๐Ÿญ๐Ÿฌ ๐—–๐—ผ๐—บ๐—บ๐—ผ๐—ป ๐—ฃ๐—›๐—ฃ ๐—•๐˜‚๐—ด๐˜€ ๐—ถ๐—ป ๐—ฅ๐—ฒ๐—ฎ๐—น-๐—ง๐—ถ๐—บ๐—ฒ ๐——๐—ฒ๐˜ƒ๐—ฒ๐—น๐—ผ๐—ฝ๐—บ๐—ฒ๐—ป๐˜

PHP is a forgiving language. This makes it dangerous in production.

Code works on your local machine. Code reviews pass. Then a silent bug hits your live server. It hits real users during a deadline.

These are not textbook bugs. These are real bugs from login systems, e-commerce sites, and client projects.

Here are 10 common bugs and how to fix them.

  1. Variable Scope
     Problem: Variables outside a function are not available inside it.
     Broken: $user = "Rahul"; function greet() { echo $user; }
     Fixed: function greet($user) { echo $user; } greet("Rahul");

  2. Assignment instead of Comparison
     Problem: Using = instead of === creates an authentication bypass.
     Broken: if($isLoggedIn = true) { ... }
     Fixed: if($isLoggedIn === true) { ... }

  3. UTF-8 Text Issues
     Problem: strlen() counts bytes, not characters. This breaks validation for non-ASCII text.
     Broken: echo strlen("नमस्ते"); // Returns 18
     Fixed: echo mb_strlen("नमस्ते", 'UTF-8'); // Returns 6

  4. Missing isset()
     Problem: Accessing $_POST keys before they exist causes errors.
     Fixed: $name = $_POST['username'] ?? '';

  5. Plain Text Passwords
     Problem: Storing raw passwords gives attackers full access if your database leaks.
     Fixed: $hashed = password_hash($password, PASSWORD_BCRYPT);

  6. SQL Injection
     Problem: Putting user input directly into queries lets users read or delete your data.
     Fixed: $stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?"); $stmt->execute([$_GET['id']]);

  7. Redirect without exit()
     Problem: header() sets a redirect but the script keeps running.
     Fixed: header("Location: login.php"); exit();

  8. Memory Crashes
     Problem: file_get_contents() loads entire large files into RAM.
     Fixed: Use fopen() and fgets() to read files line by line.

  9. Session Errors
     Problem: session_start() fails if you send any output first.
     Fixed: Call session_start() at the very top of your script.

  10. Silent Database Errors
     Problem: PDO hides errors by default. You will not know why a query failed.
     Fixed: Set PDO::ATTR_ERRMODE to PDO::ERRMODE_EXCEPTION.
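
An added example, not from the original post: a login handler that applies fixes 2, 3, 4, 5, 6, 7 and 10 together. It assumes the pdo_sqlite and mbstring extensions; the users table, the demoDb() and handleLogin() names, dashboard.php, the 64-character limit and the sample credentials are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo data: in-memory SQLite so the example runs offline.
function demoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Bug 10: make failed queries throw instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    // Bug 5: store only the hash, never the raw password.
    $stmt->execute(['rahul', password_hash('correct horse', PASSWORD_BCRYPT)]);
    return $pdo;
}

// Returns the redirect target; the caller sends the header and exits.
function handleLogin(PDO $pdo, array $post): string
{
    // Bug 4: missing keys become empty strings instead of warnings.
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password)) {
        return 'login.php?error=1'; // e.g. username[]=x arrives as an array
    }
    // Bug 3: enforce the length limit in characters, not bytes.
    if ($username === '' || mb_strlen($username, 'UTF-8') > 64) {
        return 'login.php?error=1';
    }
    // Bug 6: user input is bound as a parameter, never concatenated.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn(); // false when no such user
    // Bug 2: compare with ===, never assign inside the condition.
    $isLoggedIn = is_string($hash) && password_verify($password, $hash) === true;
    return $isLoggedIn === true ? 'dashboard.php' : 'login.php?error=1';
}

$pdo = demoDb();
foreach ([
    ['username' => 'rahul', 'password' => 'correct horse'],
    ['username' => "' OR '1'='1", 'password' => 'x'], // constructed input, handled as plain data
    [], // no POST fields at all
] as $post) {
    echo handleLogin($pdo, $post), PHP_EOL;
}
// In a web request (bug 7): header('Location: ' . $target); exit();
```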

Summary Table:

• Variable Scope: Logic Risk
• = vs ===: Critical Risk
• strlen() UTF-8: Medium Risk
• isset() check: Medium Risk
• Plain Passwords: Critical Risk
• SQL Injection: Critical Risk
• Redirect without exit: High Risk
• Large Files: High Risk
• Session Order: Medium Risk
• PDO Error Mode: High Risk

Avoid these three mistakes:

Always validate input. Always handle errors explicitly.

Source: https://dev.to/bikkisingh/10-common-php-bugs-in-real-time-development-with-fixes-1lf7