Coding Guidelines

Table of contents
1. Files
i. File Format
ii. Filename
2. Skeleton
3. PHP Tags
i. Open Tag
ii. Close Tag
iii. Open/Close Tag
iv. Short Open Tag
v. Short Echo Tag
4. End of File
5. Namespaces
i. Namespace Declaration
ii. Namespace Name
iii. Multiple Namespaces
iv. Magic Constant
6. Comments
i. Single-line Comments
ii. Multi-line Comments
iii. Header Comments
iv. Divider Comments
v. Comments
vi. Blocks of Code
vii. Ambiguous Numbers
viii.External Variables
7. Includes
i. Include/Require Once
ii. Parenthesis
iii. Purpose of Include
8. Formatting
i. Line Length
ii. Line Indentation
iii. Blank Lines
iv. Text Alignment
v. Trailing Whitespace
vi. Keywords
vii. Variables
viii.Global Variables

1
 ix. Constants
x. Statements
xi. Operators
xii. Unary Operators
xiii.Concatenation Period
xiv.Single Quotes
xv. Double Quotes
9. Functions
i. Function Name
ii. Function Prefix
iii. Function Call
iv. Function Arguments
v. Function Declaration
vi. Function Return
10. Control Structures
i. If, Elseif, Else
ii. Switch, Case
iii. While, Do While
iv. For, Foreach
v. Try, Catch
11. Classes
i. Class File
ii. Class Namespace
iii. Class Name
iv. Class Documentation
v. Class Definition
vi. Class Properties
vii. Class Methods
viii.Class Instance
12. Best Practices
i. Variable Initialization
ii. Initialization/Declaration Order
iii. Globals
iv. Explicit Expressions
v. Good To Have
13. PHP Security
i. Cross-site scripting (XSS)
ii. SQL Injection Attacks
iii. Cross site request forgery XSRF/CSRF
iv. Session Hijacking
v. Hide Files from the Browser

2
 vi. Securely Upload Files
vii. Log all Errors and Hide in Production
viii. Use URL encoding
ix. Avoid remote file inclusion

1. Files

This section describes the format and naming convention of PHP files.

File Format

1. Character encoding MUST be set to UTF-8 without BOM

○ Sublime.app → File › Save with Encoding › UTF-8
2. Line endings MUST be set to Unix (LF)
○ Sublime.app → View › Line Endings › Unix

Filename

1. Letters MUST be all lowercase

○ e.g. autoloader.php
2. Words MUST be separated with a hyphen/ underscore
○ e.g. app-config.php

Note: This will vary depending on the Framework.

2. Skeleton
This section showcases a barebones PHP file with its minimum requirements.

Line by line breakdown:

● Line 1: PHP open tag

● Line 2: Blank line
● Line 3: Your code
● Line 4: Blank line

3
 ● Line 5: End-of-file comment
● Line 6: Blank line

<?php

// your code

// EOF

3. PHP Tags
This section describes the use of PHP tags in PHP and PHP/HTML files.

1. Open tag MUST be on its own line and MUST be followed by a blank line
○ i.e. <?php ↵ ↵ ...
2. Close tag MUST NOT be used in PHP files
○ i.e. no ?>
3. Open/close tag MUST be on one line in PHP/HTML files
○ i.e. <?php ... ?>
4. Short open tag MUST NOT be used
○ i.e. <? → <?php
5. Short echo tag SHOULD be used in PHP/HTML files
○ i.e. <?php echo → <?=

1. Open Tag
Open tag MUST be on its own line and MUST be followed by a blank line.

✖ Incorrect
<?php print_welcome_message();

↳ Incorrect because <?php is not on its own line.

<?php
print_welcome_message();

↳ Incorrect because <?php is not followed by a blank line.

✔ Correct
<?php

4
 print_welcome_message();

2. Close Tag
Close tag MUST NOT be used in PHP files.

✖ Incorrect
<?php

print_welcome_message();

?>

↳ Incorrect because ?> was used.

✔ Correct
<?php

print_welcome_message();

3. Open/Close Tag
Open/close tag MUST be on one line in PHP/HTML files.

✖ Incorrect
<div>
<h1><?php
print_welcome_message();
?></h1>
</div>

↳ Incorrect because <?php and ?> are not on one line.

✔ Correct
<div>
<h1><?php print_welcome_message(); ?></h1>
</div>

4. Short Open Tag

Short open tag MUST NOT be used.

5
✖ Incorrect
<?

print_welcome_message();

↳ Incorrect because <? was used instead of <?php.

✔ Correct
<?php

print_welcome_message();

5. Short Echo Tag

Short echo tag SHOULD be used in PHP/HTML files.

~ Acceptable
<div>
<p><?php echo get_welcome_message(); ?></p>
</div>

↳ Acceptable, but <?= should be used over <?php echo when possible.

✔ Preferred
<div>
<p><?= get_welcome_message(); ?></p>
</div>

4. End of File
This section describes how every PHP file must end.

End-of-file comment:

● MUST be included at the end of a file

○ i.e. // EOF
● MUST be on its own line
○ i.e. ↵ // EOF
● MUST be surrounded by blank lines
○ i.e. ... ↵ ↵ // EOF ↵

6
✖ Incorrect
<?php

print_welcome_message();

↳ Incorrect because // EOF is missing.

<?php

print_welcome_message(); // EOF

↳ Incorrect because // EOF is not on its own line.

<?php

print_welcome_message();
// EOF

↳ Incorrect because // EOF is not surrounded by blank lines.

✔ Correct
<?php

print_welcome_message();

// EOF

5. Namespaces
This section describes how to use one or more namespaces and their naming
convention.

1. Namespace declaration MUST be the first statement and MUST be followed

by a blank line
○ i.e. <?php ↵ ↵ namespace MyCompany; ↵ ↵ ...
2. Namespace name MUST start with a capital letter and MUST be camelcase
○ e.g. namespace MyCompany;
3. Multiple namespaces MUST use the curly brace syntax
○ i.e. namespace MyCompany { ... }
4. Magic constant SHOULD be used to reference the namespace name
○ i.e. __NAMESPACE__

1. Namespace Declaration

7
 Namespace declaration MUST be the first statement and MUST be followed by a
blank line.

✖ Incorrect
<?php

print_welcome_message();

namespace MyCompany;

// EOF

↳ Incorrect because namespace MyCompany; is not the first statement.

<?php

namespace MyCompany;
print_welcome_message();

// EOF

↳ Incorrect because namespace MyCompany; is not followed by a blank line.

✔ Correct
<?php

namespace MyCompany;

print_welcome_message();

// EOF

2. Namespace Name
Namespace names MUST start with a capital letter and MUST be camelcase.

✖ Incorrect
<?php

namespace myCompany;

// EOF

8
 ↳ Incorrect because myCompany does not start with a capital letter.

<?php

namespace MyCOMPANY;

// EOF

↳ Incorrect because MyCOMPANY is not written in camelcase.

