Difference between revisions of "WebsiteCodingPractices"
(→Common standards on how to write php pages for the website) |
|||
| Line 1: | Line 1: | ||
==Common standards on how to write php pages for the website== |
==Common standards on how to write php pages for the website== |
||
| − | Purpose |
+ | ==Purpose== |
* Make it easier for other people to edit your code |
* Make it easier for other people to edit your code |
||
* Ensure that pages are written securely |
* Ensure that pages are written securely |
||
* Encourage compatibility with future changes |
* Encourage compatibility with future changes |
||
| + | * Derived from pear coding standard http://pear.php.net/manual/en/standards.php |
||
| − | Standard |
+ | ==Standard== |
| + | '''Header''' |
||
* Optional $page_title |
* Optional $page_title |
||
| + | |||
| − | * Optional includes |
||
| + | * All pages that require authentication start with<br> |
||
| − | **Use include_once or require_once |
||
| − | **Any includes that are not used on every page are to be included at the start of the page using them |
||
| − | * All pages that require authentication are to start with<br> |
||
wscauth_requirepriv(PRIV); or <br> |
wscauth_requirepriv(PRIV); or <br> |
||
if(!wscauth_haspriv(PRIV)){return;} |
if(!wscauth_haspriv(PRIV)){return;} |
||
| + | * Optional includes |
||
| − | *All pages that are passed variables are to declare the variables after the authentication using<br> |
||
| + | **Use include_once or require_once |
||
| + | **Any includes that are not used on every page should be included at the start of the page using them |
||
| + | |||
| + | *All pages that are passed variables should declare the variables after the authentication |
||
| + | **Newer versions of php disable register_globals, which means that this is required<br> |
||
| + | eg.<br> |
||
$var=$_REQUEST['var']; for url, post and cookie or<br> |
$var=$_REQUEST['var']; for url, post and cookie or<br> |
||
$var=$_GET['var']; for URL only<br> |
$var=$_GET['var']; for URL only<br> |
||
| Line 25: | Line 31: | ||
$pid=preg_match(/^[0-9]+/, $_GET['pid'],$match) ? $match[0] : false;<br> |
$pid=preg_match(/^[0-9]+/, $_GET['pid'],$match) ? $match[0] : false;<br> |
||
This will assign $pid to the value of pid in the url if it is a number. |
This will assign $pid to the value of pid in the url if it is a number. |
||
| + | |||
| + | '''Block statments''' |
||
| + | |||
| + | *Use tabs to indent block code |
||
* Avoid nested or long if statements |
* Avoid nested or long if statements |
||
| Line 30: | Line 40: | ||
instead of if(COND){Do lots of code}<br> |
instead of if(COND){Do lots of code}<br> |
||
use if(!COND){return;}Do lots of code |
use if(!COND){return;}Do lots of code |
||
| + | |||
| + | '''Functions''' |
||
* Use functions to make the structure of a page clear |
* Use functions to make the structure of a page clear |
||
| Line 35: | Line 47: | ||
** If functions are used on more than one page, put them in an include |
** If functions are used on more than one page, put them in an include |
||
** Where possible use existing functions even if it is slightly less efficient. This will make the website more reliable and have a negligable impact on performance. |
** Where possible use existing functions even if it is slightly less efficient. This will make the website more reliable and have a negligable impact on performance. |
||
| + | |||
| + | '''Database''' |
||
* All database queries are to be performed in functions specifically for that task |
* All database queries are to be performed in functions specifically for that task |
||
| Line 43: | Line 57: | ||
mysql_real_escape_string($id),<br> |
mysql_real_escape_string($id),<br> |
||
mysql_real_escape_string($string))<br> |
mysql_real_escape_string($string))<br> |
||
| + | |||
| + | '''Syntax''' |
||
| + | |||
| + | *Use <?php and ?> not <? and ?> which is not standards compliant |
||
| + | |||
| + | *Use // not # for comments as # is not standards compliant |
||
| + | |||
| + | ==Example php page== |
||
| + | <?php<br> |
||
| + | $page_title="Example php page";<br> |
||
| + | wscauth_requrepriv(PRIV_VIEW_EXAMPLE);<br> |
||
| + | include_once("include/members.inc");<br> |
||
| + | include_once("include/strings.inc");<br> |
||
| + | <br> |
||
| + | $pid=preg_match(/^[0-9]+/, $_REQUEST['pid'],$match) ? $match[0] : false;<br> |
||
| + | <br> |
||
