStats(): JsonResponse
{
    return response()->json([
        'total_users' => User::count(),
        'total_posts' => Post::where('published', true)->count(),
    ]);
}

Team and Project Context

• "We always do it this way because of legacy integration requirements"
• "This violation is intentional due to performance constraints"
• "This code is scheduled for removal next sprint"

AI Review Blind Spots

Hallucinated Methods and Classes

Claude sometimes references Laravel methods or classes that do not exist, particularly when suggesting fixes. Always verify suggested code compiles and works.

Outdated Pattern Suggestions

AI training data may include deprecated patterns. For Laravel, always specify your version:

Review this Laravel 11 code. Do not suggest patterns deprecated in Laravel 10+.

False Positives in Complex Logic

AI may flag safe code as vulnerable when the safety comes from application-level constraints:

<?php

// AI might flag $type as unsanitized in orderBy
// But $type comes from an enum, making it safe
public function index(Request $request)
{
    $type = SortType::from($request->input('sort', 'date'));

    return Invoice::orderBy($type->column())->paginate();
}

Cost-Effective Strategies for AI Code Review

AI API costs can escalate quickly without proper management. For comprehensive strategies on managing Claude Code costs and optimizing token usage, see my token management guide. These strategies maximize value while controlling expenses.

Tiered Review Approach

Not all code needs the same level of scrutiny:

Tier 1 (Every PR): Security-focused quick scan
- Use Claude Haiku for speed and cost
- Focus only on security vulnerabilities
- ~$0.01-0.05 per review

Tier 2 (Feature PRs): Full quality review
- Use Claude Sonnet for balance
- Include performance, patterns, security
- ~$0.10-0.30 per review

Tier 3 (Critical Systems): Deep analysis
- Use Claude Opus for thorough review
- Multi-pass review with different focuses
- ~$0.50-2.00 per review

Caching and Deduplication

Do not re-review unchanged code:

import hashlib
import json
from pathlib import Path

CACHE_FILE = Path(".ai-review-cache.json")

def get_file_hash(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()

def load_cache() -> dict:
    if CACHE_FILE.exists():
        return json.loads(CACHE_FILE.read_text())
    return {}

def should_review(file_path: str, content: str) -> bool:
    cache = load_cache()
    current_hash = get_file_hash(content)

    if file_path in cache and cache[file_path] == current_hash:
        return False  # Already reviewed, skip

    return True

Batch Similar Files

Review related files together for context and efficiency:

# Group controllers with their Form Requests and Policies
review_groups = {
    'user_management': [
        'app/Http/Controllers/UserController.php',
        'app/Http/Requests/UpdateUserRequest.php',
        'app/Policies/UserPolicy.php',
    ],
    'orders': [
        'app/Http/Controllers/OrderController.php',
        'app/Http/Requests/StoreOrderRequest.php',
        'app/Services/OrderService.php',
    ],
}

# Review each group in a single API call
for group_name, files in review_groups.items():
    combined_content = "\n\n".join([
        f"// File: {f}\n{Path(f).read_text()}"
        for f in files
    ])

    review_result = review_code_batch(combined_content)

Focus Reviews on High-Risk Areas

Prioritize AI review budget on code that matters most:

• Authentication and authorization logic
• Payment processing and financial calculations
• User input handling and validation
• API endpoints exposed to external systems
• Database migrations and schema changes
• Third-party integration code

Lower priority (human review may suffice):

• View templates with no logic
• Configuration files
• Test files
• Documentation

Key Takeaways

AI-assisted code review transforms how teams maintain code quality at scale. The key principles for effective implementation:

• AI complements, not replaces, human review: Use AI for mechanical checks, humans for design and business logic validation
• Prompt quality determines review quality: Invest time crafting specific, structured prompts for your codebase
• Security review benefits most from AI: Consistent, tireless scanning for vulnerabilities across every changeset
• CI/CD integration multiplies value: Automated review on every PR catches issues before human reviewers see the code
• Know the limitations: AI hallucinates, has knowledge cutoffs, and cannot understand business context
• Control costs with tiered approaches: Not every file needs deep analysis with expensive models

The future of code review is hybrid. AI handles the tedious pattern-matching while humans focus on what they do best---understanding intent, evaluating design, and making judgment calls that require broader context.

---

Looking to improve code quality in your Laravel application? I specialize in Laravel development with 14 years of PHP experience, including AI-assisted development workflows and security auditing. My Laravel Development services include comprehensive code reviews, security audits, and team training on modern development practices. Schedule a free consultation to discuss your project.

---

Related Reading:

• Laravel API Development Best Practices: A Complete Guide
• Migrating Legacy Laravel Apps: Lessons from 14 Years of PHP Development
• Claude Code for Legacy Codebases: A Practitioner's Complete Guide
• Contact Form Security: Best Practices for Spam Protection

External Resources:

• Laravel OWASP Cheat Sheet - OWASP Foundation
• Claude Code Best Practices - Anthropic Engineering
• Laravel Security Best Practices 2025 - CodeTap
• AI Coding Tips for Laravel Developers - Laravel Official Blog