defensive(programming 

No content

use$a$framework 

don't&trust&users (meet%bobby%tables) 

secure&input 

filter_var( $input, FILTER_VALIDATE_BOOLEAN ); FILTER_VALIDATE_EMAIL; FILTER_VALIDATE_IP; FILTER_VALIDATE_REGEXP; FILTER_VALIDATE_URL; # php.net/function.filter_var 

v::alnum() ->length(1, 15) ->validate("PHP 6"); v::regex("/[a-z]/")->validate("a"); v::startsWith("lorem")->validate("lorem ipsum"); v::leapYear()->validate("1988"); v::macAddress()->validate("af-AA-22-33-44-55"); # github.com/respect/validation 

use$db$abstrac+ons 

/** * @entity * @table(name="cakes") */ class Cake { /** * @var string * @column(type="string") */ protected $type; /** * @param string $type */ public function setType($type) { $this->type = $type; } } 

$config = Setup::createAnnotationMetadataConfiguration( ["src"], $isDevMode = true ); $cake = new Cake(); $cake->setType("Brownie"); $manager = EntityManager::create($connection, $config); $manager->persist($cake); $manager->flush(); # github.com/doctrine/doctrine2 

$query = $factory->newSelect(); $query ->cols(["id", "type"]) ->from("cakes") ->where("cake.type = ?", "brownie"); print $query->getStatement(); # github.com/auraphp/aura.sqlquery 

just%don't%interpolate%strings%in%queries! 

rather&use&prepared&statements or#something#equally#secure 

secure&output 

$before = "This is an example of
some html content! click for drama console.log('boo!');"; $after = strip_tags($before, "
"); "This is an example of
some html content!" # php.net/function.strip_tags 

$before = "This is an example of
some html content! click for drama console.log('boo!');"; $after = htmlentities($before); "This is an example of<br> some html content! <a href='http://twitter.com'>click for drama</a> <script>console.log('boo!');</script>" # php.net/function.htmlentities 

don't&trust&developers (that%includes%you) 

write&tests 

seriously,*write*tests 

i'm$not$kidding 

cleancoders.com grumpy'learning.com 

follow%solid%principles 

hint%types 

function addTaskToQueue(Task $task, SplQueue $queue) { $clone = clone $queue; $clone->enqueue($task); return $clone; } function fetchProducts(array $products, Closure $then) { $then( array_map(function(Product $product) { return file_get_contents("http://api.com/{$product->id}"); }, $products) ); } 

function addTaxToPrice(float $percentage, float $price): float { return $price + ($price * $percentage); } declare(strict_types=1); $newPrice = addTaxToPrice(0.14, 120.0); # wiki.php.net/rfc/return_types # wiki.php.net/rfc/scalar_type_hints_v5 

un#l%then... 

/** * @param float $percentage * @param float $price * @return float */ function addTaxToPrice($percentage, $price) { assert(is_float($percentage)); assert(is_float($price)); return $price + ($price * $percentage); } # php.net/function.assert 

use$immutable$types 

/** * @param float $amount * @param string $reason * @param DateTime $timestamp */ public function __construct($amount, $reason, DateTime $timestamp) { assert(is_float($amount)); assert(is_string($reason)); $this->amount = $amount; $this->reason = $reason; $this->timestamp = $timestamp; } 

$timestamp = new DateTime("2015-06-26 12:15:00"); $transaction1 = new Transaction( 12.0, "bought a burrito", $timestamp ); $transaction2 = new Transaction( 9.0, "had shoes polished", $timestamp ); $timestamp->setTime(12, 20); 

/** * @param string $type */ public function withType($type) { assert(is_string($type)); $clone = clone $this; $clone->type = $type; return $clone; } 

/** * @param string $property * @param mixed $value */ public function cloneWith($property, $value) { $clone = clone $this; $clone->$property = $value; return $clone; } /** * @param string $type */ public function withType($type) { assert(is_string($type)); return $this->cloneWith("type", $type); } 

clone&is&shallow, so#manage#deep#cloning#yourself 

write&simple&code (it's&the&hardest&thing) 

do#the#one#thing 

function sendOrdersAndRenderInvoice(array $orders, $templatePath) { foreach ($orders as $order) { if (!($order instanceof Order)) { throw new InvalidArgumentException("Invalid order type"); } try { $this->api->send($order); } catch (ApiException $exception) { $this->logger->log("There was a problem sending an order"); throw $exception; } } if (!file_exists($templatePath)) { throw new InvalidArgumentException("Template not found"); } $template = file_get_contents($templatePath); return $this->renderer->render($template, $orders); } 

function sendOrders(array $orders) { $this->validateOrders($orders); foreach ($orders as $order) { $this->sendOrder($order); } } function validateOrders(array $orders) { foreach ($orders as $order) { if (!($order instanceof Order)) { throw new InvalidArgumentException("Invalid order type"); } }; } function sendOrder(Order $order) { try { $this->api->send($order); } catch (ApiException $exception) { $this->logger->log("There was a problem sending an order"); throw $exception; } } 

exit%early 

function openAccount(AccountHolder $holder, AccountType $type) { if ($holder->getAge() > 18 || $holder->hasParentPermission()) { if (in_array($type->getName(), $holder->getAllowedAccountTypes())) { if ($this->canOpenAccountType($type->getName())) { $this->openApprovedAccount($holder, $type); return true; } } } return false; } 

function openAccount(AccountHolder $holder, AccountType $type) { if ($holder->getAge() < 18 && !$holder->hasParentPermission()) { return false; } if (!in_array($type->getName(), $holder->getAllowedAccountTypes())) { return false; } if ($this->canOpenAccountType($type->getName())) { return false; } $this->openApprovedAccount($holder, $type); return true; } 

avoid&flag¶meters 

$template = $this->getTemplate($templatePath, false); $template = trim($template); return $this->renderer->render($template, $data, false); 

avoid&mixed¶meter/return&types 

use$value$objects 

thanks joind.in/14209 twi$er.com/assertchris