├── .gitignore
├── PHP_ The Right Way - phptherightway.com.azw3
├── PHP_ The Right Way - phptherightway.com.epub
├── PHP_ The Right Way - phptherightway.com.mobi
├── PHP_ The Right Way - phptherightway.com.pdf
├── PHP_ The Right Way - phptherightway.com.txt
├── README.md
├── build-pdf.sh
├── php-the-right-way-06-21-2013.pdf
└── php-the-right-way-06212013.html


/.gitignore:
--------------------------------------------------------------------------------
1 | *.DS_Store
2 | 


--------------------------------------------------------------------------------
/PHP_ The Right Way - phptherightway.com.azw3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lsd/php-the-right-way-pdf/fdf3c121eea1d71ff167cd88a8729281a643932e/PHP_ The Right Way - phptherightway.com.azw3


--------------------------------------------------------------------------------
/PHP_ The Right Way - phptherightway.com.epub:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lsd/php-the-right-way-pdf/fdf3c121eea1d71ff167cd88a8729281a643932e/PHP_ The Right Way - phptherightway.com.epub


--------------------------------------------------------------------------------
/PHP_ The Right Way - phptherightway.com.mobi:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lsd/php-the-right-way-pdf/fdf3c121eea1d71ff167cd88a8729281a643932e/PHP_ The Right Way - phptherightway.com.mobi


--------------------------------------------------------------------------------
/PHP_ The Right Way - phptherightway.com.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lsd/php-the-right-way-pdf/fdf3c121eea1d71ff167cd88a8729281a643932e/PHP_ The Right Way - phptherightway.com.pdf


--------------------------------------------------------------------------------
/PHP_ The Right Way - phptherightway.com.txt:
--------------------------------------------------------------------------------
   1 | PHP: The Right Way
   2 | 
   3 | • Getting Started
   4 | 
   5 | – Use the Current Stable Version (5.4)
   6 | 
   7 | – Built-in web server
   8 | 
   9 | – Mac Setup
  10 | 
  11 | – Windows Setup
  12 | 
  13 | – Vagrant
  14 | 
  15 | • Code Style Guide
  16 | 
  17 | • Language Highlights
  18 | 
  19 | – Programming Paradigms
  20 | 
  21 | ∗ Object-oriented Programming
  22 | 
  23 | ∗ Functional Programming
  24 | 
  25 | ∗ Meta Programming
  26 | 
  27 | – Namespaces
  28 | 
  29 | – Standard PHP Library
  30 | 
  31 | – Command Line Interface
  32 | 
  33 | – XDebug
  34 | 
  35 | • Dependency Management
  36 | 
  37 | – Composer and Packagist
  38 | 
  39 | ∗ How to Install Composer
  40 | 
  41 | ∗ How to Install Composer (manually)
  42 | 
  43 | ∗ How to Define and Install Dependencies
  44 | 
  45 | ∗ Updating your dependencies
  46 | 
  47 | ∗ Checking your dependencies for security issues
  48 | 
  49 | – PEAR
  50 | 
  51 | ∗ How to install PEAR
  52 | 
  53 | ∗ How to install a package
  54 | 
  55 | ∗ Handling PEAR dependencies with Composer
  56 | 
  57 | • Coding Practices
  58 | 
  59 | – The Basics
  60 | 
  61 | – Date and Time
  62 | 
  63 | 1
  64 | 
  65 | – Design Patterns
  66 | 
  67 | – Exceptions
  68 | 
  69 | ∗ SPL Exceptions
  70 | 
  71 | • Databases
  72 | 
  73 | – PDO
  74 | 
  75 | – Abstraction Layers
  76 | 
  77 | • Security
  78 | 
  79 | – Web Application Security
  80 | 
  81 | – Password Hashing
  82 | 
  83 | – Data Filtering
  84 | 
  85 | ∗ Sanitization
  86 | 
  87 | ∗ Validation
  88 | 
  89 | – Configuration Files
  90 | 
  91 | – Register Globals
  92 | 
  93 | – Error Reporting
  94 | 
  95 | ∗ Development
  96 | 
  97 | ∗ Production
  98 | 
  99 | • Testing
 100 | 
 101 | – Test Driven Development
 102 | 
 103 | ∗ Unit Testing
 104 | 
 105 | ∗ Integration Testing
 106 | 
 107 | ∗ Functional Testing
 108 | 
 109 | – Behavior Driven Development
 110 | 
 111 | ∗ BDD Links
 112 | 
 113 | – Complementary Testing Tools
 114 | 
 115 | ∗ Tool Links
 116 | 
 117 | • Servers and Deployment
 118 | 
 119 | – Platform as a Service (PaaS)
 120 | 
 121 | – Virtual or Dedicated Servers
 122 | 
 123 | ∗ nginx and PHP-FPM
 124 | 
 125 | ∗ Apache and PHP
 126 | 
 127 | – Shared Servers
 128 | 
 129 | – Building and Deploying your Application
 130 | 
 131 | ∗ Build Automation Tools
 132 | 
 133 | ∗ Continuous Integration
 134 | 
 135 | • Caching
 136 | 
 137 | – Bytecode Cache
 138 | 
 139 | 2
 140 | 
 141 | – Object Caching
 142 | 
 143 | • Resources
 144 | 
 145 | – From the Source
 146 | 
 147 | – People to Follow
 148 | 
 149 | – Mentoring
 150 | 
 151 | – PHP PaaS Providers
 152 | 
 153 | – Frameworks
 154 | 
 155 | – Components
 156 | 
 157 | • Community
 158 | 
 159 | – PHP User Groups
 160 | 
 161 | – PHP Conferences
 162 | 
 163 | – Created and maintained by
 164 | 
 165 | – Project collaborators
 166 | 
 167 | – Project contributors
 168 | 
 169 | – Project sponsors
 170 | 
 171 | Welcome
 172 | 
 173 | There’s a lot of outdated information on the Web that leads new PHP users
 174 | 
 175 | astray, propagating bad practices and bad code. This must stop. PHP: The
 176 | 
 177 | Right Way is an easy-to-read, quick reference for PHP best practices, accepted
 178 | 
 179 | coding standards, and links to authoritative tutorials around the Web.
 180 | 
 181 | Getting Started
 182 | 
 183 | Use the Current Stable Version (5.4)
 184 | 
 185 | If you are just getting started with PHP make sure to start with the current
 186 | 
 187 | stable release of PHP 5.4. PHP has made great strides adding powerful new features over the last few years. Don’t let the minor version number difference
 188 | 
 189 | between 5.2 and 5.4 fool you, it represents major improvements. If you are
 190 | 
 191 | looking for a function or it’s usage, the documentation on the php.net website will have the answer.
 192 | 
 193 | Built-in web server
 194 | 
 195 | You can start learning PHP without the hassle of installing and configuring a
 196 | 
 197 | full-fledged web server (PHP 5.4 required). To start the server, run the following
 198 | 
 199 | from your terminal in your project’s web root:
 200 | 
 201 | 3
 202 | 
 203 | > php -S localhost:8000
 204 | 
 205 | • Learn about the built-in, command line web server
 206 | 
 207 | Mac Setup
 208 | 
 209 | OSX comes prepackaged with PHP but it is normally a little behind the latest
 210 | 
 211 | stable. Lion comes with PHP 5.3.6 and Mountain Lion has 5.3.10.
 212 | 
 213 | To update PHP on OSX you can get it installed through a number of Mac
 214 | 
 215 | package managers, with php-osx by Liip being recommended.
 216 | 
 217 | The other option is to compile it yourself, in that case be sure to have installed either Xcode or Apple’s substitute “Command Line Tools for Xcode” downloadable from Apple’s Mac Developer Center.
 218 | 
 219 | For a complete “all-in-one” package including PHP, Apache web server and
 220 | 
 221 | MySQL database, all this with a nice control GUI, try MAMP.
 222 | 
 223 | Windows Setup
 224 | 
 225 | PHP is available in several ways for Windows. You can download the binaries
 226 | 
 227 | and until recently you could use a ‘.msi’ installer. The installer is no longer
 228 | 
 229 | supported and stops at PHP 5.3.0.
 230 | 
 231 | For learning and local development you can use the built in webserver with
 232 | 
 233 | PHP 5.4 so you don’t need to worry about configuring it. If you would like an
 234 | 
 235 | “all-in-one” which includes a full-blown webserver and MySQL too then tools
 236 | 
 237 | such as the Web Platform Installer, Zend Server CE, XAMPP and WAMP will help get a Windows development environment up and running fast. That said,
 238 | 
 239 | these tools will be a little different from production so be careful of environment
 240 | 
 241 | differences if you are working on Windows and deploying to Linux.
 242 | 
 243 | If you need to run your production system on Windows then IIS7 will give
 244 | 
 245 | you the most stable and best performance. You can use phpmanager (a GUI plugin for IIS7) to make configuring and managing PHP simple. IIS7 comes
 246 | 
 247 | with FastCGI built in and ready to go, you just need to configure PHP as a
 248 | 
 249 | handler. For support and additional resources there is a dedicated area on iis.net
 250 | 
 251 | for PHP.
 252 | 
 253 | Vagrant
 254 | 
 255 | Running your application on different environments in development and produc-
 256 | 
 257 | tion can lead to strange bugs popping up when you go live. It’s also tricky to
 258 | 
 259 | keep different development environments up to date with the same version for
 260 | 
 261 | all libraries used when working with a team of developers.
 262 | 
 263 | 4
 264 | 
 265 | If you are developing on Windows and deploying to Linux (or anything non-
 266 | 
 267 | Windows) or are developing in a team, you should consider using a virtual
 268 | 
 269 | machine. This sounds tricky, but using Vagrant you can set up a simple virtual machine with only a few steps. These base boxes can then be set up manually,
 270 | 
 271 | or you can use “provisioning” software such as Puppet or Chef to do this for you.
 272 | 
 273 | Provisioning the base box is a great way to ensure that multiple boxes are set
 274 | 
 275 | up in an identical fashion and removes the need for you to maintain complicated
 276 | 
 277 | “set up” command lists. You can also “destroy” your base box and recreate it
 278 | 
 279 | without many manual steps, making it easy to create a “fresh” installation.
 280 | 
 281 | Vagrant creates shared folders used to share your code between your host and
 282 | 
 283 | your virtual machine, meaning you can create and edit your files on your host
 284 | 
 285 | machine and then run the code inside your virtual machine.
 286 | 
 287 | Back to Top
 288 | 
 289 | Code Style Guide
 290 | 
 291 | The PHP community is large and diverse, composed of innumerable libraries,
 292 | 
 293 | frameworks, and components. It is common for PHP developers to choose
 294 | 
 295 | several of these and combine them into a single project. It is important that
 296 | 
 297 | PHP code adhere (as close as possible) to a common code style to make it easy
 298 | 
 299 | for developers to mix and match various libraries for their projects.
 300 | 
 301 | The Framework Interop Group has proposed and approved a series of style recommendations, known as PSR-0, PSR-1 and PSR-2. Don’t let the funny names confuse you, these recommendations are merely a set of rules that some
 302 | 
 303 | projects like Drupal, Zend, Symfony, CakePHP, phpBB, AWS SDK, FuelPHP,
 304 | 
 305 | Lithium, etc are starting to adopt. You can use them for your own projects, or
 306 | 
 307 | continue to use your own personal style.
 308 | 
 309 | Ideally you should write PHP code that adheres to a known standard. This
 310 | 
 311 | could be any combination of PSR’s, or one of the coding standards made by
 312 | 
 313 | PEAR or Zend. This means other developers can easily read and work with your
 314 | 
 315 | code, and applications that implement the components can have consistency
 316 | 
 317 | even when working with lots of third-party code.
 318 | 
 319 | • Read about PSR-0
 320 | 
 321 | • Read about PSR-1
 322 | 
 323 | • Read about PSR-2
 324 | 
 325 | • Read about PEAR Coding Standards
 326 | 
 327 | • Read about Zend Coding Standards
 328 | 
 329 | You can use PHP_CodeSniffer to check code against any one of these recommendations, and plugins for text editors like Sublime Text 2 to be given real time feedback.
 330 | 
 331 | 5
 332 | 
 333 | Use Fabien Potencier’s PHP Coding Standards Fixer to automatically modify your code syntax so that it conforms with these standards, saving you from
 334 | 
 335 | fixing each problem by hand.
 336 | 
 337 | English is preferred for all symbol names and code infrastructure. Comments
 338 | 
 339 | may be written in any language easily readable by all current and future parties
 340 | 
 341 | who may be working on the codebase.
 342 | 
 343 | Back to Top
 344 | 
 345 | Language Highlights
 346 | 
 347 | Programming Paradigms
 348 | 
 349 | PHP is a flexible, dynamic language that supports a variety of programming
 350 | 
 351 | techniques. It has evolved dramatically over the years, notably adding a solid
 352 | 
 353 | object-oriented model in PHP 5.0 (2004), anonymous functions and namespaces
 354 | 
 355 | in PHP 5.3 (2009), and traits in PHP 5.4 (2012).
 356 | 
 357 | Object-oriented Programming
 358 | 
 359 | PHP has a very complete set of object-oriented programming features including
 360 | 
 361 | support for classes, abstract classes, interfaces, inheritance, constructors, cloning,
 362 | 
 363 | exceptions, and more.
 364 | 
 365 | • Read about Object-oriented PHP
 366 | 
 367 | • Read about Traits
 368 | 
 369 | Functional Programming
 370 | 
 371 | PHP supports first-class function, meaning that a function can be assigned to
 372 | 
 373 | a variable. Both user defined and built-in functions can be referenced by a
 374 | 
 375 | variable and invoked dynamically. Functions can be passed as arguments to
 376 | 
 377 | other functions (feature called Higher-order functions) and function can return
 378 | 
 379 | other functions.
 380 | 
 381 | Recursion, a feature that allows a function to call itself is supported by the
 382 | 
 383 | language, but most of the PHP code focus on iteration.
 384 | 
 385 | New anonymous functions (with support for closures) are present since PHP 5.3
 386 | 
 387 | (2009).
 388 | 
 389 | PHP 5.4 added the ability to bind closures to an object’s scope and also improved
 390 | 
 391 | support for callables such that they can be used interchangeably with anonymous
 392 | 
 393 | functions in almost all cases.
 394 | 
 395 | 6
 396 | 
 397 | • Continue reading on Functional Programming in PHP
 398 | 
 399 | • Read about Anonymous Functions
 400 | 
 401 | • Read about the Closure class
 402 | 
 403 | • More details in the Closures RFC
 404 | 
 405 | • Read about Callables
 406 | 
 407 | • Read about dynamically invoking functions with call_user_func_array
 408 | 
 409 | Meta Programming
 410 | 
 411 | PHP supports various forms of meta programming through mechanisms like the
 412 | 
 413 | Reflection API and Magic Methods. There are many Magic Methods available
 414 | 
 415 | like __get(), __set(), __clone(), __toString(), __invoke(), etc. that allow
 416 | 
 417 | developers to hook into class behavior. Ruby developers often say that PHP is
 418 | 
 419 | lacking method_missing, but it is available as __call() and __callStatic().
 420 | 
 421 | • Read about Magic Methods
 422 | 
 423 | • Read about Reflection
 424 | 
 425 | Namespaces
 426 | 
 427 | As mentioned above, the PHP community has a lot of developers creating lots
 428 | 
 429 | of code. This means that one library’s PHP code may use the same class name
 430 | 
 431 | as another library. When both libraries are used in the same namespace, they
 432 | 
 433 | collide and cause trouble.
 434 | 
 435 | Namespaces solve this problem. As described in the PHP reference manual,
 436 | 
 437 | namespaces may be compared to operating system directories that namespace
 438 | 
 439 | files; two files with the same name may co-exist in separate directories. Likewise,
 440 | 
 441 | two PHP classes with the same name may co-exist in separate PHP namespaces.
 442 | 
 443 | It’s as simple as that.
 444 | 
 445 | It is important for you to namespace your code so that it may be used by other
 446 | 
 447 | developers without fear of colliding with other libraries.
 448 | 
 449 | One recommended way to use namespaces is outlined in PSR-0, which aims to provide a standard file, class and namespace convention to allow plug-and-play
 450 | 
 451 | code.
 452 | 
 453 | • Read about Namespaces
 454 | 
 455 | • Read about PSR-0
 456 | 
 457 | Standard PHP Library
 458 | 
 459 | The Standard PHP Library (SPL) is packaged with PHP and provides a col-
 460 | 
 461 | lection of classes and interfaces. It is made up primarily of commonly needed
 462 | 
 463 | 7
 464 | 
 465 | datastructure classes (stack, queue, heap, and so on), and iterators which can
 466 | 
 467 | traverse over these datastructures or your own classes which implement SPL
 468 | 
 469 | interfaces.
 470 | 
 471 | • Read about the SPL
 472 | 
 473 | Command Line Interface
 474 | 
 475 | PHP was created primarily to write web applications, but it’s also useful for
 476 | 
 477 | scripting command line interface (CLI) programs. Command line PHP programs
 478 | 
 479 | can help you automate common tasks like testing, deployment, and application
 480 | 
 481 | administrativia.
 482 | 
 483 | CLI PHP programs are powerful because you can use your app’s code directly
 484 | 
 485 | without having to create and secure a web GUI for it. Just be sure not to put
 486 | 
 487 | your CLI PHP scripts in your public web root!
 488 | 
 489 | Try running PHP from your command line:
 490 | 
 491 | > php -i
 492 | 
 493 | The -i option will print your PHP configuration just like the phpinfo function.
 494 | 
 495 | The -a option provides an interactive shell, similar to ruby’s IRB or python’s
 496 | 
 497 | interactive shell. There are a number of other useful command line options, too.
 498 | 
 499 | Let’s write a simple “Hello, $name” CLI program. To try it out, create a file
 500 | 
 501 | named hello.php, as below.
 502 | 
 503 | <?php
 504 | 
 505 | if ($argc != 2) {
 506 | 
 507 | echo "Usage: php hello.php [name].\n";
 508 | 
 509 | exit(1);
 510 | 
 511 | }$name = $argv[1];
 512 | 
 513 | echo "Hello, $name\n";
 514 | 
 515 | PHP sets up two special variables based on the arguments your script is run
 516 | 
 517 | with. $argc is an integer variable containing the argument count and $argv is an array variable containing each argument’s value. The first argument is always the name of your PHP script file, in this case hello.php.
 518 | 
 519 | The exit() expression is used with a non zero number to let the shell know that
 520 | 
 521 | the command failed. Commonly used exit codes can be found here
 522 | 
 523 | To run our script, above, from the command line:
 524 | 
 525 | 8
 526 | 
 527 | > php hello.php
 528 | 
 529 | Usage: php hello.php [name]
 530 | 
 531 | > php hello.php world
 532 | 
 533 | Hello, world
 534 | 
 535 | • Learn about running PHP from the command line
 536 | 
 537 | • Learn about setting up Windows to run PHP from the command line
 538 | 
 539 | XDebug
 540 | 
 541 | One of the most useful tools in software development is a proper debugger. It
 542 | 
 543 | allows you to trace the execution of your code and monitor the contents of the
 544 | 
 545 | stack. XDebug, PHP’s debugger, can be utilized by various IDEs to provide
 546 | 
 547 | Breakpoints and stack inspection. It can also allow tools like PHPUnit and
 548 | 
 549 | KCacheGrind to perform code coverage analysis and code profiling.
 550 | 
 551 | If you find yourself in a bind, willing to resort to var_dump/print_r, and you
 552 | 
 553 | still can’t find the solution - maybe you need to use the debugger.
 554 | 
 555 | Installing XDebug can be tricky, but one of its most important features is
 556 | 
 557 | “Remote Debugging” - if you develop code locally and then test it inside a VM
 558 | 
 559 | or on another server, Remote Debugging is the feature that you will want to
 560 | 
 561 | enable right away.
 562 | 
 563 | Traditionally, you will modify your Apache VHost or .htaccess file with these
 564 | 
 565 | values:
 566 | 
 567 | php_value xdebug.remote_host=192.168.?.?
 568 | 
 569 | php_value xdebug.remote_port=9000
 570 | 
 571 | The “remote host” and “remote port” will correspond to your local computer
 572 | 
 573 | and the port that you configure your IDE to listen on. Then it’s just a matter
 574 | 
 575 | of putting your IDE into “listen for connections” mode, and loading the URL:
 576 | 
 577 | http://your-website.example.com/index.php?XDEBUG_SESSION_START=1
 578 | 
 579 | Your IDE will now intercept the current state as the script executes, allowing
 580 | 
 581 | you to set breakpoints and probe the values in memory.
 582 | 
 583 | • Learn more about XDebug
 584 | 
 585 | Back to Top
 586 | 
 587 | 9
 588 | 
 589 | Dependency Management
 590 | 
 591 | There are a ton of PHP libraries, frameworks, and components to choose from.
 592 | 
 593 | Your project will likely use several of them — these are project dependencies.
 594 | 
 595 | Until recently, PHP did not have a good way to manage these project depen-
 596 | 
 597 | dencies. Even if you managed them manually, you still had to worry about
 598 | 
 599 | autoloaders. No more.
 600 | 
 601 | Currently there are two major package management systems for PHP - Composer
 602 | 
 603 | and PEAR. Which one is right for you? The answer is both.
