2010 February

PHP Best Practices

I’ve been doing a significant amount of PHP development lately. There were two projects in particular that made me think about PHP best practices.

The first was just a website with a login feature that stopped working when it was moved from one server to another. The problem turned out to be how the query that checked the user's credentials was being assembled. The query was created by interpolating values into a string, and the string, when assembled by PHP on the new server, was malformed SQL.

In PHP, a literal string is delimited by single quotes. It's pretty straightforward:

$my_string = 'This is my string';

This is best when all you need is a simple string. But you also have the option of using an interpolated string, which is kind of cool. Note the double quotes instead of single quotes.

$my_name = 'Doug';

$my_string = "My name is $my_name.";

When you use $my_string, it becomes 'My name is Doug.' Interpolation is a useful feature, but it can be misused or become confusing. When it comes to SQL queries, prepared statements are the preferred way. Prepared statements are more secure (a bound value is sent separately from the query text and is never parsed as SQL) and can actually perform better.

PHP prepared statements are a little tedious, but not bad. If you're using MySQL version 4.1.3 or better, it is recommended that you use the mysqli PHP extension. The following is an example of a prepared statement using mysqli.

// Connect to the server and select one of its databases.
$handle = new mysqli('server', 'user', 'pword', 'db_name');

// Example values to bind (the post leaves these undefined).
$variable1 = 'new value';
$variable2 = 42;

// The query template is sent first; each ? is a placeholder filled in later.
$query = $handle->prepare("update table1 set field = ? where ID = ?");

// 's' = string for the first placeholder, 'i' = integer for the second.
$query->bind_param('si', $variable1, $variable2);

$query->execute();

With the above example, you create a handle to the database server and one of its databases. Then, using the prepare method, you create a string template for your query. The bind_param method's first argument is a string of type characters, one per placeholder, indicating what datatype each variable contains. The 's' is for a string and the 'i' is for an integer. See? Not so bad!
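As an added example (not code from the original post), here is the login check from the first project written both ways: the interpolated query that broke, beside a mysqli prepared statement. The table and column names (users, username, pw_hash), the connection details and the function names are assumptions.

```php
<?php
// Added example, not from the original post. Schema and names are assumed.

// UNSAFE: the submitted username is interpolated straight into the SQL text.
// A quote character in the value changes the shape of the query, which is how
// a query can end up as malformed SQL (or SQL that means something else).
function find_user_unsafe(mysqli $db, string $username)
{
    $sql = "select id, pw_hash from users where username = '$username'";
    return $db->query($sql);
}

// SAFE: the template goes to the server first, the value is bound afterwards.
// A bound value is never parsed as SQL, so quotes in it cannot alter the query.
function find_user_safe(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('select id, pw_hash from users where username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);   // 's' = one string placeholder
    $stmt->execute();
    $stmt->bind_result($id, $pwHash);
    $row = $stmt->fetch() ? ['id' => $id, 'pw_hash' => $pwHash] : null;
    $stmt->close();
    return $row;
}

// Credential check against a stored password_hash() value; the password itself
// never becomes part of any query string.
function login(mysqli $db, string $username, string $password): bool
{
    $row = find_user_safe($db, $username);
    return $row !== null && password_verify($password, $row['pw_hash']);
}

$db = new mysqli('server', 'user', 'pword', 'db_name');
var_dump(login($db, $_POST['username'] ?? '', $_POST['password'] ?? ''));
```

Note that find_user_safe behaves the same on every server regardless of quoting settings, because the username never touches the SQL text.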

The second project was a site we set up on our PHP server so we could examine it and add to it. It turned out that the whole site was built with short tags. Up until now, I don't think I've ever seen a website developed with short tags.

Your "normal" PHP markup tags look like this:

<?php // some PHP code here. ?>

Short tags look like this:

<? // some PHP code here. ?>

PHP can also be configured to use ASP style tags:

<% // some PHP code here. %>

Now, there's some debate online as to whether short tags should be used at all. One benefit of the short tag is that you can output a string into HTML markup more concisely. Like so:

<?= $some_variable ?>

The long form looks like this:

<?php echo $some_variable; ?>

There's also a concern that the simple '<?' tag can cause issues when mixing PHP and XML, since an XML declaration also begins with '<?'. It is actually quite the hot topic online. However, the primary reason not to use short tags, in my opinion, is that short tag support will not be available in PHP6. Right or wrong, best get into the habit now!

While researching this post, I discovered some really cool things about PHP that I didn’t know. Check out the links below.

http://www.phpvs.net/2008/06/04/ten-php-best-practices-tips-that-will-get-you-a-job/
http://net.tutsplus.com/tutorials/php/30-php-best-practices-for-beginners/
http://www.php.net/manual/en/