Top 10 Rookie Mistakes in PHP

About Simeon Franklin

Software Dev for about 12 years
Desktop C/VB/C++/Delphi, then web Perl/PHP/Javascript/Python
recently became full-time Python instructor for Marakana.com
http://simeonfranklin.com / @simeonfranklin

My PHP Experience

Long-time PHP dev from PHP/FI, switched fully to Django ~ php 5.2
~8 years of PHP development
wrote my own crappy CMS, past master of PEAR, Zend Framework
I used to write about PHP - http://metapundit.net/tech_blog/?tag=php

My top 10 list

arbitrary unscientific opinions
designed to make you think (after top 4)
On to the opinions!

#1 - Not learning php

Know the language. Syntax. stdlib. Configuration. Tools.

== and ===
array_* and the strings functions (substr, strpos, strstr)
magic_quotes_gpc
php -a

#2 - Not paying attention to security

Keep security in mind. Understand:

SQL injection ($sql = "select * from foo where user=" . $_GET["user"];)
Code injection. (<h1>Welcome <?php echo $username; ?></h1>)
Escape all user input. (include "content/" . $_GET["pagename"];)

#3 - Mixing everything up

<html>
 <head>
  <title>Show Users</title>
 </head>
 <body>
 <h1>Users</h1>n
  <ul>
  <?php
    $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password');
    mysql_select_db('my_database');
    $query = 'SELECT * FROM user order by username';
    $result = mysql_query($query)
    echo "<table>\n"; // Bonus points for putting html in your php in your html
    while ($row = mysql_fetch_object($result)) {
        echo "\n<tr>\t\t<td>$row->username</td></tr>\n";
    }
    echo "</table>\n";
 ?>
 </body>
</html>

#4 - micro-benchmarking

STOP IT!

my oldest complaint
don’t argue about whether " or ' is .001% faster
write code that expresses your intent most clearly and elegantly.
web apps are slow at well known bottlenecks (db, filesystem, network)
"optimizing your code" seems to be a popular newbie fixation that is actually a waste of time
see also: http://www.sitepoint.com/phpbench-live-php-benchmarks-best-practices/

#5 - using a template engine

One form that sends email that has 20 lines of PHP form handling code and 1.2M of PHP code for Smarty, 4 directories for config, template source, compiled templates, and cached templates. Or you could do

<html>
 <head>
  <title>Show Users</title>
 </head>
 <body>
 <h1>Users</h1>
  <ul>
  <table>
  <?php foreach($users as $row): ?>
        <tr>
          <td><?php echo($row->username); ?></td> <!-- XSS -->
        </tr>
  <?php endforeach; ?>
  </table>
 </body>
</html>

You do know about alernative syntax? Read the docs! http://goo.gl/Vm2zo

#6 - not using a template engine

For sites that have

many pages
multiple shared design
changes made by non-programmers

I like twig

http://twig.sensiolabs.org/

{% extends "index.html" %}

{% block content %}
<table>
    {% foreach user in users %}
    <tr>
      <td>{{ row.username }}</td><!-- No XSS -->
    </tr>
    {% endforeach %}
</table>
{% endblock %}

#7 - reusing code

Typical newbie development process:

Problem: I want to show users in two columns
Solution: I know Google!
New Problem: copy-n-paste abomination

For example

http://goo.gl/Ft8LV

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Wallpaperama Tutorials - Display Number of Colums from a Database</title>
</head>
<body>
<h1 align="center">Display Number of Colums from a Database</h1>
<hr />
<?php
# ************* SCRIPT BY WALLPAPERAMA.COM/FORUMS ***************

################### S T A R T C O N F I G U R A T I O N ######################

# SET THE NUMBER OF COLUMS IN THE TABLE
$number_of_colums=3;

# SET YOUR MYSQL HOSTNAME, USERNAME, PASSWORD AND DATABASENAME
$db = mysql_connect("MYSQL_hostname", "user_name", "password");
mysql_select_db("database_name",$db);

# ENTER NAME OF TABLE TO BE displayed
$table_name = "topics"; // change to whatever table you want to get data from
$field_name = "topic_title"; // change to whatever field name from the $table_name

################### E N D C O N F I G U R A T I O N ######################


####################################################################################
#################### STOP HERE - NO NEED TO CHANGE FROM THIS POIN #################
####################################################################################
$sql = "SELECT $field_name FROM $table_name";
$result = mysql_query($sql ,$db);
$total_records = mysql_num_rows($result);
$num_rows = ceil($total_records / $number_of_colums);

if ($result)
{
if ($myrow = mysql_fetch_array($result))
{
do
{

?><table width="100%" border="0" cellspacing="5" cellpadding="5">
<tr>
<?php
do
{
if ($newrowcount == $number_of_colums)
{
$newrowcount = 0;
?><tr>

