Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Dependencies in Disguise
Sep 28, 2015 @ 08:48:27

On the PHP.cc's site has an article that looks at dependencies in disguise based on a "workshop" one of their members, Stefan Priebsch, gave at the recent Bulgaria PHP Conference.

Yesterday I gave a presentation at the [Bulgaria PHP Conference](https://thephp.cc/dates/2015/09/bulgaria-php-conference) (a great event, by the way). Following an [ad-hoc workshop](https://twitter.com/s_bergmann/status/647732967087939584) that I gave as part of the hallway track and an entertaining hackathon, I decided it was too late to join the party and went back to the hotel with some other speakers. Checking out how the day was reflected in social media, I contributed a few more tweets to a [conversation](https://twitter.com/tim_bezhashvyly/status/647861115721003008) that had started earlier in the day ([here](https://thephp.cc/dates/2015/09/bulgaria-php-conference/solid-mvc) are the slides of my talk that people are referring to). I am writing this to clarify my point, and help everybody to understand better.

He talks about dependency injection as a best practice that's followed in libraries all over the PHP ecosystem, making it easier to work with objects and their needs. Sometimes this means using a dependency injection container and others it's just constructor/method injection. He talks about how these objects are build in factory methods and recommends making one factory but points out that this only really works when all the objects you need are known up front. However, he gives several (code) examples of places where this could be difficult and how some are using service locators to solve the problem. He points out, however, that this then expands the API of the application out way too far, opening it up to objects all across the application when there may be no need. This is where the hidden dependencies can come in, things masked behind the use of a single service locator. He recommends solving the issue with more customized locators, as in his example of routing locator used to handle dependencies for a POST HTTP request.

tagged: dependency disguise injection service locator bestpractice solid development

Link: https://thephp.cc/news/2015/09/dependencies-in-disguise

AppDynamics PHP Blog:
Introduction to PHP Security – Part 2
Jul 22, 2015 @ 08:33:01


AppDynamics PHP blog has posted the second part of their series looking at some of the basics of PHP security. In part one they talked about some of the most common attacks and how to remediate them. In this latest part they "dive deeper" and get into some of the more advanced issues.

Truth be told, there are potentially an infinite number of ways in which a software product can be compromised and have its security breached. [...] New security flaws are regularly found, and routine patches are immediately released for most of the major software applications you utilize in your application stack. No matter whether your web or database server, your operating system, your PHP runtime, or even the MVC framework that your time adopted, your point(s) of exposure may exist anywhere within the various components that make up your application ecosystem.

They start with a few more advanced best practices including using SSL and keeping error messages away from the public eye. They briefly discuss other kinds of injection types (besides just SQL) and offer some tips about securing the data that lives in the application as well.

tagged: security introduction series part2 advanced bestpractice injectiondata

Link: https://blog.appdynamics.com/php/introduction-to-php-security-part-2

SitePoint PHP Blog:
Basic TDD in Your New PHP Package
Jan 28, 2015 @ 12:27:17

The SitePoint PHP blog continues their "How to Build Your Own PHP Package" series with their latest post (part two of the series) covering the use of test-driven development while working on the package code.

In part 1, we set up our development environment, baked in some rules as inherited from The League, and created two sample but useless classes – Diffbot and DiffbotException. In this part, we’ll get started with Test Driven Development.

He starts by briefly introducing PHPUnit, a PHP-based unit testing tool, and how to use it to generate the HTML version of the code coverage report. He helps you define a good phpunit.xml configuration file and how to execute a first sample test (code provided) from inside PHPStorm. From there he adds one some more complex testing of exception handling and checking the class types. With this foundation, he moves into the test-driven development (TDD) practices. TDD means writing the tests before writing the code to make those tests pass. He gives an example of this and shows how test abstract classes too. He then comes back around and writes the code to satisfy the test.

tagged: tdd package bestpractice unittest testdriven development tutorial

Link: http://www.sitepoint.com/basic-tdd-new-php-package/

SitePoint PHP Blog:
PHP Tips, Resources and Best Practices for 2015
Jan 05, 2015 @ 09:59:18

The SitePoint PHP blog has shared a list of their suggestions of the best tips, resources and best practices for 2015. This includes tips about your environments, tools and techniques you can use to improve your everyday work.

PHP has had many reputations over the years, but being insecure as a language never really was one of them. The core team, all its faults notwithstanding, is rather quick in pouncing on all security matters, and updating PHP to the latest version will often allay all worries. But the end users, such as we are, tend to mess things up. We don’t update, we use outdated packages or packages with holes in them we’re not aware of, we use ancient extensions… we expose ourselves to risk in some truly creative ways.

Some of the things mentioned include:

  • Keeping your PHP up to date
  • Adopt HTTPS
  • Secure your PHP
  • Stay on the Right Way
  • Avoid Bad Packages
  • Dodge common mistakes
  • Use Virtualization

Each section comes with a description and plenty of links to point you in a good direction and get you started off right for 2015.

tagged: bestpractice tips resources list 2015 tools

Link: http://www.sitepoint.com/php-tips-resources-best-practices-2015/

Top 10 PHP Code Review Tips
Sep 10, 2014 @ 11:15:31

On the VitalFlux site there's a recent post sharing a few tips (a Top 10 list) of things to think about when doing code reviews.

This article represents top 10 areas to consider while you are taking up the task to do the code review of a PHP project. The other day, I had a discussion with one of the PHP senior developers who asked me about where to start on the task related with reviewing a PHP web application and, we brainstormed and came up with the list. Interestingly, apart from few, most of them can be pretty much applied to applications written with other programming languages as well.

