Categories
PHP

Coding conventions: PHP

Code structure

Assignment expressions

Using assignment as an expression is surprising to the reader and looks like an error. Do not write code like this:

if ( $a = foo() ) {
    bar();
}

Space is cheap, and you’re a fast typist, so instead use:

$a = foo();
if ( $a ) {
    bar();
}

Using assignment in a while() clause used to be legitimate, for iteration:

$res = $dbr->query( 'SELECT * FROM some_table' );
while ( $row = $dbr->fetchObject( $res ) ) {
    showRow( $row );
}

This is unnecessary in new code; instead use:

$res = $dbr->query( 'SELECT * FROM some_table' );
foreach ( $res as $row ) {
    showRow( $row );
}

Spaces

MediaWiki favors a heavily-spaced style for optimum readability.

Put spaces on either side of binary operators, for example:

// No:
$a=$b+$c;

// Yes:
$a = $b + $c;

Put spaces next to parentheses on the inside, except where the parentheses are empty. Do not put a space following a function name.

$a = getFoo( $b );
$c = getBar();

Opinions differ as to whether control structures  if, while, for, foreach etc. should be followed by a space; the following two styles are acceptable:

// Spacey
if ( isFoo() ) {
        $a = 'foo';
}

// Not so spacey
if( isFoo() ) {
        $a = 'foo';
}

In comments there should be one space between the # or // character and the comment, and a comment should be put on its own line.

// No:
        public static function getFoo( $bar ) {
                if ( $bar !== false ) { //because this and that..
                        return $bar; //already defined, return it
                }
        }

// Yes:
        public static function getFoo( $bar ) {
                // Because this and that..
                if ( $bar !== false ) {
                        // Already defined, return it.
                        return $bar;
                }
        }

To help developers fix code with an inadequately spacey style, a tool called stylize.php has been created, which uses PHP’s tokenizer extension to enforce most whitespace conventions automatically.

Ternary operator

The ternary operator can be used profitably if the expressions are very short and obvious:

$swat = isset( $this->mParams['swat'] ) ? $this->mParams['swat'] : false;

But if you’re considering a multi-line expression with a ternary operator, please consider using an if() block instead. Remember, disk space is cheap, code readability is everything, “if” is English and ?: is not.

PHP-v5.3 shorthand

Since we still support PHP 5.2.x, use of the shorthand ternary operator (?:) introduced in PHP 5.3 is not allowed.

String literals

For simple string literals, single quotes are slightly faster for PHP to parse than double quotes. Perhaps more importantly, they are easier to type, since you don’t have to press shift. For these reasons, single quotes are preferred in cases where they are equivalent to double quotes.

However, do not be afraid of using PHP’s double-quoted string interpolation feature: $elementId = “myextension-$index”; This has slightly better performance characteristics than the equivalent using the concatenation (dot) operator, and it looks nicer too.

Heredoc-style strings are sometimes useful:

$s = <<<EOT
<div class="mw-some-class">
$boxContents
</div>
EOT;

Some authors like to use END as the ending token, which is also the name of a PHP function. This leads to IRC conversations like the following:

<Simetrical>      vim also has ridiculously good syntax highlighting.
<TimStarling>     it breaks when you write <<<END in PHP
<Simetrical>      TimStarling, but if you write <<<HTML it syntax-highlights as HTML!
<TimStarling>     I have to keep changing it to ENDS so it looks like a string again
<brion-codereview>        fix the bug in vim then!
<TimStarling>     brion-codereview: have you ever edited a vim syntax script file?
<brion-codereview>        hehehe
<TimStarling>     http://tstarling.com/stuff/php.vim
<TimStarling>     that's half of it...
<TimStarling>     here's the other half: http://tstarling.com/stuff/php-syntax.vim
<TimStarling>     1300 lines of sparsely-commented code in a vim-specific language
<TimStarling>     which turns out to depend for its operation on all kinds of subtle inter-pass effects
<werdnum> TimStarling: it looks like some franken-basic language.

