PHP can be a maddening language. It's messy, it's old, hampered by the mistakes of the past, and the internet is absolutely littered with terrible advice and even worse code. I can't fix all that, but I can tell you what to watch out for.
There's a fantastic, up-to-date list of best-practice tips at PHP The Right Way. If you see any conflict between the advice there and the advice here, consider them a better authority!
Golden rules:
There are certain principles that apply to all coding for the web, and if you learn and apply these principles, your code will be safer, and your life will be (slightly) less stressful and upsetting.
Always escape your output
HTML and XML are markup languages; that means that the code that controls the content is mixed in with the content itself. When you write PHP that produces HTML, you need to use a process called “escaping” to make sure that you don't allow content to be mistaken for commands.
Always filter your input
Whether your script is parsing a URL, handling a form, or reading a file, you need to ensure that your code only accepts what you expect it to. Filtering (and validating) your input keeps your server, data, and users safe.
Talk to your database the right way
PHP has grown (to put it politely) "organically", which means that it now has about a dozen ways to talk to databases. Most of them are wrong. Learn how to use PDO and use its support for parameterised queries to keep your data safe and your brain unfried. Then use the Doctrine DBAL, a lightweight wrapper, to make your code even faster and easier.
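To make the three rules concrete, here is an added example (not code from this site) that puts them together in one script: input is filtered before use, the query is parameterised through PDO, and the value is escaped only at the point it meets the HTML. It assumes PHP 8 with the pdo_sqlite extension so it runs against an in-memory database; the table, row and request value are constructed sample data.

```php
<?php
declare(strict_types=1);

// Rule 1: escape output. ENT_QUOTES covers both quote styles, so the same
// helper is safe in element text and in quoted attribute values.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Rule 2: filter input. Accept only a positive integer id; anything else is null.
function filterUserId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed demo database (in-memory SQLite, assumes pdo_sqlite is loaded).
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,   // fail loudly, not silently
    PDO::ATTR_EMULATE_PREPARES => false,                    // real driver-side binding
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'Ada <script>alert(1)</script>')");

// Simulated request: $_GET['id'] is untrusted, so it goes through the filter first.
$rawId  = $_GET['id'] ?? '1';
$userId = filterUserId($rawId);
if ($userId === null) {
    http_response_code(400);
    exit('Bad request');
}

// Rule 3: parameterised query. The value is bound, never spliced into the SQL text.
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute([':id' => $userId]);
$name = $stmt->fetchColumn(); // false when no row matches

// Escape at output: the stored <script> tag is rendered as text, not executed.
echo '<p>Hello, ' . esc((string) $name) . '</p>';
```

Run it with `php demo.php` and the output is `<p>Hello, Ada &lt;script&gt;alert(1)&lt;/script&gt;</p>`; feeding it `id=abc` via the web server yields a 400 rather than a query.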
Tips & Tricks
Starting a new Project
Here's some up-to-date advice on starting a clean, easy, testable new PHP project.
Use namespaces and autoloading
If you're not using PHP 5.3 or newer, you're in for a world of pain and misery. Namespaces keep your code tidy and promote safe and easy code re-use. The Composer package manager and autoloader make finding and using third-party code quick and painless.
Use source control
Learning and using a source control system like Git gives you the freedom to make mistakes, the courage to experiment with sweeping changes without losing your code, and the ability to participate in the wider coding community.
Use Unicode
If you're from an English-speaking country, there's a good chance you've never knowingly worked with character sets and encodings. That needs to change, because they can cause you a lot of hassle and trouble. Find out what they are, and how to use Unicode's UTF-8 encoding whenever possible.
Using cURL in PHP
It's tempting to be lazy and use file_get_contents() on a URL, but you miss out on HTTP caching, get poor error handling, and don't set a meaningful user agent, which makes your code a bad citizen of the web. Here's a basic function for making a sensible HTTP request with the cURL extension.
Don't code when you don't need to
It's tempting to use your shiny new PHP sledgehammer to crack every nut, but simpler is nearly always better. Consider static site generators instead of CMSes. Look for good quality code online before writing your own.
File-handling tips
Learn to use an object-oriented interface to files (and why), browse and filter folders, and handle temporary files transparently (which is a neat way of producing CSV output without touching the filesystem).
Feedback
Please send me corrections; I know someone's always wrong on the internet, and I'd appreciate knowing if it's me.
It should go without saying, but any example code shown on this site is yours to use without obligation or warranty of any kind. As far as it's possible to do so, I release it into the public domain.