
Coding Best practices (PHP)


Best practices and pointers

Published in: Technology

  1. BEST PRACTICES For IT Teams and PHP DEVS
  2. Controllers Should Be Skinny
  3. Abuse SERVICES
  4. ABUSE SERVICES
  5. CONTROLLERS TOO
  6. IOC TIME
  7. RECEIVE AND DON'T ASK
  8. AVOID - new -
  9. BAD, BAD, BAD
  10. GOOD
  11. BETTER
  12. That's all we really have to know
  13. SECURITY
  14. XSS
  15. Sanitize input, and encode output for the context it is written into. URLs: urlencode() / rawurlencode() for query parameters. HTML attribute values: htmlspecialchars() with ENT_QUOTES (so single-quoted attributes are covered too). See: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  16. SQL INJECTION
  17. Dependency injection is nice, SQL injection not so much. ALWAYS use bound parameters. IF you need to build SQL queries, use a query builder; don't "roll your own". Use PDO. For the list in an `IN (...)` clause, bind one placeholder per value, or escape each literal with PDO::quote(); if the values are numbers, cast them with intval() or floatval() first. Do not trust data, even data coming from the database.
  18. Other security tips ● Use secure cookies (http://cookiecontroller.com/internet-cookies/secure-cookies/) ● Sign your cookies & encrypt them! (HttpOnly & Secure attributes + HMAC signature & AES encryption; compute the HMAC over the ciphertext and verify it before decrypting) ● Check on UI and backend (hiding a button is not enough to prevent an action; the authorization check has to run server-side)
  19. UNSORTED
  20. Know your stuff ● DO IT RIGHT: www.phptherightway.com ● DO IT SECURE: https://www.owasp.org/ ● RTFM: http://be2.php.net/manual/en/ ● CS can help: https://sourcemaking.com/
  21. Teams are smarter than individuals ● Reuse components ○ http://symfony.com/components ○ http://www.yiiframework.com/extensions/ ● Don't reinvent the wheel ○ Involve standards ■ https://tools.ietf.org/ ■ http://www.php-fig.org/psr/ ■ https://www.jcp.org/en/jsr/overview (yes, you can borrow from other technologies!) ● Don't re-implement the framework ○ E.g. `$_SERVER['REQUEST_METHOD'] == 'POST' ? $repo->save($user) : $repo->get($user->id)` ● Don't misuse framework hooks (e.g. saving entities in a "validate" method)
  22. Handle errors and unusual activity properly ● Log odd events with at least a "WARNING" level; ● Throw exceptions in exceptional situations; ○ Create your own exceptions unless you can reuse an existing one; ○ Log details that help debugging; ● With good logging, reading the code becomes optional; ● Do not attempt to "automagically" fix a "bad call" ○ If you don't know what to do: good place for throwing an exception! ● Validate input on public methods; ● Every "switch" has to have a "default" case; ● Bail out as early as possible (if ... return)
  23. Tricks ● Feel compelled to write a comment? → make a function! ● Too many indents? → make a function or bail out early! ● Using break? → make a function! ● Need to inherit from more than one class? → use composition! ● Too many controller dependencies? → split your controller! ● Code hard to read? → good naming, functions! ● Trouble using a class? → Don't use magic methods (__get, __invoke, ...)! (Magic methods should be reserved for proxies and other advanced stuff)
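
Slides 7 to 11 ("RECEIVE AND DON'T ASK", "AVOID new", BAD / GOOD / BETTER) carry only their titles in this transcript. The following is an added example, not code from the deck, that puts the three stages side by side: a controller that builds its own collaborator with `new`, one that receives a concrete class, and one that receives an interface. The class names (`SmtpMailer`, `MailerInterface`, `SignupController`, `RecordingMailer`) and the SMTP host are made up for the example; it assumes PHP 8.0 or later for constructor property promotion.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. All class names are hypothetical.

interface MailerInterface
{
    public function send(string $to, string $subject, string $body): bool;
}

final class SmtpMailer implements MailerInterface
{
    public function __construct(private string $host, private int $port) {}

    public function send(string $to, string $subject, string $body): bool
    {
        // A real implementation would talk to $this->host:$this->port; omitted.
        return $to !== '' && $subject !== '';
    }
}

// BAD: the controller *asks* for its collaborator by constructing it.
// Configuration (host, port) leaks into the controller and a test cannot
// swap the mailer for a fake.
final class SignupControllerBad
{
    public function register(string $email): bool
    {
        $mailer = new SmtpMailer('smtp.example.test', 25);
        return $mailer->send($email, 'Welcome', 'Thanks for signing up');
    }
}

// GOOD: the controller *receives* a concrete collaborator, so wiring lives
// in one place (the container), but it is still tied to SMTP.
final class SignupControllerGood
{
    public function __construct(private SmtpMailer $mailer) {}

    public function register(string $email): bool
    {
        return $this->mailer->send($email, 'Welcome', 'Thanks for signing up');
    }
}

// BETTER: the controller depends on an abstraction; the container decides
// which implementation is injected, and tests inject a recording fake.
final class SignupController
{
    public function __construct(private MailerInterface $mailer) {}

    public function register(string $email): bool
    {
        return $this->mailer->send($email, 'Welcome', 'Thanks for signing up');
    }
}

// Test double: records what would have been sent instead of sending it.
final class RecordingMailer implements MailerInterface
{
    /** @var array<int, array{0: string, 1: string}> */
    public array $sent = [];

    public function send(string $to, string $subject, string $body): bool
    {
        $this->sent[] = [$to, $subject];
        return true;
    }
}

$fake = new RecordingMailer();
$controller = new SignupController($fake);
$controller->register('alice@example.test');
echo count($fake->sent), ' mail(s) recorded: ', $fake->sent[0][0], PHP_EOL;
// 1 mail(s) recorded: alice@example.test
```

The same constructor takes `new SmtpMailer(...)` in production and `new RecordingMailer()` in a test; nothing inside the controller changes between the two.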
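
Slide 15 names the two encoders but not the contexts they belong to. The block below is an added example, not code from the deck: it renders the same attacker-controlled value once with raw string interpolation and once with context-specific encoding, following the OWASP cheat sheet the slide links. The input strings are constructed for the example; `attr()`, `urlParam()`, `localPath()`, `renderVulnerable()` and `renderSafe()` are names chosen here.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Helper names are hypothetical.

// Attacker-controlled input (constructed for the example).
$name = '"><script>alert(1)</script>';
$next = '/account?x=1&y=2';

// VULNERABLE: raw interpolation into an HTML attribute and into a URL.
function renderVulnerable(string $name, string $next): string
{
    return '<input name="user" value="' . $name . '">'
         . '<a href="/login?next=' . $next . '">Login</a>';
}

// HTML attribute / text context. ENT_QUOTES also encodes the single quote,
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole string into ''.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URL query-parameter context: RFC 3986 percent-encoding.
function urlParam(string $s): string
{
    return rawurlencode($s);
}

// Encoding stops script injection; it does not make a URL *safe to follow*.
// If the value is a redirect target, also validate it (local path only),
// otherwise an attacker supplies "//evil.example" and gets an open redirect.
function localPath(string $s): string
{
    return (str_starts_with($s, '/') && !str_starts_with($s, '//')) ? $s : '/';
}

function renderSafe(string $name, string $next): string
{
    $href = '/login?next=' . urlParam(localPath($next));
    // The URL is built in URL context first, then encoded again for the
    // attribute it is placed in (nested contexts, inner first).
    return '<input name="user" value="' . attr($name) . '">'
         . '<a href="' . attr($href) . '">Login</a>';
}

echo renderVulnerable($name, $next), PHP_EOL;
// <input name="user" value=""><script>alert(1)</script>"> ...  (script runs)
echo renderSafe($name, $next), PHP_EOL;
// <input name="user" value="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">
// <a href="/login?next=%2Faccount%3Fx%3D1%26y%3D2">Login</a>
echo renderSafe('bob', '//evil.example/phish'), PHP_EOL;
// ... <a href="/login?next=%2F">Login</a>   (redirect target rejected)
```

`str_starts_with()` needs PHP 8.0; on older versions use `strpos($s, '/') === 0`. The encoder to call is decided by where the output lands (attribute, URL, JavaScript, CSS), never by where the input came from, which is why "sanitize input" on its own is not enough.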
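
Slide 17 gives the rules (bound parameters, PDO, `intval()` for numeric `IN` lists) without showing them applied. The block below is an added example, not code from the deck. It uses an in-memory SQLite database through PDO so it runs offline; the table, its three rows and the injection payload are constructed for the example, and the function names are chosen here.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Schema, rows and payload are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users VALUES (1,'alice','user'),(2,'bob','admin'),(3,'eve','user')");

// VULNERABLE: the value is spliced into the SQL text, so a quote in the
// input ends the literal and the rest is parsed as SQL.
function findByNameVulnerable(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: bound parameter. The value travels separately from the statement
// and is never parsed as SQL, whatever characters it contains.
function findByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// IN (...) cannot take one bound array, so generate one placeholder per
// element. Every element is cast with intval() first (the slide's advice):
// junk becomes 0 and simply matches no row.
function findByIds(PDO $pdo, array $ids): array
{
    $ids = array_map('intval', $ids);
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE id IN ($placeholders)");
    $stmt->execute(array_values($ids));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "x' OR '1'='1";
echo count(findByNameVulnerable($pdo, $payload)), PHP_EOL; // 3: every row leaks
echo count(findByName($pdo, $payload)), PHP_EOL;           // 0: no user is named that

print_r(findByIds($pdo, ['2', '3; DROP TABLE users', 'abc']));
// intval() turns the list into [2, 3, 0]: bob and eve are returned, the
// "DROP TABLE" tail never reaches the parser.
```

With MySQL, add `$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false)` so the driver uses server-side prepared statements instead of escaping values client-side; SQLite does not support that attribute, which is why it is left out above.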
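
Slide 18 asks for cookies that are signed, encrypted and flagged HttpOnly and Secure. The block below is an added example, not code from the deck, of the AES + HMAC construction the slide describes, done encrypt-then-MAC with the MAC verified before any decryption. The two 32-byte keys are constructed for the example and would come from secret storage in real code; `sealCookie()` and `openCookie()` are names chosen here. It assumes the OpenSSL extension and PHP 7.3 or later for the array form of `setcookie()`.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Keys below are placeholders for the
// example only; load real keys from configuration or a secret store.
const ENC_KEY = '0123456789abcdef0123456789abcdef';   // 32 bytes for AES-256
const MAC_KEY = 'fedcba9876543210fedcba9876543210';   // a separate key for HMAC

function sealCookie(array $payload): string
{
    $plain = json_encode($payload, JSON_THROW_ON_ERROR);
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plain, 'aes-256-cbc', ENC_KEY, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // The MAC covers IV and ciphertext, so neither can be altered unnoticed.
    $mac = hash_hmac('sha256', $iv . $ct, MAC_KEY, true);
    return base64_encode($iv . $ct . $mac);
}

function openCookie(string $cookie): ?array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < 16 + 32) {
        return null;
    }
    $mac = substr($raw, -32);
    $ivAndCt = substr($raw, 0, -32);
    // Constant-time comparison, and verify BEFORE decrypting: a tampered
    // cookie is rejected without ever reaching the CBC padding check.
    if (!hash_equals(hash_hmac('sha256', $ivAndCt, MAC_KEY, true), $mac)) {
        return null;
    }
    $iv = substr($ivAndCt, 0, 16);
    $ct = substr($ivAndCt, 16);
    $plain = openssl_decrypt($ct, 'aes-256-cbc', ENC_KEY, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        return null;
    }
    return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

$sealed = sealCookie(['uid' => 42, 'role' => 'user']);

// The attributes from the slide: sent only over TLS, invisible to
// JavaScript, and (SameSite) not attached to cross-site requests.
if (PHP_SAPI !== 'cli') {
    setcookie('session', $sealed, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

var_dump(openCookie($sealed));   // array(2) { ["uid"]=> int(42) ["role"]=> string(4) "user" }

// Flip one ciphertext byte: the MAC check fails and nothing is decrypted.
$tampered = base64_decode($sealed);
$tampered[20] = chr(ord($tampered[20]) ^ 0x01);
var_dump(openCookie(base64_encode($tampered)));   // NULL
```

Encrypting hides the payload from the user; the HMAC is what stops them from editing `role` to `admin`. With a recent PHP and OpenSSL, `aes-256-gcm` gives both in one primitive (pass a `$tag` to `openssl_encrypt()`/`openssl_decrypt()`), but the slide's AES + HMAC pairing is shown here because it is what the slide names.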
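
Slide 22 lists its error-handling rules one per bullet. The block below is an added example, not code from the deck, that applies them together in one small state machine: input validated on the public method, early bail-out, a domain-specific exception with a debuggable message, a `default` case that fails closed, and a WARNING logged for an odd but harmless call instead of an "automagic" fix. `OrderStateMachine`, `InvalidTransitionException` and the minimal `Logger` (a stand-in for a PSR-3 logger) are names chosen for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Class names are hypothetical; Logger
// is a minimal stand-in for a PSR-3 logger so the example runs alone.

final class InvalidTransitionException extends DomainException
{
    public function __construct(string $from, string $to)
    {
        // The detail that helps debugging goes into the message.
        parent::__construct(sprintf('cannot move order from "%s" to "%s"', $from, $to));
    }
}

final class Logger
{
    /** @var string[] */
    public array $lines = [];

    public function warning(string $message, array $context = []): void
    {
        $this->lines[] = 'WARNING ' . $message . ' ' . json_encode($context);
    }
}

final class OrderStateMachine
{
    private const STATES = ['new', 'paid', 'shipped', 'cancelled'];

    public function __construct(private Logger $log) {}

    public function transition(string $from, string $to): string
    {
        // Validate input on the public method, and bail out early.
        if (!in_array($from, self::STATES, true) || !in_array($to, self::STATES, true)) {
            throw new InvalidArgumentException("unknown state in transition $from -> $to");
        }
        if ($from === $to) {
            // Odd but harmless: log it at WARNING rather than silently "fixing" it.
            $this->log->warning('no-op transition requested', ['state' => $from]);
            return $to;
        }
        switch ($from) {
            case 'new':
                return $this->allow($from, $to, ['paid', 'cancelled']);
            case 'paid':
                return $this->allow($from, $to, ['shipped', 'cancelled']);
            default:
                // shipped and cancelled are terminal. The default case also
                // catches any state added later that this switch was not
                // updated for: unknown means refuse, not guess.
                throw new InvalidTransitionException($from, $to);
        }
    }

    /** @param string[] $allowed */
    private function allow(string $from, string $to, array $allowed): string
    {
        if (!in_array($to, $allowed, true)) {
            throw new InvalidTransitionException($from, $to);
        }
        return $to;
    }
}

$log = new Logger();
$fsm = new OrderStateMachine($log);

echo $fsm->transition('new', 'paid'), PHP_EOL;   // paid
$fsm->transition('paid', 'paid');                // logged, not thrown
try {
    $fsm->transition('shipped', 'new');
} catch (InvalidTransitionException $e) {
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
    // InvalidTransitionException: cannot move order from "shipped" to "new"
}
print_r($log->lines);
// [0] => WARNING no-op transition requested {"state":"paid"}
```

The `default` branch is the security-relevant line: a state the code does not recognise is treated as a refused transition, so adding a new state later cannot silently open a path the author never reviewed.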