 604 | 
 605 | • Use Composer when managing dependencies for a single project.
 606 | 
 607 | • Use PEAR when managing dependencies for PHP as a whole on your
 608 | 
 609 | system.
 610 | 
 611 | In general, Composer packages will be available only in the projects that you
 612 | 
 613 | explicitly specify whereas a PEAR package would be available to all of your PHP
 614 | 
 615 | projects. While PEAR might sound like the easier approach at first glance, there
 616 | 
 617 | are advantages to using a project-by-project approach to your dependencies.
 618 | 
 619 | Composer and Packagist
 620 | 
 621 | Composer is a brilliant dependency manager for PHP. List your project’s depen-
 622 | 
 623 | dencies in a composer.json file and, with a few simple commands, Composer
 624 | 
 625 | will automatically download your project’s dependencies and setup autoloading
 626 | 
 627 | for you.
 628 | 
 629 | There are already a lot of PHP libraries that are compatible with Composer,
 630 | 
 631 | ready to be used in your project. These “packages” are listed on Packagist, the official repository for Composer-compatible PHP libraries.
 632 | 
 633 | How to Install Composer
 634 | 
 635 | You can install Composer locally (in your current working directory; though this
 636 | 
 637 | is no longer recommended) or globally (e.g. /usr/local/bin). Let’s assume you
 638 | 
 639 | want to install Composer locally. From your project’s root directory:
 640 | 
 641 | curl -s https://getcomposer.org/installer | php
 642 | 
 643 | This will download composer.phar (a PHP binary archive). You can run this
 644 | 
 645 | with php to manage your project dependencies. Please Note: If you pipe
 646 | 
 647 | downloaded code directly into an interpreter, please read the code online first to
 648 | 
 649 | confirm it is safe.
 650 | 
 651 | 10
 652 | 
 653 | How to Install Composer (manually)
 654 | 
 655 | Manually installing Composer is an advanced technique; however, there are
 656 | 
 657 | various reasons why a developer might prefer this method vs. using the interactive
 658 | 
 659 | installation routine. The interactive installation checks your PHP installation to
 660 | 
 661 | ensure that:
 662 | 
 663 | • a sufficient version of PHP is being used
 664 | 
 665 | • .phar files can be executed correctly
 666 | 
 667 | • certain directory permissions are sufficient
 668 | 
 669 | • certain problematic extensions are not loaded
 670 | 
 671 | • certain php.ini settings are set
 672 | 
 673 | Since a manual installation performs none of these checks, you have to decide
 674 | 
 675 | whether the trade-off is worth it for you. As such, below is how to obtain
 676 | 
 677 | Composer manually:
 678 | 
 679 | curl -s https://getcomposer.org/composer.phar -o $HOME/local/bin/composer
 680 | 
 681 | chmod +x $HOME/local/bin/composer
 682 | 
 683 | The path $HOME/local/bin (or a directory of your choice) should be in your
 684 | 
 685 | $PATH environment variable. This will result in a composer command being
 686 | 
 687 | available.
 688 | 
 689 | When you come across documentation that states to run Composer as php
 690 | 
 691 | composer.phar install, you can substitute that with:
 692 | 
 693 | composer install
 694 | 
 695 | How to Define and Install Dependencies
 696 | 
 697 | Composer keeps track of your project’s dependencies in a file called
 698 | 
 699 | composer.json. You can manage it by hand if you like, or use Composer itself.
 700 | 
 701 | The php composer.phar require command adds a project dependency and if
 702 | 
 703 | you don’t have a composer.json file, one will be created. Here’s an example
 704 | 
 705 | that adds Twig as a dependency of your project. Run it in your project’s root directory where you’ve downloaded composer.phar:
 706 | 
 707 | php composer.phar require twig/twig:~1.8
 708 | 
 709 | Alternatively the php composer.phar init command will guide you through
 710 | 
 711 | creating a full composer.json file for your project. Either way, once you’ve
 712 | 
 713 | created your composer.json file you can tell Composer to download and install
 714 | 
 715 | your dependencies into the vendors/ directory. This also applies to projects
 716 | 
 717 | you’ve downloaded that already provide a composer.json file:
 718 | 
 719 | 11
 720 | 
 721 | php composer.phar install
 722 | 
 723 | Next, add this line to your application’s primary PHP file; this will tell PHP to
 724 | 
 725 | use Composer’s autoloader for your project dependencies.
 726 | 
 727 | <?php
 728 | 
 729 | require 'vendor/autoload.php';
 730 | 
 731 | Now you can use your project dependencies, and they’ll be autoloaded on
 732 | 
 733 | demand.
 734 | 
 735 | Updating your dependencies
 736 | 
 737 | Composer creates a file called composer.lock which stores the exact version of
 738 | 
 739 | each package it downloaded when you first ran php composer.phar install.
 740 | 
 741 | If you share your project with other coders and the composer.lock file is part of
 742 | 
 743 | your distribution, when they run php composer.phar install they’ll get the
 744 | 
 745 | same versions as you. To update your dependencies, run php composer.phar
 746 | 
 747 | update.
 748 | 
 749 | This is most useful when you define your version requirements flexibly. For
 750 | 
 751 | instance a version requirement of ~1.8 means “anything newer than 1.8.0, but less
 752 | 
 753 | than 2.0.x-dev”. You can also use the * wildcard as in 1.8.*. Now Composer’s
 754 | 
 755 | php composer.phar update command will upgrade all your dependencies to
 756 | 
 757 | the newest version that fits the restrictions you define.
 758 | 
 759 | Checking your dependencies for security issues
 760 | 
 761 | The Security Advisories Checker is a web service and a command-line tool, both will examine your composer.lock file and tell you if you need to update any of
 762 | 
 763 | your dependencies.
 764 | 
 765 | • Learn about Composer
 766 | 
 767 | PEAR
 768 | 
 769 | Another veteran package manager that many PHP developers enjoy is PEAR. It behaves much the same way as Composer, but has some noteable differences.
 770 | 
 771 | PEAR requires each package to have a specific structure, which means that the
 772 | 
 773 | author of the package must prepare it for usage with PEAR. Using a project
 774 | 
 775 | which was not prepared to work with PEAR is not possible.
 776 | 
 777 | 12
 778 | 
 779 | PEAR installs packages globally, which means after installing them once they
 780 | 
 781 | are available to all projects on that server. This can be good if many projects
 782 | 
 783 | rely on the same package with the same version but might lead to problems if
 784 | 
 785 | version conflicts between two projects arise.
 786 | 
 787 | How to install PEAR
 788 | 
 789 | You can install PEAR by downloading the phar installer and executing it. The
 790 | 
 791 | PEAR documentation has detailed install instructions for every operating system.
 792 | 
 793 | If you are using Linux, you can also have a look at your distribution package
 794 | 
 795 | manager. Debian and Ubuntu for example have a apt php-pear package.
 796 | 
 797 | How to install a package
 798 | 
 799 | If the package is listed on the PEAR packages list, you can install it by specifying the official name:
 800 | 
 801 | pear install foo
 802 | 
 803 | If the package is hosted on another channel, you need to discover the channel
 804 | 
 805 | first and also specify it when installing. See the Using channel docs for more information on this topic.
 806 | 
 807 | • Learn about PEAR
 808 | 
 809 | Handling PEAR dependencies with Composer
 810 | 
 811 | If you are already using Composer and you would like to install some PEAR code too, you can use Composer to handle your PEAR dependencies. This example
 812 | 
 813 | will install code from pear2.php.net:
 814 | 
 815 | {
 816 | 
 817 | "repositories": [
 818 | 
 819 | {
 820 | 
 821 | "type": "pear",
 822 | 
 823 | "url": "http://pear2.php.net"
 824 | 
 825 | }
 826 | 
 827 | ],
 828 | 
 829 | "require": {
 830 | 
 831 | "pear-pear2/PEAR2_Text_Markdown": "*",
 832 | 
 833 | "pear-pear2/PEAR2_HTTP_Request": "*"
 834 | 
 835 | }
 836 | 
 837 | }
 838 | 
 839 | 13
 840 | 
 841 | The first section "repositories" will be used to let Composer know it should
 842 | 
 843 | “initialise” (or “discover” in PEAR terminology) the pear repo. Then the require
 844 | 
 845 | section will prefix the package name like this:
 846 | 
 847 | pear-channel/Package
 848 | 
 849 | The “pear” prefix is hardcoded to avoid any conflicts, as a pear channel could be
 850 | 
 851 | the same as another packages vendor name for example, then the channel short
 852 | 
 853 | name (or full URL) can be used to reference which channel the package is in.
 854 | 
 855 | When this code is installed it will be available in your vendor directory and
 856 | 
 857 | automatically available through the Composer autoloader:
 858 | 
 859 | vendor/pear-pear2.php.net/PEAR2_HTTP_Request/pear2/HTTP/Request.php
 860 | 
 861 | To use this PEAR package simply reference it like so:
 862 | 
 863 | $request = new pear2\HTTP\Request();
 864 | 
 865 | • Learn more about using PEAR with Composer
 866 | 
 867 | Back to Top
 868 | 
 869 | Coding Practices
 870 | 
 871 | The Basics
 872 | 
 873 | PHP is a vast language that allows coders of all levels the ability to produce
 874 | 
 875 | code not only quickly, but efficiently. However while advancing through the
 876 | 
 877 | language, we often forget the basics that we first learnt (or overlooked) in favor
 878 | 
 879 | of short cuts and/or bad habits. To help combat this common issue, this section
 880 | 
 881 | is aimed at reminding coders of the basic coding practices within PHP.
 882 | 
 883 | • Continue reading on The Basics
 884 | 
 885 | Date and Time
 886 | 
 887 | PHP has a class named DateTime to help you when reading, writing, comparing
 888 | 
 889 | or calculating with date and time. There are many date and time related
 890 | 
 891 | functions in PHP besides DateTime, but it provides nice object-oriented interface
 892 | 
 893 | to most common uses. It can handle time zones, but that is outside this short
 894 | 
 895 | introduction.
 896 | 
 897 | 14
 898 | 
 899 | To start working with DateTime, convert raw date and time string to an object
 900 | 
 901 | with createFromFormat() factory method or do new \DateTime to get the
 902 | 
 903 | current date and time. Use format() method to convert DateTime back to a
 904 | 
 905 | string for output.
 906 | 
 907 | <?php
 908 | 
 909 | $raw = '22. 11. 1968';
 910 | 
 911 | $start = \DateTime::createFromFormat('d. m. Y', $raw);
 912 | 
 913 | echo 'Start date: ' . $start->format('m/d/Y') . "\n";
 914 | 
 915 | Calculating with DateTime is possible with the DateInterval class. DateTime
 916 | 
 917 | has methods like add() and sub() that take a DateInterval as an argument. Do
 918 | 
 919 | not write code that expect same number of seconds in every day, both daylight
 920 | 
 921 | saving and timezone alterations will break that assumption. Use date intervals
 922 | 
 923 | instead. To calculate date difference use the diff() method. It will return new
 924 | 
 925 | DateInterval, which is super easy to display.
 926 | 
 927 | <?php
 928 | 
 929 | // create a copy of $start and add one month and 6 days
 930 | 
 931 | $end = clone $start;
 932 | 
 933 | $end->add(new \DateInterval('P1M6D'));
 934 | 
 935 | $diff = $end->diff($start);
 936 | 
 937 | echo 'Difference: ' . $diff->format('%m month, %d days (total: %a days)') . "\n";
 938 | 
 939 | // Difference: 1 month, 6 days (total: 37 days)
 940 | 
 941 | On DateTime objects you can use standard comparison:
 942 | 
 943 | <?php
 944 | 
 945 | if ($start < $end) {
 946 | 
 947 | echo "Start is before end!\n";
 948 | 
 949 | }
 950 | 
 951 | One last example to demonstrate the DatePeriod class. It is used to iterate
 952 | 
 953 | over recurring events. It can take two DateTime objects, start and end, and the
 954 | 
 955 | interval for which it will return all events in between.
 956 | 
 957 | <?php
 958 | 
 959 | // output all thursdays between $start and $end
 960 | 
 961 | $periodInterval = \DateInterval::createFromDateString('first thursday');
 962 | 
 963 | $periodIterator = new \DatePeriod($start, $periodInterval, $end, \DatePeriod::EXCLUDE_START_DATE); foreach ($periodIterator as $date) {
 964 | 
 965 | // output each date in the period
 966 | 
 967 | echo $date->format('m/d/Y') . ' ';
 968 | 
 969 | }
 970 | 
 971 | 15
 972 | 
 973 | • Read about DateTime
 974 | 
 975 | • Read about date formatting (accepted date format string options)
 976 | 
 977 | Design Patterns
 978 | 
 979 | When you are building your application it is helpful to use common patterns in
 980 | 
 981 | your code and common patterns for the overall structure of your project. Using
 982 | 
 983 | common patterns is helpful because it makes it much easier to manage your code
 984 | 
 985 | and lets other developers quickly understand how everything fits together.
 986 | 
 987 | If you use a framework then most of the higher level code and project structure
 988 | 
 989 | will be based on that framework, so a lot of the pattern decisions are made for
 990 | 
 991 | you. But it is still up to you to pick out the best patterns to follow in the code
 992 | 
 993 | you build on top of the framework. If, on the other hand, you are not using a
 994 | 
 995 | framework to build your application then you have to find the patterns that best
 996 | 
 997 | suit the type and size of application that you’re building.
 998 | 
 999 | • Continue reading on Design Patterns
1000 | 
1001 | Exceptions
1002 | 
1003 | Exceptions are a standard part of most popular programming languages, but they
1004 | 
1005 | are often overlooked by PHP programmers. Languages like Ruby are extremely
1006 | 
1007 | Exception heavy, so whenever something goes wrong such as a HTTP request
1008 | 
1009 | failing, or a DB query goes wrong, or even if an image asset could not be found,
1010 | 
1011 | Ruby (or the gems being used) will throw an exception to the screen meaning
1012 | 
1013 | you instantly know there is a mistake.
1014 | 
1015 | PHP itself is fairly lax with this, and a call to file_get_contents() will
1016 | 
1017 | usually just get you a FALSE and a warning. Many older PHP frameworks like
1018 | 
1019 | CodeIgniter will just return a false, log a message to their proprietary logs and
1020 | 
1021 | maybe let you use a method like $this->upload->get_error() to see what
1022 | 
1023 | went wrong. The problem here is that you have to go looking for a mistake and
1024 | 
1025 | check the docs to see what the error method is for this class, instead of having it
1026 | 
1027 | made extremely obvious.
1028 | 
1029 | Another problem is when classes automatically throw an error to the screen
1030 | 
1031 | and exit the process. When you do this you stop another developer from being
1032 | 
1033 | able to dynamically handle that error. Exceptions should be thrown to make a
1034 | 
1035 | developer aware of an error, then they can choose how to handle this. E.g:
1036 | 
1037 | <?php
1038 | 
1039 | $email = new Fuel\Email;
1040 | 
1041 | $email->subject('My Subject');
1042 | 
1043 | $email->body('How the heck are you?');
1044 | 
1045 | 16
1046 | 
1047 | $email->to('guy@example.com', 'Some Guy');
1048 | 
1049 | try
1050 | 
1051 | {
1052 | 
1053 | $email->send();
1054 | 
1055 | }catch(Fuel\Email\ValidationFailedException $e)
1056 | 
1057 | {
1058 | 
1059 | // The validation failed
1060 | 
1061 | }catch(Fuel\Email\SendingFailedException $e)
1062 | 
1063 | {
1064 | 
1065 | // The driver could not send the email
1066 | 
1067 | }
1068 | 
1069 | SPL Exceptions
1070 | 
1071 | The generic Exception class provides very little debugging context for the devel-
1072 | 
1073 | oper; however, to remedy this, it is possible to create a specialized Exception
1074 | 
1075 | type by sub-classing the generic Exception class:
1076 | 
1077 | <?php
1078 | 
1079 | class ValidationException extends Exception {}
1080 | 
1081 | This means you can add multiple catch blocks and handle different Exceptions
1082 | 
1083 | differently. This can lead to the creation of a lot of custom Exceptions, some of which could have been avoided using the SPL Exceptions provided in the SPL
1084 | 
1085 | extension.
1086 | 
1087 | If for example you use the __call() Magic Method and an invalid method
1088 | 
1089 | is requested then instead of throwing a standard Exception which is vague,
1090 | 
1091 | or creating a custom Exception just for that, you could just throw new
1092 | 
1093 | BadFunctionCallException;.
1094 | 
1095 | • Read about Exceptions
1096 | 
1097 | • Read about SPL Exceptions
1098 | 
1099 | • Nesting Exceptions In PHP
1100 | 
1101 | • Exception Best Practices in PHP 5.3
1102 | 
1103 | Back to Top
1104 | 
1105 | Databases
1106 | 
1107 | Many times your PHP code will use a database to persist information. You have
1108 | 
1109 | a few options to connect and interact with your database. The recommended
1110 | 
1111 | 17
1112 | 
1113 | option until PHP 5.1.0 was to use native drivers such as mysql, mysqli, pgsql,
1114 | 
1115 | etc.
1116 | 
1117 | Native drivers are great if you are only using ONE database in your application,
1118 | 
1119 | but if, for example, you are using MySQL and a little bit of MSSQL, or you
1120 | 
1121 | need to connect to an Oracle database, then you will not be able to use the same
1122 | 
1123 | drivers. You’ll need to learn a brand new API for each database — and that
1124 | 
1125 | can get silly.
1126 | 
1127 | As an extra note on native drivers, the mysql extension for PHP is no longer
1128 | 
1129 | in active development, and the official status since PHP 5.4.0 is “Long term
1130 | 
1131 | deprecation”. This means it will be removed within the next few releases, so
1132 | 
1133 | by PHP 5.6 (or whatever comes after 5.5) it may well be gone. If you are
1134 | 
1135 | using mysql_connect() and mysql_query() in your applications then you will
1136 | 
1137 | be faced with a rewrite at some point down the line, so the best option is to
1138 | 
1139 | replace mysql usage with mysqli or PDO in your applications within your own
1140 | 
1141 | development schedules so you won’t be rushed later on. If you are starting
1142 | 
1143 | from scratch then absolutely do not use the mysql extension: use the MySQLi
1144 | 
1145 | extension, or use PDO.
1146 | 
1147 | • PHP: Choosing an API for MySQL
1148 | 
1149 | PDO
1150 | 
1151 | PDO is a database connection abstraction library — built into PHP since 5.1.0
1152 | 
1153 | — that provides a common interface to talk with many different databases. PDO
1154 | 
1155 | will not translate your SQL queries or emulate missing features; it is purely for
1156 | 
1157 | connecting to multiple types of database with the same API.
1158 | 
1159 | More importantly, PDO allows you to safely inject foreign input (e.g. IDs) into
1160 | 
1161 | your SQL queries without worrying about database SQL injection attacks. This
1162 | 
1163 | is possible using PDO statements and bound parameters.
1164 | 
1165 | Let’s assume a PHP script receives a numeric ID as a query parameter. This ID
1166 | 
1167 | should be used to fetch a user record from a database. This is the wrong way to
1168 | 
1169 | do this:
1170 | 
1171 | <?php
1172 | 
1173 | $pdo = new PDO('sqlite:users.db');
1174 | 
1175 | $pdo->query("SELECT name FROM users WHERE id = " . $_GET['id']); // <-- NO!
1176 | 
1177 | This is terrible code.
1178 | 
1179 | You are inserting a raw query parameter into
1180 | 
1181 | a SQL query.
1182 | 
1183 | This will get you hacked in a heartbeat.
1184 | 
1185 | Just imag-
1186 | 
1187 | ine if a hacker passes in an inventive id parameter by calling a URL
1188 | 
1189 | like http://domain.com/?id=1%3BDELETE+FROM+users.
1190 | 
1191 | This will set the
1192 | 
1193 | $_GET[’id’] variable to 1;DELETE FROM users which will delete all of your
1194 | 
1195 | users! Instead, you should sanitize the ID input using PDO bound parameters.
1196 | 
1197 | 18
1198 | 
1199 | <?php
1200 | 
1201 | $pdo = new PDO('sqlite:users.db');
1202 | 
1203 | $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
1204 | 
1205 | $stmt->bindParam(':id', $_GET['id'], PDO::PARAM_INT); //<-- Automatically sanitized by PDO
1206 | 
1207 | $stmt->execute();
1208 | 
1209 | This is correct code. It uses a bound parameter on a PDO statement. This
1210 | 
1211 | escapes the foreign input ID before it is introduced to the database preventing
1212 | 
1213 | potential SQL injection attacks.
1214 | 
1215 | • Learn about PDO
1216 | 
1217 | You should also be aware that database connections use up resources and it was
1218 | 
1219 | not unheard-of to have resources exhausted if connections were not implicitly
1220 | 
1221 | closed, however this was more common in other languages. Using PDO you can
1222 | 
1223 | implicitly close the connection by destroying the object by ensuring all remaining
1224 | 
1225 | references to it are deleted, ie. set to NULL. If you don’t do this explicitly, PHP
1226 | 
1227 | will automatically close the connection when your script ends unless of course
1228 | 
1229 | you are using persistent connections.
