10 PHP Mistakes

1. Single quotes, double quotes
$howdy = 'everyone';
$foo = 'hello $howdy';   // single quotes: no variable interpolation
$bar = "hello $howdy";   // double quotes: $howdy is interpolated

$foo holds the literal text “hello $howdy”, while $bar gives us “hello everyone”, because PHP only scans double-quoted strings for variables. Using single quotes where no interpolation is needed is one less step for PHP to process. It’s a small change that can make significant gains in the performance of the code.

2. Semicolon after a While
$i = 0;
while($i < 20); {   // the stray ; gives the while an empty body, so $i++ never runs
//some code here
$i++;
}

The semicolon turns the loop body into an empty statement: $i is never incremented, the condition stays true, and the script spins forever. Omit the ; after the while condition, and your code is in the clear.

3. NOT Using database caching
If you’re using a database in your PHP application, it is strongly advised that you at least use some sort of database caching. Memcached has emerged as the most popular caching system, with mammoth sites like Facebook endorsing the software.

Memcached is free and can provide very significant gains to your software. If your PHP is going into production, it’s strongly advised to use the caching system.

4. Missing Semicolon After a Break or a Continue
Like #2, a misused semicolon can create serious problems while silently slipping off into the shadows, making it quite difficult to track the error down.

If you’re using a semicolon after a “break” or “continue” in your code, it will convince the code to output a “0” and exit. This could cause some serious head scratching. You can avoid this by using braces with PHP control structures (via CodeUtopia).

5. Not Using E_ALL Reporting
Error reporting is a very handy feature in PHP, and if you’re not already using it, you should really turn it on. Error reporting takes much of the guesswork out of debugging code, and speeds up your overall development time.

While many PHP programmers may use error reporting, many aren’t utilizing the full extent of error reporting. E_ALL is a very strict type of error reporting, and using it ensures that even the smallest error is reported. (That’s a good thing if you’re wanting to write great code.)

When you’re done developing your program, be sure to turn off your reporting, as your users probably won’t want to see a bunch of error messages on pages that otherwise appear fine. (Even with the E_ALL error reporting on they hopefully won’t see any errors anyway, but mistakes do happen.)

6. Not Setting Time Limits On PHP Scripts
When PHP scripts run, it’s assumed that they’ll eventually finish in a timely manner. But every good programmer knows that nothing should be assumed in a piece of code. Nothing makes a program crankier than an unresponsive script.

You can get around this issue by simply setting a time limit on the script (set_time_limit). While it may seem like a trivial thing, it’s always clever to prepare for the worst.
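An added example, not code from the original article, that applies points 5 and 6 in one bootstrap include. It keeps E_ALL on in production but sends errors to a log file instead of the browser, which is the usual refinement of “turn off your reporting” (error messages shown to users can leak file paths and SQL fragments). APP_ENV, the log path and the 30-second budget are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed: deployment sets APP_ENV=production on live servers.
$isProduction = (getenv('APP_ENV') === 'production');

// Point 5: report everything, in every environment. Since PHP 5.4 E_ALL
// already includes E_STRICT, so E_ALL alone is enough.
error_reporting(E_ALL);

if ($isProduction) {
    // Never echo errors to the browser in production: the text can expose
    // paths, queries and library versions. Log them instead.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', '/var/log/php/app.log');   // assumed path
} else {
    ini_set('display_errors', '1');
}

// Point 6: cap run time so a slow query or hung upstream call cannot hold
// the worker forever. Note: on Unix this counts CPU time of the script
// itself, not time spent waiting inside system calls.
set_time_limit(30);

// Promote warnings and notices to exceptions so nothing fails silently in
// development and nothing half-executes in production.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false;   // suppressed with @: fall back to PHP's default handling
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});
```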

7. Not Protecting Session IDs
A very common PHP security mistake is not protecting session IDs with at least some sort of encryption. Not protecting these session IDs is almost as bad as giving away a user’s password. A hacker could swoop in and steal a session ID, potentially gaining access to sensitive information. MT Soft gives an example of how to protect session IDs with sha1:

if ($_SESSION['sha1password'] === sha1($userpass)) {   // strict comparison: == would compare numeric-looking hashes as numbers
    // do sensitive things here
}

Hashing $userpass with sha1() before comparing it gives an added bit of security to the session check. SHA-1 isn’t a bulletproof method, but it’s a nice barrier of security to keep malicious users at bay.
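An added example, not the article’s or MT Soft’s code, showing the shape point 7 is reaching for: the password is stored with password_hash() rather than sha1(), checked with password_verify(), and the session ID is regenerated at login (the same session_regenerate_id() approach the first comment below raises) so an ID captured before login is useless afterwards. The in-memory $users table is constructed sample data standing in for a database; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Constructed sample user store; a real app would query its database.
$users = [
    'alice' => ['id' => 1, 'hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)],
];

// Session cookie flags: HTTPS only, no JavaScript access, not sent cross-site.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');   // refuse session IDs the server never issued
session_start();

function login(array $users, string $username, string $password): bool
{
    $user = $users[$username] ?? null;
    // password_verify() does a constant-time compare against the salted hash;
    // no sha1() and no == on hash strings anywhere.
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Privilege changed, so issue a fresh ID; true discards the old session data.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $user['id'];
    $_SESSION['login_at'] = time();
    return true;
}

// Before a sensitive action, ask for the password again instead of keeping
// any password-derived value in the session at all.
function confirmPassword(array $users, string $username, string $password): bool
{
    if (!isset($_SESSION['user_id']) || ($users[$username]['id'] ?? null) !== $_SESSION['user_id']) {
        return false;
    }
    return password_verify($password, $users[$username]['hash']);
}

var_dump(login($users, 'alice', 'wrong'));                             // bool(false)
var_dump(login($users, 'alice', 'correct horse battery'));             // bool(true)
var_dump(confirmPassword($users, 'alice', 'correct horse battery'));   // bool(true)
```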

8. Not Validating Cookie Data
How much trust do you put into cookies? Most people don’t think twice about the seemingly harmless bit of data that’s passed by a cookie. The name “cookie” itself is associated with milk, nap time and Santa, for crying out loud! How could a cookie possibly be harmful?

If you’re not validating cookie data, you’re opening your code to potentially harmful data. You should use htmlspecialchars() or mysql_real_escape_string() to validate the cookie before storing it in a database.

9. Not Escaping Entities
Many times PHP programmers are too trusting with data, especially data generated by users. It’s imperative to sanitize data before it goes into any sort of storage, like a database.

Source Rally shows us how to correctly escape entities in things like forms. Instead of using this:

echo $_GET['username'];

You can validate the data by using htmlspecialchars() (or htmlentities()) like so:

echo htmlspecialchars($_GET['username'], ENT_QUOTES);
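An added example, not code from the article or Source Rally, that works points 8 and 9 through together: the cookie is treated as attacker-controlled input and validated against what the application expects, the value is HTML-escaped only at the point where it is echoed, and the database write uses a bound parameter rather than mysql_real_escape_string() (the mysql_* extension was removed in PHP 7). The $_COOKIE and $_GET values are constructed sample input, and the example assumes the pdo_sqlite extension for its in-memory table.

```php
<?php
declare(strict_types=1);

// Point 8: a cookie is attacker-controlled. Validate it against what you expect;
// an allow-list is the strongest check when the set of legal values is known.
function pickTheme(?string $raw): string
{
    return in_array($raw, ['light', 'dark'], true) ? $raw : 'light';
}

// Free-form cookie text gets a length and character-set check before storage.
// Escaping at storage time is the wrong layer: htmlspecialchars() before the
// INSERT leaves entities in the database and double-escapes them on output.
function validateSearch(?string $raw): ?string
{
    if ($raw === null || strlen($raw) > 64) {
        return null;
    }
    return preg_match('/\A[\p{L}\p{N} _-]+\z/u', $raw) === 1 ? $raw : null;
}

// Point 9: escape at the HTML boundary, quotes included, when the value is echoed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request data standing in for a real browser.
$_COOKIE = ['theme' => 'dark', 'search' => "<script>alert('x')</script>"];
$_GET    = ['username' => "o'brien <b>"];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE searches (term TEXT NOT NULL)');

$term = validateSearch($_COOKIE['search'] ?? null);   // null: the script tag is rejected
if ($term !== null) {
    // Bound parameter: the value travels separately from the SQL text, so it
    // can never alter the statement. This is what replaces escaping for SQL.
    $pdo->prepare('INSERT INTO searches (term) VALUES (:t)')->execute([':t' => $term]);
}

echo 'theme=' . pickTheme($_COOKIE['theme'] ?? null), PHP_EOL;   // theme=dark
echo 'Hello, ' . h($_GET['username']), PHP_EOL;                    // Hello, o&#039;brien &lt;b&gt;
```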

10. Using Wrong Comparison Operators
While comparison operators are an extremely basic part of PHP programming, mixing these up in your code is certain to bork your program. As the German proverb states, the Devil is in the details.

Being familiar with the often-misused operators like =, ==, and != is absolutely critical to PHP programming. Taking the time to really understand the differences will greatly speed up your programming and yield fewer bugs to debug.
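An added example, not from the article, walking through the comparison mistakes of point 10 that cause the most trouble in PHP, including the one that also undermines the == in point 7: two different hash outputs of the form 0e followed by digits are numeric strings equal to zero, so == reports them equal. Results are noted per line and hold on PHP 7 and 8 except where stated; the two md5 inputs are a well-known pair chosen for that property.

```php
<?php
declare(strict_types=1);

// A single = inside a condition is an assignment, not a test: the "if" is
// always true here and silently overwrites the variable.
$role = 'guest';
if ($role = 'admin') {                   // typo for ==
    // always runs
}
var_dump($role === 'admin');             // bool(true): the condition changed it

// == converts both sides before comparing; === compares type and value.
var_dump('1e3' == '1000');               // bool(true): both are numeric strings
var_dump('1e3' === '1000');              // bool(false)
var_dump(null == false);                 // bool(true)
var_dump(null === false);                // bool(false)
var_dump(0 == 'abc');                    // bool(true) on PHP 7, bool(false) on PHP 8

// Why this matters for point 7: both hashes below are "0e<digits>", which
// PHP reads as 0 * 10^n, so == calls two different hashes equal.
$stored = md5('240610708');              // 0e462097431906509019562988736854
$given  = md5('QNKCDZO');                // 0e830400451993494058024219903391
var_dump($stored == $given);             // bool(true): wrong
var_dump($stored === $given);            // bool(false): right
var_dump(hash_equals($stored, $given));  // bool(false): right, and constant-time

// Reach for === by default, and for hash_equals() when either side is a secret,
// so the comparison time does not depend on how many leading bytes match.
function sameToken(string $expected, string $actual): bool
{
    return hash_equals($expected, $actual);
}
var_dump(sameToken('abc', 'abc'));       // bool(true)
```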

Source: http://net.tutsplus.com/articles/are-you-making-these-10-php-mistakes/

3 Comments

  1. xisoiax Says:

    Point 7 seems to be a bit stupid, how should it work:
    "if ($_SESSION['sha1password'] == sha1($userpass)) { // do sensitive things here

    }"
    If somebody “hacks” a SESSION this “trick” doesn’t save you, I cannot imagine any case.
    Simplest thing to do is:
    "session_start();
    session_regenerate_id(TRUE);"
    This will force the attacker to react very fast, the only negative thing is that reloading the page (manually) causes problems.
    The stolen SESSION_ID will be the old one.
    To make it secure you will need a browser marker, too.
    Your example only makes sense if you use it as a browser marker; in this case it’s not good to use a user password, just use a browser signature.

    • kuswarno Says:

      Yes, I agree with you. This is not a good example or a bulletproof method to secure our site. But the point is, always protect your session value with encryption.

  2. wappy Says:

    #6. If you’re using Apache it’s easier to “play” with .htaccess:
    php_value max_execution_time 200
    Otherwise you can start with #1 on 10-apache-mistakes: not using Apache (kidding)

