  1. #1 ceefour (SitePoint Zealot; Bandung, Indonesia; joined Feb 2005; 138 posts)

    PHP Application Development Part One

    http://www.devshed.com/index2.php?op...ge=0&hide_js=1

    "The first practice we will discuss covers directory structure and security along with filesystem naming conventions for PHP applications. After that, we will cover some coding conventions such as function and variable naming, indentation, and more. Lastly we will review basic coding considerations to provide flexibility, scalability, and efficiency. Before beginning, let it be understood that some of the conventions advocated in this article could be considered a matter of preference and are by no means the single correct solution, however they are time tested and have proven effective time and again in application development."

    Articles like this are definitely must-reads for all PHP developers. Most useful if you're still beginning, but even experienced PHP developers can miss a few of the points described there. Of course it's far from being a complete list of best practices, as you can't describe "best practices" without making someone disagree.

    Anyways I gave a print-friendly version as I hate browsing through multiple pages of an article. And the print-friendly version is also save-as-friendly. ;-)

    You can find my other favorite PHP resources here:
    http://www.furl.net/members/ceefour/PHP

    Also you can visit my site:
    http://dev.gauldong.net/

  2. #2 djdykes (SitePoint Evangelist; Chester, Cheshire; joined Feb 2005; 565 posts)

    http://cssbasics.com/

    Is a pretty cool resource I've found too... seeing as though I knew nothing of CSS

  3. #3 ceefour (SitePoint Zealot; Bandung, Indonesia; joined Feb 2005; 138 posts)

    >http://www.php-for-beginners.co.uk
    PHP Tutorials for beginners written by a beginner.
    --
    eh? Can't help but think this would be the best way to get into the minds of "beginners", but also can't help but think negatively at first......

  4. #4 ceefour (SitePoint Zealot; Bandung, Indonesia; joined Feb 2005; 138 posts)

    Quote Originally Posted by djdykes
    Yup! Exactly as I thought.

    GREAT WORK! But there are some (IMHO major) flaws that I actually had expected to discover on a "by-beginner" site. Anyway to me you don't look like one, but you need to reflect that first on your tutorial.

    I posted the following comments on your site:
    --
    Duh! I've guessed, and looks like I wasn't that incorrect.

    Please use the $_GET variable as opposed to relying on register_globals. Actually you'd want to wrap the $_GET things into a function which detects get_magic_quotes_gpc() and stripslash accordingly.

    This may be too complex at start but it's REALLY something that should be done at start. *TONS* of scripts are broken and leave gaping security hole because of this.

    You would explain first the "easy" way (by using $_GET, *NOT* by using automatic register globals). Then explain that there are some bad things in the world, namely magic_quotes_gpc and other magic_quotes stuff, and we should handle that accordingly because we can't be sure what kind of PHP configuration we have. And in order to make that more flexible we'd want to put it inside a function rather than doing manual processing every time.

    Very good effort. Sorry I had to give a 1.0 rating because of this. I hate it.
    --
    (at http://www.php-for-beginners.co.uk/page/28 )

  5. #5 ceefour (SitePoint Zealot; Bandung, Indonesia; joined Feb 2005; 138 posts)

    djdykes, I've added your site on my Furl bookmarks page:
    http://www.furl.net/members/ceefour/PHP

    You might consider adding that URL to your site's links as it contains several useful links with comments, and you can bet it's almost always updated.... almost like technorati or del.icio.us php tag, but this is handpicked by me ;-)

  6. #6 djdykes (SitePoint Evangelist; Chester, Cheshire; joined Feb 2005; 565 posts)

    Well that is my personal site in my signature but any publicity is good publicity right?

    Thanks for the feedback, I will add your link.
    The thing about these tutorials is they were basically written to help me understand PHP more than anything, and they have. They are written from an absolute beginner's point of view, so if the content is outdated or insecure I appreciate being let know, and I'll update the tutorials accordingly... so thank you.
    You make a good point in saying security should be essential to all beginners, which is why I have on my to-do list a tutorial on ways to prevent attacks... along with regexps, more array stuff etc etc...

    so thanks for the feedback.

    James

  7. #7 SitePoint Wizard (USA; joined Dec 2004; 1,407 posts)

    great stuff - thanks!

  8. #8 WebDevGuy (SitePoint Wizard; USA; joined Dec 2004; 1,407 posts)

    ceefour - you said:
    "Please use the $_GET variable as opposed to relying on register_globals. Actually you'd want to wrap the $_GET things into a function which detects get_magic_quotes_gpc() and stripslash accordingly.

    This may be too complex at start but it's REALLY something that should be done at start. *TONS* of scripts are broken and leave gaping security hole because of this."

    Is this what you meant:

    if (!get_magic_quotes_gpc())
    {
        $input = addslashes($input);
    }
    Last edited by WebDevGuy; Mar 3, 2005 at 09:03.

  9. #9 ceefour (SitePoint Zealot; Bandung, Indonesia; joined Feb 2005; 138 posts)

    Quote Originally Posted by WebDevGuy
    ceefour - you said:
    "Please use the $_GET variable as opposed to relying on register_globals. Actually you'd want to wrap the $_GET things into a function which detects get_magic_quotes_gpc() and stripslash accordingly.

    This may be too complex at start but it's REALLY something that should be done at start. *TONS* of scripts are broken and leave gaping security hole because of this."

    Is this what you meant:

    if (!get_magic_quotes_gpc())
    {
        $input = addslashes($input);
    }
    No, the *OTHER* way around:

    PHP Code:
    $input = NULL;
    if (isset($_REQUEST['input']))
        $input = get_magic_quotes_gpc() ?
            stripslashes($_REQUEST['input']) : $_REQUEST['input'];
    You'll immediately note several things:
    - the isset() check is necessary to avoid PHP bursting out notice messages because you use a nonexistent variable
    - I used $_REQUEST as this is the aggregation of _GET, _POST, and _COOKIE but you should use $_GET or $_POST depending on the situation
    - I used stripslash-on-demand instead of addslash-on-demand. Why? Because you need to process unfiltered data, for example if you want to display it on an HTML page these slashes aren't pretty, and you'll want to use nl2br and/or htmlspecialchars for escaping that. If you want to use that variable on a database then you will *NOT* use addslashes but instead use mysql_escape_string or any other database-dependent escaping function.
    - That code will not work if the input variable is an array, you need to do recursive stripslash, and that ain't pretty.
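The wrapper that posts #4 and #9 describe, written out as an added example (this is not code from the thread, from the devshed article or from php-for-beginners.co.uk, and the function names `magic_quotes_on`, `undo_magic_quotes`, `input_raw`, `for_html` and `find_users` are this example's own). It reads from an explicit request array instead of register_globals, undoes magic_quotes_gpc only when that setting is really on, recurses into array parameters (the one-liner in post #9 does not), and escapes per output context rather than with addslashes(). One caveat the thread predates: get_magic_quotes_gpc() always returns false from PHP 5.4 on and no longer exists in PHP 8, so on modern PHP the wrapper reduces to an isset()-guarded lookup; the demo at the bottom forces the stripping branch with constructed input so the logic can be seen. The SQLite part assumes the pdo_sqlite extension.

```php
<?php
// Added example: input wrapper in the spirit of posts #4 and #9.
// Function names are this example's own, not from the thread.

function magic_quotes_on(): bool
{
    // Guarded: the function is gone in PHP 8. The @ silences the
    // deprecation notice PHP 7.4 emits for calling it.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Strip the backslashes magic_quotes_gpc added, keeping array structure and
// leaving non-string scalars alone. Run this exactly once per value:
// stripping twice eats backslashes the user actually typed.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Fetch $name from a request array ($_GET, $_POST or $_COOKIE, chosen by the
// caller rather than the $_REQUEST aggregate), or $default when absent.
// The isset() check avoids the "undefined index" notice post #9 mentions.
// $magic defaults to the live setting; it is a parameter only so the
// stripping branch can be exercised with constructed data.
function input_raw(array $src, string $name, $default = null, ?bool $magic = null)
{
    if (!isset($src[$name])) {
        return $default;
    }
    $magic = $magic ?? magic_quotes_on();
    return $magic ? undo_magic_quotes($src[$name]) : $src[$name];
}

// Output-context escaping for HTML text or a quoted attribute value.
// Apply nl2br() to the result, not before it, if line breaks should render.
function for_html($s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Database context: bind the value instead of escaping it by hand. The
// prepared statement is the driver-side replacement for the per-database
// escaping function post #9 recommends over addslashes().
function find_users(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demo with constructed input ------------------------------------------
// What PHP with magic_quotes_gpc=On would hand a script for the request
//   ?q=O'Reilly <b>&tags[]=a"b&tags[]=c
// The backslashes below were added by PHP, not typed by the user.
$fake_get = [
    'q'    => "O\\'Reilly <b>",
    'tags' => ['a\\"b', 'c'],
];

$q       = input_raw($fake_get, 'q', '', true);       // scalar, quotes undone
$tags    = input_raw($fake_get, 'tags', [], true);    // array, handled recursively
$missing = input_raw($fake_get, 'nope', 'n/a', true); // absent, no notice

echo for_html($q), "\n";
echo implode(',', array_map('for_html', $tags)), "\n";
echo $missing, "\n";

// In-memory SQLite so the database path runs offline (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->prepare('INSERT INTO users (name) VALUES (:n)')->execute([':n' => "O'Reilly"]);
// The apostrophe in the bound value reaches the driver as data, not SQL.
$rows = find_users($db, substr($q, 0, 8));
echo count($rows), " row(s)\n";
```

On a real request the call is `input_raw($_GET, 'q', '')` with the fourth argument left unset, so the live setting decides whether stripslashes() runs. The wrapper only reverses PHP's own mangling: validation of type, length and allowed characters still belongs in the script, and the escaping step is chosen by where the value is going (HTML, SQL, shell), never done once up front.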

