10 Tips That Every PHP Newbie Should Know

Discussion in 'PHP' started by vristlefrenk, Mar 14, 2008.

  1. #1
    10 Tips That Every PHP Newbie Should Know
I wish I had known these 10 tips the day I started working with PHP. Instead of learning them through a painstaking process, I could have been on my way to becoming a PHP programmer even sooner! This article is presented in two parts and is intended for folks who are new to PHP.
    Tip 1: MySQL Connection Class
    The majority of web applications I've worked with over the past year have used some variation of this connection class:

    Simply edit the variables and include this in your files. This doesn't require any knowledge or special understanding to use. Once you've added it to your repertoire, you won't likely need to create a new connection class any time soon. Now you can get to work and quickly connect to your database without a lot of extra markup:

    Quote:

    Tip 2: Dealing with Magic Quotes

    PHP "automagically" can apply slashes to your $_POST data for security purposes. It's an important measure to prevent SQL injections. However, slashes in your scripts can wreak havoc. This is an easy method for dealing with them. The way to handle the slashes is to strip them from our variables. However, what if the magic quotes directive is not enabled?

    The script above checks to see if magic quotes is enabled. If they are, it will determine if your $_POST data is an array (which it likely is) and then it will strip the slashes accordingly.
    Understand that this is not true 'validation'. Be sure to validate all your user-submitted data with regular expressions (which is the most common way to do so).
More information about magic quotes: http://www.php.net/magic_quotes/
    More information about SQL injection: http://www.php.net/manual/en/securit...injection.php/
    More information about regular expressions: http://www.php.net/pcre/

    Tip 3: Safely Query Database with mysql_real_escape_string

    When you are ready to query your database you will need to escape special characters (quotes for instance) for safety's sake by adding slashes. We apply these before we insert variables into our database. Once again, we need to determine which version of PHP you are running first:

    Quote:
More information about mysql_real_escape_string: http://www.php.net/mysql_real_escape_string/
    More information about SQL injection: http://php.belnet.be/manual/en/security.database.sql-injection.php

    Tip 4: Debugging

    If you search the forum there are many good threads with rules about debugging. The single most important thing you can do is ask PHP to report errors and notices to you by adding this line at the beginning of your scripts:

    Quote:
    The exit command stops your script from executing any further so you can specifically review your query results.
More information about error_reporting: http://www.php.net/error_reporting/
    More information about print_r: http://www.php.net/print_r/

    Tip 5: Writing Functions (and Classes)

    Initially I thought that tackling functions and classes would be difficult--thankfully I was wrong. Writing a function is something I urge all newbies to start doing immediately--it's really that simple. You are instantly involved in understanding how to produce more efficient code in smaller pieces. Where you might have a line of code that reads like this:

    Quote:
    echo makePrefix($rs['prefix']) . $rs['name'] . ' ' . $rs['last_name'];
    Now that you've written this function, you can use it in many different projects!
    An easy way to describe classes is to think of it as a collection of functions that work together. Writing a good class requires an understanding of PHP 5's new OOP structure, but by writing functions you are well on your way to some of the greater powers of PHP.
    More information about writing functions: http://www.php.net/manual/en/language.functions.php
    More information about writing classes: http://www.php.net/manual/en/language.oop5.php

    Another CNP from PBD
     
    vristlefrenk, Mar 14, 2008 IP
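    Tip 3 above comes down to one rule: user data must never be spliced into SQL text unescaped. The script below is an added example written for this thread, not the original poster's code. It uses PDO with an in-memory SQLite database as a stand-in for MySQL so it runs offline (the MySQL DSN, the credentials and the users table are assumptions), and shows the same INSERT done with raw interpolation, with escaping, and with a prepared statement. Note that the mysql_* functions this thread relies on were removed in PHP 7.0; mysqli_real_escape_string() and PDO::quote() are the surviving equivalents of mysql_real_escape_string().

```php
<?php
// Added example (not the thread author's code): the same INSERT done three ways.
// PDO with an in-memory SQLite database stands in for MySQL so the script runs
// offline; for MySQL the only change is the DSN, e.g.
//   new PDO('mysql:host=localhost;dbname=app', $user, $pass)
// (hostname, user, password and the "users" table are assumptions for this demo).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed input: a perfectly legitimate name containing a single quote.
$name = "O'Brien";

// 1. Unescaped interpolation: the quote ends the string literal early and the
//    statement is malformed. This parsing confusion is what SQL injection exploits.
try {
    $db->exec("INSERT INTO users (name) VALUES ('$name')");
    echo "unescaped insert succeeded (unexpected)\n";
} catch (PDOException $e) {
    echo "unescaped insert failed: " . $e->getMessage() . "\n";
}

// 2. Escaping: PDO::quote() adds the quotes and escapes the content; it is the
//    PDO counterpart of mysql_real_escape_string(). Correct only when applied to
//    every value, on every query, using the driver's own escaping rules.
$db->exec('INSERT INTO users (name) VALUES (' . $db->quote($name) . ')');

// 3. Prepared statement: the value never becomes part of the SQL text, so the
//    parser cannot mistake data for code. Prefer this form.
$stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $name]);

// Reading the rows back shows both safe forms stored the quote intact.
foreach ($db->query('SELECT id, name FROM users ORDER BY id') as $row) {
    echo $row['id'] . ': ' . $row['name'] . "\n";
}
```

    Run it with `php demo.php`: the first INSERT fails with a syntax error because the apostrophe closed the string literal early, while the other two store the name intact. Prepared statements are preferable to escaping because there is no per-value step that can be forgotten.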
  2. kittyluver

    #2
Wow... Fantastic tips. As a newbie these tips are really useful to me... That's why I give you green...
     
    kittyluver, Mar 14, 2008 IP
  3. nico_swd

    #3
    Ehhh...

I'm not sure why you're making a class for the DB connection, but then using the normal mysql_* functions for the rest? There's no need (or point) for doing that. I'd suggest using the built-in mysqli class, which is as easy as:

    PHP:
    $db = new mysqli('hostname', 'username', 'password', 'database');

    No copying and pasting weird database connection classes.
    www.php.net/mysqli_connect

    Furthermore, your example is incorrect:

    PHP:
    $db = new $DB;

    It should read:

    PHP:
    $db = new DB;

    As for the second "tip"... :

    PHP:
    function magicQuotes($post) {
        if (get_magic_quotes_gpc()) {
            if (is_array($post)) {
                return array_map('stripslashes', $post);
            } else {
                return stripslashes($post);
            }
        } else {
            return; // magic quotes are not ON so we do nothing
        }
    }

    Return nothing if they're disabled? So how'd you use this function?

    PHP:
    $_POST = magicQuotes($_POST);

    And if they're disabled, $_POST would be null...



    And last, I only count 5. :p
     
    nico_swd, Mar 14, 2008 IP
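    A version of that function with both defects fixed, as an added example and not code from the thread: it returns its input unchanged when magic quotes are off, and it recurses so nested POST arrays are handled too (array_map() with stripslashes only reaches one level). get_magic_quotes_gpc() was removed in PHP 8.0 (magic quotes themselves were removed in 5.4), so the call is guarded with function_exists(); the sample $post array is constructed to look like what magic_quotes_gpc would have produced.

```php
<?php
// Added example, not code from the thread: a magic-quotes stripper that fixes the
// two defects pointed out above. It always returns its input (unchanged when magic
// quotes are off) and recurses into nested arrays, which array_map() alone misses.
declare(strict_types=1);

function stripMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('stripMagicQuotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

function magicQuotes($data)
{
    // get_magic_quotes_gpc() was removed in PHP 8.0; guard the call so the helper
    // still runs on current interpreters, where it correctly does nothing.
    $enabled = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $enabled ? stripMagicQuotes($data) : $data;
}

// Constructed sample of what magic_quotes_gpc would have produced for a form post.
$post = [
    'name'   => "O\\'Brien",
    'tags'   => ["it\\'s", 'plain'],
    'nested' => ['note' => "say \\\"hi\\\""],
];

// What the request looks like after stripping (forced here, to show the
// recursion regardless of the interpreter's setting):
var_dump(stripMagicQuotes($post));

// Through the guarded wrapper the data comes back identical on any PHP >= 5.4
// with magic quotes off, so $_POST = magicQuotes($_POST) is always safe.
var_dump(magicQuotes($post) === $post);
```

    The recursion is the part that matters in practice: a form with `name="tags[]"` or `name="address[street]"` arrives as a nested array, and a single-level array_map() would leave the inner values escaped.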
  4. The Critic

    #4
    I'm going to have to side with nico_swd on this one. The DB class seems unnecessary and I can't understand how you would get your magic_quotes function to work properly. Honestly, I hate magic_quotes and always turn it off because all it really is is a safety net for newbs that don't validate/sanitize properly, and there's no excuse for that. On that note, I absolutely agree that mysql_real_escape_string should be used before putting any user input into an SQL query, and it's really quite disturbing how often this is left out.

I give it an 'A' for effort, but until you have a little more experience under your belt it's just the blind leading the blind.
     
    The Critic, Mar 14, 2008 IP
  5. rkquest

    #5
Believe me, when you're dealing with large applications, a DB class will help you a lot. Say you need to execute something every time a query is executed, say you want to log the query and error for debugging; you can do it in a snap if you have a DB class.

    Another advantage of this is you can easily switch from one DB software to another say MySQL to PostgreSQL, considering all the SQL queries are standard.
     
    rkquest, Mar 14, 2008 IP
  6. nico_swd

    #6

    No one disagreed with that... the opposite. We're referring to the class HE posted, which is ridiculous and completely pointless.
     
    nico_swd, Mar 15, 2008 IP
  7. rkquest

    #7
    I see.. I didn't notice how he executes his query. Still using mysql_query instead of a method in the class. Anyway, it's a start. :D
     
    rkquest, Mar 15, 2008 IP
  8. perx

    #8
Very informative thread. Thank you.
     
    perx, Mar 15, 2008 IP
  9. kmap

    #9
These tips are very useful.

    They are helpful because sometimes we just ignore these and it creates havoc on a site.

    I must say the major problem in PHP-based applications is memory management.

    Regards

    Alex
     
    kmap, Mar 15, 2008 IP
  10. coderbari

    #10
Maybe he is wrong in his coding, but he pointed in the right direction.
     
    coderbari, Mar 15, 2008 IP
  11. jestep

    #11
    For the DB class to be useful as a separate class, a singleton would have made more sense. With that being said, the mysqli class would still be more appropriate. Good idea overall, the execution just needs a little work.
     
    jestep, Mar 15, 2008 IP
  12. Morishani

    #12
    Good tips.
     
    Morishani, Mar 15, 2008 IP
  13. nico_swd

    #13
    Eh, but people still have to find more than half of the way themselves... and walk over broken bridges, lol.

    Yes. I suggest you use all his codes, all the time!
     
    nico_swd, Mar 15, 2008 IP
  14. Zero

    #14
Thanks for the information.
     
    Zero, Mar 15, 2008 IP
  15. The Critic

    #15
    The journey of a thousand miles begins with the first step, and it would be a shame for PHP newbs to start walking in the wrong direction. While his ideas are nice in spirit, in letter they fail. That isn't to say we can't learn something from them though...

    10... er, 5 PHP Tips that every PHP newbie should know (redux)

    Tip 1: Don't reinvent the wheel. Odds are, whatever menial, repetitive task you have to perform in your code, someone has already made a function, class, or library for it. And it's better than anything you could write.*

    Tip 2: Never trust your web app to secure itself, because 1) it adds unnecessary overhead to everything you do and 2) it's no replacement for proper coding habits. If you aren't taking steps to secure your app, magic_quotes isn't going to save you anyway.

    Tip 3: If you didn't provide it, it isn't safe. Clean and validate everything that is user provided and/or can be manipulated, including the GET, POST, SERVER, COOKIE, and (in certain cases) SESSION arrays. If you don't know if it's safe or not, assume it isn't. The use of standard PHP sanitization functions like mysql_real_escape_string() is the very least you should be doing.

Tip 4: Never print error messages on a live (production) site. At the very least it's ugly, and at the worst it's like handing hackers a roadmap for getting into your site. Either use a custom error handler to manage messages (preferred) or just print them to a text log.

Tip 5: Functions are your friends, classes are your best friends. Once you learn how to use those your code will be cleaner, smaller, and much more manageable. You'll find they cut down on the time you spend in development as well.



    *That doesn't mean that you should only use other people's code, because you'll never learn that way. See how they did it and learn from people with more experience than you. You'll pick up on good coding practices and learn aspects of PHP that you never knew existed. One day, when you need a custom class/CMS/framework for your big project, you'll know exactly what to do.
     
    The Critic, Mar 15, 2008 IP
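    Tip 4 from the redux in code, as an added example rather than The Critic's own: one function switches between a development setup that displays everything and a production setup that shows the visitor a generic message while the full detail, including uncaught exceptions, goes to a log file. The log path under the system temp directory and the deliberately faulty array read are assumptions constructed for the demo.

```php
<?php
// Added example (not The Critic's code): error handling the way Tip 4 asks for.
// Development shows everything; production hides it from visitors and routes it
// to a log file. The log path is an assumption for this demo.
declare(strict_types=1);

function configureErrorHandling(bool $production, string $logFile): void
{
    // Report everything in both modes; the difference is where it goes.
    error_reporting(E_ALL);
    ini_set('display_errors', $production ? '0' : '1');
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);

    if ($production) {
        // Custom handler: log full detail, tell the user nothing specific.
        set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
            error_log(sprintf('[%d] %s in %s on line %d', $errno, $errstr, $errfile, $errline));
            return true; // handled; do not fall through to PHP's own output
        });
        // Uncaught exceptions get the same treatment: detail to the log,
        // a generic message and a 500 status to the client.
        set_exception_handler(function (Throwable $e): void {
            error_log(get_class($e) . ': ' . $e->getMessage() . ' in ' . $e->getFile() . ':' . $e->getLine());
            http_response_code(500);
            echo "Something went wrong. The problem has been logged.\n";
        });
    }
}

$logFile = sys_get_temp_dir() . '/app-errors.log';
configureErrorHandling(true, $logFile);

// Constructed fault: reading an undefined array key raises a warning in PHP 8
// (a notice in PHP 7). Either way it is reported under E_ALL.
$config = [];
$value = $config['missing'];

echo "The visitor sees nothing about the warning above.\n";
echo "The log now contains:\n" . file_get_contents($logFile);
```

    Flip the first argument to false to get the development behaviour the original Tip 4 describes (everything printed to the screen). The production branch is the one that belongs on a live site: file paths, line numbers and SQL fragments in error text are exactly the details an attacker reads as a map.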