Main Page Content
Php Guidelines
I see a lot of very badly written PHP code around, most of which I have been guilty for myself,
so I thought I'd write a tutorial to help people get the most out of PHP -- and maybe not makethe mistakes I did." And ' Are Very Different
I see a lot of this:
$name = "Bill";
That isn't efficient; the whole point of double quotes is to allow interpolation. Meaning, PHP
checks anything within double quotes for a variable. Like so:echo "My name is $name";
If you do:
$name = "Bill";
Then PHP checks the contents of the double quotes for a variable to interpolate. This makes
your scripts SLOWER, in small scripts this isn't noticeable, it isn't a big difference, but inlarge, complex scripts this extra work for PHP can be very noticeable. Get into the habit of doing:$name = 'Bill';
"Hey, PHP, I'm not using double quotes, I'm using single quotes here, don't even bother checking
for something to interpolate."This reduces the work PHP has to do to parse your script, increasing efficiency, especially in
larger scripts. Get into the habit — use quotes correctly.These rules apply to everything, echo, functions, strings, everything.
SetCookie('name', 'Bill');
Not:
SetCookie("name", "Bill");
Another thing you can do is use single quotes even when using a variable, like so:
$name = 'Bill';
Apparently, PHP scripts parse faster this way. One other advantage of this is:
echo "<a href=\"http://www.evolt.org\">Evolt</a>";
Look familiar? Use single quotes and you don't have to escape double quotes.
echo '<a href="http://www.evolt.org">Evolt</a>';
Works fine, and saves you having to escape those annoying quotes.
Get used to it, I wish I'd have been told that when I started with PHP.
Jump from PHP Mode
I also see a lot of this:
<?php
echo "<table align=\"center\"><tr><td>My name is $name</td></tr></table>";
?>
No, don't do that. One of the great features of PHP is its ability to jump in and out of PHP
mode. It has actually been shown that jumping from PHP mode when outputting data actuallyincreases your script's parse speed, so your script will be faster. Do this:<?php
?>
<table align="center"><tr><td>My name is <?=$name?></td></tr></table>
Leave "PHP Mode" and print out the content, if you need to use more PHP code, just jump back in!
<?=$name?>
This is a short-hand in PHP for:
<?php echo $name; ?>
Jump into PHP Mode, echo out the data contained in the variable then jump back out of PHP mode.
Use it, it makes scripts easier to read, easier to edit, it's just a lot easier and efficient.register_globals Off
Another mistake I see around a lot is people writing scripts that will not work if register_globals is off.
In the next release of PHP register_globals will be off by default, so you need to start writing your scripts with this in mind.Having register_globals off is no big deal. I mean how hard is it to write:
$_POST['username']
Rather than:
$username
Not very. It's also a lot more secure, as it stops users being able to pass variables to your script through the query string and the like. If they stuck:
?name=Jester
Into their address bar, "Jester" would not be available in $name. It would be available in $_GET['name'] or $HTTP_GET_VARS['name']. So they can't pass variables that could twist the behaviour of your scripts.
Note: If you have register_globals off, ensure you have track_vars on. Track_vars makes all environment variables available in the arrays: $HTTP_SERVER_VARS ($_SERVER also, for newer versions of PHP), $HTTP_COOKIE_VARS, $HTTP_POST_VARS ($_POST also) and $HTTP_GET_VARS {$_GET also). Using these arrays instead of the normal variables isn't much extra work for more security.
Sessions in PHP also perform a lot better with register_globals off. Take a look at a snippet of code.
$username = $_POST['uname'];
To register a session variable many people use this method (I have in the past), you don't need to, if you have register_globals off you can merely do:
$_SESSION['username'] = $_POST['uname'];
You see, in the first part code PHP needs to know that the variable is being registered as a session variable. In the second we are using the $_SESSION array, PHP knows if we store something in this it is a session variable, we don't need to "register" it, and the variable will now be available to you -- without you having to pass it through the query string and form inputs -- until you destroy it; like so:
unset($_SESSION['username']);
With MySQL
Another mistake a lot of people make is when they extract data from a database. For anyone familiar with PHP and MySQL, you will be familiar with the following function:
"mysql_fetch_array() is an extended version of mysql_fetch_row(). In addition to storing the data in the numeric indices of the result array, it also stores the data in associative indices, using the field names as keys."
The above is taken from the function description on php.net. So it's saying, when we use mysql_fetch_array() we are fetching two arrays: one containing indices, and one containing associative references to the field names in your database. Why? If you want indices, you will use mysql_fetch_row(), right? We use mysql_fetch_array() when we want the associative references. It's a lot easier when using associative references, yet we have this spare array taking up space and diminishing the efficiency of our code. Luckily those nice people at PHP have an array that fetches an associative array, and only that:
mysql_fetch_assoc() fetches an associative array. If you want only that, use this function, if you want indices, use mysql_fetch_row(). If for some reason you need both, then you should use mysql_fetch_array(). Don't assign variables you won't use.
References
PHP is going places, it's a great language, in my opinion second-to-none when it comes to dynamic webpages. Let's use it to its full potential.
-Jester
