playbooks

home / skills / jcastillotx / vibe-skeleton-app / php-best-practices

php-best-practices skill

/setup/skills/php-best-practices

This skill helps you write, review, and refactor PHP code by applying security, performance, and PSR-aligned best practices.

npx playbooks add skill jcastillotx/vibe-skeleton-app --skill php-best-practices

Review the files below or copy the command above to add this skill to your agents.

Files (30)
SKILL.md
2.8 KB
---
name: php-best-practices
description: PHP coding standards and best practices. This skill should be used when writing, reviewing, or refactoring PHP code. Triggers on tasks involving PHP applications, WordPress plugins, Laravel projects, or any PHP-based backend.
trigger_patterns:
  - php
  - composer
  - psr-4
  - namespace
  - wordpress plugin
  - laravel
auto_load_with:
  - wordpress-best-practices
  - laravel-best-practices
  - mysql-best-practices
---

# PHP Best Practices

Comprehensive coding standards for PHP development, optimized for AI agents and LLMs. Contains 24 rules across 8 categories, prioritized by impact.

## When to Apply

Reference these guidelines when:
- Writing PHP application code
- Developing WordPress plugins or themes
- Building Laravel applications
- Implementing security measures
- Optimizing PHP performance
- Following PSR standards

## Rule Categories by Priority

| Priority | Category | Impact | Prefix |
|----------|----------|--------|--------|
| 1 | Security | CRITICAL | `security-` |
| 2 | Error Handling | HIGH | `error-` |
| 3 | Performance | HIGH | `perf-` |
| 4 | Type Safety | MEDIUM-HIGH | `types-` |
| 5 | OOP Patterns | MEDIUM | `oop-` |
| 6 | PSR Standards | MEDIUM | `psr-` |
| 7 | Testing | MEDIUM | `test-` |
| 8 | Modern PHP | LOW-MEDIUM | `modern-` |

## Quick Reference

### 1. Security (CRITICAL)
- `security-input-validation` - Validate with filter_var()
- `security-output-escaping` - Escape based on context
- `security-password-hashing` - Use password_hash()
- `security-csrf-tokens` - Implement CSRF protection
- `security-no-eval` - Never use eval()

### 2. Error Handling (HIGH)
- `error-exception-handling` - Use try-catch properly
- `error-custom-exceptions` - Create domain exceptions
- `error-error-reporting` - Configure error levels
- `error-logging` - Use PSR-3 logging

### 3. Performance (HIGH)
- `perf-opcache-enabled` - Enable OPcache
- `perf-autoloading` - Use Composer autoloader
- `perf-string-interpolation` - Prefer interpolation
- `perf-generators-memory` - Use generators for large data

### 4. Type Safety (MEDIUM-HIGH)
- `types-strict-types` - Declare strict_types=1
- `types-return-types` - Always declare return types
- `types-nullable-types` - Use ?Type for nullable
- `types-union-types` - Use union types

### 5. OOP Patterns (MEDIUM)
- `oop-final-classes` - Prefer final classes
- `oop-interface-segregation` - Small interfaces
- `oop-dependency-injection` - Inject dependencies

### 6. PSR Standards (MEDIUM)
- `psr-coding-style` - Follow PSR-12
- `psr-autoloading` - Use PSR-4
- `psr-http-messages` - Use PSR-7

### 7. Modern PHP (LOW-MEDIUM)
- `modern-constructor-promotion` - Use property promotion

## How to Use

Read individual rule files for detailed explanations and code examples.

## Full Compiled Document

For the complete guide with all rules expanded: `AGENTS.md`

Overview

This skill codifies PHP coding standards and best practices for writing, reviewing, and refactoring PHP code. It prioritizes security, error handling, and performance while covering type safety, OOP patterns, PSR standards, testing, and modern PHP features. Use it as a checklist to raise code quality across applications, WordPress plugins, and Laravel projects.

How this skill works

The skill inspects PHP tasks and recommends targeted rules based on priority categories such as security (critical), error handling, and performance. It maps common issues to concise rules (prefixed for clarity) and suggests concrete fixes like input validation, password hashing, OPcache usage, and strict typing. Results include actionable guidance you can apply immediately during development or code review.

When to use it

  • Writing new PHP application code or modules
  • Reviewing or refactoring existing PHP codebases
  • Developing WordPress plugins, themes, or Laravel packages
  • Implementing security hardening or performance tuning
  • Preparing code for CI, testing, or deployment

Best practices

  • Treat security rules as highest priority: validate inputs, escape outputs, avoid eval, and use password_hash()
  • Use structured error handling: catch exceptions, define domain exceptions, and configure error reporting
  • Optimize performance: enable OPcache, leverage Composer autoloading, and use generators for large data
  • Enforce type safety: declare strict_types, explicit return types, and use nullable/union types where appropriate
  • Follow PSR standards: PSR-12 for style, PSR-4 for autoloading, and PSR-7 for HTTP messages
  • Prefer modern OOP: dependency injection, small interfaces, final classes, and constructor property promotion

Example use cases

  • Audit a Laravel controller to add input validation, typed return signatures, and PSR-compliant logging
  • Refactor a WordPress plugin to remove direct database queries, add prepared statements, and escape outputs
  • Convert legacy scripts to use Composer autoloading, enable OPcache, and introduce strict_types for safety
  • Add domain-specific exceptions and centralized error logging to improve observability
  • Apply generator-based streaming to memory-heavy imports to reduce peak memory usage

FAQ

Which rules are most critical?

Security rules are critical: validate and sanitize inputs, escape outputs by context, avoid eval, and use strong password hashing.

How do I adopt these guidelines incrementally?

Start by enforcing security and error-handling rules, then add type declarations and PSR compliance. Tackle performance and modern PHP changes in smaller refactor iterations.