1230 | 
1231 | • Learn about PDO connections
1232 | 
1233 | Abstraction Layers
1234 | 
1235 | Many frameworks provide their own abstraction layer which may or may not
1236 | 
1237 | sit on top of PDO. These will often emulate features for one database system
1238 | 
1239 | that another is missing from another by wrapping your queries in PHP methods,
1240 | 
1241 | giving you actual database abstraction. This will of course add a little overhead,
1242 | 
1243 | but if you are building a portable application that needs to work with MySQL,
1244 | 
1245 | PostgreSQL and SQLite then a little overhead will be worth it the sake of code
1246 | 
1247 | cleanliness.
1248 | 
1249 | Some abstraction layers have been built using the PSR-0 namespace standard so
1250 | 
1251 | can be installed in any application you like:
1252 | 
1253 | • Aura SQL
1254 | 
1255 | • Doctrine2 DBAL
1256 | 
1257 | • ZF2 Db
1258 | 
1259 | • ZF1 Db
1260 | 
1261 | Back to Top
1262 | 
1263 | 19
1264 | 
1265 | Security
1266 | 
1267 | Web Application Security
1268 | 
1269 | There are bad people ready and willing to exploit your web application. It is
1270 | 
1271 | important that you take necessary precautions to harden your web application’s
1272 | 
1273 | security. Luckily, the fine folks at The Open Web Application Security Project
1274 | 
1275 | (OWASP) have compiled a comprehensive list of known security issues and
1276 | 
1277 | methods to protect yourself against them. This is a must read for the security-
1278 | 
1279 | conscious developer.
1280 | 
1281 | • Read the OWASP Security Guide
1282 | 
1283 | Password Hashing
1284 | 
1285 | Eventually everyone builds a PHP application that relies on user login. User-
1286 | 
1287 | names and passwords are stored in a database and later used to authenticate
1288 | 
1289 | users upon login.
1290 | 
1291 | It is important that you properly hash passwords before storing them. Password hashing is an irreversible, one way function performed against the users password.
1292 | 
1293 | This produces a fixed-length string that can not be feasibly reversed. This means
1294 | 
1295 | you can compare a hash against another to determine if they both came from the
1296 | 
1297 | same source string, but you can not determine the original string. If passwords
1298 | 
1299 | are not hashed and your database is accessed by an unauthorized third-party,
1300 | 
1301 | all user accounts are now compromised. Some users may (unfortunately) use
1302 | 
1303 | the same password for other services. Therefore, it is important to take security
1304 | 
1305 | seriously.
1306 | 
1307 | Hashing passwords with password_hash
1308 | 
1309 | In PHP 5.5 password_hash will be introduced. At this time it is using BCrypt,
1310 | 
1311 | the strongest algorithm currently supported by PHP. It will be updated in the
1312 | 
1313 | future to support more algorithms as needed though. The password_compat
1314 | 
1315 | library was created to provide forward compatibility for PHP >= 5.3.7.
1316 | 
1317 | Below we hash a string, we then check the hash against a new string. Because
1318 | 
1319 | our two source strings are different (‘secret-password’ vs. ‘bad-password’) this
1320 | 
1321 | login will fail.
1322 | 
1323 | <?php
1324 | 
1325 | require 'password.php';
1326 | 
1327 | $passwordHash = password_hash('secret-password', PASSWORD_DEFAULT);
1328 | 
1329 | 20
1330 | 
1331 | if (password_verify('bad-password', $passwordHash)) {
1332 | 
1333 | //Correct Password
1334 | 
1335 | } else {
1336 | 
1337 | //Wrong password
1338 | 
1339 | }
1340 | 
1341 | • Learn about password_hash
1342 | 
1343 | • password_compat for PHP >= 5.3.7 && < 5.5
1344 | 
1345 | • Learn about hashing in regards to cryptography
1346 | 
1347 | • PHP password_hash RFC
1348 | 
1349 | Data Filtering
1350 | 
1351 | Never ever (ever) trust foreign input introduced to your PHP code. Always
1352 | 
1353 | sanitize and validate foreign input before using it in code. The filter_var and
1354 | 
1355 | filter_input functions can sanitize text and validate text formats (e.g. email
1356 | 
1357 | addresses).
1358 | 
1359 | Foreign input can be anything: $_GET and $_POST form input data, some
1360 | 
1361 | values in the $_SERVER superglobal, and the HTTP request body via
1362 | 
1363 | fopen(’php://input’, ’r’). Remember, foreign input is not limited to form
1364 | 
1365 | data submitted by the user. Uploaded and downloaded files, session values,
1366 | 
1367 | cookie data, and data from third-party web services are foreign input, too.
1368 | 
1369 | While foreign data can be stored, combined, and accessed later, it is still foreign
1370 | 
1371 | input. Every time you process, output, concatenate, or include data in your
1372 | 
1373 | code, ask yourself if the data is filtered properly and can it be trusted.
1374 | 
1375 | Data may be filtered differently based on its purpose. For example, when
1376 | 
1377 | unfiltered foreign input is passed into HTML page output, it can execute HTML
1378 | 
1379 | and JavaScript on your site! This is known as Cross-Site Scripting (XSS) and
1380 | 
1381 | can be a very dangerous attack. One way to avoid XSS is to sanitize all user-
1382 | 
1383 | generated data before outputting it to your page by removing HTML tags
1384 | 
1385 | with the strip_tags function or escaping characters with special meaning into
1386 | 
1387 | their respective HTML entities with the htmlentities or htmlspecialchars
1388 | 
1389 | functions.
1390 | 
1391 | Another example is passing options to be executed on the command line. This can
1392 | 
1393 | be extremely dangerous (and is usually a bad idea), but you can use the built-in
1394 | 
1395 | escapeshellarg function to sanitize the executed command’s arguments.
1396 | 
1397 | One last example is accepting foreign input to determine a file to load from the
1398 | 
1399 | filesystem. This can be exploited by changing the filename to a file path. You
1400 | 
1401 | need to remove ”/”, “../”, null bytes, or other characters from the file path so it can’t load hidden, non-public, or sensitive files.
1402 | 
1403 | • Learn about data filtering
1404 | 
1405 | 21
1406 | 
1407 | • Learn about filter_var
1408 | 
1409 | • Learn about filter_input
1410 | 
1411 | • Learn about handling null bytes
1412 | 
1413 | Sanitization
1414 | 
1415 | Sanitization removes (or escapes) illegal or unsafe characters from foreign input.
1416 | 
1417 | For example, you should sanitize foreign input before including the input in
1418 | 
1419 | HTML or inserting it into a raw SQL query. When you use bound parameters
1420 | 
1421 | with PDO, it will sanitize the input for you.
1422 | 
1423 | Sometimes it is required to allow some safe HTML tags in the input when
1424 | 
1425 | including it in the HTML page. This is very hard to do and many avoid it by
1426 | 
1427 | using other more restricted formatting like Markdown or BBCode, although
1428 | 
1429 | whitelisting libraries like HTML Purifier exists for this reason.
1430 | 
1431 | See Sanitization Filters
1432 | 
1433 | Validation
1434 | 
1435 | Validation ensures that foreign input is what you expect. For example, you may
1436 | 
1437 | want to validate an email address, a phone number, or age when processing a
1438 | 
1439 | registration submission.
1440 | 
1441 | See Validation Filters
1442 | 
1443 | Configuration Files
1444 | 
1445 | When creating configuration files for your applications, best practices recommend
1446 | 
1447 | that one of the following methods be followed:
1448 | 
1449 | • It is recommended that you store your configuration information where it
1450 | 
1451 | cannot be accessed directly and pulled in via the file system.
1452 | 
1453 | • If you must store your configuration files in the document root, name the
1454 | 
1455 | files with a .php extension. This ensures that, even if the script is accessed
1456 | 
1457 | directly, it will not be outputed as plain text.
1458 | 
1459 | • Information in configuration files should be protected accordingly, either
1460 | 
1461 | through encryption or group/user file system permissions
1462 | 
1463 | Register Globals
1464 | 
1465 | NOTE: As of PHP 5.4.0 the register_globals setting has been removed and
1466 | 
1467 | can no longer be used. This is only included as a warning for anyone in the
1468 | 
1469 | process of upgrading a legacy application.
1470 | 
1471 | 22
1472 | 
1473 | When enabled, the register_globals configuration setting that makes several
1474 | 
1475 | types of variables (including ones from $_POST, $_GET and $_REQUEST) available
1476 | 
1477 | in the global scope of your application. This can easily lead to security issues as
1478 | 
1479 | your application cannot effectively tell where the data is coming from.
1480 | 
1481 | For example: $_GET[’foo’] would be available via $foo, which can override
1482 | 
1483 | variables that have not been declared. If you are using PHP < 5.4.0 make sure
1484 | 
1485 | that register_globals is off.
1486 | 
1487 | • Register_globals in the PHP manual
1488 | 
1489 | Error Reporting
1490 | 
1491 | Error logging can be useful in finding the problem spots in your application,
1492 | 
1493 | but it can also expose information about the structure of your application to
1494 | 
1495 | the outside world. To effectively protect your application from issues that could
1496 | 
1497 | be caused by the output of these messages, you need to configure your server
1498 | 
1499 | differently in development versus production (live).
1500 | 
1501 | Development
1502 | 
1503 | To show every possible error during development, configure the following
1504 | 
1505 | settings in your php.ini:
1506 | 
1507 | display_errors = On
1508 | 
1509 | display_startup_errors = On
1510 | 
1511 | error_reporting = -1
1512 | 
1513 | log_errors = On
1514 | 
1515 | Passing in the value -1 will show every possible error, even when new
1516 | 
1517 | levels and constants are added in future PHP versions. The E_ALL
1518 | 
1519 | constant also behaves this way as of PHP 5.4. - php.net
1520 | 
1521 | The E_STRICT error level constant was introduced in 5.3.0 and is not part of
1522 | 
1523 | E_ALL, however it became part of E_ALL in 5.4.0. What does this mean? In
1524 | 
1525 | terms of reporting every possible error in version 5.3 it means you must use
1526 | 
1527 | either -1 or E_ALL | E_STRICT.
1528 | 
1529 | Reporting every possible error by PHP version
1530 | 
1531 | • < 5.3 -1 or E_ALL
1532 | 
1533 | •
1534 | 
1535 | 5.3 -1 or E_ALL | E_STRICT
1536 | 
1537 | • > 5.3 -1 or E_ALL
1538 | 
1539 | 23
1540 | 
1541 | Production
1542 | 
1543 | To hide errors on your production environment, configure your php.ini as:
1544 | 
1545 | display_errors = Off
1546 | 
1547 | display_startup_errors = Off
1548 | 
1549 | error_reporting = E_ALL
1550 | 
1551 | log_errors = On
1552 | 
1553 | With these settings in production, errors will still be logged to the error logs
1554 | 
1555 | for the web server, but will not be shown to the user. For more information on
1556 | 
1557 | these settings, see the PHP manual:
1558 | 
1559 | • error_reporting
1560 | 
1561 | • display_errors
1562 | 
1563 | • display_startup_errors
1564 | 
1565 | • log_errors
1566 | 
1567 | Back to Top
1568 | 
1569 | Testing
1570 | 
1571 | Writing automated tests for your PHP code is considered a best practice and
1572 | 
1573 | can lead to well-built applications. Automated tests are a great tool for making
1574 | 
1575 | sure your application does not break when you are making changes or adding
1576 | 
1577 | new functionality and should not be ignored.
1578 | 
1579 | There are several different types of testing tools (or frameworks) available for
1580 | 
1581 | PHP, which use different approaches - all of which are trying to avoid manual
1582 | 
1583 | testing and the need for large Quality Assurance teams, just to make sure recent
1584 | 
1585 | changes didn’t break existing functionality.
1586 | 
1587 | Test Driven Development
1588 | 
1589 | From Wikipedia:
1590 | 
1591 | Test-driven development (TDD) is a software development process
1592 | 
1593 | that relies on the repetition of a very short development cycle: first
1594 | 
1595 | the developer writes a failing automated test case that defines a
1596 | 
1597 | desired improvement or new function, then produces code to pass
1598 | 
1599 | that test and finally refactors the new code to acceptable standards.
1600 | 
1601 | Kent Beck, who is credited with having developed or ‘rediscovered’
1602 | 
1603 | the technique, stated in 2003 that TDD encourages simple designs
1604 | 
1605 | and inspires confidence
1606 | 
1607 | 24
1608 | 
1609 | There are several different types of testing that you can do for your application
1610 | 
1611 | Unit Testing
1612 | 
1613 | Unit Testing is a programming approach to ensure functions, classes and methods
1614 | 
1615 | are working as expected, from the point you build them all the way through the
1616 | 
1617 | development cycle. By checking values going in and out of various functions and
1618 | 
1619 | methods, you can make sure the internal logic is working correctly. By using
1620 | 
1621 | Dependency Injection and building “mock” classes and stubs you can verify that
1622 | 
1623 | dependencies are correctly used for even better test coverage.
1624 | 
1625 | When you create a class or function you should create a unit test for each
1626 | 
1627 | behavior it must have. At a very basic level you should make sure it errors if
1628 | 
1629 | you send it bad arguments and make sure it works if you send it valid arguments.
1630 | 
1631 | This will help ensure that when you make changes to this class or function
1632 | 
1633 | later on in the development cycle that the old functionality continues to work
1634 | 
1635 | as expected. The only alternative to this would be var_dump() in a test.php,
1636 | 
1637 | which is no way to build an application - large or small.
1638 | 
1639 | The other use for unit tests is contributing to open source. If you can write a
1640 | 
1641 | test that shows broken functionality (i.e. fails), then fix it, and show the test
1642 | 
1643 | passing, patches are much more likely to be accepted. If you run a project which
1644 | 
1645 | accepts pull requests then you should suggest this as a requirement.
1646 | 
1647 | PHPUnit is the de-facto testing framework for writing unit tests for PHP
1648 | 
1649 | applications, but there are several alternatives
1650 | 
1651 | • SimpleTest
1652 | 
1653 | • Enhance PHP
1654 | 
1655 | • PUnit
1656 | 
1657 | • atoum
1658 | 
1659 | Integration Testing
1660 | 
1661 | From Wikipedia:
1662 | 
1663 | Integration testing (sometimes called Integration and Testing, abbre-
1664 | 
1665 | viated “I&T”) is the phase in software testing in which individual
1666 | 
1667 | software modules are combined and tested as a group. It occurs
1668 | 
1669 | after unit testing and before validation testing. Integration testing
1670 | 
1671 | takes as its input modules that have been unit tested, groups them
1672 | 
1673 | in larger aggregates, applies tests defined in an integration test plan
1674 | 
1675 | to those aggregates, and delivers as its output the integrated system
1676 | 
1677 | ready for system testing.
1678 | 
1679 | Many of the same tools that can be used for unit testing can be used for
1680 | 
1681 | integration testing as many of the same principles are used.
1682 | 
1683 | 25
1684 | 
1685 | Functional Testing
1686 | 
1687 | Sometimes also known as acceptance testing, functional testing consists of using
1688 | 
1689 | tools to create automated tests that actually use your application instead of just
1690 | 
1691 | verifying that individual units of code are behaving correctly and that individual
1692 | 
1693 | units can speak to each other correctly. These tools typically work using real
1694 | 
1695 | data and simulating actual users of the application.
1696 | 
1697 | Functional Testing Tools
1698 | 
1699 | • Selenium
1700 | 
1701 | • Mink
1702 | 
1703 | • Codeception is a full-stack testing framework that includes acceptance testing tools
1704 | 
1705 | Behavior Driven Development
1706 | 
1707 | There are two different types of Behavior-Driven Development (BDD): SpecBDD
1708 | 
1709 | and StoryBDD. SpecBDD focuses on technical behavior or code, while StoryBDD
1710 | 
1711 | focuses on business or feature behaviors or interactions. PHP has frameworks
1712 | 
1713 | for both types of BDD.
1714 | 
1715 | With StoryBDD, you write human-readable stories that describe the behavior
1716 | 
1717 | of your application. These stories can then be run as actual tests against your
1718 | 
1719 | application. The framework used in PHP applications for StoryBDD is Behat,
1720 | 
1721 | which is inspired by Ruby’s Cucumber project and implements the Gherkin DSL
1722 | 
1723 | for describing feature behavior.
1724 | 
1725 | With SpecBDD, you write specifications that describe how your actual code
1726 | 
1727 | should behave. Instead of testing a function or method, you are describing how
1728 | 
1729 | that function or method should behave. PHP offers the PHPSpec framework for
1730 | 
1731 | this purpose. This framework is inspired by the RSpec project for Ruby.
1732 | 
1733 | BDD Links
1734 | 
1735 | • Behat, the StoryBDD framework for PHP, inspired by Ruby’s Cucumber
1736 | 
1737 | project;
1738 | 
1739 | • PHPSpec, the SpecBDD framework for PHP, inspired by Ruby’s RSpec
1740 | 
1741 | project;
1742 | 
1743 | • Codeception is a full-stack testing framework that uses BDD principles.
1744 | 
1745 | 26
1746 | 
1747 | Complementary Testing Tools
1748 | 
1749 | Besides individual testing and behavior driven frameworks, there are also a
1750 | 
1751 | number of generic frameworks and helper libraries useful for any preferred
1752 | 
1753 | approach taken.
1754 | 
1755 | Tool Links
1756 | 
1757 | • Selenium is a browser automation tool which can be integrated with
1758 | 
1759 | PHPUnit
1760 | 
1761 | • Mockery is a Mock Object Framework which can be integrated with
1762 | 
1763 | PHPUnit or PHPSpec
1764 | 
1765 | • Prophecy is a highly opinionated yet very powerful and flexible PHP object mocking framework. It’s integrated with PHPSpec and can be used with
1766 | 
1767 | PHPUnit.
1768 | 
1769 | Back to Top
1770 | 
1771 | Servers and Deployment
1772 | 
1773 | PHP applications can be deployed and run on production web servers in a
1774 | 
1775 | number of ways.
1776 | 
1777 | Platform as a Service (PaaS)
1778 | 
1779 | PaaS provides the system and network architecture necessary to run PHP
1780 | 
1781 | applications on the web. This means little to no configuration for launching
1782 | 
1783 | PHP applications or PHP frameworks.
1784 | 
1785 | Recently PaaS has become a popular method for deploying, hosting, and scaling
1786 | 
1787 | PHP applications of all sizes. You can find a list of PHP PaaS “Platform as a
1788 | 
1789 | Service” providers in our resources section.
1790 | 
1791 | Virtual or Dedicated Servers
1792 | 
1793 | If you are comfortable with systems administration, or are interested in learning
1794 | 
1795 | it, virtual or dedicated servers give you complete control of your application’s
1796 | 
1797 | production environment.
1798 | 
1799 | 27
1800 | 
1801 | nginx and PHP-FPM
1802 | 
1803 | PHP, via PHP’s built-in FastCGI Process Manager (FPM), pairs really nicely
1804 | 
1805 | with nginx, which is a lightweight, high-performance web server. It uses less memory than Apache and can better handle more concurrent requests. This is
1806 | 
1807 | especially important on virtual servers that don’t have much memory to spare.
1808 | 
1809 | • Read more on nginx
1810 | 
1811 | • Read more on PHP-FPM
1812 | 
1813 | • Read more on setting up nginx and PHP-FPM securely
1814 | 
1815 | Apache and PHP
1816 | 
1817 | PHP and Apache have a long history together. Apache is wildly configurable and
1818 | 
1819 | has many available modules to extend functionality. It is a popular choice for shared servers and an easy setup for PHP frameworks and open source apps like
1820 | 
1821 | WordPress. Unfortunately, Apache uses more resources than nginx by default
1822 | 
1823 | and cannot handle as many visitors at the same time.
1824 | 
1825 | Apache has several possible configurations for running PHP. The most common
1826 | 
1827 | and easiest to setup is the prefork MPM with mod_php5. While it isn’t the most memory efficient, it is the simplest to get working and to use. This is probably
1828 | 
1829 | the best choice if you don’t want to dig too deeply into the server administration
1830 | 
1831 | aspects. Note that if you use mod_php5 you MUST use the prefork MPM.
1832 | 
1833 | Alternatively, if you want to squeeze more performance and stability out of
1834 | 
1835 | Apache then you can take advantage of the same FPM system as nginx and
1836 | 
1837 | run the worker MPM or event MPM with mod_fastcgi or mod_fcgid. This configuration will be significantly more memory efficient and much faster but it
1838 | 
1839 | is more work to set up.
1840 | 
1841 | • Read more on Apache
1842 | 
1843 | • Read more on Multi-Processing Modules
1844 | 
1845 | • Read more on mod_fastcgi
1846 | 
1847 | • Read more on mod_fcgid
1848 | 
1849 | Shared Servers
1850 | 
1851 | PHP has shared servers to thank for its popularity. It is hard to find a host
1852 | 
1853 | without PHP installed, but be sure it’s the latest version. Shared servers allow
1854 | 
1855 | you and other developers to deploy websites to a single machine. The upside
1856 | 
1857 | to this is that it has become a cheap commodity. The downside is that you
1858 | 
1859 | never know what kind of a ruckus your neighboring tenants are going to create;
1860 | 
1861 | loading down the server or opening up security holes are the main concerns. If
1862 | 
1863 | your project’s budget can afford to avoid shared servers you should.
1864 | 
1865 | 28
1866 | 
1867 | Building and Deploying your Application
1868 | 
1869 | If you find yourself doing manual database schema changes or running your
1870 | 
1871 | tests manually before updating your files (manually), think twice! With every
1872 | 
1873 | additional manual task needed to deploy a new version of your app, the chances
1874 | 
1875 | for potentially fatal mistakes increase. Whether you’re dealing with a simple
1876 | 
1877 | update, a comprehensive build process or even a continuous integration strategy,
1878 | 
1879 | build automation is your friend.
1880 | 
1881 | Among the tasks you might want to automate are:
1882 | 
1883 | • Dependency management
1884 | 
1885 | • Compilation, minification of your assets
1886 | 
1887 | • Running tests
1888 | 
1889 | • Creation of documentation
1890 | 
1891 | • Packaging
1892 | 
1893 | • Deployment
1894 | 
1895 | Build Automation Tools
1896 | 
1897 | Build tools can be described as a collection of scripts that handle common tasks
1898 | 
1899 | of software deployment. The build tool is not a part of your software, it acts on
1900 | 
1901 | your software from ‘outside’.
1902 | 
1903 | There are many open source tools available to help you with build automation,
1904 | 
1905 | some are written in PHP others aren’t. This shouldn’t hold you back from using
1906 | 
1907 | them, if they’re better suited for the specific job. Here are a few examples:
1908 | 
1909 | Phing is the easiest way to get started with automated deployment in the PHP
1910 | 
1911 | world. With Phing you can control your packaging, deployment or testing process
1912 | 
1913 | from within a simple XML build file. Phing (which is based on Apache Ant)
1914 | 
1915 | provides a rich set of tasks usually needed to install or update a web app and
1916 | 
1917 | can be extended with additional custom tasks, written in PHP.
1918 | 
1919 | Capistrano is a system for intermediate-to-advanced programmers to execute commands in a structured, repeatable way on one or more remote machines. It
1920 | 
1921 | is pre-configured for deploying Ruby on Rails applications, however people are
1922 | 
1923 | successfully deploying PHP systems with it. Successful use of Capistrano
1924 | 
1925 | depends on a working knowledge of Ruby and Rake.
1926 | 
1927 | Dave Gardner’s blog post PHP Deployment with Capistrano is a good starting point for PHP developers interested in Capistrano.
1928 | 
1929 | Chef is more than a deployment framework, it is a very powerful Ruby based system integration framework that doesn’t just deploy your app but can build
1930 | 
1931 | your whole server environment or virtual boxes.
1932 | 
1933 | Chef resources for PHP developers:
1934 | 
1935 | 29
1936 | 
1937 | • Three part blog series about deploying a LAMP application with Chef,
1938 | 
1939 | Vagrant, and EC2
1940 | 
1941 | • Chef Cookbook which installs and configures PHP 5.3 and the PEAR
1942 | 
1943 | package management system
1944 | 
1945 | Further reading:
1946 | 
1947 | • Automate your project with Apache Ant
1948 | 
1949 | • Maven, a build framework based on Ant and how to use it with PHP
1950 | 
1951 | Continuous Integration
1952 | 
1953 | Continuous Integration is a software development practice where
1954 | 
1955 | members of a team integrate their work frequently, usually each
1956 | 
1957 | person integrates at least daily — leading to multiple integrations
1958 | 
1959 | per day. Many teams find that this approach leads to significantly
1960 | 
1961 | reduced integration problems and allows a team to develop cohesive
1962 | 
1963 | software more rapidly.
1964 | 
1965 | – Martin Fowler
1966 | 
1967 | There are different ways to implement continuous integration for PHP. Recently
1968 | 
1969 | Travis CI has done a great job of making continuous integration a reality even for small projects. Travis CI is a hosted continuous integration service for the open
1970 | 
1971 | source community. It is integrated with GitHub and offers first class support for
1972 | 
1973 | many languages including PHP.
1974 | 
1975 | Further reading:
1976 | 
1977 | • Continuous Integration with Jenkins
1978 | 
1979 | • Continuous Integration with PHPCI
1980 | 
1981 | • Continuous Integration with Teamcity
1982 | 
1983 | Back to Top
1984 | 
1985 | Caching
1986 | 
1987 | PHP is pretty quick by itself, but bottlenecks can arise when you make remote
1988 | 
1989 | connections, load files, etc. Thankfully, there are various tools available to speed
1990 | 
1991 | up certain parts of your application, or reduce the number of times these various
1992 | 
1993 | time consuming tasks need to run.
1994 | 
1995 | 30
1996 | 
1997 | Bytecode Cache
1998 | 
1999 | When a PHP file is executed, under the hood it is first compiled to bytecode
2000 | 
2001 | (also known as opcode) and, only then, the bytecode is executed. If a PHP file
2002 | 
2003 | is not modified, the bytecode will always be the same. This means that the
2004 | 
2005 | compilation step is a waste of CPU resources.
2006 | 
2007 | This is where Bytecode cache comes in. It prevents redundant compilation
2008 | 
2009 | by storing bytecode in memory and reusing it on successive calls. Setting up
2010 | 
2011 | bytecode cache is a matter of minutes, and your application will speed up
2012 | 
2013 | significantly. There’s really no reason not to use it.
2014 | 
2015 | Popular bytecodes caches are:
2016 | 
2017 | • APC
2018 | 
2019 | • XCache
2020 | 
2021 | • Zend Optimizer+ (part of Zend Server package)
2022 | 
2023 | • WinCache (extension for MS Windows Server)
2024 | 
2025 | Object Caching
2026 | 
2027 | There are times when it can be beneficial to cache individual objects in your
2028 | 
2029 | code, such as with data that is expensive to get or database calls where the result
2030 | 
2031 | is unlikely to change. You can use object caching software to hold these pieces
2032 | 
2033 | of data in memory for extremely fast access later on. If you save these items to
2034 | 
2035 | a data store after you retrieve them, then pull them directly from the cache for
2036 | 
2037 | following requests, you can gain a significant improvement in performance as
2038 | 
2039 | well as reduce the load on your database servers.
2040 | 
2041 | Many of the popular bytecode caching solutions let you cache custom data as
2042 | 
2043 | well, so there’s even more reason to take advantage of them. APC, XCache, and
2044 | 
2045 | WinCache all provide APIs to save data from your PHP code to their memory
2046 | 
2047 | cache.
2048 | 
2049 | The most commonly used memory object caching systems are APC and mem-
2050 | 
2051 | cached. APC is an excellent choice for object caching, it includes a simple API
2052 | 
2053 | for adding your own data to its memory cache and is very easy to setup and
2054 | 
2055 | use. The one real limitation of APC is that it is tied to the server it’s installed
2056 | 
2057 | on. Memcached on the other hand is installed as a separate service and can be
2058 | 
2059 | accessed across the network, meaning that you can store objects in a hyper-fast
2060 | 
2061 | data store in a central location and many different systems can pull from it.
2062 | 
2063 | Note that when running PHP as a (Fast-)CGI application inside your webserver,
2064 | 
2065 | every PHP process will have its own cache, i.e. APC data is not shared be-
2066 | 
2067 | tween your worker processes. In these cases, you might want to consider using
2068 | 
2069 | memcached instead, as it’s not tied to the PHP processes.
2070 | 
2071 | 31
2072 | 
2073 | In a networked configuration APC will usually outperform memcached in terms
2074 | 
2075 | of access speed, but memcached will be able to scale up faster and further. If
2076 | 
2077 | you do not expect to have multiple servers running your application, or do not
2078 | 
2079 | need the extra features that memcached offers then APC is probably your best
2080 | 
2081 | choice for object caching.
2082 | 
2083 | Example logic using APC:
2084 | 
2085 | <?php
2086 | 
2087 | // check if there is data saved as 'expensive_data' in cache
2088 | 
2089 | $data = apc_fetch('expensive_data');
2090 | 
2091 | if ($data === false) {
2092 | 
2093 | // data is not in cache; save result of expensive call for later use
2094 | 
2095 | apc_add('expensive_data', $data = get_expensive_data());
2096 | 
2097 | }
2098 | 
2099 | print_r($data);
2100 | 
2101 | Learn more about popular object caching systems:
2102 | 
2103 | • APC Functions
2104 | 
2105 | • Memcached
2106 | 
2107 | • Redis
2108 | 
2109 | • XCache APIs
2110 | 
2111 | • WinCache Functions
2112 | 
2113 | Back to Top
2114 | 
2115 | Resources
2116 | 
2117 | From the Source
2118 | 
2119 | • PHP Website
2120 | 
2121 | • PHP Documentation
2122 | 
2123 | People to Follow
2124 | 
2125 | • Rasmus Lerdorf
2126 | 
2127 | • Fabien Potencier
2128 | 
2129 | • Derick Rethans
2130 | 
2131 | • Chris Shiflett
2132 | 
2133 | • Sebastian Bergmann
2134 | 
2135 | 32
2136 | 
2137 | • Matthew Weier O’Phinney
2138 | 
2139 | • Pádraic Brady
2140 | 
2141 | • Anthony Ferrara
2142 | 
2143 | • Nikita Popov
2144 | 
2145 | Mentoring
2146 | 
2147 | • phpmentoring.org - Formal, peer to peer mentoring in the PHP community.
2148 | 
2149 | PHP PaaS Providers
2150 | 
2151 | • PagodaBox
2152 | 
2153 | • AppFog
2154 | 
2155 | • Heroku (PHP support is undocumented but based on stable Facebook partnership link)
2156 | 
2157 | • fortrabbit
2158 | 
2159 | • Engine Yard Orchestra PHP Platform
2160 | 
2161 | • Red Hat OpenShift Platform
2162 | 
2163 | • dotCloud
2164 | 
2165 | • AWS Elastic Beanstalk
2166 | 
2167 | • cloudControl
2168 | 
2169 | • Windows Azure
2170 | 
2171 | • Zend Developer Cloud
2172 | 
2173 | • Google App Engine
2174 | 
2175 | Frameworks
2176 | 
2177 | Rather than re-invent the wheel, many PHP developers use frameworks to build
2178 | 
2179 | out web applications. Frameworks abstract away many of the low-level concerns
2180 | 
2181 | and provide helpful, easy-to-use interfaces to complete common tasks.
2182 | 
2183 | You do not need to use a framework for every project. Sometimes plain PHP is
2184 | 
2185 | the right way to go, but if you do need a framework then there are three main
2186 | 
2187 | types available:
2188 | 
2189 | • Micro Frameworks
2190 | 
2191 | • Full-Stack Frameworks
2192 | 
2193 | • Component Frameworks
2194 | 
2195 | Micro-frameworks are essentially a wrapper to route a HTTP request to a
2196 | 
2197 | callback, controller, method, etc as quickly as possible, and sometimes come
2198 | 
2199 | 33
2200 | 
2201 | with a few extra libraries to assist development such as basic database wrappers
2202 | 
2203 | and the like. They are prominently used to build remote HTTP services.
2204 | 
2205 | Many frameworks add a considerable number of features on top of what is
2206 | 
2207 | available in a micro-framework and these are known Full-Stack Frameworks.
2208 | 
2209 | These often come bundled with ORMs, Authentication packages, etc.
2210 | 
2211 | Component-based frameworks are collections of specialized and single-purpose
2212 | 
2213 | libraries. Disparate component-based frameworks can be used together to make
2214 | 
2215 | a micro- or full-stack framework.
2216 | 
2217 | • Popular PHP Frameworks
2218 | 
2219 | Components
2220 | 
2221 | As mentioned above “Components” are another approach to the common goal
2222 | 
2223 | of creating, distributing and implementing shared code. Various component
2224 | 
2225 | repositories exist, the main two of which are:
2226 | 
2227 | • Packagist
2228 | 
2229 | • PEAR
2230 | 
2231 | Both of these repositories have command line tools associated with them to help
2232 | 
2233 | the installation and upgrade processes, and have been explained in more detail
2234 | 
2235 | in the Dependency Management section.
2236 | 
2237 | There are also component-based frameworks, which allow you to use their compo-
2238 | 
2239 | nents with minimal (or no) requirements. For example, you can use the FuelPHP
2240 | 
2241 | Validation package, without needing to use the FuelPHP framework itself. These projects are essentially just another repository for reusable components:
2242 | 
2243 | • Aura
2244 | 
2245 | • FuelPHP (2.0 only)
2246 | 
2247 | • Laravel’s “Illuminate Components”
2248 | 
2249 | • Symfony Components
2250 | 
2251 | Back to Top
2252 | 
2253 | • Josh Lockhart
2254 | 
2255 | • Kris Jordan
2256 | 
2257 | • Phil Sturgeon
2258 | 
2259 | • New Media Campaigns
2260 | 
2261 | • Licensed CC Attribution-NonCommercial-ShareAlike 3.0 . . . .
2262 | 
2263 | 34
2264 | 
2265 | 
2266 | 
2267 | 
2268 | 
2269 | Document Outline
2270 | 
2271 | 
2272 | [welcome]Welcome
2273 | 
2274 | [gettingstartedtitle]Getting Started [usethecurrentstableversion54title]Use the Current Stable Version (5.4)
2275 | 
2276 | [builtinwebservertitle]Built-in web server
2277 | 
2278 | [macsetuptitle]Mac Setup
2279 | 
2280 | [windowssetuptitle]Windows Setup
2281 | 
2282 | [vagranttitle]Vagrant
2283 | 
2284 | 
2285 | 
2286 | 
2287 | 
2288 | [codestyleguidetitle]Code Style Guide
2289 | 
2290 | [languagehighlightstitle]Language Highlights [programmingparadigmstitle]Programming Paradigms [objectorientedprogramming]Object-oriented Programming
2291 | 
2292 | [functionalprogramming]Functional Programming
2293 | 
2294 | [metaprogramming]Meta Programming
2295 | 
2296 | 
2297 | 
2298 | 
2299 | 
2300 | [namespacestitle]Namespaces
2301 | 
2302 | [standardphplibrarytitle]Standard PHP Library
2303 | 
2304 | [commandlineinterfacetitle]Command Line Interface
2305 | 
2306 | [xdebugtitle]XDebug
2307 | 
2308 | 
2309 | 
2310 | 
2311 | 
2312 | [dependencymanagementtitle]Dependency Management [composerandpackagisttitle]Composer and Packagist [howtoinstallcomposer]How to Install Composer
2313 | 
2314 | [howtoinstallcomposermanually]How to Install Composer (manually)
2315 | 
2316 | [howtodefineandinstalldependencies]How to Define and Install Dependencies
2317 | 
2318 | [updatingyourdependencies]Updating your dependencies
2319 | 
2320 | [checkingyourdependenciesforsecurityissues]Checking your dependencies for security issues
2321 | 
2322 | 
2323 | 
2324 | 
2325 | 
2326 | [peartitle]PEAR [howtoinstallpear]How to install PEAR
2327 | 
2328 | [howtoinstallapackage]How to install a package
2329 | 
2330 | [handlingpeardependencieswithcomposer]Handling PEAR dependencies with Composer
2331 | 
2332 | 
2333 | 
2334 | 
2335 | 
2336 | [codingpracticestitle]Coding Practices [thebasicstitle]The Basics
2337 | 
2338 | [dateandtimetitle]Date and Time
2339 | 
2340 | [designpatternstitle]Design Patterns
2341 | 
2342 | [exceptionstitle]Exceptions [splexceptions]SPL Exceptions
2343 | 
2344 | 
2345 | 
2346 | 
2347 | 
2348 | [databasestitle]Databases [pdo]PDO
2349 | 
2350 | [abstractionlayers]Abstraction Layers
2351 | 
2352 | 
2353 | 
2354 | 
2355 | 
2356 | [securitytitle]Security [webapplicationsecuritytitle]Web Application Security
2357 | 
2358 | [passwordhashingtitle]Password Hashing
2359 | 
2360 | [datafilteringtitle]Data Filtering [sanitization]Sanitization
2361 | 
2362 | [validation]Validation
2363 | 
2364 | 
2365 | 
2366 | 
2367 | 
2368 | [configurationfilestitle]Configuration Files
2369 | 
2370 | [registerglobalstitle]Register Globals
2371 | 
2372 | [errorreportingtitle]Error Reporting [development]Development
2373 | 
2374 | [production]Production
2375 | 
2376 | 
2377 | 
2378 | 
2379 | 
2380 | [testingtitle]Testing [testdrivendevelopmenttitle]Test Driven Development [unittesting]Unit Testing
2381 | 
2382 | [integrationtesting]Integration Testing
2383 | 
2384 | [functionaltesting]Functional Testing
2385 | 
2386 | 
2387 | 
2388 | 
2389 | 
2390 | [behaviordrivendevelopmenttitle]Behavior Driven Development [bddlinks]BDD Links
2391 | 
2392 | 
2393 | 
2394 | 
2395 | 
2396 | [complementarytestingtoolstitle]Complementary Testing Tools [toollinks]Tool Links
2397 | 
2398 | 
2399 | 
2400 | 
2401 | 
2402 | [serversanddeploymenttitle]Servers and Deployment [platformasaservicepaastitle]Platform as a Service (PaaS)
2403 | 
2404 | [virtualordedicatedserverstitle]Virtual or Dedicated Servers [nginxandphpfpm]nginx and PHP-FPM
2405 | 
2406 | [apacheandphp]Apache and PHP
2407 | 
2408 | 
2409 | 
2410 | 
2411 | 
2412 | [sharedserverstitle]Shared Servers
2413 | 
2414 | [buildtitle]Building and Deploying your Application [buildautomationtools]Build Automation Tools
2415 | 
2416 | [continuousintegration]Continuous Integration
2417 | 
2418 | 
2419 | 
2420 | 
2421 | 
2422 | [cachingtitle]Caching [bytecodecachetitle]Bytecode Cache
2423 | 
2424 | [objectcachingtitle]Object Caching
2425 | 
2426 | 
2427 | 
2428 | 
2429 | 
2430 | [resourcestitle]Resources [fromthesource]From the Source
2431 | 
2432 | [peopletofollow]People to Follow
2433 | 
2434 | [mentoring]Mentoring
2435 | 
2436 | [phppaasproviders]PHP PaaS Providers
2437 | 
2438 | [frameworkstitle]Frameworks
2439 | 
2440 | [componentstitle]Components
2441 | 
2442 | 
2443 | 
2444 | 
2445 | 
2446 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # PHP: The Right Way (PDF)
 2 | 
 3 | #### PDF conversion by Isam at http://github.com/lsd (zenchloride @ gmail com)
 4 | 
 5 | ### Last updated 06/21/2013 
 6 | 
 7 | ## [Download PHP-The-Right-Way.pdf](https://github.com/lsd/php-the-right-way-pdf/raw/builder/php-the-right-way-06-21-2013.pdf)
 8 | 
 9 | ## Overview
10 | 
11 | This is a simple (2-3 line) script to generate a printer/ebook-reader\* friendly  
12 | version of <http://phptherightway.com>.  
13 |   
14 | You need to have Jekyll, pandoc, MacTex (or at least pdflatex for PDF output)  
15 | 
16 | ## NOTICE  
17 | 
18 | This currently only outputs in PDF format. You may choose to skip this mess and  
19 | download the PDF or single HTML version of the site also included right here.  
20 |   
21 | The PDF conversion required MacTex.pkg which was 2.3 GB and 4.33 GB decompressed.  
22 | 
23 | If you need an updated version of the PDF without going through the hassle of setting  
24 | anything up, just send me a message and I will regenerate the PDF.  
25 | 
26 | **Even better, send me a cronjob that updates the PDF nightly**
27 | 
28 | *Thanks! -Isam Machlovi*
29 | 


--------------------------------------------------------------------------------
/build-pdf.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | # This uses pandoc to convert PHP-The-Right-Way to a PDF.
 3 | # github.com/lsd for this + generated PDFs / ePubs / Mobi / etc.
 4 | 
 5 | echo "----------------\n"
 6 | echo "Make sure you are in the root file of the SOURCE of the site."
 7 | echo "Make sure pandoc and jekyll are installed"
 8 | echo "For example, ..."
 9 | echo "$ git clone https://github.com/codeguy/php-the-right-way.git"
10 | echo "$ cd php-the-right-way/"
11 | echo "$ cat CNAME"
12 | echo "$ sh build-html-to-pdf.sh"
13 | echo "----------------\n"
14 | 
15 | echo "Starting Jekyll build and then serving. OK? (any key or ctrl+c to quit)"
16 | read
17 | 
18 | jekyll build
19 | jekyll serve
20 | 
21 | echo "Assuming site is on localhost:4000. Now running pandoc to generate single HTML."
22 | echo "this: pandoc -s -S --toc -c styles/all.css http://localhost:4000 -o php-the-right-way-single-html.html"
23 | echo "... OK?"
24 | read
25 | pandoc -s -S --toc -c styles/all.css http://localhost:4000 -o php-the-right-way-single-html.html
26 | 
27 | echo "Edit the outputted HTML file."
28 | echo "Save it and then hit any key to continue."
29 | echo "(CTRL+C to terminate at any time)"
30 | read
31 | 
32 | echo "Finished? Use this step to remove unwanted things or fix formatting in the HTML"
33 | echo "Examples of issues: "
34 | echo "* There are 2 ToC (remove --toc flag above or manually remove the HTML for one of the ToC)"
35 | echo "* I added <style>body { margin: 1em }</style> to my copy"
36 | echo "* I added <style>a { color: rgb(0, 96, 172); }</style> to my copy"
37 | echo "* I removed some pages I don't need (contribute, disclaimer, etc.."
