PHP Tips, Resources and Best Practices for 2015

That’s true. But some languages make it harder and some make it easier to write insecure code. PHP is just so shockingly inconsistent with a lot of features added on top later in its life that it really makes it very easy to write shitty code. Add to that an abundance of very outdated tutorials and books and virtually unlimited number of inexperienced developers giving poor advice and it becomes a big problem.

As those people progress to writing code in other languages the number of improperly written applications in those other languages will increase. The issue is that so many people write PHP without having learnt how to write programs properly in the first place and as you say, these people without any idea of how to write proper programs then advise others in how they too can write insecure garbage.

Being able to code properly is independent of the programming language used. Unfortunately since the portion of the code to make it secure is generally around 75% of the total code and this part of the code is not necessary for working examples it usually gets left out of most books teaching programming. Experienced programmers know this and will add all the extra code needed but many newbies never get beyond writing example code never intended for a live environment.

PHP actually makes it relatively easy to implement most of the security needed. All you need to do is to avoid moving $_POST and $_GET values (etc.) out of those arrays without validating the values first. That takes care of about 50% of the security issues that most newbie code has without even applying any security measures (since you need to do that to prevent junk input anyway).
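The rule in that post, validate before anything leaves the superglobals, looks like this in practice. This is an added example, not code from the thread or from any project mentioned in it; the field names (`id`, `name`, `email`) and their rules are assumptions for a hypothetical form handler.

```php
<?php
// Added example (not from the thread): validate request values before they
// leave $_GET / $_POST. The fields and rules below are assumed for a
// hypothetical endpoint expecting an integer "id", a short "name" and an "email".
declare(strict_types=1);

/**
 * Return validated values plus a list of errors. Nothing is copied out of the
 * raw input array unless it passes the rule for that field, so the rest of
 * the script only ever touches the 'values' entry.
 */
function validateRequest(array $input): array
{
    $errors = [];
    $clean  = [];

    // "id": a positive integer. filter_var() returns false for anything that
    // is not a whole number in range (strings like "42abc", arrays, null).
    $id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    if ($id === false) {
        $errors['id'] = 'id must be a positive integer';
    } else {
        $clean['id'] = $id;
    }

    // "name": allow-list of characters with a bounded length. Reject bad
    // input rather than stripping characters out of it.
    $name = $input['name'] ?? '';
    if (!is_string($name) || preg_match('/\A[\p{L} \'-]{1,60}\z/u', $name) !== 1) {
        $errors['name'] = 'name may contain only letters, spaces, apostrophes and hyphens (1-60 chars)';
    } else {
        $clean['name'] = $name;
    }

    // "email": syntactic check with the built-in validator.
    $email = filter_var($input['email'] ?? null, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'email is not valid';
    } else {
        $clean['email'] = $email;
    }

    return ['ok' => $errors === [], 'values' => $clean, 'errors' => $errors];
}

// Constructed sample inputs standing in for $_POST:
$good = ['id' => '42', 'name' => "Mary O'Neil", 'email' => 'mary@example.com'];
$bad  = ['id' => '42abc', 'name' => '<b>Bob</b>', 'email' => 'not-an-email'];

var_dump(validateRequest($good)['ok']);     // bool(true)
var_dump(validateRequest($bad)['errors']);  // one message per rejected field

// In a real handler: $result = validateRequest($_POST); then use only
// $result['values'], passing them to prepared statements and escaped output.
```

The point of returning a separate `values` array is that later code cannot accidentally reach for `$_POST['id']` again; it only has the validated copy. Validation is not a substitute for prepared statements or output escaping, it just stops junk from getting that far.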

I totally agree with your comments on PHP versions. Projects should not support PHP versions that are no longer officially supported by PHP. It dissuades people from upgrading and as you say, damages the entire ecosystem.

Once official PHP support for a version is dropped, so should project support.

I think that minor versions of projects (or major versions of software with rapid dev cycles) should start with a minimum of whatever PHP version is oldest current and stay with that for its life cycle. Hence if Drupal 8 were to go gold today it would support PHP 5.5 until 8.1 is released.

I think there’s equal chance of people having 5.5 and 5.6 installed - both suffer from a lack of exposure. I’d go with 5.6 off the bat.

5.5 is still better than the 5.2 floor more than a few projects are holding onto (Wordpress…)

Very useful, thanks for the information here.

The current version of WordPress may still run on 5.2 but it is intended to be run on 5.5.

On 5.5 it uses the mysqli database interface instead of the mysql one - as you can easily find out by turning the mysql interface off.

Unfortunately many WP installations are on shared hosting where they are probably afraid of upgrading.

It's crazy that only 10% of all WP installations are on 4.1 and 32% of all installations are running on PHP 5.2.

Not everyone is updating like the rest of us :)

It is all of the other sites sharing on the same server who need to be afraid of those not upgrading as not upgrading produces a potential security hole on the server.

No wonder WordPress has such a bad reputation if 90% of installs are not up to date.

I used to work at a web agency that didn't care about upgrading unless the customer directly paid for the upgrade. So instead we spent a lot of time fixing those sites which got hacked WITHOUT the customer paying.

I hope that's not the attitude elsewhere.

Hi,

Very useful, thanks for the share.

The information that you share is exactly right, it makes sense, and I've used it successfully. Thank you for sharing.

Amen!

It doesn’t matter what developer you are, this is a general “developer commandment” I believe in.

A lot of times too, especially helping on the Internet, you might try and help someone, only to learn, you aren’t quite right yourself. So you also end up learning too. I think, as a developer, being humble in knowing that I don’t know everything, is also important. It is actually another commandment.

“Thou shall always be humble and never think thy knowledge is all encompassing!”

The other commandment from Bruno could be

“Thou shall always help the lesser knowing developer”.

:innocent:

Scott


cool thank you!

It sounds very interesting!
I like the post very much, keep it up.
Yeah, this forum is making a difference. I love it.


You cannot directly criticize PHP. PHP is an open source language and you can learn from the internet; there are thousands of tutorials available. You can make PHP secure by powerful scripting.

Very useful site, thanks everyone, glad to be a member

Good article with links to read and learn more on PHP. I started with w3school and it serves as a simple and easy PHP guide.