PHP Best Practices Bangalore PHP Users Meetup 31 st October 2009 http://www.meetup.com/Bangalore-PHP-Users

Overview About this talk Coding Standard Documentation Sub Version General Practices

About this talk

Coding Standard

Documentation

Sub Version

General Practices

About this talk Common good practises for coding PHP Tips for clean PHP code How to avoid common mistakes Tricks and Tips Tools to ease your work

Common good practises for coding PHP

Tips for clean PHP code

How to avoid common mistakes

Tricks and Tips

Tools to ease your work

Use a Coding Standard

Why use coding standard? Consistency Readability Maintainability Collaboration

Consistency

Readability

Maintainability

Collaboration

Okay, I’LL Create one…

Learn from others Don’t invent your own standard. All the issue has been debated to death. Use an established standard Stick to an standard you establish, don’t mix

Don’t invent your own standard. All the issue has been debated to death.

Use an established standard

Stick to an standard you establish, don’t mix

What choices exist? PEAR Coding Standards http://pear.php.net/manual/en/standards.php Zend Framework Coding Standards http://framework.zend.com/manual/en/coding-standard.html eZcomponents Coding Standards http://ez.no/products/ez_publish/documentation/development/standards/php

PEAR Coding Standards

http://pear.php.net/manual/en/standards.php

Zend Framework Coding Standards

http://framework.zend.com/manual/en/coding-standard.html

eZcomponents Coding Standards

http://ez.no/products/ez_publish/documentation/development/standards/php

Some Zend Framework standards Derived from PEAR standards One class, one file Underscore in class name map to directory separators: Zend_Controller_Action: Zend/Controller/Action.php

Derived from PEAR standards

One class, one file

Underscore in class name map to directory separators:

Zend_Controller_Action:

Zend/Controller/Action.php

Some Zend Framework standards Naming conventions: Class name are MixedCase – Zend_Pdf Method name are camelCase - filterInput() Constants are ALL_CAPS – SET_TIME Properties and variables are camelCase Private and protected member are _underscorePrefixed

Naming conventions:

Class name are MixedCase – Zend_Pdf

Method name are camelCase - filterInput()

Constants are ALL_CAPS – SET_TIME

Properties and variables are camelCase

Private and protected member are _underscorePrefixed

Some Zend Framework standards Layout Conventions: No closing ?> tag for files containing only code Indentation: spaces only, no tabs;4 spaces per level of indentation No shell style comments(#) Keep lines no more than 75-80 characters long

Layout Conventions:

No closing ?> tag for files containing only code

Indentation: spaces only, no tabs;4 spaces per level of indentation

No shell style comments(#)

Keep lines no more than 75-80 characters long

Example

Any tool to check coding standards? PHP_CodeSniffer is one such tool: PHP_CodeSniffer is a PHP5 script that tokenises and "sniffs" PHP, JavaScript and CSS files to detect violations of a defined coding standard. Your own coding standards. Subversion integration http://pear.php.net/manual/en/package.php.php-codesniffer.php

PHP_CodeSniffer is one such tool:

PHP_CodeSniffer is a PHP5 script that tokenises and "sniffs" PHP, JavaScript and CSS files to detect violations of a defined coding standard.

Your own coding standards.

Subversion integration

http://pear.php.net/manual/en/package.php.php-codesniffer.php

PHP_CodeSniffer Example Default uses PEAR style coding standard

PHP_CodeSniffer Example

Documentation

Documentation Documentation is the most boring work Don't have time!

Documentation is the

most boring work

Don't have time!

Documentation You don’t have time to code? Re-read your code 6 month after you wrote it! Think about people who have to use your code Code should communicate its purpose The better the names, the fewer comments.

You don’t have time to code?

Re-read your code 6 month after you wrote it!

Think about people who have to use your code

Code should communicate its purpose

The better the names, the fewer comments.

