PHP and MySQL coding tips

[FatPiper]

OK, my little tip (and I don't know if it's already been said or not ... too many posts in here, we should start a part 2 or something)

Don't ever, EVER, under ANY circumstances, EVER attempt to serialize objects, store them, and recover them later.

PHP's serializing object support (especially if the objects are complex, and stored object-within-object in a tree, with each one having reference variables to its parent, etc. etc.) is very sketchy. You can serialize and unserialize stuff and data will be changed, or you'll just get random crashes and errors.

For example: at a certain point I was trying to access something after unserializing in my object structure like this:
$blah = $object->array[$id1]->array2[$id2]->getID();
$something = $object->array[$id1]->array2[$id2]->getSomething();
It would get me the $blah just fine, but the $something would give me a "Can't run method on non-existing object" error ... basically the object disappeared between the two statements. When I just built it up by hand to test it, instead of unserializing, it worked fine.


The Moral Is: Thou Shalt Not Serialize Objects, else { Thou Shalt Have Very Large and Very Arbitrary Problems; }

[voostind]

Don't ever, EVER, under ANY circumstances, EVER attempt to serialize objects, store them, and recover them later.

In my experience, serializing objects works just fine. However, there are two things to take note of:
1. Don't put circular references in the objects you're serializing (A -> B and B -> A for example). The serialize() method will not know what to do with that. (Or maybe they've fixed that by now).
2. Be sure to include the classes of the objects you've serialized before deserializing them. If you don't, you will get messages like "Can't run method on non-existing object"...

Vincent

[trickie]

Originally posted by FatPiper

Don't ever, EVER, under ANY circumstances, EVER attempt to serialize objects, store them, and recover them later.

I have objects stored in the $_SESSION global, and they work ok. Aren't they serialized?

[voostind]

I have objects stored in the $_SESSION global, and they work ok. Aren't they serialized?

Yes, indeed they are!

Vincent

[Captain Proton]

Want to reduce server load and increase page load time on EVERY page? well here is how!

Uhm, no? I don't want to increase my page load time

And besides, output buffering in fact increases your server load because of the extra work it takes to compress the output

[FatPiper]

Well y'all are v.lucky or my code is v.bad then.

I'll admit that my code did have references, but they were not circular ... just recursive

object a:
property 1 = object b


object b:
property 1 = reference to object a

When one outputted the value of serialize($object_a), it would go infinitely spitting out data forever and ever. Serializing was not a pretty thing, and I'm pretty sure what'd happen is that when stored in the session, this data would get truncated because since it was spitting infinitely there was too much of it. This led to completely unpredictable results.

Storing basic objects works fine (VERY basic...), but anything complicated like references or database resources (yes, I know about __sleep and co.) and it could very well go haywire on you.

I will modify my previous statement to: do it if you must, but you're better off putting toString and fromString functions into your objects where you use your own method of serializing. Or just don't serialize.

[Egghead]

Some of the best tips I have found in PHP...

Register Globals
Register Globals is now turned off by default, and most coders are getting used to implementing $_POST['variable'] and so on into their scripts. Note for Windows users: If your php.ini file still sets "register_globals = On" because you kept your php.ini settings on an upgrade then it may be a good idea to change it - even if it is just on your home or local machine for your own personal use (It is good practice to get into secure habits).

What if you can not change the setting though? You may be using an ISP/host which sets "register_globals = On" for compatibility reasons and refuse to change it. Well shame on your ISP, however there are things you can do about it! First you may want to check the status of the register_globals setting, simply issue the phpinfo() function on the server and check the register_globals value in the PHP Core table.

If it is "On" and you can not change it to "Off" by editing the setting, then you have a few options to make your code more secure.
1. Put all your code into a function, then call the function. The scope of variables in functions will save the day for you.
2. Manually use a function to unregister globals. If you first save the superglobals, you can then copy them back after the unregistering is done.

PHP Code:

function unregister_globals()
{
   // Save the existing superglobals first
   $REQUEST = $_REQUEST;
   $GET = $_GET;
   $POST = $_POST;
   $COOKIE = $_COOKIE;
   if (isset($_SESSION))
   {
      $SESSION = $_SESSION;
   }
   $FILES = $_FILES;
   $ENV = $_ENV;
   $SERVER = $_SERVER;

   // Unset the $GLOBALS array (clear all)
   foreach($GLOBALS as $key => $value)
   {
      if ($key != 'GLOBALS')
      {
         unset($GLOBALS[$key]);
      }
   }

   // Re-assign the saved superglobals again
   $_REQUEST = $REQUEST;
   $_GET = $GET;
   $_POST = $POST;
   $_COOKIE = $COOKIE;
   if (isset($SESSION))
   {
      $_SESSION = $SESSION;
   }
   $_FILES = $FILES;
   $_ENV = $ENV;
   $_SERVER = $SERVER;
}
unregister_globals(); 


Apologies to Theo Spears of php|architect magazine (http://www.phparch.com). You can read his two other methods for solving the register globals problem and also other ideas for "Writing Secure PHP Code" in the January 2003, Volume II, Issue 1 edition of the magazine, which is available FREE.

Magic Quotes
Another configurable setting which may affect your scripts is Magic Quotes - both GPC (for incoming Get, Post and Cookie data) and Runtime (for runtime-generated data, e.g. data from SQL, from exec(), etc.) Check the status of Magic Quotes with this:

PHP Code:

echo 'GPC Status: ' . get_magic_quotes_gpc() . '<br />';
echo 'Runtime Status: ' . get_magic_quotes_runtime();
// 1 = On
// 0 = Off 


Use a function that will automatically call "addslashes" to your SQL queries if Magic Quotes is off. Here's one for GPC quotes:

PHP Code:

define("MAGIC_QUOTES_STAT_GPC", get_magic_quotes_gpc());

function auto_slash($str)
{
   if (1 == MAGIC_QUOTES_STAT_GPC)
   {
      return $str;
   }

   else
   {
      return addslashes($str);
   }
} 


Then adapt your SQL queries accordingly...

PHP Code:

// Here is an UPDATE query using a $_POST value
$table = 'my_table';
$field = auto_slash($_POST['my_field']);
$sql   = 'UPDATE ' . $table .
         'SET my_field = ' . $field .
         '\'';
         // Note: a backslash is missing here! '
         // See note at end of this post.

// And here is a SELECT query using the same
$id     = auto_slash($_POST['my_id']);
$column = 'my_column';
$table  = 'my_table';
$sql    = 'SELECT ' . $column .
          'FROM ' . $table .
          'WHERE id = \'' . $id .
          '\'';
          // Note: a backslash is missing here! 


Databases and Tables
When putting SQL queries into your PHP scripts, you should create a seperate file which sets the names of each database or table. This file can then be included when required, and if any database or table name needs to be changed, then you only need to make one alteration - not many! This is very useful when you are using scripts from other people which create databases/tables, as their script may create a new database/table with the same name as one you already have.
Example configuration file:

PHP Code:

// Database Table Names
$conf['tbl']['books'] = 'book_names';
$conf['tbl']['authors'] = 'writers'; 


Any query can then use the defined names as so:

PHP Code:

$table = "$conf['tbl']['books']";
$field = 'field_value'
$sql   = 'UPDATE ' . $table .
         'SET my_field = ' . $field .
         '\'';
         // Note: a backslash is missing here!'

$table = "$conf['tbl']['authors']";
$field = 'field_value'
$sql   = 'UPDATE ' . $table .
         'SET my_field = ' . $field .
         '\'';
         // Note: a backslash is missing here! 


NOTE: The VB Code in this forum keeps removing a backslash from the PHP source code.
All lines reading
' ' ' ;
should in fact read
' \ ' ' ;

[Derfel Cadarn]

jumping in and out of php sometimes leaves me quite befuddled and having to match the braces is no ...

