Discuss New Concept,New Technic,New Tools, Including EAI,BPM,SOA,Tibco,IBM MQ,Tuxedo, Cloud,Hadoop,NoSQL,J2EE,Ruby,Scala,Python, Performance,Scalability,Distributed,HA, Social Network,Machine Learning.

June 2, 2013  Tagged with: , ,

original:https://phpbestpractices.org/

## Last revised & maintainers

This document was last reviewed on March 8, 2013. It was last changed on May 8, 2013.

It’s maintained by me, Alex Cabal. I’ve been writing PHP for a long time now, and currently I run Scribophile, an online writing group for serious writersWriterfolio, an easy online writing portfolio for freelancers, and Standard Ebooks, a publisher of illustrated, DRM-free public domain ebooks. On occasion I freelance for projects and clients that interest me.

Drop me a line if you think I can help you with something, or with suggestions or corrections to this document.

## Introduction

PHP is a complex language that has suffered years of twists, bends, stretches, and hacks. It’s highly inconsistent and sometimes buggy. Each version has its own unique features, warts, and quirks, and it’s hard to keep track of what version has what problems. It’s easy to see why it gets as much hate as it does sometimes.

Despite that, it’s the most popular language on the web today. Because of its long history, you’ll find lots of tutorials on how to do basic things like password hashing and database access. The problem is that out of five tutorials, you have a good chance of finding five totally different ways of doing something. Which way is the “right” way? Do any of the other ways have subtle bugs or gotchas? It’s really hard to find out, and you’ll be bouncing around the internet trying to pin down the right answer.

That’s also one of the reasons why new PHP programmers are so frequently blamed for ugly, outdated, or insecure code. They can’t help it if the first Google result was a four-year-old article teaching a five-year-old method!

This document tries to address that. It’s an attempt to compile a set of basic instructions for what can be considered best practices for common and confusing issues and tasks in PHP. If a low-level task has multiple and confusing approaches in PHP, it belongs here.

#### What this is

It’s a guide suggesting the best direction to take when facing one of the common low-level tasks a PHP programmer might encounter that are unclear because of the many options PHP might offer. For example: connecting to a database is a common task with a large amount of possible solutions in PHP, not all of them good ones—thus, it’s included in this document.

It’s a series of short, introductory solutions. Examples should get you up and running in a basic setting, and you should do your own research to flesh them out into something useful to you.

It points to what we consider the state-of-the-art of PHP. However, this means that if you’re using an older version of PHP, some of the features required to pull off these solutions might not be available to you.

This is a living document that I’ll do my best to keep updated as PHP continues to evolve.

#### What this isn’t

This document is not a PHP tutorial. You should learn the basics and syntax of the language elsewhere.

It’s not a guide to common web application problems like cookie storage, caching, coding style, documentation, and so on.

It’s not a security guide. While it touches upon some security-related issues, you’re expected to do your own research when it comes to securing your PHP apps. In particular, you should carefully review any solution proposed here before implementing it. Your code is your own fault.

It’s not an advocate of a certain coding style, pattern, or framework.

It’s not an advocate for a certain way of doing high-level tasks like user registration, login systems, etc. This document is strictly for low-level tasks that, because of PHP’s long history, might be confusing or unclear.

It’s not a be-all and end-all solution, nor is it the only solution. Some of the methods described below might not be what’s best for your particular situation, and there are lots of different ways of achieving the same ends. In particular, high-load web apps might benefit from more esoteric solutions to some of these problems.

## What PHP version are we using?

### PHP 5.3.10-1ubuntu3.6 with Suhosin-Patch, installed on Ubuntu 12.04 LTS.

PHP is the 100-year-old tortoise of the web world. Its shell is inscribed with a rich, convoluted, and gnarled history. In a shared-hosting environment, its configuration might restrict what you can do.

In order to retain a scrap of sanity, we’re going to focus on just one version of PHP. As of April 30, 2013, that version is PHP 5.3.10-1ubuntu3.6 with Suhosin-Patch. This is the version of PHP you’ll get if you install it using apt-get on an Ubuntu 12.04 LTS server. In other words, it’s the sane default used by many.