38 | echo "Anyway, last warning before making PDF. Proceed? (CTRL+C to die)"
39 | read
40 | 
41 | 
42 | 


--------------------------------------------------------------------------------
/php-the-right-way-06-21-2013.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lsd/php-the-right-way-pdf/fdf3c121eea1d71ff167cd88a8729281a643932e/php-the-right-way-06-21-2013.pdf


--------------------------------------------------------------------------------
/php-the-right-way-06212013.html:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 | <html xmlns="http://www.w3.org/1999/xhtml">
  3 | <head>
  4 |   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 |   <meta http-equiv="Content-Style-Type" content="text/css" />
  6 |   <meta name="generator" content="pandoc" />
  7 |   <title>PHP: The Right Way</title>
  8 |   <style type="text/css">code{white-space: pre;}</style>
  9 |   <link rel="stylesheet" href="styles/all.css" type="text/css" />
 10 |   <style>
 11 |     body { margin: 1em; }
 12 |     a { color: rgb(0, 96, 172); }
 13 |   </style>
 14 | </head>
 15 | <body>
 16 | <div id="header">
 17 | <h1 class="title">PHP: The Right Way</h1>
 18 | </div>
 19 | <div id="TOC">
 20 | <ul>
 21 | <li><a href="#getting_started_title">Getting Started</a><ul>
 22 | <li><a href="#use_the_current_stable_version_54_title">Use the Current Stable Version (5.4)</a></li>
 23 | <li><a href="#builtin_web_server_title">Built-in web server</a></li>
 24 | <li><a href="#mac_setup_title">Mac Setup</a></li>
 25 | <li><a href="#windows_setup_title">Windows Setup</a></li>
 26 | <li><a href="#vagrant_title">Vagrant</a></li>
 27 | </ul></li>
 28 | <li><a href="#code_style_guide_title">Code Style Guide</a></li>
 29 | <li><a href="#language_highlights_title">Language Highlights</a><ul>
 30 | <li><a href="#programming_paradigms_title">Programming Paradigms</a><ul>
 31 | <li><a href="#objectoriented_programming">Object-oriented Programming</a></li>
 32 | <li><a href="#functional_programming">Functional Programming</a></li>
 33 | <li><a href="#meta_programming">Meta Programming</a></li>
 34 | </ul></li>
 35 | <li><a href="#namespaces_title">Namespaces</a></li>
 36 | <li><a href="#standard_php_library_title">Standard PHP Library</a></li>
 37 | <li><a href="#command_line_interface_title">Command Line Interface</a></li>
 38 | <li><a href="#xdebug_title">XDebug</a></li>
 39 | </ul></li>
 40 | <li><a href="#dependency_management_title">Dependency Management</a><ul>
 41 | <li><a href="#composer_and_packagist_title">Composer and Packagist</a><ul>
 42 | <li><a href="#how_to_install_composer">How to Install Composer</a></li>
 43 | <li><a href="#how_to_install_composer_manually">How to Install Composer (manually)</a></li>
 44 | <li><a href="#how_to_define_and_install_dependencies">How to Define and Install Dependencies</a></li>
 45 | <li><a href="#updating_your_dependencies">Updating your dependencies</a></li>
 46 | <li><a href="#checking_your_dependencies_for_security_issues">Checking your dependencies for security issues</a></li>
 47 | </ul></li>
 48 | <li><a href="#pear_title">PEAR</a><ul>
 49 | <li><a href="#how_to_install_pear">How to install PEAR</a></li>
 50 | <li><a href="#how_to_install_a_package">How to install a package</a></li>
 51 | <li><a href="#handling_pear_dependencies_with_composer">Handling PEAR dependencies with Composer</a></li>
 52 | </ul></li>
 53 | </ul></li>
 54 | <li><a href="#coding_practices_title">Coding Practices</a><ul>
 55 | <li><a href="#the_basics_title">The Basics</a></li>
 56 | <li><a href="#date_and_time_title">Date and Time</a></li>
 57 | <li><a href="#design_patterns_title">Design Patterns</a></li>
 58 | <li><a href="#exceptions_title">Exceptions</a><ul>
 59 | <li><a href="#spl_exceptions">SPL Exceptions</a></li>
 60 | </ul></li>
 61 | </ul></li>
 62 | <li><a href="#databases_title">Databases</a><ul>
 63 | <li><a href="#pdo">PDO</a></li>
 64 | <li><a href="#abstraction_layers">Abstraction Layers</a></li>
 65 | </ul></li>
 66 | <li><a href="#security_title">Security</a><ul>
 67 | <li><a href="#web_application_security_title">Web Application Security</a></li>
 68 | <li><a href="#password_hashing_title">Password Hashing</a></li>
 69 | <li><a href="#data_filtering_title">Data Filtering</a><ul>
 70 | <li><a href="#sanitization">Sanitization</a></li>
 71 | <li><a href="#validation">Validation</a></li>
 72 | </ul></li>
 73 | <li><a href="#configuration_files_title">Configuration Files</a></li>
 74 | <li><a href="#register_globals_title">Register Globals</a></li>
 75 | <li><a href="#error_reporting_title">Error Reporting</a><ul>
 76 | <li><a href="#development">Development</a></li>
 77 | <li><a href="#production">Production</a></li>
 78 | </ul></li>
 79 | </ul></li>
 80 | <li><a href="#testing_title">Testing</a><ul>
 81 | <li><a href="#test_driven_development_title">Test Driven Development</a><ul>
 82 | <li><a href="#unit_testing">Unit Testing</a></li>
 83 | <li><a href="#integration_testing">Integration Testing</a></li>
 84 | <li><a href="#functional_testing">Functional Testing</a></li>
 85 | </ul></li>
 86 | <li><a href="#behavior_driven_development_title">Behavior Driven Development</a><ul>
 87 | <li><a href="#bdd_links">BDD Links</a></li>
 88 | </ul></li>
 89 | <li><a href="#complementary_testing_tools_title">Complementary Testing Tools</a><ul>
 90 | <li><a href="#tool_links">Tool Links</a></li>
 91 | </ul></li>
 92 | </ul></li>
 93 | <li><a href="#servers_and_deployment_title">Servers and Deployment</a><ul>
 94 | <li><a href="#platform_as_a_service_paas_title">Platform as a Service (PaaS)</a></li>
 95 | <li><a href="#virtual_or_dedicated_servers_title">Virtual or Dedicated Servers</a><ul>
 96 | <li><a href="#nginx_and_phpfpm">nginx and PHP-FPM</a></li>
 97 | <li><a href="#apache_and_php">Apache and PHP</a></li>
 98 | </ul></li>
 99 | <li><a href="#shared_servers_title">Shared Servers</a></li>
100 | <li><a href="#build_title">Building and Deploying your Application</a><ul>
101 | <li><a href="#build_automation_tools">Build Automation Tools</a></li>
102 | <li><a href="#continuous_integration">Continuous Integration</a></li>
103 | </ul></li>
104 | </ul></li>
105 | <li><a href="#caching_title">Caching</a><ul>
106 | <li><a href="#bytecode_cache_title">Bytecode Cache</a></li>
107 | <li><a href="#object_caching_title">Object Caching</a></li>
108 | </ul></li>
109 | <li><a href="#resources_title">Resources</a><ul>
110 | <li><a href="#from_the_source">From the Source</a></li>
111 | <li><a href="#people_to_follow">People to Follow</a></li>
112 | <li><a href="#mentoring">Mentoring</a></li>
113 | <li><a href="#php_paas_providers">PHP PaaS Providers</a></li>
114 | <li><a href="#frameworks_title">Frameworks</a></li>
115 | <li><a href="#components_title">Components</a></li>
116 | </ul></li>
117 | <li><a href="#community_title">Community</a><ul>
118 | <li><a href="#php_user_groups">PHP User Groups</a></li>
119 | <li><a href="#php_conferences">PHP Conferences</a></li>
120 | <li><a>Created and maintained by</a></li>
121 | <li><a>Project collaborators</a></li>
122 | <li><a>Project contributors</a></li>
123 | <li><a>Project sponsors</a></li>
124 | </ul></li>
125 | </ul>
126 | </div>
127 | 
128 | <h1 id="welcome"><a href="#welcome">Welcome</a></h1>
129 | <p>There’s a lot of outdated information on the Web that leads new PHP users astray, propagating bad practices and bad code. This must stop. <em>PHP: The Right Way</em> is an easy-to-read, quick reference for PHP best practices, accepted coding standards, and links to authoritative tutorials around the Web.</p>
130 | 
131 | <h1 id="getting_started_title"><a href="#getting_started_title">Getting Started</a></h1>
132 | <h2 id="use_the_current_stable_version_54_title"><a href="#use_the_current_stable_version_54_title">Use the Current Stable Version (5.4)</a></h2>
133 | <p>If you are just getting started with PHP make sure to start with the current stable release of <a href="http://www.php.net/downloads.php">PHP 5.4</a>. PHP has made great strides adding powerful <a href="#language_highlights">new features</a> over the last few years. Don’t let the minor version number difference between 5.2 and 5.4 fool you, it represents <em>major</em> improvements. If you are looking for a function or it’s usage, the documentation on the <a href="http://www.php.net/manual/en/">php.net</a> website will have the answer.</p>
134 | <h2 id="builtin_web_server_title"><a href="#builtin_web_server_title">Built-in web server</a></h2>
135 | <p>You can start learning PHP without the hassle of installing and configuring a full-fledged web server (PHP 5.4 required). To start the server, run the following from your terminal in your project’s web root:</p>
136 | <pre><code>&gt; php -S localhost:8000</code></pre>
137 | <ul>
138 | <li><a href="http://www.php.net/manual/en/features.commandline.webserver.php">Learn about the built-in, command line web server</a></li>
139 | </ul>
140 | <h2 id="mac_setup_title"><a href="#mac_setup_title">Mac Setup</a></h2>
141 | <p>OSX comes prepackaged with PHP but it is normally a little behind the latest stable. Lion comes with PHP 5.3.6 and Mountain Lion has 5.3.10.</p>
142 | <p>To update PHP on OSX you can get it installed through a number of Mac <a href="http://www.php.net/manual/en/install.macosx.packages.php">package managers</a>, with <a href="http://php-osx.liip.ch/">php-osx by Liip</a> being recommended.</p>
143 | <p>The other option is to <a href="http://www.php.net/manual/en/install.macosx.compile.php">compile it yourself</a>, in that case be sure to have installed either Xcode or Apple’s substitute <a href="https://developer.apple.com/downloads">“Command Line Tools for Xcode”</a> downloadable from Apple’s Mac Developer Center.</p>
144 | <p>For a complete “all-in-one” package including PHP, Apache web server and MySQL database, all this with a nice control GUI, try <a href="http://www.mamp.info/en/downloads/index.html">MAMP</a>.</p>
145 | <h2 id="windows_setup_title"><a href="#windows_setup_title">Windows Setup</a></h2>
146 | <p>PHP is available in several ways for Windows. You can <a href="http://windows.php.net">download the binaries</a> and until recently you could use a ‘.msi’ installer. The installer is no longer supported and stops at PHP 5.3.0.</p>
147 | <p>For learning and local development you can use the built in webserver with PHP 5.4 so you don’t need to worry about configuring it. If you would like an “all-in-one” which includes a full-blown webserver and MySQL too then tools such as the <a href="http://www.microsoft.com/web/downloads/platform.aspx">Web Platform Installer</a>, <a href="http://www.zend.com/en/products/server-ce/">Zend Server CE</a>, <a href="http://www.apachefriends.org/en/xampp.html">XAMPP</a> and <a href="http://www.wampserver.com/">WAMP</a> will help get a Windows development environment up and running fast. That said, these tools will be a little different from production so be careful of environment differences if you are working on Windows and deploying to Linux.</p>
148 | <p>If you need to run your production system on Windows then IIS7 will give you the most stable and best performance. You can use <a href="http://phpmanager.codeplex.com/">phpmanager</a> (a GUI plugin for IIS7) to make configuring and managing PHP simple. IIS7 comes with FastCGI built in and ready to go, you just need to configure PHP as a handler. For support and additional resources there is a <a href="http://php.iis.net/">dedicated area on iis.net</a> for PHP.</p>
149 | <h2 id="vagrant_title"><a href="#vagrant_title">Vagrant</a></h2>
150 | <p>Running your application on different environments in development and production can lead to strange bugs popping up when you go live. It’s also tricky to keep different development environments up to date with the same version for all libraries used when working with a team of developers.</p>
151 | <p>If you are developing on Windows and deploying to Linux (or anything non-Windows) or are developing in a team, you should consider using a virtual machine. This sounds tricky, but using <a href="http://vagrantup.com/">Vagrant</a> you can set up a simple virtual machine with only a few steps. These base boxes can then be set up manually, or you can use “provisioning” software such as <a href="http://www.puppetlabs.com/">Puppet</a> or <a href="http://www.opscode.com/">Chef</a> to do this for you. Provisioning the base box is a great way to ensure that multiple boxes are set up in an identical fashion and removes the need for you to maintain complicated “set up” command lists. You can also “destroy” your base box and recreate it without many manual steps, making it easy to create a “fresh” installation.</p>
152 | <p>Vagrant creates shared folders used to share your code between your host and your virtual machine, meaning you can create and edit your files on your host machine and then run the code inside your virtual machine.</p>
153 | <p><a href="#top">Back to Top</a></p>
154 | <h1 id="code_style_guide_title"><a href="#code_style_guide_title">Code Style Guide</a></h1>
155 | <p>The PHP community is large and diverse, composed of innumerable libraries, frameworks, and components. It is common for PHP developers to choose several of these and combine them into a single project. It is important that PHP code adhere (as close as possible) to a common code style to make it easy for developers to mix and match various libraries for their projects.</p>
156 | <p>The <a href="http://www.php-fig.org/">Framework Interop Group</a> has proposed and approved a series of style recommendations, known as <a href="https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-0.md">PSR-0</a>, <a href="https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-1-basic-coding-standard.md">PSR-1</a> and <a href="https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-2-coding-style-guide.md">PSR-2</a>. Don’t let the funny names confuse you, these recommendations are merely a set of rules that some projects like Drupal, Zend, Symfony, CakePHP, phpBB, AWS SDK, FuelPHP, Lithium, etc are starting to adopt. You can use them for your own projects, or continue to use your own personal style.</p>
157 | <p>Ideally you should write PHP code that adheres to a known standard. This could be any combination of PSR’s, or one of the coding standards made by PEAR or Zend. This means other developers can easily read and work with your code, and applications that implement the components can have consistency even when working with lots of third-party code.</p>
158 | <ul>
159 | <li><a href="https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-0.md">Read about PSR-0</a></li>
160 | <li><a href="https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-1-basic-coding-standard.md">Read about PSR-1</a></li>
161 | <li><a href="https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-2-coding-style-guide.md">Read about PSR-2</a></li>
162 | <li><a href="http://pear.php.net/manual/en/standards.php">Read about PEAR Coding Standards</a></li>
163 | <li><a href="http://framework.zend.com/wiki/display/ZFDEV2/Coding+Standards">Read about Zend Coding Standards</a></li>
164 | </ul>
165 | <p>You can use <a href="http://pear.php.net/package/PHP_CodeSniffer/">PHP_CodeSniffer</a> to check code against any one of these recommendations, and plugins for text editors like <a href="https://github.com/benmatselby/sublime-phpcs">Sublime Text 2</a> to be given real time feedback.</p>
166 | <p>Use Fabien Potencier’s <a href="http://cs.sensiolabs.org/">PHP Coding Standards Fixer</a> to automatically modify your code syntax so that it conforms with these standards, saving you from fixing each problem by hand.</p>
167 | <p>English is preferred for all symbol names and code infrastructure. Comments may be written in any language easily readable by all current and future parties who may be working on the codebase.</p>
168 | <p><a href="#top">Back to Top</a></p>
169 | <h1 id="language_highlights_title"><a href="#language_highlights_title">Language Highlights</a></h1>
170 | <h2 id="programming_paradigms_title"><a href="#programming_paradigms_title">Programming Paradigms</a></h2>
171 | <p>PHP is a flexible, dynamic language that supports a variety of programming techniques. It has evolved dramatically over the years, notably adding a solid object-oriented model in PHP 5.0 (2004), anonymous functions and namespaces in PHP 5.3 (2009), and traits in PHP 5.4 (2012).</p>
172 | <h3 id="objectoriented_programming"><a href="#objectoriented_programming">Object-oriented Programming</a></h3>
173 | <p>PHP has a very complete set of object-oriented programming features including support for classes, abstract classes, interfaces, inheritance, constructors, cloning, exceptions, and more.</p>
174 | <ul>
175 | <li><a href="http://www.php.net/manual/en/language.oop5.php">Read about Object-oriented PHP</a></li>
176 | <li><a href="http://www.php.net/traits">Read about Traits</a></li>
177 | </ul>
178 | <h3 id="functional_programming"><a href="#functional_programming">Functional Programming</a></h3>
179 | <p>PHP supports first-class function, meaning that a function can be assigned to a variable. Both user defined and built-in functions can be referenced by a variable and invoked dynamically. Functions can be passed as arguments to other functions (feature called Higher-order functions) and function can return other functions.</p>
180 | <p>Recursion, a feature that allows a function to call itself is supported by the language, but most of the PHP code focus on iteration.</p>
181 | <p>New anonymous functions (with support for closures) are present since PHP 5.3 (2009).</p>
182 | <p>PHP 5.4 added the ability to bind closures to an object’s scope and also improved support for callables such that they can be used interchangeably with anonymous functions in almost all cases.</p>
183 | <ul>
184 | <li>Continue reading on <a href="/pages/Functional-Programming.html">Functional Programming in PHP</a></li>
185 | <li><a href="http://www.php.net/manual/en/functions.anonymous.php">Read about Anonymous Functions</a></li>
186 | <li><a href="http://php.net/manual/en/class.closure.php">Read about the Closure class</a></li>
187 | <li><a href="https://wiki.php.net/rfc/closures">More details in the Closures RFC</a></li>
188 | <li><a href="http://php.net/manual/en/language.types.callable.php">Read about Callables</a></li>
189 | <li><a href="http://php.net/manual/en/function.call-user-func-array.php">Read about dynamically invoking functions with <code>call_user_func_array</code></a></li>
190 | </ul>
191 | <h3 id="meta_programming"><a href="#meta_programming">Meta Programming</a></h3>
192 | <p>PHP supports various forms of meta programming through mechanisms like the Reflection API and Magic Methods. There are many Magic Methods available like <code>__get()</code>, <code>__set()</code>, <code>__clone()</code>, <code>__toString()</code>, <code>__invoke()</code>, etc. that allow developers to hook into class behavior. Ruby developers often say that PHP is lacking <code>method_missing</code>, but it is available as <code>__call()</code> and <code>__callStatic()</code>.</p>
193 | <ul>
194 | <li><a href="http://php.net/manual/en/language.oop5.magic.php">Read about Magic Methods</a></li>
195 | <li><a href="http://www.php.net/manual/en/intro.reflection.php">Read about Reflection</a></li>
196 | </ul>
197 | <h2 id="namespaces_title"><a href="#namespaces_title">Namespaces</a></h2>
198 | <p>As mentioned above, the PHP community has a lot of developers creating lots of code. This means that one library’s PHP code may use the same class name as another library. When both libraries are used in the same namespace, they collide and cause trouble.</p>
199 | <p><em>Namespaces</em> solve this problem. As described in the PHP reference manual, namespaces may be compared to operating system directories that <em>namespace</em> files; two files with the same name may co-exist in separate directories. Likewise, two PHP classes with the same name may co-exist in separate PHP namespaces. It’s as simple as that.</p>
200 | <p>It is important for you to namespace your code so that it may be used by other developers without fear of colliding with other libraries.</p>
201 | <p>One recommended way to use namespaces is outlined in <a href="https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-0.md">PSR-0</a>, which aims to provide a standard file, class and namespace convention to allow plug-and-play code.</p>
202 | <ul>
203 | <li><a href="http://php.net/manual/en/language.namespaces.php">Read about Namespaces</a></li>
204 | <li><a href="https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-0.md">Read about PSR-0</a></li>
205 | </ul>
206 | <h2 id="standard_php_library_title"><a href="#standard_php_library_title">Standard PHP Library</a></h2>
207 | <p>The Standard PHP Library (SPL) is packaged with PHP and provides a collection of classes and interfaces. It is made up primarily of commonly needed datastructure classes (stack, queue, heap, and so on), and iterators which can traverse over these datastructures or your own classes which implement SPL interfaces.</p>
208 | <ul>
209 | <li><a href="http://php.net/manual/en/book.spl.php">Read about the SPL</a></li>
210 | </ul>
211 | <h2 id="command_line_interface_title"><a href="#command_line_interface_title">Command Line Interface</a></h2>
212 | <p>PHP was created primarily to write web applications, but it’s also useful for scripting command line interface (CLI) programs. Command line PHP programs can help you automate common tasks like testing, deployment, and application administrativia.</p>
213 | <p>CLI PHP programs are powerful because you can use your app’s code directly without having to create and secure a web GUI for it. Just be sure not to put your CLI PHP scripts in your public web root!</p>
214 | <p>Try running PHP from your command line:</p>
215 | <pre><code>&gt; php -i</code></pre>
216 | <p>The <code>-i</code> option will print your PHP configuration just like the <a href="http://php.net/manual/en/function.phpinfo.php"><code>phpinfo</code></a> function.</p>
217 | <p>The <code>-a</code> option provides an interactive shell, similar to ruby’s IRB or python’s interactive shell. There are a number of other useful <a href="http://www.php.net/manual/en/features.commandline.options.php">command line options</a>, too.</p>
218 | <p>Let’s write a simple “Hello, $name” CLI program. To try it out, create a file named <code>hello.php</code>, as below.</p>
219 | <pre><code>&lt;?php
220 | if ($argc != 2) {
221 |     echo &quot;Usage: php hello.php [name].\n&quot;;
222 |     exit(1);
223 | }
224 | $name = $argv[1];
225 | echo &quot;Hello, $name\n&quot;;</code></pre>
226 | <p>PHP sets up two special variables based on the arguments your script is run with. <a href="http://php.net/manual/en/reserved.variables.argc.php"><code>$argc</code></a> is an integer variable containing the argument <em>count</em> and <a href="http://php.net/manual/en/reserved.variables.argv.php"><code>$argv</code></a> is an array variable containing each argument’s <em>value</em>. The first argument is always the name of your PHP script file, in this case <code>hello.php</code>.</p>
227 | <p>The <code>exit()</code> expression is used with a non zero number to let the shell know that the command failed. Commonly used exit codes can be found <a href="http://www.gsp.com/cgi-bin/man.cgi?section=3&amp;topic=sysexits">here</a></p>
228 | <p>To run our script, above, from the command line:</p>
229 | <pre><code>&gt; php hello.php
230 | Usage: php hello.php [name]
231 | &gt; php hello.php world
232 | Hello, world</code></pre>
233 | <ul>
234 | <li><a href="http://php.net/manual/en/features.commandline.php">Learn about running PHP from the command line</a></li>
235 | <li><a href="http://www.php.net/manual/en/install.windows.commandline.php">Learn about setting up Windows to run PHP from the command line</a></li>
236 | </ul>
237 | <h2 id="xdebug_title"><a href="#xdebug_title">XDebug</a></h2>
238 | <p>One of the most useful tools in software development is a proper debugger. It allows you to trace the execution of your code and monitor the contents of the stack. XDebug, PHP’s debugger, can be utilized by various IDEs to provide Breakpoints and stack inspection. It can also allow tools like PHPUnit and KCacheGrind to perform code coverage analysis and code profiling.</p>
239 | <p>If you find yourself in a bind, willing to resort to var_dump/print_r, and you still can’t find the solution - maybe you need to use the debugger.</p>
240 | <p><a href="http://xdebug.org/docs/install">Installing XDebug</a> can be tricky, but one of its most important features is “Remote Debugging” - if you develop code locally and then test it inside a VM or on another server, Remote Debugging is the feature that you will want to enable right away.</p>
241 | <p>Traditionally, you will modify your Apache VHost or .htaccess file with these values:</p>
242 | <pre><code>php_value xdebug.remote_host=192.168.?.?
