Best practices and pointers

1. BEST PRACTICES
For IT Teams
and
PHP DEVS

2. Controllers
Should
Be
Skin

3. Abuse SERVICES

4. ABUSE SERVICES

5. CONTROLLERS
TOO

7. IOC TIME

8. RECEIVE AND
DON’T
ASK

9. AVOID
- new -

10. BAD, BAD, BAD

11. GOOD

12. BETTER

13. Taht’s all we really have to know

14. SECURITY

15. XSS

16. Sanitize input
URLs: url_encode
Value attribute (html): html_special_chars
See:
https://www.owasp.org/index.php/XSS_(Cross_
Site_Scripting)_Prevention_Cheat_Sheet

17. SQL
INJECTION

18. Dependency injection is nice, SQL injection not so
ALWAYS use bound parameters
IF you need to build SQL Queries, use a builder. Don’t “roll your own”
Use PDO.
Use PDO::quote to escape literals in `IN` clause. If these are numbers, use `intval()` or
`floatval`.
Do not trust data, even from database.

19. Other security tips
● Use secure cookies (http://cookiecontroller.com/internet-cookies/secure-cookies/)
● Sign your cookies & encrypt them !
(httpOnly & secure attributes + hmac signature & AES encryption)
● Check on UI and backend
(Hiding a button is not enough to prevent an action)
●

20. UNSORTED

21. Know your stuff
● DO IT RIGHT : www.phptherightway.com
● DO IT SECURE : https://www.owasp.org/
● RTFM : http://be2.php.net/manual/en/
● CS can help : https://sourcemaking.com/

22. Teams are smarter than individuals
● Reuse components
○ http://symfony.com/components
○ http://www.yiiframework.com/extensions/
● Don’t reinvent the wheel
○ Involve standards
■ https://tools.ietf.org/
■ http://www.php-fig.org/psr/
■ https://www.jcp.org/en/jsr/overview (yes, you can borrow from other technos!)
● Don’t re-implement the framework
○ Eg. $_SERVER[‘REQUEST_METHOD’]==’POST’ ? $repo->save($user) : $repo->get($user->id)
● Don’t misuse framework hooks (Eg. save entities in a “validate” method)

23. Handle error and unusual activity properly
● Log odd events with at least a “WARNING” level;
● Throw exceptions on exceptional situations;
○ Create your own exceptions unless you can reuse an existing one;
○ Log details which can help debugging;
● With good logging, reading the code becomes optional;
● Do not attempt to “automagically” fix some “bad call”
○ If you don’t know : good place for throwing an exception !
● Validate input on public methods;
● All “switch” have to feature a “default” case;
● Bail out as early as possible; (if ... return)

24. Tricks
● Feel compelled to make a comment ? → make a function !
● Too many indents ?→ make a function or bail out early !
● Using break ? → make a function !
● Need to inherit more than one class ? → use composition !
● Too many controller dependencies ? → split your controller !
● Code hard to read ? → good naming, functions !
● Troubles to use a class ?→ Don’t use magic methods (__get, __invoke, …) !
(Magic methods should be used to make proxies and advanced stuff)