PHP Coding Style Function vs Passing Variables

A bit new to the whole PHP thing.

Just wanna ask, which is better in regards to performance and security. I know both have their pros and cons, but I just can't seem to come to a conclusion on which could be better for overall performance and security.

  1. Use a PHP file with loads of functions. So every page I have will "include" the function php file, thus functions can be called in any given page.

OR

  2. Have a PHP file that accepts parameter input (not sure if that is what you call it). For example function.PHP?id=100

Any comments?

Thanks everyone :)

The second method is preferred: one index.php file which drives the entire application/website.

As for breaking down the application, you'll use both: parameters in the URL, to decide what is to be done, and helper functions which receive parameters and do their job.

The challenge is to break down the "big problem" in smaller, reusable "sub-problems" and wrap each in a reusable function.

After that, solving the "big problem" is a matter of sticking together function calls, like you do in a puzzle game.

Now, that was the way to go at your beginner level; at a more advanced level you would break it down in an OOP manner, to take advantage of autoloading (read my response there for details).

Right in-between the two levels of experience, you could try first to use a procedural PHP framework like http://www.limonade-php.net/, and second to understand its code and learn from it. This should put you on the right track for more advanced uses of PHP.

None of your presented options have something particular in respect to security or performance, they're both the same. Breaking it down in functions is a matter of code reusability and maintainability. That being said, the OOP is still better in any regards (again, I'll have to point at my other answer).

As I said, you'll use both, AND you'll have to validate the input (that is, $_REQUEST, $_GET, $_POST, $_COOKIE, $_SESSION, $_FILES, (some elements from) $_SERVER). Be careful with XSS (basically, you'll use either strip_tags() or htmlentities() or a combination of the two). That's about the security aspect.
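An added example (not part of the original answer) of the single entry point described above: a URL parameter selects the action from an allowlist, the id is validated before it reaches a helper function, and output is escaped with htmlspecialchars(), used here in place of the htmlentities() the answer mentions. The action names, the note parameter and the helper functions are assumptions made for illustration.

```php
<?php
// index.php: single entry point (added example; all names are hypothetical).
declare(strict_types=1);

// Escape a value for an HTML text or attribute context at output time.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Helper functions: each handles one sub-problem and receives validated values.
function show_client(int $id, string $note): string
{
    return '<h1>Client ' . $id . '</h1><p>' . e($note) . '</p>';
}

function show_home(): string
{
    return '<h1>Home</h1>';
}

// Allowlist: the URL parameter only selects one of these known actions.
// It is never used directly as a function name or an include path.
const ACTIONS = ['home', 'client'];

function dispatch(array $get): string
{
    $action = $get['action'] ?? 'home';
    if (!in_array($action, ACTIONS, true)) {   // strict: rejects arrays, unknown names
        http_response_code(404);
        return '<h1>Not found</h1>';
    }
    if ($action === 'client') {
        // Type and range check: rejects "100abc", "-1", arrays and a missing id.
        $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]);
        if ($id === false || $id === null) {
            http_response_code(400);
            return '<h1>Bad request</h1>';
        }
        $note = is_string($get['note'] ?? null) ? $get['note'] : '';
        return show_client($id, $note);
    }
    return show_home();
}

// On the command line, use a constructed sample request; under a web server, use $_GET.
$sample = ['action' => 'client', 'id' => '100', 'note' => '<script>alert(1)</script>'];
echo dispatch(PHP_SAPI === 'cli' ? $sample : $_GET), "\n";
```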

Welcome Tak4evr

I would use Object Orientated design practices over this method. Procedural code, based on many functions, is hard to follow and therefore expensive to maintain.

But given the choices I would go with your first option:

Use a PHP file with loads of functions. So every page I have will "include" the function php file, thus functions can be called in any given page.

You would include this file and, rather than using function.php?id=100 as you suggested, you should use something more descriptive which then uses your functions.

For example use clients.php?id=100, then use clients.php to get the id, and pass that id to one of your functions.

Hope that helps.

It took me a while to try to work out what you could possibly mean by this question.

Have a PHP file that accepts parameter input (not sure if that is what you call it). For example function.PHP?id=100

I guess you mean that you want to be able to include only the relevant parts of PHP code using your own user-defined function.

Unless you're very VERY good at programming, this approach is the wrong way to solve the problem. Have a google for self-modifying code for some discussion on the topic. It opens up huge code injection vulnerabilities and makes debugging the code very hard.

Even if there were no security issues, and no maintenance issues, and you are a guru programmer, the only way to pass parameters into a PHP script is via an HTTP request or by running a program - both have a huge overhead compared with reading the code directly from the local filesystem - so this approach is wrong from the performance point of view.

PHP does have functionality which appears, en face, to be very similar to what you are proposing - the autoloader. However there are some very important differences.

Most of the performance related stuff which you can control within PHP (i.e. not the HTTP stuff, not the DB stuff) is the amount of code the interpreter has to parse. So your first approach is flawed from a performance point of view.

The right way to solve the problem is to break down the functionality into related chunks - and keep these in separate files, then only include the ones you need for a particular task.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
