PHP - Style Guide


  1. PHP scripts should not contain SQL statements. SQL statements belong in data objects (for example class.member.php).
  2. Use GetVar(), PostVar(), RequestVar(), and SessionVar(). Never access $_GET or $_POST directly. I've noticed some weird behavior with GetVar(), PostVar(), RequestVar(), and SessionVar(), so be careful when using them. If these functions are not working correctly for you, please send me an email.
  3. Always use <?php ?>. The short tag <? conflicts with XML (the <?xml declaration). Stick with the standard <?php ?>, which is guaranteed to be supported in all future versions.
  4. Do not put phpinfo() in your web root; it discloses the server's configuration to anyone who can reach it.
  5. Keep functions outside of loops.
  6. Use a configuration file for storing application configuration. This file differs across environments (development, testing, production) and therefore should not be kept in the same repository as the code. The operations team, or the release team, may wish to keep the production configuration file in a separate repository for history and for rolling back.
  7. Information for connecting to databases (IP address, username, and password) is a configuration setting.
  8. Turn off error reporting with error_reporting(0), then turn it back on if the configuration indicates that this is a development environment (error messages can reveal file paths, queries, and configuration details).
  9. Disable register_globals in .htaccess: php_flag register_globals 0
  10. Disable magic quotes in .htaccess: php_flag magic_quotes_gpc 0 and php_flag magic_quotes_runtime 0
  11. Validate all input (for example with the PEAR Validate package).
  12. Prevent SQL injection attacks by using mysql_real_escape_string() or prepared statements (a prepared statement keeps the data separate from the query text).
  13. Prevent Cross-Site Scripting (XSS) attacks (see below).
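Here is an added example (not code from this guide or its project) of how items 1, 2, 6, 7, 11, 12 and 13 fit together in a single page script. GetVar() is a hypothetical implementation standing in for the guide's wrapper, the Member class, its getById() method and the config file path are assumptions, and PHP's built-in filter_var() stands in for PEAR Validate.

```php
<?php
// Added example, not the project's own code. GetVar() is a hypothetical
// stand-in for the guide's wrapper; Member, getById() and config.php are assumed.
function GetVar($name, $default = null) {
    // The only place that reads $_GET; page scripts call GetVar() instead.
    return isset($_GET[$name]) ? $_GET[$name] : $default;
}

// Item 1: SQL lives in the data object (class.member.php), not in the page script.
class Member {
    private $db;
    public function __construct(PDO $db) {
        $this->db = $db;
    }

    public function getById($id) {
        // Item 12: a prepared statement binds $id as data, never as query text.
        $stmt = $this->db->prepare('SELECT id, name FROM members WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetch(PDO::FETCH_ASSOC);
    }
}

// Item 13: everything echoed into HTML goes through this escaper.
function h($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Page script (member.php). Items 6 and 7: credentials come from a config file
// kept outside the web root and outside the code repository (assumed path).
$config = require '/etc/myapp/config.php';
$db = new PDO($config['dsn'], $config['db_user'], $config['db_pass'],
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
// Item 11: validate before use; filter_var() stands in for PEAR Validate here.
$id = filter_var(GetVar('id'), FILTER_VALIDATE_INT,
    array('options' => array('min_range' => 1)));
if ($id === false) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid member id');
}
$member = new Member($db);
$row = $member->getById($id);
if ($row === false) {
    header('HTTP/1.1 404 Not Found');
    exit('No such member');
}
// Item 13: the stored name is still untrusted on output.
echo '<p>Member: ' . h($row['name']) . '</p>';
```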
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License