---
title: Exceptions must be thrown
description: Datadog, the leading service for cloud-scale monitoring.
---

# Exceptions must be thrown

## Metadata{% #metadata %}

**ID:** `php-best-practices/exception-must-be-thrown`

**Language:** PHP

**Severity:** Warning

**Category:** Error Prone

## Description{% #description %}

This rule requires that any exception object that is created is also thrown with the `throw` keyword. Creating an exception object without throwing it does not interrupt the flow of execution, so the error condition the exception was meant to signal can go unnoticed, leading to unexpected behavior or bugs.

Code that violates this rule can fail silently or behave inconsistently, which makes it difficult to debug or maintain. When you create an exception, also throw it with the `throw` keyword. Throwing interrupts the normal flow of execution and allows the exception to be caught and handled appropriately.

For instance, instead of writing `new Exception('Not secure');`, write `throw new Exception('Not secure');`. This ensures that the exception is thrown and can be caught at a higher level of your code, which makes the code more robust and easier to maintain.

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```php
<?php
if (notSecure()) {
    new Exception('Not secure');
}
?>
```

## Compliant Code Examples{% #compliant-code-examples %}

```php
<?php
if (notSecure()) {
    throw new Exception('Not secure');
}

if (notSecure()) {
    throw (new AuthorizationException($msg, $code));
}

if (notSecure()) {
    $exception = new AuthorizationException($msg, $code);
    $exception->withStatus($status);
    throw $exception;
}
?>
```

```php
<?php
$mockClient->expects($this->once())
  ->method('doSomething')
  ->willThrowException(new MyException());
$mockClient->expects($this->once())
  ->method('doSomething')
  ->will($this->throwException(new MyException()));
?>
```
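
The following is an added example, not part of the rule's own documentation, that runs both forms of the guard to show the runtime difference: without `throw`, the check fails open and the privileged step still executes. The `AuthorizationException` class, the two `deleteAccount*` functions, `runAsGuest()`, and the sample user are hypothetical names constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical exception type and guard functions, constructed for this example.
final class AuthorizationException extends Exception {}

/** Non-compliant guard: the exception is constructed and immediately discarded. */
function deleteAccountUnchecked(array $user, array &$auditLog): void
{
    if (!$user['is_admin']) {
        new AuthorizationException('Not secure'); // no throw: execution continues
    }
    $auditLog[] = "account deleted by {$user['name']}";
}

/** Compliant guard: throw stops execution before the privileged step. */
function deleteAccountChecked(array $user, array &$auditLog): void
{
    if (!$user['is_admin']) {
        throw new AuthorizationException('Not secure');
    }
    $auditLog[] = "account deleted by {$user['name']}";
}

/** Runs a guard as a non-admin user and reports what happened. */
function runAsGuest(callable $action): array
{
    $auditLog = [];
    $guest = ['name' => 'guest', 'is_admin' => false]; // constructed sample input
    try {
        $action($guest, $auditLog);
        $outcome = 'completed';
    } catch (AuthorizationException $e) {
        $outcome = 'denied: ' . $e->getMessage();
    }
    return ['outcome' => $outcome, 'privileged_steps' => count($auditLog)];
}

// Compare the two guards for the same unauthorized caller.
foreach (['deleteAccountUnchecked', 'deleteAccountChecked'] as $fn) {
    $result = runAsGuest($fn);
    printf("%-24s %-20s privileged steps run: %d\n", $fn, $result['outcome'], $result['privileged_steps']);
}
```

PHP raises no notice or warning for the discarded `new` expression, so the non-compliant guard produces nothing in the error log at runtime.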