Coding Best practices (PHP)
BEST PRACTICES
For IT Teams and PHP DEVS

Architecture slide titles (the diagrams on these slides did not survive extraction):
Controllers should be skin
Abuse services
Abuse services; controllers too
IoC time
Receive and don't ask
Avoid `new`
Bad, bad, bad
Good
Better
That's all we really have to know
SECURITY

XSS
Sanitize input and encode output for the context it lands in:
● URLs: urlencode()
● HTML value attributes: htmlspecialchars()
See: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
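The two encoders named on this slide, plus the inline-script case from the OWASP cheat sheet it links, as an added example that is not part of the original deck. It uses only PHP's standard library; the `$untrusted` value is a constructed sample, and rawurlencode() is used in place of the slide's urlencode() because it follows RFC 3986 (space becomes %20 rather than +).

```php
<?php
// Added example (not from the slides): one encoder per output context.
// Assumes PHP >= 7.3 with the standard library only.
declare(strict_types=1);

// HTML body text or a quoted attribute such as value="...".
function encodeForHtml(string $value): string
{
    // ENT_QUOTES also escapes single quotes, so the value is safe inside
    // value='...' as well as value="...". ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string (which would silently drop data).
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// One value inside a URL query string.
function encodeForUrlParam(string $value): string
{
    // rawurlencode() follows RFC 3986; urlencode() would emit '+' for spaces.
    return rawurlencode($value);
}

// A value embedded in an inline <script> block as a JSON literal.
function encodeForJs(string $value): string
{
    // The JSON_HEX_* flags escape < > & ' " so the literal cannot terminate
    // the surrounding <script> element or break out of the string.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample: a display name as a user might submit it.
$untrusted = "O'Neil <b>&co</b> \"x\"";

echo '<input type="text" name="who" value="' . encodeForHtml($untrusted) . '">' . PHP_EOL;
echo '<a href="/search?q=' . encodeForUrlParam($untrusted) . '">search</a>' . PHP_EOL;
echo '<script>var who = ' . encodeForJs($untrusted) . ';</script>' . PHP_EOL;
```

The point the slide makes in two words is that the encoder is chosen by where the value is written, not by where it came from: the same string gets three different encodings above, and using the HTML encoder for the URL (or vice versa) leaves characters unescaped in that context.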
SQL INJECTION
Dependency injection is nice, SQL injection not so.
● ALWAYS use bound parameters.
● IF you need to build SQL queries, use a builder. Don't "roll your own".
● Use PDO.
● Use PDO::quote() to escape literals in an `IN` clause. If these are numbers, use `intval()` or `floatval()`.
● Do not trust data, even from the database.
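The slide's three rules for the `IN` clause (bound parameters, `intval()` for numbers, PDO::quote() for literals) applied to one table, as an added example that is not part of the original deck. It runs against an in-memory SQLite database so it works offline; the `users` table and its rows are constructed sample data.

```php
<?php
// Added example (not from the slides): bound parameters with PDO, including a
// variable-length IN clause. Requires the pdo_sqlite extension.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users VALUES (1,'alice','admin'),(2,'bob','user'),(3,'o''neil','user')");

// Single value: a named placeholder; the SQL text never contains user data.
function findByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// IN clause over numbers: coerce with intval() as the slide says, then bind one
// placeholder per value so the count can vary without touching the SQL string.
function findByIds(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $ids = array_map('intval', array_values($ids));
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE id IN ($placeholders) ORDER BY id");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positional parameters are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// IN clause over string literals via PDO::quote(): escaping is done by the driver,
// using the connection's character set. Placeholders (as above) are still preferable
// wherever the query builder allows them.
function findByRoles(PDO $pdo, array $roles): array
{
    if ($roles === []) {
        return [];
    }
    $quoted = implode(',', array_map(fn(string $r) => $pdo->quote($r), $roles));
    return $pdo->query("SELECT id, name FROM users WHERE role IN ($quoted) ORDER BY id")
               ->fetchAll(PDO::FETCH_ASSOC);
}

var_dump(findByName($pdo, "o'neil"));          // the apostrophe is data, not syntax
var_dump(findByIds($pdo, ['1', '3', '2abc']));  // intval() turns '2abc' into 2
var_dump(findByRoles($pdo, ['user', "o'neil"])); // quoted literal; no row has that role
```

Note the one caveat a reviewer would raise on the slide's PDO::quote() advice: it relies on the driver knowing the connection's character set, so set the charset in the DSN (or equivalent) rather than after connecting. With placeholders that concern does not arise.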
Other security tips
● Use secure cookies (http://cookiecontroller.com/internet-cookies/secure-cookies/)
● Sign your cookies & encrypt them! (httpOnly & secure attributes + HMAC signature & AES encryption)
● Check on UI and backend (hiding a button is not enough to prevent an action)
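The cookie recipe from this slide (httpOnly and secure attributes, HMAC signature, AES encryption) as an added example that is not part of the original deck. The payload is a constructed sample and the keys are generated on the spot for the demonstration; in a real application both keys come from configuration and persist across requests. Names (`sealCookie`, `openCookie`, `setSealedCookie`) are mine.

```php
<?php
// Added example (not from the slides): encrypt-then-MAC for a cookie value
// (AES-256-CBC, then HMAC-SHA256 over IV || ciphertext), set with the
// Secure, HttpOnly and SameSite attributes. Requires the openssl extension.
declare(strict_types=1);

function sealCookie(string $payload, string $encKey, string $macKey): string
{
    $iv = random_bytes(16);  // AES block size; fresh for every cookie
    $ciphertext = openssl_encrypt($payload, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    $body = $iv . $ciphertext;
    $mac  = hash_hmac('sha256', $body, $macKey, true);  // 32 raw bytes
    // Standard base64 characters are all legal in a cookie value (RFC 6265).
    return base64_encode($mac . $body);
}

function openCookie(string $cookie, string $encKey, string $macKey): ?string
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < 32 + 16) {
        return null;  // malformed: too short to hold a MAC and an IV
    }
    $mac  = substr($raw, 0, 32);
    $body = substr($raw, 32);
    // Verify the signature first, in constant time, before any decryption:
    // a forged or modified cookie is rejected without touching the cipher.
    if (!hash_equals(hash_hmac('sha256', $body, $macKey, true), $mac)) {
        return null;
    }
    $iv         = substr($body, 0, 16);
    $ciphertext = substr($body, 16);
    $plain = openssl_decrypt($ciphertext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

function setSealedCookie(string $name, string $value): void
{
    // secure: sent over HTTPS only. httponly: not readable from JavaScript.
    // samesite=Lax: not attached to cross-site POST requests. (PHP >= 7.3 for the array form.)
    setcookie($name, $value, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

$encKey = random_bytes(32);  // demo only: real keys are loaded from configuration
$macKey = random_bytes(32);  // and the MAC key is never the same as the encryption key

$sealed = sealCookie('{"uid":42,"role":"user"}', $encKey, $macKey);
setSealedCookie('session', $sealed);  // silently ignored on the CLI; emits Set-Cookie under a web SAPI

var_dump(openCookie($sealed, $encKey, $macKey));  // string(26) "{"uid":42,"role":"user"}"

// Flip one character in the middle of the cookie: the HMAC check fails, result is NULL.
$tampered = $sealed;
$tampered[40] = $tampered[40] === 'A' ? 'B' : 'A';
var_dump(openCookie($tampered, $encKey, $macKey));  // NULL
```

Two details matter more than the cipher choice: the MAC is checked with hash_equals() before decryption so timing does not leak which bytes were wrong, and the encryption and MAC keys are distinct. A single authenticated mode such as AES-256-GCM (also available through openssl_encrypt) would let you drop the separate HMAC; the slide's HMAC-plus-AES wording is kept here to match it.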
UNSORTED

Know your stuff
● DO IT RIGHT: www.phptherightway.com
● DO IT SECURE: https://www.owasp.org/
● RTFM: http://be2.php.net/manual/en/
● CS can help: https://sourcemaking.com/

Teams are smarter than individuals
● Reuse components
  ○ http://symfony.com/components
  ○ http://www.yiiframework.com/extensions/
● Don't reinvent the wheel
  ○ Involve standards
    ■ https://tools.ietf.org/
    ■ http://www.php-fig.org/psr/
    ■ https://www.jcp.org/en/jsr/overview (yes, you can borrow from other technologies!)
● Don't re-implement the framework
  ○ E.g. $_SERVER['REQUEST_METHOD'] == 'POST' ? $repo->save($user) : $repo->get($user->id)
● Don't misuse framework hooks (e.g. saving entities in a "validate" method)
Handle errors and unusual activity properly
● Log odd events with at least a "WARNING" level;
● Throw exceptions on exceptional situations;
  ○ Create your own exceptions unless you can reuse an existing one;
  ○ Log details which can help debugging;
● With good logging, reading the code becomes optional;
● Do not attempt to "automagically" fix some "bad call";
  ○ If you don't know what to do: good place for throwing an exception!
● Validate input on public methods;
● Every "switch" has to feature a "default" case;
● Bail out as early as possible (if ... return).
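The rules on this slide applied to a single public method, as an added example that is not part of the original deck: validate first, bail out early, give the switch a default that logs at WARNING and throws, and use an exception type of your own. `TransferService`, `InvalidTransferException` and the logger callable are names made up for the illustration; the callable stands in for whatever PSR-3 logger your framework provides.

```php
<?php
// Added example (not from the slides): error handling in one service method.
// Assumes PHP >= 7.4 with the standard library only.
declare(strict_types=1);

// Own exception type: callers can catch exactly this, and the message carries
// the details that help debugging.
final class InvalidTransferException extends DomainException {}

final class TransferService
{
    /** @var callable(string, string, array): void  level, message, context */
    private $log;

    public function __construct(callable $log)
    {
        $this->log = $log;
    }

    // Public method: validate the input before doing anything, and never "fix"
    // a bad call by guessing what the caller meant.
    public function transfer(int $amountCents, string $currency, string $kind): string
    {
        if ($amountCents <= 0) {
            throw new InvalidTransferException("amount must be positive, got {$amountCents}");
        }
        if (!preg_match('/^[A-Z]{3}$/', $currency)) {
            throw new InvalidTransferException("currency must be a three-letter code, got '{$currency}'");
        }

        switch ($kind) {
            case 'internal':
                return $this->internal($amountCents, $currency);
            case 'wire':
                return $this->wire($amountCents, $currency);
            default:
                // Unknown kind is exceptional: record it with context at WARNING, then throw.
                ($this->log)('warning', 'unknown transfer kind', [
                    'kind'   => $kind,
                    'amount' => $amountCents,
                ]);
                throw new InvalidTransferException("unsupported transfer kind '{$kind}'");
        }
    }

    // The two supported paths; each returns a reference string for the caller.
    private function internal(int $amountCents, string $currency): string
    {
        return "internal:{$amountCents}:{$currency}";
    }

    private function wire(int $amountCents, string $currency): string
    {
        return "wire:{$amountCents}:{$currency}";
    }
}

// Constructed logger: one line per event. In real code, pass the framework's logger.
$service = new TransferService(function (string $level, string $message, array $context): void {
    echo strtoupper($level) . ' ' . $message . ' ' . json_encode($context) . PHP_EOL;
});

echo $service->transfer(1500, 'EUR', 'wire') . PHP_EOL;   // wire:1500:EUR

try {
    $service->transfer(1500, 'EUR', 'carrier-pigeon');     // logs WARNING, then throws
} catch (InvalidTransferException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

The guards at the top keep the happy path at one indentation level, which is the "bail out early" trick from the next slide, and the log line in the default branch is what makes the slide's claim that "reading the code becomes optional" true when the rejected call shows up in production.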
Tricks
● Feel compelled to write a comment? → make a function!
● Too many indents? → make a function or bail out early!
● Using break? → make a function!
● Need to inherit from more than one class? → use composition!
● Too many controller dependencies? → split your controller!
● Code hard to read? → good naming, functions!
● Trouble using a class? → don't use magic methods (__get, __invoke, ...)!
  (Magic methods should be used to make proxies and other advanced stuff)