this post was submitted on 20 Feb 2026
42 points (93.8% liked)


Decided to bite the bullet and learn PHP, which is used for nearly everything at my job. My starting voyage was to mess around with "pure php", as in, no frameworks, no libraries, not even javascript, just the basic server with v8.3 running and some (currently very shitty) CSS styling.

So, I decided to go with a 2 step process: first, a site for me to post my stuff, with the possibility for external users to make accounts and leave comments. Step 2 would be making a forum where said users can interact. Before I began coding anything, I wrote down the database specification, though it's still "open for debate". I also didn't pay attention and made all tables as MyISAM initially instead of InnoDB, which made me lose all foreign keys, thankfully easily remedied given the small size of the project.

Thus far, I've got the user creation, listing, login (with hashed password), post creation and post viewing working. Visitors, normal users and admin see different links and forms, depending on pages, all with inline php code in appropriate pages - for instance, (unlogged) visitors don't see a comment box when reading a post. I'm currently working on the user edit page.

Anyway, why do I think I'm doing a lot of "wrongs"? For starters, I'm not using classes. At all. Functions are being added "globally" to one of 3 include somepage.php; that are in every page; every database related function - select all, select 1, update, are all in the db.php file. So, every page load is also loading the entire list of database functions, plus a bunch of html-automation related functions, even when none of them are used. Since PDO::fetch() returns an array with mapped keys (ie: $result['column1']), I feel like I have "no good reason" to use classes, especially as I'm still putting some finishing touches on the tables. I mean, I can access the relevant data with $bla['column_name'];, which is all I need thus far.

A lot of the resulting html comes from echo, some of it from functions to handle it more easily, like passing an array so a "global" function of mine returns it as neatly organized <td> elements.

There is no MVC, just good ol' <a href> and <form method=post> where they need to be. All my forms' actions call a separate php page that's just code to handle the form, always as POST, in order to check blank fields, size and character constraint, etc.

I've no doubt that, as is, my project has a number of security holes, though cross-site scripting and session poisoning are not among them. I did try sql injection and couldn't get it to work, so good on me.

As awful as this project might be against "the real world" use, I feel weirdly proud of what I'm achieving. Is there a name for this feeling, of pride for something you know is subpar?

top 24 comments
[–] MonkderVierte@lemmy.zip 2 points 7 hours ago (1 children)

Is there something similar to Affenformular in English?

[–] ICastFist@programming.dev 2 points 5 hours ago

"Monkey form"? Now that's new. The idea of the entire validation being the same page that renders the form is interesting, I might try that with some pages

[–] PokerChips@programming.dev 9 points 14 hours ago

You're doing fine. I built a couple social media type sites in raw PHP over 15 years ago. They never went anywhere but they did help get my foot in the door at a couple dev shops back in the day.

Years later I rewrote them in codeigniter. So that's about all the advice I can give because I'm certain that my sites had security holes in them too.

Reading your experience took me down memory lane. Thanks for the throwback.

[–] atzanteol@sh.itjust.works 17 points 16 hours ago (1 children)

Ahhh, self doubt, my old friend...

"There is probably a better way" is a fairly common feeling. In fact there probably is a better way. But at some point you need to be pragmatic and be happy with "good enough". Don't let perfect be the enemy of good (enough) as they say...

That said - follow your intuitions as well that things could be done better. Don't be afraid to just re-write a bunch of things to see if an idea works better. Like grouping things from some "common.php" into domain specific functionality (dates.php, db.php, etc.). Or re-working how your front-end works. Maybe read other code or ask for code review from people more experienced, or even from an AI (yes, yes, I know, but they can be useful).

One problem you can find yourself in is that you've created code that's very difficult to understand, but since you're "in it" right now you understand it completely. If you put the code down for a week or two and come back to it you may find it very difficult to re-learn. If using classes, creating a DAO layer, or some other pattern helps to make your code easier to read then it's worth following.

[–] ICastFist@programming.dev 1 points 8 hours ago

Yeah, I'm currently kinda afraid to put it down and come back after 1+ week for fear of having no fucking clue what the fuck I was thinking. Won't be the first time, nor the last.

It's kinda fun, despite some errors leaving me grunting a lot and taking my sweet time to actually fix, mostly related to PDO or SQL shenanigans. Took me over an hour to get a working select * from some_table order by ? Offset ? Limit ?; execute statement. Turns out I had to put the offset and limit variables as parts of the prepared statement's string, otherwise they'd be stringified or something - select * from some_table order by ? Offset '.$offset.' Limit '.$limit.';
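An added example, not code from the thread: with pdo_mysql's default emulated prepares, values passed through `execute([...])` are sent as quoted strings, which `LIMIT`/`OFFSET` reject, and a bound `ORDER BY ?` sorts by a constant string rather than a column. Binding the numbers with `PDO::PARAM_INT` and choosing the sort column from an allowlist keeps user input out of the SQL text. The `posts` table, its columns and `fetchPage()` are assumptions, and in-memory SQLite is used only so the block runs offline.

```php
<?php
declare(strict_types=1);

/**
 * Page through a table with a caller-chosen sort column.
 * Identifiers cannot be bound, so the column comes from an allowlist;
 * LIMIT/OFFSET are bound as integers instead of being concatenated.
 */
function fetchPage(PDO $pdo, string $sort, int $page, int $perPage = 2): array
{
    // Hypothetical columns of the constructed "posts" table below.
    $sortable = ['id' => 'id', 'title' => 'title', 'created' => 'created_at'];
    $column   = $sortable[$sort] ?? 'id';       // unknown input falls back to id
    $perPage  = max(1, min($perPage, 100));     // clamp the page size
    $offset   = (max(1, $page) - 1) * $perPage;

    // Only the allowlisted literal is interpolated into the statement text.
    $stmt = $pdo->prepare(
        "SELECT id, title FROM posts ORDER BY $column LIMIT :limit OFFSET :offset"
    );
    // PARAM_INT keeps the values numeric; execute([...]) would send strings.
    $stmt->bindValue(':limit', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (assumes the pdo_sqlite extension is loaded).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, created_at TEXT)');

$insert = $pdo->prepare('INSERT INTO posts (title, created_at) VALUES (?, ?)');
$rows = [['cherry', '2026-01-03'], ['apple', '2026-01-01'], ['banana', '2026-01-02']];
foreach ($rows as $row) {
    $insert->execute($row);
}

// A normal request, then one whose sort value is not a known column.
print_r(fetchPage($pdo, 'title', 1));
print_r(fetchPage($pdo, 'title; DROP TABLE posts', 2));
```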

[–] tyler@programming.dev 10 points 15 hours ago

As awful as this project might be against “the real world” use, I feel weirdly proud of what I’m achieving. Is there a name for this feeling, of pride for something you know is subpar?

that's called being human my dude. people love building things, no matter how shit they are. The first step to accomplishing something big is accomplishing something small (or shit!). A great example of this is the Queen of Shitty Robots

[–] hperrin@lemmy.ca 18 points 18 hours ago (1 children)

Be really careful with this.

You might accidentally develop your own framework that you end up working on for 17 years, pulling out the best part, and rewriting it in Node.js.

Jk jk. Congrats, and I hope you love it. :) PHP is a really good language.

[–] ICastFist@programming.dev 3 points 8 hours ago

Too late, I'm already rewriting everything in a docker kubernetes rancher node.js container

[–] rimu@piefed.social 9 points 16 hours ago

That's the beauty (and horror) of PHP!

Fun for small stuff, good for learning. Unpretentious. Dead simple to deploy.

[–] PodPerson@lemmy.zip 10 points 19 hours ago

I think that feeling (at least in coding) is the satisfaction of learning. I’m definitely a learn by mistakes kind of learner and the fact that you’re chugging along, getting familiar with the language and its quirks, and have a sense that there’s a better way right around the corner, it seems like the right path to me. I feel like all of it becomes a bit less enjoyable when you eventually learn the “proper” way and don’t allow yourself to do things any other way.

[–] luciole@beehaw.org 3 points 18 hours ago (1 children)

You'd have a problem if you felt like you made something perfect. You can improve those "wrongs" in any order but getting something up and working first and foremost is a very sane way to get some practice in.

[–] MonkderVierte@lemmy.zip 1 points 7 hours ago

You'd have a problem if you felt like you made something perfect.

Or you've made something perfect. But only with confidence, after years of experience. And usually a small snippet, large code is always imperfect.

[–] thebardingreen@lemmy.starlightkel.xyz 3 points 18 hours ago* (last edited 18 hours ago) (2 children)

On the one hand, you do have good reasons to use classes.

  1. Interacting with your database.
  2. Sanitizing your inputs.
  3. Building pages from templates.

Rather than piecemeal loading all these functions from every page where a bunch of them aren't being used, you can create three classes.

  1. has all your database interactions in it and then you can treat all database interactions as an object. My queries are usually all executed with $Data->runQuery();

  2. Since you're working in raw PHP with no frameworks or libraries, you NEED to validate every input users send, or bots are going to spam the shit out of your database. The way you have things now, you're probably either calling some function(s) on every form submit (every time $_SERVER['REQUEST_METHOD'] === 'POST') OR you're just not doing it. When working in raw PHP, I always write a Validator class which sits in between every $_GET and $_POST and makes damn sure whatever is coming in meets a set of criteria that I expect. I'm happy to go into the architecture of this with you if that would be helpful.

  3. I'm assuming you might have something for each page like

include('header.php');

include('footer.php');

Instead, I like to write a page builder class that constructs my pages dynamically based on routing. So then any given page becomes an instance of $Page and you populate it with various methods (like $Page->renderForm('form');) You can also then base the routing logic on your form submissions.

On the other hand... it's probably fine at this stage to just not use classes and if it works, why fix it?

You probably feel like you don't have a need for classes because you're just not comfortable working with them yet, and need more experience thinking through architecture. This is fine. This is normal. This is exactly where you should be, given what you say about your experience level.

SQL injection probably didn't work because PDO protects you from that to some extent. Doesn't mean you shouldn't account for it in your input processing.

Most of my HTML comes from echo.

Good, it should. I effing HATE reading through code where people are tagging in and out of PHP all the time. It looks so ugly. That's not a standard best practice, just MY personal practice. IMHO, for HUMAN readability purposes, HTML should either be in echos or template files.

I fricken hate this: <a> <bunch> <of> <html> <php? run_some_php('here'); />

Don't effing make me read that. I co-run an independent coding shop and whenever we work in PHP, I tell people please not to do that.
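An added example of the Validator idea in point 2 above; it is not the commenter's code, and the class layout, rule format and field names are assumptions. It shows two things such a gate catches that per-field length checks often miss: a parameter arriving as an array instead of a string, and an extra field the form never had.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical Validator: sits between the raw request array and the rest
 * of the code. Only fields that have a rule and pass it come out.
 */
final class Validator
{
    private array $clean = [];
    private array $errors = [];

    /** @param array<string, callable(string): bool> $rules field => check */
    public function __construct(array $input, array $rules)
    {
        foreach ($rules as $field => $check) {
            $value = $input[$field] ?? null;
            // PHP turns "comment[]=x" into an array; reject anything non-string.
            if (!is_string($value)) {
                $this->errors[$field] = 'missing or not a string';
                continue;
            }
            $value = trim($value);
            if ($check($value)) {
                $this->clean[$field] = $value;
            } else {
                $this->errors[$field] = 'failed validation';
            }
        }
        // Keys in $input without a rule are never copied into $clean.
    }

    public function ok(): bool { return $this->errors === []; }
    public function errors(): array { return $this->errors; }
    public function get(string $field): ?string { return $this->clean[$field] ?? null; }
}

// Constructed request body standing in for $_POST.
$post = ['username' => ' alice_01 ', 'comment' => ['x'], 'is_admin' => '1'];

$v = new Validator($post, [
    'username' => fn(string $s) => preg_match('/\A[a-z0-9_]{3,20}\z/', $s) === 1,
    'comment'  => fn(string $s) => $s !== '' && strlen($s) <= 2000,
]);

var_dump($v->ok());              // overall verdict for this request
print_r($v->errors());           // which fields were rejected and why
var_dump($v->get('username'));   // trimmed, validated value
var_dump($v->get('is_admin'));   // field without a rule never gets through
```

Validation of this kind decides what is accepted; values still need binding in SQL and `htmlspecialchars()` when echoed into HTML.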

[–] luciole@beehaw.org 3 points 18 hours ago (1 children)

A template is literally an HTML file with some PHP tags sprinkled to feed in the data. Echoing large swaths of HTML is weird. And PHP tag syntax is actually <?php hello(); ?>.

[–] thebardingreen@lemmy.starlightkel.xyz 2 points 17 hours ago (1 children)

I don't like reading it captain pedantic. Deal with it. :)

[–] luciole@beehaw.org 1 points 8 hours ago

Aw man, I feel for your colleagues. If you're the boss you're the boss I guess. I gotta say though, imho being pedantic comes with the territory when you hang out with a code interpreter all day. It's just a question of getting things done.

[–] PokerChips@programming.dev 1 points 14 hours ago (2 children)

Question. Do you echo 50 lines of html where only a few instances of php are needed? That seems like madness.

[–] ICastFist@programming.dev 1 points 8 hours ago

1 echo with 100 lines of html and a bunch of "value: " . $somevar . " ;"

[–] thebardingreen@lemmy.starlightkel.xyz 1 points 12 hours ago* (last edited 12 hours ago)

Very rarely, but probably only in situations where you would too. No, usually I put my HTML in HTML files. They're usually building blocks... page components, not a full page. I regulate the page flow in PHP, and I don't like it cluttered up with tons of HTML, inside or outside of echos. I have been known to do stuff like this though:

echo "".$Page->pagecomponents['contents_of_some_html_file']."";

If I go and look at $Page, it will show that $this->pagecomponents is set by reading my template files in so I can grab HTML structures dynamically. If the contents of pagecomponents['component'] are set dynamically (they usually are), there won't be some ugly <php ?> tag in the HTML file, but my $Page class will handle populating it somehow. The architecture I usually use is $Validator is instantiated for a page load, then $Data, so whatever user activity $Validator has detected and cleaned up tells $Data what to do with the data backend (which is usually a combination of Maria and Redis) then $Data gets fed into $Page which figures out what page to build, looks at all my HTML building blocks and figures out how to put them together and populate whatever it needs to. So it will usually be something like (very simplistically)

$Validator = new Validator($_GET, $_POST);

$Data = new Data($Validator);

$Page = new Page($Data);

renderPage($Page->Page);

[–] entwine@programming.dev 2 points 18 hours ago (1 children)

It has been a very long time since I've worked with PHP, so I can't help you with specific runtime stuff, like what the cost of module imports is.

But not using classes is a perfectly valid approach. The only issue is ofc that you need to hardcode column names, but it sounds like that's at a manageable place for you right now.

Organizing things into classes makes things easier once the operations you're doing on data get more complex. There are no good rules for this, you kinda have to develop a feel for it on your own as you gain experience.

For the specific case of SQL results, you'll typically be better off using what's known as an ORM library. Here's a random one I found on GH as an example. But for your small project, what you're doing right now is fine.

As awful as this project might be against “the real world” use

All those patterns and frameworks and things people use are meant to make a codebase more manageable or flexible. ORMs are a good example: they have a lot of benefits, but they are by no means required.

With that said, your zero guardrails approach is likely to end up an unmaintainable spaghetti mess as you add more and more features. There is a point at which you really should sit down and learn about those more advanced techniques and practices. They actually do have value, especially if you ever want to build something bigger than what you have now.

I feel weirdly proud of what I’m achieving. Is there a name for this feeling, of pride for something you know is subpar?

You should feel proud. You accomplished something 99% of the population hasn't. You leveled up. You're a real motherfucking software engineer. You've used your brain in ways those AI slop coders never will. There is no "subpar". When you break your 1RM record at the gym, is it "subpar" just because the guy next to you can do twice the weight?

Fuck no, because you're fighting your fights, he's fighting his. All that matters is that you're winning.

And you are winning.

You're a winner.

You're my winner.

I love you.

[–] MalMen@monero.town 3 points 16 hours ago

Reading your post just made me remember my php journey 20 years ago... I miss those days but I can't imagine myself not using some framework nowadays... I used to build the wheel every time I started a project

[–] SneakyWeasel@lemmy.ca 2 points 19 hours ago (1 children)

This sounds really close to what I had to do in school for php. I had to make everything without objects at first. Then the teacher said halfway through to make everything into objects.

[–] ICastFist@programming.dev 2 points 19 hours ago (1 children)
[–] SneakyWeasel@lemmy.ca 3 points 19 hours ago

It was worth it in the end for sure, but the whole time I wanted it to be objects and classes from the get go. The website I was making was a twitter look-alike. I think it was called twatter or something