You might find that some of these solutions work on different or older versions of PHP. If that’s the case, it’s up to you to research the implications of subtle bugs or security issues in these older versions.

### Use the phpass library to hash and compare passwords.

Tested with phpass 0.3.

Hashing is the standard way of protecting a user’s password before it’s stored in a database. Many common hashing algorithms like md5 and even sha1 are unsafe for storing passwords, because hackers can easily crack passwords hashed using those algorithms.

The most secure way of hashing passwords is to use the bcrypt algorithm. The open-source phpass library provides that functionality in an easy-to-use class.

#### Gotchas

• Not passing the PDO::PARAM_INT parameter when binding integer variables can sometimes cause PDO to quote them. This can screw up certain MySQL queries. See this bug report.
• Not having set names utf8mb4 as your first query might cause Unicode data to be stored incorrectly in your database, depending on your configuration. You can leave that part out if you’re absolutely sure your Unicode implementation is bulletproof.
• Enabling persistent connections can possibly lead to weird concurrency-related issues. This isn’t a PHP problem, it’s an app-level problem. Persistent connections are safe to use as long as you consider the consequences. See this Stack Overflow question.
• Even if you use set names utf8mb4, make sure that your actual database tables are in the utf8mb4 character set!
• You can execute more than one SQL statement in a single execute() call. Just separate the statements with semicolons, and beware of this bug, which isn’t fixed in the version of PHP this document applies to.

## PHP tags

### Use <?php ?>.

There are a few different ways to delimit blocks of PHP: <?php ?>, <?= ?>, <? ?>, and <% %>. While the shorter ones might be more convenient to type, the only one that’s guaranteed to work on all PHP servers is <?php ?>. If you ever plan on deploying your PHP to a server whose configuration you can’t control, then you should always use <?php ?>.

If you’re only coding for yourself and have control over the PHP configuration you’ll be using, you might find the shorter tags to be more convenient. But remember that <? ?> might conflict with XML declarations and <% %> is actually ASP style.

Whatever you choose, make sure you stay consistent!

#### Gotchas

• When including a closing ?> tag in a pure PHP file (for example, in a file that only contains a class definition),make sure not to leave any trailing newlines after it. While the PHP parser safely “eats” a single newline character after the closing tag, any other newlines might be outputted to the browser and possibly confuse things if you’re outputting any HTTP headers later.
• When writing a web app, make sure not to leave a newline between any closing ?> tag and the html <!doctype> tag. In correct HTML, the <!doctype> tag must be the first thing in a file—any spaces or newlines before it will invalidate the tag!

PHP provides several ways to auto-load files containing classes that haven’t yet been loaded. The older way is to use a magic global function called __autoload(). However you can only have one __autoload() function defined at once, so if you’re including a library that also uses the __autoload() function, then you’ll have a conflict.

The correct way to handle this is to name your autoload function something unique, then register it with thespl_autoload_register() function. This function allows more than one __autoload() function to be defined, so you won’t step on any other code’s own __autoload() function.

#### Example

 1 2 3 4 5 6 7 8 9 10 11 12 13 14 

## Single vs. double quotes from a performance perspective

### It doesn’t really matter.

A lot of ink has been spilled about whether to define strings with single quotes (‘) or double quotes (“). Single-quoted strings aren’t parsed, so whatever you’ve put in the string, that’s what will show up. Double-quoted strings are parsed and any PHP variables in the string are evaluated. Additionally, escaped characters like \n for newline and \t for tab are not evaluated in single-quoted strings, but are evaluated in double-quoted strings.

Because double-quoted strings are evaluated at run time, the theory is that using single-quoted strings will improve performance because PHP won’t have to evaluate every single string. While this might be true on a certain scale, for the average real-life application the difference is so small that it doesn’t really matter. So for an average app, it doesn’t matter what you choose. For extremely high-load apps, it might matter a litte. Make a choice depending on what your app needs, but whatever you choose, be consistent.

