4.3.4. Function definition
- The name of each parameter follows the variable naming conventions;
- The left parenthesis of a function definition is placed immediately after the function name, with no space in between;
- The opening brace starts on a new line;
- Parameters with default values are placed at the end of the parameter list;
- In both function calls and definitions, add a space after each comma that separates parameters;
- Mismatched indentation between the beginning and the end of a function must be carefully checked and eliminated.
For example, a standard definition:
function authcode($string, $operation, $key = '')
{
    if($flag)
    {
        //Statement
    }
    //Function body
}
Definitions that do not meet the standard:
function authcode($string,$operation,$key = '') {
    //Function body
}
4.3.5. Quotation marks
Single and double quotes have different meanings in PHP. The biggest differences are as follows:
In single quotes, variables ($var) and special escape characters (such as "\t \r \n") are not parsed, so PHP parses the string faster; the only escapes supported are those of the single quote and of the backslash itself, "\'" and "\\";
In double quotes, the value of a variable ($var) is substituted into the string, and special escape characters are parsed into the corresponding single character. There are also escapes specifically for these two features, such as "\$" and "{$array['key']}". This makes the program more convenient to write, but PHP parses it more slowly;
In an array, if the subscript is not an integer but a string, be sure to enclose it in single quotes. The correct form is $array['key'], not $array[key]: in the incorrect form the PHP parser first treats key as a constant and checks whether such a constant exists; when it does not, it falls back to using "key" as the subscript and at the same time raises a Notice-level error.
Therefore, in most cases where single quotes can be used, double quotes are prohibited. According to the above analysis, cases where single quotes may or must be used include but are not limited to the following:
- The string is a fixed value and contains no special escape characters such as "\t";
- A fixed array subscript, such as $array['key'];
- The expression does not need to include a variable, for example $string = 'test'; rather than $string = "test$var";
Exceptionally, in regular expressions (for the preg_ series and ereg series of functions) phpcms uses double quotes, for the convenience of writing and reading them by hand, to keep regular expressions uniform, and to avoid unnecessary confusion when analysing them.
In database SQL statements, numeric data must never be enclosed in single quotes; it must be processed by the intval() function before the query is executed. All strings must be enclosed in single quotes, to avoid possible injection vulnerabilities and SQL errors. The correct way to write it is:
$catid = intval($catid);
SELECT * FROM phpcms_member WHERE username='$_username' AND catid=$catid;
All data must be processed by addslashes() before being inserted into the database, to avoid errors caused by inserting unescaped data. Once the phpcms include file has been loaded, all variables obtained through GET, POST and FILE have already been escaped by addslashes() by default and must not be escaped again. If unescaped data is needed (for example for direct display), stripslashes() can be used to recover it, but the data must be escaped again before being inserted into the database.
In cached files, the value of cached data is generally escaped using addcslashes($string, '\'\\') .
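The SQL rules of this section applied in one place, as an added example that is not phpcms code: numeric input goes through intval() and is embedded unquoted, string input is escaped and single-quoted, and data recovered with stripslashes() for display is escaped again before it goes back to the database. The function names member_query() and member_for_display_and_store(), and the sample inputs, are constructed for illustration; phpcms_member is the table name from the text.

```php
<?php
// Added example (not phpcms code): builds the lookup query of section 4.3.5.
// Numeric data: intval() and no quotes. String data: addslashes() and single quotes.
function member_query($username, $catid)
{
    // Anything that is not a leading integer collapses to 0, so the unquoted
    // value can never carry SQL syntax into the statement.
    $catid = intval($catid);
    // phpcms escapes GET/POST input once at entry; only values that were
    // recovered with stripslashes() for display need escaping again here.
    $username = addslashes($username);
    return "SELECT * FROM phpcms_member WHERE username='$username' AND catid=$catid";
}

// Display path: stripslashes() for output, then escape again before storing.
function member_for_display_and_store($escaped_username)
{
    $shown  = stripslashes($escaped_username);   // what the page prints
    $stored = addslashes($shown);                // what goes back into SQL
    return array($shown, $stored);
}

// Constructed inputs: the second pair is the kind of value that would break
// a query built without intval() and quoting.
$cases = array(
    array('alice',  '5'),
    array("o'neil", '5 OR 1=1'),
);
foreach($cases as $case) {
    echo member_query($case[0], $case[1]), "\n";
}

// A username as it arrives already escaped by phpcms (o\'neil).
list($shown, $stored) = member_for_display_and_store("o\\'neil");
echo 'display: ', $shown, '  re-escaped: ', $stored, "\n";
```

intval('5 OR 1=1') yields 5 and addslashes("o'neil") yields o\'neil, so both generated statements stay well-formed. Note that addslashes() knows nothing about the connection's character set; on modern PHP, prepared statements (PDO or mysqli) are the stronger form of the same rule.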
4.3.6.
4.4. Naming Principles
Naming is the core of program planning. The ancients believed that if you knew a person's true name, you gained incredible power over that person. Likewise, thinking of the right name for a thing gives you, and those who come after you, more power than the code itself.
A name is the long-term, profound result of the ecological environment a thing lives in. In general, only a programmer who understands the system can find the most appropriate names for it. If every name fits the nature of what it names, the relationships become clear, the meaning can be derived, and the general idea can be anticipated.
By general convention, the names of classes, functions and variables should always describe what the code does, so that readers can easily tell its purpose. The simpler and more regular the form, the easier it is to perceive and understand. Ambiguous or obscure naming should be avoided.
4.4.1. Variable, object, function name
Variable, object and function names are all lowercase. Unless necessary, the underscore "_" is generally not used to separate words;
Names are based on standard computing English; naming that mixes in pinyin, or pinyin with English, is eliminated entirely;
Variable names may only use English abbreviations that are documented within the project. For example, $data may be used, but confusing forms such as $data1 and $data2 may not; use distinguishing forms such as $articledata and $userdata instead;
Excessively long names may be reasonably abbreviated, such as $bio ($biography) and $tpp ($threadsPerPage), provided that the abbreviation already exists in English or the letters comply with English abbreviation conventions;
Be clear about the part of speech of the English words used. For permission-related variables, prefer the forms $enable*** and $is***: the former is followed by a verb, the latter by an adjective.
4.4.2. Constant
Constants should always be named in capital letters; in the few cases where it is particularly necessary, underscores may be used to separate words;
PHP's built-in values TRUE, FALSE and NULL must all be written in capital letters.
4.5. Variable initialization and logic checking
Any variable must be initialized before being accumulated, displayed directly or stored, for example:
$number = 0;       //Numeric initialization
$string = '';      //String initialization
$array = array();  //Array initialization
When testing a variable whose state cannot be determined (it is not known whether it has been assigned), use empty() or isset() instead of the bare if($switch) form, unless you know for certain that the variable has already been initialized and assigned.
The difference between empty() and isset() is:
- bool empty(mixed var)
  - If var is non-empty and non-zero, empty() returns FALSE. In other words "", 0, "0", NULL, FALSE, array(), a class property declared as var $var; without a value, and an object without any attributes are all considered empty, and empty() returns TRUE for them.
- bool isset(mixed var[, mixed var[, ...]])
  - Returns TRUE if var exists, otherwise FALSE.
  - A variable released with unset() is no longer isset(). Testing a variable set to NULL with isset() returns FALSE. Note also that a NULL byte ("\0") is not equivalent to PHP's NULL constant.
To determine whether a variable is an array, use is_array(). This check is especially appropriate before traversing an array with foreach(), because without it foreach() reports an error on a variable of non-array type;
To determine whether an array element exists, use isset($array['key']) or empty(); the differences between the two are as described above.
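The behaviour described in this section run over concrete values, as an added example that is not phpcms code. The sample values, the $config array and the count_items() helper are constructed; they cover every "empty" case the text lists, a never-assigned variable, unset(), array keys, and the is_array() guard before foreach().

```php
<?php
// Added example (not phpcms code): empty(), isset() and is_array() on the
// values section 4.5 describes. E_ALL so that any stray notice would be visible.
error_reporting(E_ALL);

// Constructed sample values, including every "empty" case the text lists.
$samples = array(
    'empty string' => '',
    'int 0'        => 0,
    'string "0"'   => '0',
    'NULL'         => NULL,
    'FALSE'        => FALSE,
    'empty array'  => array(),
    'string "a"'   => 'a',
    'int 1'        => 1,
);
foreach($samples as $label => $value) {
    printf("%-13s empty=%-5s isset=%s\n", $label,
        empty($value) ? 'TRUE' : 'FALSE', isset($value) ? 'TRUE' : 'FALSE');
}

// A variable that was never assigned: empty() and isset() are safe on it,
// whereas a bare if($never_assigned) would raise an E_NOTICE.
echo 'never assigned: empty=', empty($never_assigned) ? 'TRUE' : 'FALSE',
     ' isset=', isset($never_assigned) ? 'TRUE' : 'FALSE', "\n";

// unset() releases the variable; afterwards isset() is FALSE again.
$switch = 1;
unset($switch);
echo 'after unset: isset=', isset($switch) ? 'TRUE' : 'FALSE', "\n";

// Array elements follow the same rules: test the key before reading it.
// A key holding NULL exists in the array but is not isset().
$config = array('key' => '0', 'nothing' => NULL);
echo 'isset(key)=', isset($config['key']) ? 'TRUE' : 'FALSE',
     ' empty(key)=', empty($config['key']) ? 'TRUE' : 'FALSE',
     ' isset(nothing)=', isset($config['nothing']) ? 'TRUE' : 'FALSE',
     ' array_key_exists(nothing)=', array_key_exists('nothing', $config) ? 'TRUE' : 'FALSE', "\n";

// Guard foreach() with is_array(): iterating a non-array emits a warning.
function count_items($data)
{
    $n = 0;
    if(is_array($data)) {
        foreach($data as $item) {
            $n++;
        }
    }
    return $n;
}
echo 'items: ', count_items(array(1, 2, 3)), ' / ', count_items('not an array'), "\n";
```

The key-with-NULL line is the one practitioners trip over: isset($config['nothing']) is FALSE even though the key is present, so array_key_exists() is the right test when the distinction between "absent" and "set to NULL" matters.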
4.6. Security
Variables in PHP do not need to be declared in advance as in C. The interpreter creates a variable automatically on first use, and its type need not be specified; the interpreter determines it from context. From a developer's point of view this is undoubtedly extremely convenient: a variable is created and can be used anywhere in the program. The consequence is that developers often do not bother to initialize variables. Therefore, to improve the security of the program, no variable that is not clearly defined can be trusted. All variables must be initialized before use, to prevent maliciously constructed input from overwriting variables used by the program.
For details, read (/) this document. It lists common security issues in PHP, and reading it is very necessary!
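The overwrite risk that sections 4.5 and 4.6 describe, shown side by side with the initialization they require, as an added example that is not phpcms code. The $request array is constructed to stand in for a visitor who appends authorized=1 to the request, and extract() plays the role of register_globals (or a careless extract($_GET)), which copies request parameters into PHP variables before any of the script's own code runs; the function names are hypothetical.

```php
<?php
// Added example (not phpcms code). Constructed request: wrong password, plus an
// extra parameter named after the variable the script uses for its decision.
$request = array('password' => 'wrong', 'authorized' => '1');

// Vulnerable pattern: $authorized is assigned only on success, so a value that
// already existed in the variable space before the script ran is never cleared
// and the final check passes.
function login_uninitialized($request)
{
    extract($request);               // stands in for register_globals
    if($password == 'secret') {
        $authorized = 1;
    }
    return !empty($authorized);
}

// Pattern required by sections 4.5 and 4.6: every variable the logic relies on
// is initialized before use, and input is read explicitly from the request.
function login_initialized($request)
{
    extract($request);               // same hostile environment as above
    $authorized = 0;                 // initialization discards anything injected
    $password = isset($request['password']) ? $request['password'] : '';
    if($password == 'secret') {
        $authorized = 1;
    }
    return !empty($authorized);
}

echo 'uninitialized: ', login_uninitialized($request) ? 'access granted' : 'denied', "\n";
echo 'initialized:   ', login_initialized($request) ? 'access granted' : 'denied', "\n";
```

The first function grants access with the wrong password because the injected value of $authorized survives; the second denies it because the explicit $authorized = 0; runs after the environment was populated. The same reasoning is why the standard insists on $number = 0; and $array = array(); at the top of every program.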
4.7. Compatibility
Code design should take the characteristics of both high and low PHP versions into account. At present PHP 4.3.0 remains the minimum supported platform, so try not to use functions or constants added in higher versions of PHP. If a function only available in a higher version is used, it must be wrapped: the wrapper determines the current PHP version automatically, and compatible code for the lower version must be written by hand;
For individual functions, parameter and coding requirements follow the stricter PHP version;
Do not use functions from PHP extension modules unless necessary. When using one, add the necessary checks and handle the case where the server environment does not support the function. A compatibility note should also be added to the function's description in the documentation and in the program.
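The three compatibility rules above applied to two real cases, as an added example that is not phpcms code: file_put_contents() exists only from PHP 5.0, so it is wrapped for the PHP 4.3.0 platform, and mb_strlen() exists only when the mbstring extension is loaded, so its use is guarded with an explicit fallback. The compat_strlen() name and the temporary file are constructed for illustration.

```php
<?php
// Added example (not phpcms code): section 4.7 applied to a missing core
// function and to an extension function.

// A function missing on the minimum platform (PHP 4.3.0): define our own only
// when the running PHP does not already provide it.
if(!function_exists('file_put_contents')) {
    function file_put_contents($filename, $data)
    {
        $fp = @fopen($filename, 'wb');
        if(!$fp) {
            return FALSE;
        }
        $bytes = fwrite($fp, $data);
        fclose($fp);
        return $bytes;
    }
}

// Extension function: test availability and degrade explicitly. The fallback
// counts bytes rather than characters; section 4.7 requires this to be stated
// in the function's documentation, as it is here.
function compat_strlen($string)
{
    if(function_exists('mb_strlen')) {
        return mb_strlen($string, 'UTF-8');
    }
    return strlen($string);
}

// Parameter rules follow the stricter version: the PHP 5 original also accepts
// an array or a flags argument, the shim above does not, so every caller passes
// exactly one string.
$file = tempnam('/tmp', 'compat');
file_put_contents($file, "héllo");
echo 'bytes on disk: ', filesize($file), "\n";
echo 'compat_strlen: ', compat_strlen("héllo"), "\n";
unlink($file);
```

With mbstring loaded the two printed numbers differ (6 bytes, 5 characters); without it they are equal, which is exactly the behaviour the compatibility note has to warn callers about.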
4.8. Code reuse
Effective code reuse reduces lost efficiency and wasted resources, and avoids repeated labour and wasted time when developing software projects. Developers should do their best to increase the reuse rate of existing code, while devoting more energy to applying new technologies and developing innovative new functions.
- Do not hesitate to define functions or classes when a piece of code is needed more than once and no built-in PHP function is available for the task. Developers must place functions in the include directory, using . as the function file suffix, and place classes in the include/class directory, according to their function and how they are called. Code of more than 3 lines that implements the same function must not appear repeatedly in different programs; this is a problem that cannot be tolerated and must be avoided;
- Never let two or more pieces of similar or identical code appear in the same program, and do your best to avoid it even across different programs. Developers should always be able to spot and avoid duplication of large segments (more than 10 lines) of identical or similar code.
It should be emphasized that although this section is short, it demands a great deal of experience and will cost developers much time and energy in optimization. Every product developer must always be clear about, and understand, the importance and necessity of code reuse, and work hard to improve product efficiency, logic and readability. This is a basic quality that an excellent software developer must possess.
4.9. Other details
4.9.1. Include calls
When including program files, always use require_once, to avoid possible duplicate-inclusion problems;
When including cache files, since it cannot be guaranteed that a cache file opens 100% correctly, use include_once or include; if necessary, @include_once or @include may be used to suppress the error messages;
Include paths must start with PHPCMS_ROOT.'/'; the practice of writing a bare program file name (for example: require_once '';) is prohibited;
All included program files, including but not limited to programs, caches and templates, must normally not be requestable directly by URL. phpcms determines whether a program is being called legitimately by defining the token constant IN_PHPCMS in ./include/. Therefore every included program file, other than the one in ./include/ that defines the constant, must contain the following line so that visitors cannot request the file directly through the URL:
defined('IN_PHPCMS') or exit('Access Denied');
4.9.2. Error Reporting Level
During development and debugging, use error_reporting(E_ALL); as the default error reporting level. This is the strictest level and reports all errors, warnings and notices in the program, helping developers check and verify the code and avoiding most security issues, logical errors and spelling mistakes. error_reporting() can be set in the first few lines of ./include/.
When the software is released, use error_reporting(E_ERROR | E_WARNING | E_PARSE); as the default error reporting level, for the convenience of users and to minimize unnecessary error messages.
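The include rules of 4.9.1 and the error-reporting rule of 4.9.2 together, as an added example that is not phpcms code. It is shown as two files in one listing, separated by the "File:" comments; both file names, the example_greeting() function and the cache path are hypothetical, and the page does not name the real phpcms file under ./include/ that defines IN_PHPCMS.

```php
<?php
// Added example (not phpcms code): an entry script and the guarded file it
// includes. Save the two parts as the two files named in the comments.

// ---------- File: index.php (entry script, requested directly by URL) ----------
define('IN_PHPCMS', TRUE);                  // token that marks a legitimate entry
define('PHPCMS_ROOT', dirname(__FILE__));   // absolute base for every include

// Development setting; for release use error_reporting(E_ERROR | E_WARNING | E_PARSE);
error_reporting(E_ALL);

// Program file: require_once, path anchored at PHPCMS_ROOT.'/'.
require_once PHPCMS_ROOT.'/include/example.func.php';

// Cache file: may be absent or half-written, so include_once with @.
@include_once PHPCMS_ROOT.'/data/cache/example_cache.php';

echo example_greeting('reader'), "\n";

// ---------- File: include/example.func.php (included only, never a URL target) ----------
// First statement of every included file other than the one defining the token:
// a direct request has no IN_PHPCMS defined, so execution stops here.
defined('IN_PHPCMS') or exit('Access Denied');

function example_greeting($name)
{
    return 'Hello, '.htmlspecialchars($name);
}
```

Requesting index.php prints the greeting; requesting include/example.func.php directly prints only "Access Denied", because the constant is defined by the entry script and never by the included file itself.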
5. Database design
5.1. Fields
5.1.1. Table and field naming
The conventions in "4.4 Naming Principles" above are the basic criterion for naming tables and fields.
All table names that are countable nouns must be in plural form, such as phpcms_member (user table); fields that store multiple contents, or that represent a quantity, should also be named in plural form, such as hits (number of views) and items (number of contents).
When fields in several tables are linked, keep the naming of the associated fields uniform across the tables, such as articleid in the phpcms_article_1 table and articleid in the phpcms_article_data_1 table.
Fields representing an auto-increment id usually take one of the following forms:
- Usually the full-name form, such as userid and articleid;
- When the id has no functional role and exists only for convenience of management and maintenance, it may use the full form or simply be named id.
Due to space limitations it is impossible to describe every case; for all naming related to tables and fields, be sure to refer to the naming of existing phpcms fields, to ensure that naming is systematic and uniform.
5.1.2. Field Structure
When the database performs a comparison, it first determines whether the value is NULL; only a non-NULL value is then compared. Therefore, for efficiency, no field may be NULL; that is, all fields are NOT NULL;
Fields expected to store non-negative values, such as ids and post counts, must be declared UNSIGNED. UNSIGNED doubles the positive range that the same type can store, and so gains a larger numeric range at no extra cost;
Fields storing switch and option data usually use the non-UNSIGNED tinyint(1) type, and in rare cases the enum() result-set method. When tinyint is used as a switch field, usually 1 is on, 0 is off, and -1 is special data such as N/A (unavailable); values above 1 are special results or binary combinations of switches (see the relevant phpcms code for details);
In MEMORY/HEAP tables, take special care to plan for saving storage space, since this saves memory. For example, in the cdb_sessions table the IP address is stored as 4 tinyint(3) UNSIGNED fields rather than as a char(15);
For any type of table, field sizes follow the principle of being sufficient without waste. The value ranges of the numeric field types are shown in the following table:
| Field type | Storage space (bytes) | UNSIGNED | Value range |
|---|---|---|---|
| tinyint | 1 | No | -128 ~ 127 |
| tinyint | 1 | Yes | 0 ~ 255 |
| smallint | 2 | No | -32768 ~ 32767 |
| smallint | 2 | Yes | 0 ~ 65535 |
| mediumint | 3 | No | -8388608 ~ 8388607 |
| mediumint | 3 | Yes | 0 ~ 16777215 |
| int | 4 | No | -2147483648 ~ 2147483647 |
| int | 4 | Yes | 0 ~ 4294967295 |
| bigint | 8 | No | -9223372036854775808 ~ 9223372036854775807 |
| bigint | 8 | Yes | 0 ~ 18446744073709551615 |
5.2. Statements
In all SQL statements, everything except table names and field names, that is, all keywords and functions, must be uppercase; lowercase or mixed case is eliminated. For example, select * from phpcms_member; does not comply with the specification.
A very long SQL statement should be broken across lines appropriately, at keywords such as JOIN, FROM and ORDER BY.
Generally, when operating on multiple tables, give each table a 1- to 2-letter alias derived from its name, so that the statement stays concise and readable.
The following statement examples are in compliance with the specifications:
$result = $db->query("SELECT m.*, i.*
FROM ".TABLE_MEMBER." m, ".TABLE_MEMBERINFO." i
WHERE = AND ='$_userid');
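The field-structure rules of 5.1.2 and the statement rules of 5.2 applied together, as an added example that is not phpcms code. The phpcms_sessions table, its columns, the TABLE_ARTICLE and TABLE_ARTICLE_DATA constants (defined here in the style of the page's TABLE_MEMBER so the script runs stand-alone), and the helper names are constructed; phpcms_article_1 and phpcms_article_data_1 are the table names from 5.1.1. The generated strings are the ones that would be passed to $db->query().

```php
<?php
// Added example (not phpcms code). Constants defined locally so the script runs
// without the phpcms include file.
define('TABLE_ARTICLE',      'phpcms_article_1');
define('TABLE_ARTICLE_DATA', 'phpcms_article_data_1');

// Plural table name, every field NOT NULL, counters UNSIGNED, switch field
// tinyint(1), IPv4 address as four tinyint(3) UNSIGNED columns, MEMORY engine.
$create_sessions = "CREATE TABLE phpcms_sessions (
    sid          char(6) NOT NULL DEFAULT '',
    userid       mediumint(8) UNSIGNED NOT NULL DEFAULT '0',
    ip1          tinyint(3) UNSIGNED NOT NULL DEFAULT '0',
    ip2          tinyint(3) UNSIGNED NOT NULL DEFAULT '0',
    ip3          tinyint(3) UNSIGNED NOT NULL DEFAULT '0',
    ip4          tinyint(3) UNSIGNED NOT NULL DEFAULT '0',
    invisible    tinyint(1) NOT NULL DEFAULT '0',
    lastactivity int(10) UNSIGNED NOT NULL DEFAULT '0',
    PRIMARY KEY (sid)
) ENGINE=MEMORY";

// Split a dotted IPv4 address into the four columns. Each octet goes through
// intval() so it can be embedded unquoted (section 4.3.5); a malformed address
// returns FALSE rather than silently storing a wrong or truncated value.
function ip_to_columns($ip)
{
    $parts = explode('.', $ip);
    if(count($parts) != 4) {
        return FALSE;
    }
    $columns = array();
    foreach($parts as $part) {
        // Regular expression in double quotes, as section 4.3.5 says phpcms does.
        if(!preg_match("/^\d{1,3}$/", $part) || intval($part) > 255) {
            return FALSE;
        }
        $columns[] = intval($part);
    }
    return $columns;
}

// Multi-table statement per 5.2: uppercase keywords, one-letter aliases, line
// breaks at FROM and WHERE, numeric id through intval() and unquoted.
function article_query($articleid)
{
    $articleid = intval($articleid);
    return "SELECT a.articleid, a.title, d.content
        FROM ".TABLE_ARTICLE." a, ".TABLE_ARTICLE_DATA." d
        WHERE a.articleid=d.articleid AND a.articleid=$articleid";
}

echo $create_sessions, "\n\n";

$ip = ip_to_columns('192.168.1.10');
if($ip !== FALSE) {
    list($ip1, $ip2, $ip3, $ip4) = $ip;
    echo "INSERT INTO phpcms_sessions (sid, userid, ip1, ip2, ip3, ip4)
        VALUES ('abc123', 7, $ip1, $ip2, $ip3, $ip4)", "\n\n";
}
var_export(ip_to_columns('999.1.1'));   // a malformed address
echo "\n", article_query('12abc'), "\n"; // intval() keeps only the leading digits
```

Storing the address as four UNSIGNED bytes uses 4 bytes per row instead of 15, which is the saving 5.1.2 describes for MEMORY tables; the strict octet check in ip_to_columns() is what keeps that compact form from quietly accepting garbage.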