What choices exist? Source Documentation phpDocumentor http://phpdoc.org Doxygen http:// www.stack.nl/~dimitri/doxygen / End User Documentation DocBook http://www.docbook.org/

Source Documentation

phpDocumentor

http://phpdoc.org

Doxygen

http:// www.stack.nl/~dimitri/doxygen /

End User Documentation

DocBook

http://www.docbook.org/

Documentation phpDocumentor Derived from Javadoc, written in PHP. phpDocumentor tags are the most used standard for generating documentation from php source code Other documentation generators, such as Doxygen, support these same tags. Don’t invent your own tags. Supported by a number of different IDEs. Zend Studio is perhaps the most prevalent. Command line or web interface. Not only HTML, but also .chm or PDF

phpDocumentor

Derived from Javadoc, written in PHP.

phpDocumentor tags are the most used standard for generating documentation from php source code

Other documentation generators, such as Doxygen, support these same tags. Don’t invent your own tags.

Supported by a number of different IDEs. Zend Studio is perhaps the most prevalent.

Command line or web interface.

Not only HTML, but also .chm or PDF

Documentation phpDocumentor example

phpDocumentor example

Documentation phpDocumentor example

phpDocumentor example

Documentation

Documentation

Source Control

Why do I need it? How do i know if somebody did something? How do others know i did something? How do i get my updates from others? How do i push my updates out to others? Do we have the old version? What changed?

How do i know if somebody did something?

How do others know i did something?

How do i get my updates from others?

How do i push my updates out to others?

Do we have the old version?

What changed?

What choices exist? Distributor Source Control: Developers works on their own repositories and share changesets Git Darcs Arch Non-Distributed Source Control Developer work on local checkouts, and check in to a central repository Subversion

Distributor Source Control:

Developers works on their own repositories and share changesets

Git

Darcs

Arch

Non-Distributed Source Control

Developer work on local checkouts, and check in to a central repository

Subversion

Please enter commit message

General Practices Essential INI Settings My Top Two PHP Security Practices

Essential INI Settings

My Top Two PHP Security

Practices

Set register_globals = Off

Set magic_quotes = Off There are three php.ini settings that relate to magic_quotes: ; Magic quotes ; ; Magic quotes for incoming GET/POST/Cookie data. magic_quotes_gpc = Off ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc. magic_quotes_runtime = Off ; Use Sybase-style magic quotes (escape ' with '' instead of '). magic_quotes_sybase = Off Example:- “This is my code’s string” gets converted to “This is my code’s string”

There are three php.ini settings that relate to magic_quotes:

; Magic quotes

;

; Magic quotes for incoming GET/POST/Cookie data.

magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.

magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of ').

magic_quotes_sybase = Off

Example:- “This is my code’s string” gets converted to “This is my code’s string”

Set error_reporting = E_ALL | E_STRICT STRICT messages will help you to use the latest and greatest suggested method of coding, for example warn you about using deprecated functions. Available since PHP 5.0 Production: display_errors = Off log_errors = on error_log = path/logs/php_error.log

STRICT messages will help you to use the latest and greatest suggested method of coding, for example warn you about using deprecated functions.

Available since PHP 5.0

Production:

display_errors = Off

log_errors = on

error_log = path/logs/php_error.log

Set short_open_tag = 0 If you want to use PHP in combination with XML, you can disable this option in order to use <?xml ?> inline. Otherwise, you can print it with PHP, for example: <?php echo '<?xml version=&quot;1.0&quot;?>'; ?> Safe to use <?php ?> tag Might be deprecated, But no news yet on php.net Good practice is to use <?php ?> tag

If you want to use PHP in combination with XML, you can disable this option in order to use <?xml ?> inline.

