10 Principles of the PHP Masters

With PHP’s widespread adoption,it’s almost too easy to find a script or snippet to do exactly what you need. Unfortunately, there’s no filter as to what is a “good practice” and what’s, well… not so good when writing a PHP script. We need trustworthy sources, who have proven they have a solid grasp on the best practices of PHP.

We need PHP masters to show us the best principles to follow for high-grade PHP programming.

1. Use PHP Only When You Need it – Rasmus Lerdorf

There’s no better resource than PHP’s creator for knowing what PHP is capable of. Rasmus Lerdorf created PHP in 1995, and since then the language has spread like wildfire through the developer community, changing the face of the Internet. However, Rasmus didn’t create PHP with that intent. PHP was created out of a need to solve web development problems.

And as with many open source projects that have gone on to become popular, the motivation was never philosophical or even narcissistic. It was purely a case of needing a tool to solve real-world Web-related problems. In 1994 the options were fairly limited when it came to Web development tools.

However, you can’t use PHP for everything. Lerdorf is the first to admit that PHP is really just a tool in your toolbox, and that even PHP has limitations.

Use the right tool for the job. I have run across companies that have completely bought into PHP, deploying it absolutely everywhere, but it was never meant to be a general-purpose language appropriate for every problem. It is most at home as the front-end scripting language for the Web.

Trying to use PHP for everything isn’t efficient, and it certainly isn’t the best use of your time as a web developer. Don’t be afraid to to use other languages if PHP isn’t working out for your project.

2. Use Many Tables With PHP and MYSQL for Scalability – Matt Mullenweg

Nobody needs to question Matt Mullenweg’s authority with PHP. He has, (alongside a rabid community), developed the most popular blogging system on the planet: WordPress. After creating WordPress, Matt and company launched the stellar WordPress.com, a free blogging site based on the WordPress MU code base blogging software for multiple blogs. At the time of this writing, WordPress.com hosts over 4 million blogs, and their users have written over 140,000 posts today. (You can see more interesting stats about WordPress.com usage here.)

If anybody knows how to scale a website, it’s Matt Mullenweg. In 2006 Matt gave some insight into WordPress’ database structure and explained why WordPress MU uses a separate MySQL table for each blog, as opposed to using one giant “monolithic” table for all of the blogs.

We tested this approach for MU, but found it was too expensive to scale past a certain point. With monolithic structures you hit a wall based on your hardware. In MU users are divided and can be partitioned easily, for example on WordPress.com we have the users partitioned between 4096 databases, which allows you to scale very cheaply and efficiently to hundreds of thousands and even millions of users and extremely high levels of traffic.

Being able migrate the tables allows the code and ultimately the blogs to run much faster and scale easier. Alongside some heavy caching, and smart database usage, Matt has shown that extremely popular sites like Facebook and WordPress.com can run off of PHP and handle the incredible traffic load.

3. Never, ever trust your users – Dave Child

Dave Child is the brainchild (teehee) behind the recently renamed Added Bytes (previously ilovejackdaniels.com) website that featured Dave’s excellent cheat sheets for many programming languages. Dave’s worked for many development companies in the UK and has established himself as an authority in the programming world.

Dave offers some sage advice when it comes to writing secure code in PHP: Don’t trust your users. They just might hurt you.

So the cardinal rule of all web development, and I can’t stress it enough, is: Never, Ever, Trust Your Users. Assume every single piece of data your site collects from a user contains malicious code. Always. That includes data you think you have checked with client-side validation, for example using JavaScript. If you can manage that, you’ll be off to a good start. If PHP security is important to you, this single point is the most important to learn.

Dave goes on to give specific examples of secure practices in parts one, two and three of his ‘Writing Secure PHP’ series. But his ultimate takeaway is this:

Finally, be completely and utterly paranoid.
If you assume your site will never come under attack, or face any problems of any sort, then when something eventually does go wrong, you will be in massive amounts of trouble. If, on the other hand, you assume every single visitor to your site is out to get you and you are permanently at war, you will help yourself to keep your site secure, and be prepared in case things should go wrong.

4. Invest in PHP Caching – Ben Balbo

Ben Balbo has been writing for Site Point, a very well respected tutorial site for the likes of developers and designers. He’s on the committee for both the Melbourne PHP User Group and Open Source Developers’ Club, so he knows a thing or two about the language. It’s no surprise with Ben’s background as a PHP developer and trainer that he recommends putting a little more thought and preparation into PHP caching.

If you have a busy and predominantly static web site–such as a blog–that’s managed through a content management system, it will likely require little alteration, yet may benefit from huge performance improvements resulting from a small investment of your time. Setting up caching for a more complex site that generates content on a per-user basis, such as a portal or shopping cart system, will prove a little more tricky and time consuming, but the benefits are still clear.

There are many different techniques for caching in PHP, and Ben touches on a few of the bigger ones in the article, like:

• cached function calls
• setting expiry headers
• caching file downloads in IE
• template caching
• Cache_Lite

and many others. Because of the nature of dynamic languages like PHP, caching is critical to store those parts of the page that are accessed frequently and don’t change often.

5. Speed up PHP Development with an IDE, Templates and Snippets – Chad Kieffer

When Chad Kieffer isn’t busy rocking user interfaces and administering databases, he’s giving expertise advice from his blog 2 tablespoons. Because of Chad’s wide field of expertise, he’s often able to see the big picture that other programmers might not, specifically when it comes to the holistic approach that Chad takes to developing a website. He specializes in all aspects of the development process, so any insights he can provide with putting together an entire project is going to be useful.

Chad believes that using an IDE like Eclipse PDT (Eclipse’s PHP development package) with a mixture of templates and snippets can really speed up the turnaround time on a project.