243 | php_value xdebug.remote_port=9000</code></pre>
244 | <p>The “remote host” and “remote port” will correspond to your local computer and the port that you configure your IDE to listen on. Then it’s just a matter of putting your IDE into “listen for connections” mode, and loading the URL:</p>
245 | <pre><code>http://your-website.example.com/index.php?XDEBUG_SESSION_START=1</code></pre>
246 | <p>Your IDE will now intercept the current state as the script executes, allowing you to set breakpoints and probe the values in memory.</p>
247 | <ul>
248 | <li><a href="http://xdebug.org/docs/">Learn more about XDebug</a></li>
249 | </ul>
250 | <p><a href="#top">Back to Top</a></p>
251 | <h1 id="dependency_management_title"><a href="#dependency_management_title">Dependency Management</a></h1>
252 | <p>There are a ton of PHP libraries, frameworks, and components to choose from. Your project will likely use several of them — these are project dependencies. Until recently, PHP did not have a good way to manage these project dependencies. Even if you managed them manually, you still had to worry about autoloaders. No more.</p>
253 | <p>Currently there are two major package management systems for PHP - Composer and PEAR. Which one is right for you? The answer is both.</p>
254 | <ul>
255 | <li>Use <strong>Composer</strong> when managing dependencies for a single project.</li>
256 | <li>Use <strong>PEAR</strong> when managing dependencies for PHP as a whole on your system.</li>
257 | </ul>
258 | <p>In general, Composer packages will be available only in the projects that you explicitly specify whereas a PEAR package would be available to all of your PHP projects. While PEAR might sound like the easier approach at first glance, there are advantages to using a project-by-project approach to your dependencies.</p>
259 | <h2 id="composer_and_packagist_title"><a href="#composer_and_packagist_title">Composer and Packagist</a></h2>
260 | <p>Composer is a <strong>brilliant</strong> dependency manager for PHP. List your project’s dependencies in a <code>composer.json</code> file and, with a few simple commands, Composer will automatically download your project’s dependencies and setup autoloading for you.</p>
261 | <p>There are already a lot of PHP libraries that are compatible with Composer, ready to be used in your project. These “packages” are listed on <a href="http://packagist.org/">Packagist</a>, the official repository for Composer-compatible PHP libraries.</p>
262 | <h3 id="how_to_install_composer"><a href="#how_to_install_composer">How to Install Composer</a></h3>
263 | <p>You can install Composer locally (in your current working directory; though this is no longer recommended) or globally (e.g. /usr/local/bin). Let’s assume you want to install Composer locally. From your project’s root directory:</p>
264 | <pre><code>curl -s https://getcomposer.org/installer | php</code></pre>
265 | <p>This will download <code>composer.phar</code> (a PHP binary archive). You can run this with <code>php</code> to manage your project dependencies. <strong>Please Note:</strong> If you pipe downloaded code directly into an interpreter, please read the code online first to confirm it is safe.</p>
266 | <h3 id="how_to_install_composer_manually"><a href="#how_to_install_composer_manually">How to Install Composer (manually)</a></h3>
267 | <p>Manually installing Composer is an advanced technique; however, there are various reasons why a developer might prefer this method vs. using the interactive installation routine. The interactive installation checks your PHP installation to ensure that:</p>
268 | <ul>
269 | <li>a sufficient version of PHP is being used</li>
270 | <li><code>.phar</code> files can be executed correctly</li>
271 | <li>certain directory permissions are sufficient</li>
272 | <li>certain problematic extensions are not loaded</li>
273 | <li>certain <code>php.ini</code> settings are set</li>
274 | </ul>
275 | <p>Since a manual installation performs none of these checks, you have to decide whether the trade-off is worth it for you. As such, below is how to obtain Composer manually:</p>
276 | <pre><code>curl -s https://getcomposer.org/composer.phar -o $HOME/local/bin/composer
277 | chmod +x $HOME/local/bin/composer</code></pre>
278 | <p>The path <code>$HOME/local/bin</code> (or a directory of your choice) should be in your <code>$PATH</code> environment variable. This will result in a <code>composer</code> command being available.</p>
279 | <p>When you come across documentation that states to run Composer as <code>php composer.phar install</code>, you can substitute that with:</p>
280 | <pre><code>composer install</code></pre>
281 | <h3 id="how_to_define_and_install_dependencies"><a href="#how_to_define_and_install_dependencies">How to Define and Install Dependencies</a></h3>
282 | <p>Composer keeps track of your project’s dependencies in a file called <code>composer.json</code>. You can manage it by hand if you like, or use Composer itself. The <code>php composer.phar require</code> command adds a project dependency and if you don’t have a <code>composer.json</code> file, one will be created. Here’s an example that adds <a href="http://twig.sensiolabs.org">Twig</a> as a dependency of your project. Run it in your project’s root directory where you’ve downloaded <code>composer.phar</code>:</p>
283 | <pre><code>php composer.phar require twig/twig:~1.8</code></pre>
284 | <p>Alternatively the <code>php composer.phar init</code> command will guide you through creating a full <code>composer.json</code> file for your project. Either way, once you’ve created your <code>composer.json</code> file you can tell Composer to download and install your dependencies into the <code>vendors/</code> directory. This also applies to projects you’ve downloaded that already provide a <code>composer.json</code> file:</p>
285 | <pre><code>php composer.phar install</code></pre>
286 | <p>Next, add this line to your application’s primary PHP file; this will tell PHP to use Composer’s autoloader for your project dependencies.</p>
287 | <pre><code>&lt;?php
288 | require &#39;vendor/autoload.php&#39;;</code></pre>
289 | <p>Now you can use your project dependencies, and they’ll be autoloaded on demand.</p>
290 | <h3 id="updating_your_dependencies"><a href="#updating_your_dependencies">Updating your dependencies</a></h3>
291 | <p>Composer creates a file called <code>composer.lock</code> which stores the exact version of each package it downloaded when you first ran <code>php composer.phar install</code>. If you share your project with other coders and the <code>composer.lock</code> file is part of your distribution, when they run <code>php composer.phar install</code> they’ll get the same versions as you. To update your dependencies, run <code>php composer.phar update</code>.</p>
292 | <p>This is most useful when you define your version requirements flexibly. For instance a version requirement of ~1.8 means “anything newer than 1.8.0, but less than 2.0.x-dev”. You can also use the <code>*</code> wildcard as in <code>1.8.*</code>. Now Composer’s <code>php composer.phar update</code> command will upgrade all your dependencies to the newest version that fits the restrictions you define.</p>
293 | <h3 id="checking_your_dependencies_for_security_issues"><a href="#checking_your_dependencies_for_security_issues">Checking your dependencies for security issues</a></h3>
294 | <p>The <a href="https://security.sensiolabs.org/">Security Advisories Checker</a> is a web service and a command-line tool, both will examine your <code>composer.lock</code> file and tell you if you need to update any of your dependencies.</p>
295 | <ul>
296 | <li><a href="http://getcomposer.org/doc/00-intro.md">Learn about Composer</a></li>
297 | </ul>
298 | <h2 id="pear_title"><a href="#pear_title">PEAR</a></h2>
299 | <p>Another veteran package manager that many PHP developers enjoy is <a href="http://pear.php.net/">PEAR</a>. It behaves much the same way as Composer, but has some noteable differences.</p>
300 | <p>PEAR requires each package to have a specific structure, which means that the author of the package must prepare it for usage with PEAR. Using a project which was not prepared to work with PEAR is not possible.</p>
301 | <p>PEAR installs packages globally, which means after installing them once they are available to all projects on that server. This can be good if many projects rely on the same package with the same version but might lead to problems if version conflicts between two projects arise.</p>
302 | <h3 id="how_to_install_pear"><a href="#how_to_install_pear">How to install PEAR</a></h3>
303 | <p>You can install PEAR by downloading the phar installer and executing it. The PEAR documentation has detailed <a href="http://pear.php.net/manual/en/installation.getting.php">install instructions</a> for every operating system.</p>
304 | <p>If you are using Linux, you can also have a look at your distribution package manager. Debian and Ubuntu for example have a apt <code>php-pear</code> package.</p>
305 | <h3 id="how_to_install_a_package"><a href="#how_to_install_a_package">How to install a package</a></h3>
306 | <p>If the package is listed on the <a href="http://pear.php.net/packages.php">PEAR packages list</a>, you can install it by specifying the official name:</p>
307 | <pre><code>pear install foo</code></pre>
308 | <p>If the package is hosted on another channel, you need to <code>discover</code> the channel first and also specify it when installing. See the <a href="http://pear.php.net/manual/en/guide.users.commandline.channels.php">Using channel docs</a> for more information on this topic.</p>
309 | <ul>
310 | <li><a href="http://pear.php.net/">Learn about PEAR</a></li>
311 | </ul>
312 | <h3 id="handling_pear_dependencies_with_composer"><a href="#handling_pear_dependencies_with_composer">Handling PEAR dependencies with Composer</a></h3>
313 | <p>If you are already using <a href="/#composer_and_packagist">Composer</a> and you would like to install some PEAR code too, you can use Composer to handle your PEAR dependencies. This example will install code from <code>pear2.php.net</code>:</p>
314 | <pre><code>{
315 |     &quot;repositories&quot;: [
316 |         {
317 |             &quot;type&quot;: &quot;pear&quot;,
318 |             &quot;url&quot;: &quot;http://pear2.php.net&quot;
319 |         }
320 |     ],
321 |     &quot;require&quot;: {
322 |         &quot;pear-pear2/PEAR2_Text_Markdown&quot;: &quot;*&quot;,
323 |         &quot;pear-pear2/PEAR2_HTTP_Request&quot;: &quot;*&quot;
324 |     }
325 | }</code></pre>
326 | <p>The first section <code>&quot;repositories&quot;</code> will be used to let Composer know it should “initialise” (or “discover” in PEAR terminology) the pear repo. Then the require section will prefix the package name like this:</p>
327 | <blockquote>
328 | <p>pear-channel/Package</p>
329 | </blockquote>
330 | <p>The “pear” prefix is hardcoded to avoid any conflicts, as a pear channel could be the same as another packages vendor name for example, then the channel short name (or full URL) can be used to reference which channel the package is in.</p>
331 | <p>When this code is installed it will be available in your vendor directory and automatically available through the Composer autoloader:</p>
332 | <blockquote>
333 | <p>vendor/pear-pear2.php.net/PEAR2_HTTP_Request/pear2/HTTP/Request.php</p>
334 | </blockquote>
335 | <p>To use this PEAR package simply reference it like so:</p>
336 | <pre><code>$request = new pear2\HTTP\Request();</code></pre>
337 | <ul>
338 | <li><a href="http://getcomposer.org/doc/05-repositories.md#pear">Learn more about using PEAR with Composer</a></li>
339 | </ul>
340 | <p><a href="#top">Back to Top</a></p>
341 | <h1 id="coding_practices_title"><a href="#coding_practices_title">Coding Practices</a></h1>
342 | <h2 id="the_basics_title"><a href="#the_basics_title">The Basics</a></h2>
343 | <p>PHP is a vast language that allows coders of all levels the ability to produce code not only quickly, but efficiently. However while advancing through the language, we often forget the basics that we first learnt (or overlooked) in favor of short cuts and/or bad habits. To help combat this common issue, this section is aimed at reminding coders of the basic coding practices within PHP.</p>
344 | <ul>
345 | <li>Continue reading on <a href="/pages/The-Basics.html">The Basics</a></li>
346 | </ul>
347 | <h2 id="date_and_time_title"><a href="#date_and_time_title">Date and Time</a></h2>
348 | <p>PHP has a class named DateTime to help you when reading, writing, comparing or calculating with date and time. There are many date and time related functions in PHP besides DateTime, but it provides nice object-oriented interface to most common uses. It can handle time zones, but that is outside this short introduction.</p>
349 | <p>To start working with DateTime, convert raw date and time string to an object with <code>createFromFormat()</code> factory method or do <code>new \DateTime</code> to get the current date and time. Use <code>format()</code> method to convert DateTime back to a string for output.</p>
350 | <pre><code>&lt;?php
351 | $raw = &#39;22. 11. 1968&#39;;
352 | $start = \DateTime::createFromFormat(&#39;d. m. Y&#39;, $raw);
353 | 
354 | echo &#39;Start date: &#39; . $start-&gt;format(&#39;m/d/Y&#39;) . &quot;\n&quot;;</code></pre>
355 | <p>Calculating with DateTime is possible with the DateInterval class. DateTime has methods like <code>add()</code> and <code>sub()</code> that take a DateInterval as an argument. Do not write code that expect same number of seconds in every day, both daylight saving and timezone alterations will break that assumption. Use date intervals instead. To calculate date difference use the <code>diff()</code> method. It will return new DateInterval, which is super easy to display.</p>
356 | <pre><code>&lt;?php
357 | // create a copy of $start and add one month and 6 days
358 | $end = clone $start;
359 | $end-&gt;add(new \DateInterval(&#39;P1M6D&#39;));
360 | 
361 | $diff = $end-&gt;diff($start);
362 | echo &#39;Difference: &#39; . $diff-&gt;format(&#39;%m month, %d days (total: %a days)&#39;) . &quot;\n&quot;;
363 | // Difference: 1 month, 6 days (total: 37 days)</code></pre>
364 | <p>On DateTime objects you can use standard comparison:</p>
365 | <pre><code>&lt;?php
366 | if ($start &lt; $end) {
367 |     echo &quot;Start is before end!\n&quot;;
368 | }</code></pre>
369 | <p>One last example to demonstrate the DatePeriod class. It is used to iterate over recurring events. It can take two DateTime objects, start and end, and the interval for which it will return all events in between.</p>
370 | <pre><code>&lt;?php
371 | // output all thursdays between $start and $end
372 | $periodInterval = \DateInterval::createFromDateString(&#39;first thursday&#39;);
373 | $periodIterator = new \DatePeriod($start, $periodInterval, $end, \DatePeriod::EXCLUDE_START_DATE);
374 | foreach ($periodIterator as $date) {
375 |     // output each date in the period
376 |     echo $date-&gt;format(&#39;m/d/Y&#39;) . &#39; &#39;;
377 | }</code></pre>
378 | <ul>
379 | <li><a href="http://www.php.net/manual/book.datetime.php">Read about DateTime</a></li>
380 | <li><a href="http://www.php.net/manual/function.date.php">Read about date formatting</a> (accepted date format string options)</li>
381 | </ul>
382 | <h2 id="design_patterns_title"><a href="#design_patterns_title">Design Patterns</a></h2>
383 | <p>When you are building your application it is helpful to use common patterns in your code and common patterns for the overall structure of your project. Using common patterns is helpful because it makes it much easier to manage your code and lets other developers quickly understand how everything fits together.</p>
384 | <p>If you use a framework then most of the higher level code and project structure will be based on that framework, so a lot of the pattern decisions are made for you. But it is still up to you to pick out the best patterns to follow in the code you build on top of the framework. If, on the other hand, you are not using a framework to build your application then you have to find the patterns that best suit the type and size of application that you’re building.</p>
385 | <ul>
386 | <li>Continue reading on <a href="/pages/Design-Patterns.html">Design Patterns</a></li>
387 | </ul>
388 | <h2 id="exceptions_title"><a href="#exceptions_title">Exceptions</a></h2>
389 | <p>Exceptions are a standard part of most popular programming languages, but they are often overlooked by PHP programmers. Languages like Ruby are extremely Exception heavy, so whenever something goes wrong such as a HTTP request failing, or a DB query goes wrong, or even if an image asset could not be found, Ruby (or the gems being used) will throw an exception to the screen meaning you instantly know there is a mistake.</p>
390 | <p>PHP itself is fairly lax with this, and a call to <code>file_get_contents()</code> will usually just get you a <code>FALSE</code> and a warning. Many older PHP frameworks like CodeIgniter will just return a false, log a message to their proprietary logs and maybe let you use a method like <code>$this-&gt;upload-&gt;get_error()</code> to see what went wrong. The problem here is that you have to go looking for a mistake and check the docs to see what the error method is for this class, instead of having it made extremely obvious.</p>
391 | <p>Another problem is when classes automatically throw an error to the screen and exit the process. When you do this you stop another developer from being able to dynamically handle that error. Exceptions should be thrown to make a developer aware of an error, then they can choose how to handle this. E.g:</p>
392 | <pre><code>&lt;?php
393 | $email = new Fuel\Email;
394 | $email-&gt;subject(&#39;My Subject&#39;);
395 | $email-&gt;body(&#39;How the heck are you?&#39;);
396 | $email-&gt;to(&#39;guy@example.com&#39;, &#39;Some Guy&#39;);
397 | 
398 | try
399 | {
400 |     $email-&gt;send();
401 | }
402 | catch(Fuel\Email\ValidationFailedException $e)
403 | {
404 |     // The validation failed
405 | }
406 | catch(Fuel\Email\SendingFailedException $e)
407 | {
408 |     // The driver could not send the email
409 | }</code></pre>
410 | <h3 id="spl_exceptions"><a href="#spl_exceptions">SPL Exceptions</a></h3>
411 | <p>The generic <code>Exception</code> class provides very little debugging context for the developer; however, to remedy this, it is possible to create a specialized <code>Exception</code> type by sub-classing the generic <code>Exception</code> class:</p>
412 | <pre><code>&lt;?php
413 | class ValidationException extends Exception {}</code></pre>
414 | <p>This means you can add multiple catch blocks and handle different Exceptions differently. This can lead to the creation of a <em>lot</em> of custom Exceptions, some of which could have been avoided using the SPL Exceptions provided in the <a href="/#standard_php_library">SPL extension</a>.</p>
415 | <p>If for example you use the <code>__call()</code> Magic Method and an invalid method is requested then instead of throwing a standard Exception which is vague, or creating a custom Exception just for that, you could just <code>throw new BadFunctionCallException;</code>.</p>
416 | <ul>
417 | <li><a href="http://php.net/manual/en/language.exceptions.php">Read about Exceptions</a></li>
418 | <li><a href="http://php.net/manual/en/spl.exceptions.php">Read about SPL Exceptions</a></li>
419 | <li><a href="http://www.brandonsavage.net/exceptional-php-nesting-exceptions-in-php/">Nesting Exceptions In PHP</a></li>
420 | <li><a href="http://ralphschindler.com/2010/09/15/exception-best-practices-in-php-5-3">Exception Best Practices in PHP 5.3</a></li>
421 | </ul>
422 | <p><a href="#top">Back to Top</a></p>
423 | <h1 id="databases_title"><a href="#databases_title">Databases</a></h1>
424 | <p>Many times your PHP code will use a database to persist information. You have a few options to connect and interact with your database. The recommended option <em>until PHP 5.1.0</em> was to use native drivers such as <a href="http://php.net/mysql">mysql</a>, <a href="http://php.net/mysqli">mysqli</a>, <a href="http://php.net/pgsql">pgsql</a>, etc.</p>
425 | <p>Native drivers are great if you are only using ONE database in your application, but if, for example, you are using MySQL and a little bit of MSSQL, or you need to connect to an Oracle database, then you will not be able to use the same drivers. You’ll need to learn a brand new API for each database — and that can get silly.</p>
426 | <p>As an extra note on native drivers, the mysql extension for PHP is no longer in active development, and the official status since PHP 5.4.0 is “Long term deprecation”. This means it will be removed within the next few releases, so by PHP 5.6 (or whatever comes after 5.5) it may well be gone. If you are using <code>mysql_connect()</code> and <code>mysql_query()</code> in your applications then you will be faced with a rewrite at some point down the line, so the best option is to replace mysql usage with mysqli or PDO in your applications within your own development schedules so you won’t be rushed later on. <em>If you are starting from scratch then absolutely do not use the mysql extension: use the <a href="http://php.net/mysqli">MySQLi extension</a>, or use PDO.</em></p>
427 | <ul>
428 | <li><a href="http://php.net/manual/en/mysqlinfo.api.choosing.php">PHP: Choosing an API for MySQL</a></li>
429 | </ul>
430 | <h2 id="pdo"><a href="#pdo">PDO</a></h2>
431 | <p>PDO is a database connection abstraction library — built into PHP since 5.1.0 — that provides a common interface to talk with many different databases. PDO will not translate your SQL queries or emulate missing features; it is purely for connecting to multiple types of database with the same API.</p>
