<?
echo("<p>Search results for query: " .
$_GET['query'] . ".</p>");
?>
The main problem in this code is that the user-submitted value ($_GET['query']
) is output directly to the page, resulting in a Cross Site Scripting (XSS) vulnerability. But there are plenty of other ways in which it can be improved.
So, what sort of answer are we hoping for?
Good:
<?
echo("<p>Search results for query: " .
htmlspecialchars($_GET['query']) . ".</p>");
?>
This is the least we expect. The XSS vulnerability has been remedied using htmlspecialchars
to escape dangerous characters in the submitted value.
Better:
<?php
if (isset($_GET['query']))
{
echo '<p>Search results for query: ',
htmlspecialchars($_GET['query'], ENT_QUOTES), '.</p>';
}
?>
Now this looks like someone we might want to hire:
- The “short” opening PHP tag (
<?
) has been replaced with the more portable (and XML-friendly)<?php
form. - Before attempting to output the value of
$_GET['query']
,isset
is used to verify that it actually has a value. - The unnecessary brackets (
()
) around the value passed toecho
have been removed. - Strings are delimited by single quotes instead of double quotes to avoid the performance hit of PHP searching for variables to interpolate within the strings.
- Rather than using the string concatenation operator (
.
) to pass a single string to theecho
statement, the strings to be output byecho
are separated by commas for a tiny performance boost. - Passing the
ENT_QUOTES
argument tohtmlspecialchars
to ensure that single quotes ('
) are also escaped isn’t strictly necessary in this case, but it’s a good habit to get into.
Frequently Asked Questions about Good and Bad PHP Code
What are some common mistakes in PHP coding?
PHP is a powerful scripting language, but it’s also easy to make mistakes if you’re not careful. Some common mistakes include not using proper error reporting, not validating or sanitizing user inputs, using outdated PHP functions, and not using prepared statements for SQL queries. These mistakes can lead to security vulnerabilities, poor performance, and other issues. It’s important to keep up-to-date with best practices and to always test your code thoroughly.
How can I improve my PHP coding skills?
Improving your PHP coding skills involves a combination of learning and practice. Start by studying the basics of PHP, including its syntax, data types, and control structures. Then, move on to more advanced topics like object-oriented programming, error handling, and security. Practice by working on small projects or contributing to open-source projects. Additionally, consider getting a mentor or joining a PHP community where you can learn from others.
What are the best practices for PHP coding?
Best practices for PHP coding include using a consistent coding style, commenting your code, using error reporting during development, validating and sanitizing user inputs, using prepared statements for SQL queries, and keeping your PHP version up-to-date. These practices can help you write code that is secure, efficient, and easy to maintain.
What are some examples of bad PHP code?
Bad PHP code can take many forms. It might involve using outdated PHP functions, not using error reporting, not validating or sanitizing user inputs, or not using prepared statements for SQL queries. These practices can lead to security vulnerabilities, poor performance, and other issues. It’s important to learn from these mistakes and to always strive to write high-quality PHP code.
How can I refactor bad PHP code?
Refactoring bad PHP code involves identifying the problems, making a plan to fix them, and then implementing that plan. Start by reviewing the code and looking for common mistakes like not using error reporting, not validating or sanitizing user inputs, or using outdated PHP functions. Then, decide how to fix these issues. This might involve rewriting parts of the code, implementing new features, or changing the way the code is structured. Always test your changes thoroughly to make sure you haven’t introduced new problems.
What is the importance of using the latest PHP version?
Using the latest PHP version is important for several reasons. First, it ensures that you have access to the latest features and improvements. Second, it helps protect your code from security vulnerabilities that have been fixed in newer versions. Finally, it can help improve the performance of your code. Always make sure to test your code thoroughly after upgrading to a new PHP version.
How can I write secure PHP code?
Writing secure PHP code involves following best practices like validating and sanitizing user inputs, using prepared statements for SQL queries, and using proper error reporting. It’s also important to keep your PHP version up-to-date to protect against known security vulnerabilities. Additionally, consider using a security-focused development process that includes regular code reviews and security testing.
What are the benefits of using a PHP framework?
Using a PHP framework can provide several benefits. It can help you write code more quickly and efficiently by providing a structured development process. It can also help improve the security and performance of your code by providing built-in features and optimizations. Finally, it can make it easier to maintain and scale your code by providing a consistent coding style and architecture.
What are some good resources for learning PHP?
There are many resources available for learning PHP. This includes online tutorials, books, video courses, and coding bootcamps. Additionally, consider joining a PHP community or forum where you can ask questions and learn from others. Always make sure to practice what you learn by working on projects or contributing to open-source software.
How can I prepare for a PHP job interview?
Preparing for a PHP job interview involves studying the basics of PHP, practicing your coding skills, and learning about the company you’re interviewing with. Be prepared to answer questions about your experience with PHP, your understanding of best practices, and your problem-solving skills. Additionally, consider doing some practice interviews to help you feel more comfortable.
Kevin Yank is an accomplished web developer, speaker, trainer and author of Build Your Own Database Driven Website Using PHP & MySQL and Co-Author of Simply JavaScript and Everything You Know About CSS is Wrong! Kevin loves to share his wealth of knowledge and it didn't stop at books, he's also the course instructor to 3 online courses in web development. Currently Kevin is the Director of Front End Engineering at Culture Amp.