tags:

views:

480

answers:

6
+10  Q: 

What are the PHP-specific antipatterns that you know of?

PHP as a Blunt Instrument

I hear PHP getting bashed around a lot lately. In quite a few projects, I have seen insane php code bases - so bad you really wonder if the person was on hallucinogenic drugs when they wrote the code. Sometimes, I wonder what the code would have been like if the initial developers had a bit more guidance as to what not to do.

However, I have also seen some very well organized PHP projects that were done in 100% OOP and were a pleasure to maintain, but they were not written by "php programmers."

I give all of our junior devs a link to Java Anti-Patterns. One of the nice things about that page is the Java-specific examples because there are many features of Java that lend themselves to common mistakes. I was hoping to find a similar list for php, but a google search did not reveal anything meaningful.

There are a few questions already out there for what a developer should know when programming PHP, but I wanted to focus on the negative.

What are the common things you have seen in PHP that should be avoided and what is a common solution to doing the same thing in a better way?

Some of the obvious examples to me that I think will be mentioned but aren't PHP specific:

  • Don't concatenate SQL. Use prepare statements or proper escaping.
  • Don't blindly embed PHP into HTML - use templating/MVC.
  • Don't blindly post raw unfiltered user input - scrub it for XSS attacks.
  • Don't manually try to parse all of your POSTs and GETs - use a web framework.

Here would be some examples that I would consider PHP specific:

  • Don't have too many layers of file include/require linking and try to avoid conditional linking. Rather, have a sane naming convention and be consistent with your organization.
  • Don't use PHPs raw database API unless you can help it, instead use a database framework like ADODB instead.
  • Don't overuse PHP's dynamic typing by setting the variable to a string in one place and a boolean somewhere else, then expecting the boolean tests to make sense.

So, what are your favorite PHP don'ts and how do you do it right?

+4  A: 

How Is PHP Done the Right Way? covers a lot of these issues.

cletus  2009-04-27 12:34:58
I wonder why that question didn't come up in my search. Maybe the title didn't lend itself to being found. hmnn...
Elijah  2009-04-27 12:36:12
Holy ****, that's a long (and decent) read
altCognito  2009-04-27 12:48:34
+8  A: 

I disagree with this one:

  • Don't blindly embed PHP into HTML - use templating/MVC.

PHP is a templating language. While I agree with the concept of implementing MVC, I don't see why there should be a requirement to implement a yet another DSL around producing web output.

altCognito  2009-04-27 12:36:28
+1 I agree. If a page is a pretty complex, you should use mvc, but it's simple enough mvc for page's design can be overkill especially if you are using your custom framework (the next person who will work on your code probably will damn you :D)
Alekc  2009-04-27 12:42:14
I like the way CodeIgniter does it - but in the framework it essentially becomes the view. So what do you do when you need an internationalized version of your page with different fonts, layout and marketing content for your new market when you don't have interchangeable views?
Elijah  2009-04-27 12:42:41
Don't you just love it how there's a boat load of templating languages out there, implemented in PHP?
roe  2009-04-28 07:06:38
By the same logic, if PHP is a "templating language," then I should scoff at you for using it to write business logic. Using templates allows you to a) be more expressive with less verbosity and b) offer a secure way for untrusted users to create content. Of course plain PHP can often be used directly as the template layer (and usually is the best option), but that doesn't make it the end-all.
konforce  2010-08-14 15:46:22
+1 Good points @konforce.
altCognito  2010-08-16 12:22:44
+2  A: 

One of my favourite DON'Ts would have to be:

$query = 'select * from users where username = ' . $_POST['username'];

Can it get much scarier than that?

karim79  2009-04-27 12:42:19
yes it can, $_REQUEST['username']...
roe  2009-04-27 12:47:06
$query='SELECT * FROM users WHERE username=\''.$_COOKIE['username'].'\' AND password=\''.$_COOKIE['password'].'\'';The same error, but nobody suspects anything wrong in $_COOKIE.
tstenner  2009-04-27 12:49:30
@roe, $_REQUEST is scarier! I was going for the idea of directly using super-globals in queries as opposed to $_POST specifically, should have made that clear.
karim79  2009-04-27 13:11:55
+1  A: 
  1. Never EVER use a $_GET or $_POST without checking it and cleaning it up.
  2. Read about how to set up the php.ini right.
  3. Never put variables into raw SQL.
  4. If you use frameworks, use the ones with less dependencies.
  5. Stop over-generalization.
  6. Distribute your code on the php files. In most cases there is no real need to put everything into one index.php.
  7. Reduce complexity before writing code.
  8. Respect the fact that it is a web application. (Try to be RESTful.) It's not a desktop application. So stop putting everything into $_SESSION.
  9. At least one comment line for every 10 lines of code. You WILL read that after a year. I promise!
  10. Code like a girl - make it nice to read.
MrFox  2009-04-27 20:26:22
A: 

If I had to include a favourite don't it has to be the one posted by karim79:

$query = 'select * from users where username = ' . $_POST['username'];

Many developers in PHP keep stuck in structured age. PHP supports classes and objects since a while ago, I just don't get why people keep hard coding PHP into html, without templates or nothing at all.

I believe that developers from other languages, like .NET or Java have earned the right to criticize the language if so many developers keep programming like that. PHP is a very great language, very flexible, still a little junior but is growing, but many just don't get it, all they want is to solve by making the old classic copy & paste.

David Conde  2010-08-14 15:12:31
A: 
  • use SPL
  • use PDO instead of using mysql_query or pg_query or others
  • always use the filter extension on user input
Yorirou  2010-08-14 15:22:59

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases