PHP and MySQL coding tips

[scoates]

"marginally" definitely means "marginally" in this case.
We're talking thousands of variable replacements (double quoted) before you'll notice ANY performace decrease, but you are correct, you do get some miniscule amount of gain from breaking out of quotes to substitute.

PHP Code:

<?php

function microtimeAsDouble()
{
    $nowTime = explode(" ", microtime());
    return ($nowTime[0] + $nowTime[1]);
}

// turn on automatic flushing:
ob_implicit_flush();

// seed random number generator:
srand((double)microtime()*10000);

// set memory limit to 64 megs.
ini_set('memory_limit', '64M');

// how many?
$iterations = 10000;

$b = "test";

$startTime = microtimeAsDouble();
for ($i=0; $i<=$iterations; $i++) {
    $a = '---'. $b .'---';
}
$singleTime = microtimeAsDouble() - $startTime;

echo "Single: ". $singleTime ." seconds.<br /><hr />";


$startTime = microtimeAsDouble();
for ($i=0; $i<=$iterations; $i++) {
    $a = "---$b---";
}
$doubleTime = microtimeAsDouble() - $startTime;

echo "Double: ". $doubleTime ." seconds.<br /><hr />";

?>

for 100,000 iterations, I'm getting (~):

Code:

Single: 0.38587403297424 seconds.
Double: 0.50207698345184 seconds.

S

[auroraeosrose]

P.S. I did mention that it was only useful for those beginning to code, or high traffic/large sites, yes? marginal may not show up much in benchmarks, and may not be needed on personal websites, but sometimes every little bit helps - it's not do or die, just a tip

anyway...

one thing I almost forgot - everyone who writes php should read this - yeah I know, those of you who have been coding php forever are so sick of the document, but it's a great piece for beginning coders who often don't think about security

http://www.securereality.com.au/studyinscarlet.txt

[scoates]

also str_replace will take arrays as parameters.

S

[MattR]

Never, ever use if($foo == "bar") if $foo happens to be a string...ALWAYS ALWAYS ALWAYS use if(strcmp($foo, 'bar')) instead.

Why?

[auroraeosrose]

From a user added note in the php manual:

"These comparison operators work based on the context in which they are being used. So if you want to compare two strings, but they both happen to be valid numeric values, you're in line to get burned. The PHP way to compare two strings safely is to use strcmp(). "

I think that explains it pretty well, better than I could try...sometimes the words just don't come out right...

strcmp is binary safe
so "" == 0 is true
strcmp("",0) != 0
strcmp returns 0 for = 1 or -1 for 1=
You can get a lot of the same effect from === which compares type as well as value - but thats not always what you want because you could have problems with casting...

I guess after contemplation, wouldn't say its better to always use it, but maybe i would say always use it for something like comparing a password. Or anywhere you have mixed type values as strings, php and that loose typecasting and all. I suppose most of the time == or === is good enough. Probably faster...anyone want to do benchmarks on it?

http://safari.oreilly.com/main.asp?b...ogphp&snode=39

o'reilly has a bit on it here....I just sacrifice the speed for the strcmp() always because I'm obsessive about things like security, and I don't want things sneaking in....



anyway: yes, str_replace will take an array, but I leave them seperately - I don't always strip out everything, like extra spaces and all,...and there's a typo in that...sorry...that's what happens when you cut and paste from the wrong cvs file (smacks self...) I fixed it...

[MattR]

Assumption: NOT NULL is better than NULL

You can't necessarily make that assumption as a whole.

Obviously, there are a few extra "cycles" spent on finding offsets for variable length data (for that matter, you have to compute offsets for fixed length data too), but probably such a small difference, it may not be measurable for most cases. Also, if you are able to improve the cache hit ratio (and/or reduce cache searches) by using fewer pages to store your data, wouldn't that more than offset the "cost" of finding variable length columns on the row?

[filch]

Hello to all,

I am totally new to PHP so sorry if this is mundane.

So based on the old way of passing a variable i.e. somepage.php?id=1 how would you now accomplish this same thing with the new way? Would it be something like somepage.php?$_GET('id')

Help is ALWAYS appreciated!

Cheers :: filch

[GeekSupport]

Originally posted by filch
Hello to all,

I am totally new to PHP so sorry if this is mundane.

So based on the old way of passing a variable i.e. somepage.php?id=1 how would you now accomplish this same thing with the new way? Would it be something like somepage.php?$_GET('id')

Help is ALWAYS appreciated!

Cheers :: filch

you do not need to change the way you make links. the only change is in the code

if you had a link which points to ./somepage.php?id=1, the code in somepage.php to grab "id" and its value of "1" is by (below)

PHP Code:

<?php
  $id = $_GET['id'];

  echo $id;
?>

$id would echo out 1. you don't necessarily have to store $_GET variables to another var, but it's easier for me to use after taking in the form/external data.

PHP Code:

<?php
  echo $_GET['id'];
?>

(above)would give the same result
but

PHP Code:

<?php
  echo $id;
?>

(above) would give you nothing (register globals = off).

hope that helps a little

[Darth Cow]

DR_LaRRY_PEpPeR mentions how to turn off magic quotes from PHP code - is there an equivolent way to turn off the evil of register globals with just PHP?

Thanks

[weirdbeardmt]

Originally posted by Darth Cow
DR_LaRRY_PEpPeR mentions how to turn off magic quotes from PHP code - is there an equivolent way to turn off the evil of register globals with just PHP?

Thanks

PHP_FLAG register_globals OFF in an .htaccess oughta do it.

[Darth Cow]

Originally posted by weirdbeardmt
PHP_FLAG register_globals OFF in an .htaccess oughta do it.

I was hoping there was a solution just using PHP - I'm honestly not exactly certain how to edit/get to work .htaccess files . I do know I'm running Apache though .

[samsm]

Alright, I answered the wrong question so now I'm going back and hopefully posting something more useful.

You can still use $_SERVER style arrays even if register globals is on. So, simply ignoring registered globals can remove any problem you may have.

Problems from register globals come when you go to access $is_logged_in and little does your application know that it is being provided by $_GET['is_logged_in] (relatively insecure) rather than $_SESSION['is_logged_in'] (relatively secure).

So yes, there is an equivalent way to turn off register globals with PHP... just don't use them! Use $_SESSION['is_logged_in'] instead of the registered $is_logged_in and so on throughout your scripts.

EDIT:
This should wipe out any variables gloabally registered by the user while leaving the $_GET, $_POST and $_COOKIE arrays in tact.

PHP Code:

 foreach($_REQUEST as $key => $value)
{
    if ($key == 'key') { break; }
    unset($$key);
} 


[Darth Cow]

Originally posted by samsm
So yes, there is an equivalent way to turn off register globals with PHP... just don't use them! Use $_SESSION['is_logged_in'] instead of the registered $is_logged_in and so on throughout your scripts.

Well OK, that's what I already try to do . But I just wanted the maximum security anyways, even though I can't edit my PHP config file .

[nickgreenway]

Thanks Harry

Am into my second day of PHP development. Am struggling to parse html forms through my setup - any ideas - for example this file (uploader.html)
---------------
<html>
<head> <title>File Uploader</title> </head>
<body>
<h3>File Upload</h3>
Select a file to uploadbr>

<form action="uploader.php" method="post" enctype="multipart/form-data">
<input type="file" name="file" size=50>
<br>
<input type="submit" value="Upload File">
</form>

</body>
</html>
-------------------
should allow me to slect a file, parse it through this php script: (uploader.php)
------------------
<?php

if($file_name !="")
{
copy ("C:\\Apache\\htdocs\\$file_name") or die("Could not copy file");
}
else
{
die("No file specified");
}
?>

<html>
<head> <title>Upload complete</title> </head>
<body>
<h3>File upload succeeded...</h3>
<ul>
<li>Sent: <?php echo "$file_name"; ?>
<li>Size: <?php echo "$file_size"; ?> bytes
<li>Type: <?php echo "$file_type"; ?>
</ul>

<a href="<?php echo "$file_name" ?>">Click here to view file</a>

</body>
</html>
----------------------------
However, I always receive the "No File specified" error. This type of error occurs on all scripts handlign forms -

any ideas - am I missing something in my php.ini.

Many thanks and keep up the good coding.

[KungPaoChicken]

Hate waiting for pages or having your views wait? Want to reduce server load and increase page load time on EVERY page? well here is how!
Use ob_start("ob_gzhandler");! Here is an example that will compress the whole page and send it to the users browser and then the user will decode it automaticly!To get this to work properly, you have to compile PHP with "--with-zlib". Have fun with your new faster webpage

PHP Code:

<?php

ob_start("ob_gzhandler");

?>
<html>
<body>
<p>This should be a compressed page.
</html>
<body>

[DragonAss]

Originally posted by scoates
"marginally" definitely means "marginally" in this case.
We're talking thousands of variable replacements (double quoted) before you'll notice ANY performace decrease, but you are correct, you do get some miniscule amount of gain from breaking out of quotes to substitute.

The fraction of a second may not count towards much in this case, but I still prefer the "faster" method for easier readability in color-coded editors. My editor makes any "raw" written variables stick out like a sore thumb for easy pickin, but blends them in when they're contained inside double quotes. Even the color-coded PHP on this board demonstrates what I mean:

PHP Code:

<?php

echo 'I find it easier to debug a '. $concantenated .' string with '. $color_coding '.<br /><hr />';

echo "...than to troubleshoot the $double_quoted variety of $strings.<br /><hr />";

?>

I don't know if any editors highlight all PHP variables regardless of where they are... but if any such editor exists, I haven't seen one yet. In the meantime, it's nice to know the highlighted concantenation method not only works fine, but is a fraction of a second faster.

[Kymira]

Originally posted by ZuulJin
I got one...

When trying to loop through the global arrays (I've only tested the $_POST array) you have to access it by the key name not by number.

.... (edited out for space)

Code:

for ($i = '0'; $i < count($_POST); $i++)
{
  $key = array_search('on', $_POST);
  echo $_POST[$key] . ' is on!';
}

[Z]

When using a for loop, it's faster to set the end condition outside of the loop. Ex:

Code:

$array_count = count($_POST);

for ($i = '0'; $i < $array_count; $i++)
{
  $key = array_search('on', $_POST);
  echo $_POST[$key] . ' is on!';
}

Why is this faster? Unlike C/C++, Java (etc), PHP is an interpretted language and isn't compiled down to machine language. So if you call a function inside a loop declaration, PHP will call that function every time it iterates though the loop.

[Kymira]

With regard to the whole "global vars are evil arguement," I would agree to a certain point.

For things such as "$is_logged_in," then yes, I agree that global vars are evil. On the other hand, if you look at phpBB's code, the use global vars for internal variables such as "global $db." In this case, $db is a database abstraction layer that that entire project uses. For example:

PHP Code:

/* simply authenticating users with plain text is bad in my opinion, but this is just an example*/
function auth_user(&$username, &$password)
{
   global $db;

   $query = "SELECT blah, blah.....";

   $result = $db->sql_query($query);

   $auth_array = $db->sql_fetchrow($result);

   /* more code to process the results, but not important to this example */
} 


For something like this, the $db class is used throughout the script, and it's easier than having to constantly pass the $db class to a function. Apparently there are problems with passing objects to a function, and using global vars in this way can help augment that.

Associative Array Interpolation in Strings

PHP Code:

echo $array['key']; // is better than

echo $array[key]; 


However, if you try to use $array['key'] in a double quotes echo, it won't work. What you have to do is this:

PHP Code:

echo "This is my var in the array [COLOR=red]{[/COLOR]$array['key'][COLOR=red]}[/COLOR]."; 


The braces help the parser distinguish the quotes between the brackets, i.e. [].

[MattR]

Kymira,

I think the official word from Zend (et al) is that you should abandon the use of double-quotes since the process to find variables in the quotes is quite costly. Not to mention it craps out quite soon (you can run benchmarks and it will eventually kill PHP).

In short:

PHP Code:

echo 'You are ' . $age . ' years old!'; 


is better and preferable to:

PHP Code:

echo "You are $age years old!"; 


[voostind]

For things such as "$is_logged_in," then yes, I agree that global vars are evil. On the other hand, if you look at phpBB's code, the use global vars for internal variables such as "global $db." In this case, $db is a database abstraction layer that that entire project uses.

So you're saying in some cases it's okay to use globals. Well, it's not (IMHO). The fact that a program uses globals can never be rectified by the reason for using them, as far as I'm concerned. So in this case I'd say: phpBB has a design problem, because it has to have at least one global variable to work properly...

Vincent

[datune]

Associative Array Interpolation in Strings

Code:

echo $array['key']; // is better than

echo $array[key];

PHP Code:

echo $array['key'] 


Is not only better, it is the only correct way of doing, unless key is a constant. Turn on error reporting (including notices), and try this

PHP Code:

$array = array('one' => 'eins', 'two' => 'zwei');
echo $array[one]; 


Will output the following
Notice: Use of undefined constant one - assumed 'one' in ....

Apparently there are problems with passing objects to a function, and using global vars in this way can help augment that.

Never ever have i had problems passing objects to a function. Could you show me one example where passing objects to a function causes problems?

datune

[johnn]

Originally posted by MattR
I think the official word from Zend (et al) is that you should abandon the use of double-quotes since the process to find variables in the quotes is quite costly. Not to mention it craps out quite soon (you can run benchmarks and it will eventually kill PHP).

How do you change to single quotes for this line for speed:

PHP Code:

$query = "select x from table b where x = '$y'"; 


Thanks,
John

[MattR]

Originally posted by johnn
How do you change to single quotes for this line for speed:

PHP Code:

$query = "select x from table b where x = '$y'"; 


Thanks,
John

PHP Code:

$query = 'select x from table b where x = \'' . $y . '\''; 


[Michel V]

Originally posted by voostind
So in this case I'd say: phpBB has a design problem, because it has to have at least one global variable to work properly...

How would you go about passing that $db to functions and classes?

[voostind]

How would you go about passing that $db to functions and classes?

I wouldn't.

I would only pass the $db to the classes that actually need it, which - if you layer your code properly - will be surprisingly small in number...

Vincent