✔ Correct
<?php

namespace MyCompany;

// EOF

3. Multiple Namespaces
Multiple namespaces MUST use the curly brace syntax.

✖ Incorrect
<?php

namespace MyCompany\Model;

namespace MyCompany\View;

// EOF

↳ Incorrect because there are two namespaces and the curly brace syntax was not
used.

✔ Correct
<?php

namespace MyCompany\Model {
// model body
}

namespace MyCompany\View {
// view body
}

9
 // EOF

4. Magic Constant
Magic constant SHOULD be used to reference the namespace name.

~ Acceptable
<?php

namespace MyCompany\Model {
// model body
}

namespace MyCompany\View {
$welcome_message = MyCompany\View\get_welcome_message();
}

// EOF

↳ Acceptable, but using __NAMESPACE__ instead of MyCompany\View is preferred.

✔ Preferred
<?php

namespace MyCompany\Model {
// ModuleOne body
}

namespace MyCompany\View {
$welcome_message = __NAMESPACE__ . '\\' . get_welcome_message();
}

// EOF

6. Comments
This section describes how comments should be formatted and used.

1. Single-line comments MUST use two forward slashes

○ e.g. // My comment
2. Multi-line comments MUST use the block format
○ i.e. /** ↵ * My comment ↵ */

10
 3. Header comments SHOULD use the block format
○ i.e. /** ↵ * Name of code section ↵ */
4. Divider comments SHOULD use the block format with asterisks in between
○ i.e. /** 75 asterisks */
5. Comments MUST be on their own line
○ i.e. ↵ // My comment
6. Blocks of code SHOULD be explained or summarised
○ e.g. // Compare user accounts from export against expired
accounts in system
7. Ambiguous numbers MUST be clarified
○ e.g. // 1,000 processable records per hour API limit
8. External variables MUST be clarified
○ e.g. // Database object included in file.php

1. Single-line Comments
Single-line comments MUST use two forward slashes.

✖ Incorrect
<?php

/* This is a comment */

// EOF

↳ Incorrect because it uses /* and */ for a single-line comment.

11
✔ Correct
<?php

// This is a comment

// EOF

2. Multi-line Comments
Multi-line comments MUST use the block format.

✖ Incorrect
<?php

// This is a
// multi-line
// comment

// EOF

↳ Incorrect because it uses // for a multi-line comment.

✔ Correct
<?php

/**
* This is a
* multi-line
* comment
*/

// EOF

3. Header Comments
Header comments SHOULD use the block format.

<?php

/**
* Global application settings
*/

12
 define('SETTING_ONE', '');
define('SETTING_TWO', '');
define('SETTING_THREE', '');

// EOF

4. Divider Comments
Divider comments SHOULD use the block format with 75 asterisks in between.

✖ Incorrect
<?php

/**#######################################################################*/

// EOF

↳ Incorrect because it uses # instead of *.

<?php

/*************/

// EOF

↳ Incorrect because it uses 10 instead of 75 *.

✔ Correct
<?php

/**
* Beginning + Middle + End
* 3 stars + 75 stars + 2 slash = 80 character line limit
*/

/****************************************************************************
**/

// EOF

5. Comments
Comments MUST be on their own line.

13
✖ Incorrect
<?php

print_welcome_message(); // Prints welcome message

// EOF

↳ Incorrect because // Prints welcome message is not on its own line.

✔ Correct
<?php

// Prints welcome message

print_welcome_message();

// EOF

6. Blocks of Code
Blocks of code SHOULD be explained or summarised.

~ Acceptable
<?php

foreach ($users as $user) {

if ($expr1) {
// ...
} else {
// ...
}
if ($expr2) {
// ...
} elseif ($expr3) {
// ...
} else {
// ...
}
// ...
}

// EOF

↳ Acceptable, but block of code should be explained or summarised.

14
✔ Preferred
<?php

/**
* Get active website bloggers with profile photo for the author page.
* If no photo exists on the website, check intranet.
* If neither location has a photo, send a user email to upload one.
*/
foreach ($users as $user) {
if ($expr1) {
// ...
} else {
// ...
}
if ($expr2) {
// ...
} elseif ($expr3) {
// ...
} else {
// ...
}
// ...
}

// EOF

7. Ambiguous Numbers
Ambiguous numbers MUST be clarified.

✖ Incorrect
<?php

while ($expr && $x < 1000) {

// ...
}

// EOF

↳ Incorrect because 1000 is not clarified.

✔ Correct
<?php

// Script times out after 1,000 records

15
 while ($expr && $x < 1000) {
// ...
}

// EOF

8. External Variables
External variables MUST be clarified.

✖ Incorrect
<?php

include_once 'some-file.php';

// ...

foreach($users as $user) {
// ...
}

// EOF

↳ Incorrect because source of $users is not clear.

✔ Correct
<?php

include_once 'some-file.php';

// ...

// $users from some-file.php

foreach($users as $user) {
// ...
}

// EOF

7. Includes
This section describes the format for including and requiring files.

1. Include/require once SHOULD be used

16
 ○ i.e. include → include_once, require → require_once
2. Parenthesis MUST NOT be used
○ e.g. include_once('file.php'); → include_once 'file.php';
3. Purpose of include MUST be documented with a comment
○ e.g. // Provides WordPress environment ↵ require_once
'wp-load.php';

1. Include/Require Once
Include/require once SHOULD be used.

~ Acceptable
<?php

include 'some-file.php';
require 'some-other-file.php';

// EOF

↳ Acceptable, but _once should be appended to include and require if possible.

✔ Preferred
<?php

include_once 'some-file.php';
require_once 'some-other-file.php';

// EOF

2. Parenthesis
Parenthesis MUST NOT be used.

✖ Incorrect
<?php

include_once('some-file.php');
require_once('some-other-file.php');

// EOF

17
 ↳ Incorrect because include_once and require_once are used with parenthesis.

✔ Correct
<?php

include_once 'some-file.php';
require_once 'some-other-file.php';

// EOF

3. Purpose of Include
Purpose of include MUST be documented with a comment.

✖ Incorrect
<?php

require_once 'some-file.php';

// EOF

↳ Incorrect because there is no comment as to what some-file.php does or provides.