## define() vs. const

### Use define() unless readability, class constants, or micro-optimization are concerns.

Traditionally in PHP you would define constants using the define() function. But at some point PHP gained the ability to also declare constants with the const keyword. Which one should you use when defining your constants?

The answer lies in the little differences between the two methods.

1. define() defines constants at run time, while const defines constants at compile time. This gives const a very slight speed edge, but not one worth worrying about unless you’re building large-scale software.
2. define() puts constants in the global scope, although you can include namespaces in your constant name. That means you can’t use define() to define class constants.
3. define() lets you use expressions both in the constant name and in the constant value, unlike const which allows neither. This makes define() much more flexible.
4. define() can be called within an if() block, while const cannot.

#### Example

 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 

Because define() is ultimately more flexible, it’s the one you should use to avoid headaches unless you specifically require class constants. Using const generally results in more readable code, but at the expense of flexibility.

Whichever one you use, be consistent!

## Caching PHP opcode

### Use APC.

In a standard PHP installation, each PHP script is compiled and executed every time it’s accessed. Spending time compiling the same script over and over and lead to performance issues on larger sites.

The solution is an opcode cache. An opcode cache is a system that remembers the compiled version of each script so that the server doesn’t have to waste time compiling over and over. Typically they’re also smart enough to detect when a script has changed, so you don’t have to manually clear the cache in case you update your PHP source.

There are several PHP opcode caches available, notably eacceleratorxcache, and APC. APC is officially supported by the PHP project, is the most active, and is the easiest to install. It also provides an optionalmemcached-like persistent key-value store. For these reasons, it’s the one you should be using.

#### Installing APC

You can install APC on Ubuntu 12.04 by running this command in your terminal:

sudo apt-get install php-apcNo further configuration is necessary.

#### Using APC as a persistent key-value store

APC also provides memcached-like functionality transparently to your scripts. The big plus over actually using memcached is that APC is integrated into the PHP core, so you won’t have another moving part to maintain on your server, and the PHP developers are actively working on it. On the other hand APC is not a distributed cache; if you need that feature, you must use memcached.

#### Example

 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 

#### Gotchas

• If you’re not using PHP-FPM (for example you’re using mod_php or mod_fastcgi), each PHP process will have its unique APC instance, including key-value store. This can lead to synchronization problems in your app code if you’re not careful.

## PHP and Memcached

### If you need a distributed cache, use the Memcached client library. Otherwise, use APC.

A caching system can often improve your app’s performance. Memcached is a popular choice and it works with many languages, including PHP.

However, when it comes to accessing a Memcached server from a PHP script, you have two different and very stupidly named choices of client library: Memcache and Memcached. They’re different libraries with almost the same name, and both are used to access a Memcached instance.

It turns out that the Memcached library is the one that best implements the Memcached protocol. It includes a few useful features that the Memcache library doesn’t, and seems to be the one most actively developed.

However if you don’t need to access a Memcached instance from a series of distributed servers, then use APC instead. APC is supported by the PHP project, has much of the same functionality as Memcached, and has the added bonus of being an opcode cache, which impoves the performance of your PHP scripts.

#### Installing the Memached client library

After you install the Memcached server, you need to install the Memcached client library. Without the library, your PHP scripts won’t be able to communicate with the Memcached server.

You can install the Memcached client library on Ubuntu 12.04 by running this command in your terminal:

sudo apt-get install php5-memcached

Check out the entry on opcode caches to read more about using APC as a Memcached alternative.

## PHP and regex

### Use the PCRE (preg_*) family of functions.

PHP has two different ways of using regular expressions: the PCRE (Perl-compatible, preg_*) functions and thePOSIX (POSIX extended, ereg_*) functions.

Each family of functions uses a slightly different flavor of regular expression. Luckily for us, the POSIX functions have been deprecated since PHP 5.3.0. Because of this, you should never write new code using the POSIX functions. Always use the PRCE functions, which are the preg_* functions.

