BEST PRACTICES For IT Teams and PHP DEVS
Sanitize input
URLs: `urlencode()`; value attributes (HTML): `htmlspecialchars()`
See: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Dependency injection is nice, SQL injection not so
ALWAYS use bound parameters
IF you need to build SQL Queries, use a builder. Don’t “roll your own”
Use PDO.
Use `PDO::quote` to escape literals in an `IN` clause. If these are numbers, use `intval()` or `floatval()`.
Do not trust data, even from database.
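The three rules above, as an added example that is not from the slides: bound parameters for a single value, a generated placeholder list for an `IN` clause, and the `intval()` cast for numeric lists. The database is an assumed in-memory SQLite instance so the script runs stand-alone.

```php
<?php
declare(strict_types=1);

// Assumed connection: in-memory SQLite with a constructed `users` table.
// On MySQL you would also set PDO::ATTR_EMULATE_PREPARES to false.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// 1. Single value: a bound parameter, never string concatenation.
function findByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. IN clause with a variable number of values: one placeholder per value,
//    each one bound. Works for strings as well as numbers.
function findByIds(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return []; // bail out early: "IN ()" is not valid SQL
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE id IN ($placeholders)");
    $stmt->execute(array_values($ids));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. The slide's alternative for numeric lists: cast every element with
//    intval() so nothing but digits can reach the query text.
function findByIdsCast(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $list = implode(',', array_map('intval', $ids));
    $stmt = $pdo->query("SELECT id, name FROM users WHERE id IN ($list)");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: once bound or cast, they are plain data, not SQL.
var_dump(findByName($pdo, "alice' OR '1'='1"));   // empty array: no such name
var_dump(findByIds($pdo, [1, 3]));                 // alice, carol
var_dump(findByIdsCast($pdo, ['2', '1 OR 1=1']));  // bob, alice: intval('1 OR 1=1') === 1
```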
Other security tips
● Use secure cookies (http://cookiecontroller.com/internet-cookies/secure-cookies/)
● Sign your cookies & encrypt them !
(httpOnly & secure attributes + HMAC signature & AES encryption)
● Check on UI and backend
(Hiding a button is not enough to prevent an action)
Know your stuff
● DO IT RIGHT : www.phptherightway.com
● DO IT SECURE : https://www.owasp.org/
● RTFM : http://be2.php.net/manual/en/
● CS can help : https://sourcemaking.com/
Teams are smarter than individuals
● Reuse components
○ http://symfony.com/components
○ http://www.yiiframework.com/extensions/
● Don’t reinvent the wheel
○ Involve standards
■ https://tools.ietf.org/
■ http://www.php-fig.org/psr/
■ https://www.jcp.org/en/jsr/overview (yes, you can borrow from other technologies!)
● Don’t re-implement the framework
○ E.g. `$_SERVER['REQUEST_METHOD'] == 'POST' ? $repo->save($user) : $repo->get($user->id)`
● Don’t misuse framework hooks (e.g. saving entities in a “validate” method)
Handle errors and unusual activity properly
● Log odd events with at least a “WARNING” level;
● Throw exceptions on exceptional situations;
○ Create your own exceptions unless you can reuse an existing one;
○ Log details which can help debugging;
● With good logging, reading the code becomes optional;
● Do not attempt to “automagically” fix some “bad call”
○ If you don’t know : good place for throwing an exception !
● Validate input on public methods;
● All “switch” have to feature a “default” case;
● Bail out as early as possible; (if ... return)
Tricks
● Feel compelled to make a comment ? → make a function !
● Too many indents ? → make a function or bail out early !
● Using break ? → make a function !
● Need to inherit more than one class ? → use composition !
● Too many controller dependencies ? → split your controller !
● Code hard to read ? → good naming, functions !
● Trouble using a class ? → Don’t use magic methods (__get, __invoke, …) !
(Magic methods should be used to make proxies and advanced stuff)