Functions and parameters

Avoid passing huge numbers of parameters to functions or constructors:

//Constructor for Block.php as of 1.17. *DON'T* do this!
function __construct( $address = '', $user = 0, $by = 0, $reason = '',
        $timestamp = 0, $auto = 0, $expiry = '', $anonOnly = 0, $createAccount = 0, $enableAutoblock = 0,
        $hideName = 0, $blockEmail = 0, $allowUsertalk = 0 )
{
        ...
}

It quickly becomes impossible to remember the order of parameters, and you will inevitably end up having to hardcode all the defaults in callers just to customise a parameter at the end of the list. If you are tempted to code a function like this, consider passing an associative array of named parameters instead.

In general, using boolean parameters is discouraged in functions. In $object->getSomething( $input, true, true, false ), without looking up the documentation for MyClass::getSomething(), it is impossible to know what those parameters are meant to indicate. Much better is to either use class constants, and make a generic flag parameter:

$myResult = MyClass::getSomething( $input, MyClass::FROM_DB & MyClass::PUBLIC_ONLY );

Or to make your function accept an array of named parameters:

$myResult = MyClass::getSomething( $input, array( 'fromDB', 'publicOnly' ) );

Try not to repurpose variables over the course of a function, and avoid modifying the parameters passed to a function (unless they’re passed by reference and that’s the whole point of the function, obviously).

C borrowings

The PHP language was designed by people who love C and wanted to bring souvenirs from that language into PHP. But PHP has some important differences from C.

In C, constants are implemented as preprocessor macros and are fast. In PHP, they are implemented by doing a runtime hashtable lookup for the constant name, and are slower than just using a string literal. In most places where you would use an enum or enum-like set of macros in C, you can use string literals in PHP.

PHP has three special literals: true, false and null. Homesick C developers write null as NULL because they want to believe that it is a macro defined as ((void*)0). This is not necessary.

Use elseif not else if. They have subtly different meanings:

// This:
if( $foo == 'bar' ) {
        echo 'Hello world';
} else if( $foo == 'Bar' ) {
        echo 'Hello world';
} else if( $baz == $foo ) {
        echo 'Hello baz';
} else {
        echo 'Eh?';
}

// Is actually equivalent to:
if( $foo == 'bar' ) {
        echo 'Hello world';
} else {
        if( $foo == 'Bar' ) {
                echo 'Hello world';
        } else  {
                if( $baz == $foo ) {
                        echo 'Hello baz';
                } else {
                        echo 'Eh?';
                }
        }
}

And the latter has poorer performance.

Naming

Use lowerCamelCase when naming functions or variables. For example:

private function doSomething( $userPrefs, $editSummary )

Use UpperCamelCase when naming classes: class ImportantClass. Use uppercase with underscores for global and class constants: DB_MASTER, Revision::REV_DELETED_TEXT. Other variables are usually lowercase or lowerCamelCase; avoid using underscores in variable names.

There are also some prefixes used in different places:

Functions

  • wf (wiki functions) – top-level functions, e.g.
function wfFuncname() { ... }

Verb phrases are preferred: use getReturnText() instead of returnText().

Variables

  • $wg – global variables, e.g. $wgVersion, $wgTitle. Always use this for new globals, so that it’s easy to spot missing “global $wgFoo” declarations. In extensions, the extension name should be used as a namespace delimiter. For example, $wgAbuseFilterConditionLimit, not $wgConditionLimit.

It is common to work with an instance of the Database class; we have a naming convention for these which helps keep track of the nature of the server to which we are connected. This is of particular importance in replicated environments, such as Wikimedia and other large wikis; in development environments there is usually no difference between the two types, which can conceal subtle errors.

  • $dbw – a Database object for writing (a master connection)
  • $dbr – a Database object for non-concurrency-sensitive reading (this may be a read-only slave, slightly behind master state, so don’t ever try to write to the database with it, or get an “authoritative” answer to important queries like permissions and block status)

The following may be seen in old code but are discouraged in new code:

  • $ws – Session variables, e.g. $_SESSION[‘wsSessionName’]
  • $wc – Cookie variables, e.g. $_COOKIE[‘wcCookieName’]
  • $wp – Post variables (submitted via form fields), e.g. $wgRequest->getText( ‘wpLoginName’ )
  • $m – object member variables: $this->mPage. This is discouraged in new code, but try to stay consistent within a class.

