Basic code conventions

SQL conventions


case sensitivity

  • all the SQL keywords must be written in uppercase: SELECT, AS, GROUP BY

  • other elements, such as table names, column names and functions, must be lowercase.

null value

  • wrap every string that may be null in coalesce().

  • add an explicit IS NULL case to a JOIN / WHERE condition when the value may be null.

avoid “*”

  • avoid writing queries like “SELECT * FROM users;”

sub query

  • avoid subqueries; they are sometimes slower than a JOIN (test case by case)

UNION

  • several simple SELECT queries combined with UNION, INTERSECT or EXCEPT are often much faster than one big query, and easier to read.

Rollback

  • if you change something in postgres, create the rollback and verify files in the same ticket.

SELECT f.f_id, coalesce(f.f_visa_type, 'no_visa_type') AS f_visa_type
FROM forms AS f
  JOIN actions AS appt
    ON appt.a_when::date = '2013-01-01'
      AND appt.a_what = 'attend_appointment'
      AND appt.a_form = f.f_id
  JOIN forms_infos AS fi
    ON fi.fi_xref_f_id = f.f_id
      AND fi.fi_type = 'is_vip'
      AND (trim(fi.fi_value) = 'no' OR fi.fi_value IS NULL)
WHERE f.f_is_anonymised = 'f'
  AND f.f_tech_deleted = 'f';

PHP conventions


PHP tags

  • always use the full “<?php” tag, never the short “<?” tag

PHP comments

  • keep comments as clean as possible; a wrong comment is worse than no comment at all.

  • “self-commenting code” is preferable; we achieve it with plain English function names that describe what the function does.

  • multi-line comments are written as /* ... */

  • avoid commented-out code; old code can be recovered from git.

PHP indentation

  • indent with 2 or 4 spaces, never with tabs

  • line width: no more than 140 characters

  • put a space between parameters, between array items and around most operators.

PHP common rules

  • one line of code should do one and only one thing; avoid “if ($ok = func_test())”

PHP value assignment

  • avoid constants such as define('WE_DONT_LIKE_CONSTANTS', true); use our configurator instead.

  • don't nest ternary expressions

  • the ternary condition must always be wrapped in parentheses

  • use ternary expressions only for simple cases like: $a = ($b <= 3.99) ? $c : "some_value";

  • “$a = 1; $b = 2;” on a single line is a bad idea; don't try to save lines.

PHP function

  • you may create a small helper function outside any object (a plain function has no visibility keyword, and required parameters come before optional ones)

    function my_helper_function($first_param, $second_param = 'default') {
    }
  • function names must be lowercase_underscored, as must their parameters

  • a function body should not exceed 50 lines

  • never use echo inside functions or methods

PHP class

  • UpperCamelCase for class name

  • lowerCamelCase for class properties

  • always set default value for class properties

  • always specify the scope, and use the most restricted scope possible (private / protected / public)

PHP class functions

  • lowerCamelCase for methods; prefer a verb in the method name, like getUserName()

  • local variables are lower_case_with_underscores

  • array names are better with a plural 's'

  • don't use req('') inside class methods; it breaks isolation. Request or configuration values should be passed in as parameters.

    public function sampleClassMethod($a, $b) {
        $a_string = 'foo';             // local variables: lower_case_with_underscores
        $strings = array($a_string);   // array names take a plural 's'
        foreach ($strings as $string) {
            if ($string == 'SKIP') continue;      // one statement per line
            if ($string == 'bar') return false;   // early exit instead of nesting
            if ($string == 'baz') do_stuff();     // helper function defined outside the class
        }

        if ($a == $b) return true;
        return false;
    }

Security

  • never use eval($text); the contents of $text will be executed as PHP code.

  • all output must be escaped with e_html() or e_val() before it is sent to the browser, to avoid XSS (cross-site scripting)

  • all input must be filtered according to “url_params_filter.csv” by the req() function.

  • never read $_GET[], $_POST or $_REQUEST directly; use req() instead

  • all SQL queries must go through DB::q($sql, $sql_params); every variable in the query must be replaced by a “%s / %i / %n” placeholder to prevent SQL injection.

    $sql = "SELECT me FROM group WHERE name = %s";   // %s placeholder, never a concatenated value
    $sql_params = array("me");                        // the values are passed separately
    $res = DB::q($sql, $sql_params);
  • every controller page should have “require_once('_inc/common.php');” at the top.

  • if a developer creates a new function or process, “rights.csv” must be updated

  • all file operations should go through the “FS” class

  • all URLs should be generated with the “autolink()” function.

  • never use $_SESSION directly; use the functions from class.session.php

  • avoid HTML comments; anyone can read them in the page source.

  • users can alter form elements to submit illegal data; developers should keep this in mind and validate on the server side.

  • sensitive data exposure

  • cross-site request forgery
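The following is an added example, not code from the original page or its project: a controller and a class that apply the class, function and security rules above together. req(), e_html() and DB::q() are the project's own helpers as the page describes them; this example assumes req() returns the filtered request value as a string, e_html() returns an escaped string, and DB::q() returns an array of associative rows. The table and column names (group_members, member_id, name, is_deleted) are constructed for the example.

```php
<?php
// Added example (not from the original page). Assumes the project's helpers
// req(), e_html() and DB::q() exist with the behaviour described in the
// conventions; DB::q() is assumed to return an array of associative rows.
require_once('_inc/common.php');

class GroupMemberFinder
{
    // lowerCamelCase properties, explicit (most restricted) scope, default values
    private $maxRows = 50;

    // Values arrive as parameters: the class never calls req() itself,
    // so it stays isolated and testable.
    public function findByName($member_name)
    {
        // BAD (SQL injection): building the query text from the raw value.
        //   $sql = "SELECT member_id, name FROM group_members WHERE name = '" . $member_name . "'";
        //
        // GOOD: placeholders in the query, values passed separately to DB::q().
        $sql = "SELECT member_id, coalesce(name, 'unknown') AS name "
             . "FROM group_members "
             . "WHERE name = %s AND is_deleted = %s "
             . "LIMIT %i";
        $sql_params = array($member_name, 'f', $this->maxRows);
        $rows = DB::q($sql, $sql_params);   // assumed to return an array of rows

        $names = array();                   // array names take a plural 's'
        foreach ($rows as $row) {
            $names[] = $row['name'];
        }
        return $names;                      // no echo inside a method
    }
}

// Controller: read input only through req() (filtered per url_params_filter.csv),
// escape everything on the way out. Constructed parameter name 'name'.
$member_name = req('name');
$finder = new GroupMemberFinder();
$names = $finder->findByName($member_name);

// BAD (XSS):  echo '<li>' . $name . '</li>';
// GOOD:       escape with e_html() before output.
foreach ($names as $name) {
    echo '<li>' . e_html($name) . '</li>';
}
```

The two "BAD" lines are kept as comments so the contrast is visible in one place: the query text and the HTML output are the two boundaries where untrusted data must be handled by the placeholder and escaping helpers rather than string concatenation.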


Reposted from blog.csdn.net/weixin_43665429/article/details/88642771