432 | <p>More importantly, <code>PDO</code> allows you to safely inject foreign input (e.g. IDs) into your SQL queries without worrying about database SQL injection attacks. This is possible using PDO statements and bound parameters.</p>
433 | <p>Let’s assume a PHP script receives a numeric ID as a query parameter. This ID should be used to fetch a user record from a database. This is the <code>wrong</code> way to do this:</p>
434 | <pre><code>&lt;?php
435 | $pdo = new PDO(&#39;sqlite:users.db&#39;);
436 | $pdo-&gt;query(&quot;SELECT name FROM users WHERE id = &quot; . $_GET[&#39;id&#39;]); // &lt;-- NO!</code></pre>
437 | <p>This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a heartbeat. Just imagine if a hacker passes in an inventive <code>id</code> parameter by calling a URL like <code>http://domain.com/?id=1%3BDELETE+FROM+users</code>. This will set the <code>$_GET['id']</code> variable to <code>1;DELETE FROM users</code> which will delete all of your users! Instead, you should sanitize the ID input using PDO bound parameters.</p>
438 | <pre><code>&lt;?php
439 | $pdo = new PDO(&#39;sqlite:users.db&#39;);
440 | $stmt = $pdo-&gt;prepare(&#39;SELECT name FROM users WHERE id = :id&#39;);
441 | $stmt-&gt;bindParam(&#39;:id&#39;, $_GET[&#39;id&#39;], PDO::PARAM_INT); //&lt;-- Automatically sanitized by PDO
442 | $stmt-&gt;execute();</code></pre>
443 | <p>This is correct code. It uses a bound parameter on a PDO statement. This escapes the foreign input ID before it is introduced to the database preventing potential SQL injection attacks.</p>
444 | <ul>
445 | <li><a href="http://www.php.net/manual/en/book.pdo.php">Learn about PDO</a></li>
446 | </ul>
447 | <p>You should also be aware that database connections use up resources and it was not unheard-of to have resources exhausted if connections were not implicitly closed, however this was more common in other languages. Using PDO you can implicitly close the connection by destroying the object by ensuring all remaining references to it are deleted, ie. set to NULL. If you don’t do this explicitly, PHP will automatically close the connection when your script ends unless of course you are using persistent connections.</p>
448 | <ul>
449 | <li><a href="http://php.net/manual/en/pdo.connections.php">Learn about PDO connections</a></li>
450 | </ul>
451 | <h2 id="abstraction_layers"><a href="#abstraction_layers">Abstraction Layers</a></h2>
452 | <p>Many frameworks provide their own abstraction layer which may or may not sit on top of PDO. These will often emulate features for one database system that another is missing from another by wrapping your queries in PHP methods, giving you actual database abstraction. This will of course add a little overhead, but if you are building a portable application that needs to work with MySQL, PostgreSQL and SQLite then a little overhead will be worth it the sake of code cleanliness.</p>
453 | <p>Some abstraction layers have been built using the PSR-0 namespace standard so can be installed in any application you like:</p>
454 | <ul>
455 | <li><a href="https://github.com/auraphp/Aura.Sql">Aura SQL</a></li>
456 | <li><a href="http://www.doctrine-project.org/projects/dbal.html">Doctrine2 DBAL</a></li>
457 | <li><a href="http://packages.zendframework.com/docs/latest/manual/en/index.html#zend-db">ZF2 Db</a></li>
458 | <li><a href="http://framework.zend.com/manual/en/zend.db.html">ZF1 Db</a></li>
459 | </ul>
460 | <p><a href="#top">Back to Top</a></p>
461 | <h1 id="security_title"><a href="#security_title">Security</a></h1>
462 | <h2 id="web_application_security_title"><a href="#web_application_security_title">Web Application Security</a></h2>
463 | <p>There are bad people ready and willing to exploit your web application. It is important that you take necessary precautions to harden your web application’s security. Luckily, the fine folks at <a href="https://www.owasp.org/">The Open Web Application Security Project</a> (OWASP) have compiled a comprehensive list of known security issues and methods to protect yourself against them. This is a must read for the security-conscious developer.</p>
464 | <ul>
465 | <li><a href="https://www.owasp.org/index.php/Guide_Table_of_Contents">Read the OWASP Security Guide</a></li>
466 | </ul>
467 | <h2 id="password_hashing_title"><a href="#password_hashing_title">Password Hashing</a></h2>
468 | <p>Eventually everyone builds a PHP application that relies on user login. Usernames and passwords are stored in a database and later used to authenticate users upon login.</p>
469 | <p>It is important that you properly <a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function"><em>hash</em></a> passwords before storing them. Password hashing is an irreversible, one way function performed against the users password. This produces a fixed-length string that can not be feasibly reversed. This means you can compare a hash against another to determine if they both came from the same source string, but you can not determine the original string. If passwords are not hashed and your database is accessed by an unauthorized third-party, all user accounts are now compromised. Some users may (unfortunately) use the same password for other services. Therefore, it is important to take security seriously.</p>
470 | <p><strong>Hashing passwords with <code>password_hash</code></strong></p>
471 | <p>In PHP 5.5 <code>password_hash</code> will be introduced. At this time it is using BCrypt, the strongest algorithm currently supported by PHP. It will be updated in the future to support more algorithms as needed though. The <code>password_compat</code> library was created to provide forward compatibility for PHP &gt;= 5.3.7.</p>
472 | <p>Below we hash a string, we then check the hash against a new string. Because our two source strings are different (‘secret-password’ vs. ‘bad-password’) this login will fail.</p>
473 | <pre><code>                                                                                                                                                                                              
474 | &lt;?php                                                                                                                                                                                                            
475 | require &#39;password.php&#39;;
476 | 
477 | $passwordHash = password_hash(&#39;secret-password&#39;, PASSWORD_DEFAULT);
478 | 
479 | if (password_verify(&#39;bad-password&#39;, $passwordHash)) {
480 |     //Correct Password
481 | } else {
482 |     //Wrong password
483 | }</code></pre>
484 | <ul>
485 | <li><a href="http://us2.php.net/manual/en/function.password-hash.php">Learn about <code>password_hash</code></a></li>
486 | <li><a href="https://github.com/ircmaxell/password_compat"><code>password_compat</code> for PHP &gt;= 5.3.7 &amp;&amp; &lt; 5.5</a></li>
487 | <li><a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function">Learn about hashing in regards to cryptography</a></li>
488 | <li><a href="https://wiki.php.net/rfc/password_hash">PHP <code>password_hash</code> RFC</a></li>
489 | </ul>
490 | <h2 id="data_filtering_title"><a href="#data_filtering_title">Data Filtering</a></h2>
491 | <p>Never ever (ever) trust foreign input introduced to your PHP code. Always sanitize and validate foreign input before using it in code. The <code>filter_var</code> and <code>filter_input</code> functions can sanitize text and validate text formats (e.g. email addresses).</p>
492 | <p>Foreign input can be anything: <code>$_GET</code> and <code>$_POST</code> form input data, some values in the <code>$_SERVER</code> superglobal, and the HTTP request body via <code>fopen('php://input', 'r')</code>. Remember, foreign input is not limited to form data submitted by the user. Uploaded and downloaded files, session values, cookie data, and data from third-party web services are foreign input, too.</p>
493 | <p>While foreign data can be stored, combined, and accessed later, it is still foreign input. Every time you process, output, concatenate, or include data in your code, ask yourself if the data is filtered properly and can it be trusted.</p>
494 | <p>Data may be <em>filtered</em> differently based on its purpose. For example, when unfiltered foreign input is passed into HTML page output, it can execute HTML and JavaScript on your site! This is known as Cross-Site Scripting (XSS) and can be a very dangerous attack. One way to avoid XSS is to sanitize all user-generated data before outputting it to your page by removing HTML tags with the <code>strip_tags</code> function or escaping characters with special meaning into their respective HTML entities with the <code>htmlentities</code> or <code>htmlspecialchars</code> functions.</p>
495 | <p>Another example is passing options to be executed on the command line. This can be extremely dangerous (and is usually a bad idea), but you can use the built-in <code>escapeshellarg</code> function to sanitize the executed command’s arguments.</p>
496 | <p>One last example is accepting foreign input to determine a file to load from the filesystem. This can be exploited by changing the filename to a file path. You need to remove ”/”, “../”, <a href="http://php.net/manual/en/security.filesystem.nullbytes.php">null bytes</a>, or other characters from the file path so it can’t load hidden, non-public, or sensitive files.</p>
497 | <ul>
498 | <li><a href="http://www.php.net/manual/en/book.filter.php">Learn about data filtering</a></li>
499 | <li><a href="http://php.net/manual/en/function.filter-var.php">Learn about <code>filter_var</code></a></li>
500 | <li><a href="http://www.php.net/manual/en/function.filter-input.php">Learn about <code>filter_input</code></a></li>
501 | <li><a href="http://php.net/manual/en/security.filesystem.nullbytes.php">Learn about handling null bytes</a></li>
502 | </ul>
503 | <h3 id="sanitization"><a href="#sanitization">Sanitization</a></h3>
504 | <p>Sanitization removes (or escapes) illegal or unsafe characters from foreign input.</p>
505 | <p>For example, you should sanitize foreign input before including the input in HTML or inserting it into a raw SQL query. When you use bound parameters with <a href="#databases">PDO</a>, it will sanitize the input for you.</p>
506 | <p>Sometimes it is required to allow some safe HTML tags in the input when including it in the HTML page. This is very hard to do and many avoid it by using other more restricted formatting like Markdown or BBCode, although whitelisting libraries like <a href="http://htmlpurifier.org/">HTML Purifier</a> exists for this reason.</p>
507 | <p><a href="http://www.php.net/manual/en/filter.filters.sanitize.php">See Sanitization Filters</a></p>
508 | <h3 id="validation"><a href="#validation">Validation</a></h3>
509 | <p>Validation ensures that foreign input is what you expect. For example, you may want to validate an email address, a phone number, or age when processing a registration submission.</p>
510 | <p><a href="http://www.php.net/manual/en/filter.filters.validate.php">See Validation Filters</a></p>
511 | <h2 id="configuration_files_title"><a href="#configuration_files_title">Configuration Files</a></h2>
512 | <p>When creating configuration files for your applications, best practices recommend that one of the following methods be followed:</p>
513 | <ul>
514 | <li>It is recommended that you store your configuration information where it cannot be accessed directly and pulled in via the file system.</li>
515 | <li>If you must store your configuration files in the document root, name the files with a <code>.php</code> extension. This ensures that, even if the script is accessed directly, it will not be outputed as plain text.</li>
516 | <li>Information in configuration files should be protected accordingly, either through encryption or group/user file system permissions</li>
517 | </ul>
518 | <h2 id="register_globals_title"><a href="#register_globals_title">Register Globals</a></h2>
519 | <p><strong>NOTE:</strong> As of PHP 5.4.0 the <code>register_globals</code> setting has been removed and can no longer be used. This is only included as a warning for anyone in the process of upgrading a legacy application.</p>
520 | <p>When enabled, the <code>register_globals</code> configuration setting that makes several types of variables (including ones from <code>$_POST</code>, <code>$_GET</code> and <code>$_REQUEST</code>) available in the global scope of your application. This can easily lead to security issues as your application cannot effectively tell where the data is coming from.</p>
521 | <p>For example: <code>$_GET['foo']</code> would be available via <code>$foo</code>, which can override variables that have not been declared. If you are using PHP &lt; 5.4.0 <strong>make sure</strong> that <code>register_globals</code> is <strong>off</strong>.</p>
522 | <ul>
523 | <li><a href="http://www.php.net/manual/en/security.globals.php">Register_globals in the PHP manual</a></li>
524 | </ul>
525 | <h2 id="error_reporting_title"><a href="#error_reporting_title">Error Reporting</a></h2>
526 | <p>Error logging can be useful in finding the problem spots in your application, but it can also expose information about the structure of your application to the outside world. To effectively protect your application from issues that could be caused by the output of these messages, you need to configure your server differently in development versus production (live).</p>
527 | <h3 id="development"><a href="#development">Development</a></h3>
528 | <p>To show every possible error during <strong>development</strong>, configure the following settings in your <code>php.ini</code>:</p>
529 | <pre><code>display_errors = On
530 | display_startup_errors = On
531 | error_reporting = -1
532 | log_errors = On</code></pre>
533 | <blockquote>
534 | <p>Passing in the value <code>-1</code> will show every possible error, even when new levels and constants are added in future PHP versions. The <code>E_ALL</code> constant also behaves this way as of PHP 5.4. - <a href="http://php.net/manual/function.error-reporting.php">php.net</a></p>
535 | </blockquote>
536 | <p>The <code>E_STRICT</code> error level constant was introduced in 5.3.0 and is not part of <code>E_ALL</code>, however it became part of <code>E_ALL</code> in 5.4.0. What does this mean? In terms of reporting every possible error in version 5.3 it means you must use either <code>-1</code> or <code>E_ALL | E_STRICT</code>.</p>
537 | <p><strong>Reporting every possible error by PHP version</strong></p>
538 | <ul>
539 | <li>&lt; 5.3 <code>-1</code> or <code>E_ALL</code></li>
540 | <li>  5.3 <code>-1</code> or <code>E_ALL | E_STRICT</code></li>
541 | <li>&gt; 5.3 <code>-1</code> or <code>E_ALL</code></li>
542 | </ul>
543 | <h3 id="production"><a href="#production">Production</a></h3>
544 | <p>To hide errors on your <strong>production</strong> environment, configure your <code>php.ini</code> as:</p>
545 | <pre><code>display_errors = Off
546 | display_startup_errors = Off
547 | error_reporting = E_ALL
548 | log_errors = On</code></pre>
549 | <p>With these settings in production, errors will still be logged to the error logs for the web server, but will not be shown to the user. For more information on these settings, see the PHP manual:</p>
550 | <ul>
551 | <li><a href="http://php.net/manual/errorfunc.configuration.php#ini.error-reporting">error_reporting</a></li>
552 | <li><a href="http://php.net/manual/errorfunc.configuration.php#ini.display-errors">display_errors</a></li>
553 | <li><a href="http://php.net/manual/errorfunc.configuration.php#ini.display-startup-errors">display_startup_errors</a></li>
554 | <li><a href="http://php.net/manual/errorfunc.configuration.php#ini.log-errors">log_errors</a></li>
555 | </ul>
556 | <p><a href="#top">Back to Top</a></p>
557 | <h1 id="testing_title"><a href="#testing_title">Testing</a></h1>
558 | <p>Writing automated tests for your PHP code is considered a best practice and can lead to well-built applications. Automated tests are a great tool for making sure your application does not break when you are making changes or adding new functionality and should not be ignored.</p>
559 | <p>There are several different types of testing tools (or frameworks) available for PHP, which use different approaches - all of which are trying to avoid manual testing and the need for large Quality Assurance teams, just to make sure recent changes didn’t break existing functionality.</p>
560 | <h2 id="test_driven_development_title"><a href="#test_driven_development_title">Test Driven Development</a></h2>
561 | <p>From <a href="http://en.wikipedia.org/wiki/Test-driven_development">Wikipedia</a>:</p>
562 | <blockquote>
563 | <p>Test-driven development (TDD) is a software development process that relies on the repetition of a very short development cycle: first the developer writes a failing automated test case that defines a desired improvement or new function, then produces code to pass that test and finally refactors the new code to acceptable standards. Kent Beck, who is credited with having developed or ‘rediscovered’ the technique, stated in 2003 that TDD encourages simple designs and inspires confidence</p>
564 | </blockquote>
565 | <p>There are several different types of testing that you can do for your application</p>
566 | <h3 id="unit_testing"><a href="#unit_testing">Unit Testing</a></h3>
567 | <p>Unit Testing is a programming approach to ensure functions, classes and methods are working as expected, from the point you build them all the way through the development cycle. By checking values going in and out of various functions and methods, you can make sure the internal logic is working correctly. By using Dependency Injection and building “mock” classes and stubs you can verify that dependencies are correctly used for even better test coverage.</p>
568 | <p>When you create a class or function you should create a unit test for each behavior it must have. At a very basic level you should make sure it errors if you send it bad arguments and make sure it works if you send it valid arguments. This will help ensure that when you make changes to this class or function later on in the development cycle that the old functionality continues to work as expected. The only alternative to this would be var_dump() in a test.php, which is no way to build an application - large or small.</p>
569 | <p>The other use for unit tests is contributing to open source. If you can write a test that shows broken functionality (i.e. fails), then fix it, and show the test passing, patches are much more likely to be accepted. If you run a project which accepts pull requests then you should suggest this as a requirement.</p>
570 | <p><a href="http://phpunit.de">PHPUnit</a> is the de-facto testing framework for writing unit tests for PHP applications, but there are several alternatives</p>
571 | <ul>
572 | <li><a href="http://simpletest.org">SimpleTest</a></li>
573 | <li><a href="http://www.enhance-php.com/">Enhance PHP</a></li>
574 | <li><a href="http://punit.smf.me.uk/">PUnit</a></li>
575 | <li><a href="https://github.com/atoum/atoum">atoum</a></li>
576 | </ul>
577 | <h3 id="integration_testing"><a href="#integration_testing">Integration Testing</a></h3>
578 | <p>From <a href="http://en.wikipedia.org/wiki/Integration_testing">Wikipedia</a>:</p>
579 | <blockquote>
580 | <p>Integration testing (sometimes called Integration and Testing, abbreviated “I&amp;T”) is the phase in software testing in which individual software modules are combined and tested as a group. It occurs after unit testing and before validation testing. Integration testing takes as its input modules that have been unit tested, groups them in larger aggregates, applies tests defined in an integration test plan to those aggregates, and delivers as its output the integrated system ready for system testing.</p>
581 | </blockquote>
582 | <p>Many of the same tools that can be used for unit testing can be used for integration testing as many of the same principles are used.</p>
583 | <h3 id="functional_testing"><a href="#functional_testing">Functional Testing</a></h3>
584 | <p>Sometimes also known as acceptance testing, functional testing consists of using tools to create automated tests that actually use your application instead of just verifying that individual units of code are behaving correctly and that individual units can speak to each other correctly. These tools typically work using real data and simulating actual users of the application.</p>
585 | <h4 id="functional_testing_tools"><a href="#functional_testing_tools">Functional Testing Tools</a></h4>
586 | <ul>
587 | <li><a href="http://seleniumhq.com">Selenium</a></li>
588 | <li><a href="http://mink.behat.org">Mink</a></li>
589 | <li><a href="http://codeception.com">Codeception</a> is a full-stack testing framework that includes acceptance testing tools</li>
590 | </ul>
591 | <h2 id="behavior_driven_development_title"><a href="#behavior_driven_development_title">Behavior Driven Development</a></h2>
592 | <p>There are two different types of Behavior-Driven Development (BDD): SpecBDD and StoryBDD. SpecBDD focuses on technical behavior or code, while StoryBDD focuses on business or feature behaviors or interactions. PHP has frameworks for both types of BDD.</p>
593 | <p>With StoryBDD, you write human-readable stories that describe the behavior of your application. These stories can then be run as actual tests against your application. The framework used in PHP applications for StoryBDD is Behat, which is inspired by Ruby’s <a href="http://cukes.info/">Cucumber</a> project and implements the Gherkin DSL for describing feature behavior.</p>
