Samuel Folkes has posted a great article about bad PHP programming habits. In his article, titled 17 PHP Practices That Should Be Banned Forever, Folkes describes 17 specific behaviors which can lead to bad code, security holes, or both.
Not all of the 17 items are PHP-specific. Not properly commenting your code is of course a problem in any programming language. This is also one I am ashamed to say is a problem for me. Particularly when you are a one-man shop and you don’t have anyone else working in or maintaining your code, commenting doesn’t seem that necessary. Having said that, I have always commented complex sections of code for my own benefit. I’ve gotten better at more generalized commenting lately, particularly with writing Doc Block comments in my classes. However, I would like to think that most of my code–at least the more recent stuff–is well written and logical enough that it is fairly self-explanatory to an experienced developer.
Other notable bad PHP habits include reliance on the ubiquitous Register Globals, failure to sanitize user input, not closing database connections, overuse of error supression, and using functions inside loop declarations.
One habit Folkes describes hit home with me in a very direct way. He suggests reliance on short PHP tags (<?, <?=) is a no-no, principally because not all hosts have short tags enabled in php.ini, and also that potential conflicts can come up when working with XML, since XML documents begin with <?xml, the PHP parser may try to parse the XML open tag.
These are both valid concerns, particularly so if you are working extensively with XML, and/or if you are developing code to be distributed widely to server environments you have no control over.
I use the <?= tag extensively, since becoming a convert to Brian Lozier’s PHP Templating Class. Further, I develop in an enterprise environment, on a project which we do not intend to distribute, on a server where we (meaning the institution) do indeed control configuration.
I have developed a small number of XML documents generated from PHP scripts, but to this point my XML open tags have been encapsulated in strings (‘<?xml’) and would therefore never be parsed as PHP to begin with. Perhaps due to my limited exposure to XML with PHP, I’ve not run into a scenario in which this compatibility problem would arise.
Finally, I’ve read recently on one site that short tags will be deprecated in PHP 6, then on another site I’ve read that <?= is about to make a comeback, since Zend Framework is pushing a Brian Lozier-esque PHP-as-template-engine approach.
We’ll see. Until I see more obvious handwriting on the wall regarding short tags, I’m sticking to my current approach. As for the rest of Folkes’ recommendations, they are well worth a read for any newbie or seasoned PHP developer.