Secure PHP Development- P15

Secure PHP Development- P15: Welcome to Secure PHP Development: Building 50 Practical Applications. PHPhas come a long way since its first incarnation as a Perl script. Now PHP is a powerfulWeb scripting language with object-oriented programming support. Slowlybut steadily it has entered the non-Web scripting arena often reserved for Perl andother shell scripting languages. Arguably, PHP is one of the most popular Web platforms.
Nội dung trích xuất từ tài liệu:
Secure PHP Development- P15Chapter 3PHP Best PracticesIN THIS CHAPTER ◆ Best practices for naming variables and functions or methods ◆ Best practices for functions or methods ◆ Best practices for database ◆ Best practices for user interface ◆ Best practices for documentation ◆ Best practices for configuration managementTHE APPLICATION CODE PRESENTED in this book uses a set of programming practicesthat qualify as best practices for any PHP application development. This chapterdiscusses these practices. Familiarizing yourself with them will ease the learningcurve for the applications discussed in the rest of the book.Best Practices for Naming Variablesand FunctionsTop software engineers know that good variable, function (or method), and classnames are necessary for the maintainability of the code. A good name is one thatconveys meaning related to the named function, object, class, variable, etc.Application code becomes very difficult to understand if the developers don’t usegood, meaningful names. Take a look at the following code sample:42 Part I: Designing PHP Applications function outputDisplayMsg($outTextMsgData = null) { echo $outTextMsgData; } ?> Now look at the same code segment with meaningful names for variables and functions: The second version is clearly easier to understand because showMessage is a bet- ter name for the outputDisplayMsg function. Now let’s look at how you can use easy-to-understand names for variables, functions (or methods), and classes. When creating a new variable or function name (or method), ask yourself the following questions: ◆ What is the purpose of this variable? In other words, what does this vari- able hold? ◆ Can you use a descriptive name that represents the data the variable holds? ◆ If the descriptive name appears to be too long, can you use meaningful abbreviations? For example, $textMessage is as good as $txtMsg. Names exceeding 15 characters probably need to be reconsidered for abbreviation. Chapter 3: PHP Best Practices 43 After you determine a name, follow these rules: ◆ Use title casing for each word in multiword names. However, the very first word should be lowercase. For example, $msgBody is a better name then $msgbody, $messageBODY, or $message_body. Single word names should be kept in lowercase. For example, $path and $data are single word variables. ◆ Use all capital letters to name variables that are “constant like” — in other words, variables that do not change within the application. For example, if you read a variable from a configuration file, the name of the variable can be in all uppercase. To separate uppercase words, use under- score character (for example, use $TEMPLATE_DIR instead of $TEMPLATE- DIR). However, when creating constants it is best to use define() function. For example, define(PI, 3.14) is preferred over $PI = 3.14. The defined constant PI cannot be changed once defined whereas $PI can be changed. ◆ Use verbs such as get, set, add, delete, modify, update, and so forth in naming your function or method. For example, getSomething(), setSomething(), and modifySomething() are better function names than accessSomething(), storeSomething(), and editSomething(), respectively.Best Practices for Function/MethodIn this section I discuss a set of practices that will improve your function or methodcode.Returning arrays with careWhen your function (or method) returns an array, you need to ensure that thereturn value is a defined array because the code from which the function is calledis expecting an array. For example, review the following bad code segment.// BADfunction getData(){ $stmt = “SELECT ID, myField1, myField2 from myTable”; $result = $this->dbi->query($stmt);44 Part I: Designing PHP Applications if ($result != NULL) { while($row = $result->fetchRow()) { $retArray[$row->ID] = $row; } } return $retArray; } In this example, the function called getData() returns an array called $retArray when the SQL statement executed returns one or more rows. The func- tion works fine if the SQL select statement always returns at least one row. However, it returns nothing when the SQL statement returns no rows. In such a case, the following code segment, which calls the function, produces a PHP warn- ing message: error_reporting(E_AL ...