✔ Correct
<?php

// Provides XYZ framework

require_once 'some-file.php';

// EOF

8. Formatting
This section outlines various, general formatting rules related to whitespace and text.

1. Line length MUST NOT exceed 80 characters, unless it is text

○ i.e. |---- 80+ chars ----| → refactor expression and/or break list
values
2. Line indentation MUST be accomplished using tabs
○ i.e. function func() { ↵ ⇥ ... ↵ }
3. Blank lines SHOULD be added between logical blocks of code

18
 ○ i.e. ... ↵ ↵ ...
4. Text alignment MUST be accomplished using spaces
○ i.e. $var · · · = ...;
5. Trailing whitespace MUST NOT be present after statements or serial comma
break or on blank lines
○ i.e. no ... · · ↵ · ↵ ...
6. Keywords MUST be all lowercase
○ e.g. false, true, null, etc.
7. Variables MUST be all lowercase and words MUST be separated by an
underscore
○ e.g. $welcome_message
8. Global variables MUST be declared one variable per line and MUST be
indented after the first
○ e.g. global $var1, ↵ ⇥ $var2;
9. Constants MUST be all uppercase and words MUST be separated by an
underscore
○ e.g. WELCOME_MESSAGE
10. Statements MUST be placed on their own line and MUST end with a
semicolon
○ e.g. welcome_message();
11. Operators MUST be surrounded by a space
○ e.g. $total = 15 + 7;, $var .= '';
12. Unary operators MUST be attached to their variable or integer
○ e.g. $index++, --$index
13. Concatenation period MUST be surrounded by a space
○ e.g. echo 'Read:' . $welcome_message;
14. Single quotes MUST be used
○ e.g. echo 'Hello, World!';
15. Double quotes SHOULD NOT be used
○ e.g. echo "Read: $welcome_message"; → echo 'Read: ' .
$welcome_message;

1. Line Length
Line length MUST NOT exceed 80 characters, unless it is text.

✖ Incorrect
<?php

if(in_array('Slumdog Millionaire', $movies) && in_array('Silver Linings

Playbook', $movies) && in_array('The Lives of Others', $movies) &&
in_array('The Shawshank Redemption', $movies)) {
// if body
}

19
 // EOF

↳ Incorrect because expression exceeds 80 characters and should be refactored.

<?php

$my_movies = array('Slumdog Millionaire', 'Silver Linings Playbook', 'The

Lives of Others', 'The Shawshank Redemption');

// EOF

↳ Incorrect because arguments exceed 80 characters and should be placed on their

own line.

~ Acceptable
<?php

$text = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec
posuere rutrum tincidunt. Duis lacinia laoreet diam, nec consectetur magna
facilisis eget. Quisque elit mauris, auctor quis vulputate id, sagittis nec
tortor. Praesent fringilla lorem eu massa convallis ultricies. Maecenas
lacinia porta purus, sollicitudin condimentum felis mollis a. Proin sed augue
purus. Quisque scelerisque eros vitae egestas porta. Suspendisse vitae purus
justo. Pellentesque justo nunc, luctus quis magna sit amet, venenatis rutrum
ante. Nam eget nisi ultricies, sodales lectus vel, luctus dui. Cras
pellentesque augue vitae nulla laoreet convallis. Mauris ut turpis mollis,
elementum arcu eu, semper risus. Mauris vel urna ut felis blandit dictum.
Aliquam sit amet tincidunt arcu. Nunc et elit quam. Aliquam hendrerit magna
ut lacus semper consequat blandit eu ipsum.';

// EOF

↳ Acceptable because line length was exceeded due to text, not code.

✔ Correct
<?php

$my_movies = array(
'Slumdog Millionaire',
'Silver Linings Playbook',
'The Lives of Others',
'The Shawshank Redemption'
);

$has_all_movies = true;

20
 foreach($my_movies as $my_movie) {
if(!in_array($my_movie, $movies)) {
$has_all_movies = false;
}
}

if($has_all_movies) {
// if body
}

$some_long_variable = get_something_else(
'from_some_other_function',
'another_long_argument'
);

// EOF

2. Line Indentation
Line indentation MUST be accomplished using tabs.

✖ Incorrect
<?php

function print_welcome_message() {
echo WELCOME_MESSAGE;
}

// EOF

↳ Incorrect because spaces are used to indent echo WELCOME_MESSAGE; instead of a

tab.

✔ Correct
<?php

function print_welcome_message() {
echo WELCOME_MESSAGE;
}

// EOF

3. Blank Lines

21
 Blank lines SHOULD be added between logical blocks of code.

~ Acceptable
<?php

$my_movies = array(
'Slumdog Millionaire',
'Silver Linings Playbook',
'The Lives of Others',
'The Shawshank Redemption'
);
$has_all_movies = true;
foreach($my_movies as $my_movie) {
if(!in_array($my_movie, $movies)) {
$has_all_movies = false;
}
}
if($has_all_movies) {
// if body
}

// EOF

↳ Acceptable, but can make scanning code more difficult.

✔ Preferred
<?php

$my_movies = array(
'Slumdog Millionaire',
'Silver Linings Playbook',
'The Lives of Others',
'The Shawshank Redemption'
);

$has_all_movies = true;

foreach($my_movies as $my_movie) {
if(!in_array($my_movie, $movies)) {
$has_all_movies = false;
}
}

if($has_all_movies) {
// if body
}

// EOF

22
4. Text Alignment
Text alignment MUST be accomplished using spaces.

✖ Incorrect
<?php

$movie_quotes = array(
'slumdog_millionaire' => 'When somebody asks me a question, I
tell them the answer.',
'silver_linings_playbook' => 'I opened up to you, and you judged
me.',
'the_lives_of_others' => 'To think that people like you ruled
a country.',
'the_shawshank_redemption' => 'Get busy living, or get busy dying.'
);

// EOF

↳ Incorrect because tabs are used instead of spaces to vertically align =>.

<?php

$movie_quotes = array(
'slumdog_millionaire' => 'When somebody asks me a question, I tell
them the answer.',
'silver_linings_playbook' => 'I opened up to you, and you judged me.',
'the_lives_of_others' => 'To think that people like you ruled a
country.',
'the_shawshank_redemption' => 'Get busy living, or get busy dying.'
);

// EOF

↳ Incorrect because spaces are used instead of tabs to indent array keys.

✔ Correct
<?php

$movie_quotes = array(
'slumdog_millionaire' => 'When somebody asks me a question, I
tell them the answer.',
'silver_linings_playbook' => 'I opened up to you, and you judged
me.',
'the_lives_of_others' => 'To think that people like you ruled a
country.',
'the_shawshank_redemption' => 'Get busy living, or get busy dying.'

23
 );

// EOF

5. Trailing Whitespace
Trailing whitespace MUST NOT be present after statements or serial comma break
or on blank lines.

✖ Incorrect
<?php

$quotes_exist = false;

print_welcome_message();

// EOF

↳ Incorrect because there are two spaces after $quotes_exist = false;.

<?php

$my_movies = array(
'Slumdog Millionaire',
'Silver Linings Playbook',
'The Lives of Others',
'The Shawshank Redemption'
);

// EOF

↳ Incorrect because there is a space after ,.

<?php

$quotes_exist = false;

print_welcome_message();

// EOF

↳ Incorrect because there are two spaces on the blank line below $quotes_exist =
false;.

24
✔ Correct
<?php

$quotes_exist = false;

print_welcome_message();

// EOF

<?php

$my_movies = array(
'Slumdog Millionaire',
'Silver Linings Playbook',
'The Lives of Others',
'The Shawshank Redemption'
);

// EOF

6. Keywords
Keywords MUST be all lowercase.

✖ Incorrect
<?php

$is_true = FALSE;
$is_false = TRUE:
$movie_quote = NULL;

// EOF

↳ Incorrect because FALSE, TRUE and NULL are not all lowercase.