Pitfalls

  • Understand and read the documentation for isset() and empty(). Use them only when appropriate.
    • empty() is inverted conversion to boolean with error suppression. Only use it when you really want to suppress errors. Otherwise just use !. Do not use it to test if an array is empty, unless you simultaneously want to check if the variable is unset.
    • Do not use isset() to test for null. Using isset() in this situation could introduce errors by hiding mis-spelled variable names. Instead, use $var === null
  • Study the rules for conversion to boolean. Be careful when converting strings to boolean.
  • Be careful with double-equals comparison operators. Triple-equals is often more intuitive.
    • ‘foo’ == 0 is true
    • ‘000’ == ‘0’ is true
    • ‘000’ === ‘0’ is false
  • Array plus does not renumber the keys of numerically-indexed arrays, so array(‘a’) + array(‘b’) === array(‘a’). If you want keys to be renumbered, use array_merge(): array_merge( array( ‘a’ ), array( ‘b’ ) ) == array( ‘a’, ‘b’ )
  • Make sure you have error_reporting set to E_ALL for PHP 5. This will notify you of undefined variables and other subtle gotchas that stock PHP will ignore. See also Manual:How to debug.
  • When working in a pure PHP environment, remove any trailing ?> tags. These tags often cause issues with trailing white-space and “headers already sent” error messages (cf. bugzilla:17642 and http://news.php.net/php.general/280796).
  • Do not use the ‘goto’ syntax introduced in 5.3. PHP may have introduced the feature, but that does not mean we should use it.

Comments and Documentation

The Doxygen documentation style is used (it is very similar to PHPDoc for the subset that we use). A code documentation example: giving a description of a function or method, the parameters it takes (using @param), and what the function returns (using @return), or the @ingroup or @author tags.

Use @ rather than \ as the escape character (i.e. use @param rather than \param) – both styles work in Doxygen, but for backwards and future compatibility MediaWiki uses has chosen the @param style as convention).

Use /** to begin the comments, instead of the Qt-style formatting /*!.

General format for parameters is such: @param type $varname: description. Multiple types can be listed by separating with a pipe character.

Doxygen documentation states that @param should have the same format as phpDocumentor:

@param  datatype1|datatype2 $paramname description

For every public interface (method, class, variable, whatever) you add or change, a @since tag should be provided, so people extending the code via this interface know they are breaking compatibility with older versions of the code.

class Foo {

        /**
         * @var array $bar: Description here
         * @example array( 'foo' => Bar, 'quux' => Bar, .. )
         */
        protected $bar;

        /**
         * Short decription here, following by documentation of the parameters.
         *
         * @since 1.42
         *
         * @param FooContext $context
         * @param array|string $options: Optionally pass extra options. Either a string or an array of strings.
         * @return Foo|null: New instance of Foo or null of quuxification failed.
         *
         * Some example:
         * @code
         * ...
         * @endcode
         */
        public function makeQuuxificatedFoo( FooContext $context = null, $options = array() ) {
                /* .. */
        }

}

PHPDoc was used at the very beginning but got replaced with Doxygen for performance reason. We should probably drop PHPDoc compatibility.

@var: documenting class members

There is a ‘bug’ in Doxygen which affects MediaWiki’s documentation: using @var to specify the class members’ type only works if the variable name is appended:

       /**
         * Some explanation about the variable
         *
         * @var string $msg
         */
        protected $msg;

If you don’t append the variable name Doxygen will ignore the entire comment block and it will not be included in the docs.

Integration

There are a few pieces of code in the MediaWiki codebase which are intended to be standalone and easily portable to other applications; examples include the UTF normalisation in /includes/normal and the libraries in /includes/libs. Apart from these, code should be integrated into the rest of the MediaWiki environment, and should allow other areas of the codebase to integrate with it in return.

Global objects

Do not access the PHP superglobals $_GET, $_POST, etc, directly; use $request->get*( ‘param’ ) instead; there are various functions depending on what type of value you want. You can get a WebRequest from the nearest RequestContext, or if absolutely necessary $wgRequest. Equally, do not access $_SERVER directly; use $request->getIP() if you want to get the IP address of the current user.

