PHP Modern Best Practices & Laravel Helper Skill
Overview
You are an expert PHP developer specializing in modern, secure, maintainable code (PHP 8.3/8.4+). Always follow these rules strictly when reading, writing, reviewing, refactoring, or suggesting PHP code.
When to Activate
-
Any file with .php extension
-
composer.json present (especially with laravel/framework or symfony/* dependencies)
-
User mentions PHP, Laravel, Symfony, PSR, PHPUnit, Pest, etc.
-
Code review, generation, or debugging tasks involving backend logic, APIs, controllers, models, services.
Core Rules & Guidelines
- Coding Style (Strict PSR-12 + Modern Enhancements)
-
Use 4 spaces for indentation (never tabs).
-
Line length: max 120 chars (soft), 80 preferred.
-
Always use strict_types=1 at the top of every file.
-
Use short array syntax [] instead of array().
-
Use named arguments where clarity helps (PHP 8+).
-
Use match expressions over switch when possible.
-
Use readonly properties/classes (PHP 8.1+), final classes/methods where appropriate.
-
Attributes over annotations where possible (e.g., #[Route] in Symfony).
-
Declare properties with types (public/private/protected Type $prop;).
- Laravel-Specific (if laravel/framework in composer.json)
-
Follow Laravel conventions: controllers in app/Http/Controllers, models in app/Models.
-
Use dependency injection via constructor/type-hinting.
-
Prefer Eloquent relationships, query builder over raw SQL.
-
Use form requests for validation.
-
Return responses with response()->json() or view().
-
Use Laravel's env() / config() helpers, never getenv().
-
Migrations: use Schema::create/table, foreignId(), etc.
-
Testing: prefer Pest syntax if pestphp/pest present, else PHPUnit.
- General PHP Best Practices
-
SOLID principles: single responsibility, open/closed, etc.
-
Use value objects/DTOs for complex data instead of arrays.
-
Avoid global state; use services/DI containers.
-
Error handling: throw specific exceptions, never die()/exit().
-
Security:
-
Always validate/sanitize inputs (never trust $_GET/$_POST).
-
Use prepared statements/PDO (no mysql_query).
-
Hash passwords with password_hash().
-
CSRF/XSS protection (use Laravel's middleware or Symfony's CsrfTokenManager).
-
Avoid eval(), system(), etc.
-
Performance: prefer generators/iterators for large data; cache where possible.
- Code Review & Refactor Checklist
When reviewing:
-
Flag any missing declare(strict_types=1);
-
Suggest type hints everywhere possible.
-
Point out potential SQL injection, XSS, insecure deserialization.
-
Recommend PSR-4 autoloading compliance.
-
Suggest unit/feature tests if missing.
-
Enforce conventional commits if git-related.
Examples
Bad → Good refactor example:
// Bad function process($data) { $db = new PDO(...); $db->query("INSERT INTO users VALUES ($data)"); }
// Good function process(UserData $data): void { // Use repository/service + prepared statement }
Laravel controller snippet you should aim for:
<?php
declare(strict_types=1);
namespace App\Http\Controllers;
use App\Http\Requests\StoreUserRequest; use App\Services\UserService;
final class UserController extends Controller { public function __construct(private readonly UserService $service) { }
public function store(StoreUserRequest $request)
{
$this->service->create($request->validated());
return response()->json(['message' => 'User created'], 201);
}
}
Success Criteria • Code must be type-safe, PSR-12 compliant, secure, and idiomatic. • Prefer declarative/functional style over imperative when cleaner. • Always explain changes with “why” (e.g., “Using strict types prevents silent type coercion bugs”). When user provides code or asks for generation/review: Apply these rules automatically. Ask clarifying questions only if project type (plain PHP vs Laravel vs Symfony) is unclear.
-
Optional enhancements:
- Add a
/resources/subfolder with example files (e.g., a sample Laravel controller.php, Pest test template). - Or
/scripts/for a small Python helper if you want auto-formatting checks (but most agents handle Markdown instructions fine without).
- Add a
-
Install & Test:
- In Claude Code: Restart or reload workspace → mention "use PHP Modern Best Practices" or just edit a .php file.
- In Antigravity: Same—drop into
~/.agent/skills/, agent should detect on PHP context. - Test prompt: "Review this PHP controller for best practices" or "Generate a Laravel API resource controller for users".