Hello, I have been learning php, by just plugging away at it.
I was hoping someone could point me in the right direction in regards to security, flow and general best practices?
Thanks.
Use a freely available framework such as:
and follow the standards specified by that framework.
Take a look at a reputable open source software, that is known for good code.
Look at Kohana's source, or any of the others from Billy ONeal's answer.
I wouldn't recommend using CI's source as a guide - as I think it still supports PHP4, so some of the code will be useless to learn - unless you plan on writing PHP4 code, which is a bad idea if you are only learning now.
Do not look at WordPress, you will pick up some terrible habits.
Also, while I think of it, learn about OO, and the difference with procedural code.
Good programming is irrelevant of language. I suggest you start studying software development concepts such as object oriented programming, design patterns, separation of concerns, reuse, encapsulation, testing and refactoring. Start at any of those and keep "plugging" away at the list and you will get better.
PHP specific - learn the accepted coding standard, such as PEAR's or Zend's. After you've assimilated some of the concepts, pick up a good reference such as one of the top frameworks mentioned in the other answers - Zend Framework, CakePHP, Symfony among others.
To provide something other than "use a framework" or "look at a framework," here are quick rule-of-thumb PHP-specific practices I've found that make a big difference.
- Use PDO and abstract it into a class (or use an existing class). Do not use mysql_query or such functions.
- Avoid mixing PHP and HTML like `<?php if($x) { ?> HTML here <?php } ?>` (using HEREDOC syntax helps enormously with this).
- Use the __autoload magic method to limit includes.
These alone would be a night-and-day transformation of a lot of ugly PHP code I see. Then there are the obvious language agnostic rules such as consistent naming conventions, self-documenting code, etc.
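The first two points above (PDO behind a small class, HTML built with HEREDOC rather than interleaved with control flow), as an added example that is not code from the answer above. It assumes PHP 7.4+ with the pdo_sqlite driver so it runs stand-alone against an in-memory database; the `Db` class, table and rows are constructed for illustration.

```php
<?php
// Added example (not from the answer above): a minimal PDO wrapper that
// forces prepared statements, plus HEREDOC output so HTML is not spliced
// into if/foreach blocks. In-memory SQLite keeps it self-contained; the
// users table and its rows are constructed sample data.

declare(strict_types=1);

final class Db
{
    private PDO $pdo;

    public function __construct(string $dsn, ?string $user = null, ?string $pass = null)
    {
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
            PDO::ATTR_EMULATE_PREPARES   => false,                  // real prepares where the driver supports them
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    /** Run a statement with bound parameters; callers never concatenate values into SQL. */
    public function run(string $sql, array $params = []): PDOStatement
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }

    public function fetchAll(string $sql, array $params = []): array
    {
        return $this->run($sql, $params)->fetchAll();
    }
}

$db = new Db('sqlite::memory:');
$db->run('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');
$db->run('INSERT INTO users (name, email) VALUES (:name, :email)',
         [':name' => 'Ada', ':email' => 'ada@example.test']);
$db->run('INSERT INTO users (name, email) VALUES (:name, :email)',
         [':name' => "O'Brien", ':email' => 'ob@example.test']);

// Constructed untrusted input: a value that would break string-concatenated SQL.
$search = "O'Brien' OR '1'='1";

// With a placeholder the whole value is data, so only an exact name match is returned (none here).
$rows  = $db->fetchAll('SELECT id, name, email FROM users WHERE name = :name', [':name' => $search]);
$count = count($rows);

// Presentation kept out of the control flow: assemble the list first, then emit one HEREDOC.
$items = '';
foreach ($db->fetchAll('SELECT id, name FROM users ORDER BY id') as $row) {
    $name   = htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8'); // escape on output
    $items .= "<li>{$row['id']}: {$name}</li>\n";
}

echo <<<HTML
<ul>
{$items}</ul>
<p>Exact matches for the searched name: {$count}</p>
HTML;
```

The wrapper's only job is to make the unsafe path (building SQL from strings) harder to reach than the safe one; the output escaping with `htmlspecialchars` is the same idea applied to HTML.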
Why does everyone attack php? Many many excellent sites run off it. At least until they get big enough to merit an overhaul.
99% of the internet is just throw away sites that don't get much traffic, compared to sites like facebook or amazon, so why should they care to learn a language more sophisticated, stable, or strict, if php gets the job done in a cost effective way that is no less stable or secure for what is needed?
Most of the sites I build run off Kohana - a branch from codeigniter. Both are useful. Who cares if CI uses php4. What if you get hired by a web firm that has archaic sites? Guess what - you will need to know php4. That complaint is like saying you no longer need to know tabled html... until you have to design and code a newsletter template for some big company. Then what? Crash course it with google searches?
I say the RIGHT way to use PHP is to follow examples. Yeah wordpress has some awful habits, but it works and is only one of the most successful platforms out there. What does that tell you?
I would say you could learn a lot from a framework like Kohana - and even CI - since both have decent security methods that are not hard to follow. Things like database escaping and xss filtering. It will wean you into OO programming if you are not familiar and both have a decent userbase so you will not get stuck with no answers.
Don't let these guys scare you. For beginners PHP is a good move. Eventually something like Java or Objective-C will be more beneficial for jobs and application, but learn it when you get there.
The PHP community has never really been strong at offering up any development guidelines or advocating best practices. In the pre-framework days typical php code written by most devs was very amateurish and disorganized - see the Wordpress source code. But PHP is a good language for web apps. It was made for the web and you can write good professional code with it if you want to. It's trendy to bash it but disregard that stuff.
Anyway, like the others have said here your best bet is to use a framework. Being a newbie, it will be important for you to pick a framework that is well documented and has a strong community to help you get over the hump. Here's my rundown of the major php frameworks:
Codeigniter => popular, fast, good docs and community. Very easy to learn. v2.0 hasn't officially been released but is ready for production use and is php5 only. You can use the same documentation that is on the CI site for v1.7. The versions are very similar except 2.0 drops php 4 support finally. Here is the download for 2.0: http://bitbucket.org/ellislab/codeigniter/
YII => Really gaining momentum despite its goofy name. It's a fast performer with GREAT documentation and a ton of features. A new book is out too. The community is so-so but growing. This framework imo takes a lot from rails. There is a web-based code generation tool and it uses active record. http://yiiframework.com/
You can build apps a lot quicker with YII due to the code-gen and active record but it will be a bit harder to learn than CI. You may find it getting in your way a bit more too as you try to do everything the YII way. CI is more flexible - gives you the foundation you need w/o getting in your way. So for now I'd recommend codeigniter.
good luck!
It is possible to code well in PHP. Probably the best resource I've seen so far as to just how is here in StackOverflow: browse the questions marked PHP.
In no particular order, some specific things to help you on your way from my years programming in PHP:
Enable Notices and then make sure you don't write code that triggers them. PHP's default install doesn't enable Notices, which is fine for a Production environment, but bad for a Development environment. Unfortunately, their default php.ini file doesn't seem to know which it is being an example for.
Similarly, make sure you have magic_quotes and register_globals both turned off. They are both designed for more simple and naive programming times and today create more problems than they solve.
Initialize variables before you use them. This also means array elements. If your code isn't sure if the variable or element exists, use isset() and array_key_exists().
Pick or develop a sensible coding style and stick with it. You don't need to be frugal with whitespace or linebreaks.
Check for variables you are expecting to be there. This is a tricky one. A great example of this is when processing a HTTP POST that may have a lot of variable elements. Figure out what should be in $_POST and look for that. Don't assume that what is submitted is always going to be what is supposed to be submitted.
Along the same lines, check for the correct values, not the incorrect values. If you need a variable to have a valid value, look for what constitutes a valid value before proceeding, not what might be an invalid value to throw away. For example, if you need a submitted variable to be an integer, then check that it is an integer; don't check for a null-string, as a null-string isn't the only invalid value!
Separate database access, logic and presentation (this is often called Model-View-Controller programming). Another way of putting that is that you shouldn't be mixing code that is processing the last POST request with HTML markup being emitted with SQL queries. Most frameworks will enforce this.
If you're not using a framework that provides an Object layer, you will be rolling your own SQL. Either use prepared statements, or use the DB's own quoting function for strings, not addslashes().
It was very easy in PHP 4 to use a lot of memory because structures got copied, not referenced. PHP 5 largely solves this specific problem, but it can still happen with strings. This also doesn't address the tendency of some APIs to create large structures.
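The POST-handling advice in the answer above (enable notices, initialize before use, look for the fields you expect, and validate for correct values rather than rejecting a few known-bad ones), as an added example that is not code from the answer. The form fields, the `validateOrder` function and the sample request are constructed for illustration; it assumes PHP 7.1+ for array destructuring.

```php
<?php
// Added example (not from the answer above): positive validation of a POST body.
// Field names, the validateOrder() helper and the sample request are constructed.

declare(strict_types=1);

// Development setting from the answer: surface notices instead of hiding them.
error_reporting(E_ALL);
ini_set('display_errors', '1');

/**
 * Returns [$clean, $errors]. Every expected field is tested for what a valid
 * value looks like; fields that were not expected never reach $clean.
 */
function validateOrder(array $post): array
{
    $clean  = ['quantity' => null, 'email' => null, 'size' => null]; // initialised before use
    $errors = [];

    // quantity: must exist and be an integer in a sane range ("12abc" and "" both fail)
    $qty = isset($post['quantity'])
        ? filter_var($post['quantity'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1, 'max_range' => 100]])
        : false;
    if ($qty === false) {
        $errors[] = 'quantity must be an integer between 1 and 100';
    } else {
        $clean['quantity'] = $qty; // an int from here on, not a string
    }

    // email: validate the format, do not merely test for "not empty"
    $email = array_key_exists('email', $post)
        ? filter_var($post['email'], FILTER_VALIDATE_EMAIL)
        : false;
    if ($email === false) {
        $errors[] = 'email is not a valid address';
    } else {
        $clean['email'] = $email;
    }

    // size: allow-list of known values, compared strictly so "0" or true cannot match
    $allowed = ['S', 'M', 'L'];
    if (isset($post['size']) && in_array($post['size'], $allowed, true)) {
        $clean['size'] = $post['size'];
    } else {
        $errors[] = 'size must be one of S, M, L';
    }

    return [$clean, $errors];
}

// Constructed request: quantity has trailing junk, email is malformed, size is
// valid, and an extra field was submitted that the form never asked for.
$sample = [
    'quantity' => '12abc',
    'email'    => 'not-an-address',
    'size'     => 'M',
    'is_admin' => '1',
];

[$clean, $errors] = validateOrder($sample);

// $errors holds two messages (quantity, email); $clean['size'] is 'M' and
// 'is_admin' is absent from $clean because it was never expected.
print_r($clean);
print_r($errors);
```

Because `$clean` starts fully initialised and only whitelisted keys are ever written to it, later code can read `$clean['quantity']` without an `isset()` dance, and an unexpected field such as `is_admin` can never ride along into the model layer.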