Essential PHP Security

I recently finished reading Essential PHP Security by Chris Shiflett (O’Reilly). It was a good, quick read, and for me it was mostly a review of principles I had previously read on Chris’s blog. The two main principles are filter input and escape output: check every incoming value against what you expect before you use it, and escape each value for the context it is going into (HTML, SQL) at the moment you send it there. Keeping each kind of data in its own array ($clean for filtered input, $html and $mysql for output escaped for one specific context) makes it obvious at a glance which values are safe to use where:


// filter input: only a value that passes the whitelist test reaches $clean
if (isset($_POST['name']) && ctype_alnum($_POST['name'])) {
    $clean['name'] = $_POST['name'];
} else {
    exit('Invalid name');   // never fall through to output with unfiltered data
}

// escape HTML output with htmlentities() (ENT_QUOTES encodes both ' and ")
$html['name'] = htmlentities($clean['name'], ENT_QUOTES);
echo "You entered the name {$html['name']}.";

// escape MySQL output with mysql_real_escape_string(), which needs an open
// connection so that it can escape according to the connection's character set
// (TABLE is a reserved word in MySQL, so the table is called users here)
$mysql['name'] = mysql_real_escape_string($clean['name']);
mysql_query("INSERT INTO users (name) VALUES ('{$mysql['name']}')");
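The same discipline on a current PHP release, as an added example that is not code from the book or from this post: input is still filtered into $clean and escaped into a per-context array at output time, but htmlspecialchars() with an explicit charset replaces htmlentities(), and a PDO prepared statement replaces mysql_real_escape_string(), since the whole ext/mysql extension was removed in PHP 7.0. The example assumes an in-memory SQLite database standing in for MySQL, a constructed $request array standing in for $_POST, and the field names and limits are invented for the demonstration.

```php
<?php
// Added example, not code from the book or from the original post.
// Assumptions: SQLite in memory stands in for MySQL; $request stands in for $_POST.
declare(strict_types=1);

/** True when $s is valid UTF-8 of at most $max characters with no control
 *  characters other than tab/newline. The /u modifier makes preg_match()
 *  fail on malformed UTF-8, so the encoding is checked as well as the length. */
function is_plain_text(string $s, int $max): bool
{
    return preg_match('/\A[^\x00-\x08\x0B\x0C\x0E-\x1F\x7F]{0,' . $max . '}\z/u', $s) === 1;
}

/** Filter input: return only the fields that pass a whitelist test.
 *  Anything else is simply absent from $clean and cannot be used by mistake. */
function filter_request(array $request): array
{
    $clean = [];
    if (isset($request['name']) && is_string($request['name'])
            && ctype_alnum($request['name']) && strlen($request['name']) <= 32) {
        $clean['name'] = $request['name'];
    }
    if (isset($request['comment']) && is_string($request['comment'])
            && is_plain_text($request['comment'], 500)) {
        $clean['comment'] = $request['comment'];
    }
    if (isset($request['age']) && is_string($request['age'])
            && ctype_digit($request['age']) && (int) $request['age'] < 150) {
        $clean['age'] = (int) $request['age'];
    }
    return $clean;
}

/** Escape output for the HTML context only, into its own array. */
function escape_html(array $clean): array
{
    $html = [];
    foreach ($clean as $key => $value) {
        $html[$key] = htmlspecialchars((string) $value,
            ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
    return $html;
}

// Constructed sample request (stands in for $_POST).
$request = [
    'name'    => 'alice',                        // passes the whitelist
    'comment' => "<script>alert('x')</script>",  // free text: kept, escaped on output
    'age'     => "25; DROP TABLE guestbook",     // fails ctype_digit, so it is dropped
];

$clean = filter_request($request);
if (!isset($clean['name'], $clean['comment'])) {
    exit("Invalid input.\n");   // refuse to go on with unfiltered data
}

// Escape for HTML only when writing HTML.
$html = escape_html($clean);
echo "You entered the name {$html['name']}.\n";
echo "Comment: {$html['comment']}\n";

// For the database nothing is escaped by hand: bound parameters keep the
// data out of the SQL grammar whatever characters it contains.
$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE guestbook (name TEXT NOT NULL, comment TEXT NOT NULL, age INTEGER)');
$stmt = $db->prepare('INSERT INTO guestbook (name, comment, age) VALUES (:name, :comment, :age)');
$stmt->execute([
    ':name'    => $clean['name'],
    ':comment' => $clean['comment'],
    ':age'     => $clean['age'] ?? null,   // age was rejected above, so NULL is stored
]);

// Read it back: the stored comment is the raw submitted text, untouched by
// HTML escaping, because escaping belongs to the output context, not storage.
$row = $db->query('SELECT name, comment, age FROM guestbook')->fetch(PDO::FETCH_ASSOC);
echo ($row['comment'] === $request['comment']) ? "stored verbatim\n" : "stored altered\n";
```

The point of the three arrays survives the library change: $clean holds what passed validation, $html holds values that are only safe inside HTML, and the database never sees a hand-escaped string at all. Note that the comment field is deliberately not rejected for containing markup; free text is filtered for encoding and length, and the HTML escaping at output is what neutralises it.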

After reading the book I was only left with one question: is HTTP Authentication over SSL fairly secure? (I assumed it would be.) I emailed Chris with my question and he responded quickly in the affirmative. Thanks, Chris.

CSS Best Practices

Last month at the UPHPU meeting, Wade Shearer presented on CSS best practices. He’s one of the few programmers in the group who is a designer first and a programmer second, so he has unique insight into web design. Here are my notes:

  • Keep HTML free of presentational attributes
  • Write clean, semantic HTML
  • Use HTML tables semantically: for tabular data, not layout (generally)
  • Create print-friendly version of all your pages using media=print
  • For input buttons, use a 1px invisible GIF and then restyle the image with CSS:

    <!-- HTML -->
    <input type="image" src="1px.gif" class="next_button" />

    /* CSS */
    input.next_button
    {
    background-image: url(next_button.gif);
    }

  • Do the same thing for image links, but for accessibility include link text overwritten by a style:

    <!-- HTML (the anchor must be a normal open/close pair, not self-closing) -->
    <a href="next_page.html" class="next_button">Next Page</a>

    /* CSS */
    a.next_button
    {
    display: block;
    background-image: url(next_button.gif);
    text-indent: -99999px;
    }

  • Use comments in CSS to separate typography, headers, layout, forms
  • Sometimes body styles don’t cascade into tables like they should, so you need to repeat the body styles on all tables
  • Begin with a few default styles:

    table, tr, td
    {
    margin:0;
    padding:0;
    border:0;
    border-collapse:collapse;
    vertical-align:top;
    }

    form
    {
    padding:0;
    margin:0;
    }

    img
    {
    border:none;
    padding:0;
    margin:0;
    }

  • Restyling the horizontal rule (<hr>) with an image can be a beautiful addition to a web page
  • Keep a library of helpful CSS classes:

    .float_left
    {
    float:left;
    }

    .float_right
    {
    float:right;
    }

    .clear
    {
    clear:both;
    }

    .col2_left
    {
    float:left;
    width:45%;
    }

    .col2_right
    {
    float:right;
    width:45%;
    }

  • Use PHP to do browser sniffing and to include CSS files relevant to the section.
  • For more best practices, take a peek at the stylesheets for Wade’s place of employment, Doba.com

John Taber on frameworks

John Taber, traffic engineer and PHP developer, has a great post comparing the various MVC frameworks available for PHP, as well as Ruby on Rails.

We really don’t care what the language is or what the plumbing looks like, just so long as we can get the program to do what we want, is super maintainable, and is fast to market. The last thing we want to do is CRUD stuff. Actually, a framework concept should be ideal for us. Which is why I looked so hard at all the choices…. These are strictly our opinions and of course, YMMV.

John compares them with a real practical sense. On a side note, for some reason I find it funny to read a traffic engineer write “Your Mileage May Vary” (YMMV).

Report on PHP Hacker Night

Last night John, Jonathan, Alvaro and I got together to talk PHP over dinner and dessert. I had fun and learned a lot. Here are my notes:

  • Sitening is a web development consultancy with a bunch of cool online tools and what appears to be a good blog. (I haven’t read it yet.) John printed a post from their blog about databases and PHP. I’m going to subscribe to it.
  • We talked about Qcodo, a code generator that John likes because it’s simple.
  • Alvaro really likes Propel for creating database objects to perform CRUD operations. It’s “intuitive” to use.
  • We discussed apt-get vs. yum, with the winner being apt-get.
  • We discussed Ruby on Rails and the similar frameworks for PHP such as Cake, Symfony, and PHP on Trax. John and Alvaro think these frameworks are too limiting, though if the scope of your project falls within the conventions of the framework they can be nice. They both prefer a lighter-weight framework.
  • Alvaro is building a custom, light-weight framework that will simply combine Propel and Smarty. He’ll release it at protonframework.com when it’s ready.
  • Alvaro recommends the Selenium Firefox extension for code testing and automation. It can record each of your steps as you use your web app, then you can set up assertions (unit tests?), then you can run the recorded tests each time you make changes to your web app. This seems like a great way to test web apps consistently and thoroughly. I’m looking forward to trying Selenium.
  • We discussed the virtues of SVG and lamented that Internet Explorer doesn’t have better support for it. John uses SVG extensively for creating reports and modeling streets and traffic flow in his work.
  • Alvaro really likes XPath, a language for querying an XML document. On the browser side, XPath is useful for finding a certain node in the DOM. Firefox has a built-in Javascript function for running XPath queries on the DOM.
  • With AJAX John can change SVG reports in real time by changing the specific DOM node that needs to be updated. XPath could be useful here.
  • On the server side, XPath is useful for screen scraping. You can retrieve an HTML page, run it through Tidy to convert it to well-formed XML, then use XPath (through the PHP DOM library) to query it. Alvaro says it’s easier and more portable than writing regular expressions, which is how I currently do my screen scraping.
  • There are Firefox extensions for working with XPath. They allow you to click anywhere on a web page and see the XPath query that would retrieve that element.
  • Martin Fowler’s book was recommended.
  • By using the Apache directive “ForceType”, you can forgo the “.php” extension on your files and create pretty URLs. (Within the scope where the directive applies, every file, whatever its extension, is handed to PHP, so scope it as narrowly as you can.)
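The server-side XPath scraping workflow from the notes above, as an added example that is not code from the post or from anyone at the meeting. It parses a constructed HTML fragment with DOMDocument, whose HTML parser tolerates tag soup (so Tidy becomes optional rather than required), and then queries it with DOMXPath instead of regular expressions. The price-table layout, its id and the sample rows are invented for the demonstration.

```php
<?php
// Added example, not code from the post. The sample page below is constructed.
declare(strict_types=1);

/** Constructed sample page, standing in for the result of an HTTP fetch.
 *  Note the unclosed <td> and the stray <br> that a regex would trip over. */
const SAMPLE_HTML = <<<'HTML'
<html><body>
<h1>Price list</h1>
<table id="prices">
  <tr><th>Item</th><th>Price</th></tr>
  <tr><td>Widget<td>$4.50</td></tr>
  <tr><td>Gadget<br><td>$12.00</td></tr>
  <tr class="sold-out"><td>Gizmo</td><td>n/a</td></tr>
</table>
</body></html>
HTML;

/** Returns [item => price] for every row of the price table that carries a
 *  numeric price, locating the cells with XPath rather than pattern matching. */
function scrape_prices(string $html): array
{
    $doc = new DOMDocument();
    // Broken markup produces warnings, not exceptions; collect them quietly
    // instead of letting them leak into the page output.
    libxml_use_internal_errors(true);
    $doc->loadHTML($html);   // without a charset hint, non-ASCII is read as ISO-8859-1
    libxml_clear_errors();

    $xpath  = new DOMXPath($doc);
    $prices = [];
    // Every row of the table with id="prices" that has data cells and is not sold out.
    $rows = $xpath->query('//table[@id="prices"]//tr[td and not(contains(@class, "sold-out"))]');
    foreach ($rows as $row) {
        $cells = $xpath->query('td', $row);   // relative query, rooted at this row
        if ($cells->length < 2) {
            continue;
        }
        $item  = trim($cells->item(0)->textContent);
        $price = trim($cells->item(1)->textContent);
        // Only accept a well-formed dollar amount; anything else is ignored.
        if (preg_match('/^\$(\d+\.\d{2})$/', $price, $m)) {
            $prices[$item] = (float) $m[1];
        }
    }
    return $prices;
}

print_r(scrape_prices(SAMPLE_HTML));
```

The XPath expression does the work a regular expression would struggle with: it selects rows by their position in the document tree, so the unclosed tag and the embedded <br> in the sample do not matter. If you do fetch real pages, treat the result as untrusted input in the same way as form data: parse it, pull out exactly the nodes you want, and validate each extracted value (here, the price format) before using it.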

The food was good and the company was excellent. I look forward to doing this again.

PHP Hacker Night tonight

John Taber and I are pudding (sic) on a “PHP Hacker Night” tonight. We’ll be meeting for dinner at 7:30 at Las Tarascas [map] in Provo. Dessert will be at Pudding on the Rice, which is next door. Both restaurants have free wifi, so bring your laptops. We’ll discuss PHP programming and any technology topics that come to mind.

For more information see the UPHPU website: PHP Hacker Night

Disclaimer: I realize I’m posting this less than 2 hours before game time, but if you read this in time you’re probably in the target audience, so come!