/
STANDARD
501 lines (354 loc) · 10.2 KB
/
STANDARD
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
$Id$
osCommerce Coding Standards
Coding standards are defined to keep the codebase in a maintainable state.
The more developers working within the codebase means the more ways php
logic can be written.
If every developer follows the standards then everyone is able to review
the codebase and not waste time thinking about why a certain style was
used in a particular area compared to another area.
File Format
-----------
The source code should be saved in Unix format - meaning with Unix
linefeeds.
Most editors are able to set the preferred format method of Windows,
Unix, or Macintosh.
Some editors add a line to the bottom of the file. This is safe to have
as long as a further character (including the space character) does not
exist. Characters that exist at the end of the file may interfer when
redirections occur as text has been sent to the client already.
The filename of the files must be all lowercass characters and contain
no more than 31 characters to be Apple/Mac compatible.
Indentation
-----------
Indentation of logic should be 2 whitespace characters.
TABs should not be used.
Starting and Ending PHP Logic
-----------------------------
When starting PHP logic, the tag should be written as "<?php", not in the
short form of "<?" or in ASP compatible tags such as "<%".
The end tag to mark the end of the PHP logic should be written as "?>".
A valid example:
<?php
echo "Hello World!";
?>
Defining Constants
------------------
Constants must be defined before they are being used - which also includes
constants called from include()'d/require()'d files.
Variable Scope*
--------------
All variables must be accessed and set within their scope as:
$HTTP_GET_VARS['variable']
$HTTP_POST_VARS['variable']
$HTTP_COOKIE_VARS['variable']
$variable (either local, or session)
* This needs to be updated when the codebase has been made compatible with
the register_global parameter. Session variables are then accessed and set
within its scope as:
$HTTP_SESSION_VARS['variable']
When PHP3 support is dropped, the following scope will be used:
$_GET['variable']
$_POST['variable']
$_COOKIE['variable']
$_SESSION['variable']
PHP 4.0.x does not support the above scope which was introduced in PHP 4.1.x.
The following can be used which is not compatible with PHP 3.x:
$_GET =& $HTTP_GET_VARS;
$_POST =& $HTTP_POST_VARS;
$_COOKIE =& $HTTP_COOKIE_VARS;
$_SESSION =& $HTTP_SESSION_VARS;
include() vs require()
----------------------
The use of include() will include the specified file when needed, whereas
the use of require() will always include the specified file regardless if it
is needed or not.
Example:
<?php
require('file.php');
if (condition == true) {
include('file_true.php');
} else {
...
}
?>
Instantiating Classes
---------------------
When instantiating classes into objects, the following style must be used:
<?php
// without class parameters*
$object = new className;
// with class parameters
$object = new className($parameter1);
?>
* PHP3 does not support the following style which includes an empty bracket
set:
<?php
$object = new className();
?>
Displaying Strings
------------------
Strings or values should be displayed as:
<?php
echo 'Hello Mr Mister!';
?>
The following styles should be avoided:
<?php
print $variable;
?>
<?=$variable;?>
Singe-Quotes vs Double-Quotes
-----------------------------
When displaying strings single quote characters should be used.
Double quote characters should be used only when control characters are
needed.
For example:
<?php
echo 'Hello Mr Mister!' . "\n";
?>
Custom Functions
----------------
All custom functions should start with tep_ so that the developer knows
a native PHP function is not being called.*
An example custom function style:
<?php
function tep_my_function($parameter, $optional = '') {
global $HTTP_GET_VARS, $another_variable;
....
return true;
}
?>
* When 2.2 is finalized the custom functions should be renamed to osc_*
as "tep" refers to the previous name of the project.
Class Names
-----------
There are two types of styles to use when classes are used.
The first type of class set are the static classes that can be found in
the includes/classes directory.
If the class name contains more than one word, the words in the filename
are separated with an underscore character. The actual class name is one
whole word where words from the second onwards being capitalized.
For example, a class name of myOwnClass has a filename of
my_own_class.php.
The second type of class set are the dynamic modules that can be found
in the includes/modules/* directories.
The class names must match the filename as most of them are include()'d
dynamicly.
For example, a class filename of my_own_module.php has a class name of
my_own_module.
