A few PHP tips

[JmZ]

I'm a little bored so here's a few tips for those of you who are learning PHP, already know it or think you're an expert in it, lol.

Don't close the <?php tag
Reason being, it increases the chance that you'll some day accidentally have some whitespace after it, meaning headers get sent when you probably don't want them to. Obviously if you're writing HTML in your code too, close the tags but if it's just a pure PHP script then don't.

Don't use shorttags (<?)
Not all hosts have these enabled and they're generally frowned upon by professional PHP programmers. You want your code to be portable and never to error, so use the full tags even if it means typing more. This includes echoing variables in your HTML, <?php echo $var; ?>, NOT <?=$var?>. Yes it's longer but it is worth it.

Suppressing errors/warnings with @
Never do this. If you need to do this, rethink your code because it's not good enough. Errors and warnings are there for a reason, deal with them, fix them, don't just use the @ and ignore them.

Use PDO for interacting with MySQL or other database systems
A lot of people still use the mysql_ library functions (e.g. mysql_query), don't. They are old, outdated and far less useful than the likes of PDO and mysqli. Instead, use PDO or mysqli, the difference of the two being that the latter only works with MySQL while the former works with a bunch of different database systems.

Prepare queries with PDO
If you do decide to use PDO, prepare your queries, don't execute them straight off, even if you only run the query once. Preparing queries has a huge benefit when you're running the same query multiple times as it is much faster and more efficient. If running the query once, it will be slightly slower (microseconds) than executing it directly but will be much safer as parameters are escaped automatically.

Make everything safe
When I code something, I have a habit of closing off every possible vulnerability as I write them. Do the same. If you're ever outputting data which is user input, use htmlspecialchars/htmlentities. If you're passing user input to some function which takes an integer, make sure it is an integer, check it or force it to be one (intval or typecasting). The same goes for other data types.

File upload security
If you're coding some script which has file upload functionality, e.g. some sort of image host script, then take security measures. Don't rely on the contents of $_FILES ever, the user can modify headers to put what they want in here (e.g. spoof the size, mime type, etc). Check the filesize of the actual file on disk in /tmp (filesize function), also store files in a directory above the public html one.

Path security
If for some reason you end up handling paths given by the user (e.g. if a user passes a path to a local file and your script then does something to the file), use realpath() to get the real path of it and make sure it's in the directory it should be in (so people can't enter things like '../../blah' or '/etc/passwd'). Or alternatively, if there's only ever one directory it should be in, simply get the basename() and prepend the path it should be in.

Serving large files
This is one mistake most filehosts make, they serve the file through PHP (this isn't true for the big ones like FSO). Try not to serve a large file through PHP, it'll have ridiculous memory usage and such, serve it as a file through the web server instead, if possible.

Don't overcomplicate
I used to know a guy, he'd write every PHP script he ever made in OO (object-oriented) code, no matter how small it was. Don't do this please, the use of OO decreases the performance compared to procedural code, always. If you have a small script, keep it procedural, don't make a bunch of classes for it.

Keep HTML separate
Last but not least, keep your HTML as far away from your code as possible. Do all your PHP, then as the last possible thing, include the HTML from a separate HTML file. Don't put PHP inline in your HTML, do all the processing and functionality before the HTML is even touched. This way, you keep the "template" clean and easy to edit, as it contains no programming logic, just markup.

Hopefully this stuff is helpful for some anyway.

JmZ Reviewed by JmZ on 23rd Nov 2011. A few PHP tips I'm a little bored so here's a few tips for those of you who are learning PHP, already know it or think you're an expert in it, lol. Don't close the <?php tag Reason being, it increases the chance that you'll some day accidentally have some whitespace after it, meaning headers get sent when you probably don't want them to. Obviously if you're writing HTML in your code too, close the tags but if it's just a pure PHP script then don't. Don't use shorttags (<?) Not all hosts have these Rating: 5

[BlaZe]

Very nice for a beginner like me

[Apathetic]

PDO would be the most important to use when dealing with databases - love prepared statements Thanks your the tips.