I am learning PHP (I know HTML very well, and also some VB, JS and SQL) and would like to ingrain good habits from the start. There was a great post the other day about good CSS practices, which is a great help for beginners. Can someone tell me, or point me in the direction of, good practices? Especially regarding security; I know that's a big issue with PHP. Thanks!
-- Indent your code.
-- Comment it regularly (it helps you and future developers).
-- Name your variables appropriately when needed, i.e. $Name, $Age etc., not $n, $a.
-- Keep it tidy. Try and space it well if needed.
To obtain the values of posted variables, always assume that register_globals is set to off, i.e. use $_POST['name'] instead of $name.
I need to comment it so I know what is going on.

Is there a set thing you do for each input? Like remove slashes, remove empty spaces, check for overflows (I saw a script somewhere that removed \n++ or whatever makes a new line, as well as some other stuff... apparently it can make the script break somehow).

Ok, great, I was wondering about this! I thought <?php was needed because <? is shorthand and doesn't work on all setups, but heaps of people just use <?.

I love neat! I'll keep the variable names in mind; eventually I'll be wondering what $n and $a equal.

Ok, so what does that mean? Can I go:

$name = $_POST['name'];
print $name;

Or should I always use $_POST['name'] instead of $name? What's magic quotes?
As long as you declare the variable somewhere in your script, it's fine to reference it anywhere else, such as in your print example.
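The following is an added example, not code from anyone in this thread, showing why the earlier reply says to assume register_globals is off and read input from $_POST explicitly. extract() is used here to simulate what register_globals = On did (turn every request parameter into a same-named global), so it runs on any PHP version; the request array and user names are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): the classic register_globals pitfall.
// extract() simulates register_globals = On, which turned every request
// parameter into a variable of the same name.

function isAdminBroken(array $request, $user)
{
    extract($request);           // simulates register_globals: ?authorized=1 -> $authorized = "1"
    if ($user === 'admin') {
        $authorized = true;      // the only intended path that sets $authorized
    }
    return !empty($authorized);  // never set above for a guest, so the attacker's value wins
}

function isAdminSafe(array $request, $user)
{
    $authorized = false;         // always initialise; never rely on implicit globals
    if ($user === 'admin') {
        $authorized = true;
    }
    return $authorized;
}

// Constructed hostile request: page.php?authorized=1
$attack = array('authorized' => '1');

var_dump(isAdminBroken($attack, 'guest'));  // bool(true)  -> privilege escalation
var_dump(isAdminSafe($attack, 'guest'));    // bool(false)

// Reading user input explicitly, as the reply advises, with a default when the
// field is missing so the script does not depend on register_globals at all:
$name = isset($_POST['name']) ? $_POST['name'] : '';
print $name;
```

The point is not extract() itself but the habit it stands in for: a variable that is only conditionally assigned, and is then tested, is controlled by the request whenever register_globals (or an extract() of user data) is in play. Initialising every variable and reading input only through $_POST, $_GET or $_COOKIE removes that class of bug.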
Magic quotes: these are quotes that are magic... lol. Read this: br.php.net/manual/en/security.magicquotes.php
-Indent your code, keep it neat and easy to read. Make your own standards for indenting.
-Keep the code constant.
-Name variables, functions and classes in a standard way. Mine:
  classes: className or ClassName
  functions: functionName or FunctionName
  variables: var_name, using underscores to separate words
-Stay organized.
-Don't over-comment your code.
-Make the code work for you, don't always work for the code, e.g. make things more automatic etc.
-Work in the best interest of usability; don't sacrifice the true functionality of the code for other things.
-Optimize your code for loading speed and file size.
-Always think of security, protect yourself, make sure your script is as safe as you can possibly make it, try to hack your own scripts. Always think: "Is there some way anyone could hack this code?" Ask experienced people who know more about hacking than you.

Clinton
Use a control constant (define('SITE777', TRUE); for example) and check this value in each included file:

<?php
if (SITE777 !== TRUE) exit;
// code
?>

Set error_reporting to 0 after debugging. Never show warnings (or even notices), to make sure that a hacker can't see paths in those notices. If your script uses a setup wizard, do not forget to remove install.php from the web space. Also, I can advise keeping all includes (classes, libs and so on) out of the web space (if the host allows this).
if (SITE777 !== TRUE)  // if the constant SITE777 is not set to true
    exit;              // exit from the script (without any output)

PHP: !== and === check value and type, whereas != and == do not check type, so:

the expression ("20" == 20) is true
the expression ("20" === 20) is false
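An added example, not code from either of the two posts above, putting the control constant, the include guard and the strict comparison together. The file names index.php and inc/config.php are assumed for illustration. It adds one check the posts do not show: defined() before the comparison, because on PHP 8 reading an undefined constant throws an Error rather than quietly evaluating to a string, so a directly requested include would fail with an error message (and possibly a path) instead of exiting silently. It also shows the display_errors/log_errors pair as an alternative to error_reporting(0) that still records problems for the developer.

```php
<?php
// ---- index.php (single entry point) ------------------------------------
// Added example: the entry script defines the control constant before
// pulling in any other file.
define('SITE777', true);

// Alternative to error_reporting(0): hide errors from visitors but keep
// logging them, so the developer still sees warnings without leaking paths.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// require 'inc/config.php';   // assumed path; the included file is below

// ---- inc/config.php (or any other included file) -----------------------
// Guard against direct requests such as http://host/inc/config.php.
// defined() comes first: on PHP 8 an undefined constant is an Error, and
// on older versions it is a notice that would print the file path.
if (!defined('SITE777') || SITE777 !== true) {
    exit;   // requested directly, not via index.php: stop without output
}

// ---- why !== rather than != ---------------------------------------------
// Loose comparison converts types; strict comparison does not.
var_dump("20" == 20);      // bool(true)
var_dump("20" === 20);     // bool(false)
var_dump("1" == true);     // bool(true)  - a string "1" would pass a loose check
var_dump("1" === true);    // bool(false) - only a real boolean true passes
var_dump("abc" == 0);      // bool(true) on PHP 7, bool(false) on PHP 8
```

The last line is the reason to stay strict even in your own code: the loose-comparison rules changed between PHP 7 and PHP 8, so code written with == can change behaviour on upgrade, while === means the same thing everywhere.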
It depends on the input. If you have asked for a number, then it is a good idea to do something like this:

$number = (int)$_POST['number'];

If you are going to redisplay the user input for any reason, then make sure that the code does not have any XSS vulnerabilities. If you are saving text to the database, then use mysql_real_escape_string(). There are lots of things to consider when designing a webpage using PHP. Check this out for more info: http://uk.php.net/manual/en/security.php

Brew
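An added example, not Brew's code or anyone else's in the thread, that walks one form submission through the three cases Brew lists (a number, text redisplayed in HTML, text saved to a database) and also undoes magic quotes, which the OP asked about. The $_POST contents are constructed to look like a hostile submission. For the database step it shows the injection-prone string-building first, then a PDO prepared statement against an in-memory SQLite table (assumes the pdo_sqlite extension, which most PHP builds include) in place of the mysql_real_escape_string() call Brew mentions, since the mysql_* functions were removed in PHP 7; the mysqli equivalent is noted in a comment.

```php
<?php
// Added example (not from the thread): handling one form submission end to end.

// Constructed input, as if submitted by a hostile user.
$_POST = array(
    'number'  => '42abc',
    'comment' => "<script>alert(1)</script> O'Brien",
);

// 0. Undo magic_quotes_gpc if an old host still has it on (the setting was
//    removed in PHP 5.4 and the function in PHP 8, hence function_exists()).
function stripMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('stripMagicQuotes', $value);
    }
    return stripslashes($value);
}
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST = stripMagicQuotes($_POST);
}

// 1. Numeric input: cast, do not trust. "42abc" becomes 42; "abc" becomes 0.
$number = isset($_POST['number']) ? (int) $_POST['number'] : 0;

// 2. Redisplaying input: encode for the HTML context it lands in.
//    ENT_QUOTES also encodes single quotes, which matters inside attributes.
$comment  = isset($_POST['comment']) ? $_POST['comment'] : '';
$safeHtml = htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
echo "<p>$safeHtml</p>\n";
// <p>&lt;script&gt;alert(1)&lt;/script&gt; O&#039;Brien</p>

// 3. Saving to the database.
//    Vulnerable: the single quote in O'Brien breaks this query, and a crafted
//    comment could append arbitrary SQL.
$vulnerableSql = "INSERT INTO comments (num, body) VALUES ($number, '$comment')";

//    Brew's approach, in its mysqli form (needs a live $link):
//    $escaped = mysqli_real_escape_string($link, $comment);

//    Prepared statement: the driver keeps data and query text separate, so no
//    escaping is needed and the quote in O'Brien is stored as-is.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (num INTEGER, body TEXT)');

$stmt = $pdo->prepare('INSERT INTO comments (num, body) VALUES (:num, :body)');
$stmt->execute(array(':num' => $number, ':body' => $comment));

// Read it back: the script tag is stored verbatim and must be encoded again
// on output, because escaping for SQL and encoding for HTML are different jobs.
foreach ($pdo->query('SELECT num, body FROM comments') as $row) {
    echo $row['num'], ': ', htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The rule of thumb the example illustrates is that there is no single "clean this input" step: validate or cast on the way in, and encode separately for each place the data goes out to (HTML, SQL, a shell command, a URL), using that destination's own mechanism.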