## Serving PHP from a web server

### Use PHP-FPM.

There are several ways of configuring a web server to serve PHP. The traditional (and terrible) way is to use Apache’s mod_php. Mod_php attaches PHP to Apache itself, but Apache does a very bad job of managing it. You’ll suffer from severe memory problems as soon as you get any kind of real traffic.

Two new options soon became popular: mod_fastcgi and mod_fcgid. Both of these keep a limited number of PHP processes running, and Apache sends requests to these interfaces to handle PHP execution on its behalf. Because these libraries limit how many PHP processes are alive, memory usage is greatly reduced without affecting performance.

Some smart people created an implementation of fastcgi that was specially designed to work really well with PHP, and they called it PHP-FPM. Prior to PHP 5.3.3 you had to jump through a lot of hoops to install it, but luckily for us, PHP-FPM is included in the PHP core as of PHP 5.3.3, so installing it in Ubuntu 12.04 is really easy.

The following example is for Apache 2.2.22, but PHP-FPM also works for other web servers like Nginx.

#### Installing PHP-FPM and Apache

You can install PHP-FPM and Apache on Ubuntu 12.04 by running these command in your terminal:

sudo apt-get install apache2-mpm-worker libapache2-mod-fastcgi php5-fpmsudo a2enmod actions alias fastcgiNote that we must use apache2-mpm-worker, not apache2-mpm-prefork or apache2-mpm-threaded.

Next, we’ll configure our Apache virtualhost to route PHP requests to the PHP-FPM process. Place the following in your Apache configuration file (in Ubuntu 12.04 the default one is /etc/apache2/sites-available/default).

 1 2 3 4 5 6      AddHandler php5-fcgi .php     Action php5-fcgi /php5-fcgi     Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi     FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -host 127.0.0.1:9000 -idle-timeout 120 -pass-header Authorization 

Finally, restart Apache and the FPM process:

sudo service apache2 restart && sudo service php5-fpm restart

## Sending email

### Use PHPMailer.

Tested with PHPMailer 5.1.

PHP provides a mail() function that looks enticingly simple and easy. Unfortunately, like a lot of things in PHP, its simplicity is deceptive and using it at face value can lead to serious security problems.

Email is a set of protocols with an even more tortured history than PHP. Suffice it to say that there are so many gotchas in sending email that just being in the same room as PHP’s mail() function should give you the shivers.

PHPMailer is a popular and well-aged open-source library that provides an easy interface for sending mail securely. It takes care of the gotchas for you so you can concentrate on more important things.

#### Gotchas

• If you don’t specify a time zone, DateTime::__construct() will set the resulting date’s time zone to the time zone of the computer you’re running on. This can lead to spectacular headaches later on. Always specify the UTC time zone when creating new dates unless you really know what you’re doing.
• If you use a Unix timestamp in DateTime::__construct(), the time zone will always be set to UTC regardless of what you specify in the second argument.
• Passing zeroed dates (e.g. “0000-00-00″, a value commonly produced by MySQL as the default value in a DateTime column) to DateTime::__construct() will result in a nonsensical date, not “0000-00-00″.
• Using DateTime::getTimestamp() on 32-bit systems will not represent dates past 2038. 64-bit systems are OK.

## Checking if a value is null or false

### Use the === operator to check for null and boolean false values.

PHP’s loose typing system offers many different ways of checking a variable’s value. However it also presents a lot of problems. Using == to check if a value is null or false can return false positives if the value is actually an empty string or 0. isset() checks whether a variable has a value, not whether that value is null or false, so it’s not appropriate to use here.

The is_null() function accurately checks if a value is null, and the is_bool() function checks if it’s a boolean value (like false), but there’s an even better option: the === operator. === checks if the values are identical, which is not the same as equivalent in PHP’s loosely-typed world. It’s also slightly faster than is_null() and is_bool(), and can be considered by some to be cleaner than using a function for comparison.

#### Example

 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 

#### Gotchas

• When testing the return value of a function that can return either 0 or boolean false, like strpos(), always use === and !==, or you’ll run in to problems.