BEST PRACTICES For IT Teams and PHP DEVS
Controllers Should Be Skin
Abuse SERVICES
ABUSE SERVICES
CONTROLLERS TOO
IOC TIME
RECEIVE AND DON’T ASK
AVOID - new -
BAD, BAD, BAD
GOOD
BETTER
That’s all we really have to know
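The “receive and don’t ask” idea behind the IoC slides, written out as an added PHP example (not code from the deck); the class names Mailer, SmtpMailer, UserController and SpyMailer are assumptions chosen for the illustration. It puts the BAD (controller calls `new`), GOOD (dependency received through the constructor) and BETTER (typed against an interface) forms side by side and shows why the last one is testable without a mail server:

```php
<?php
// Added example: "receive, don't ask". Names are constructed for the illustration.

interface Mailer
{
    public function send(string $to, string $subject, string $body): void;
}

// Concrete service; the controller never needs to know it exists.
final class SmtpMailer implements Mailer
{
    public function __construct(private string $host) {}

    public function send(string $to, string $subject, string $body): void
    {
        // Real transport omitted; placeholder for the example.
        error_log("SMTP {$this->host}: to=$to subject=$subject");
    }
}

// BAD, BAD, BAD: the controller builds its own dependency with `new`.
// It is welded to SMTP, cannot be tested without a mail server, and the
// host name is duplicated wherever a mailer is needed.
final class BadUserController
{
    public function register(string $email): void
    {
        $mailer = new SmtpMailer('smtp.example.invalid');
        $mailer->send($email, 'Welcome', 'Thanks for registering');
    }
}

// GOOD: the dependency is received through the constructor.
// BETTER: it is typed against the interface, so the container (or a test)
// can hand in any implementation.
final class UserController
{
    public function __construct(private Mailer $mailer) {}

    public function register(string $email): void
    {
        $this->mailer->send($email, 'Welcome', 'Thanks for registering');
    }
}

// Test double: proves the controller works with no network at all.
final class SpyMailer implements Mailer
{
    public array $sent = [];

    public function send(string $to, string $subject, string $body): void
    {
        $this->sent[] = [$to, $subject];
    }
}

// Wiring normally lives in the IoC container configuration; shown inline here.
$controller = new UserController(new SmtpMailer('smtp.example.invalid'));
$controller->register('alice@example.invalid');

$spy = new SpyMailer();
(new UserController($spy))->register('bob@example.invalid');
assert(count($spy->sent) === 1);
```

The only place that knows which Mailer is in use is the wiring; swapping SMTP for a queue, or for a spy in tests, touches no controller code.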
SECURITY
XSS
Sanitize input
● URLs: urlencode()
● Value attribute (HTML): htmlspecialchars()
See: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
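The two encoders named on the slide, shown in an added PHP example (not the deck’s own code). The helper names e_html(), e_attr(), e_url() and safeHref() are assumptions. It goes slightly beyond the slide in two ways the linked OWASP cheat sheet also covers: a value dropped into a query string is URL-encoded first and then attribute-encoded, and a whole href is checked for an allowed scheme, since encoding alone does not stop a `javascript:` URL:

```php
<?php
// Added example: escape per output context. Helper names are constructed.

// Text placed inside an HTML element body.
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Value placed inside a *quoted* HTML attribute (the template must keep the quotes).
function e_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Value placed inside a URL query string.
function e_url(string $s): string
{
    return urlencode($s);
}

// A complete URL used as href: only http(s) or site-relative; anything else becomes "#".
function safeHref(string $url): string
{
    if (preg_match('#^(https?://|/(?!/))#i', $url) !== 1) {
        return '#';
    }
    return e_attr($url);
}

// Constructed hostile inputs.
$name = '"><script>alert(1)</script>';
$url  = 'javascript:alert(1)';

// BAD, BAD, BAD: raw interpolation closes the attribute and injects markup.
$bad = "<input value=\"$name\">";

// GOOD: encode for the context the value lands in.
$good   = '<input value="' . e_attr($name) . '">';
$search = '<a href="/search?q=' . e_attr(e_url($name)) . '">' . e_html($name) . '</a>';
$link   = '<a href="' . safeHref($url) . '">profile</a>';

assert(str_contains($bad, '<script>'));
assert(!str_contains($good, '<script>'));
assert(!str_contains($search, '<script>'));
assert($link === '<a href="#">profile</a>');
```

The order for the query-string case matters: URL-encode the raw value, then attribute-encode the result, because the browser decodes the attribute first and the URL second.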
SQL INJECTION
Dependency injection is nice, SQL injection not so much.
● ALWAYS use bound parameters.
● IF you need to build SQL queries, use a builder. Don’t “roll your own”.
● Use PDO.
● Use PDO::quote() to escape literals in an `IN` clause. If these are numbers, use `intval()` or `floatval()`.
● Do not trust data, even from the database.
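An added PHP example (not code from the slides) that runs the slide’s rules against a constructed `users` table in an in-memory SQLite database so it works offline: the concatenated query leaks every row, the bound parameter returns nothing, and the `IN` clause is built three ways (placeholders, PDO::quote() for strings, intval() for numbers). Function names are assumptions:

```php
<?php
// Added example: bound parameters, safe IN clauses, numeric coercion.
// Constructed table and data; on MySQL you would also set
// PDO::ATTR_EMULATE_PREPARES to false so the server does the binding.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, role TEXT NOT NULL)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice@example.invalid', 'admin'),
                                     (2, 'bob@example.invalid',   'user'),
                                     (3, 'eve@example.invalid',   'user')");

// Constructed hostile input: the classic tautology.
$email = "' OR '1'='1";

// BAD, BAD, BAD: string interpolation turns the filter into "always true".
$leak = $pdo->query("SELECT id FROM users WHERE email = '$email'")->fetchAll(PDO::FETCH_COLUMN);
assert(count($leak) === 3);

// GOOD: a bound parameter is only ever a value, never SQL.
$stmt = $pdo->prepare('SELECT id FROM users WHERE email = :email');
$stmt->execute([':email' => $email]);
assert($stmt->fetchAll(PDO::FETCH_COLUMN) === []);

// IN clause with strings: one placeholder per element (preferred) ...
function findByRoles(PDO $pdo, array $roles): array
{
    if ($roles === []) {
        return []; // bail out early: "IN ()" is a syntax error
    }
    $marks = implode(',', array_fill(0, count($roles), '?'));
    $stmt  = $pdo->prepare("SELECT id FROM users WHERE role IN ($marks)");
    $stmt->execute(array_values($roles));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// ... or, as the slide says, PDO::quote() each literal when placeholders are not an option.
function findByRolesQuoted(PDO $pdo, array $roles): array
{
    if ($roles === []) {
        return [];
    }
    $list = implode(',', array_map([$pdo, 'quote'], $roles));
    return $pdo->query("SELECT id FROM users WHERE role IN ($list)")->fetchAll(PDO::FETCH_COLUMN);
}

// IN clause with numbers: coerce with intval() so only digits reach the SQL.
// This applies just as much to ids read back from the database (second-order injection).
function findByIds(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $list = implode(',', array_map('intval', $ids));
    return $pdo->query("SELECT id FROM users WHERE id IN ($list)")->fetchAll(PDO::FETCH_COLUMN);
}

assert(findByRoles($pdo, ['user', "x' OR '1'='1"]) == [2, 3]);
assert(findByRolesQuoted($pdo, ['admin']) == [1]);
assert(findByIds($pdo, ['1', '3 OR 1=1']) == [1, 3]); // intval('3 OR 1=1') === 3
```

The empty-array guards are the edge case people forget: a builder handles it for you, a hand-rolled `IN ()` does not.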
Other security tips
● Use secure cookies (http://cookiecontroller.com/internet-cookies/secure-cookies/)
● Sign your cookies & encrypt them! (httpOnly & secure attributes + HMAC signature & AES encryption)
● Check on UI and backend (hiding a button is not enough to prevent an action)
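The cookie recipe on the slide (HttpOnly + Secure attributes, AES encryption, HMAC signature), as an added PHP example that is not from the deck. It encrypts the payload with AES-256-CBC, appends an HMAC-SHA256 over IV and ciphertext (encrypt-then-MAC), verifies the MAC in constant time before decrypting, and enforces the expiry on the backend rather than trusting the browser. COOKIE_KEY is a placeholder; the function names and the derived-key scheme are assumptions:

```php
<?php
// Added example: encrypt-then-MAC a cookie and send it with HttpOnly/Secure/SameSite.
// COOKIE_KEY is a placeholder; load a real 32-byte random key from configuration.

const COOKIE_KEY = 'PLACEHOLDER-REPLACE-WITH-32-RANDOM-BYTES';

function cookieKeys(string $master): array
{
    // Separate encryption and MAC keys derived from one master secret.
    return [hash('sha256', "enc|$master", true), hash('sha256', "mac|$master", true)];
}

function sealCookie(array $payload, string $master): string
{
    [$encKey, $macKey] = cookieKeys($master);
    $iv   = random_bytes(16);
    $ct   = openssl_encrypt(json_encode($payload), 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    $blob = $iv . $ct;
    $mac  = hash_hmac('sha256', $blob, $macKey, true);
    return base64_encode($blob . $mac);
}

function openCookie(string $cookie, string $master): ?array
{
    [$encKey, $macKey] = cookieKeys($master);
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < 16 + 32) {
        return null;
    }
    $blob = substr($raw, 0, -32);
    $mac  = substr($raw, -32);
    // Verify before decrypting; hash_equals() is constant-time.
    if (!hash_equals(hash_hmac('sha256', $blob, $macKey, true), $mac)) {
        return null;
    }
    $pt = openssl_decrypt(substr($blob, 16), 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, substr($blob, 0, 16));
    if ($pt === false) {
        return null;
    }
    $data = json_decode($pt, true);
    // Backend check: the expiry inside the cookie is enforced here, not only by the browser.
    if (!is_array($data) || !isset($data['exp']) || $data['exp'] < time()) {
        return null;
    }
    return $data;
}

$value = sealCookie(['uid' => 42, 'exp' => time() + 3600], COOKIE_KEY);
setcookie('session', $value, [
    'expires'  => time() + 3600,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Strict',
]);

assert(openCookie($value, COOKIE_KEY)['uid'] === 42);

// Tampering: flip one byte of the ciphertext and the MAC check rejects it.
$raw = base64_decode($value);
$raw[20] = chr(ord($raw[20]) ^ 0x01);
assert(openCookie(base64_encode($raw), COOKIE_KEY) === null);
```

Checking the MAC before touching the ciphertext is what makes “sign & encrypt” worth doing: a modified cookie is dropped before the decrypt routine ever sees it.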
UNSORTED
Know your stuff
● DO IT RIGHT: www.phptherightway.com
● DO IT SECURE: https://www.owasp.org/
● RTFM: http://be2.php.net/manual/en/
● CS can help: https://sourcemaking.com/
Teams are smarter than individuals
● Reuse components
  ○ http://symfony.com/components
  ○ http://www.yiiframework.com/extensions/
● Don’t reinvent the wheel
  ○ Involve standards
    ■ https://tools.ietf.org/
    ■ http://www.php-fig.org/psr/
    ■ https://www.jcp.org/en/jsr/overview (yes, you can borrow from other technologies!)
● Don’t re-implement the framework
  ○ E.g. $_SERVER['REQUEST_METHOD'] == 'POST' ? $repo->save($user) : $repo->get($user->id)
● Don’t misuse framework hooks (e.g. saving entities in a “validate” method)
Handle errors and unusual activity properly
● Log odd events with at least a “WARNING” level;
● Throw exceptions in exceptional situations;
  ○ Create your own exceptions unless you can reuse an existing one;
  ○ Log details which can help debugging;
● With good logging, reading the code becomes optional;
● Do not attempt to “automagically” fix a “bad call”;
  ○ If you don’t know what to do: good place for throwing an exception!
● Validate input on public methods;
● Every “switch” has to feature a “default” case;
● Bail out as early as possible (if ... return).
Tricks
● Feel compelled to make a comment? → make a function!
● Too many indents? → make a function or bail out early!
● Using break? → make a function!
● Need to inherit from more than one class? → use composition!
● Too many controller dependencies? → split your controller!
● Code hard to read? → good naming, functions!
● Trouble using a class? → Don’t use magic methods (__get, __invoke, …)! (Magic methods should be used to make proxies and advanced stuff)
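The error-handling rules and several of the tricks above, brought together in one added PHP example (not code from the deck): custom exceptions, WARNING-level logging with details, input validation on the public method, early return, a switch with a default that throws instead of guessing, the decision pulled out into its own function to keep indentation flat, and composition (the service has a repository and a logger) instead of inheriting from two classes. All class names are constructed, and the Logger interface stands in for a PSR-3 logger:

```php
<?php
// Added example: errors, logging and a few refactoring tricks. Names are constructed.

interface Logger
{
    public function warning(string $message, array $context = []): void;
}

// Constructed logger; real code would use a PSR-3 implementation.
final class ErrorLogLogger implements Logger
{
    public function warning(string $message, array $context = []): void
    {
        error_log('WARNING ' . $message . ' ' . json_encode($context));
    }
}

// Own exceptions, built on the SPL ones rather than bare \Exception.
final class OrderNotFoundException extends RuntimeException {}
final class InvalidTransitionException extends DomainException {}

final class InMemoryOrderRepository
{
    public function __construct(private array $states) {}

    public function find(int $id): ?string
    {
        return $this->states[$id] ?? null;
    }

    public function save(int $id, string $state): void
    {
        $this->states[$id] = $state;
    }
}

// Composition: the service *has* a repository and a logger instead of trying to *be* both.
final class OrderService
{
    public function __construct(
        private InMemoryOrderRepository $orders,
        private Logger $logger,
    ) {}

    public function transition(int $orderId, string $event): string
    {
        // Validate input on the public method and bail out early.
        if ($orderId <= 0) {
            throw new InvalidArgumentException("orderId must be positive, got $orderId");
        }
        $state = $this->orders->find($orderId);
        if ($state === null) {
            $this->logger->warning('transition requested for unknown order', ['id' => $orderId]);
            throw new OrderNotFoundException("order $orderId does not exist");
        }
        $next = $this->orders->find($orderId) === null ? '' : $this->nextState($state, $event);
        $this->orders->save($orderId, $next);
        return $next;
    }

    // Pulled into its own function rather than nesting more ifs inside transition().
    private function nextState(string $state, string $event): string
    {
        switch ("$state:$event") {
            case 'new:pay':         return 'paid';
            case 'paid:ship':       return 'shipped';
            case 'shipped:deliver': return 'delivered';
            default:
                // Don't "automagically" repair a bad call: log the details, then throw.
                $this->logger->warning('illegal order transition', ['state' => $state, 'event' => $event]);
                throw new InvalidTransitionException("cannot apply '$event' while '$state'");
        }
    }
}

$service = new OrderService(new InMemoryOrderRepository([7 => 'new']), new ErrorLogLogger());
assert($service->transition(7, 'pay') === 'paid');

try {
    $service->transition(7, 'deliver'); // paid -> deliver is not allowed
    assert(false, 'expected an exception');
} catch (InvalidTransitionException $e) {
    // The caller decides what to do; the service did not guess.
}
```

Because every unexpected path ends in a logged WARNING plus a typed exception, the log alone tells you which order, which state and which event went wrong without reading the code.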

Coding Best practices (PHP)