Static methods and properties

Static methods and properties are useful for programmers because they act like globals without polluting the global namespace. However, they make subclassing and reuse more difficult for other developers. Generally, you should avoid introducing static functions and properties when you can, especially if the sole purpose is to just save typing.

For example, lots of developers would prefer to write something like:

Foo::bar();

This is because it is shorter and takes less keystrokes. However, by doing this you’ve made the Foo class much harder to subclass and reuse. Instead of introducing a static method, you could just type:

$f = new Foo();
$f->bar();

Remember, shorter does not always mean better, and you should take the time to design your classes in a way that makes them easy to reuse.

Late static binding

In PHP 5.3, a new feature called “Late Static Binding” (LSB) was added to help work around this perceived lack of functionality in static functions. However, the usefulness of LSB is debatable among MediaWiki developers and should be avoided for the time being.

Classes

Encapsulate your code in an object-oriented class, or add functionality to existing classes; do not add new global functions or variables. Try to be mindful of the distinction between ‘backend’ classes, which represent entities in the database (eg User, Block, Revision, etc), and ‘frontend’ classes, which represent pages or interfaces visible to the user (SpecialPage, Article, ChangesList, etc. Even if your code is not obviously object-oriented, you can put it in a static class (eg IP or Html).

As a holdover from PHP 4’s lack of private class members and methods, older code will be marked with comments such as /** @private */ to indicate the intention; respect this as if it were enforced by the interpreter.

Mark new code with proper visibility modifiers, including public if appropriate, but do not add visibility to existing code without first checking, testing and refactoring as required. It’s generally a good idea to avoid visibility changes unless you’re making changes to the function which would break old uses of it anyway.

Error handling

Don’t suppress errors with PHP’s @ operator, for any reason ever. It’s broken when E_STRICT is enabled and it causes an unlogged, unexplained error if there is a fatal, which is hard to support. Use wfSuppressWarnings() and wfRestoreWarnings() instead. The checkSyntax.php maintenance script can check for this error for you.

When your code encounters a sudden error, you should throw a MWException (or an appropriate subclass) rather than using PHP’s trigger_error. The exception handler will display this as nicely as possible to the end user and wiki administrator, and also provides a stack trace to developers.

'Coz sharing is caring
Categories
HTTP Concepts

How does remember me differ from session timeout

So what would a remember me bring to the party?

What’s important to distinguish here is the difference between a “session cookie” and a “remember me cookie”.

Since HTTP is a stateless protocol, a session cookie is used to tie several requests to a single user. Without it, every single request to your webserver is completely unrelated to every other request. Can you imagine writing applications without sessions? Every request is completely empty, no logins, no session variables..every request is an unknown user! This basically means no web applications!

Now, important thing here is to realise that you absolutely don’t want your session to last 24 hours! In my book, this is a very big no-no. The shorter your session is, the safer it is (at least theoretically). Why? Because a session can be hijacked! The longer your session is around, the more chance it has of being hijacked.

For example, imagine a banking application. Also, imagine your user is accessing it on a public PC (our user is not the brightest). So he’s managing his account or whatever..and his phone rings. Being an idiot, he takes the call and leaves, without logging out. Do you want your session to expire in 5 minutes, 15 minutes, or 24 hours? Don’t know about you, but for something as critical as online banking, I want that session gone ASAP.

Moving on to the “remember me” part.

So session cookie “connects” multiple requests in a single session, what does the “remember me” cookie do? In simple terms: it ties multiple sessions to a single user.

You want your site to be easy and pleasant to use, and logging in is almost never pleasant. It’s just an annoying thing you have to do every time before doing that thing you really want to do. A remember me cookie removes that annoyance.

You log in once, check the box, and now you’re always logged in on that PC. This is why you should never use “remember me” feature while on a shared PC, because the next person will have your identity. Legitimately. This is why remember me cookies are also a security risk, they can be hijacked much like the session cookie.

Finally, there is one crucial difference between a session cookie and a remember me cookie: expiration. Session cookies normally expire when you close your browser (or after a time you’ve specified explicitly), whereas remember me cookies typically last for much longer.

'Coz sharing is caring