Well, I couldn't agree more, but since I started using Arachnophilia as my HTML & PHP & Java-editor, I haven't had any troubles with it!!!
This little careware-program (written in Java, advantages might be known ) highlights the closing brace when you're on an opening brace (and the other way around). It is GREAT as an editor, at least when you are, like me, some old-fashioned dude, writing every code by hand instead of those frontpagers, et cetera!
You can get it at http://www.arachnoid.com/arachnophilia/ , mentioning my name doesn't bring me anything more than thanx from Paul Lupus. But that's part of Careware!

Try it! Or don't!

[website]

voostind: I do not fully agree with you. I have a class called $db and a variable called $access that is an array that includes the current user privilages and info. I keep these variables global with global $accss,$db; because they never change over the script and I am using them all the time, I mean, all normal variables I call with the ($var1, $var2) method but I still use these globals simply to simple my script, what is wrong with that I mean, I will never use them for anything else then they currently do.

Also one question, if accessing arrays, is it better to use single quote ['something'] or double quote ["something"] ? btw, I know I should use ' ' for strings and I always do that but how is it with arrays?

[voostind]

...but I still use these globals simply to simple my script, what is wrong with that I mean...

The result of doing this is that your programs aren't modular. Instead of having small, efficient, reusable, modules, you have one big piece of software. Imagine you implemented some brilliant code you'd like to reuse in other projects (or like to release as Open Source or something), then you'd have to rewrite it, because without the globals, the code doesn't work.

And that's just one reason globals are evil... [img]images/smilies/wink.gif[/img]

Vincent

[website]

ok vincent, I see your point, I realise that my code is rather depended on the current project but can you then please explain to me these layers better?
Example:
I have a Global variable called $db which refers to the Db class I created, it makes my work a lot easier and here is an example of something I am doing all the time

PHP Code:

$q = 'SELECT col FROM table WHERE conditions';
$res = mysql_query($q) or die(mysql_error());
while ($row = mysql_fetch_assoc($res)) {
  $array[] = $row;
} 


Instead I did this once and now I simply do

PHP Code:

q = 'SELECT col FROM table WHERE conditions';
$result = $db->ret_marray($q); 


Are you saying that I should write my code as the first example is?
And I mean, this would result in very easy change between databases

But if you are saying that I shouldn't do this like I did then how? how would you do what I did but still in very simple way?

Edit:

This issue has been considered for a long time and is solved.

[DaveBaker]

Associative Array Interpolation in Strings

PHP Code:

echo $array['key']; // is better than

echo $array[key]; 


However, if you try to use $array['key'] in a double quotes echo, it won't work. What you have to do is this:

PHP Code:

echo "This is my var in the array [color=red]{[/color]$array['key'][color=red]}[/color]."; 


The braces help the parser distinguish the quotes between the brackets, i.e. [].

Why is this? We're told in my 4.3.0 help documentation to use $array['key'] rather than $array[key] but then one has to use curly quotes or concatenation on that constuct rather than being able to just plop it into a double-quoted string. I don't understand why PHP isn't able to figure out how to parse this:

echo("The value is $array['key'].");

[MattR]

echo "This is my var " . $array[ 'key' ] . " stuff";

You can also use the comma (,) in place of dot (.) in echo.

[voostind]

You can also use the comma (,) in place of dot (.) in echo.

Actually, it's better to use a comma instead of a dot, because it saves some overhead (no string concatenation).

Example:
echo 'foo', 'bar';
translates to:
echo 'foo';
echo 'bar';

whereas:
echo 'foo' . 'bar'
translates to:
echo 'foobar'

The first is cheaper, because PHP doesn't first have to create the new string 'foobar', but can instead send the two strings to output directly.