| + | //This if statement may not actually be required as person_by_id does a similar thing.<br> |
||
| + | //Consider what the effect of not passing $pid would be and only use a statment like this if the page would break.<br> |
||
| + | if(!$pid){<br> |
||
| + | print "Person not found";<br> |
||
| + | include_once("another_page.php");<br> |
||
| + | return;<br> |
||
| + | }<br> |
||
| + | $person=person_by_id($pid);<br> |
||
| + | print "Name ".$person['fullname'];<br> |
||
| + | <br> |
||
| + | //Only put a function in this page, if it cannot be used in other pages.<br> |
||
| + | function exampleFunction($var1, $var2, $var3="default"){<br> |
||
| + | //Only do database queries in this page, if this will be the only page where the database table is used.<br> |
||
| + | $query=sprintf("SELECT * FROM example_table WHERE<br> |
||
| + | pid='%d' AND expired="<br> |
||
| + | .stringNull($date).<br> |
||
| + | ")",<br> |
||
| + | mysql_real_escape_string($pid));<br> |
||
| + | <br> |
||
| + | return wscdb_fetchresults($query,0,0);<br> |
||
| + | }<br> |
||
| + | ?> |
||
[[Category:Website]] |
[[Category:Website]] |
||
Revision as of 10:55, 18 January 2007
Contents
Common standards on how to write php pages for the website
Purpose
- Make it easier for other people to edit your code
- Ensure that pages are written securely
- Encourage compatibility with future changes
- Derived from pear coding standard http://pear.php.net/manual/en/standards.php
Standard
Header
- Optional $page_title
- All pages that require authentication start with
wscauth_requirepriv(PRIV); or
if(!wscauth_haspriv(PRIV)){return;}
- Optional includes
- Use include_once or require_once
- Any includes that are not used on every page should be included at the start of the page using them
- All pages that are passed variables should declare the variables after the authentication
- Newer versions of php disable register_globals, which means that this is required
- Newer versions of php disable register_globals, which means that this is required
eg.
$var=$_REQUEST['var']; for url, post and cookie or
$var=$_GET['var']; for URL only
$var=$_POST['var']; for POST only
$var=$_COOKIE['var']; for cookie only
- Optional check vars passed to the page for expected string format
eg.
$pid=preg_match(/^[0-9]+/, $_GET['pid'],$match) ? $match[0] : false;
This will assign $pid to the value of pid in the url if it is a number.
Block statments
- Use tabs to indent block code
- Avoid nested or long if statements
eg.
instead of if(COND){Do lots of code}
use if(!COND){return;}Do lots of code
Functions
- Use functions to make the structure of a page clear
- If the page performs lots of actions use a switch statment to call functions that perform the actions. Do not use lots of if statments throughout the page
- If functions are used on more than one page, put them in an include
- Where possible use existing functions even if it is slightly less efficient. This will make the website more reliable and have a negligable impact on performance.
Database
- All database queries are to be performed in functions specifically for that task
- Database queries should use PEAR or string formatting functions
eg.
$query=sprintf("SELECT * FROM table WHERE id='%d' AND string='%s'",
mysql_real_escape_string($id),
mysql_real_escape_string($string))
Syntax
- Use <?php and ?> not <? and ?> which is not standards compliant
- Use // not # for comments as # is not standards compliant
Example php page
<?php
$page_title="Example php page";
wscauth_requrepriv(PRIV_VIEW_EXAMPLE);
include_once("include/members.inc");
include_once("include/strings.inc");
$pid=preg_match(/^[0-9]+/, $_REQUEST['pid'],$match) ? $match[0] : false;
//This if statement may not actually be required as person_by_id does a similar thing.
//Consider what the effect of not passing $pid would be and only use a statment like this if the page would break.
if(!$pid){
print "Person not found";
include_once("another_page.php");
return;
}
$person=person_by_id($pid);
print "Name ".$person['fullname'];
//Only put a function in this page, if it cannot be used in other pages.
function exampleFunction($var1, $var2, $var3="default"){
//Only do database queries in this page, if this will be the only page where the database table is used.
$query=sprintf("SELECT * FROM example_table WHERE
pid='%d' AND expired="
.stringNull($date).
")",
mysql_real_escape_string($pid));
return wscdb_fetchresults($query,0,0);
}
?>