✔ Correct
<?php

$is_true = false;
$is_false = true:
$movie_quote = null;

// EOF

25
7. Variables
Variables MUST be all lowercase and words MUST be separated by an underscore.
Or camel case.

✖ Incorrect
<?php

$welcome_Message = '';
$Welcome_Message = '';
$WELCOME_MESSAGE = '';

// EOF

↳ Incorrect because $welcome_Message, $Welcome_Message and $WELCOME_MESSAGE are

not all lowercase.

<?php

$welcomemessage = '';

// EOF

↳ Incorrect because welcome and message are not using camelCase.

✔ Correct

26
 <?php

$welcomeMessage = '';
// or $welcome_message = '';

// EOF

8. Global Variables
Global variables MUST be declared one variable per line and MUST be indented
after the first.

✖ Incorrect
<?php

global $app_config, $cache, $db_connection;

// EOF

↳ Incorrect because $app_config, $cache and $db_connection are together on one

line.

<?php

global $app_config,
$cache,
$db_connection;

// EOF

↳ Incorrect because $db_connection and $cache are not indented once.

✔ Correct
<?php

global $app_config,
$cache,
$db_connection;

// EOF

27
9. Constants
Constants MUST be all uppercase and words MUST be separated by an
underscore.

✖ Incorrect
<?php

define('welcome_Message', '');
define('Welcome_Message', '');
define('welcome_message', '');

// EOF

↳ Incorrect because welcome_Message, Welcome_Message and welcome_message are not

all uppercase.

<?php

define('WELCOMEMESSAGE', '');

// EOF

↳ Incorrect because WELCOME and MESSAGE are not separated with an underscore.

✔ Correct
<?php

define('WELCOME_MESSAGE', '');

// EOF

10. Statements
Statements MUST be placed on their own line and MUST end with a semicolon.

✖ Incorrect
<?php

$quotes_exist = false; print_welcome_message();

// EOF

28
 ↳ Incorrect because $quotes_exist = false; and print_welcome_message(); are on
one line.

<div>
<h1><?= print_welcome_message() ?></h1>
</div>

↳ Incorrect because print_welcome_message() is missing a semicolon.

✔ Correct
<?php

$quotes_exist = false;
print_welcome_message();

// EOF

<div>
<h1><?= print_welcome_message() ?></h1>
</div>

11. Operators
Operators MUST be surrounded by space.

✖ Incorrect
<?php

$total=3+14;
$string='Hello, World! ';
$string.='Today is a good day!';

// EOF

↳ Incorrect because there is no space surrounding the =, + or .= sign.

✔ Correct
<?php

$total = 3 + 14;
$string = 'Hello, World! ';

29
 $string .= 'Today is a good day!';

// EOF

12. Unary Operators

Unary operators MUST be attached to their variable or integer.

✖ Incorrect
<?php

$index ++;
-- $index;

// EOF

↳ Incorrect because there is a space before ++ and after --.

✔ Correct
<?php

$index++;
--$index;

// EOF

13. Concatenation Period

Concatenation period MUST be surrounded by a space.

✖ Incorrect
<?php

echo 'Hello, World! Today is '.$date.'!';

// EOF

↳ Incorrect because there is no space surrounding ..

✔ Correct

30
 <?php

echo 'Hello, World! Today is ' . $date . '!';

// EOF

14. Single Quotes

Single quotes MUST be used.

✖ Incorrect
<?php

echo "Hello, World!";

// EOF

↳ Incorrect because "Hello, World!" is not written with single quotes.

✔ Correct
<?php

echo 'Hello, World!';

// EOF

15. Double Quotes

Double quotes SHOULD NOT be used.

~ Acceptable
<?php

echo "Hello, World! Today is $date!";

// EOF

↳ Acceptable, but burries the $date variable, which is why single quotes are
preferred.

<?php

31
 echo "Hello, World! He's watching movies and she's reading books.";

// EOF

↳ Acceptable when long pieces of text have apostrophies that would need to be
escaped.

✔ Preferred
<?php

echo 'Hello, World! Today is ' . $date . '!';

echo 'Hello, World! He\'s watching movies and she\'s reading books.';

// EOF

9. Functions

This section describes the format for function names, calls, arguments and
declarations.

1. Function name MUST be all lowercase and words MUST be separated by an

underscore
○ e.g. function welcome_message() {
2. Function prefix MUST start with verb
○ e.g. get_, add_, update_, delete_, convert_, etc.
3. Function call MUST NOT have a space between function name and open
parenthesis
○ e.g. func();
4. Function arguments
○ MUST NOT have a space before the comma
○ MUST have a space after the comma
○ MAY use line breaks for long arguments
○ MUST then place each argument on its own line

32
 ○ MUST then indent each argument once
○ MUST be ordered from required to optional first
○ MUST be ordered from high to low importance second
○ MUST use descriptive defaults
○ MUST use type hinting
○ e.g. func($arg1, $arg2 = 'asc', $arg3 = 100);
5. Function declaration MUST be documented using phpDocumentor tag style
and SHOULD include
○ Short description
○ Optional long description, if needed
○ @access: private or protected (assumed public)
○ @author: Author name
○ @global: Global variables function uses, if applicable
○ @param: Parameters with data type, variable name, and description
○ @return: Return data type, if applicable
6. Function return
○ MUST occur as early as possible
○ MUST be initialised prior at top
○ MUST be preceded by blank line, except inside control statement
○ i.e. if (!$expr) { return false; }

1. Function Name
Function names MUST be all lowercase and words MUST be separated by an
underscore.

✖ Incorrect
<?php

get_Welcome_Message();
Get_Welcome_Message();
GET_WELCOME_MESSAGE();

// EOF

↳ Incorrect because the function names are not all lowercase.

<?php

getwelcomemessage();

// EOF

33
 ↳ Incorrect because get, welcome and message are not separated with an underscore.

✔ Correct
<?php

get_welcome_message();

// EOF

2. Function Prefix
Function prefix MUST start with a verb.

✖ Incorrect
<?php

active_users();
network_location($location1, $location2);
widget_form($id);

// EOF

↳ Incorrect because functions are not prefixed with a verb.

✔ Correct
<?php

get_active_users();
move_network_location($location1, $location2);
delete_widget_form($id);

// EOF

3. Function Call
Function calls MUST NOT have a space between function name and open
parenthesis.

✖ Incorrect
<?php

34
 print_welcome_message ();

// EOF

↳ Incorrect because there is a space between get_welcome_message and ().

✔ Correct
<?php

print_welcome_message();

// EOF

4. Function Arguments
Function arguments:

● MUST NOT have a space before the comma

● MUST have a space after the comma
● MAY use line breaks for long arguments
● MUST then place each argument on its own line
● MUST then indent each argument once
● MUST be ordered from required to optional first
● MUST be ordered from high to low importance second
● MUST use descriptive defaults
● MUST use type hinting

✖ Incorrect
<?php

my_function($arg1 , $arg2 , $arg3);

// EOF

↳ Incorrect because there is a space before ,.

