When I interview a LAMP candidate I’m usually looking first at what kind of OOP experience they have. Do they know the difference between an object and a class? Do they understand inheritance, extending classes? Have they ever used any common design patterns? Singletons? Factory methods? Do they know what $this is? If you have an kind of enterprise codebase, it’s essential to understand the big picture if you are going to make meaningful contributions.

I would be extremely happy in your above example if a developer simply said to me: “User input should never be trusted, the $_GET argument should be run through a sanitation method then placed in an appropriately named array, i.e. $clean[’query’]”.

Passing the ENT_QUOTES argument to htmlspecialchars to ensure that single quotes (’) are also escaped isn’t strictly necessary in this case, but it’s a good habit to get into.

Um, why do this if it “isn’t strictly necessary”? As far as I can tell, this practice is of no use whatsoever in this or any other case. If you’re escaping <, >, &, and perhaps ", that’s all you need.

“Passing the ENT_QUOTES argument to htmlspecialchars to ensure that single quotes (’) are also escaped isn’t strictly necessary in this case, but it’s a good habit to get into.”
Very dependent on the context, fx can be a very bad habbit when used i generateed javascript. Also a place where I prefer a wrapper function.

And the little issues about () around echo, I would read the company’s code standard, before I removed it.

And one thing IHMO that makes good PHP code, is the planning before You opens the editor.

Sessions, security and even Cookies, all have the same areas that compound with a vast amount of opinions, too many ways of producing the same code (OOP or simplified functions) that do the same thing and way too many controversies on how to produce the most secure code with no real answer.

You can simply confuse yourself to the point of mental breakdown just looking for a correct way of handling security issues pertaining to sessions.

And no, that is not a good thing. Having too many options to produce code is why PHP is constantly under the microscope and controversy of “secure applications” and why most employers dont take PHP seriously. After all, the general misconception is that most of us that develop PHP applications are simply people that stumbled onto a easy format to program with and as a result, think we are developers. The same thought process exudes highly in most college campuses that rely stringently on Flash, Java and .NET curriculum. When you walk into a college and see a Microsoft plaque of recognition and sponsorship hanging on the wall, you can pretty much forget programming in PHP.

So, what does that have to do with anything? Where do you go to school to get a Bachelors degree in PHP programming? Where do you go to get a Masters degree in PHP programming? Nowhere really. At least around here. There is no such thing. But, if you want to be a .NET, Java or Flash developer, I can show you 30 jobs that I received in just the last 4 days.

Employers want to see that Degree hanging on your wall and use that degree to base their pay rates upon, whether or not the technology you use is actually better than what they are using.

Just think of it like this, to make it real short and sweet. Why do most employers use M$ servers and not Linux servers?

It is true that anyone with a little smarts can create a decent (and sometimes pretty sophisticated) php website. And that, I think, is what most employers see.

However, the real difficulty is that getting from the decent to the elegant and from the pretty safe to the really secure is a hard road. There are few available classes and very little training exists. Learning from books and the school of hard knocks is difficult, especially when there are many ways of doing just about everything in PHP.

I’ve gotten to the point where I do get paid for my work as a contractor building database-driven websites. Maybe not a LOT, but enough so that I feel decent about the resultant hourly wage.

Most of the “how-to” materials for advanced php programming assumes an understanding of some other language. Available information is often contradictory and incomplete. The php manual is excellent, but only if you know what you’re looking for to start with.

PHP programmers will probably become more standardly paid when there is a clearly defined path charting the beginner, novice, amateur, advanced, professional and master. It will also be easier for php programmers (and scripters) to get better at their skills.

Once there are more truly professional and master php programmers, then we’ll see more advanced enterprise websites built and running with php. And THAT is what will get higher pay for all of us.

I have worked on PHP/ JSP/ .NET but have a feeling that.. compared to ASP.net and Java, PHP don’t have a proper IDE. I am aware that lot of IDE’s from zend, eclipse, Nusphere etc are there in the market. But personally I don’t find any of them useful and handy like Visual studio or Net beans.

I will appreciate your comments on this. And will like to know how you are managing it?

<?php
$query = isset($_GET['query']) ? (string) $_GET['query'] : '';
echo '<p>Search results for query: ' . htmlspecialchars($query) . '.</p>';
?>

- I accept/encourage filtering (type casting), when this is the type of the interface.
- Casting a text input to int would be a bad example of filtering (for multiple reasons).
- $query could equal ” or null depending on the behaviour/semantic you want. ;-)

Personaly I won’t care much about single vs. double quote, etc. — but to each his owns. I will probably give more values to someone who is good in analysis, do good design, etc. — it is much easier after to optimize stuff in the case it is needed. Your example was just an example anyway and you probably go further than all these. ;-)

Having said that, I’m a kind-of generalist. I believe that someone who is a good developer, will be good in PHP, Java, Ruby, etc. [even with different language like Haskell, Prolog, etc.] — because at the analysis, design point, even construction/coding, testing, etc. the thinking and output will be very similar (even if the language can drive a part of our solution). So I will mostly seek for a good developer.

Of course sometime, you want/need someone “ready” to do the job with the solution you have used (e.g. PHP). However if you plan to hire someone for the next 2-5 years, chance are a good developers will do a better job even with the learning overhead. I guess it is a dilemma with skill/potential vs. experience. Hopefully you find both at the same time. ;-)

Actually, I would risk to say that there is a big chance that a good developer will be good in other fields of work, but the overhead might be too high (e.g. become a good lawyer/doctor/etc. in a month without experience/knowledge). But like I said, this is risky, because some people are very “smart”, but are not athletics, nor good musician, etc. or simply have no interest at being good at something beside their potential, skill and knowledge.

Amen.

Take Brynteg Books for example. A database of over 2 million books and a custom search engine. Yet each page requires only 3-4 SQL queries.

Likewise take a look at Mia Masri (wedding tiaras & jewellery) which has a PHP/MySQL content management system behind the scenes. Much of the PHP work happens behind the scenes, again with 3-4 SQL queries. And there’s dynamic use of PHP + Flash within the Design-a-Tiara feature that is a state-of-the-art web app.

I come back to my earlier point (and to bring this back on topic), the quality of a PHP coder is more about the quality of the programmer as a programmer rather than the specifics of this language. And that’s where the value lies in hiring a PHP coder.