Some problems with the PHP programming language are solvable by applying a few coding standards. But others remain painful. I've read the articles "PHP: a fractal of bad design" by Eevee and the "Hardly" rebuttal by ManiacDan. A lot of these articles about the merits of PHP make inconsistent points. So I'll keep this short so that any inconsistencies can be found and corrected.
Similar standards could be laid out for PHP.
- Convert errors to exceptions
- PHP has two parallel error reporting mechanisms: the "error" system and the "exception" system. You can handle both by using the error handler snippet at the top of the manual page for the ErrorException class. This snippet converts errors that aren't silenced (operator @) to exceptions. It also changes the behavior of the silence operator to act not unlike an inline try for functions that use the "error" system.
- Use only ===. In those cases where you want loose comparison, explicitly cast both sides of each expression to the type as which you want to compare them. This way you have to memorize only the casting rules, not the (different) rules for comparison as well.
- php.ini options are not for deployment to production
- These include
- When doing things related to a database, use methods of your connection object
- This way, you avoid the real mess. For example, if $db is a database connection object, you can use $db->quote (for PDO) or $db->escape_string (for MySQLi) with statements that cannot be prepared and bound the normal way because they are variadic (especially statements using operator
- Use PDO for SQL databases
- The way the PDO library handles prepared statements makes Bobby Tables-type injection errors easier to avoid than older database client libraries. For example, it allows passing parameters to a prepared statement as an array with numeric or string keys instead of positional arguments to a bindParam() command, which makes variadic statements possible.
- Don't try fopen() on URLs with an Internet scheme
- This is non-portable, as it's one of the things server administrators routinely turn off for security reasons when your application shares a server with someone else's. Instead, use the CURL library for URLs.
- Number-like comparison of strings can never be fully turned off. For example, both '10' <= '1e1' and '10' >= '1e1'. One can use strcmp in one's own code, but built-in sorting functions use the built-in operators > that don't even impose a total order. Likewise, switch uses built-in comparison operators.
- Parse errors and undefined function errors are fatal. Compare Python, which raises an NameError exception that the caller can catch.
- Inconsistent conventions for function naming and argument order in the standard library.
- Associativity for the ternary ?: operator is the less useful side.
- PHP allows the server operator to change program semantics in ways that are annoying to work around, such as not allowing a shared hosting subscriber to turn off "magic quotes" or not following HTTP redirects in the CURL library.
- PHP versions change the semantics of existing programs in ways that encourage shared hosting providers to continue to offer only outdated versions of PHP, making it impossible for web application developers to take advantage of new features. Compare Python, which puts added functions in one namespace per module and conditions new incompatible syntax features on presence of
- The developers of PHP rejected keyword arguments.
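
The variadic prepared statement described under "Use PDO for SQL databases" above, as an added example that is not code from the original article. It assumes the pdo_sqlite extension is available; the students table, its rows and the findByNames() helper are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: pdo_sqlite is installed. In-memory database with constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)');

// Parameters passed as an array with string keys: no bindParam() calls needed.
$insert = $db->prepare('INSERT INTO students (name) VALUES (:name)');
foreach (['Alice', 'Bob', "Robert'); DROP TABLE students;--"] as $name) {
    $insert->execute([':name' => $name]);
}

/**
 * Hypothetical helper: fetch rows whose name is in a list of any length.
 * Only the number of "?" placeholders is built into the SQL text;
 * the values themselves travel separately as bound parameters.
 */
function findByNames(PDO $db, array $names): array
{
    if ($names === []) {
        return []; // "IN ()" is a syntax error, so short-circuit the empty list
    }
    $placeholders = implode(', ', array_fill(0, count($names), '?'));
    $stmt = $db->prepare(
        "SELECT id, name FROM students WHERE name IN ($placeholders) ORDER BY id"
    );
    // array_values() forces numeric keys 0..n-1 to match the positional placeholders.
    $stmt->execute(array_values($names));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Caller-supplied list, including strings that would break naive concatenation.
$wanted = ['Bob', "Robert'); DROP TABLE students;--", "x' OR '1'='1"];
foreach (findByNames($db, $wanted) as $row) {
    printf("%d\t%s\n", $row['id'], $row['name']);
}

// The table is intact: the quote characters were treated as data, not SQL.
$count = (int) $db->query('SELECT COUNT(*) FROM students')->fetchColumn();
printf("%d rows remain\n", $count);
```

The same placeholder-building pattern works with named keys if each generated placeholder gets a unique name.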