Their top ten list of things to look for during code reviews extend beyond just the syntax of the code and good coding practices. They also suggest things like:

  • Adherence to Business Functionality
  • Object-Oriented Principles
  • Security
  • Integration Patterns/Protocols

Code reviews, if done effectively and efficiently, can be a major benefit for producing quality code that not only adheres to standards but also follows good practices and principles (like SOLID).

tagged: code review tips top10 list syntax bestpractice business

Link: http://vitalflux.com/top-10-php-code-review-tips/

Wojciech Sznapka:
Type Hinting is important
Jun 12, 2014 @ 09:41:51

In his latest post Wojciech Sznapka reminds us that type hinting is important in your PHP applications and can help provide more structure and better overall code practices.

One of my favorite PHP interview questions, is: what is Type Hinting and why it’s important? Putting definition in one sentence, Type Hinting is a way to define type of parameter in function signature and it’s a sine qua non to leverage polymorphism. [...] So given the fact, that Type Hinting is optional and we don’t need to specify types of parameters passed to the method – why bother? Answer is easy: well prepared method signatures defines your model and are part of the “contract” that your code reveals to its consumers. It also prevents many silly errors and keeps codebase clean and coherent.

He talks about the best practices on using type hinting including where to put them (in an interface or base class or child class?) and some of the pros and cons of each. He also points out that some practices around type hinting, like overriding the hint and calling the method with unexpected/variable input, should be avoided (see the L in SOLID).

tagged: typehint importance bestpractice liskov substitution principle solid

Link: http://blog.sznapka.pl/type-hinting-is-important

Best Practice for Code Examples
Aug 14, 2013 @ 10:29:55

If you've ever thought about including code examples in your (blog/site/etc) posts and were wondering how to least frustrate your site's visitors, check out these suggestions from one of SitePoint's UX authors, James Edwards.

The majority of articles about web development include code examples, and across the web we see great variation in how they're formatted and presented. But a lot of them are not very good - because the code is badly formatted, hard to read, or can't be copied-and-pasted without unwanted junk. So in this article I'd like to take a hard look at code examples, to investigate the common problems they have, and try to establish some best practice for how they should be done.

He talks first about the whole point of including code examples in a post and five basic principles for what they should be like:

  • Code examples should use good semantic markup.
  • Tabs in code should not be converted to spaces.
  • Code should have basic syntax highlighting.
  • Code examples can have horizontal scrolling, but shouldn't have vertical scrolling.
  • Code examples should have line numbers, which are not included in text selection.

There's some examples of code markup included as well as some CSS rules you can drop in to help follow his suggestions.

tagged: bestpractice code sample ux example

Link: http://www.sitepoint.com/best-practice-for-code-examples

Phil Sturgeon:
Building a Decent API
Jul 16, 2013 @ 09:32:46

Phil Sturgeon has posted a set of best practices he follows when building out new APIs. It covers a wide range of topics at a high level, but it's a good checklist to get you started.

PHP developers are increasingly moving over to API development, as are a lot of server-side developers. It's a trend thats been happening for the last few years and it's getting to the point where everyone and their dog are putting articles showing off how to build "awesome" API's. Unfortunately most of these are either woefully inadequate or are promoting bad practices.

His recommendations include:

  • Use the URI sparingly, and correctly
  • Resources are EVERYTHING
  • Authentication
  • Background all the things
  • Version your API like an adult

Each item in his list has some points to back it up and provide a bit more detail on what it's all about.

tagged: api development recommendations list bestpractice

Link: http://philsturgeon.co.uk/blog/2013/07/building-a-decent-api

How to Write Testable and Maintainable Code in PHP
May 16, 2013 @ 11:53:18

NetTuts.com has a new tutorial posted suggesting a few ways you can make testable and maintainable code in PHP applications.

Frameworks provide a tool for rapid application development, but often accrue technical debt as rapidly as they allow you to create functionality. Technical debt is created when maintainability isn't a purposeful focus of the developer. Future changes and debugging become costly, due to a lack of unit testing and structure. Here's how to begin structuring your code to achieve testability and maintainability - and save you time.

There's a few concepts they cover in the tutorial including DRY (don't repeat yourself), working with dependency injection and actually writing the tests with PHPUnit. They start with a bit of code that needs some work and use the tests to help refactor it into something that can be easily mocked (using Mockery).

tagged: testable maintainable code tutorial bestpractice mock object

Link: http://net.tutsplus.com/tutorials/php/how-to-write-testable-and-maintainable-code-in-php

Login Security (Best Practices Recommendations)
Aug 14, 2012 @ 12:20:08

On Reddit.com there's a good conversation going on in the PHP category about login security and best practices surrounding it.

So I was handed an ancient project which was up to me to fix / improve. About a week later I am about done but there is 1 thing I left...Login security. As it is now, it's just md5(password) that's saved in the database. Better then nothing, but far from good enough. My plan was to have a constant pepper in the class which handles the logins, then do something like crypt(pepper . $password) to store it, since that should generate a random salt and is slower then sha1 / md5 / etc. I feel this should be save enough, do any of you have any ideas on how to improve it (without non-standard extensions)?

There's lots of comments so far and a lot of them are following along the same lines - use a better method of encryption, something like crypt with Blowfish or something similar as well as some hashing (like HMAC).

tagged: security password hash encrypt bestpractice discussion