<?php
}
?><td>
<?php


################### DISPLAY cell info ##########
?><a href="#"><?php echo $myrow[$field_name]; ?></a><?php
################### DISPLAY cell info ##########



?></td>


<?php

$newrowcount++;
if ($newrowcount == $number_of_colums) {echo"</tr>";}
}
while ($myrow = mysql_fetch_array($result));

?></tr></table><?php


} while ($myrow = mysql_fetch_array($result));

}

}
?>
<div align="center">
<p align="left"><a href="http://www.wallpaperama.com/forums">&lt; &lt; Go back to forums </a><br />
</p>
<p>Hosting by <a href="http://www.webune.com">Webune.com</a></p>
</div>
</body>
</html>

Make it Stop!

Why is this bad?

somebody else’s mistakes
all in one file, mysql mixed up with display logic
requisite bad indenting and spelling mistakes
does it actually work?
do you understand why it works? If you don’t, will you be able to debug it?

#8 - not reusing code

Do the first lines in every php file start with

include "mylibrary.php";

Do you have your own library of wrapper functions around mysql? Your own hand-rolled url parser? Autoloading class? Form utilities? User authentication?

Use libraries!

Libraries are composed of code meant to be reused. It helps if it is popular (and therefore tested). It would be nice if it could easily be installed, had good docs, a bug list, etc.

Whenever you find yourself writing code that does something not directly related to your business logic look for a library. Examples:

database (Adodb or redbean)
charting (pChart or libChart)
PEAR (many components - caching, DB, Email, Authentication, etc)
or even look at http://www.phpclasses.org/browse/ (YMMV)

#9 - using a framework

PHP for me is still the ideal tool for the quick-n-dirty web application, for adding dynamic portions to a static web page or writing small web applications.

It works best using a webserver as a front controller - urls map to files and mod_rewrite lets us make that relationship as complicated as we want.

Exploring the app is easy: the "views" are .php pages whose name probably matches a url.

$ ls -lh
total 52K
drwxr-x--- 4 app app 4.0K Aug 17  2010 templates/
drwxr-x--- 4 app app 4.0K Aug 17  2010 lib/
-rw-r--r-- 1 app app 2.3K Aug 17  2010 index.php
-rw-r--r-- 1 app app 3.1K Aug 17  2010 users.php
-rw-r--r-- 1 app app 2.3K Aug 17  2010 homepage.php
-rw-r--r-- 1 app app 3.1K Feb  3  2011 photos.php
-rw-r--r-- 1 app app  163 Feb  1  2011 .htacces

Do you know where to go to change the users photo page? How to figure out what url maps to users.php?

And on the other hand

Visit http://framework.zend.com/manual/en/learning.quickstart.intro.html

Download the sample app. What file controls what shows up on the front page?

$ ls -lh
total 24K
drwxr-xr-x 8 simeon simeon 4.0K 2010-02-03 08:08 application
drwxr-xr-x 3 simeon simeon 4.0K 2010-02-03 08:09 data
drwxr-xr-x 2 simeon simeon 4.0K 2010-02-03 08:40 library
drwxr-xr-x 2 simeon simeon 4.0K 2010-02-03 08:30 public
drwxr-xr-x 2 simeon simeon 4.0K 2010-02-03 08:12 scripts
drwxr-xr-x 4 simeon simeon 4.0K 2010-02-02 13:54 tests

$ ls -lh application/
total 28K
-rw-r--r-- 1 simeon simeon  242 2010-02-03 08:07 Bootstrap.php
drwxr-xr-x 2 simeon simeon 4.0K 2010-02-08 12:33 configs
drwxr-xr-x 2 simeon simeon 4.0K 2010-02-03 08:20 controllers
drwxr-xr-x 2 simeon simeon 4.0K 2010-02-03 08:19 forms
drwxr-xr-x 3 simeon simeon 4.0K 2010-02-03 08:03 layouts
drwxr-xr-x 3 simeon simeon 4.0K 2010-02-03 08:33 models
drwxr-xr-x 4 simeon simeon 4.0K 2010-02-02 13:54 views

#10 - not using a framework

But if you’re writing a multi-user application (not a site, an application) all that complexity turns out to be necessary. And probably better designed than evolved, by you, as you get overwhelmed by complexity.

But you still might be better off with CodeIgniter.

#11 - bonus

Don’t forget to learn Javascript. And JQuery. And CSS. Don’t forget about HTML5…

Being a web developer means being a generalist - embrace it.