complete php tips guide

edal11

I have read a lot of php tutorials about things to keep in mind when developping, or what Not to do when writing a php script, or the php tips guide, etc.....

So I was wondering that by sharing all our knowledge we could make a list here about:
- Security issues to keep in mind
- Tips to optimize code
- What NOT to do
- Etc....

A sort of a complete tips guide 😉

This way we have everything in one tutorial and save our time to look at different ones on different sites or books 🙂 !

edal11

What I've learn in such a short time programming in php and that it seems to be a good consideration is

Never ever trust the user: Always validate user input
Work with register_globals = off

koenigsbote

Everyone always writes : "Turn those registered globals off" !
But why? Registered globals are great! Ok, you have a major manipulation problem, but do you really pass on every tiny piece of information through a form (or session ?)?

How do other people pass on information without using registered globals?

edal11

Check this code:

<?php
session_start();

if ($username == 'kevin' and $password == 'secret')
{
$authorized = true;
session_register('authorized');
}
?>

<?php

if (!$authorized)

{
//Display HTML Form prompting user to log in
}
else
{
//Super-secret HTML content goes here
}
?>

With register globals on, If the users writes in the URL ?authorized=1 security is bypassed because of the global scope of $authorized.

As fo register_globals OFF this can't be done, you would then have this code:

<?php
session_start();

if ($POST['username'] == 'kevin' and
$POST['password'] == 'secret')
{
$_SESSION['authorized'] = true;
}
?>

<?php
if ( !$_SESSION['authorized'] )
{
//Display HTML Form prompting user to log in
}
else
{
//Super-secret HTML content goes here
}
?>

This way your security hole is gone, using register_globals off!
🙂

edal11

A common mistake is to name your include files with some extension like .inc or .class, etc....

This is not a good practice. Any one can then view your entire code. They just have to type in an url like

http://www.mysite.com/includes/myfunctions.inc

and they will have your script rigth in front of your eyes!!!

So, always name your files with .php extension.