Vincent

[torrent]

Why is this? We're told in my 4.3.0 help documentation to use $array['key'] rather than $array[key] but then one has to use curly quotes or concatenation on that constuct rather than being able to just plop it into a double-quoted string. I don't understand why PHP isn't able to figure out how to parse this:

echo("The value is $array['key'].");

How's PHP supposed to recognise between you referencing a variable called $array and then quoting the text ['key'] and you referencing a variable called $array['key']. You can either use simple syntax with the { } to delimit for parser the variable name, or use the complex syntax for more complex expressions. E.g.:

PHP Code:

// 'simple' syntax examples
print "Hello ${_POST['name']}, and welcome.";
print "Hello $name, and welcome";

//'complex' syntax examples
print "Hello {$member->name}, and welcome";
print "Hello {$member['details']['name']}, and welcome"; 


[website]

How's PHP supposed to recognise between you referencing a variable called $array and then quoting the text ['key'] and you referencing a variable called $array['key']. You can either use simple syntax with the { } to delimit for parser the variable name, or use the complex syntax for more complex expressions. E.g.:

PHP Code:

// 'simple' syntax examples
print "Hello ${_POST['name']}, and welcome.";
print "Hello $name, and welcome";

//'complex' syntax examples
print "Hello {$member->name}, and welcome";
print "Hello {$member['details']['name']}, and welcome"; 


Hmm, nice, didn't know this.

But honestly, isn't it better simply to do

PHP Code:

print 'Hello ' . $_POST['name'] . ', and welcome.'; 


?

and then ofcourse to use echo() if you can ?

[Jeff Lange]

PHP Code:

print "Hello {$member->name}, and welcome"; 


PHP Code:

echo "Hello $member->name, and welcome"; 


would also work

[AhmedF]

according to what voo said, would not this be 'best':

PHP Code:

print 'Hello ' , $_POST['name'] , ', and welcome.'; 


Notice the ',' instead of '.'

[torrent]

PHP Code:

echo "Hello $member->name, and welcome"; 


would also work

True. Only because the name is followed by an invalid character for variable names. If you changed the above to:]

PHP Code:

echo "Width = $member->width00"; 


The this would not work, as 00 are valid characters in a variable name.

Point is; there are a zillion ways you can print out your information. Do what you think is best in your application.

[website]

according to what voo said, would not this be 'best':

PHP Code:

print 'Hello ' , $_POST['name'] , ', and welcome.'; 


Notice the ',' instead of '.'

I belive the , does only work with echo()

But guys, isn't this method still 'better' then the other one ?
This is the problem with php, there are too many ways to do a single thing.

[torrent]

Kymira,

I think the official word from Zend (et al) is that you should abandon the use of double-quotes since the process to find variables in the quotes is quite costly. Not to mention it craps out quite soon (you can run benchmarks and it will eventually kill PHP).

In short:

PHP Code:

echo 'You are ' . $age . ' years old!'; 


is better and preferable to:

PHP Code:

echo "You are $age years old!"; 


I think it should be noted that you cannot single quote escaped characters you want the parser to recognise. For example

PHP Code:

<?php
print "There is a newline between this text\nand this text\n";
print 'Now see what happens\nwhen you do this!';
?>

I agree it is good practice to use single-quotes where possible, although find it slightly more difficult to believe the performance difference in everyday PHP programming is really that noticeable.

[Jeff Lange]

PHP Code:

print "There is a newline between this text\nand this text\n";
print 'Now see what happens\nwhen you do this!'; 


Of course you could go:

PHP Code:

print 'There is a newline between this text
and this text
'; 


(Not saying it's better, lol, just pointing it out.)

[GamerZ]

according to what voo said, would not this be 'best':

PHP Code:

print 'Hello ' , $_POST['name'] , ', and welcome.'; 


Notice the ',' instead of '.'

What is the difference between '.' and ','? I always use with '.'

[Jeff Lange]

PHP Code:

print 'Hello', $_POST['name'], ', and welcome.'; 


would not work, because commas do not work with print, only echo.

And the difference is, when echoing and using commas, (especially when outputting variables), instead of creating a new string in memory, it just outputs it as it goes.

(faster.)

[GamerZ]

PHP Code:

print 'Hello', $_POST['name'], ', and welcome.'; 


would not work, because commas do not work with print, only echo.

And the difference is, when echoing and using commas, (especially when outputting variables), instead of creating a new string in memory, it just outputs it as it goes.

(faster.)

thanks, learned another gd pt.