Hendra Nicholas I am a software engineer, consultant and CEO at 41studio currently living in West Java, Indonesia. My interests range from programming to sport. I am also interested in entrepreneurship, technology, and design.

5 Common Mistakes for PHP Developers to Avoid

3 min read

5 Common Mistakes for PHP Developers to Avoid

PHP is a server side scripting language that is used to develop Static websites or Dynamic websites or Web applications. PHP stands for Hypertext Pre-processor, that earlier stood for Personal Home Pages.

PHP is probably the most popular scripting language on the web. It is used to enhance web pages. With PHP, you can do things like create username and password login pages, check details from a form, create forums, picture galleries, surveys, and a whole lot more. If you’ve come across a web page that ends in PHP, then the author has written some programming code to liven up the plain, old HTML.

Here are the most common mistakes PHP developers may face and tips to help avoid them.


Some of the top cyber attacks on the web are SQL injections. In a SQL injection attack, a hacker will insert SQL code you haven’t authorized into your database, causing it to execute commands like leaking, altering, or deleting data. However, there are ways that better PHP programming can minimize the risk of SQL injection attacks.

PHP is the backbone for several out-of-the-box solutions such as WordPress. When writing new extensions and plugins for WordPress sites, developers will likely create inline SQL statements. These statements are built from the front-end and sent back to the SQL database. If these statements are malformed, you run the risk of leaving your site open to SQL injection.

There are two ways to avoid this. The first way (and the most preferred) is by using prepared statements. The second is by using parameterized queries.


PHP has different error levels, but you can manually suppress them in your code. This is useful if you have errors that aren’t critical and don’t cause any serious effects. For instance, you could suppress warning messages regarding PHP versions.

Errors are available in a system that tells the programmer that something is wrong. Suppressing errors is a bad way to let the app run with potential bugs. At the same time, popping up of incoherent errors on the web is highly irritating. A good practice can be to redirect them to an error log, using the php.ini file. On the other hand, frequent logging may slow down the website drastically, especially during heavy traffic. Hence an alternative can be to change the default error handler with another customized one e.g. that could end the application if a grave error occurs. PHP add-ons such as Papertrail allow the errors to be sent to the back-end instead of popping up on screen, so that they can be searched, grouped and fixed later.

3. Forgetting to Run Backups

It might seem like an easy step, but many developers have poor backup practices. You don’t need to back up every hour, but you should run backups each day if you do significant work on a project. Just remember that your backups save you hours of recoding should you lose your data in the event your drive fails.

If you have a difficult time figuring out a problem in your code, back up the system so you don’t lose the solution—and hours of work—and have to recode it. A backup can also save you from missing a deadline if something happens to go awry.

You should also create backups for your clients in the rare case that a client has a critical failure and no backup. It’s a nice gesture, and you can help your client out of a potentially sticky situation.

4. Invalidated User Input/ Cross-Site Script

Badly intended user inputs may creep in as arguments in URL strings or as data from forms, which can allow a user to see the local details and files of the website. It is therefore very useful to validate the data as per expected values/ranges before allowing it to be passed into the system for further use/processing. A hacker can embed a client-side script in a data to be displayed on the webpage, such as in comments, which eventually gets executed on the server to steal some sensitive information via the back-end and let everything appear normally on the server. Exploiting a database query allows a user to inject query strings that can fetch sensitive records from the database for the user is a common SQL injection technique engaged by hackers. Validating user-entered data or is very important to avoid all of these.

5. Configuration Loopholes

An accidentally or carelessly left development system configuration and perhaps sensitive data can expose the setup to unwarranted hacking. It is simple to remove app_dev.php which allows access to development version of the app from the actual deployed servers. Similarly, the php.ini file contains configuration data. If the website is hosted on a shared server, this file can be is a sitting duck for malicious audience. Keeping the local PHP settings specific to the hosting account of the programmer ensures that a restricted and more secure environment is available for the app. By creating a page that calls the phpinfo() function to list the specific values of the php.ini variables, and keeping this page in a secure private area not accessible to public is a good practice.

Hendra Nicholas I am a software engineer, consultant and CEO at 41studio currently living in West Java, Indonesia. My interests range from programming to sport. I am also interested in entrepreneurship, technology, and design.