<?php

my_function($arg1,$arg2,$arg3);

// EOF

35
↳ Incorrect because there is no space after ,.

<?php

my_other_function($arg1_with_a_really_long_name,
$arg2_also_has_a_long_name,
$arg3
);

// EOF

↳ Incorrect because $arg1_with_a_really_long_name is not on its own line.

<?php

my_other_function(
$arg1_with_a_really_long_name,
$arg2_also_has_a_long_name,
$arg3
);

// EOF

↳ Incorrect because arguments are not indented once.

<?php

function get_objects($type, $order = 'asc', $limit) {

// ...
}

// EOF

↳ Incorrect because $type, $order and $limit are not in order of required to optional.

<?php

function get_objects($limit, $order, $type) {

// ...
}

// EOF

↳ Incorrect because $limit, $order and $type are not in order of importance.

<?php

function get_objects($type, $order = true, $limit = 100) {

36
 // ...
}

// EOF

↳ Incorrect because true is not a descriptive default for $order.

<?php

function add_users_to_office($users, $office) {

// ...
}

// EOF

↳ Incorrect because $users and $office are missing their data type.

✔ Correct
<?php

my_function($arg1, $arg2, $arg3);

my_other_function(
$arg1_with_a_really_long_name,
$arg2_also_has_a_long_name,
$arg3
);

function get_objects($type, $order = 'asc', $limit = 100) {

// ...
}

function add_users_to_office(array $users, Office $office) {

// ...
}

// EOF

5. Function Declaration
Function declaration MUST be documented using phpDocumentor tag style and
SHOULD include:

● Short description
● Optional long description, if needed
● @access: private or protected (assumed public)

37
 ● @author: Author name
● @global: Global variables function uses, if applicable
● @param: Parameters with data type, variable name, and description
● @return: Return data type, if applicable

✖ Incorrect
<?php

function my_function($id, $type, $width, $height) {

// ...
return $Photo;
}

// EOF

↳ Incorrect because my_function is not documented.

✔ Correct
<?php

/**
* Get photo from blog author
*
* Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut id volutpat
* orci. Etiam pharetra eget turpis non ultrices. Pellentesque vitae risus
* sagittis, vehicula massa eget, tincidunt ligula.
*
* @access private
* @author Firstname Lastname
* @global object $post
* @param int $id Author ID
* @param string $type Type of photo
* @param int $width Photo width in px
* @param int $height Photo height in px
* @return object Photo
*/
function my_function($id, $type, $width, $height) {
// ...
return $Photo;
}

// EOF

6. Function Return

38
 Function return:

● MUST occur as early as possible

● MUST be initialised prior at top
● MUST be preceded by blank line, except inside control statement

✖ Incorrect
<?php

function get_object() {
$var = false;
if($expr1) {
// ...
if($expr2) {
// ...
}
}

return $var;
}

// EOF

↳ Incorrect because get_object does not return as early as possible.

<?php

function get_movies() {
// ...

return $movies;
}

// EOF

↳ Incorrect because $movies is not initialised at top.

<?php

function get_movies() {
$movies = array();
// ...
return $movies;
}

// EOF

39
 ↳ Incorrect because return $movies is not preceded by blank line.

✔ Correct
<?php

function get_object() {
$var = false;
if (!$expr1) {
return $var;
}
if (!$expr2) {
return $var;
}
// ...

return $var;
}

// EOF

<?php

function get_movies() {
$movies = array();
// ...

return $movies;
}

// EOF

10. Control Structures

This section defines the layout and usage of control structures. Note that this section
is separated into rules that are applicable to all structures, followed by specific rules
for individual structures.

● Keyword MUST be followed by a space

○ e.g. if (, switch (, do {, for (
● Opening parenthesis MUST NOT be followed by a space
○ e.g. ($expr, ($i
● Closing parenthesis MUST NOT be preceded by a space
○ e.g. $expr), $i++), $value)
● Opening brace MUST be preceded by a space and MUST be followed by a
new line

40
 ○ e.g. $expr) {, $i++) {
● Structure body MUST be indented once and MUST be enclosed with curly
braces (no shorthand)
○ e.g. if ($expr) { ↵ ⇥ ... ↵ }
● Closing brace MUST start on the next line
○ i.e. ... ↵ }
● Nesting MUST NOT exceed three levels
○ e.g. no if ($expr1) { if ($expr2) { if ($expr3) { if ($expr4) {
... }}}}

In addition to the rules above, some control structures have additional requirements:

1. If, Elseif, Else

○ elseif MUST be used instead of else if
○ elseif and else MUST be between } and { on one line
2. Switch, Case
○ Case statement MUST be indented once
■ i.e. ⇥ case 1:
○ Case body MUST be indented twice
■ i.e. ⇥ ⇥ func();
○ Break keyword MUST be indented twice
■ i.e. ⇥ ⇥ break;
○ Case logic MUST be separated by one blank line
■ i.e. case 1: ... break; ↵ ↵ case 2: ... break;
3. While, Do While
4. For, Foreach
5. Try, Catch
○ catch MUST be between } and { on one line

1. If, Elseif, Else

● elseif MUST be used instead of else if
● elseif and else MUST be between } and { on one line

✖ Incorrect
<?php

if ($expr1) {
// if body
} else if ($expr2) {
// elseif body
} else {
// else body
}

41
 // EOF

↳ Incorrect because else if was used instead of elseif.

<?php

if ($expr1) {
// if body
}
elseif ($expr2) {
// elseif body
}
else {
// else body
}

// EOF

↳ Incorrect because elseif and else are not between } and { on one line.

<?php

$result1 = if ($expr1) ? true : false;

if($expr2)
$result2 = true;

// EOF

↳ Incorrect because structure body is not wrapped in curly braces.

✔ Correct
<?php

if ($expr1) {
// if body
} elseif ($expr2) {
// elseif body
} else {
// else body
}

if ($expr1) {
$result1 = true;
} else {
$result1 = false;

42
 }

if ($expr2) {
$result2 = true;
}

// EOF

2. Switch, Case
● Case statement MUST be indented once
● Case body MUST be indented twice
● Break keyword MUST be indented twice
● Case logic MUST be separated by one blank line

✖ Incorrect
<?php

switch ($expr) {
case 0:
echo 'First case, with a break';
break;

case 1:
echo 'Second case, which falls through';
// no break
case 2:
case 3:
case 4:
echo 'Third case, return instead of break';
return;

default:
echo 'Default case';
break;
}

// EOF

↳ Incorrect because case 0 thru default are not indented once.

<?php

switch ($expr) {
case 0:
echo 'First case, with a break';
break;

43
 case 1:
echo 'Second case, which falls through';
// no break
case 2:
case 3:
case 4:
echo 'Third case, return instead of break';
return;

default:
echo 'Default case';
break;
}

// EOF

↳ Incorrect because echo, break and return are not indented twice.

