Php Best Practices

PHP Best Practices Bangalore PHP Users Meetup 31 st October 2009 http://www.meetup.com/Bangalore-PHP-Users

Overview About this talk Coding Standard Documentation Sub Version General Practices

About this talk Common good practises for coding PHP Tips for clean PHP code How to avoid common mistakes Tricks and Tips Tools to ease your work

Why use coding standard? Consistency Readability Maintainability Collaboration

Learn from others Don’t invent your own standard. All the issue has been debated to death. Use an established standard Stick to an standard you establish, don’t mix

What choices exist? PEAR Coding Standards http://pear.php.net/manual/en/standards.php Zend Framework Coding Standards http://framework.zend.com/manual/en/coding-standard.html eZcomponents Coding Standards http://ez.no/products/ez_publish/documentation/development/standards/php

Some Zend Framework standards Derived from PEAR standards One class, one file Underscore in class name map to directory separators: Zend_Controller_Action: Zend/Controller/Action.php

Some Zend Framework standards Naming conventions: Class name are MixedCase – Zend_Pdf Method name are camelCase - filterInput() Constants are ALL_CAPS – SET_TIME Properties and variables are camelCase Private and protected member are _underscorePrefixed

Some Zend Framework standards Layout Conventions: No closing ?> tag for files containing only code Indentation: spaces only, no tabs;4 spaces per level of indentation No shell style comments(#) Keep lines no more than 75-80 characters long

Any tool to check coding standards? PHP_CodeSniffer is one such tool: PHP_CodeSniffer is a PHP5 script that tokenises and "sniffs" PHP, JavaScript and CSS files to detect violations of a defined coding standard. Your own coding standards. Subversion integration http://pear.php.net/manual/en/package.php.php-codesniffer.php

PHP_CodeSniffer Example Default uses PEAR style coding standard

Documentation Documentation is the most boring work Don't have time!

Documentation You don’t have time to code? Re-read your code 6 month after you wrote it! Think about people who have to use your code Code should communicate its purpose The better the names, the fewer comments.

What choices exist? Source Documentation phpDocumentor http://phpdoc.org Doxygen http:// www.stack.nl/~dimitri/doxygen / End User Documentation DocBook http://www.docbook.org/

Documentation phpDocumentor Derived from Javadoc, written in PHP. phpDocumentor tags are the most used standard for generating documentation from php source code Other documentation generators, such as Doxygen, support these same tags. Don’t invent your own tags. Supported by a number of different IDEs. Zend Studio is perhaps the most prevalent. Command line or web interface. Not only HTML, but also .chm or PDF

Documentation phpDocumentor example

Why do I need it? How do i know if somebody did something? How do others know i did something? How do i get my updates from others? How do i push my updates out to others? Do we have the old version? What changed?

What choices exist? Distributor Source Control: Developers works on their own repositories and share changesets Git Darcs Arch Non-Distributed Source Control Developer work on local checkouts, and check in to a central repository Subversion

General Practices Essential INI Settings My Top Two PHP Security Practices

Set magic_quotes = Off There are three php.ini settings that relate to magic_quotes: ; Magic quotes ; ; Magic quotes for incoming GET/POST/Cookie data. magic_quotes_gpc = Off ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc. magic_quotes_runtime = Off ; Use Sybase-style magic quotes (escape ' with '' instead of \'). magic_quotes_sybase = Off Example:- “This is my code’s string” gets converted to “This is my code\’s string”

Set error_reporting = E_ALL | E_STRICT STRICT messages will help you to use the latest and greatest suggested method of coding, for example warn you about using deprecated functions. Available since PHP 5.0 Production: display_errors = Off log_errors = on error_log = path/logs/php_error.log

Set short_open_tag = 0 If you want to use PHP in combination with XML, you can disable this option in order to use <?xml ?> inline. Otherwise, you can print it with PHP, for example: <?php echo '<?xml version="1.0"?>'; ?> Safe to use <?php ?> tag Might be deprecated, But no news yet on php.net Good practice is to use <?php ?> tag

No direct access to the php.ini Use htaccess directive: php_flag php_flag is reserved for boolean values, like register_globals and magic_quotes_gpc. example:- php_flag register_globals Off php_value php_value for things that are not boolean, like error_reporting and error_log. example:- php_value error_log /var/www/logs/php_errors.log

My Top Two PHP Security Practices Top Two PHP Security Practices, expressed in four words: Filter input Escape output - Chris Shiflett

Filter Input Don't trust external data, The rule #1 of every developer Should be "Filter All Foreign Data" With the delivery of PHP 5.2.0, this got a lot easier, because PHP included, by default, the Filter library. Manual - http:// www.php.net /filter Downloads - http://pecl.php.net/get/filter Filter homepage - http://pecl.php.net/filter

Filter library examples $email = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_EMAIL); $age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT); $url = filter_input(INPUT_COOKIE, 'url', FILTER_VALIDATE_URL); $raw_msg = filter_input(INPUT_POST, 'msg', FILTER_UNSAFE_RAW); $options = array('options'=> array('min_range'=>7, 'max_range'=>77)); $age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT,$options); filter_has_var(INPUT_POST, 'submit') is same as isset($_POST['submit'])

With properly filtered input, you're already pretty well protected against malicious attacks. The only remaining step is to escape it such that the format of the input doesn't accidentally interfere with the format of the SQL statement. INSERT INTO MyTable (MyColumn) VALUES ('My Dear Aunt Sally's Picnic Basket') Escaping Output

Escaping Output Use dedicated escaping function provided by the database interface: MySQL mysql_real_escape_string() PostgreSQL pg_escape_string() pg_escape_bytea() SQLite sqlite_escape_string() Other databases ADOdb, qstr function - http://adodb.sourceforge.net/ PEAR, quote function - http://pear.php.net/ http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Questions? Thanks for your attention

Contact Slides will be on slideshare http://slideshare.net/ansarahmed Contact options Email:ansarahmed8@gmail.com/ansarahmed_8@yahoo.co.in Blog: http://ansarahmed.blogspot.com Follow me on twitter: @ansarahmed @phpbangalore

Php Best Practices

More Related Content

Viewers also liked (10)

Similar to Php Best Practices (20)

Recently uploaded (20)

Php Best Practices