I’ve been coming across lots of PHP Scripts of late that have been written such that they “work” in the sense that they do what was intended in most cases…BUT if you have your test server set so it whinges about every single error, you get to see more than what was intended. OR if a server setting is different to the one it was developed on strange annoying things can happen.

Hosting Servers have their error level reporting set high enough to not show most “errors or warnings” that might be generated. Most errors are saved in an error log but the warnings are generally ignored… and generally ignored by new programmers.

PHP out of the box is a fairly easy language to use BUT it also has many traps. Fortunately I’ve been taught by a pretty good ( so he doesn’t get a big head) Mentor who may not know this but he had instilled some stuff that has actually stuck in my head.

So this post is really just one to cover the basics that anyone writing PHP code should be aware of.

Don’t use short PHP Tags
… I see <? being used all over the place. Don’t do it! Add on the remaining php so it’s <?php. Not all servers have short tags enabled and for the sake of a few extra keypresses… It’s not going to kill you!

The Other Short tag used is <?= instead of <?php echo. Again this isn’t guaranteed to work on all servers.

DO NOT Trust ANY user Input to the point of seeming to being excessively paranoid!
Examples are things like $_POST. If you’ve got a form that’s passing a field called name via the post method, don’t do things like

if($_POST['name']) {
// do something here
}

You cannot be sure $_POST[‘name’] exists. You cannot be sure $_POST['name'] contains what is expected. In this case we’d be expecting a name which is a string. DO we want to allow Numbers. DO we want to allow other kinds of characters? Usually the answer is NO!
So if you’ve decided that your name entry is to only contain alphabetic characters – test the contents to make sure that is what you are expecting. If it’s not – tell the user “Hey none of that nonsense thanks – Try again and use (a-z) (A-Z) (space) characters only.” Well maybe not a message that long but you get the idea!

Alot of frameworks will use something like the following…
$name = isset($_POST['name'])? $_POST['name']: ” ; which just checks that $_POST['name'] exists. Either way our variable $name gets assigned something instead of PHP having to guess.

Then you can perform your verification checks on the contents.

You could also use something like
$data['name'] = isset($_POST['name'])? $_POST['name']: ” ;
and create an array if that’s easier for you to process in your application.

Don’t forget those quotes!

Oh and one more thing I often see is $_POST[name] without the quotes. PHP will think that name is a constant but will GUESS it’s a field name. So always put in the quotes around any named array entry.

I could write for hours on this.. but for now, just be aware of this.

Initializing Your Variables.
PHP will issue a Warning if it sees a variable being used that hasn’t been assigned. For the most part, these get ignored as just being a pest. PHP will “guess” when it needs to and most times it might get it right but sometimes it won’t… Sounds like a source of potential bugs to me!

So if you have
$name = $_POST['name'] and $_POST['name'] doesn’t exist, PHP will guess it’s an empty ‘something’. So there’s no real way to know what $name will be! And that is why it’s safer and better practice to make it something that you’ve decided it will be. Just like we did above.

Seeing the Errors…
When you are developing or debugging a script it’s a good idea to have error reporting turned on. So you can find the issues and remove them.
One suggested way is to use the following…
<?php error_reporting(E_ALL); ini_set(“display_errors”, 1); include(“file_with_errors.php”); ?>
Reference: http://php.net/manual/en/errorfunc.configuration.php

WHAT IF…

As a programmer, one question you should always be asking is “What if…”

 

Well I’ll leave that there for now. I’ll add more to this topic later on.

Cheers

Tim

 

On the "off chance" that you actually liked this post,
how about liking us on Facebook?...


Powered By Facebook Like Post Plugin