We have already developed a number of web-based applications, and most of them are Drupal oriented. Although we have enormous support from rich contributed modules that satisfy different business logic, we often need to build custom modules to cover the whole process flow.

While developing these custom modules, we should keep to the following coding practices, which help reduce bugs and vulnerable situations:

(I'm starting from the very beginning.)

Practice #1:
Try to use single-quoted strings for most cases. If we use double-quoted strings with variables, the Zend Engine takes additional time to parse the string to separate variables from other characters. Using single quotes reduces the processing time.

$single_quote = 'single-quote';
echo 'Always use ' . $single_quote . '.'; // preferred: nothing inside the string has to be parsed

echo "Always use $single_quote."; // the engine has to scan this string for variables

Practice #2:
Use single quotes around array indexes.

$array['index']

$array["index"], $array[index] (the second form is technically incorrect: an unquoted index is read as a constant)

Practice #3:
Use '_' as the word separator in array indexes.

$array['good_index']

$array["bad-index"] (it generates warnings)

Practice #4:
If we have any doubt about a variable, array element or object property, always use isset(). In any case it is good practice to check a variable before using it.

Practice #5:
For any use of arrays or objects, for example iterating over an array with a foreach loop, please add an IF condition to check that the array or object is set and not empty. To check whether an array or object has any element or property I always prefer count(), because it is safer than using the empty() function.

For example, if (isset($check_this_array) && count($check_this_array) > 0) { /* your loop */ } is better than if (isset($check_this_array) && !empty($check_this_array)) { /* your loop */ }

Practice #6:
We should not call a function inside a loop declaration, because it runs again on every iteration.

$total_photo = count($photo_list); // count once, before the loop
for ($index = 0; $index < $total_photo; $index++) {}

for ($index = 0; $index < count($photo_list); $index++) {} // count() is called on every iteration

Practice #7:
Please type cast where it is required. For an integer variable, for example, I prefer settype($my_variable, 'integer').

Practice #8:
Please initialize any variable or array before using it. It is safer.

Practice #9:
We should always use <?php ?> and avoid <? ?>, because the long form is safe for all existing and future versions of PHP.

Practice #10:
It's better to use indentation and white space in our code.

Practice #11:
It is good practice to use a ; (semicolon) after each statement.

Practice #12:
Function names and variable names should be meaningful.

Practice #13:
It's better to write each statement on a single line.

Practice #14:
If a function has a default return value, then it's better to return the value early.

For example: 

function returnTheDefaultValueFirst($return_value = null) {
  // Handle the default case first, so the rest of the function does not
  // need to be wrapped in an else block.
  if (is_null($return_value)) {
    return null;
  }
  // do something with $return_value;
  // then return the result.
}

Practice #15:
If a function takes some form values and uses them in database transactions like insert/update/delete/select, then it is safe to use mysql_real_escape_string before executing any query. This matters especially when we build custom modules.
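An added example, not code from the original post, of one form value handled the way Practice #15 describes and then with a bound placeholder so the database layer does the quoting itself. The table and column names, and the hypothetical function names, are assumptions.

```php
<?php
// Constructed sample input, as it might arrive in $_POST['username'].
// The apostrophe is enough to break a query that simply concatenates it.
$form_value = "o'brien";

// Practice #15 as written: escape the value before concatenating it.
// mysql_real_escape_string() needs an open mysql link; the mysql_*
// functions were removed in PHP 7, so this is the legacy (Drupal 6 era) style.
function build_user_query_escaped($link, $username) {
  $safe = mysql_real_escape_string($username, $link);
  return "SELECT uid FROM users WHERE name = '" . $safe . "'";
  // With $form_value the string literal becomes 'o\'brien', which MySQL
  // reads as the value o'brien rather than as the end of the literal.
}

// Preferred in Drupal 7 custom modules: a named placeholder in db_query(),
// so the value is bound and never parsed as part of the SQL text.
function load_uid_by_name($username) {
  $result = db_query('SELECT uid FROM {users} WHERE name = :name',
    array(':name' => $username));
  return $result->fetchField();
}

// The same idea with plain PDO, for code outside Drupal.
function load_uid_by_name_pdo(PDO $pdo, $username) {
  $stmt = $pdo->prepare('SELECT uid FROM users WHERE name = :name');
  $stmt->execute(array(':name' => $username));
  return $stmt->fetchColumn();
}

// For comparison, the form Practice #15 warns against: the quote inside
// $form_value closes the SQL string literal, and whatever follows it is
// executed as SQL instead of being compared as data.
function build_user_query_unsafe($username) {
  return "SELECT uid FROM users WHERE name = '" . $username . "'";
}
```

The bound-placeholder versions are the ones to reach for in new module code; the escaping version is shown only to match the post's advice for legacy code.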

Practice #16:
Oh, and code comments. That one is obvious.

I know the above is not enough for this topic; soon I'll add some more.




Drupal coding standards:

JavaScript coding standards for Drupal

CSS coding standards for Drupal

