Difference between revisions of "WebsiteCodingPractices"

From Warwick Student Cinema
Jump to: navigation, search
 
 
(85 intermediate revisions by 76 users not shown)
Line 1: Line 1:
  +
{{Update}}
  +
 
==Common standards on how to write php pages for the website==
 
==Common standards on how to write php pages for the website==
   
  +
This is up for discussion. If anyone would find it useful to see a particular standard implemented to make it easier for anyone to edit any page, please suggest it.
Purpose
 
  +
  +
If anyone things that any of the standards suggested do not help, please comment.
  +
  +
==Purpose==
 
* Make it easier for other people to edit your code
 
* Make it easier for other people to edit your code
 
* Ensure that pages are written securely
 
* Ensure that pages are written securely
 
* Encourage compatibility with future changes
 
* Encourage compatibility with future changes
  +
* Derived from pear coding standard http://pear.php.net/manual/en/standards.php
   
Standard
+
==Standard==
  +
'''Header'''
 
* Optional $page_title
 
* Optional $page_title
  +
* Optional includes
 
  +
* All pages that require authentication start with<br>
**Use include_once or require_once
 
**Any includes that are not used on every page are to be included at the start of the page using them
 
* All pages that require authentication are to start with<br>
 
 
wscauth_requirepriv(PRIV); or <br>
 
wscauth_requirepriv(PRIV); or <br>
 
if(!wscauth_haspriv(PRIV)){return;}
 
if(!wscauth_haspriv(PRIV)){return;}
   
  +
* Optional includes
*All pages that are passed variables by a form are to declare the variables after the authentication using<br>
 
  +
**Use include_once or require_once
$var=$_REQUEST['var'];
 
  +
**Any includes that are not used on every page should be included at the start of the page using them
  +
  +
*All pages that are passed variables should declare the variables after the authentication
  +
**Newer versions of php disable register_globals, which means that this is required<br>
  +
eg.<br>
  +
$var=$_REQUEST['var']; for url, post and cookie or<br>
  +
$var=$_GET['var']; for URL only<br>
  +
$var=$_POST['var']; for POST only<br>
  +
$var=$_COOKIE['var']; for cookie only
  +
  +
* Optional check vars passed to the page for expected string format
  +
eg.
  +
$pid=preg_match(/^[0-9]+/, $_GET['pid'],$match) ? $match[0] : false;<br>
  +
This will assign $pid to the value of pid in the url if it is a number.
  +
  +
'''Block statments'''
   
  +
*Use tabs to indent block code
* Optional check for any vars passed to the page either by url or POST
 
   
 
* Avoid nested or long if statements
 
* Avoid nested or long if statements
Line 24: Line 46:
 
instead of if(COND){Do lots of code}<br>
 
instead of if(COND){Do lots of code}<br>
 
use if(!COND){return;}Do lots of code
 
use if(!COND){return;}Do lots of code
  +
  +
'''Functions'''
   
 
* Use functions to make the structure of a page clear
 
* Use functions to make the structure of a page clear
Line 29: Line 53:
 
** If functions are used on more than one page, put them in an include
 
** If functions are used on more than one page, put them in an include
 
** Where possible use existing functions even if it is slightly less efficient. This will make the website more reliable and have a negligable impact on performance.
 
** Where possible use existing functions even if it is slightly less efficient. This will make the website more reliable and have a negligable impact on performance.
  +
  +
'''Database'''
   
 
* All database queries are to be performed in functions specifically for that task
 
* All database queries are to be performed in functions specifically for that task
Line 37: Line 63:
 