Busy schedules, long to do lists, and deadlines make it tough for developers to get familiar with some of the advanced features their tools provide. This is a shame, because some features, like Eclipse Templates, can really reduce coding time and errors.

Common sense says that any time you can automate a task, the quicker you’ll get the project done. The same holds true with Dan’s theory. By taking the time to create templates that you’ll use over and over, you’ll save tons of time automating the repetitive parts of coding.

By using an IDE like Eclipse and the PDT package, you’ll find that your development time will incrementally speed up. The IDE will auto-close brackets, add those missing semicolons and even allow you to debug within the editor, without having to upload to the server.
(Chad has a nifty tutorial on getting started with Eclipse PDT and the benefits of an IDE in general, if you’re interested.)

6. Make Better Use of PHP’s Filter Functions – Joey Sochacki

While Joey Sochacki may not be as big of a name as Matt Mullenweg in the PHP community, he’s a seasoned web developer and shares tips that he’s picked up along the way at his blog Devolio.

Joey has found that even though there is a ton of filtering that has to happen when writing PHP code, not many programmers make use of PHP’s filter functions.

Filtering data. We all have to do it. Most, if not all of us, despise doing it. However, unbeknown to most are PHP’s filter_* functions, that allow us to do all sorts of filtering and validation. Using PHP’s filter_* functions, we can validate and sanitize data types, URLs, e-mail addresses, IP addresses, strip bad characters, and more, all with relative ease.

Filtering can be tricky, but this guide can help immensely. With Joey’s help you’ll learn how to install the filters and and filter nearly anything, taking advantage of the filtering power of PHP.

7. Use a PHP Framework – Josh Sharp

There has always been a debate as to whether to use a PHP framework like Zend, CakePHP, Code Igniter, or any other framework. There are upsides and downsides to using one, and many developers have their own opinions about whether or not to go down this road.

Josh Sharp is a web developer who makes his bread and butter creating websites for clients. This is why you should trust him when he says it’s a good idea to use a PHP framework to save time and eliminate mistakes when programming. Why? Josh believes it’s because PHP is too easy to learn.

But PHP’s ease of use is also its downfall. Because there are less restrictions on the structure of the code you write, it’s much easier to write bad code. But there is a solution: use a framework.

PHP frameworks help standardize how you program, and can save lots of time in the development process. You can read more about the benefit of using a PHP framework at Josh’s blog.

8. Don’t use a PHP Framework – Rasmus Lerdorf

Contrary to Josh’s belief that one should use a PHP framework, Rasmus Lerdorf, the Godfather of PHP himself, believes that frameworks aren’t that great. Why? Because they perform much slower than simple PHP.

During Rasmus’ presentation at Drupalcon 2008, Rasmus compared the response times to a PHP page with a simple “Hello World” example, and compared it to a few PHP frameworks (slides 24-32), and showed that PHP frameworks are much slower than straight PHP.

You can listen or watch the entire presentation where Rasmus shows the performance losses with PHP frameworks. In short, Rasmus shows that performance takes a major hit when you use a PHP framework as opposed to using pure PHP.

9. Use Batch Processing – Jack D. Herrington

Jack Herrington is no stranger to PHP and the development world. On top of writing over 30 articles for the prestigious IBM developerWorks, Jack has also published programming books like PHP Hacks. Jack is a bona fide expert.

Herrington recommends using batch processing and cron to tackle those tasks that can process in the background. Web users don’t want to wait long for tasks to complete on the web. There are some jobs that take longer that are much more suited to being done in the background.

Certainly, in some small cases, it’s a bit easier to fire off of a helper thread to handle small jobs. But it’s easy to see that with the use of conventional tools — cron, MySQL, standard object-oriented PHP, and Pear::DB — creating batch jobs in PHP applications is easy to do, easy to deploy, and easy to maintain.

Jack believes in simplicity, and instead of using threading on servers, he uses the simple combination of cron, PHP and MySQL to process tasks in the background.

I’ve done both, and I think cron has the advantage of the “Keep It Simple, Stupid” (KISS) principle. It keeps the background processing simple. Instead of having a multithreaded job-processing application that runs forever and, thus, can never leak memory, you have a simple batch script that cron starts. The script determines whether there’s anything to do, does it, then exits. No need to worry about memory leaks. No need to worry about a thread stalling or getting caught in an infinite loop.

10. Turn on Error Reporting Immediately – David Cummings

David Cummings runs his own software company that specializes in content management systems, and has won several awards. If anyone knows how to develop a PHP application efficiently, it’s Dave.

David wrote in a SitePoint article about the two PHP tips he wished he’d learned in the beginning. One of the tips: Turn on error reporting immediately. It’ll save a great deal of time in the long run.

The single most important thing I tell people who use PHP is to turn error reporting to its maximum level. Why would I want to do this? Generally the error reporting is set at a level that will hide many little things like:

• declaring a variable ahead of time,
• referencing a variable that isn’t available in that segment of code, or
• using a define that isn’t set.

These factors might not seem like that big a deal — until you develop structured or object oriented programs with functions and classes. Too often, writing code without error reporting turned up high would cost you hours as you scoured long functions that didn’t work because a variable was misspelled or not accessible.

Error reporting can make finding the reason for an error much easier. A tiny bug in the code can be quickly identified if PHP’s error reporting is turned on high. Save yourself some time and hair pulling by letting PHP find your bugs for you.

Read the previous post in this series: 10 Principles of the CSS Masters.

• Subscribe to the NETTUTS RSS Feed for more daily web development tutorials and articles.

Glen Stansberry is a web developer and blogger who’s struggled more times than he’d wish to admit with CSS. You can read more tips on web development at his blog Web Jackalope.