12 comments

[ 3.2 ms ] story [ 44.8 ms ] thread
Hi HN! I'm the author. I've spent a lot of time writing PHP, and one thing that always struck me was that PHP often has many different ways of approaching what should be simple tasks. Some ways are clearly flawed, but can still be found in online tutorials. Database access for example: there's at least 3 different libraries you can use to connect to a MySQL server. Which one should a newbie pick, and which one is "best"?

I wanted to compile a guide containing what can be considered the best ways of approaching such problems, with basic examples and links to follow-up reading.

If anyone has suggestions or corrections, please drop me a line! Contact info is in the page.

Hi, great post !

Suggestions :

Sanitizing HTML

Please explain why you prefer htmlspecialchars over htmlentities

Please explain why you should htmlspecialchars when outputting content, but never use it when inserting to database (obvious for us, not for your reader)

Checking for null values

Please explicit that === should also be used when compairing to false (problem is the same as with null)

Please use Yoda condition in your example or even better explain why (it's also a best practice in PHP (also recommanded by WordPress Coding guidelines and several other frameworks, by example))

Thanks, I've added a note about htmlentities. Actually it's better to use htmlentities, and I got the two functions confused while writing! Another reason why such a guide is needed :)
Thank you so much for this. I'm about to embark on a major PHP project for my employer after having been away from the language for years, and having a modern reference for best practices is invaluable.
Cool! I haven't been programming PHP for some time, and was surprised that i didn't know a lot of stuff on your list. Nice work!
Love the idea and I think it's a great resource to centralize most common solution like using phpass to hash/salt passwords to avoid people reinventing the wheel all the time.

Could you elaborate on why you chose PDO over MySQLi to interact with MySQL? Especially with all the "specific things to do for it to work properly" at the end of the section?

The email address validation is also a great section, everyone tries to rewrite its own and fails or forgets to handle cases (such as '+' in first part). I think it would be great to show other filters examples instead of providing a link to the documentation, like how to sanitize a username entry for example?

Another interesting section would be how to handle errors properly, like the use of trigger_error(), set_error_handler() or exceptions. Seems that a lot of people are also doing their own logging/debugging/reporting system not knowing where to start?

Another point is the utf8_encode() and utf8_decode() functions whose names are misleading as they only handle conversion to/from ISO-8859-1. A section on te proper use of iconv() with examples could really be useful no?
hey good post :)

I got a few tidbits to add.

"if you ever plan on deploying your PHP to a server whose configuration you can't control, then you should always use <?php ?>." I would change that to "always use <?php ?>", if you do you're safe, otherwise you can run into problems (as I have).

its a matter of opinion but I would recommend SwiftMailer over phpmailer.

And lastly, I would definately put namespacing and code organization in here somewhere, like PSR https://github.com/php-fig/fig-standards/blob/master/accepte...

liked the article!

<?= ?> is perfectly fine, and I believe Rasmus Lerdorf said several times it would continue to be supported by default settings (whereas <? ?> is being phased out, and rightly so).

That means there is no need to go and tell people to convert all their <?= ?> into <?php print() ?>.