TOP 5 PHP Mistakes

Posted on by jordanhaines

Learning and working with PHP over the years, you notice certain issues that keep popping up, either when you work on someone else's code or when you read code on the internet.

I have put together a list of the top 5 mistakes PHP developers are still making today.

1 – Not using PDO

When you start out learning PHP you will usually access the database via MySQLi. There is nothing wrong with that in itself, but as of PHP 5.1 there is a better way: PHP Data Objects (PDO). PDO provides prepared statements with named placeholders and a consistent object-oriented API across database drivers, which makes you far more productive and keeps user data out of your SQL strings. The security benefit comes from the prepared statement (MySQLi supports those too), but PDO's named placeholders make them easy enough that you will actually use them everywhere.

While there is a bit of a learning curve in moving from MySQLi to PDO, we would highly recommend it. An example of a PDO connection and a prepared insert is below.

<?php

/* Connection details (placeholders, replace with your own) */
$host   = 'localhost';
$dbname = 'testdb';
$user   = 'my_user';
$pass   = 'my_password';

try {
	/* MySQL with PDO_MYSQL */
	$DBH = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);

	/* Throw exceptions on errors instead of failing silently */
	$DBH->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );

	/* Data we want to insert into the database */
	$data = array( 'name' => 'Cathy', 'addr' => '9 Dark and Twisty', 'city' => 'Cardiff' );

	/* PDO prepared statement: the values are bound, never concatenated into the SQL */
	$STH = $DBH->prepare("INSERT INTO folks (name, addr, city) VALUES (:name, :addr, :city)");

	/* Execute the statement with the named parameters */
	$STH->execute($data);

	/* Close the connection */
	$DBH = null;
}
catch(PDOException $e) {
	/* Log the details server-side; never echo raw database errors to the browser */
	error_log($e->getMessage());
	echo 'Database error.';
}

?>

2 – Using * in SELECT queries

As developers we can get lazy sometimes. When you fetch data from a database the chances are you do not need every column in the table, so select only the columns you need. This is quicker and far more efficient: less data crosses the wire, the query can often be served from an index that covers just those columns, and your code does not silently start returning new columns (including ones you would rather not expose, such as a password hash added later) when the table changes.
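As an added example for sections 1 and 2 (not code from the original post), here is the read side of the PDO pattern: explicit column list, typed parameter binding, and real server-side prepares. The host, database, credentials and the folks table are assumptions for illustration.

```php
<?php
/* Added example: reading rows with PDO, naming the columns explicitly.
   Connection details and the "folks" table are placeholders. */
$DBH = new PDO("mysql:host=localhost;dbname=testdb;charset=utf8mb4", 'my_user', 'my_password');
$DBH->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
/* Use real server-side prepared statements rather than client-side emulation,
   so typed binding (PDO::PARAM_INT below) is honoured */
$DBH->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

/* Only the columns this page needs. A later "ALTER TABLE folks ADD password_hash"
   cannot leak through this query the way SELECT * would. */
$STH = $DBH->prepare("SELECT name, city FROM folks WHERE city = :city LIMIT :limit");

/* User input is bound, never interpolated into the SQL text */
$city = isset($_GET['city']) ? $_GET['city'] : 'Cardiff';
$STH->bindValue(':city', $city, PDO::PARAM_STR);
$STH->bindValue(':limit', 20, PDO::PARAM_INT);
$STH->execute();

/* Escape on the way out too: the database is not the only place user data ends up */
foreach ($STH->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), ' lives in ',
         htmlspecialchars($row['city'], ENT_QUOTES, 'UTF-8'), "\n";
}
?>
```

Turning off ATTR_EMULATE_PREPARES matters for the LIMIT placeholder: with emulation on, the MySQL driver quotes every bound value as a string and LIMIT '20' is a syntax error.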

3 – Not using UTF-8

When we build websites they can be accessed internationally, which we sometimes forget as developers in the UK, USA or Australia. We test our PHP code with English text and all is fine, but as soon as someone enters characters from another language we start seeing strange symbols all over the place.

UTF-8 solves this, but only if every layer agrees on it: the database connection charset, the table and column collations, the Content-Type header sent to the browser, and the string functions you call (the mb_* functions rather than strlen() and friends for multibyte text). Set the connection charset through the driver API (charset= in the PDO DSN, or mysqli::set_charset()) rather than with a raw SET NAMES query, because the escaping functions use the charset the driver knows about; a mismatch there is not just a display bug, it is what makes charset-based SQL injection possible. On MySQL use utf8mb4, since its plain "utf8" is limited to three bytes per character. Encode your data as UTF-8 end to end and the strange symbols go away.
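The layers listed above, wired together in one script (an added example, not code from the original post; the host, database, credentials and folks table are placeholders, and the sample name is constructed):

```php
<?php
/* Added example: UTF-8 at every layer. Connection details are placeholders. */

/* 1. Tell the browser what encoding the page is in */
header('Content-Type: text/html; charset=UTF-8');
mb_internal_encoding('UTF-8');

/* 2. Tell the database driver, so stored data and escaping agree on the encoding.
      utf8mb4 is MySQL's real 4-byte UTF-8; plain "utf8" there is 3-byte only. */
$DBH = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8mb4', 'my_user', 'my_password');
$DBH->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

/* The MySQLi equivalent is set_charset(), not a hand-written "SET NAMES" query */
$mysqli = new mysqli('localhost', 'my_user', 'my_password', 'testdb');
$mysqli->set_charset('utf8mb4');

/* 3. Use multibyte-aware string functions on user data (constructed sample input) */
$name = "Zoë Müller 東京";
/* strlen() counts bytes, mb_strlen() counts characters; truncating with substr()
   would cut a character in half and produce exactly the "strange symbols" */
printf("bytes=%d chars=%d\n", strlen($name), mb_strlen($name, 'UTF-8'));
$short = mb_substr($name, 0, 10, 'UTF-8');

/* 4. Reject byte sequences that are not valid UTF-8 before they reach the database */
if (!mb_check_encoding($name, 'UTF-8')) {
    http_response_code(400);
    exit('Invalid encoding');
}
$STH = $DBH->prepare('INSERT INTO folks (name) VALUES (:name)');
$STH->execute(array('name' => $name));

/* 5. When echoing it back, give htmlspecialchars() the charset as well */
echo htmlspecialchars($short, ENT_QUOTES, 'UTF-8');
?>
```

Step 4 is the one most often skipped: invalid UTF-8 is accepted silently by most layers and only shows up later as replacement characters or, worse, as escaping that did not escape.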

4 – Not hashing the password field

I do not think a week goes by without a news report about some company's data being stolen because its security was not up to scratch. They then have to tell their users to change their passwords because the attackers have got hold of them.

The way to limit the damage is to never store the password itself. Hash it before it goes into the database, so that a stolen table gives the attacker only hashes that still have to be guessed one at a time. Note that this is hashing, not encryption: there is no key and no way to recover the original password, which is exactly what you want. The current accepted best practice is to hash passwords with bcrypt, which is deliberately slow so that every guess against a stolen hash costs the attacker real CPU time.

PHP 5.5 and later provide password_hash() for this. It generates a random salt itself and stores it inside the returned string, so you should never supply a salt of your own. PASSWORD_DEFAULT currently selects bcrypt; an example is given below:

<?php
	/* Returns a string containing the algorithm, cost, random salt and hash
	   (60 characters for bcrypt; the manual recommends a 255-character column) */
	$hash = password_hash($password, PASSWORD_DEFAULT);
?>
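Hashing on registration is only half of it; the login side has to verify with password_verify() and can upgrade old hashes with password_needs_rehash(). The following is an added example (not code from the original post) of the whole cycle. The users table, its columns and the cost of 12 are assumptions; it runs against an in-memory SQLite database so it can be tried without MySQL.

```php
<?php
/* Added example: hash on registration, verify on login, rehash when the policy changes.
   The "users" table and the cost setting are assumptions for illustration. */
define('BCRYPT_COST', 12);   // default is 10; each +1 doubles the work per guess

function register_user(PDO $db, $username, $password) {
    /* password_hash() picks the salt; never pass one in yourself */
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute(array('u' => $username, 'h' => $hash));
}

/* Returns the user id on success, false on failure */
function login_user(PDO $db, $username, $password) {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute(array('u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        /* Unknown user: burn the same amount of bcrypt work anyway, so response
           time does not tell an attacker which usernames exist */
        password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
        return false;
    }

    /* Compare the submitted password against the stored hash (constant-time inside) */
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    /* Hash made with an older algorithm or a cheaper cost? Upgrade it now,
       while we still have the plaintext from this login. */
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
        $new = password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute(array('h' => $new, 'id' => $row['id']));
    }
    return (int) $row['id'];
}

/* Demo on an in-memory SQLite database (constructed data) */
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
register_user($db, 'cathy', 'correct horse battery staple');
var_dump(login_user($db, 'cathy', 'correct horse battery staple'));
var_dump(login_user($db, 'cathy', 'wrong password'));
var_dump(login_user($db, 'nobody', 'wrong password'));
?>
```

The first var_dump prints the new user's id and the other two print false. Raising BCRYPT_COST later needs no migration: the next successful login of each user rehashes their password at the new cost.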

5 – Not sanitising user input

As a PHP developer you will have to deal with user-supplied data at some point. Rule 1 is never trust user input. You always have to validate it and, wherever it is handed to another system (a SQL query, an HTML page, a shell command), escape it correctly for that destination in order to protect your website from security risks.

For SQL the best option is the prepared statement shown in section 1, which keeps the data out of the query text entirely. If you do have to build a query string by hand, for example when creating a new user with MySQLi, escape every value with mysqli_real_escape_string(), or with PDO::quote() when you are using PDO. Both escape according to the connection's character set, so set that charset through the API (mysqli::set_charset() or charset= in the DSN) before escaping anything. Some examples are given below, based on the examples from PHP.net:

mysqli_real_escape_string() Example:

<?php
	$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

	/* Set the connection charset first: real_escape_string() depends on it */
	$mysqli->set_charset("utf8mb4");

	$city = "'s Hertogenbosch";

	/* Escape the value before it goes into the query text */
	$city = $mysqli->real_escape_string($city);

	/* this query with escaped $city will work */
	if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    		printf("%d Row inserted.\n", $mysqli->affected_rows);
	}

	$mysqli->close();
?>

PDO::quote() Example:

<?php
	$conn = new PDO('sqlite:/home/lynn/music.sql3');

	/* Simple string: quote() returns it wrapped in quotes, ready for the SQL text */
	$string = 'Nice';
	print "Quoted string: " . $conn->quote($string) . "\n";

	/* Naughty string: the embedded quote is escaped so it cannot end the literal */
	$string = 'Naughty \' string';
	print "Quoted string: " . $conn->quote($string) . "\n";
?>
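To see why the escaping matters, here is the same lookup written three ways: concatenated, quoted with PDO::quote(), and as a prepared statement. This is an added example, not code from the original post; it runs against an in-memory SQLite database with a constructed users table and a constructed attacker input.

```php
<?php
/* Added example: one injection payload against three ways of building the query.
   The "users" table and its rows are constructed test data. */
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)');
$db->exec("INSERT INTO users (username, is_admin) VALUES ('alice', 1), ('bob', 0)");

/* Attacker-controlled input, as typed into a "username" field */
$input = "nobody' OR '1'='1";

/* 1. Vulnerable: the input becomes part of the SQL text, so the OR clause is executed */
$rows = $db->query("SELECT username FROM users WHERE username = '$input'")
           ->fetchAll(PDO::FETCH_COLUMN);
echo "concatenated: ", count($rows), " row(s)\n";

/* 2. Escaped with quote(): the embedded quote is neutralised and the whole input
      is compared as one literal string again */
$rows = $db->query("SELECT username FROM users WHERE username = " . $db->quote($input))
           ->fetchAll(PDO::FETCH_COLUMN);
echo "quoted:       ", count($rows), " row(s)\n";

/* 3. Prepared statement: the input never touches the SQL text at all */
$stmt = $db->prepare('SELECT username FROM users WHERE username = :u');
$stmt->execute(array('u' => $input));
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "prepared:     ", count($rows), " row(s)\n";

/* Escaping is per destination: quote() does nothing for an HTML page. When the
   value is echoed back to the user, escape it for HTML instead. */
echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8'), "\n";
?>
```

The concatenated query returns every user because the injected OR '1'='1' is always true; the quoted and prepared versions both return nothing, since no user is literally named "nobody' OR '1'='1". Of the two safe forms, prefer the prepared statement: it cannot be undone by forgetting a single quote() call or by a charset mismatch.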
This entry was posted in PHP, Web Development.