Some of the Best Practices for Beginner Web Developers to be followed.

Bitopan Das
Aug 31, 2018 · 3 min read
Image Source: https://en.wikipedia.org/wiki/PHP

If you are a beginner-level web developer still working in procedural PHP, this article is for you. I have summarized some of the best practices web developers should follow.

Disclaimer: If you are an intermediate-level developer, then this article is not for you.

1. Use the GET method in forms only for SELECT queries. For INSERT, UPDATE and DELETE, always use the POST method.

2. All parameters, in both GET and POST, are to be sanitized. If there is a MySQL database connection, the mysql_real_escape_string() function will do the work; otherwise, google for a better sanitizer function.

3. No SELECT query should use (*). Be specific about the database table columns you want retrieved.

4. Each form should include a hidden input for a session token. The reason is to stop CSRF attacks. The hidden input will contain the value of a session variable, say ‘token’. Once the form is submitted, the page first checks whether the token value that comes from the form is the same as the session token value, i.e.

if ($_POST['token'] == $_SESSION['token'])

If false, the page is redirected back to the form and no database query is executed.

5. If you include a file whose name comes from the URL, define the allowed names explicitly on the page and check for file inclusion vulnerabilities. E.g. if your URL looks like

http://example.com/some-page

And your code looks like

<?php
$url_parts = explode("/", any_current_page_url_function()); // e.g. "http://example.com/some-page"
$page = end($url_parts);                                     // $page is whatever the client put in the URL
include $page . ".php";                                      // includes a client-chosen file name
?>

It will lead to file inclusion vulnerabilities. Your code should look like this instead:

<?php
$url_parts = explode("/", current_page_url_function());
$page = end($url_parts);
if ($page == "some-page") {      // only an explicitly listed page name is ever included
    include "some-page.php";
}
?>

6. Always check for XSS (Cross-site Scripting) vulnerabilities. If you are ‘echo’-ing any value that comes in by either the GET or the POST method, always be sure to use the htmlspecialchars() function. This function converts the predefined HTML characters to HTML entities and stops the XSS.
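As an added example, not from the original article: one form-handling page that applies the session-token check from item 4 and the htmlspecialchars() escaping from item 6. The "comment" field, the helper names token_is_valid() and e(), and the use of hash_equals() (a strict, constant-time comparison, used here in place of ==) are this example's own choices.

```php
<?php
// Added example (not from the article). Assumes a single form field "comment";
// token_is_valid() and e() are this example's own helpers, not a library API.
session_start();

// Item 4: create the session token once per session, from a CSPRNG.
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}

// Item 4: the check the article describes. hash_equals() requires both values to be
// strings of equal content and compares them in constant time; is_string() keeps a
// "token[]=" array from reaching it.
function token_is_valid(array $post, array $session): bool
{
    return isset($post['token'], $session['token'])
        && is_string($post['token'])
        && hash_equals($session['token'], $post['token']);
}

// Item 6: escape every value that goes back into HTML (quotes included).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_is_valid($_POST, $_SESSION)) {
        // Token missing or mismatched: redirect back to the form, run no query.
        header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
        exit;
    }
    // Token matched: this is where the INSERT/UPDATE/DELETE would run.
    $message = 'Saved: ' . e($_POST['comment'] ?? '');
}
?>
<!doctype html>
<p><?= $message ?></p>
<form method="post">
  <input type="hidden" name="token" value="<?= e($_SESSION['token']) ?>">
  <textarea name="comment"><?= e($_POST['comment'] ?? '') ?></textarea>
  <button type="submit">Save</button>
</form>
```

Submitting the form without the hidden token, or with a token from another session, produces the redirect and no database work; a comment containing `<script>` is rendered as text.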

7. When a project is in development mode, display_errors should always be ON, so that the page renders all the errors, warnings and notices.

8. Avoid using $_POST[some_string]; use $_POST["some_string"] instead (notice the double quotes). The some_string part in the former is treated as a CONSTANT, and as you have not defined it as a CONSTANT, it produces errors/warnings, so the error_log file grows day by day and the page needs more execution time. Remember that when you set display_errors to ‘OFF’, it merely stops displaying the errors, warnings and notices; they are still there.

9. For arrays that are not defined earlier, i.e. dynamic arrays, be sure to check with the is_array() function before any iteration or foreach loop. E.g.

<?php
if (is_array($items) && count($items)) { // This line is required.
    foreach ($items as $item) {
        // code goes here
    }
}
?>

10. For file uploads, explicitly define the maximum file size and the allowed file types in your PHP code. Also, do not store a huge number of files together; programmatically create sub-folders to store them. It helps with managing the files.
