inanimatt.com • Matt Robinson

Learning PHP?

Everyone's got their own way of learning PHP, and there are loads of good books and tutorials already. Here are some general tips and some golden rules that ought to help you however you choose to learn.

Caveat lector

Feel free to send me corrections! I know I'm not always right, and I do appreciate learning new stuff.

The golden rules

There's something about PHP that attracts really bad coding, and when it's bad, it's usually because someone broke one of the golden rules:

  1. Filter your input
  2. Escape your output
  3. Use UTF-8
  4. Use prepared statements
  5. Keep your code clear and simple
  6. Use source control

Make sure your learning material is up to date.

A lot's happened in the last few years, and best practices usually get better. If the book or site you're reading talks about $HTTP_POST_VARS, for example, it's out of date and may have some pretty poor advice in it. Even if it's right, it might be missing out on some cool stuff that'll either save you time, or be easier to learn.

The PHP manual is your friend

(a weirdly deformed and sometimes inscrutable one, but…) Anyway, what's so great about it is the user comments – I guarantee that someone's had the same problem you're having, and lived to share their experience.

Security isn't a chapter in a book, it's a whole approach to programming.

It applies to everything you learn and do in PHP, and if you get that early on, writing secure code will be second nature. Learn what ‘output escaping’ means, learn what ‘input filtering’ means. Always do both. If your learning material gives you examples like $myVar = $_POST['myVar']; and doesn't immediately follow it with why that might be bad, find something else to read.
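
The first four golden rules applied to one small form submission, as an added example (not code from the original article). The `$post` array is constructed sample input standing in for `$_POST`, and the helper names `filterAge`, `filterName` and `e`, the `people` table and the in-memory SQLite database are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample input standing in for $_POST so this runs from the CLI.
$post = ['name' => "Zoë <b>O'Neil</b>", 'age' => '27'];

// Rule 1, filter input: accept only what the field is allowed to be.
function filterAge($raw): ?int
{
    $age = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    return $age === false ? null : $age;
}

// Rules 1 and 3: the /u flag makes PCRE reject invalid UTF-8, and the
// pattern limits the name to 1-100 characters (characters, not bytes).
function filterName($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $name = trim($raw);
    return preg_match('/^.{1,100}\z/su', $name) === 1 ? $name : null;
}

// Rule 2, escape output: encode for the context it is printed into (HTML here).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$name = filterName($post['name'] ?? null);
$age  = filterAge($post['age'] ?? null);
if ($name === null || $age === null) {
    exit("Invalid input\n");
}

// Rule 4, prepared statements: values are bound, never pasted into the SQL.
// The in-memory SQLite database and `people` table are assumptions.
$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE people (name TEXT NOT NULL, age INTEGER NOT NULL)');
$insert = $db->prepare('INSERT INTO people (name, age) VALUES (:name, :age)');
$insert->execute([':name' => $name, ':age' => $age]);

// Data read back from the database is escaped on the way out too.
foreach ($db->query('SELECT name, age FROM people') as $row) {
    echo '<li>', e($row['name']), ' (', (int) $row['age'], ")</li>\n";
}
```

The name is stored exactly as typed and only encoded at the point it is written into HTML, which is why filtering and escaping are separate steps.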

Don't worry about performance or optimisation yet.

Focus on simplicity and (if you're feeling cocky) elegance. If you start to think about making code faster when your project's not finished, your code will be harder to read, maintain and debug. Worse, you don't know what really needs improving until people start using it. To really make things faster, you need experience in how your project fits together, how people use it, and how PHP works (and HTTP, and Unix, and web browsers…). If you're just starting out, you may find yourself wasting time early in a project only to find you've missed the bottleneck. There's a saying that a busy site is a nice problem to have to deal with - it means you concentrated on making a good site that people go to. That's when you can sit down and figure out if it'll be better to rewrite bits of it, or just buy more servers.

Don't reinvent the wheel.

Someone else has probably had more time to make and fix the thing you need. If your code needs to read RSS, use something like SimplePie. If you need to filter HTML, use something like HTMLPurifier. If you write your own, you'll miss out on years of cumulative testing and shared wisdom. Not always true, of course; starting from scratch can mean getting a clean break from the mistakes of the past, refocusing on clarity and simplicity, and trimming off bloat and kludges. The price of that hubris is that you're doomed to spend a lot of time repeating at least some of the mistakes of the past. Never assume that starting from scratch will be quicker, and plan to spend a lot of time fixing bugs.

Frameworks give you discipline and consistency.

They're not always the right (or even easiest) way to code, but all projects made with that framework will have the same file and folder structure, and coding conventions. They'll probably have a lot more in common too. This makes it easier for you (and others) to find the code you need if you're coming back to it after a long time, it makes it easier to reuse code between projects, and it also means that a lot of the things that can go wrong with your project will go wrong in familiar ways, instead of new and exciting ways. Obviously you don't need a framework to have consistent code, but it definitely helps. Most MVC-ish PHP frameworks (like CakePHP and Symfony) encourage the discipline of separating your code into a logical structure, which can save you a lot of time, and make it a lot easier to reuse code between projects. They're also written using best practice coding standards, so they're a great source of inspiration and good examples.

Find a source control system, and learn to love it.

If you're working on your own or in a small group, then Subversion is straightforward and has a bunch of desktop interfaces like Versions or TortoiseSVN. You can even get free Subversion hosting from places like Beanstalk, which means you get source control and offsite backup. Bonus! Using source control means you can get to your code whenever you want, and you have the unlimited ability to undo changes, which means you can be adventurous and experiment with large chunks of code. That's really, really handy when you're learning.

Keep your database connection details outside of the web folder.

Most of the time, the whole internet doesn't need access to all your code. If you've kept your display code separate from your control code, there's really no reason to keep most of it in the public web folder, so don't. If that's not possible, block web access to the folder it's in by using something like a .htaccess file, but bear in mind that if anything goes wrong with your server configuration, those files may become readable and your secrets revealed to anyone who cares to look. I know I'll sound like a scratched record when I say this, but frameworks can really help.
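
One way to enforce that layout in code, as an added example (not from the original article): a loader that refuses to read connection details from any file inside the web folder. The function names `isUnderWebRoot` and `loadDbConfig`, the `config/` and `public/` directory names and the credential values are assumptions, and the directory tree is constructed in a temp folder so the script runs on its own.

```php
<?php
declare(strict_types=1);

// True when $path resolves (symlinks included) to a location under $webRoot.
function isUnderWebRoot(string $path, string $webRoot): bool
{
    $real = realpath($path);
    $root = realpath($webRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Path does not exist');
    }
    // Compare with a trailing separator so "public_old" does not match "public".
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real . DIRECTORY_SEPARATOR, $root, strlen($root)) === 0;
}

// Load connection details, refusing any file the web server could serve.
function loadDbConfig(string $configFile, string $webRoot): array
{
    if (isUnderWebRoot($configFile, $webRoot)) {
        throw new RuntimeException('Refusing to load credentials from inside the web folder');
    }
    return require $configFile;
}

// Constructed layout:
//   <base>/config/database.php   private, never served
//   <base>/public/               the web folder
$base = sys_get_temp_dir() . '/example_app_' . bin2hex(random_bytes(4));
mkdir("$base/config", 0700, true);
mkdir("$base/public", 0755, true);
$config = "<?php return ['dsn' => 'sqlite::memory:', 'user' => 'app', 'pass' => 'placeholder'];";
file_put_contents("$base/config/database.php", $config);
file_put_contents("$base/public/database.php", $config); // the misplaced copy

$settings = loadDbConfig("$base/config/database.php", "$base/public");
echo "Loaded DSN: {$settings['dsn']}\n";

try {
    loadDbConfig("$base/public/database.php", "$base/public");
} catch (RuntimeException $ex) {
    echo $ex->getMessage(), "\n";
}

// Clean up the constructed files.
array_map('unlink', glob("$base/*/*.php"));
rmdir("$base/config");
rmdir("$base/public");
rmdir($base);
```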

Don't use PHP when you don't need to.

This one can be a tough lesson to learn, especially when you're in the honeymoon period you get when you learn a new language. When you're building a new site, think about how you're going to use it, how often you're going to update it, and weigh that up against the cost of making the whole site dynamic or CMS-backed. Most of the time, you don't need to have a script fetching a page from a database every time someone comes to your site, and even though caching can help a lot, you could probably go even further. If you only update every few weeks, think about keeping your dynamic stuff offline and making it spit out HTML files that you upload to your site. It's not just faster and safer, you get to avoid learning about all the hardcore performance stuff, because web servers do most of it for you when they're just handling static files.