Class Structure
---------------
The class should be written in the following structure:
<?php
class myclass {
var $variable;
// class constuctor
function myclass() {
....
return true;
}
// class methods
function do_something() {
$this->variable = 'set';
return true;
}
}
$class = new myclass;
$class->do_something();
?>
Database Queries
----------------
Database queries are wrapped around custom functions and should be
structured as:
<?php
// multi-result set
$action_query = tep_db_query("select column1, ...");
while ($action = tep_db_fetch_array($action_query)) {
echo $action['column1'];
}
// single result set
$action_query = tep_db_query("select column1, ...");
$action = tep_db_fetch_array($action_query);
echo $action['column1'];
// return number of rows
$action_query = tep_db_query("select count(*) as total from ...");
$action = tep_db_fetch_array($action_query);
echo $action['total'];
// query with parameters
$action_query = tep_db_query("select column1 from table where field = '" . tep_db_input($some_id) . "'");
while ($action = tep_db_fetch_array($action_query)) {
....
}
?>
Unlike displaying strings, double quote characters are wrapped around the sql query.
The following is currently for the Administration Tool but will also be implemented
in the Catalog module.
Before data can be entered in the database, it must be protected against possible
attacks residing in the user input. The data is first prepared and then protected
when inserting it into the table. The following structure is used:
<?php
$value1 = tep_db_prepare_input($HTTP_POST_VARS['value1']);
tep_db_query("update table set column = '" . tep_db_input($value1) . "' where id = '" . (int)$id . "'");
?>
Variable type casting should be performed directly for integer based values, such
as column IDs: (int)$variable
Multiple values can be parsed, protected and inserted into the table in an easier
fashion:
<?php
$value1 = tep_db_prepare_input($HTTP_POST_VARS['value1']);
$value2 = tep_db_prepare_input($HTTP_POST_VARS['value2']);
$value3 = tep_db_prepare_input($HTTP_POST_VARS['value3']);
$sql_data_array = array('column1' => $value1,
'column2' => $value2,
'column3' => $value3);
tep_db_perform('table', $sql_data_array);
?>
A similar structure can be used for updating values in a table:
<?php
$value1 = tep_db_prepare_input($HTTP_POST_VARS['value1']);
$value2 = tep_db_prepare_input($HTTP_POST_VARS['value2']);
$value3 = tep_db_prepare_input($HTTP_POST_VARS['value3']);
$sql_data_array = array('column1' => $value1,
'column2' => $value2,
'column3' => $value3);
tep_db_perform('table', $sql_data_array, 'update', "id = '" . (int)$id . "'");
?>
Table names should not directly be entered in the query, but the constant
parameter assigned to that table. A list of defined constant table names
can currently be found in includes/database_tables.php.
Function Output
---------------
All custom functions should return strings; not directly via echo().
For example:
<?php
function tep_my_function($string) {
return $string;
}
?>
and not:
<?php
function tep_my_function($string) {
echo $string;
}
?>
Condition Statements
--------------------
If statements should be written as:
<?php
if (condition == true) {
....
} else {
....
}
?>
If the condition is to check for a boolean value, this should be added
to the condition (as above) for clarity.
The following should not be used:
<?php
if (!$condition) {
....
}
?>
instead use the following:
<?php
if ($condition == false) {
....
}
?>
Multiple conditions should reside in their own parenthesis, as:
<?php
if ( (condition == true) && (condition == true) ) {
....
}
?>
Simple boolean expressions can be written as:
<?php
$value = (($condition == true) ? 'true' : 'false');
?>
Simple statements can be written as:
<?php
if ($condition == true) ....
?>
Functions do not need to be checked with a true/false
statement. For the following valid example:
<?php
if (empty($string)) {
...
}
if ( (isset($variable)) && (tep_not_null($string)) ) {
...
}
?>
Switch-Case statements should be written as:
<?php
switch ($value) {
case '1':
....
break;
case '2':
....
break;
default:
....
break;
}
?>
Condition Checking
------------------
To see if a variable exists, use the following structure:
<?php
if (isset($variable)) {
...
}
?>
and not:
<?php
if ($variable) {
...
}
?>
Repetitive Statements
---------------------
while loops should be written as:
<?php
while (condition == true) {
....
}
?>
Walking through an array should be written as:
<?php
// for php3 compatibility
reset($array);
while (list($key, $value) = each($array)) {
....
}
// the php4 way
foreach ($array as $key => $value) {
....
}
?>
for loops should be written as:
<?php
for ($i=0, $n=sizeof($array); $i<$n; $i++) {
....
}
?>
Mixing HTML and PHP
-------------------
Common HTML tags started in HTML must end in HTML, and
tags started in PHP must end in PHP.
Wrong:
<td><?php echo "Hello</td>"; ?>
Correct:
<td><?php echo "Hello"; ?></td>
Correct:
<?php
echo '<td>Hello</td>';
?>
Exceptions to this standard include the tep_draw_form()
function:
<?php
echo tep_draw_form();
?>
[form input fields are placed here]
</form>
?>