Post on 15-Jan-2015
PHP Best Practices
Bangalore PHP Users Meetup
31st October 2009
http://www.meetup.com/Bangalore-PHP-Users
Overview
► About this talk
► Coding Standard
► Documentation
► Subversion
► General Practices
About this talk
► Common good practices for coding PHP
► Tips for clean PHP code
► How to avoid common mistakes
► Tricks and tips
► Tools to ease your work
Use a Coding Standard
Why use a coding standard?
► Consistency
► Readability
► Maintainability
► Collaboration
Okay, I'll create one…
Learn from others
Don't invent your own standard. All the issues have been debated to death.
Use an established standard.
Stick to the standard you establish; don't mix.
What choices exist?
► PEAR Coding Standards
  http://pear.php.net/manual/en/standards.php
► Zend Framework Coding Standards
  http://framework.zend.com/manual/en/coding-standard.html
► eZcomponents Coding Standards
  http://ez.no/products/ez_publish/documentation/development/standards/php
Some Zend Framework standards
► Derived from PEAR standards
► One class, one file
► Underscores in class names map to directory separators:
  Zend_Controller_Action -> Zend/Controller/Action.php
Some Zend Framework standards
Naming conventions:
► Class names are MixedCase: Zend_Pdf
► Method names are camelCase: filterInput()
► Constants are ALL_CAPS: SET_TIME
► Properties and variables are camelCase
► Private and protected members are _underscorePrefixed
Some Zend Framework standards
Layout conventions:
► No closing ?> tag for files containing only code
► Indentation: spaces only, no tabs; 4 spaces per level of indentation
► No shell-style comments (#)
► Keep lines no more than 75-80 characters long
Example
Any tool to check coding standards?
PHP_CodeSniffer is one such tool:
► PHP_CodeSniffer is a PHP5 script that tokenises and "sniffs" PHP, JavaScript and CSS files to detect violations of a defined coding standard.
► Supports your own coding standards.
► Subversion integration
► http://pear.php.net/manual/en/package.php.php-codesniffer.php
PHP_CodeSniffer example
By default it uses the PEAR coding standard.
Documentation
► Documentation is the most boring work
► Don't have time!
Documentation
► You don't have time to code?
► Re-read your code 6 months after you wrote it!
► Think about the people who have to use your code
► Code should communicate its purpose
► The better the names, the fewer comments.
What choices exist?
► Source documentation
  phpDocumentor: http://phpdoc.org
  Doxygen: http://www.stack.nl/~dimitri/doxygen/
► End-user documentation
  DocBook: http://www.docbook.org/
Documentation
phpDocumentor
► Derived from Javadoc, written in PHP.
► phpDocumentor tags are the most widely used standard for generating documentation from PHP source code.
► Other documentation generators, such as Doxygen, support these same tags. Don't invent your own tags.
► Supported by a number of different IDEs; Zend Studio is perhaps the most prevalent.
► Command line or web interface.
► Output is not only HTML, but also .chm or PDF.
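The phpDocumentor example slides did not survive extraction, so here is an added illustration (not the slides' own code, and not Zend Framework code): a small class written to the Zend naming and layout conventions listed above (MixedCase class, camelCase methods, ALL_CAPS constant, _underscorePrefixed protected member, 4-space indent, no closing tag) and documented with phpDocumentor tags. It implements the class-name-to-path mapping the slides describe. The class name Demo_ClassLoader, the base directory and the identifier pattern are assumptions.

```php
<?php
/**
 * Maps class names to file paths using the Zend Framework convention
 * (Zend_Controller_Action -> Zend/Controller/Action.php).
 *
 * Added example, not from the slides or the Zend Framework. The class
 * name Demo_ClassLoader and the base directory are constructed.
 *
 * @package Demo
 */
class Demo_ClassLoader
{
    /** Letters, digits and underscores only; rejects '..', '/' and '\'. */
    const CLASS_NAME_PATTERN = '/^[A-Za-z][A-Za-z0-9_]*$/';

    /**
     * Directory that holds the top-level folders (e.g. Zend/).
     *
     * @var string
     */
    protected $_baseDir;

    /**
     * @param string $baseDir Root directory for class files
     */
    public function __construct($baseDir)
    {
        $this->_baseDir = rtrim($baseDir, '/');
    }

    /**
     * Convert a class name to the path of the file expected to define it.
     *
     * @param  string $className e.g. 'Zend_Controller_Action'
     * @return string            e.g. '/var/www/lib/Zend/Controller/Action.php'
     * @throws InvalidArgumentException if the name is not a plain identifier
     */
    public function classToPath($className)
    {
        // A class name that reaches an autoloader may originate from user
        // input (a "type" request parameter, unserialize()), so validate it
        // before it is used to build a filesystem path.
        if (!preg_match(self::CLASS_NAME_PATTERN, $className)) {
            throw new InvalidArgumentException("Invalid class name: $className");
        }
        return $this->_baseDir . '/' . str_replace('_', '/', $className) . '.php';
    }

    /**
     * Autoload callback for spl_autoload_register().
     *
     * @param  string $className
     * @return void
     */
    public function loadClass($className)
    {
        $file = $this->classToPath($className);
        if (is_file($file)) {
            require $file;
        }
    }
}

// Usage (base directory is a constructed value).
$loader = new Demo_ClassLoader('/var/www/lib');
echo $loader->classToPath('Zend_Controller_Action'), "\n";
spl_autoload_register(array($loader, 'loadClass'));
```

Running phpDocumentor or Doxygen over this file produces the class, constant, property and method reference from the docblocks alone; the same tags are read by IDEs for completion and type hints, which is why the slides advise against inventing your own.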
Documentation
phpDocumentor example
Source Control
Why do I need it?
► How do I know if somebody did something?
► How do others know I did something?
► How do I get my updates from others?
► How do I push my updates out to others?
► Do we have the old version?
► What changed?
What choices exist?
► Distributed source control: developers work on their own repositories and share changesets
  Git, Darcs, Arch
► Non-distributed source control: developers work on local checkouts and check in to a central repository
  Subversion
Please enter commit message
General Practices
► Essential INI settings
► My top two PHP security practices
Set register_globals = Off
Set magic_quotes = Off
There are three php.ini settings that relate to magic_quotes:

; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

Example: "This is my code's string" gets converted to "This is my code\'s string"
Set error_reporting = E_ALL | E_STRICT
► STRICT messages help you use the latest and greatest suggested method of coding, for example by warning you about using deprecated functions.
► Available since PHP 5.0
► Production:
  display_errors = Off
  log_errors = On
  error_log = path/logs/php_error.log
Set short_open_tag = 0
► If you want to use PHP in combination with XML, you can disable this option in order to use <?xml ?> inline.
► Otherwise, you can print it with PHP, for example: <?php echo '<?xml version="1.0"?>'; ?>
► Safe to use the <?php ?> tag
► Might be deprecated, but no news yet on php.net
► Good practice is to use the <?php ?> tag
No direct access to php.ini?
Use .htaccess directives:
► php_flag
  php_flag is reserved for boolean values, like register_globals and magic_quotes_gpc.
  Example: php_flag register_globals Off
► php_value
  php_value is for things that are not boolean, like error_reporting and error_log.
  Example: php_value error_log /var/www/logs/php_errors.log
My Top Two PHP Security Practices
Top two PHP security practices, expressed in four words:
► Filter input
► Escape output
- Chris Shiflett
Filter Input
► Don't trust external data. Rule #1 of every developer should be "Filter all foreign data".
► With the delivery of PHP 5.2.0 this got a lot easier, because PHP included the Filter library by default.
► Manual: http://www.php.net/filter
► Downloads: http://pecl.php.net/get/filter
► Filter homepage: http://pecl.php.net/filter
Filter library examples
► $email = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_EMAIL);
► $age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT);
► $url = filter_input(INPUT_COOKIE, 'url', FILTER_VALIDATE_URL);
► $raw_msg = filter_input(INPUT_POST, 'msg', FILTER_UNSAFE_RAW);
► $options = array('options' => array('min_range' => 7, 'max_range' => 77));
  $age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT, $options);
► filter_has_var(INPUT_POST, 'submit') is the same as isset($_POST['submit'])
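The calls above validate one field at a time against the live request. As an added example (not code from the slides), the following validates a whole submission with the same extension in one step, and shows the distinction a practitioner needs: a field that is present but invalid comes back as false, while a field that is missing comes back as null, so both cases can be rejected instead of silently used. Because filter_input() reads the real superglobals, the example uses filter_var_array() on a constructed array standing in for $_POST; the field names and ranges are assumptions.

```php
<?php
// Added example, not from the slides: validate a constructed form
// submission with ext/filter. filter_var_array() mirrors filter_input_array()
// but takes an ordinary array, so it can run outside a web request.

/**
 * Validate a sign-up form. Returns the filtered values plus the names of
 * fields that were missing or failed validation.
 */
function validateSignup(array $post)
{
    $definition = array(
        'email' => FILTER_VALIDATE_EMAIL,
        'age'   => array(
            'filter'  => FILTER_VALIDATE_INT,
            'options' => array('min_range' => 7, 'max_range' => 77),
        ),
        'url'   => FILTER_VALIDATE_URL,
        // FILTER_UNSAFE_RAW leaves the text untouched. It only says the
        // field is present; the value still has to be escaped on output.
        'msg'   => FILTER_UNSAFE_RAW,
    );

    // With the default add_empty = true, a field absent from $post yields
    // null, while a present-but-invalid field yields false.
    $clean = filter_var_array($post, $definition);

    $failed = array();
    foreach (array_keys($definition) as $field) {
        if ($clean[$field] === false || $clean[$field] === null) {
            $failed[] = $field;
        }
    }
    return array('values' => $clean, 'failed' => $failed);
}

// Constructed sample submissions.
$good = array(
    'email' => 'dev@example.com',
    'age'   => '42',
    'url'   => 'http://example.com/',
    'msg'   => "Aunt Sally's picnic",
);
$bad = array(
    'email' => 'not-an-address',   // fails FILTER_VALIDATE_EMAIL
    'age'   => '120',              // outside min_range..max_range
    'url'   => 'example.com',      // no scheme, fails FILTER_VALIDATE_URL
    // 'msg' is missing entirely
);

foreach (array('good' => $good, 'bad' => $bad) as $label => $post) {
    $result = validateSignup($post);
    echo $label, ': ';
    if ($result['failed']) {
        echo 'rejected fields ', implode(', ', $result['failed']), "\n";
    } else {
        // 'age' is now an int, not the string '42'.
        echo 'ok, age is ', var_export($result['values']['age'], true), "\n";
    }
}
```

Checking for both false and null matters because a missing field and a bad field usually deserve the same response (reject the request), and a loose `if (!$age)` would also reject the legitimate value 0.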
► With properly filtered input, you're already pretty well protected against malicious attacks.
► The only remaining step is to escape it such that the format of the input doesn't accidentally interfere with the format of the SQL statement.
  INSERT INTO MyTable (MyColumn) VALUES ('My Dear Aunt Sally's Picnic Basket')
Escaping Output
Use the dedicated escaping function provided by the database interface:
► MySQL
  mysql_real_escape_string()
► PostgreSQL
  pg_escape_string(), pg_escape_bytea()
► SQLite
  sqlite_escape_string()
► Other databases
  ADOdb, qstr function: http://adodb.sourceforge.net/
  PEAR, quote function: http://pear.php.net/
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
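To make the Aunt Sally example concrete, here is an added example (not from the slides) that runs the unescaped statement, the escaped statement and a prepared statement against an in-memory SQLite database. The slides list mysql_real_escape_string(), pg_escape_string() and sqlite_escape_string(); this example uses PDO::quote() instead, because it is the same kind of driver-provided escaping function and needs no database server. The table and column names follow the slide; everything else is constructed.

```php
<?php
// Added example, not from the slides: escaping a value for SQL with the
// database interface's own quoting function (PDO::quote() on SQLite here),
// next to the unescaped failure and the prepared-statement alternative.

function setupDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE MyTable (MyColumn TEXT)');
    return $db;
}

/**
 * Build and run the INSERT with the value escaped by the driver.
 * PDO::quote() applies SQLite's quoting rules and adds the surrounding
 * single quotes, so the apostrophe can no longer end the string literal.
 */
function escapedInsert(PDO $db, $value)
{
    $sql = 'INSERT INTO MyTable (MyColumn) VALUES (' . $db->quote($value) . ')';
    $db->exec($sql);
    return $sql;
}

/**
 * Same insert with a prepared statement: the value is sent separately from
 * the SQL text, so no escaping step can be forgotten.
 */
function preparedInsert(PDO $db, $value)
{
    $stmt = $db->prepare('INSERT INTO MyTable (MyColumn) VALUES (:v)');
    $stmt->execute(array(':v' => $value));
}

$db    = setupDb();
$input = "My Dear Aunt Sally's Picnic Basket";   // filtered, but not escaped

// 1. Unescaped: the apostrophe terminates the literal and the statement is
//    rejected as malformed SQL.
try {
    $db->exec("INSERT INTO MyTable (MyColumn) VALUES ('$input')");
} catch (PDOException $e) {
    echo 'unescaped insert failed: ', $e->getMessage(), "\n";
}

// 2. Escaped with the driver's quoting function.
echo escapedInsert($db, $input), "\n";

// 3. Prepared statement.
preparedInsert($db, $input);

// Both rows come back with the apostrophe intact.
foreach ($db->query('SELECT MyColumn FROM MyTable') as $row) {
    echo $row['MyColumn'], "\n";
}
```

The escaping function has to match the driver and, for functions like mysql_real_escape_string(), the connection's character set, which is why the slides point to the database interface's own function rather than addslashes(); the Shiflett post linked above explains that difference.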
Questions?
Thanks for your attention
Contact
► Slides will be on SlideShare: http://slideshare.net/ansarahmed
► Contact options
  Email: ansarahmed8@gmail.com / ansarahmed_8@yahoo.co.in
  Blog: http://ansarahmed.blogspot.com
► Follow me on Twitter: @ansarahmed, @phpbangalore