<?php

switch ($expr) {
case 0:
echo 'First case, with a break';
break;
case 1:
echo 'Second case, which falls through';
// no break
case 2:
case 3:
case 4:
echo 'Third case, return instead of break';
return;
default:
echo 'Default case';
break;
}

// EOF

↳ Incorrect because case 0, case 1 thru case 4, and default are not separated by
one blank line.

✔ Correct
<?php

switch ($expr) {
case 0:
echo 'First case, with a break';

44
 break;

case 1:
echo 'Second case, which falls through';
// no break
case 2:
case 3:
case 4:
echo 'Third case, return instead of break';
return;

default:
echo 'Default case';
break;
}

// EOF

3. While, Do While

✔ Correct
<?php

while ($expr) {
// structure body
}

do {
// structure body;
} while ($expr);

// EOF

4. For, Foreach

✔ Correct
<?php

for ($i = 0; $i < 10; $i++) {

// for body
}

foreach ($iterable as $key => $value) {

// foreach body
}

45
 // EOF

5. Try, Catch

✖ Incorrect
<?php

try {
// try body
}
catch (FirstExceptionType $e) {
// catch body
}
catch (OtherExceptionType $e) {
// catch body
}

// EOF

↳ Incorrect because catch is not between } and { on one line.

✔ Correct
<?php

try {
// try body
} catch (FirstExceptionType $e) {
// catch body
} catch (OtherExceptionType $e) {
// catch body
}

// EOF

11. Classes
This section describes class files, names, definitions, properties, methods and
instantiation.

1. Class file MUST only contain one definition and MUST be prefixed with class-
○ i.e. class User → class-user.php, class Office → class-office.php
2. Class namespace MUST be defined and MUST include vendor name

46
 ○ e.g. namespace MyCompany\Model;, namespace MyCompany\View;,
namespace MyCompany\Controller;
3. Class name MUST start with a capital letter and MUST be upper camelcase
○ e.g. MyCompany
4. Class documentation MUST be present and MUST use phpDocumentor tag
style
○ i.e. @author, @global, @package
5. Class definition MUST place curly braces on their own line
○ i.e. class User ↵ { ↵ ... ↵ }
6. Class properties
○ MUST follow variable standards
○ MUST specify visibility
○ MUST NOT be prefixed with an underscore if private or protected
○ e.g. $var1;, private $var2;, protected $var3;
7. Class methods
○ MUST follow function standards
○ MUST specify visibility
○ MUST NOT be prefixed with an underscore if private or protected
○ e.g. func1(), private func2(), protected func3()
8. Class instance
○ MUST start with capital letter
○ MUST be camelcase
○ MUST include parenthesis
○ e.g. $user = new User();, $OfficeProgram = new OfficeProgram();

1. Class File
Class file MUST only contain one definition and MUST be prefixed with class-.

✖ Incorrect
Filename: class-user.php

<?php

namespace MyCompany\Model;

class User
{
// ...
}

class Office
{
// ...
}

47
 // EOF

↳ Incorrect because User and Office are defined in one file.

Filename: user.php

<?php

namespace MyCompany\Model;

class User
{
// ...
}

// EOF

↳ Incorrect because filename is not prefixed with class-.

✔ Correct
Filename: class-user.php

<?php

namespace MyCompany\Model;

class User
{
// ...
}

// EOF

Filename: class-office.php

<?php

namespace MyCompany\Model;

class Office
{
// ...
}

// EOF

48
2. Class Namespace
Class namespace MUST be defined and MUST include vendor name.

✖ Incorrect
<?php

class User
{
// ...
}

// EOF

↳ Incorrect because there is no namespace defined.

<?php

namespace Model;

class User
{
// ...
}

// EOF

↳ Incorrect because vendor name is missing in the namespace name.

✔ Correct
<?php

namespace MyCompany\Model;

class User
{
// ...
}

// EOF

3. Class Name
Class names MUST start with a capital letter and MUST be camelcase.

49
✖ Incorrect
<?php

namespace MyCompany\Model;

class officeProgram
{
// ...
}

// EOF

↳ Incorrect because officeProgram does not start with a capital letter.

<?php

namespace MyCompany\Model;

class Officeprogram
{
// ...
}

// EOF

↳ Incorrect because Officeprogram is not camelcase.

✔ Correct
<?php

namespace MyCompany\Model;

class OfficeProgram
{
// ...
}

// EOF

4. Class Documentation
Class documentation MUST be present and MUST use phpDocumentor tag style.

✖ Incorrect

50
 <?php

namespace MyCompany\Model;

class User
{
// ...
}

// EOF

↳ Incorrect because User is missing documentation.

<?php

namespace MyCompany\View;

/**
* User View
*/
class User
{
// ...
}

// EOF

↳ Incorrect because User is missing phpDocumentor tags.

✔ Correct
<?php

namespace MyCompany\View;

/**
* User View
*
* @author Firstname Lastname
* @global object $post
* @package MyCompany\API
*/
class User
{
// ...
}

// EOF

51
5. Class Definition
Class definition MUST place curly braces on their own line.

✖ Incorrect
<?php

namespace MyCompany\Model;

class User {
// ...
}

// EOF

↳ Incorrect because { is not on its own line.

✔ Correct
<?php

namespace MyCompany\Model;

class User
{
// ...
}

// EOF

6. Class Properties
Class properties:

● MUST follow variable standards

● MUST specify visibility
● MUST NOT be prefixed with an underscore if private or protected

✖ Incorrect
<?php

namespace MyCompany\Model;

class User
{

52
 // Public
$var1;

// Protected
$var2;

// Private
$var3;
}

// EOF

↳ Incorrect because visibility is not specified for $var1, $var2 and $var3.

<?php

namespace MyCompany\Model;

class User
{
public $var1;
protected $_var2;
private $_var3;
}

// EOF

↳ Incorrect because protected and private properties are prefixed with _.

✔ Correct
<?php

namespace MyCompany\Model;

class User
{
public $var1;
protected $var2;
private $var3;
}

// EOF

7. Class Methods
Class methods:

53
 ● MUST follow function standards
● MUST specify visibility
● MUST NOT be prefixed with an underscore if private or protected

✖ Incorrect
<?php

namespace MyCompany\Model;

class User
{
// ...

// Public
function get_var1() {
return $this->var1;
}

// Protected
function get_var2() {
return $this->var2;
}

// Private
function get_var3() {
return $this->var3;
}
}

// EOF

↳ Incorrect because visibility is not specified for get_var1(), get_var2() and

get_var3().

<?php

namespace MyCompany\Model;

class User
{
// ...

public function get_var1() {

return $this->var1;
}

protected function _get_var2() {

return $this->var2;
}

54
 private function _get_var3() {
return $this->var3;
}
}

// EOF

↳ Incorrect because protected and private methods are prefixed with _.

✔ Correct
<?php

namespace MyCompany\Model;

class User
{
// ...

public function get_var1() {

return $this->var1;
}

protected function get_var2() {

return $this->var2;
}

private function get_var3() {

return $this->var3;
}
}

// EOF

8. Class Instance
Class instance:

● MUST follow variable standards

● MUST include parenthesis

✖ Incorrect
<?php

55
 $OfficeProgram = new OfficeProgram;

// EOF

↳ Incorrect because new OfficeProgram is missing parenthesis.