Otherwise, you can print it with PHP, for example: <?php echo '<?xml version=&quot;1.0&quot;?>'; ?>

Safe to use <?php ?> tag

Might be deprecated, But no news yet on php.net

Good practice is to use <?php ?> tag

No direct access to the php.ini Use htaccess directive: php_flag php_flag is reserved for boolean values, like register_globals and magic_quotes_gpc. example:- php_flag register_globals Off php_value php_value for things that are not boolean, like error_reporting and error_log. example:- php_value error_log /var/www/logs/php_errors.log

Use htaccess directive:

php_flag

php_flag is reserved for boolean values, like register_globals and magic_quotes_gpc.

example:- php_flag register_globals Off

php_value

php_value for things that are not boolean, like error_reporting and error_log.

example:- php_value error_log /var/www/logs/php_errors.log

My Top Two PHP Security Practices Top Two PHP Security Practices, expressed in four words: Filter input Escape output - Chris Shiflett

Top Two PHP Security Practices, expressed in

four words:

Filter input

Escape output

- Chris Shiflett

Filter Input Don't trust external data, The rule #1 of every developer Should be &quot;Filter All Foreign Data&quot; With the delivery of PHP 5.2.0, this got a lot easier, because PHP included, by default, the Filter library. Manual - http:// www.php.net /filter Downloads - http://pecl.php.net/get/filter Filter homepage - http://pecl.php.net/filter

Don't trust external data, The rule #1 of every developer Should be &quot;Filter All Foreign Data&quot;

With the delivery of PHP 5.2.0, this got a lot easier, because PHP included, by default, the Filter library.

Manual - http:// www.php.net /filter

Downloads - http://pecl.php.net/get/filter

Filter homepage - http://pecl.php.net/filter

Filter library examples $email = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_EMAIL); $age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT); $url = filter_input(INPUT_COOKIE, 'url', FILTER_VALIDATE_URL); $raw_msg = filter_input(INPUT_POST, 'msg', FILTER_UNSAFE_RAW); $options = array('options'=> array('min_range'=>7, 'max_range'=>77)); $age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT,$options); filter_has_var(INPUT_POST, 'submit') is same as isset($_POST['submit'])

$email = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_EMAIL);

$age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT);

$url = filter_input(INPUT_COOKIE, 'url', FILTER_VALIDATE_URL);

$raw_msg = filter_input(INPUT_POST, 'msg', FILTER_UNSAFE_RAW);

$options = array('options'=> array('min_range'=>7, 'max_range'=>77));

$age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT,$options);

filter_has_var(INPUT_POST, 'submit')

is same as

isset($_POST['submit'])

With properly filtered input, you're already pretty well protected against malicious attacks. The only remaining step is to escape it such that the format of the input doesn't accidentally interfere with the format of the SQL statement. INSERT INTO MyTable (MyColumn) VALUES ('My Dear Aunt Sally's Picnic Basket') Escaping Output

With properly filtered input, you're already pretty well protected against malicious attacks.

The only remaining step is to escape it such that the format of the input doesn't accidentally interfere with the format of the SQL statement.

INSERT INTO MyTable (MyColumn) VALUES ('My Dear Aunt Sally's Picnic Basket')

Escaping Output Use dedicated escaping function provided by the database interface: MySQL mysql_real_escape_string() PostgreSQL pg_escape_string() pg_escape_bytea() SQLite sqlite_escape_string() Other databases ADOdb, qstr function - http://adodb.sourceforge.net/ PEAR, quote function - http://pear.php.net/ http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Use dedicated escaping function provided by the database

interface:

MySQL

mysql_real_escape_string()

PostgreSQL

pg_escape_string()

pg_escape_bytea()

SQLite

sqlite_escape_string()

Other databases

ADOdb, qstr function - http://adodb.sourceforge.net/

PEAR, quote function - http://pear.php.net/

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Questions? Thanks for your attention

Thanks for your attention

Contact Slides will be on slideshare http://slideshare.net/ansarahmed Contact options Email:ansarahmed8@gmail.com/ansarahmed_8@yahoo.co.in Blog: http://ansarahmed.blogspot.com Follow me on twitter: @ansarahmed @phpbangalore

Slides will be on slideshare

http://slideshare.net/ansarahmed

Contact options

Email:ansarahmed8@gmail.com/ansarahmed_8@yahoo.co.in

Blog: http://ansarahmed.blogspot.com

Follow me on twitter:

@ansarahmed

@phpbangalore