gazette | Coders Corner
The 10 Commandments of PHP Programming
PHP supersedes Perl as the language of choice for serious Web development. It's quick, easy to learn, and powerful enough to do 98% of what you'll ever need done. These commandments, you'll notice, mirror the Perl Commandments in a lot of cases, as the two languages have a lot in common, and therefore these points can't be hammered home hard enough.
- Thou Shalt turn "REGISTER GLOBALS" off.
It's a flat-out security risk. Turn it off now and learn how to read and react to user input without simply turning the "$_GET" or "$_POST" arrays back into individual global variables.
- Thou Shalt check all user input for validity and security.
Use either escapeshellarg or a simple regex such as: "preg_replace("/[^A-Za-z0-9]/", "", $variablename);" before sending user input to a command-line/shell application or into your database. It's doubly important to check user input when basing file operations on it. As an example, if you're allowing something like "language=french" in the Query String, and are then looking for a file called "/data/languages/$language", be careful that someone doesn't change the Query String to "../../../../../../etc/passwd" or you could be in big-time trouble. Make use of is_numeric or is_string, and addslashes before sending user input into your database.
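The following is an added example, not code from the article: it reads the "language" and "page" parameters from the superglobals (which is all you have once register_globals is off) and applies the checks above before the values reach a file path, a shell command or a query. The directory "/data/languages", the "grep" command and the "users" table are assumptions for illustration, and the realpath containment test goes one step beyond the article's regex (PHP 7+ syntax).

```php
<?php
// Added example (not from the original article): reading user input from the
// superglobals with register_globals off, then validating it before use.
// Paths, commands and table names below are assumed for illustration.

// Whitelist filter exactly as the article suggests: strip everything that is
// not a letter or digit. Returns '' if nothing survives.
function clean_token(string $raw): string
{
    return preg_replace('/[^A-Za-z0-9]/', '', $raw);
}

// Resolve a language name to a file under the data directory. The cleaned
// token cannot contain '/' or '.', so "../../etc/passwd" cannot survive; the
// realpath check is an extra containment test beyond the article's advice.
function language_file(string $raw, string $base = '/data/languages'): ?string
{
    $lang = clean_token($raw);
    if ($lang === '') {
        return null;
    }
    $real     = realpath($base . '/' . $lang);
    $realBase = realpath($base);
    if ($real === false || $realBase === false
        || strpos($real, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return null;            // missing file, or it escaped the base directory
    }
    return $real;
}

// Shell argument: escapeshellarg() wraps the value in single quotes and escapes
// embedded quotes, so shell metacharacters are passed through literally.
function grep_command(string $raw): string
{
    return 'grep -i ' . escapeshellarg($raw) . ' /data/index.txt';
}

// Numeric input: is_numeric() also accepts "1e3" and " 5", so cast after the
// check and reject anything below 1.
function page_number(string $raw): int
{
    if (!is_numeric($raw) || (int)$raw < 1) {
        return 1;
    }
    return (int)$raw;
}

// Database string: addslashes() as the article recommends. (The driver's own
// escaping function, or bound parameters, is the stronger choice today.)
function name_clause(string $raw): string
{
    return "WHERE name = '" . addslashes($raw) . "'";
}

// Usage: with register_globals off, $language is unset until we assign it
// ourselves from $_GET, so nothing in the query string becomes a variable.
$language = $_GET['language'] ?? 'english';
$file     = language_file($language);       // null for "../../../../etc/passwd"
$page     = page_number($_GET['page'] ?? '1');
$where    = name_clause($_GET['name'] ?? '');
```

The important property is that each function is the only route from a request parameter to the file system, the shell or the database, so the check cannot be skipped by accident.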
- Thou Shalt write thy code using accepted coding standards.
You're not the only one that will ever have to read, edit, debug, or modify your source code. Follow the standards, and you'll make everyone's life a lot easier.
- Thou Shalt use object oriented programming.
OOP is the way to be. It's more organized, more portable, and by its nature, more modular. Get out of the dark ages and get object oriented.
- Thou Shalt not require PEAR or other external server modules in commercial applications.
Not everyone has a dedicated server, and therefore will not likely be able to install the modules you require. Don't shut out part of your potential customer base by being too lazy to write things from scratch.
- Thou Shalt use templates and not inline PHP.
Leave the HTML out of your PHP, and the PHP out of your HTML. Put all of the intelligence and smarts into modules and libraries, and let your end user/designer use full HTML templates to achieve their look and feel. Do not embed PHP into HTML. It's crude, hideous, hard to debug, and quite frankly, the mark of a true amateur. You might take a look at the iWeb ds/X API, which will accommodate this task, as well as provide a stable platform from which to begin your application. When you must include HTML within your application, use a heredoc or an extended string to define it. There's nothing worse than having to wade through line after line of escaped quotes or 15 echo statements in a row.
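As an added example (not the article's code and not the iWeb ds/X API it mentions), here is a minimal template renderer: the designer owns a plain HTML file with {{placeholders}}, the application fills them in, and the only HTML that lives in PHP is a fallback written as a nowdoc so it needs no escaped quotes. The template path and the {{name}} placeholder syntax are assumptions of this example.

```php
<?php
// Added example (not from the article): separating HTML templates from PHP.
// The templates/page.html path and the {{name}} syntax are assumptions here.

// Fallback markup as a nowdoc (<<<'HTML'): readable, no escaped quotes, and
// never interpolated, so the braces are left alone for our own renderer.
const DEFAULT_TEMPLATE = <<<'HTML'
<html>
<head><title>{{title}}</title></head>
<body>
  <h1>{{title}}</h1>
  <p>Welcome back, {{user}}.</p>
</body>
</html>
HTML;

// Load the designer's template from disk, or fall back to the nowdoc above.
function load_template(string $path): string
{
    if (is_readable($path)) {
        return file_get_contents($path);
    }
    return DEFAULT_TEMPLATE;
}

// Replace {{placeholders}} with values. Every value is HTML-escaped on the way
// in, so a user name such as <script> is rendered as text, not as markup.
function render(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{\{([A-Za-z_][A-Za-z0-9_]*)\}\}/',
        function (array $m) use ($vars): string {
            $value = $vars[$m[1]] ?? '';
            return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
        },
        $template
    );
}

// The logic stays in PHP; the look and feel lives in templates/page.html.
$html = render(load_template(__DIR__ . '/templates/page.html'), [
    'title' => 'Member area',
    'user'  => $_GET['user'] ?? 'guest',
]);
echo $html;
```

Because escaping happens inside render() rather than at each call site, a designer editing the template cannot accidentally introduce an unescaped value, and the PHP side has no echo statements full of markup.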
- Thou Shalt use database abstraction.
PHP has an army of database-specific commands. If you rely on, for example, mysql_xxxx() to handle your database operations, your application will not run without extensive modification for your users that rely on PostgreSQL, Oracle, or MSSQL. Use a database abstraction layer, such as the iWeb ds/X API or PHP's built-in dbx functions.
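The following added example (not the article's code, nor the iWeb ds/X or dbx functions it names) shows the shape of such a layer: application code depends on a small interface, and one adapter behind it talks to the real database through PDO, the abstraction layer that ships with current PHP. The interface, the adapter, the DSN and the "users" table are assumptions; the sample run uses an in-memory SQLite database, which requires the pdo_sqlite extension.

```php
<?php
// Added example (not from the article): a thin database abstraction so the
// application never calls a database-specific function directly. The
// Database interface, PdoDatabase class and DSN values are assumptions here.

interface Database
{
    // Run a query with bound parameters; rows come back as associative arrays.
    public function select(string $sql, array $params = []): array;
    // Run a statement; returns the number of affected rows.
    public function execute(string $sql, array $params = []): int;
}

// One adapter built on PDO, which speaks MySQL, PostgreSQL, SQLite and others.
// Swapping the DSN changes the backend; the callers do not change.
final class PdoDatabase implements Database
{
    private PDO $pdo;

    public function __construct(string $dsn, string $user = '', string $pass = '')
    {
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    public function select(string $sql, array $params = []): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll();
    }

    public function execute(string $sql, array $params = []): int
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->rowCount();
    }
}

// Application code depends only on the interface. Bound parameters replace
// addslashes()-style escaping: user input never becomes part of the SQL text.
function find_user(Database $db, string $name): ?array
{
    $rows = $db->select('SELECT id, name FROM users WHERE name = ?', [$name]);
    return $rows[0] ?? null;
}

// Choosing the backend is a one-line configuration change, e.g.
// 'mysql:host=localhost;dbname=app' or 'pgsql:host=localhost;dbname=app'.
$db = new PdoDatabase('sqlite::memory:');
$db->execute('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->execute('INSERT INTO users (name) VALUES (?)', ['alice']);
var_dump(find_user($db, 'alice'));           // ['id' => 1, 'name' => 'alice']
var_dump(find_user($db, "alice' OR '1'='1")); // NULL: the quote is just data
```

Keeping the interface deliberately small (two methods) is what makes a second adapter cheap to write when a customer turns up with a database PDO does not cover.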
- Thou Shalt hide all non .php files.
Any data files that need to be created or written to should be stored safely behind the document root of the Web site. Similarly, if you're using libraries and are following the recommended naming convention by giving them an .inc extension, make sure that they, too, are tucked in behind the Document Root. This ensures that someone with a curious mind cannot simply open up a data file or a library file in their browser (.inc files will render as plain text in a browser). If you are unable to do this due to access restrictions or "open_basedir" restrictions, then rename your include files with a .php extension so that they're not viewable, and put your data behind a .htaccess file to hide them from prying eyes. Trust me, people will seek out and find files that you think are hidden away safely. Do your best to stifle them.
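An added example (not from the article) of the layout this commandment describes, shown as two files in one listing: the library and the data directory sit one level above the document root, the front controller locates them relative to its own path, and the library carries a guard for the fallback case where it has to live under the document root with a .php extension. The directory names, the APP_ENTRY constant and the mailer function are assumptions of this example.

```php
<?php
// Added example (not from the article): libraries and data outside the
// document root. Assumed layout:
//
//   /home/site/lib/mailer.inc          <- library, not reachable by URL
//   /home/site/data/visitors.log       <- writable data, not reachable by URL
//   /home/site/public_html/index.php   <- document root; the only entry point
//
// ---- file 1: /home/site/lib/mailer.inc --------------------------------
// Guard for the fallback case (library forced inside the document root and
// renamed to .php): refuse to run unless the front controller set APP_ENTRY,
// so a direct request for the file gets a 403 instead of executing it.
if (!defined('APP_ENTRY')) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

function send_welcome(string $to): bool
{
    return mail($to, 'Welcome', 'Thanks for signing up.');
}

// ---- file 2: /home/site/public_html/index.php --------------------------
define('APP_ENTRY', true);

// One level above the document root, computed from this file's own location
// rather than hard-coded, so the application survives a move to another host.
$root = dirname(__DIR__);
require $root . '/lib/mailer.inc';

// Data is written under the private data directory, never under public_html,
// so it cannot be fetched as a URL even if the file name is guessed.
$logFile = $root . '/data/visitors.log';
$line    = date('c') . ' ' . ($_SERVER['REMOTE_ADDR'] ?? '-') . "\n";
file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);

echo 'Visit recorded.';
```

With this layout, nothing the Web server can serve is anything other than the .php entry points you chose; the .htaccess fallback the article mentions is only needed when the host will not let you write outside the document root.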
- Thou Shalt learn Perl if you do not know it already.
PHP's roots are based in Perl. In fact, PHP makes use of Perl regular expressions in a number of its built-in functions. Regular expressions are extremely powerful, and if used properly, many times faster than PHP native equivalents. Learning both languages will make you a better programmer, as you can better optimize your PHP code to take advantage of its Perlish features.
- Thou Shalt be nice to the Perl guys, and equally mean to the .NET crowd.
Perl certainly has its place. In my opinion, Perl is still the language of choice for hard-core programming such as big number-crunching reports, searching, things requiring big-time horsepower, or anything server-level or admin-oriented. PHP excels at quick-hitting apps, high-traffic apps, and because it's a Web-specific language, should be the language of choice for most online database-driven applications. .NET is a pig, as is everything else out of Redmond. Keep letting them have it ;)