Thursday, April 12, 2012

What are the PHP-specific antipatterns that you know of?

PHP as a Blunt Instrument

I hear PHP getting bashed around a lot lately. In quite a few projects, I have seen insane php code bases - so bad you really wonder if the person was on hallucinogenic drugs when they wrote the code. Sometimes, I wonder what the code would have been like if the initial developers had a bit more guidance as to what not to do.

However, I have also seen some very well organized PHP projects that were done in 100% OOP and were a pleasure to maintain, but they were not written by "php programmers."

I give all of our junior devs a link to Java Anti-Patterns . One of the nice things about that page is the Java-specific examples because there are many features of Java that lend themselves to common mistakes. I was hoping to find a similar list for php, but a google search did not reveal anything meaningful.

There are a few questions already out there for what a developer should know when programming PHP , but I wanted to focus on the negative.

What are the common things you have seen in PHP that should be avoided and what is a common solution to doing the same thing in a better way?

Some of the obvious examples to me that I think will be mentioned but aren't PHP specific:

  • Don't concatenate SQL. Use prepare statements or proper escaping.

  • Don't blindly embed PHP into HTML - use templating/MVC.

  • Don't blindly post raw unfiltered user input - scrub it for XSS attacks.

  • Don't manually try to parse all of your POSTs and GETs - use a web framework.

Here would be some examples that I would consider PHP specific:

  • Don't have too many layers of file include/require linking and try to avoid conditional linking. Rather, have a sane naming convention and be consistent with your organization.

  • Don't use PHPs raw database API unless you can help it, instead use a database framework like ADODB instead.

  • Don't overuse PHP's dynamic typing by setting the variable to a string in one place and a boolean somewhere else, then expecting the boolean tests to make sense.

So, what are your favorite PHP don'ts and how do you do it right?

Source: Tips4all


  1. I disagree with this one:

    Don't blindly embed PHP into HTML - use templating/MVC.

    PHP is a templating language. While I agree with the concept of implementing MVC, I don't see why there should be a requirement to implement a yet another DSL around producing web output.

  2. How Is PHP Done the Right Way? covers a lot of these issues.

  3. Never EVER use a $_GET or $_POST without checking it and cleaning it up.
    Read about how to set up the php.ini right.
    Never put variables into raw SQL.
    If you use frameworks, use the ones with less dependencies.
    Stop over-generalization.
    Distribute your code on the php files. In most cases there is no real need to put everything into one index.php.
    Reduce complexity before writing code.
    Respect the fact that it is a web application. (Try to be RESTful.) It's not a desktop application. So stop putting everything into $_SESSION.
    At least one comment line for every 10 lines of code. You WILL read that after a year. I promise!
    Code like a girl - make it nice to read.

  4. One of my favourite DON'Ts would have to be:

    $query = 'select * from users where username = ' . $_POST['username'];

    Can it get much scarier than that?

  5. If I had to include a favourite don't it has to be the one posted by karim79:

    $query = 'select * from users where username = ' . $_POST['username'];

    Many developers in PHP keep stuck in structured age. PHP supports classes and objects since a while ago, I just don't get why people keep hard coding PHP into html, without templates or nothing at all.

    I believe that developers from other languages, like .NET or Java have earned the right to criticize the language if so many developers keep programming like that. PHP is a very great language, very flexible, still a little junior but is growing, but many just don't get it, all they want is to solve by making the old classic copy & paste.

  6. use SPL
    use PDO instead of using mysql_query or pg_query or others
    always use the filter extension on user input