Php Best Practices


Covered some of the Best Practices.



  1. PHP Best Practices, Bangalore PHP Users Meetup, 31st October 2009
  2. Overview
     - About this talk
     - Coding Standard
     - Documentation
     - Subversion
     - General Practices
  3. About this talk
     - Common good practices for coding PHP
     - Tips for clean PHP code
     - How to avoid common mistakes
     - Tricks and tips
     - Tools to ease your work
  4. Use a Coding Standard
  5. Why use a coding standard?
     - Consistency
     - Readability
     - Maintainability
     - Collaboration
  6. Okay, I'll create one...
  7. Learn from others
     - Don't invent your own standard. All the issues have been debated to death.
     - Use an established standard.
     - Stick to the standard you establish; don't mix.
  8. What choices exist?
     - PEAR Coding Standards
     - Zend Framework Coding Standards
     - eZ Components Coding Standards
  9. Some Zend Framework standards
     - Derived from the PEAR standards
     - One class, one file
     - Underscores in class names map to directory separators: Zend_Controller_Action lives in Zend/Controller/Action.php
  10. Some Zend Framework standards: naming conventions
     - Class names are MixedCase: Zend_Pdf
     - Method names are camelCase: filterInput()
     - Constants are ALL_CAPS: SET_TIME
     - Properties and variables are camelCase
     - Private and protected members are _underscorePrefixed
  11. Some Zend Framework standards: layout conventions
     - No closing ?> tag for files containing only code
     - Indentation: spaces only, no tabs; 4 spaces per level of indentation
     - No shell-style comments (#)
     - Keep lines no more than 75-80 characters long
  12. Example
  13. Any tool to check coding standards?
     - PHP_CodeSniffer is one such tool: a PHP5 script that tokenises and "sniffs" PHP, JavaScript and CSS files to detect violations of a defined coding standard.
     - Supports your own coding standards.
     - Subversion integration
  14. PHP_CodeSniffer example: by default it uses the PEAR coding standard
  15. PHP_CodeSniffer example
  16. Documentation
  17. Documentation
     - Documentation is the most boring work
     - Don't have time!
  18. Documentation
     - You don't have time to code?
     - Re-read your code 6 months after you wrote it!
     - Think about the people who have to use your code
     - Code should communicate its purpose
     - The better the names, the fewer comments.
  19. What choices exist?
     - Source documentation: phpDocumentor, Doxygen
     - End-user documentation: DocBook
  20. Documentation: phpDocumentor
     - Derived from Javadoc, written in PHP.
     - phpDocumentor tags are the most widely used standard for generating documentation from PHP source code.
     - Other documentation generators, such as Doxygen, support the same tags. Don't invent your own tags.
     - Supported by a number of IDEs; Zend Studio is perhaps the most prevalent.
     - Command line or web interface.
     - Output not only as HTML, but also as .chm or PDF.
  21. Documentation: phpDocumentor example
  22. Documentation: phpDocumentor example
  23. Documentation
  24. Documentation
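The class-to-path mapping from slide 9 and the phpDocumentor tags from slide 20, as one added example that is not from the presentation: a small autoloader written to the Zend layout conventions above (no closing tag, 4-space indent, camelCase names) and documented with the standard tags. The function names and the library directory are my own assumptions.

```php
<?php
/**
 * Map a Zend-style class name to the file that holds it.
 *
 * One class, one file: each underscore becomes a directory separator,
 * so Zend_Controller_Action maps to Zend/Controller/Action.php.
 *
 * @param  string $className Class name in MixedCase with underscore separators
 * @return string            Path relative to the library directory
 * @throws InvalidArgumentException If the name breaks the naming convention
 */
function classNameToPath($className)
{
    // Accept only what the naming convention allows. This also rejects
    // "../" and similar, so a class name taken from untrusted input cannot
    // be turned into a path outside the library directory.
    if (!preg_match('/^[A-Z][A-Za-z0-9]*(?:_[A-Z][A-Za-z0-9]*)*\z/', $className)) {
        throw new InvalidArgumentException("Invalid class name: $className");
    }
    return str_replace('_', '/', $className) . '.php';
}

/**
 * Autoloader that requires the mapped file when it exists under ./library.
 *
 * @param  string $className Class being loaded
 * @return void
 */
function zendStyleAutoload($className)
{
    $libraryDir = __DIR__ . '/library';   // assumption: library sits next to this file
    try {
        $file = $libraryDir . '/' . classNameToPath($className);
    } catch (InvalidArgumentException $e) {
        return;   // not ours to load; let any other registered autoloader try
    }
    if (is_file($file)) {
        require_once $file;
    }
}
spl_autoload_register('zendStyleAutoload');

// Usage: the mapping for a conforming class name, then a name that breaks the convention.
echo classNameToPath('Zend_Controller_Action'), "\n";
try {
    classNameToPath('../Secret_Config');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```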
  25. Source Control
  26. Why do I need it?
     - How do I know if somebody did something?
     - How do others know I did something?
     - How do I get my updates from others?
     - How do I push my updates out to others?
     - Do we have the old version?
     - What changed?
  27. What choices exist?
     - Distributed source control: developers work on their own repositories and share changesets
       - Git
       - Darcs
       - Arch
     - Non-distributed source control: developers work on local checkouts and check in to a central repository
       - Subversion
  28. Please enter commit message
  29. General Practices
     - Essential INI settings
     - My top two PHP security practices
  30. Set register_globals = Off
  31. Set magic_quotes = Off
     - There are three php.ini settings that relate to magic_quotes:
         ; Magic quotes
         ;
         ; Magic quotes for incoming GET/POST/Cookie data.
         magic_quotes_gpc = Off
         ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
         magic_quotes_runtime = Off
         ; Use Sybase-style magic quotes (escape ' with '' instead of \').
         magic_quotes_sybase = Off
     - Example: with magic quotes on, "This is my code's string" gets converted to "This is my code\'s string"
  32. Set error_reporting = E_ALL | E_STRICT
     - E_STRICT messages help you use the latest and greatest suggested coding methods, for example by warning you about deprecated functions.
     - Available since PHP 5.0
     - Production:
       - display_errors = Off
       - log_errors = On
       - error_log = path/logs/php_error.log
  33. Set short_open_tag = 0
     - If you want to use PHP in combination with XML, disable this option so you can use <?xml ?> inline.
     - Otherwise, you can print it with PHP, for example: <?php echo '<?xml version="1.0"?>'; ?>
     - Safe to use the <?php ?> tag
     - Might be deprecated, but no news yet on
     - Good practice is to use the <?php ?> tag
  34. No direct access to php.ini
     - Use .htaccess directives:
     - php_flag is reserved for boolean values, like register_globals and magic_quotes_gpc. Example: php_flag register_globals Off
     - php_value is for things that are not boolean, like error_reporting and error_log. Example: php_value error_log /var/www/logs/php_errors.log
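A check that the INI values from slides 30 to 34 are actually in effect at runtime, as an added example that is not part of the talk: whether they come from php.ini or from .htaccess php_flag/php_value lines, ini_get() and error_reporting() report the result. The function names are my own.

```php
<?php
/**
 * Report which of the php.ini settings recommended in the slides are not in
 * effect for the running PHP. Function names here are my own.
 *
 * @return array Human-readable findings; empty means every check passed
 */
function auditIniSettings()
{
    $findings = array();
    // Boolean directives that should be Off. ini_get() returns false for a
    // directive this PHP build no longer knows (register_globals and the
    // magic_quotes_* settings were removed in PHP 5.4); that counts as Off.
    $mustBeOff = array('register_globals', 'magic_quotes_gpc', 'magic_quotes_runtime',
                       'magic_quotes_sybase', 'short_open_tag', 'display_errors');
    foreach ($mustBeOff as $directive) {
        $value = ini_get($directive);
        if ($value !== false && iniFlagIsOn($value)) {
            $findings[] = "$directive should be Off (currently '$value')";
        }
    }
    // Production: errors belong in a log file, not in the browser.
    if (!iniFlagIsOn(ini_get('log_errors'))) {
        $findings[] = 'log_errors should be On';
    }
    if ((string) ini_get('error_log') === '') {
        $findings[] = 'error_log should name a log file, e.g. path/logs/php_error.log';
    }
    // E_STRICT was folded into E_ALL in PHP 5.4; older versions need it added.
    $wanted = E_ALL;
    if (version_compare(PHP_VERSION, '5.4.0', '<')) {
        $wanted |= E_STRICT;
    }
    if ((error_reporting() & $wanted) !== $wanted) {
        $findings[] = 'error_reporting should be E_ALL | E_STRICT';
    }
    return $findings;
}

/** Normalise the spellings php.ini/php_flag accept for "on" ("stderr"/"stdout"
 *  are the extra values display_errors accepts, and they also mean on). @return bool */
function iniFlagIsOn($value)
{
    $on = array('1', 'on', 'yes', 'true', 'stdout', 'stderr');
    return in_array(strtolower((string) $value), $on, true);
}

foreach (auditIniSettings() as $finding) {
    echo "[!] $finding\n";
}
```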
  35. My Top Two PHP Security Practices
     - Top two PHP security practices, expressed in four words:
     - Filter input
     - Escape output
     - (Chris Shiflett)
  36. Filter Input
     - Don't trust external data. Rule #1 of every developer should be "Filter All Foreign Data".
     - With the delivery of PHP 5.2.0 this got a lot easier, because PHP includes the Filter extension by default.
     - Manual - http:// /filter
     - Downloads -
     - Filter homepage -
  37. Filter library examples
         $email   = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_EMAIL);
         $age     = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT);
         $url     = filter_input(INPUT_COOKIE, 'url', FILTER_VALIDATE_URL);
         $raw_msg = filter_input(INPUT_POST, 'msg', FILTER_UNSAFE_RAW);
         $options = array('options' => array('min_range' => 7, 'max_range' => 77));
         $age     = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT, $options);
     - filter_has_var(INPUT_POST, 'submit') is the same as isset($_POST['submit'])
  38. Escaping Output
     - With properly filtered input, you're already pretty well protected against malicious attacks.
     - The only remaining step is to escape it so that the format of the input doesn't accidentally interfere with the format of the SQL statement:
         INSERT INTO MyTable (MyColumn) VALUES ('My Dear Aunt Sally's Picnic Basket')
  39. Escaping Output
     - Use the dedicated escaping function provided by the database interface:
       - MySQL: mysql_real_escape_string()
       - PostgreSQL: pg_escape_string(), pg_escape_bytea()
       - SQLite: sqlite_escape_string()
       - Other databases: ADOdb qstr() function; PEAR quote() function
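"Filter input, escape output" carried through end to end, as an added example that is not from the slides: the fields from slide 37 are validated with the same filters, then the accepted values are escaped for SQL with the database interface's own quoting function (PDO::quote() here, the PDO counterpart of the functions on slide 39) and, going one step beyond the slides, for HTML. A constructed array stands in for $_POST so it runs offline, and an in-memory SQLite database is assumed (pdo_sqlite extension).

```php
<?php
// Constructed request data standing in for $_POST; filter_input(INPUT_POST, ...)
// applies exactly the same filters to a live request.
$request = array(
    'name' => 'alice@example.com',
    'age'  => '42',
    'url'  => 'example.com/path',                   // no scheme: fails FILTER_VALIDATE_URL
    'msg'  => "My Dear Aunt Sally's <b>Picnic</b> Basket",
);

$definition = array(
    'name' => FILTER_VALIDATE_EMAIL,
    'age'  => array('filter'  => FILTER_VALIDATE_INT,
                    'options' => array('min_range' => 7, 'max_range' => 77)),
    'url'  => FILTER_VALIDATE_URL,
    'msg'  => FILTER_UNSAFE_RAW,   // kept as-is, so it MUST be escaped before use
);

// Like filter_input(): invalid values become false, missing keys become null.
$clean = filter_var_array($request, $definition);

foreach (array('name', 'age', 'url') as $field) {
    if ($clean[$field] === false) {
        echo "Rejected $field: {$request[$field]}\n";
    }
}

// Escaping for SQL: PDO::quote() wraps the value in quotes and doubles the
// apostrophe in "Sally's", so the input cannot end the string literal early.
// Assumes the pdo_sqlite extension; nothing external is needed.
$pdo = new PDO('sqlite::memory:');
$sql = 'INSERT INTO MyTable (MyColumn) VALUES (' . $pdo->quote($clean['msg']) . ')';
echo $sql, "\n";

// Escaping for HTML: the same raw value shown in a page must not be rendered as
// markup, so the <b> tag becomes &lt;b&gt; and the apostrophe becomes an entity.
$html = htmlspecialchars($clean['msg'], ENT_QUOTES, 'UTF-8');
echo $html, "\n";
```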
  40. Questions?
     - Thanks for your attention
  41. Contact
     - Slides will be on SlideShare
     - Contact options
       - Blog:
     - Follow me on Twitter:
       - @ansarahmed
       - @phpbangalore