✔ Correct
<?php

$OfficeProgram = new OfficeProgram();

// EOF

12. Best Practices

1. Variable initialization SHOULD occur prior to use and SHOULD occur early
○ e.g. $var1 = '';, $var2 = 0;
2. Initialization/declaration order
○ MUST lead with globals, follow with constants, conclude with local
variables
○ MUST lead with properties and follow with methods in classes
○ MUST lead with public, follow with protected, conclude with private
methods in classes
○ SHOULD be alphabetical within their type
○ i.e. global $var1;, define('VAR2', '');, $var3 = 0;
3. Globals SHOULD NOT be used
○ i.e. no global $var;
4. Explicit expressions SHOULD be used
○ e.g. if ($expr === false), while ($expr !== true)
5. E_STRICT reporting MUST NOT trigger errors
○ i.e. do not use deprecated functions, etc.

1. Variable Initialization
Variable initialization SHOULD occur prior to use and SHOULD occur early.

~ Acceptable
<?php

$movies = get_movies();

// EOF

56
 ↳ Acceptable, but $movies should be initialised prior to use.

<?php

if ($expr) {
// ....
}

$movies = array();
$movies = get_movies();

// EOF

↳ Acceptable, but $movies should be initialised earlier.

✔ Preferred
<?php

$movies = array();

if ($expr) {
// ....
}

$movies = get_movies();

// EOF

2. Initialization/Declaration Order
Initialization/declaration order:

● MUST lead with globals, follow with constants, conclude with local variables
● MUST lead with properties and follow with methods in classes
● MUST lead with public, follow with protected, conclude with private methods
in classes
● SHOULD be alphabetical within their type

✖ Incorrect
<?php

define('ENVIRONMENT', 'PRODUCTION');

57
$id = 0;

global $app_config;

// EOF

↳ Incorrect because $app_config is not first, ENVIRONMENT not second, and $id not
third.

<?php

namespace MyCompany\Model;

class Office
{
public function get_name() {
// ...
}

private $name;
}

// EOF

↳ Incorrect because get_name() is declared before $name.

<?php

namespace MyCompany\Model;

class Office
{
private $id;
private $name;
private $status;

private function get_name() {

// ...
}

public function get_id() {

// ...
}

protected function get_status() {

// ...
}
}

// EOF

58
 ↳ Incorrect because get_id() is not first, get_status() not second, and get_name()
not third.

~ Acceptable
<?php

global $db_connection,
$app_config,
$cache;

define('MODE', 1);
define('ENVIRONMENT', 'PRODUCTION');

$id = 0;
$firstname = '';
$lastname = '';

// EOF

↳ Acceptable, but the globals and constants should be in alphabetical order.

<?php

function get_movies() {
// ...
}

function get_actors() {
// ...
}

// EOF

↳ Acceptable, but get_actors should be declared before get_movies.

✔ Correct
<?php

global $app_config,
$cache,
$db_connection;

define('ENVIRONMENT', 'PRODUCTION');
define('MODE', 1);

59
 $id = 0;
$firstname = '';
$lastname = '';

// EOF

<?php

namespace MyCompany\Model;

class Office
{
private $id;
private $name;
private $status;

public function get_id() {

// ...
}

protected function get_status() {

// ...
}

private function get_name() {

// ...
}
}

// EOF

✔ Preferred
<?php

function get_actors() {
// ...
}

function get_movies() {
// ...
}

// EOF

3. Globals
Globals SHOULD NOT be used.

60
~ Acceptable
<?php

$pdo = new PDO('mysql:host=localhost;dbname=test', $user, $pass);

function get_user($id) {
global $pdo;
// ...
}

// EOF

↳ Acceptable, but global variables should be avoided.

✔ Preferred
<?php

function get_database_object() {
return new PDO('mysql:host=localhost;dbname=test', $user, $pass);
}

function get_user($id) {
$pdo = get_database_object();
// ...
}

// EOF

4. Explicit Expressions
Explicit expressions SHOULD be used.

~ Acceptable
<?php

if ($expr == true) {
// ...
}

// EOF

↳ Acceptable, but === could be used here instead.

✔ Preferred

61
 <?php

if ($expr === true) {

// ...
}

// EOF

5. Good to have

✔ Correct
● Controller must not IDEALLY and CONCEPTUALLY contain any database
queries. If you have some queries in the controller itself then it will take away
some key advantages of the MVC architecture such as Code Segregation and so
on.
● Ideally your Model Classes (M) must contain DB queries and any interactions
with DB via DB objects. A model ideally represents a Table in the DB or a file
used for io
● Views (V) must contain HTML with very little PHP. In most conditions only loops
and conditional statements are used
● Controller Classes (C) must contain all the business logic of your application,
error handlers and so on.

12. PHP Security

1. Cross-site scripting (XSS)

Cross site scripting is a type of malicious web attack in which an external script is
injected into the website’s code or output. The attacker can send infected code to the
end user while the browser can not identify it as a trusted script. This attack occurs
mostly in the places where the user has the ability to input and submit data. The
attack can access cookies, sessions and other sensitive information about the
browser. Let’s look at the example of a GET request which is sending some data
through URL:

62
 URL: http://example.com/search.php?search=<script>alert('test')</script>

$search = $_GET['search'] ?? null;

echo 'Search results for '.$search;

You can figure out this attack by using htmlspecialchars. Also by using
ENT_QUOTES, you can escape single and double quotes.

$search = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');

echo 'Search results for '.$search;

Meanwhile, XSS attacks can also execute via attributes, encoded URI schemes and
code encoding.

2. SQL Injection Attacks

The SQL injection is the most common attack in PHP scripting. A single query can
compromise the whole application. In SQL injection attack, the attacker tries to alter
the data you are passing via queries. Suppose you are directly processing user data
in SQL queries, and suddenly, an anonymous attacker secretly uses different
characters to bypass it. See the below-mentioned SQL query:

$sql = "SELECT * FROM users WHERE username = '" . $username . "';

The $username can contain altered data which can damage the database including
deleting the whole database in the blink of an eye. So, what’s the solution? PDO. I
recommend that you always use prepared statements. PDO helps you in securing
SQL queries.

