Internet Bandaid

Code Details – Best Practice


1) USE PREPARED STATEMENTS/PARAMETER BINDS

In your model, I see you doing something good by sanitizing input before binding to a query:

$result = mysqli_query($GLOBALS['dbcon'], "SELECT * FROM tbl_automobiles where automobile_id=" . ((int)$id));

To make things easier, mysqli (and the PDO db library) has something called prepared statements that lets you bind parameters. I'm going to use some pseudocode right now to demonstrate:

$stmt = $PDO->prepare("SELECT * FROM tbl_automobiles WHERE automobile_id = :id AND model LIKE :somemodel");
$stmt->bindValue(':id', (int)$_GET['id'], PDO::PARAM_INT);
$stmt->bindValue(':somemodel', '%mercedes%', PDO::PARAM_STR);
$stmt->execute();
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);

Again, this is pseudocode, so my syntax might be wrong. But hopefully you get the idea that you can have "placeholders" for variables in your prepared statement, then use a bind function to assign the appropriate values and value types to them. This is one of the common ways to prevent SQL injection, which you are probably aware of (if not, do a Google search on it, because it's a short but important read).

So for your assignment, try to incorporate mysqli’s prepared statements when you need to pass parameters to your queries.
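Since the assignment calls for mysqli rather than PDO, here is the same query written with a mysqli prepared statement. This is an added example, not code from the original post; the connection values are placeholders, and the `$_GET` parameter names `id` and `model` are assumed. It also covers one case the text does not mention: `%` and `_` are wildcards inside a `LIKE` pattern, so they are escaped before the user's text is wrapped in `%...%`.

```php
<?php
// Added example (not from the original post): the tbl_automobiles query
// rewritten with a mysqli prepared statement. Connection details are
// placeholders; $_GET['id'] and $_GET['model'] are assumed request inputs.

// Throw exceptions on driver errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$db->set_charset('utf8mb4');

/**
 * Look up automobiles by id and an optional model substring.
 * The SQL text contains only "?" placeholders; user values are sent
 * separately by the driver and never become part of the query string.
 */
function findAutomobiles(mysqli $db, $id, $model)
{
    // bind_param() binds by reference, so the values must live in variables.
    $id = (int)$id;

    // In a LIKE pattern, % and _ are wildcards and \ is the escape character.
    // Escape them so a user typing "100%" searches for that literal text
    // instead of matching every row.
    $pattern = '%' . addcslashes((string)$model, '%_\\') . '%';

    $stmt = $db->prepare(
        'SELECT * FROM tbl_automobiles WHERE automobile_id = ? AND model LIKE ?'
    );
    // Type string "is": first placeholder is an integer, second a string.
    $stmt->bind_param('is', $id, $pattern);
    $stmt->execute();

    // get_result() requires the mysqlnd driver; use bind_result() otherwise.
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();

    return $rows;
}

// Validate at the edge: a missing or non-numeric id becomes 0, not SQL text.
$id    = isset($_GET['id'])    ? (int)$_GET['id']       : 0;
$model = isset($_GET['model']) ? (string)$_GET['model'] : '';

foreach (findAutomobiles($db, $id, $model) as $car) {
    // Output is escaped as well, for the reason given in point 4 below.
    echo htmlspecialchars($car['model'], ENT_QUOTES, 'UTF-8'), "<br />\n";
}
```

The `(int)` cast from the original code is still useful as input validation, but it is no longer what protects the query: with `bind_param()` the database receives the query text and the values separately, so even a string parameter cannot change the structure of the statement.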

2) PHP SHORT HAND ECHO NOTATION – I see you use PHP short hand echo notation like <?=$somevariable ?>. Short tags are sometimes turned off on our customers' servers, which means the page would give a parse error. We usually have no control over how customer servers are set up, so we should stick with <?php echo $somevariable; ?> to be safe.

The fact that you used PHP shorthand notation is a sign that you’ve done programming before, as such a feature is available in most templating languages. It’s just a shame that not every server has it enabled by default (probably because LAMP servers often render many serverside scripts like php, python, perl etc… and apache might not know if <?= $something ?> is a php, perl or python variable.)

3) SINGLE QUOTES vs. DOUBLE QUOTES – I see you used single quotes here like this <table border='1'> for HTML attributes, but everywhere else you use double quotes. Generally, we should pick one format and stick to it. We've been used to using double quotes.

4) SANITIZE OUTPUT WITH htmlspecialchars() – I see code like <input value="<?php echo $_POST['body_content']; ?>" />. This is very dangerous, because if $_POST['body_content'] has the following value:

"/><script type="text/javascript" language="javascript">location.href="http://virus.com";</script><input type="

Then a user will be redirected to a virus website. You should instead have code like this:

<input value="<?php echo htmlspecialchars($_POST['body_content']); ?>" />

This encodes the dangerous HTML characters. You can also htmlspecialchars() all variables prior to binding them to the view.
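The following is an added example, not code from the original post, showing an escaping helper plus the "escape everything before binding to the view" approach from the last sentence. Two details matter in practice that the one-liner above leaves implicit: `ENT_QUOTES` so the helper is also safe inside single-quoted attributes, and an explicit charset. The `$_POST['body_content']` value is constructed here from the payload quoted above so the script runs offline; the helper names `e()` and `escapeForView()` are my own.

```php
<?php
// Added example (not from the original post): output escaping for the
// body_content case above, plus escaping a whole set of view variables.

/**
 * Escape one value for use in HTML text or a quoted attribute.
 * ENT_QUOTES converts ' as well as " so the result is safe in value='...'
 * and value="..."; the charset argument avoids encoding-dependent bypasses.
 * Assumes UTF-8 pages.
 */
function e($value)
{
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

/**
 * Escape every scalar in an array of view variables, recursing into nested
 * arrays, so a template can echo them without remembering to call e().
 * Note: do this once, at render time. Escaping when saving to the database
 * and again when rendering double-encodes: &quot; becomes &amp;quot; and
 * the page shows the entity text literally.
 */
function escapeForView(array $vars)
{
    $out = array();
    foreach ($vars as $name => $value) {
        $out[$name] = is_array($value) ? escapeForView($value) : e($value);
    }
    return $out;
}

// Constructed input: the redirect payload from the post, as a user might submit it.
$_POST['body_content'] = '"/><script type="text/javascript" language="javascript">'
                       . 'location.href="http://virus.com";</script><input type="';

$unsafe = '<input value="' . $_POST['body_content'] . '" />';
$safe   = '<input value="' . e($_POST['body_content']) . '" />';

// The unsafe markup contains a live <script> element; the escaped markup does
// not, because every < > " ' & in the value has become an entity.
printf("unsafe contains <script: %s\n", strpos($unsafe, '<script') !== false ? 'yes' : 'no');
printf("safe contains <script:   %s\n", strpos($safe, '<script') !== false ? 'yes' : 'no');
echo $safe, "\n";

// Escaping everything up front, then echoing plain variables in the view.
$view = escapeForView(array(
    'title'        => 'Find a car',
    'body_content' => $_POST['body_content'],
    'filters'      => array('model' => "Mercedes' <A-Class>"),
));
echo '<h1>', $view['title'], "</h1>\n";
echo '<input value="', $view['body_content'], "\" />\n";
echo "<input value='", $view['filters']['model'], "' />\n";
```

If you escape at the view-binding step as in `escapeForView()`, keep the raw values out of the template entirely; otherwise it is easy to echo the unescaped copy by mistake and lose the protection.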

5) USE HYPHENS INSTEAD OF UNDERSCORES IN FILE NAMES FOR SEO – instead of find_a_car.automobile.php, try something like find-a-car-automobile.php. If these pages are ever exposed to Google search, then search engine optimization (SEO) practice is to use hyphens to denote spaces between words. This enables Google to better understand what your page is about, improving visibility in Google search result pages.

Written by John Lai

March 18th, 2014 at 8:30 am

Posted in Uncategorized

