Should I Use @ in My PHP Code

Why should I not put my PHP files in the public_html folder?

The difference is typically that JavaScript code is untrusted code (or at least it should be, since it's running on the client), whereas PHP code is usually considered trusted code (since it runs on the server where it can't be directly interfered with by users).

As such, someone discovering a hole in PHP source often has access to much greater privileges if they can exploit it than someone who discovers a hole in JavaScript code, since they can get PHP to run something server-side.

Now, while security through obscurity should not be your primary means of securing your code - it's always best to not have security holes in the first place - it's also generally not a good idea to make it easier for an attacker to locate a hole that somehow got introduced. Keeping things out of the non-script serving root helps prevent accidents ("oops, I accidentally disabled PHP, everyone who requests a page gets the source code instead") from occurring.

Furthermore, server-side files may include things like configuration data that is not meant to be public - internal network addresses, database info, et cetera (though it's also a good idea to keep things like credentials separate from your PHP code as well).

When to use index.php instead of index.html

You will have to choose the PHP extension (.php) when you want php code to be executed in the file. PHP code is code between the opening <?php or <? and the closing ?> tags.

When no PHP code should be executed you can use the .html extension.

Usually when using the .php extension you are telling the web server that it should use a PHP interpreter to process the file before it is delivered to the browser. The PHP interpreter will then replace all content between the <?php and ?> tags with the output of the PHP code, just as if you had written it manually. The processed file will then be delivered to the browser.

However, using the .php extension to tell the web server to process PHP code is configurable. If you want, you can use other file extensions too.

There is another thing that should be pointed out. When you only type the URL path (without a filename), like:

http://www.myserver.com/

there is an order of extensions (filenames) in which the web server (Apache) searches for an index document. For example, an Apache config may contain a section like:

<IfModule mod_dir.c>
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
</IfModule>

Meaning that the index document is searched for in the order above. This means that if you place an index.html and an index.php in the same folder, with the configuration above, the index.html would always be delivered by the server.

Should I use PHP code or a MySQL stored proc to create an efficient reward point system?

I recommend you read this: Who Needs Stored Procedures, and I quote this:

Having used both stored procedures and dynamic SQL extensively I definitely prefer the latter: easier to manage, better encapsulation, no BL in the data access layer, greater flexibility and much more. Virtually every major open-source PHP project uses dynamic SQL over stored procs (see: Drupal, Wordpress, Magento and many more).

from @leepowers (MySQL stored procedures or php code?)

Is it a good practice to use php code inside javascript?

No, it is not good practice.

will it affect the performance?

I do not specifically know which performance you meant when you wrote that line, but about all performances I can imagine, I would say: Most certainly, no.

are there any other reasons?

Mixing two languages is hard as it requires proper encoding. This makes things complex. Complexity is bad practice.
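The encoding problem the answer alludes to, as an added example that is not from the original post: instead of interleaving PHP inside JavaScript, the PHP side encodes its data once as JSON in an HTML attribute and a static script reads it back (the `$userName` value is constructed; the element id and page layout are assumptions).

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. It shows the encoding problem the
// answer refers to: a PHP value dropped into JavaScript needs JavaScript-specific
// escaping, so hand data over once, as JSON in an HTML attribute, instead of
// interleaving the two languages.

// Constructed value standing in for user-supplied data; the quote, ampersand and
// closing tag would each break a naive "<script>var name = '$name';</script>".
$userName = "O'Brien & Sons </script>";

// Encode once. The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes so the
// JSON text is inert in HTML, and htmlspecialchars then makes it attribute-safe.
function jsonForAttribute(mixed $value): string
{
    $json = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return htmlspecialchars($json, ENT_QUOTES, 'UTF-8');
}

// The page carries the data in one attribute; the script is static and reads it back.
function renderPage(string $name): string
{
    $config = jsonForAttribute(['name' => $name]);
    return <<<HTML
<div id="app" data-config="$config"></div>
<script>
  const config = JSON.parse(document.getElementById('app').dataset.config);
  document.getElementById('app').textContent = 'Hello, ' + config.name;
</script>
HTML;
}

echo renderPage($userName);
```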

Should I be using assert in my PHP code?

The rule of thumb which is applicable across most languages (all that I vaguely know) is that an assert is used to assert that a condition is always true whereas an if is appropriate if it is conceivable that it will sometimes fail.

In this case, I would say that assert is appropriate (based on my weak understanding of the situation) because records should always be set before the given method is called. So a failure to set the record would be a bug in the program rather than a runtime condition. Here, the assert is helping to ensure (with adequate testing) that there is no possible program execution path that could cause the code that is being guarded with the assert to be called without records having been set.

The advantage of using assert as opposed to if is that assert can generally be turned off in production code, thus reducing overhead. The sort of situations that are best handled with if could conceivably occur at runtime in a production system, and so nothing is lost by not being able to turn them off.
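The assert-versus-if rule applied to the "records must be set first" case, as an added example that is not from the original answer: the class name, the records layout and the request parameter are assumptions; the point is that assert() guards an invariant of our own code and may be compiled out in production, while request data gets an if and an explicit error.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. It applies the assert-vs-if rule
// to the "records must be set first" case: assert() guards a programmer
// invariant and may be compiled out in production (php.ini: zend.assertions = -1),
// so anything that can legitimately fail at runtime, above all request data,
// gets an if and an explicit error instead.

final class RewardSummary
{
    /** @var array<int,int>|null  user id => points; hypothetical data layout */
    private ?array $records = null;

    public function setRecords(array $records): void
    {
        $this->records = $records;
    }

    // Invariant: setRecords() is always called before this method. Violating it
    // is a bug in our own code, so assert() is the right tool; in PHP 7+ a failed
    // assertion throws AssertionError when assertions are enabled.
    public function totalPoints(): int
    {
        assert($this->records !== null, 'setRecords() must be called first');
        return array_sum($this->records);
    }

    // Runtime condition: $userId arrives from the request and can be anything.
    // An assert here would silently disappear in production, so validate with if.
    public function pointsFor(string $userId): int
    {
        assert($this->records !== null, 'setRecords() must be called first');
        if (!ctype_digit($userId)) {
            throw new InvalidArgumentException('userId must be a non-negative integer');
        }
        return $this->records[(int) $userId] ?? 0;
    }
}

// Usage with constructed sample data.
$summary = new RewardSummary();
$summary->setRecords([1 => 120, 2 => 45]);
echo $summary->totalPoints(), "\n";
echo $summary->pointsFor('2'), "\n";
```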

Seriously, should I write bad PHP code?

I think Joomla and Wordpress are not the greatest examples of good PHP code, with no offense. I have nothing personal against the people working on it and it's great how they enable people to have a website/blog and I know that a lot of people spend all their free time on either of those projects but the code quality is rather poor (with no offense).

Review security announcements over the past year if you don't believe me; also assuming you are looking for performance from either of the two, their code does not excel there either. So it's by no means good code, but Wordpress and Joomla both excel on the frontend - pretty easy to use, people get a website and can do stuff.

And that's why they are so successful: people don't select them based on code quality but on what they enable them to do.

To answer your performance question, yes, it's true that all the good stuff (functions, classes, etc.) slow your application down. So I guess if your application/script is all in one file, so be it. Feel free to write bad PHP code then.

As soon as you expand and start to duplicate code, you should consider the trade-off (in speed) which writing maintainable code brings along. :-)

IMHO this trade-off is rather small because of two things:

  1. CPU is cheap.
  2. Developers are not cheap.

When you need to go back into your code six months from now, think about whether those nanoseconds saved running it still add up when you need to fix a nasty bug (three or four times, because of duplicated code).

You can do all sorts of things to make PHP run faster. Generally people recommend a cache, such as APC. APC is really awesome. It runs all sorts of optimizations in the background for you, e.g. caching the bytecode of a PHP file and also provides you with functions in userland to save data.

So, for example, if you parse a configuration file each time you run that script, disk I/O is really critical. With a simple apc_store() and apc_fetch() you can store the parsed configuration file in either a file-based or a memory-based (RAM) cache and retrieve it from there until the cache expires or is deleted.

APC is not the only cache, of course.

When PHP code should really be treated as unsafe?

The issue is that later someone may change the function someFunction and do more than simply multiply it by 4.

The function in itself is not unsafe, but the line:

 someFunction($_GET['value']);

is completely unsafe. Maybe someFunction gets refactored into another file or is way down in the code.
You should always check and scrub user-supplied data to protect yourself and others working on a library or function somewhere who are not expecting you to pass them raw $_GET array data.

This is especially true when working with others, and is why it's being asked in the interview: to see if you're looking ahead at future potential issues, not to see that you understand that currently someFunction is harmless when passed possibly dangerous GET data. It becomes an issue when your coworker refactors someFunction to query a DB table.
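The interview scenario played out in code, as an added example that is not from the original answer: someFunction starts as the harmless multiply-by-4, a hypothetical refactor sends the same argument to a database, and the caller that validated at the boundary is the one that stays correct (the rewards table, the PDO handle and the request array are assumptions or constructed).

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. It plays out the interview scenario:
// someFunction starts as harmless arithmetic, a later refactor sends the same
// argument to the database, and the caller that validated at the boundary is the
// one that stays correct. The rewards table and PDO handle are hypothetical.

// Version 1, as in the question: trivially harmless today.
function someFunction($value)
{
    return $value * 4;
}

// Version 2, a hypothetical later refactor by a coworker. A prepared statement
// keeps the query itself safe, but the refactorer cannot audit every caller, and
// a function that trusted raw request data now does very different work.
function someFunctionRefactored(PDO $db, $value): int
{
    $stmt = $db->prepare('SELECT points FROM rewards WHERE user_id = :id');
    $stmt->execute([':id' => $value]);
    return (int) ($stmt->fetchColumn() ?: 0);
}

// The caller's job: turn the request parameter into a checked value before any
// function sees it, whatever that function happens to do this year.
function readValueParam(array $query): int
{
    $value = filter_var(
        $query['value'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    if ($value === false) {
        throw new InvalidArgumentException('value must be a non-negative integer');
    }
    return $value;
}

// Constructed request data standing in for $_GET.
$query = ['value' => '21'];
try {
    $value = readValueParam($query);      // checked int, or an exception
    echo someFunction($value), "\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'invalid request', "\n";
}
```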

Why should we separate PHP from HTML

The best practice is not to separate PHP from HTML; the best practice is to separate logic from markup.

Also important is coding style: proper line indentation, using echo "</div>"; instead of echo"</div>";, valid HTML, not putting variables into quotations:

echo "The variable contains the string $rand";

better (why? see my comment below):

echo "The variable contains the string ",
$rand,
" :-)";

Your whole project gains much quality and worth just by improving the code, writing it clean, readable and maintainable. Imagine you want to change the text: you would have to add or change lots of echoes.

Code style guides (PEAR, PSR, Zend) encourage developers to keep their code readable, valid and cross-browser compatible.
