Having covered PHP CODE LAYOUT and SQL CODE GUIDELINES earlier, we continue with the common PHP software development guidelines.
1) USAGE INSTRUCTIONS/TIPS (RECOMMENDED)
a) Include: Use include_once unless plain include is architecturally required. Use include_once where the included file's output is not critical to the business logic that follows on the page. In other words, if there is an error in the included file, the rest of the page still executes.
Static files containing HTML, CSS, etc. can be called using include_once.
b) Require: Use require_once everywhere unless plain require is architecturally required. Use require_once where the file called within the page is critical for the rest of the page or its business logic. Code files such as class files, database connection files, etc. MUST be called using require_once, because if there is an error loading the external file, the rest of the page will not execute.
c) Single & Double quotes: In strings, single quotes tell the PHP parser that everything inside is literal characters, so even a variable name inside single quotes is printed as is rather than as its value. This also saves parser time. Use single quotes when a string has no variables embedded. Unlike single quotes, double quotes make the PHP parser scan the entire string for variables, which costs more parser time, so use them only when really required. For example, SQL queries with embedded variables can be written in double quotes.
d) Braces: Braces should be used even where they are optional. When using braces with control structures or statements, keep them in the same column. For example,
for ($i = 0; $i <= $n; $i++)
{
    .....
}
if ($a < $b)
{
    .....
}
else
{
    if ($x == 1)
    {
        .....
    }
}
In other words, (1) a brace must be the only character on its line, and (2) the opening and closing braces of the same control statement, loop or condition must be vertically aligned.
e) Square brackets: As a practice, a string key inside square brackets should be inside single quotes. Apart from being good programming practice, there is also an execution speed advantage. For example, $row['id'] is much faster than $row[id].
f) Function: As far as possible, create functions within classes.
g) Classes: There must be one class per file.
h) Declaration and Scope of variables
i) Global variables: should be defined in a common include file
ii) Module level variables: should be defined within a module.
iii) Page level variables: should be defined at the beginning of the page. (This needs special care, as declaring such variables in random places renders the code unreadable and prone to errors.)
i) Hard coded URLs and file paths
i) Use relative URLs as far as possible to improve portability
ii) If absolute URLs are still required, create variables for all paths, preferably in a single include file.
AVOID USING A HARD CODED PATH EVEN IF IT OCCURS ONLY ONCE IN THE CODE.
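The following is an added example, not code from the original article, showing items a), b), h-i) and i) together: one include file owns every path, URL and global variable, and pages pull it in with require_once (critical) while presentation fragments come in with include_once (non-critical). The file layout (/app/includes/config.php, /app/classes, /app/templates) and the names of the class files are assumptions made for the illustration; two files are shown in one block.

```php
<?php
// ---- /app/includes/config.php (assumed location) -------------------------
// The filesystem root is derived from this file's own location, never typed
// by hand, so moving the application to another directory changes nothing.
define('BASE_PATH', dirname(__DIR__));          // => /app
define('CLASS_PATH', BASE_PATH . '/classes');
define('TEMPLATE_PATH', BASE_PATH . '/templates');

// A relative URL root keeps links working when the site moves to another host.
define('BASE_URL', '/app');

// Global variables (item h-i) live in this single common include file too.
$site_name = 'Example Site';

// ---- /app/users.php (assumed page) ---------------------------------------
// Critical code files: require_once stops the page with a fatal error if any
// of them is missing, which is what we want for classes and DB connections.
require_once __DIR__ . '/includes/config.php';
require_once CLASS_PATH . '/Database.php';      // assumed class file
require_once CLASS_PATH . '/User.php';          // assumed class file

// Static presentation fragments: include_once only emits a warning when the
// file is missing and the rest of the page keeps executing.
include_once TEMPLATE_PATH . '/header.html';

// No path or URL is hard coded on the page itself; everything comes from
// the constants above, so a change is made in exactly one place.
echo '<a href="' . BASE_URL . '/users.php">'
   . htmlspecialchars($site_name, ENT_QUOTES, 'UTF-8')
   . '</a>';

include_once TEMPLATE_PATH . '/footer.html';
```

With this arrangement a grep for "/app" or "http://" across the page files should turn up nothing; every such value is resolved through config.php.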
j) Mixing of PHP and HTML (echo vs embedded HTML)
i) Avoid mixing PHP code and HTML as much as possible. Mixing should be limited to loops and display conditions unless unavoidable.
ii) Where code and HTML are mixed, keep HTML blocks intact.
e.g. Incorrect usage (the table is opened in HTML but closed from inside PHP):
<table><tr><td>
<?php echo $some_content . '</td></tr></table>'; ?>
In the very simple scenario above, Dreamweaver (or any similar HTML editor) will display invalid tags, rendering the page useless for the designer. The point here is that if the start of the table is in HTML, so should the end be, as below:
<table><tr><td><?php echo $some_content; ?></td></tr></table>
k) Function Assignment: In a loop, if you are checking a condition that involves a function call, it is always better to assign the function's value to a variable and check against that variable. This prevents the overhead of the function executing on every iteration of the for loop. Like below:
Incorrect Usage
for ($i = 0; $i < count($array); $i++)
{
    echo "test";
}
Correct Usage
$count_check = count($array);
for ($i = 0; $i < $count_check; $i++)
{
    echo "test";
}
2) SECURITY (REQUIRED):
Follow the points below to sanitize variables before passing them into SQL queries.
a) Use mysql_real_escape_string() or mysql_escape_string() to escape special characters in a string prior to passing it into a query.
b) Also use htmlentities() and html_entity_decode() to prevent HTML injection from open form fields.
c) Do not directly pass server variables like GET, POST, FILES, SESSION, ENV, SERVER, REQUEST, etc. into SQL queries. They all MUST be initialized and sanitized.
For example, correct method:
$id = trim($_GET['id']);
if (is_numeric($id))
{
    $query = "SELECT first_name, last_name FROM users WHERE user_id = " . $id;
}
Incorrect method:
$query = "SELECT first_name, last_name FROM users WHERE user_id = {$_GET['id']}";
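The following is an added example, not code from the original article, carrying section 2 through end to end: the request parameter is initialized, trimmed and validated before it goes anywhere near SQL, and the output is encoded before it is echoed. It uses PDO prepared statements rather than the mysql_* escaping functions named above, because the mysql_* extension was removed in PHP 7; the users table columns are those from the article, while the DSN, credentials and fetchUserById/renderName names are assumptions for the illustration.

```php
<?php
// Look up a user by the id supplied in the request. $rawId is whatever came
// in from $_GET; it is never trusted until it has been validated here.
function fetchUserById(PDO $pdo, $rawId)
{
    // 1) Initialize and sanitize: coerce to string and strip whitespace.
    $id = trim((string) $rawId);

    // 2) Validate against the expected shape. A user id is an unsigned
    //    integer, so anything that is not all digits is rejected outright
    //    (ctype_digit is stricter than is_numeric, which also accepts
    //    "1e3", "-5" and " 7").
    if ($id === '' || !ctype_digit($id)) {
        return null;
    }

    // 3) Bind the value instead of concatenating it into the query text.
    //    The SQL is fixed; the parameter travels separately to the server.
    $stmt = $pdo->prepare(
        'SELECT first_name, last_name FROM users WHERE user_id = :id'
    );
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Encode on output, so a stored first_name such as "<b>x</b>" is displayed
// literally instead of being interpreted as HTML by the browser.
function renderName(array $row)
{
    $full = $row['first_name'] . ' ' . $row['last_name'];
    return htmlspecialchars($full, ENT_QUOTES, 'UTF-8');
}

// Placeholder DSN and credentials; replace with the values from the
// application's single configuration include file.
$pdo = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4',
               'db_user', 'db_password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use real server-side prepares so binding happens in the database driver.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$row = fetchUserById($pdo, isset($_GET['id']) ? $_GET['id'] : '');
if ($row === null) {
    http_response_code(400);
    echo 'Invalid or unknown user id.';
} else {
    echo renderName($row);
}
```

The validation step alone would already stop a request such as id=1 OR 1=1 from reaching the database; binding the parameter is the second, independent layer, so that a future change to the validation cannot silently reopen the query to injection.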