About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.

PHP Quick Reference

While cleaning out my desk, I found an old copy of a PHP Quick Reference I helped make a few years ago. On the front page are a few performance and security tips that I thought I'd share. (Performance tips are from George Schlossnagle.)

Top 5 Performance Tips

  1. Use a Compiler Cache. Completely transparent to your application, a compiler cache is the closest you'll get to a fast = true ini setting.
  2. Profile Early; Profile Often. Big and small systems alike can behave in unexpected ways. Quantitative tools help you understand where your bottlenecks are. This is critical for targeting your tuning efforts.
  3. Cache Whenever Possible. The vast majority of performance optimizations involve caching data in one form or another. Whether caching content or just intermediate data during complex procedures, intelligent use of caching techniques can dramatically improve your performance.
  4. Be Mindful of Using External Data Sources. The top performance bottleneck in almost every application we analyze is making too many (or too complex) database queries. Always optimize your queries, and structure your most frequently accessed data to be efficiently fetched.
  5. Don't Over-Optimize. As Donald Knuth said, "Premature optimization is the root of all evil." Optimization is (at least after the initial stages) a matter of trading flexibility for performance. By over-optimizing your code, you can render it brittle to future functionality changes.

Top 5 Security Tips

  1. Trust Nothing. Most security vulnerabilities can be traced back to a misplaced trust in suspect data, primarily input provided by third parties. When in doubt, verify your assumptions to be sure.
  2. Filter Input. Inspect any data you receive from a third party to be sure it meets your expectations, rejecting anything that doesn't. Don't try to massage input in order to be accommodating, and err on the side of caution by allowing only what you know is safe rather than rejecting only what you know is not.
  3. Escape Output. When outputting data, be sure your data is represented in such a way that it is preserved in its new context. In PHP, we often mix data with HTML, SQL, and the like. Escaping helps preserve the distinction and prevent misinterpretation.
  4. Use Prepared Statements. By using prepared statements, you can preserve the distinction between an SQL query and the data to be bound to it. This offers strong protection against SQL injection.
  5. Reduce, Reuse, Recycle. Use mature, existing solutions. Not only are they likely to be more thorough than your own, but you can also simplify your code, making it easier to understand and less error-prone.
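Security tips 2 through 4 applied to a single request path, as an added example (not code from the Quick Reference or its authors). The `users` table, the helper names `filter_name`, `find_users` and `html`, and all sample values are constructed for illustration, and the script assumes the pdo_sqlite extension is enabled.

```php
<?php
// Added example: table, helper names and sample values are constructed.

// Tip 2, Filter Input: allow-list check that rejects rather than repairs.
function filter_name($raw)
{
    // Accept only 1-32 ASCII letters, spaces, hyphens or apostrophes.
    if (!is_string($raw) || !preg_match("/\\A[A-Za-z' -]{1,32}\\z/", $raw)) {
        return null;
    }
    return $raw;
}

// Tip 4, Use Prepared Statements: the query text is fixed, data is bound.
function find_users(PDO $db, array $clean)
{
    $query = $db->prepare('SELECT name, bio FROM users WHERE name = :name');
    $query->execute(array('name' => $clean['name']));
    return $query->fetchAll(PDO::FETCH_ASSOC);
}

// Tip 3, Escape Output: encode for the HTML context at the point of output.
function html($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed data: in-memory SQLite database (assumes pdo_sqlite is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, bio TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(array("O'Brien", '<script>alert(1)</script> likes PHP'));

// Constructed request values standing in for $_GET['name'].
$requests = array("O'Brien", "x' OR '1'='1", array('nested'));

foreach ($requests as $raw) {
    $clean = array();
    $clean['name'] = filter_name($raw);
    if ($clean['name'] === null) {
        echo "rejected\n";          // fails the allow-list; never reaches SQL
        continue;
    }
    foreach (find_users($db, $clean) as $row) {
        echo '<li>' . html($row['name']) . ': ' . html($row['bio']) . "</li>\n";
    }
}
```

The apostrophe in the accepted name passes the filter yet cannot alter the query because it is bound as data, and the stored `bio` value is escaped on output even though it came from the database rather than the request.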

Got anything you'd add to these lists? Please share in the comments. :-)

About this post

PHP Quick Reference was posted on Thu, 06 Aug 2009.


1.Travis said:

Hi Chris,

Thanks for the post -- would you be able to provide a few quick links for each item above? For example, if I were interested in profiling my PHP application, where would I start? Thanks!

Thu, 06 Aug 2009 at 23:30:46 GMT Link

2.Martin Fjordvald said:

The de-facto standard for profiling PHP code is xdebug and some sort of cache grind analyser such as kcachegrind for Unix and wincachegrind for Windows. Alternatively, webgrind runs in any browser so you just need a web server installed.

Fri, 07 Aug 2009 at 00:05:13 GMT Link

3.Chris Shiflett said:

Travis, I use APD for performance profiling, but Xdebug can do the job as well.

Fri, 07 Aug 2009 at 01:13:40 GMT Link

4.Steven Srowiec said:

For profiling I recently put a repo up on github (Link) that lets you do profiling in the way of memory usage, page load times and database queries. At the very least something like this that lets you see what your queries are doing and how many you're really running (and how many duplicates you have) could be helpful.

Fri, 07 Aug 2009 at 11:53:36 GMT Link

5.Chris Shiflett said:

Thanks for the link, Steven.

Fri, 07 Aug 2009 at 13:26:51 GMT Link

6.jestep said:

My biggest peeve is lazy coding.

If you're going to take the time to make a script/object/app etc. take the time to make sure you're doing it correctly.

I still run into short tags, PHP3 concepts, ereg, scripts relying on register globals, etc...

And, escape your damn user input. I don't see why it is so difficult to grasp raw POST and GET variables in a database query being a problem.

Haha, just ranting on the last one... The only other one I would add is comment your coding...

Never get complacent of the basics.

Sat, 08 Aug 2009 at 02:46:28 GMT Link

7.Joe Devon said:

According to Open X Blog, remove constants.

Just removing all the constants allowed us to improve the performance by almost 2x (we left one constant to be precise).

Sun, 09 Aug 2009 at 17:53:37 GMT Link

8.Roman said:

#5 in the second list is a double-edged sword. A lot of "reusable" solutions in PHP are really heavyweight and difficult to integrate into an existing application, unless you designed that app specifically to use those solutions. Needless to say, complexity creates performance and security problems. It would be good to have some kind of online library of lightweight (one class or one function), high-quality solutions for mundane problems in PHP. I haven't seen anything like it, though.

My #6 would be "try to do things with the minimum amount of code (within reason)". That's for both of the lists.

Sun, 09 Aug 2009 at 22:28:44 GMT Link

9.Ben Dunlap said:


"It would be good to have some kind of online library of lightweight (one class or one function), high-quality solutions for mundane problems in PHP"

I agree, and I haven't seen it either. Maybe I haven't looked hard enough?

Recently a friend asked me to add a contact form to his all-static-HTML site. We had a conversation about CMSes, etc., and it ended that he's very happy maintaining his static site by hand. He just wanted a contact form.

So I thought, "Easy -- I'll find the canonical open-source PHP contact form, tweak it a bit if need be, upload it, done."

But I couldn't find one, so I ended up writing the code myself. I tried to do it right but I'm sure I missed a few things.

Is Roman's dream library already out there, though? I tend to think it's not called PEAR, but maybe I haven't given PEAR a fair shake.

Tue, 11 Aug 2009 at 01:24:58 GMT Link

10.Bill Karwin said:

Re performance, I'd encourage folks to think of PHP as one layer in a multi-layered architecture. You also need to pay attention to client-side, network, server-side architecture (load balancing etc.), and hardware. Any of these layers can be a bottleneck, and just profiling your PHP code won't detect many of these weaknesses.

Tue, 11 Aug 2009 at 04:54:40 GMT Link

11.Chris Shiflett said:

You're right, Bill, but if PHP drives everything else, profiling will still reveal the manifestation of problems in other areas, and it will help you identify the areas where your tuning can have the greatest impact.

For example, if this line of code is the slowest in a particular page, you know it's time to track down the query and take a closer look:

$query->execute(array('name' => $clean['name']));

Tue, 11 Aug 2009 at 14:48:39 GMT Link

12.Vladimir said:

What about Zend Platform usage to identify performance problems, is it cool for that purpose?

Sat, 15 Aug 2009 at 15:46:16 GMT Link
