SQL conventions
case sensitive
- all the SQL keywords must be written in uppercase: SELECT, AS, GROUP BY
- other elements like table names, column names and functions must be in lowercase.
null value
- you should have coalesce() around all strings that may be null.
- add a special case in the JOIN / WHERE condition if the value may be null.
avoid "*"
- avoid writing queries like "SELECT * FROM users;"
sub query
- avoid subqueries; they are sometimes slower than a JOIN (needs to be tested on a case-by-case basis)
UNION
- some simple SELECT queries combined with UNION, INTERSECT or EXCEPT are much faster than one big query, and easier to read.
Rollback
- if you updated something in postgres, you need to create rollback and verify files in the same ticket.
-- keywords uppercase, identifiers lowercase; the nullable string is wrapped in coalesce()
SELECT f.f_id, coalesce(f.f_visa_type, 'no_visa_type') AS f_visa_type
FROM forms AS f
JOIN actions AS appt
  ON appt.a_when::date = '2013-01-01'
  AND appt.a_what = 'attend_appointment'
  AND appt.a_form = f.f_id
JOIN forms_infos AS fi
  ON fi.fi_xref_f_id = f.f_id
  AND fi.fi_type = 'is_vip'
  -- fi_value may be NULL, so the join condition handles that case explicitly
  AND (trim(fi.fi_value) = 'no' OR fi.fi_value IS NULL)
WHERE f.f_is_anonymised = 'f'
  AND f.f_tech_deleted = 'f';
PHP conventions
PHP tags
- always use "<?php", never use "<?"
PHP comments
- we keep comments as clean as possible; a false comment is worse than no comment at all.
- "self-commenting code" is preferable; we achieve this with plain English function names that describe what they do.
- multi-line comments are written as /* ... */ blocks
- avoid commenting out code, since the old code can be found in git.
PHP indentation
- we use 2 / 4 spaces of indent, never tabs
- line width: no more than 140 characters
- put a space between parameters, array items and some operators.
PHP common rules
- one line of code should do one and only one thing; avoid "if ($ok = func_test())"
PHP value assignment
- avoid constants such as define('WE_DONT_LIKE_CONSTANTS', true); use our configurator instead.
- don't nest ternary expressions
- the ternary condition must always be enclosed in parentheses
- use a ternary expression only for simple cases like: $a = ($b <= 3.99) ? $c : "some_value";
- $a = 1; $b = 2; is a bad idea, don't try to save lines.
PHP function
- you could create a little helper function outside an object:
function my_helper_function($first_param, $second_param = 'default')
{
  // a plain function outside a class takes no visibility keyword, and
  // parameters with a default value must come after the required ones
}
- function names must be lowercase_underscored, as must the parameters
- a function body should not be more than 50 lines
- never use echo inside functions or methods
PHP class
- UpperCamelCase for class names
- lowerCamelCase for class properties
- always set a default value for class properties
- always specify the scope, and use the most restricted scope that works (private / protected / public)
PHP class functions
- lowerCamelCase for methods; better to have a verb in the method name, like getUserName()
- local variables are lower_case_with_underscores
- array names are better with an 's'
- don't use req('') in class functions, it breaks the isolation. The requested or configuration value should be passed in as a parameter.
public function sampleClassMethod($a, $b)
{
  $a_string = 'foo';   // local variable: lower_case_with_underscores
  $strings = array();  // array name carries an 's'
  foreach ($strings as $string) {
    if ($string == 'bar') return false;
    if ($string == 'SKIP') continue;
    if ($string == 'baz') do_stuff();
  }
  if ($a == $b) return true;
  return false;
}
Security
- never use eval($text); the content of $text will be executed as PHP code.
- all content must be escaped before going out, using e_html() or e_val(), to avoid XSS (cross-site scripting)
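An added example of the escaping rule above; it is not the project's e_html() or e_val(), and the helper name e_html_example and the render function are assumptions. It shows that the same untrusted string has to be escaped in every HTML context it lands in, here a text node and an attribute value, and that the function returns the markup rather than echoing it, in keeping with the "never use echo inside functions" rule.

```php
<?php
// Added example (assumed helper; not the project's e_html()): escape
// untrusted text before it goes into HTML. htmlspecialchars() is the
// standard PHP primitive for the HTML text/attribute context.

function e_html_example($text)
{
  // ENT_QUOTES also escapes single quotes, so the result is safe inside
  // both double- and single-quoted attributes; ENT_SUBSTITUTE replaces
  // invalid UTF-8 instead of returning an empty string.
  return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_greeting($user_name)
{
  // Both the attribute value and the text node are escaped; returned, not echoed.
  return '<p title="' . e_html_example($user_name) . '">Hello, '
       . e_html_example($user_name) . '</p>';
}

// Constructed input: if echoed raw it would be parsed as a tag, not as text.
$name = '<img src=x onerror="alert(1)">';
echo render_greeting($name), "\n";
// <p title="&lt;img src=x onerror=&quot;alert(1)&quot;&gt;">Hello, &lt;img src=x onerror=&quot;alert(1)&quot;&gt;</p>
```

Escaping for HTML is not enough for other sinks: a value placed inside a JavaScript string, a URL, or a CSS block needs the encoding of that context, which is why the page's rule distinguishes e_html() from e_val().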
- all input must be filtered according to "url_params_filter.csv" in the req() function.
- never use $_GET[], $_POST, $_REQUEST directly; use req() instead
- all SQL queries must be done with DB::q($sql, $sql_params); the variables in the SQL query must be replaced by "%s / %i / %n" placeholders to prevent SQL injection.
$sql = "SELECT me FROM group WHERE name = %s";
$sql_params = array("me");
$res = DB::q($sql, $sql_params);
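An added example of why the placeholder rule exists; it is not the project's DB::q() and uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs stand-alone. The table, rows and the input string are constructed. The first function pastes the value into the SQL text, the second binds it as a parameter, which is the same idea as passing $sql_params to DB::q().

```php
<?php
// Added example (not the project's DB::q API): the same lookup written
// with string concatenation and with a PDO prepared statement.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)");
$db->exec("INSERT INTO groups (name, owner) VALUES ('admins', 'alice'), ('guests', 'bob')");

// Constructed input containing a quote that ends the string literal early.
$untrusted_name = "x' OR '1'='1";

// BAD: the value becomes part of the SQL text, so the quote changes the
// query's meaning and every row comes back.
function find_owner_unsafe(PDO $db, $name)
{
  $sql = "SELECT owner FROM groups WHERE name = '" . $name . "'";
  return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// GOOD: the value travels as a bound parameter and is only ever compared
// as data; the SQL text is fixed at prepare time.
function find_owner_safe(PDO $db, $name)
{
  $stmt = $db->prepare("SELECT owner FROM groups WHERE name = ?");
  $stmt->execute(array($name));
  return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(find_owner_unsafe($db, $untrusted_name)); // array('alice', 'bob'): query was altered
var_dump(find_owner_safe($db, $untrusted_name));   // array(): no group has that literal name
```

The safe version is also the easier one to review: the query text is a constant, so a reader can see at a glance what the database will execute.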
- all controller pages should have "require_once('_inc/common.php');" at the top.
- if a developer creates a new function or process, "rights.csv" needs to be updated
- all file operations should use the statistics class "FS"
- all URLs should be built with the "autolink()" function.
- never use $_SESSION directly; use the functions from class.session.php
- avoid HTML comments, as they can be read by everyone.
- a user could change form elements to submit illegal data; the developer should think about this carefully.
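An added example of the last point, and of the "filter all input" rule above; it is not the project's req() filter, and the function name, the catalogue array and the request arrays are constructed for illustration. A <select>'s options and a hidden field are only suggestions to the browser, so the server re-checks each value against its own allowlist and recomputes anything that matters, such as the price, from server-side data instead of from the request.

```php
<?php
// Added example (hypothetical helper, not the project's req() filter):
// server-side validation of form values that the client can edit freely.

// Constructed server-side catalogue; in the real application this would
// come from the database, never from the form.
$catalogue = array(
  'basic' => 9.99,
  'pro'   => 19.99,
);

function validate_order_example(array $params, array $catalogue)
{
  $errors = array();

  // The plan must be exactly one of the offered keys; "admin" or "" is rejected.
  $plan = isset($params['plan']) ? (string) $params['plan'] : '';
  if (!array_key_exists($plan, $catalogue)) {
    $errors[] = 'plan: not an offered plan';
  }

  // Quantity must be a small positive integer; "1e3", "-1" and "5; x" all fail.
  $qty = isset($params['qty']) ? (string) $params['qty'] : '';
  if (!preg_match('/^[1-9][0-9]?$/', $qty)) {
    $errors[] = 'qty: must be 1-99';
  }

  if ($errors) {
    return array('ok' => false, 'errors' => $errors);
  }
  // The total is recomputed from the catalogue; a submitted "price" field is ignored.
  return array(
    'ok'    => true,
    'plan'  => $plan,
    'qty'   => (int) $qty,
    'total' => $catalogue[$plan] * (int) $qty,
  );
}

// Constructed requests: one honest, one with edited form fields.
$honest   = array('plan' => 'basic', 'qty' => '2', 'price' => '9.99');
$tampered = array('plan' => 'admin', 'qty' => '-1', 'price' => '0.01');
var_dump(validate_order_example($honest, $catalogue));   // ok, total 19.98
var_dump(validate_order_example($tampered, $catalogue)); // not ok, two errors
```

The shape to keep in mind is allowlist, not blocklist: the function names what is acceptable and rejects everything else, so a value the developer never thought of is rejected by default.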
- sensitive data exposure
- cross-site request forgery
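An added example of the usual defence against cross-site request forgery; it is not the project's class.session.php, and the function names and the $session and request arrays (stand-ins for $_SESSION and $_POST) are assumptions. A random token is stored in the session and embedded in every state-changing form; the controller refuses the request unless the submitted token matches, compared with hash_equals() so the comparison time does not leak anything. A form on another site cannot read the token, so its forged POST fails the check.

```php
<?php
// Added example (assumed helper names, not the project's session class):
// per-session CSRF token, emitted into forms and verified on submit.

function csrf_token_example(array &$session)
{
  // One token per session, generated from a CSPRNG; reused across forms.
  if (empty($session['csrf_token'])) {
    $session['csrf_token'] = bin2hex(random_bytes(32));
  }
  return $session['csrf_token'];
}

function csrf_hidden_field_example(array &$session)
{
  // The token is hex, but it is still escaped like any other attribute value.
  $token = htmlspecialchars(csrf_token_example($session), ENT_QUOTES, 'UTF-8');
  return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

function csrf_check_example(array $session, array $post)
{
  if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
    return false;
  }
  // Constant-time comparison; both sides are strings.
  return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Constructed session and requests.
$session = array();
echo csrf_hidden_field_example($session), "\n";

$genuine = array('csrf_token' => $session['csrf_token'], 'action' => 'delete');
$forged  = array('action' => 'delete'); // a cross-site form cannot know the token
var_dump(csrf_check_example($session, $genuine)); // bool(true)
var_dump(csrf_check_example($session, $forged));  // bool(false)
```

The check belongs in the controller before any write is performed, and only POST (or other state-changing) handlers need it; a GET that merely renders a page should not change state in the first place.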