About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


PHP Quick Reference

While cleaning out my desk, I found an old copy of a PHP Quick Reference I helped make a few years ago. On the front page are a few performance and security tips that I thought I'd share. (Performance tips are from George Schlossnagle.)

Top 5 Performance Tips

  1. Use a Compiler Cache. Completely transparent to your application, a compiler cache is the closest you'll get to a fast = true ini setting.
  2. Profile Early; Profile Often. Big and small systems alike can behave in unexpected ways. Quantitative tools help you understand where your bottlenecks are. This is critical for targeting your tuning efforts.
  3. Cache Whenever Possible. The vast majority of performance optimizations involve caching data in one form or another. Whether caching content or just intermediate data during complex procedures, intelligent use of caching techniques can dramatically improve your performance.
  4. Be Mindful of Using External Data Sources. The top performance bottleneck in almost every application we analyze is making too many (or too complex) database queries. Always optimize your queries, and structure your most frequently accessed data to be efficiently fetched.
  5. Don't Over-Optimize. As Donald Knuth said, "Premature optimization is the root of all evil." Optimization is (at least after the initial stages) a matter of trading flexibility for performance. By over-optimizing your code, you can render it brittle to future functionality changes.

Top 5 Security Tips

  1. Trust Nothing. Most security vulnerabilities can be traced back to a misplaced trust in suspect data, primarily input provided by third parties. When in doubt, verify your assumptions to be sure.
  2. Filter Input. Inspect any data you receive from a third party to be sure it meets your expectations, rejecting anything that doesn't. Don't try to massage input in order to be accommodating, and err on the side of caution by allowing only what you know is safe rather than rejecting only what you know is not.
  3. Escape Output. When outputting data, be sure your data is represented in such a way that it is preserved in its new context. In PHP, we often mix data with HTML, SQL, and the like. Escaping helps preserve the distinction and prevent misinterpretation.
  4. Use Prepared Statements. By using prepared statements, you can preserve the distinction between an SQL query and the data to be bound to it. This offers strong protection against SQL injection.
  5. Reduce, Reuse, Recycle. Use mature, existing solutions. Not only are they likely to be more thorough than your own, but you can also simplify your code, making it easier to understand and less error-prone.
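Tips 2, 3 and 4 applied to a single request, as an added example that is not part of the original post or reference card. It assumes an open PDO connection in $pdo and a users table with a name column; both are hypothetical.

```php
<?php
// Added example (not from the original post). Assumes a PDO connection in $pdo
// and a "users" table with a "name" column; both are assumptions.

// 2. Filter Input: allowlist what a username may look like and reject the rest.
function filter_username(?string $raw): ?string
{
    if ($raw === null || !preg_match('/^[A-Za-z0-9_]{3,32}$/', $raw)) {
        return null; // reject; do not try to "massage" the value into shape
    }
    return $raw;
}

// 3. Escape Output: keep the data intact when it lands in an HTML context.
function escape_html(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 4. Use Prepared Statements: the query text and the bound data never mix.
function find_user(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute(['name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Keep filtered input in a separate array so raw and clean data are never confused.
$clean = [];
$clean['name'] = filter_username($_GET['name'] ?? null);
if ($clean['name'] === null) {
    http_response_code(400);
    exit('Invalid name.');
}

$user = find_user($pdo, $clean['name']);
if ($user === null) {
    echo '<p>No user named ' . escape_html($clean['name']) . '.</p>';
} else {
    echo '<p>Found user ' . escape_html($user['name']) . '.</p>';
}
```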

Got anything you'd add to these lists? Please share in the comments. :-)

About This Post

PHP Quick Reference was posted on Thu, 06 Aug 2009 at 22:03:07 GMT.

12 Comments

1. Travis said:

Hi Chris,

Thanks for the post -- would you be able to provide a few quick links for each item above? For example, if I were interested in profiling my PHP application, where would I start? Thanks!

Thu, 06 Aug 2009 at 23:30:46 GMT


2. Martin Fjordvald said:

The de-facto standard for profiling PHP code is xdebug and some sort of cachegrind analyser such as kcachegrind for Unix and wincachegrind for Windows. Alternatively, webgrind runs in any browser so you just need a web server installed.

Fri, 07 Aug 2009 at 00:05:13 GMT


3. Chris Shiflett said:

Travis, I use APD for performance profiling, but Xdebug can do the job as well.

Fri, 07 Aug 2009 at 01:13:40 GMT


4. Steven Srowiec said:

For profiling I recently put a repo up on github (Link) that lets you do profiling in the way of memory usage, page load times and database queries. At the very least something like this that lets you see what your queries are doing and how many you're really running (and how many duplicates you have) could be helpful.

Fri, 07 Aug 2009 at 11:53:36 GMT


5. Chris Shiflett said:

Thanks for the link, Steven.

Fri, 07 Aug 2009 at 13:26:51 GMT


6. jestep said:

My biggest peeve is lazy coding.

If you're going to take the time to make a script/object/app etc., take the time to make sure you're doing it correctly.

I still run into short tags, PHP3 concepts, ereg, scripts relying on register globals, etc...

And, escape your damn user input. I don't see why it is so difficult to grasp raw POST and GET variables in a database query being a problem.

Haha, just ranting on the last one... The only other one I would add is comment your coding...

Never get complacent about the basics.

Sat, 08 Aug 2009 at 02:46:28 GMT


7. Joe Devon said:

According to Open X Blog, remove constants.

Just removing all the constants allowed us to improve the performance by almost 2x (we left one constant to be precise).

Sun, 09 Aug 2009 at 17:53:37 GMT


8. Roman said:

#5 in the second list is a double-edged sword. A lot of "reusable" solutions in PHP are really heavyweight and difficult to integrate into an existing application, unless you designed that app specifically to use those solutions. Needless to say, complexity creates performance and security problems. It would be good to have some kind of online library of lightweight (one class or one function), high-quality solutions for mundane problems in PHP. I haven't seen anything like it, though.

My #6 would be "try to do things with the minimum amount of code (within reason)". That's for both of the lists.

Sun, 09 Aug 2009 at 22:28:44 GMT


9. Ben Dunlap said:

@Roman:

"It would be good to have some kind of online library of lightweight (one class or one function), high-quality solutions for mundane problems in PHP"

I agree, and I haven't seen it either. Maybe I haven't looked hard enough?

Recently a friend asked me to add a contact form to his all-static-HTML site. We had a conversation about CMSes, etc., and it ended that he's very happy maintaining his static site by hand. He just wanted a contact form.

So I thought, "Easy -- I'll find the canonical open-source PHP contact form, tweak it a bit if need be, upload it, done."

But I couldn't find one, so I ended up writing the code myself. I tried to do it right but I'm sure I missed a few things.

Is Roman's dream library already out there, though? I tend to think it's not called PEAR, but maybe I haven't given PEAR a fair shake.

Tue, 11 Aug 2009 at 01:24:58 GMT


10. Bill Karwin said:

Re performance, I'd encourage folks to think of PHP as one layer in a multi-layered architecture. You also need to pay attention to client-side, network, server-side architecture (load balancing etc.), and hardware. Any of these layers can be a bottleneck, and just profiling your PHP code won't detect many of these weaknesses.

Tue, 11 Aug 2009 at 04:54:40 GMT


11. Chris Shiflett said:

You're right, Bill, but if PHP drives everything else, profiling will still reveal the manifestation of problems in other areas, and it will help you identify the areas where your tuning can have the greatest impact.

For example, if this line of code is the slowest in a particular page, you know it's time to track down the query and take a closer look:

<?php

$query->execute(array('name' => $clean['name']));

?>

Tue, 11 Aug 2009 at 14:48:39 GMT


12. Vladimir said:

What about Zend Platform usage to identify performance problems, is it cool for that purpose?

Sat, 15 Aug 2009 at 15:46:16 GMT