$id = $_GET['id'] ?? null;

The connection between the database and application is made with the below
statement:

$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', 'dbusername',

'dbpassword');

63
You can select a username based on the above ID but wait! Here SQL code ‘GET
data’ gets injected in your query. Be careful to avoid such coding and use prepared
statements instead:

$sql = "SELECT username, email FROM users WHERE id = ".$id." ;

foreach ($dbh->query($sql) as $row) {

printf ("%s (%s)\n", $row['username'],

$row['email']);

Now you can avoid the above SQL injection possibility by using

$sql = "SELECT username, email FROM users WHERE id = :id";

$sth = $dbh->prepare($sql, [PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY]);

$sth->execute([':id' => $id]);

$users = $sth->fetchAll();

Also, a good practice is to use ORM like doctrine or eloquent, as there is the least
possibility of injecting SQL queries in them. Read more on Documentation

Prevention is better than cure. You must take the following precautions as these are
the best ways to prevent SQL injection in php:

● To avoid SQL injections, user input should be authenticated for a definite set
of rules for syntax, type, and length.
● While giving administrative rights to the database to particular users, try to
give the least rights in order to avoid any future attacks on sensitive data.
● If a user is given rights for a specific application, make sure that he does not
access the application unnecessarily.
● Removing unused stored procedures may also help in the prevention of SQL
injections.
● Be careful when using stored procedures as they are easily exploited.

64
3. Cross site request forgery XSRF/CSRF

The CSRF attack is quite different to XSS attacks. In a CSRF attack, the end user
can perform unwanted actions on the authenticated websites and can transfer
malicious commands to the site to execute any undesirable action. CSRF can’t read
the request data and mostly targets the state changing request by sending any link
or altered data in HTML tags. It can force the user to perform state changing
requests like transferring funds, changing their email addresses etc. Let’s see this
URL in which GET requests is sending money to another account:

GET http://bank.com/transfer.do?acct=TIM&amount=100 HTTP/1.1

Now if someone wants to exploit the web application he/she will change the URL
with name and amount like this

http://bank.com/transfer.do?acct=Sandy&amount=100000

Now this URL can be sent via email in any file, Image etc and the attacker might ask
you to download the

file or click on the image. And as soon as you do that, you instantly end up with
sending a huge amount of money you never knew about.

4. Session Hijacking

Session hijacking is a particular type of malicious web attack in which the attacker
secretly steals the session ID of the user. That session ID is sent to the server where
the associated $_SESSION array validates its storage in the stack and grants
access to the application. Session hijacking is possible through an XSS attack or
when someone gains access to the folder on a server where the session data is
stored.

To prevent session hijacking always bind sessions to your IP address to:

$IP = getenv ( "REMOTE_ADDR" );

Watch for it when working on localhost as it doesn’t provide you the exact IP but :::1
or :::127 type values. You should invalidate (unset cookie, unset session storage,

65
remove traces) sessions quickly whenever a violation occurs and should always try
not to expose IDs under any circumstances.

For cookies, the best practice is to never use serialize data stored in a cookie.
Hackers can manipulate cookies easily, resulting in adding variables to your scope.
Safely delete the cookies like this:

setcookie ($name, "", 1);

setcookie ($name, false);

unset($_COOKIE[$name]);

The first line of the code ensures that the cookie expires in the browser, the second
line depicts the standard way of removing a cookie (thus you can’t store false in a
cookie). The third line removes the cookie from your script.

5. Hide Files from the Browser

If you have used micro-frameworks of PHP, then you must have seen the specific
directory structure which ensures the placement of files properly. Frameworks allow
to have different files like controllers, models, configuration file(.env) etc in that
directory, but most of the time the browser doesn’t process all the files, yet they are
available to see in the browser. To resolve this issue, you must not place your files in
the root directory but in a public folder so that they are not accessible all the time in
the browser.

6. Securely Upload Files

File uploading is a necessary part of any user data processing application. But
remember at some points, files are also used for XSS attacks as I have already
explained above in the article. Returning to the basics, always use the POST request
in the form and declare the property enctype=”multipart/form-data” in <form> tag.
Then validate the file type using finfo class like this:

$finfo = new finfo(FILEINFO_MIME_TYPE);

$fileContents = file_get_contents($_FILES['some_name']['tmp_name']);

66
$mimeType = $finfo->buffer($fileContents);

Developers can create their own custom and ultra-secure file validation rules, but
some frameworks like Laravel, Symfony and codeigniter already have pre-defined
methods to validate file types.

Let’s look at another example. The HTML of form should be like this:

<form method="post" enctype="multipart/form-data" action="upload.php">

File: <input type="file" name="pictures[]" multiple="true">

<input type="submit">

</form>

And upload.php contains the following code:

foreach ($_FILES['pictures']['error'] as $key => $error) {

if ($error == UPLOAD_ERR_OK) {

$tmpName = $_FILES['pictures']['tmp_name'][$key];

$name = basename($_FILES['pictures']['name'][$key]);

move_uploaded_file($tmpName, "/var/www/project/uploads/$name");

Properly declaring the UPLOAD_ERR and basename() may prevent directory

traversal attacks, but few other validations – like file size, file rename and store
uploaded files in private location – are also required to strengthen the security of the
applications.

7. Log all Errors and Hide in Production

67
Once you have developed the website and deployed it on live server. The first thing
you must do is disable the display of errors, because hackers might get the same
valuable information from the errors. Set this parameter in your php.ini file:

display_errors=Off

Now, after making display off, log PHP errors to a specific file for future needs:

log_errors=On

error_log=/var/log/httpd/php_scripts_error.log

Obviously, you can change the file name as you want.

8. Use URL encoding & encryption

PHP gives developers the urlencode function to safely generate valid URLs.
According to the PHP documentation, the function is convenient when encoding a
string to be used in a query part of a URL.

Imagine that user input is used for generating a URL. In that case, you can use the
urlencode function to generate a safe URL.

<?php

echo '<a href="mylink?user=', urlencode($userID), '">';

?>

Dynamically encrypted URLs (combined with cryptographically protected HTML

forms) prevent anyone from sending illegal requests or malicious user data to the
application server. Absolutely no internal information about the Web application is
revealed to potential attackers. Attackers cannot see the request details or the URL
parameters because they are encrypted.

Example:

68
✖ Incorrect

https://www.beatoapp.com/user/63535

✔ Correct

https://www.beatoapp.com/user/hgdgfj253426

9. Avoid remote file inclusion

Never accept user input for requiring a file. The example below shows a required
statement that uses user-generated input and enables remote file inclusion.

✖ Incorrect
<?php

$page = $_GET['location']
require($page . ".php");

?>

In this case, a user can input a malicious path such as ../../../etc/passwd and display
the contents of the passwd file on a Linux/Unix server. Therefore, never accept user
input for requiring a page. If you still want to accept user input for opening a file,
make sure to validate the user input.

Furthermore, use the open_basedir function. A better solution would be to specify

the possible choices using a switch statement.

Note: The open_basedir function allows you to limit the files that PHP can access in
your filesystem. If you set the open_basedir function to the root of your project, this
means it can only access files in the root of your project and downward.

In case a malicious user gains access to your server via PHP and tries to access
sensitive files such as /etc/passwd, the open_basedir function will prevent this.

69
 For example, if the input matches home, you navigate the user to the homepage.
See the example below, which illustrates a conditional switch for navigating the user.
If the page doesn’t exist, we show an error page.

✔ Correct

<?php

$page = $_POST['page'];
if ($page == "home") {
require("./pages/home.php");
} elseif ($page == "contact") {
require("./pages/contact.php");
} else {
require("./pages/error.php");
}

?>

70