Advertisement
Roundups

Are You Making These 10 PHP Mistakes?

by

One of the best things about PHP is that it's a great language to just "dive into", thanks to its wide-ranging popularity. Anyone with the ability to hit "Search" on Google can quickly create a program. However, this also lends to a major criticism of PHP: it's almost too easy to find and reproduce bad code.

Here are 10 PHP mistakes that any programmer, regardless of skill level, might make at any given time. Some of the mistakes are very basic, but trip up even the best PHP programmer. Other mistakes are hard to spot (even with strict error reporting). But all of these mistakes have one thing in common: They're easy to avoid.

Take the time and make sure that your PHP is secure, clean and running smoothly by checking your site for these common PHP blunders.

1. Single quotes, double quotes

It's easy to just use double quotes when concatenating strings because it parses everything neatly without having to deal with escaping characters and using dot values. However, using single quotes has considerable performance gains, as it requires less processing.

Consider this string:

# $howdy = 'everyone'; 
# $foo = 'hello $howdy'; 
# $bar = "hello $howdy";

$foo outputs to "hello $howdy" and $bar gives us "hello everyone". That's one less step that PHP has to process. It's a small change that can make significant gains in the performance of the code.


Photo by dantaylor.

2. Semicolon after a While

It's funny how one little character can create havoc in a program, without even being reported to the PHP error logs! Such as it is with semicolons and While statements.

Codeutopia has an excellent example of this little error, showing that these nasty errors don't even get reported (even to E_ALL!), as it quietly falls into a silent loop.

$i = 0;
while($i < 20); {
  //some code here
  $i++;
}

Omit the ; after the while statement, and your code is in the clear.


Photo by RTPeat.

3. NOT Using database caching

If you're using a database in your PHP application, it is strongly advised that you at least use some sort of database caching. Memcached has emerged as the most poplar caching system, with mammoth sites like Facebook endorsing the software.

Memcached is free and can provide very significant gains to your software. If your PHP is going into production, it's strongly advised to use the caching system.

4. Missing Semicolon After a Break or a Continue

Like #2, a misused semicolon can create serious problems while silently slipping off into the shadows, making it quite difficult to track the error down.

If you're using a semicolon after a "break" or "continue" in your code, it will convince the code to output a "0" and exit. This could cause some serious head scratching. You can avoid this by using braces with PHP control structures (via CodeUtopia).


Photo by ed_gaillard.

5. Not Using E_ALL Reporting

Error reporting is a very handy feature in PHP, and if you're not already using it, you should really turn it on. Error reporting takes much of the guesswork out of debugging code, and speeds up your overall development time.

While many PHP programmers may use error reporting, many aren't utilizing the full extent of error reporting. E_ALL is a very strict type of error reporting, and using it ensures that even the smallest error is reported. (That's a good thing if you're wanting to write great code.)

When you're done developing your program, be sure to turn off your reporting, as your users probably won't want to see a bunch of error messages on pages that otherwise appear fine. (Even with the E_ALL error reporting on they hopefully won't see any errors anyway, but mistakes do happen.)


Photo by Eliya.

6. Not Setting Time Limits On PHP Scripts

When PHP scripts run, it's assumed that they'll eventually finish in a timely manner. But every good programmer knows that nothing should be assumed in a piece of code. Nothing makes a program crankier than an unresponsive script.

You can get around this issue by simply setting a time limit on the script (set_time_limit). While it may seem like a trivial thing, it's always clever to prepare for the worst.

7. Not Protecting Session ID's

A very common PHP security mistake is not protecting session ID's with at least some sort of encryption. Not protecting these Session ID's is almost as bad as giving away a user's passwords. A hacker could swoop in and steal a session ID, potentially giving him sensitive information. MT Soft an example of how to protect Session ID's with sha1:

if ($_SESSION['sha1password'] == sha1($userpass)) {   // do sensitive things here

}

Adding the shai1 to the ($userpass) gives an added bit of security to the session. Sha1 isn't a bulletproof method, but it's a nice barrier of security to keep malicious users at bay.

8. Not Validating Cookie Data

How much trust do you put into cookies? Most people don't think twice about the seemingly-harmless bit of data that's passed by a cookie. The name "cookie" itself is associated Milk, nap time and Santa, for crying out loud! How could a cookie possibly harmless?

If you're not validating cookie data, you're opening your code to potential harmful data. You should use htmlspecialchars() or mysql_real_escape_string() to validate the cookie before storing it in a database.

9. Not Escaping Entities

Many times PHP programmers are too trusting with data, especially data generated by user. It's imperative to sanitize data before it goes into any sort of storage, like a database.

Source Rally shows us how to correctly escape entities in things like forms. Instead of using this:

echo $_GET['username'];

You can validate the data by using htmlspecialchars() (or htmlentities()) like so:

echo htmlspecialchars($_GET['username'], ENT_QUOTES);

10. Using Wrong Comparison Operators

While comparison operators are an extremely basic part PHP programming, mixing these up in your code is certain to bork your program. As the German proverb states, the Devil is in the details.

Being familiar with the often-misused operators like =, ==, != , are absolutely critical to PHP programming. Taking the time to really understand the differences will greatly speed up your programming and yield less bugs to debug.



Photo by Foxtongue.
Related Posts
  • Code
    Web Development
    Securely Handling User's Login CredentialsSecure wide retina preview
    Consider the following tips on how to properly secure your user's login credentials.Read More…
  • Code
    Web Development
    Laravel Unwrapped: Session, Auth and CacheLaravel wide retina preview
    Join me as we learn how to use Laravel's component-based system, Illuminate. Additionally, we'll see how to utilize service providers, Laravel's manager system, the Session, Auth, and Cache components, and the Store, Guard, and Repository libraries.Read More…
  • Code
    Creative Coding
    Using WordPress for Web Application Development: A ReviewApplication foundation 400
    Over the past few months, we've been taking a look at all of the features and aspects that make WordPress a potential foundation for application development. In fact, we've spent roughly 15 articles talking about all that WordPress offers. And though we'll be reviewing each of the points in this email, perhaps the biggest thing to take away that building web applications using WordPress is different than using many of the popular frameworks that are currently available namely because WordPress isn't a framework.Read More…
  • Code
    ASP.NET
    Preventing Code InjectionCsrf dotnet retina preview
    Often, websites seem to exist primarily to put something into a database in order to pull it out later. While other database methods, such as NoSQL, have gained popularity in recent years, data for many websites still resides in the traditional SQL database. This data often consists of valuable personal information such as credit card numbers and other personal information of interest to identity thieves and criminals. Hackers therefore always look to get this data. One of the most common targets of these attacks is the SQL databases that lie behind many web applications through a process of SQL Injection.Read More…
  • Code
    Creative Coding
    Using WordPress For Web Application Development: Available Features, Part 7: CachingApplication foundation 400
    When it comes to building web applications, one of the most important things that we have to constantly be mindful of is performance. As they say, performance is a feature. And regardless of if you're a designer, developer, or a user, you know this intuitively to be true: When it comes to applications, we hate waiting. We get frustrated when things don't perform fast enough, or we have to wait longer than we believe that we should.Read More…
  • Code
    Creative Coding
    Using WordPress for Web Application Development: Features: SessionsApplication foundation 400
    In this series, we're taking a look at how it's possible to build web applications using WordPress. Thus far, we've talked about how WordPress is a foundation (rather than a framework), its architecture, how we need to conceptually think of it when approaching it especially coming from other languages, and then we began talking about the components that make up a basic web application.Read More…