mysql_real_escape_string($id),<br>
 
mysql_real_escape_string($id),<br>
 
mysql_real_escape_string($string))<br>
 
mysql_real_escape_string($string))<br>
  +
  +
'''Syntax'''
  +
  +
*Use <?php and ?> not <? and ?> which is not standards compliant
  +
  +
'''Comments'''
  +
  +
*All functions should be preceded with a comment block so that docmentation can be automatically built
  +
  +
The comment block should have to following format
  +
/**
  +
* A description of the function
  +
* @param string $param A description of the parameter
  +
*
  +
*/
  +
function example ($param) { ...
  +
  +
*Comments used within the code should have a dimilar format
  +
  +
*Documentation on comment syntax is available at http://www.phpdoc.org
  +
  +
==Example php page==
  +
<?php<br>
  +
$page_title="Example php page";<br>
  +
wscauth_requrepriv(PRIV_VIEW_EXAMPLE);<br>
  +
include_once("include/members.inc");<br>
  +
include_once("include/strings.inc");<br>
  +
<br>
  +
$pid=preg_match(/^[0-9]+/, $_REQUEST['pid'],$match) ? $match[0] : false;<br>
  +
<br>
  +
//This if statement may not actually be required as person_by_id does a similar thing.<br>
  +
//Consider what the effect of not passing $pid would be and only use a statment like this if the page would break.<br>
  +
if(!$pid){<br>
  +
&nbsp;print "Person not found";<br>
  +
&nbsp;include_once("another_page.php");<br>
  +
&nbsp;return;<br>
  +
}<br>
  +
$person=person_by_id($pid);<br>
  +
print "Name ".$person['fullname'];<br>
  +
<br>
  +
//Only put a function in this page, if it cannot be used in other pages.<br>
  +
function exampleFunction($var1, $var2, $var3="default"){<br>
  +
&nbsp;//Only do database queries in this page, if this will be the only page where the database table is used.<br>
  +
&nbsp;$query=sprintf("SELECT * FROM example_table WHERE<br>
  +
&nbsp;&nbsp;&nbsp;pid='%d' AND expired="<br>
  +
&nbsp;&nbsp;&nbsp;.stringNull($date).<br>
  +
&nbsp;&nbsp;&nbsp;")",<br>
  +
&nbsp;&nbsp;mysql_real_escape_string($pid));<br>
  +
<br>
  +
&nbsp;return wscdb_fetchresults($query,0,0);<br>
  +
}<br>
  +
?>
  +
  +
[[Category:Website]]

Latest revision as of 23:25, 9 February 2019

Common standards on how to write php pages for the website

This is up for discussion. If anyone would find it useful to see a particular standard implemented to make it easier for anyone to edit any page, please suggest it.

If anyone things that any of the standards suggested do not help, please comment.

Purpose

Standard

Header

  • Optional $page_title
  • All pages that require authentication start with

wscauth_requirepriv(PRIV); or
if(!wscauth_haspriv(PRIV)){return;}

  • Optional includes
    • Use include_once or require_once
    • Any includes that are not used on every page should be included at the start of the page using them
  • All pages that are passed variables should declare the variables after the authentication
    • Newer versions of php disable register_globals, which means that this is required

eg.
$var=$_REQUEST['var']; for url, post and cookie or
$var=$_GET['var']; for URL only
$var=$_POST['var']; for POST only
$var=$_COOKIE['var']; for cookie only

  • Optional check vars passed to the page for expected string format

eg. $pid=preg_match(/^[0-9]+/, $_GET['pid'],$match) ? $match[0] : false;
This will assign $pid to the value of pid in the url if it is a number.

Block statments

  • Use tabs to indent block code
  • Avoid nested or long if statements

eg. instead of if(COND){Do lots of code}
use if(!COND){return;}Do lots of code

Functions

  • Use functions to make the structure of a page clear
    • If the page performs lots of actions use a switch statment to call functions that perform the actions. Do not use lots of if statments throughout the page
    • If functions are used on more than one page, put them in an include
    • Where possible use existing functions even if it is slightly less efficient. This will make the website more reliable and have a negligable impact on performance.

Database

  • All database queries are to be performed in functions specifically for that task
  • Database queries should use PEAR or string formatting functions

eg. $query=sprintf("SELECT * FROM table WHERE id='%d' AND string='%s'",
mysql_real_escape_string($id),
mysql_real_escape_string($string))

Syntax

  • Use <?php and ?> not <? and ?> which is not standards compliant

Comments

  • All functions should be preceded with a comment block so that docmentation can be automatically built

The comment block should have to following format

/**
 * A description of the function
 * @param string $param A description of the parameter
 *
 */
function example ($param) { ...
  • Comments used within the code should have a dimilar format

Example php page

<?php
$page_title="Example php page";
wscauth_requrepriv(PRIV_VIEW_EXAMPLE);
include_once("include/members.inc");
include_once("include/strings.inc");

$pid=preg_match(/^[0-9]+/, $_REQUEST['pid'],$match) ? $match[0] : false;

//This if statement may not actually be required as person_by_id does a similar thing.
//Consider what the effect of not passing $pid would be and only use a statment like this if the page would break.
if(!$pid){
 print "Person not found";
 include_once("another_page.php");
 return;
}
$person=person_by_id($pid);
print "Name ".$person['fullname'];

//Only put a function in this page, if it cannot be used in other pages.
function exampleFunction($var1, $var2, $var3="default"){
 //Only do database queries in this page, if this will be the only page where the database table is used.
 $query=sprintf("SELECT * FROM example_table WHERE
   pid='%d' AND expired="
   .stringNull($date).
   ")",
  mysql_real_escape_string($pid));

 return wscdb_fetchresults($query,0,0);
}
?>