Some tips when using PHP

Tram Ho


  • PHP programming has increased rapidly since its humble beginnings in 1995. Since then, PHP has become the most popular programming language for Web applications. Many popular websites are built with PHP and most of the source code and Web projects are built with popular languages.
  • This tutorial is aimed at people who have just started learning PHP and are ready to roll up their sleeves and code.
  • Here are some great techniques that PHP developers should learn and use every time they program.
  • These tips will speed up proficiency and make the code cleaner and more optimized for performance.


1. Avoid SQL Injection

  • For example, when a user enters login information and clicks login, the user’s information is sent to the server via a POST request which is then assigned to an SQL statement. The code will look like this:

  • Assuming that the data sent to email=" [email protected] " and password="12345678" , the query will look like this:

  • This is the case if the user entered correctly, what if the user intentionally entered wrong?

  • The query results will be as below, users only need to enter the email to be able to access.

So how to avoid SQL Injection attacks

  • Never trust the user input.
  • Validate data on server side: Use the mysql_real_escape_string() function to remove characters that may affect SQL statements.

2. Differences between comparison operators

  • This is a good tip, but needs a practical example that demonstrates when a non-rigorous comparison can cause problems.
  • If you use strpose() to determine if a substring exists in a string (it returns FALSE if no substring is found and returns the first occurrence of substring), the result is yes. Misleading:

  • Because the substring Chris appears at the beginning of ‘Chris & Sean’, strpose() returns exactly 0, indicating the first position in the string.
  • Because the conditional statement treats this as a Boolean, it returns FALSE. and the result will be Chris is not an author. -> Logically wrong
  • This can be corrected by a rigorous comparison:

3. Shortcut The Else

  • Check user is not admin? based on username.

  • The above code looks fine, but if the developer then adds another role.

  • In the above code, if the user provided the runer’s name in the condition auth($username) == 'mod' then $ admin has not been initialized. This may result in unwanted results or security holes.
  • Additionally, a case similar to $moderator not initialized when running the auth($username) == 'admin' .
  • By initializing $admin and $moderator first to avoid this situation.

  • Should create a function to handle users allowed to view a specific page.

  • If you want to reduce the number of lines, you can join the following condition.

  • You can reduce the whole function to a single join condition

  • Finally, the function may be reduced to a return

  • If your goal is to reduce the number of lines, you’re done. However, the code look very lie, confusing.
  • This brings us to the tip that will return immediately if the condition is met.

  • Although it uses more lines of code, it is very simple, easy to understand and useful when your logic is more complex.

4. Always use {} after the conditional expression

  • See the following example:

  • You had the birthday list on 21 May and then called the party(TRUE); function party(TRUE);

  • But not party(TRUE); function party(TRUE); Always run without the date('d M') == '21 May' condition date('d M') == '21 May' .
  • Therefore, it is advisable to use {} after the conditional expression even if there is only one command line in it.

5. Functions str_replace (), ereg_replace () and preg_replace ()

  • If you use regular expressions, ereg_replace() and preg_replace() will be faster than str_replace . Because str str_replace does not support pattern matching.
  • The choice between string functions and regular expression functions is appropriate for the purpose, not faster.
  • If you need to match a pattern, use the regular expression function ereg_replace , preg_replace .
  • If you need to match the string use str_replace .

6. Be careful when using the triad operator.

  • See the following example:

  • The author wants $host = htmlentities($host) if the string length is greater than 0, but instead accidentally does the opposite.

7. Use a Framework to develop web applications

8. Use isset () instead of strlen ()

  • See the following example:

  • When you consider strings as arrays, each character in the string is an element in the array.
  • By determining whether a particular element exists, you can determine if the string is at least many characters long. (Note that the first character is the 0 element, so $ username [5] is the sixth character in $ username).
  • Reason: The function isset() will be faster than strlen() because strlen() is a function also isset() is a language construct more .


Share the news now

Source : Viblo