594 | <p>With SpecBDD, you write specifications that describe how your actual code should behave. Instead of testing a function or method, you are describing how that function or method should behave. PHP offers the PHPSpec framework for this purpose. This framework is inspired by the <a href="http://rspec.info/">RSpec project</a> for Ruby.</p>
595 | <h3 id="bdd_links"><a href="#bdd_links">BDD Links</a></h3>
596 | <ul>
597 | <li><a href="http://behat.org/">Behat</a>, the StoryBDD framework for PHP, inspired by Ruby’s <a href="http://cukes.info/">Cucumber</a> project;</li>
598 | <li><a href="http://www.phpspec.net/">PHPSpec</a>, the SpecBDD framework for PHP, inspired by Ruby’s <a href="http://rspec.info/">RSpec</a> project;</li>
599 | <li><a href="http://www.codeception.com">Codeception</a> is a full-stack testing framework that uses BDD principles.</li>
600 | </ul>
601 | <h2 id="complementary_testing_tools_title"><a href="#complementary_testing_tools_title">Complementary Testing Tools</a></h2>
602 | <p>Besides individual testing and behavior driven frameworks, there are also a number of generic frameworks and helper libraries useful for any preferred approach taken.</p>
603 | <h3 id="tool_links"><a href="#tool_links">Tool Links</a></h3>
604 | <ul>
605 | <li><a href="http://seleniumhq.org/">Selenium</a> is a browser automation tool which can be <a href="http://www.phpunit.de/manual/3.1/en/selenium.html">integrated with PHPUnit</a></li>
606 | <li><a href="https://github.com/padraic/mockery">Mockery</a> is a Mock Object Framework which can be integrated with <a href="http://phpunit.de/">PHPUnit</a> or <a href="http://www.phpspec.net/">PHPSpec</a></li>
607 | <li><a href="https://github.com/phpspec/prophecy">Prophecy</a> is a highly opinionated yet very powerful and flexible PHP object mocking framework. It’s integrated with <a href="http://www.phpspec.net/">PHPSpec</a> and can be used with <a href="http://phpunit.de/">PHPUnit</a>.</li>
608 | </ul>
609 | <p><a href="#top">Back to Top</a></p>
610 | <h1 id="servers_and_deployment_title"><a href="#servers_and_deployment_title">Servers and Deployment</a></h1>
611 | <p>PHP applications can be deployed and run on production web servers in a number of ways.</p>
612 | <h2 id="platform_as_a_service_paas_title"><a href="#platform_as_a_service_paas_title">Platform as a Service (PaaS)</a></h2>
613 | <p>PaaS provides the system and network architecture necessary to run PHP applications on the web. This means little to no configuration for launching PHP applications or PHP frameworks.</p>
614 | <p>Recently PaaS has become a popular method for deploying, hosting, and scaling PHP applications of all sizes. You can find a list of <a href="#php_paas_providers">PHP PaaS “Platform as a Service” providers</a> in our <a href="#resources">resources section</a>.</p>
615 | <h2 id="virtual_or_dedicated_servers_title"><a href="#virtual_or_dedicated_servers_title">Virtual or Dedicated Servers</a></h2>
616 | <p>If you are comfortable with systems administration, or are interested in learning it, virtual or dedicated servers give you complete control of your application’s production environment.</p>
617 | <h3 id="nginx_and_phpfpm"><a href="#nginx_and_phpfpm">nginx and PHP-FPM</a></h3>
618 | <p>PHP, via PHP’s built-in FastCGI Process Manager (FPM), pairs really nicely with <a href="http://nginx.org">nginx</a>, which is a lightweight, high-performance web server. It uses less memory than Apache and can better handle more concurrent requests. This is especially important on virtual servers that don’t have much memory to spare.</p>
619 | <ul>
620 | <li><a href="http://nginx.org">Read more on nginx</a></li>
621 | <li><a href="http://php.net/manual/en/install.fpm.php">Read more on PHP-FPM</a></li>
622 | <li><a href="https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/">Read more on setting up nginx and PHP-FPM securely</a></li>
623 | </ul>
624 | <h3 id="apache_and_php"><a href="#apache_and_php">Apache and PHP</a></h3>
625 | <p>PHP and Apache have a long history together. Apache is wildly configurable and has many available <a href="http://httpd.apache.org/docs/2.4/mod/">modules</a> to extend functionality. It is a popular choice for shared servers and an easy setup for PHP frameworks and open source apps like WordPress. Unfortunately, Apache uses more resources than nginx by default and cannot handle as many visitors at the same time.</p>
626 | <p>Apache has several possible configurations for running PHP. The most common and easiest to setup is the <a href="http://httpd.apache.org/docs/2.4/mod/prefork.html">prefork MPM</a> with mod_php5. While it isn’t the most memory efficient, it is the simplest to get working and to use. This is probably the best choice if you don’t want to dig too deeply into the server administration aspects. Note that if you use mod_php5 you MUST use the prefork MPM.</p>
627 | <p>Alternatively, if you want to squeeze more performance and stability out of Apache then you can take advantage of the same FPM system as nginx and run the <a href="http://httpd.apache.org/docs/2.4/mod/worker.html">worker MPM</a> or <a href="http://httpd.apache.org/docs/2.4/mod/event.html">event MPM</a> with mod_fastcgi or mod_fcgid. This configuration will be significantly more memory efficient and much faster but it is more work to set up.</p>
628 | <ul>
629 | <li><a href="http://httpd.apache.org/">Read more on Apache</a></li>
630 | <li><a href="http://httpd.apache.org/docs/2.4/mod/mpm_common.html">Read more on Multi-Processing Modules</a></li>
631 | <li><a href="http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html">Read more on mod_fastcgi</a></li>
632 | <li><a href="http://httpd.apache.org/mod_fcgid/">Read more on mod_fcgid</a></li>
633 | </ul>
634 | <h2 id="shared_servers_title"><a href="#shared_servers_title">Shared Servers</a></h2>
635 | <p>PHP has shared servers to thank for its popularity. It is hard to find a host without PHP installed, but be sure it’s the latest version. Shared servers allow you and other developers to deploy websites to a single machine. The upside to this is that it has become a cheap commodity. The downside is that you never know what kind of a ruckus your neighboring tenants are going to create; loading down the server or opening up security holes are the main concerns. If your project’s budget can afford to avoid shared servers you should.</p>
636 | <h2 id="build_title"><a href="#build_title">Building and Deploying your Application</a></h2>
637 | <p>If you find yourself doing manual database schema changes or running your tests manually before updating your files (manually), think twice! With every additional manual task needed to deploy a new version of your app, the chances for potentially fatal mistakes increase. Whether you’re dealing with a simple update, a comprehensive build process or even a continuous integration strategy, <a href="http://en.wikipedia.org/wiki/Build_automation">build automation</a> is your friend.</p>
638 | <p>Among the tasks you might want to automate are:</p>
639 | <ul>
640 | <li>Dependency management</li>
641 | <li>Compilation, minification of your assets</li>
642 | <li>Running tests</li>
643 | <li>Creation of documentation</li>
644 | <li>Packaging</li>
645 | <li>Deployment</li>
646 | </ul>
647 | <h3 id="build_automation_tools"><a href="#build_automation_tools">Build Automation Tools</a></h3>
648 | <p>Build tools can be described as a collection of scripts that handle common tasks of software deployment. The build tool is not a part of your software, it acts on your software from ‘outside’.</p>
649 | <p>There are many open source tools available to help you with build automation, some are written in PHP others aren’t. This shouldn’t hold you back from using them, if they’re better suited for the specific job. Here are a few examples:</p>
650 | <p><a href="http://www.phing.info/">Phing</a> is the easiest way to get started with automated deployment in the PHP world. With Phing you can control your packaging, deployment or testing process from within a simple XML build file. Phing (which is based on <a href="http://ant.apache.org/">Apache Ant</a>) provides a rich set of tasks usually needed to install or update a web app and can be extended with additional custom tasks, written in PHP.</p>
651 | <p><a href="https://github.com/capistrano/capistrano/wiki">Capistrano</a> is a system for <em>intermediate-to-advanced programmers</em> to execute commands in a structured, repeatable way on one or more remote machines. It is pre-configured for deploying Ruby on Rails applications, however people are <strong>successfully deploying PHP systems</strong> with it. Successful use of Capistrano depends on a working knowledge of Ruby and Rake.</p>
652 | <p>Dave Gardner’s blog post <a href="http://www.davegardner.me.uk/blog/2012/02/13/php-deployment-with-capistrano/">PHP Deployment with Capistrano</a> is a good starting point for PHP developers interested in Capistrano.</p>
653 | <p><a href="http://www.opscode.com/chef/">Chef</a> is more than a deployment framework, it is a very powerful Ruby based system integration framework that doesn’t just deploy your app but can build your whole server environment or virtual boxes.</p>
654 | <p>Chef resources for PHP developers:</p>
655 | <ul>
656 | <li><a href="http://www.jasongrimes.org/2012/06/managing-lamp-environments-with-chef-vagrant-and-ec2-1-of-3/">Three part blog series about deploying a LAMP application with Chef, Vagrant, and EC2</a></li>
657 | <li><a href="https://github.com/opscode-cookbooks/php">Chef Cookbook which installs and configures PHP 5.3 and the PEAR package management system</a></li>
658 | </ul>
659 | <p>Further reading:</p>
660 | <ul>
661 | <li><a href="http://net.tutsplus.com/tutorials/other/automate-your-projects-with-apache-ant/">Automate your project with Apache Ant</a></li>
662 | <li><a href="http://maven.apache.org/">Maven</a>, a build framework based on Ant and <a href="http://www.php-maven.org/">how to use it with PHP</a></li>
663 | </ul>
664 | <h3 id="continuous_integration"><a href="#continuous_integration">Continuous Integration</a></h3>
665 | <blockquote>
666 | <p>Continuous Integration is a software development practice where members of a team integrate their work frequently, usually each person integrates at least daily — leading to multiple integrations per day. Many teams find that this approach leads to significantly reduced integration problems and allows a team to develop cohesive software more rapidly.</p>
667 | </blockquote>
668 | <p><em>– Martin Fowler</em></p>
669 | <p>There are different ways to implement continuous integration for PHP. Recently <a href="https://travis-ci.org/">Travis CI</a> has done a great job of making continuous integration a reality even for small projects. Travis CI is a hosted continuous integration service for the open source community. It is integrated with GitHub and offers first class support for many languages including PHP.</p>
670 | <p>Further reading:</p>
671 | <ul>
672 | <li><a href="http://jenkins-ci.org/">Continuous Integration with Jenkins</a></li>
673 | <li><a href="http://www.phptesting.org/">Continuous Integration with PHPCI</a></li>
674 | <li><a href="http://www.jetbrains.com/teamcity/">Continuous Integration with Teamcity</a></li>
675 | </ul>
676 | <p><a href="#top">Back to Top</a></p>
677 | <h1 id="caching_title"><a href="#caching_title">Caching</a></h1>
678 | <p>PHP is pretty quick by itself, but bottlenecks can arise when you make remote connections, load files, etc. Thankfully, there are various tools available to speed up certain parts of your application, or reduce the number of times these various time consuming tasks need to run.</p>
679 | <h2 id="bytecode_cache_title"><a href="#bytecode_cache_title">Bytecode Cache</a></h2>
680 | <p>When a PHP file is executed, under the hood it is first compiled to bytecode (also known as opcode) and, only then, the bytecode is executed. If a PHP file is not modified, the bytecode will always be the same. This means that the compilation step is a waste of CPU resources.</p>
681 | <p>This is where Bytecode cache comes in. It prevents redundant compilation by storing bytecode in memory and reusing it on successive calls. Setting up bytecode cache is a matter of minutes, and your application will speed up significantly. There’s really no reason not to use it.</p>
682 | <p>Popular bytecodes caches are:</p>
683 | <ul>
684 | <li><a href="http://php.net/manual/en/book.apc.php">APC</a></li>
685 | <li><a href="http://xcache.lighttpd.net/">XCache</a></li>
686 | <li><a href="http://www.zend.com/products/server/">Zend Optimizer+</a> (part of Zend Server package)</li>
687 | <li><a href="http://www.iis.net/download/wincacheforphp">WinCache</a> (extension for MS Windows Server)</li>
688 | </ul>
689 | <h2 id="object_caching_title"><a href="#object_caching_title">Object Caching</a></h2>
690 | <p>There are times when it can be beneficial to cache individual objects in your code, such as with data that is expensive to get or database calls where the result is unlikely to change. You can use object caching software to hold these pieces of data in memory for extremely fast access later on. If you save these items to a data store after you retrieve them, then pull them directly from the cache for following requests, you can gain a significant improvement in performance as well as reduce the load on your database servers.</p>
691 | <p>Many of the popular bytecode caching solutions let you cache custom data as well, so there’s even more reason to take advantage of them. APC, XCache, and WinCache all provide APIs to save data from your PHP code to their memory cache.</p>
692 | <p>The most commonly used memory object caching systems are APC and memcached. APC is an excellent choice for object caching, it includes a simple API for adding your own data to its memory cache and is very easy to setup and use. The one real limitation of APC is that it is tied to the server it’s installed on. Memcached on the other hand is installed as a separate service and can be accessed across the network, meaning that you can store objects in a hyper-fast data store in a central location and many different systems can pull from it.</p>
693 | <p>Note that when running PHP as a (Fast-)CGI application inside your webserver, every PHP process will have its own cache, i.e. APC data is not shared between your worker processes. In these cases, you might want to consider using memcached instead, as it’s not tied to the PHP processes.</p>
694 | <p>In a networked configuration APC will usually outperform memcached in terms of access speed, but memcached will be able to scale up faster and further. If you do not expect to have multiple servers running your application, or do not need the extra features that memcached offers then APC is probably your best choice for object caching.</p>
695 | <p>Example logic using APC:</p>
696 | <pre><code>&lt;?php
697 | // check if there is data saved as &#39;expensive_data&#39; in cache
698 | $data = apc_fetch(&#39;expensive_data&#39;);
699 | if ($data === false) {
700 |     // data is not in cache; save result of expensive call for later use
701 |     apc_add(&#39;expensive_data&#39;, $data = get_expensive_data());
702 | }
703 | 
704 | print_r($data);</code></pre>
705 | <p>Learn more about popular object caching systems:</p>
706 | <ul>
707 | <li><a href="http://php.net/manual/en/ref.apc.php">APC Functions</a></li>
708 | <li><a href="http://memcached.org/">Memcached</a></li>
709 | <li><a href="http://redis.io/">Redis</a></li>
710 | <li><a href="http://xcache.lighttpd.net/wiki/XcacheApi">XCache APIs</a></li>
711 | <li><a href="http://www.php.net/manual/en/ref.wincache.php">WinCache Functions</a></li>
712 | </ul>
713 | <p><a href="#top">Back to Top</a></p>
714 | <h1 id="resources_title"><a href="#resources_title">Resources</a></h1>
715 | <h2 id="from_the_source"><a href="#from_the_source">From the Source</a></h2>
716 | <ul>
717 | <li><a href="http://php.net/">PHP Website</a></li>
718 | <li><a href="http://php.net/docs.php">PHP Documentation</a></li>
719 | </ul>
720 | <h2 id="people_to_follow"><a href="#people_to_follow">People to Follow</a></h2>
721 | <ul>
722 | <li><a href="http://twitter.com/rasmus">Rasmus Lerdorf</a></li>
723 | <li><a href="http://twitter.com/fabpot">Fabien Potencier</a></li>
724 | <li><a href="http://twitter.com/derickr">Derick Rethans</a></li>
725 | <li><a href="http://twitter.com/shiflett">Chris Shiflett</a></li>
726 | <li><a href="http://twitter.com/s_bergmann">Sebastian Bergmann</a></li>
727 | <li><a href="http://twitter.com/weierophinney">Matthew Weier O’Phinney</a></li>
728 | <li><a href="http://twitter.com/padraicb">Pádraic Brady</a></li>
729 | <li><a href="http://twitter.com/ircmaxell">Anthony Ferrara</a></li>
730 | <li><a href="http://twitter.com/nikita_ppv">Nikita Popov</a></li>
731 | </ul>
732 | <h2 id="mentoring"><a href="#mentoring">Mentoring</a></h2>
733 | <ul>
734 | <li><a href="http://phpmentoring.org/">phpmentoring.org</a> - Formal, peer to peer mentoring in the PHP community.</li>
735 | </ul>
736 | <h2 id="php_paas_providers"><a href="#php_paas_providers">PHP PaaS Providers</a></h2>
737 | <ul>
738 | <li><a href="https://pagodabox.com/">PagodaBox</a></li>
739 | <li><a href="https://appfog.com/">AppFog</a></li>
740 | <li><a href="https://heroku.com">Heroku</a> (PHP support is undocumented but based on stable Facebook partnership <a href="http://net.tutsplus.com/tutorials/php/quick-tip-deploy-php-to-heroku-in-seconds/">link</a>)</li>
741 | <li><a href="http://fortrabbit.com/">fortrabbit</a></li>
742 | <li><a href="http://www.engineyard.com/products/orchestra/">Engine Yard Orchestra PHP Platform</a></li>
743 | <li><a href="http://www.redhat.com/products/cloud-computing/openshift/">Red Hat OpenShift Platform</a></li>
744 | <li><a href="http://docs.dotcloud.com/services/php/">dotCloud</a></li>
745 | <li><a href="http://aws.amazon.com/elasticbeanstalk/">AWS Elastic Beanstalk</a></li>
746 | <li><a href="https://www.cloudcontrol.com/">cloudControl</a></li>
747 | <li><a href="http://www.windowsazure.com/">Windows Azure</a></li>
748 | <li><a href="http://www.phpcloud.com/develop">Zend Developer Cloud</a></li>
749 | <li><a href="https://developers.google.com/appengine/docs/php/gettingstarted/">Google App Engine</a></li>
750 | </ul>
751 | <h2 id="frameworks_title"><a href="#frameworks_title">Frameworks</a></h2>
752 | <p>Rather than re-invent the wheel, many PHP developers use frameworks to build out web applications. Frameworks abstract away many of the low-level concerns and provide helpful, easy-to-use interfaces to complete common tasks.</p>
753 | <p>You do not need to use a framework for every project. Sometimes plain PHP is the right way to go, but if you do need a framework then there are three main types available:</p>
754 | <ul>
755 | <li>Micro Frameworks</li>
756 | <li>Full-Stack Frameworks</li>
757 | <li>Component Frameworks</li>
758 | </ul>
759 | <p>Micro-frameworks are essentially a wrapper to route a HTTP request to a callback, controller, method, etc as quickly as possible, and sometimes come with a few extra libraries to assist development such as basic database wrappers and the like. They are prominently used to build remote HTTP services.</p>
760 | <p>Many frameworks add a considerable number of features on top of what is available in a micro-framework and these are known Full-Stack Frameworks. These often come bundled with ORMs, Authentication packages, etc.</p>
761 | <p>Component-based frameworks are collections of specialized and single-purpose libraries. Disparate component-based frameworks can be used together to make a micro- or full-stack framework.</p>
762 | <ul>
763 | <li><a href="https://github.com/codeguy/php-the-right-way/wiki/Frameworks">Popular PHP Frameworks</a></li>
764 | </ul>
765 | <h2 id="components_title"><a href="#components_title">Components</a></h2>
766 | <p>As mentioned above “Components” are another approach to the common goal of creating, distributing and implementing shared code. Various component repositories exist, the main two of which are:</p>
767 | <ul>
768 | <li><a href="/#composer_and_packagist">Packagist</a></li>
769 | <li><a href="/#pear">PEAR</a></li>
770 | </ul>
771 | <p>Both of these repositories have command line tools associated with them to help the installation and upgrade processes, and have been explained in more detail in the <a href="/#dependency_management">Dependency Management</a> section.</p>
772 | <p>There are also component-based frameworks, which allow you to use their components with minimal (or no) requirements. For example, you can use the <a href="https://github.com/fuelphp/validation">FuelPHP Validation package</a>, without needing to use the FuelPHP framework itself. These projects are essentially just another repository for reusable components:</p>
773 | <ul>
774 | <li><a href="http://auraphp.github.com/">Aura</a></li>
775 | <li><a href="https://github.com/fuelphp">FuelPHP (2.0 only)</a></li>
776 | <li><a href="https://github.com/illuminate">Laravel’s “Illuminate Components”</a></li>
777 | <li><a href="http://symfony.com/doc/current/components/index.html">Symfony Components</a></li>
778 | </ul>
779 | <p><a href="#top">Back to Top</a></p>
780 | <ul style="font-size: 80%;">
781 | <li><a href="http://twitter.com/codeguy">Josh Lockhart</a></li>
782 | <li><a href="http://krisjordan.com/">Kris Jordan</a></li>
783 | <li><a href="http://philsturgeon.co.uk/">Phil Sturgeon</a></li>
784 | <li><a href="http://www.newmediacampaigns.com">New Media Campaigns</a></li>
785 | <li>Licensed <a href="http://creativecommons.org/licenses/by-nc-sa/3.0/">CC Attribution-NonCommercial-ShareAlike 3.0 ... </a>.</li>
786 | </ul>
787 | </body>
788 | </html>
789 | 


--------------------------------------------------------------------------------