Spot on on all of your corrections. I write PHP advice and tutorials for web sites as part of my day job and know all too well that advice posted at a reputable site like this will live on in code for years, whether it’s good advice or not.

Thanks for taking the time to post corrections

=C=

Firstly, as for detecting if PHP is set up correctly..use the php -i command from the command line, or phpinfo() function on a php file loaded through your web server. This will allow you (the setter-upper) to tell if all the modules you expected to be loaded, are loaded properly. For example, when you load the MySQL extension into php, there will be a section of `php -i` or phpinfo() labeled “mysql” and will show some default server variables for the module, letting you know that the MySQL client library is loaded and available to php.

Secondly, in reference to using “addslashes” and “magic_quotes_gpc.” DON’T! The “addslashes” function is *absolutely not suitable* for sanitizing database input. It does not do anything more than add backslashes before apostrophes in a string, and does not take into account the databases’ character set collation. As for the “magic_quotes_gpc” setting, it is not guaranteed to be ON in all server configurations, in fact, I turn it OFF in EVERY server configuration I do. It causes more headaches than it’s really worth. With PHP, you can use the PDO library to prepare your SQL statements, and sanitize the input in a MUCH MORE secure manner than either of the two methods Andrew mentions.

Finally, I don’t want to come off as a conceited, or look like I’m downing Andrew – I appreciate him trying to contribute to the community, and help new developers out – the community definitely benefits from these sorts of people. So, thank you Andrew for sending chris your tips! Without you sending them, I probably wouldn’t have been prompted to share what I am about to share.

I have a few more methodological type points of advice for new developers.

1. Never, ever trust what a user of your site gives you, ever.
Always error check, and sanitize your field inputs. ESPECIALLY when you are outputting that data on the page, or interacting with a file that exists on your file system. Its TRIVIAL for a user to type in some html in their text box, or “../../../../../../../../../../../../etc/passwd” to access your server password file.

So, a few tips when dealing with those types of fields:

1. If you’re going to output the stuff a user types in, always, always, yes even if you don’t feel like it, call htmlspecialchars on the data, and sanitize it using the *sql functions of php (mysql_real_escape_string, PDO bind param, whatever).

2. If you’re dealing with the name of a physical file, call the function basename on the input (as well as using a regular expression checking for illegal characters in the filename)

On some related notes:

3. If you don’t know what regular expressions are, time for some googling. There are lots of sites offering tutorials and other help with them (regexlib.com comes to mind). Regular expressions are incredibly powerful, and despite what anyone says, absolutely awesome and appropriate when used in moderation.

4. Get in the habit of commenting, and ORGANIZING your code! Nothing is more frustrating than when you come back to a project 3 months after not working with it – and not understanding a lick of what it does! Organization and comments will ALSO help you explain any problems you’re having to another developer (meaning, you’ll get better help – faster). Once you’ve made it a habit, you won’t ever have to worry about it again – because you’ll do it automatically!

5. If you’re unsure, ask for help. Use IRC (efnet, freenode), read blogs, read the comments on php.net documentation pages (they’re astonishingly helpful), stackoverflow.com has some resident php geniuses even.

Finally, remember, the community is only as good as the people inside it. If you come across a real you-know-what, don’t bother fighting, be the bigger person and move on. Someone knows the answer, there is no reason you have to deal with someone who is hurting the community of developers when there are thousands of people willing to help you. You just have to know who to ask.

I hope these tips are useful to someone, thanks for reading them and Good Luck!

I think newbies to PHP should install programmes such as XAMPP and when they are confident, they can move on to the fun of installing PHP and Apache.

Asking help from communities is good, but some “professional coders” use forums incorrectly and end up asking questions in a stupid manor. For example they may not provide problem code or may just try to get someone to do their work for free.

Most of all, relax and enjoy the wild ride.

I have found that http://phpfreaks.com/ is a good website (Forum), with very good PHP developers that are there to help you. also dont be afraid to google your errors, there are many web sites out there with people that either have or gotten the same error with a correct way to fix the error.

if you are a beginner with php I recommend grabbing a few books from your local library or book store.

There are many websites on the internet that have wonderful tutorials

http://www.w3schools.com
http://www.tutorialized.com

or you could google for PHP tutorials.

I have been messing with PHP for about 5 years now and still use google or look into books for references when I have problems.

I hope that this could help someone that would like to learn PHP

~John Grissom 3