SlideShare ist ein Scribd-Unternehmen logo

More About PHP Frameworks

Jonathan Francis Roscoe
Jonathan Francis Roscoe

Slides for a presentation on advanced PHP (object-orientation, frameworks, security and debugging) given for the CS25010 web development module at Aberystwyth University.

Technologie
1 von 36
Downloaden Sie, um offline zu lesen
More About PHP Jonathan Francis Roscoe <jjr6@aber.ac.uk> http://users.aber.ac.uk/jjr6 November 29th 2011
Outline Introduction Some PHP tips Object-Orientation Frameworks Debugging, Testing and Continuous Integration Secure PHP Code Environments Related Reading 2 of 36
Introduction These slides are based on experience from my industrial year when I developed backed end code for web control panels. What I hope you’ll learn about today: • Techniques for improving code quality ◦ Speed ◦ Efficiency ◦ Reliability ◦ (Re)Usability • Advanced features of PHP • Frameworks • Making your PHP Applications secure • Debugging and Analysis of PHP applications I’ll mainly focus on PHP but most of this applies to any web development project. 3 of 36
Some PHP tips With dynamic weak typing, PHP is a laid back language allowing functional code to be written fast. • Use a strong editor with supporting tools - Notepad++, Eclipse (with plugin), vim, Netbeans • Use server-side includes and mix PHP and HTML as little as possible • Test your code (yes - unit testing and acceptance testing is possible) • Debug your code • Take security seriously • Frameworks can significantly improve the speed of your develop, as well as providing features for efficiency, security and reliability. 4 of 36
Server-Side Includes - index.php <?php s e s s i o n s t a r t ( ) ; $page = ”My Page ” $name = ” J o n a t h a n ” ; $ t= g e t t i m e ( ) ; ?> <html><head> < s t y l e t y p e=” t e x t / c s s ”> body { color : purple ; background −c o l o r : #d8da3d }</ s t y l e > < t i t l e ><?=$page ; ?></ t i t l e > </head><body> H e l l o <?=$name ; ?> <d i v i d =”menu”> <a h r e f =”#” Menu i t e m 1/> <a h r e f =”#” Menu i t e m 2/> </d i v > <body></html> 5 of 36
Keeping PHP tidy A better way to handle this code would be to place aspects that are probably wanted in other places into separate files, then we can reuse the same code. This will make code easier to read and will allow others to focus on front end development (HTML, CSS) without worrying too much about the back-end aspects. 6 of 36
functions.inc.php <?php // s t a r t t h e s e s s i o n session start (); // s e t t h e v a r i a b l e s we need on t h e page $name = ” J o n a t h a n ” $page = ”My Page ” ; $t = time ( ) ; ?> 7 of 36
menu.php <d i v i d =”menu”> <a h r e f =”#” Menu i t e m 1/> <a h r e f =”#” Menu i t e m 2/> </d i v > 8 of 36
header.php <html><head> < s t y l e t y p e=” t e x t / c s s ”> body { color : purple ; background −c o l o r : #d8da3d } </ s t y l e > < t i t l e ><?=$page ; ?></ t i t l e > </head> 9 of 36
The new index.php <?php // g r a b s u p p o r t i n g f u n c t i o n s r e q u i r e o n c e ( ’ f u n c t i o n s . i n c . php ’ ) ; // g r a b h e a d e r r e q u i r e o n c e ( ’ h e a d e r . php ’ ) ; ?> <body> H e l l o <?=$name ; ?> <?php r e q u i r e o n c e ( ’ menu . php ’ ) ; </body> </html> 10 of 36
PHP 5 and Object-Orientation Introduced in PHP 5, there is a lot in common with Java’s syntax, rules and conventions. • Interfaces and abstract classes • Magic Methods (e.g. toString()) • Exception classes and try..catch With simple yet powerful polymorphism: • Instantiation from String • class exists(), method exists() and other tricks PHP 5 introduced a few other significant features: • Type Hinting in methods • Reflection • Method overloading (quite different from Java) 11 of 36
OO PHP Example i n t e r f a c e Animal { f u n c t i o n speak ( ) ; } c l a s s Cow i m p l e m e n t s Animal { f u n c t i o n speak (){ p r i n t ”Moooooo ! ” ; } } $ c l a s s n a m e = ”Cow ” ; $a = new $ c l a s s n a m e ; $a −> s p e a k ( ) ; 12 of 36
Reflection in PHP Reflection is a fantastic concept in programming that you might already be familiar with. As PHP is weak and dynamic, we can use reflection with powerful results. For example: $ r = new R e f l e c t i o n C l a s s ( ’ Cow ’ ) ; $methods = $r−>ge tM e t ho d s ( ) ; Will give you a list of all the methods available. This may not sound like much, but we can use it for quick and easy polymorphic constructions. Many Reflection functions exist. It’s also possible to create a tool to describe undocumented classes you might need to work with. 13 of 36
Frameworks Frameworks can be compared to more specific software such as blogs (e.g. Wordpress) or Content Management Systems (eg. Drupal). • Concepts ◦ Faster development ◦ Reduced overhead ◦ Reusability (DRY) • Support for a number of common needs ◦ Session management ◦ Database interaction (usually Object Relational Mapping) ◦ Ajax ◦ Internationalisation ◦ Testing ◦ Deployment ◦ Templating • Typically based on an MVC approach and often object-oriented 14 of 36
MVC Dispatcher A dispatcher script is used to handle routes and control the flow of the MVC structure. • Instantiate model • Execute controller • Render view • autoload() magic method often used to enable source includes on the fly Typically takes the place of index.php. The following code is a simple example demonsrating how an MVC structured blog might be structured. 15 of 36
PHP Model Business/domain logic. <? c l a s s PostModel { function s t a t i c getPosts (){ r e t u r n m y s q l q u e r y ( ” SELECT ∗ FROM blog posts ;”); } } ?> 16 of 36
PHP Controller Controls actions of model and view. May handle input from view and instruct model. <? c l a s s PostController (){ function execute (){ $ p o s t s = PostModel : : g e t P o s t s ( ) ; } } ?> 17 of 36
PHP View User input and feedback. <html> ... <? f o r e a c h ( $ p o s t i n $ p o s t s ) : ?> <h1><?=$ p o s t [ ’ t i t l e ’];? > </ h1> <p><?=$ p o s t [ ’ body ’];? > </ p> <? e n d f o r e a c h ; ?> ... </html> 18 of 36
Popular Frameworks • Zend Framework • Symfony • Codeigniter • Rails • Zope 19 of 36
Debugging It can sometimes be difficult to understand how and why PHP code is behaving the way it is, but there are some useful tools: • Static Analysis - lint, PHP Codesniffer, IDE features • Dynamic Analysis - xdebug, Valgrind PHP has error reporting of its own, and some frameworks may provide debugging features. 20 of 36
Browser Extensions Web development can be a deviation from your familiar development techniques, fortunately various extensions can be invaluable in debugging the information that the client has, particularly when working with Ajax. • Web Developer Toolbar ◦ Firefox ◦ Chrome • Firebug ◦ Firefox ◦ Chrome, Internet Explorer, etc (Lite) • IE WebDeveloper Safari has a built in debug toolbar?.. 21 of 36
Profiling • Speed is particularly important when we have many users placing load on a server • ”Stepping through” is usually not possible • Xdebug is a PHP extension that provides debugging and performance analysis: ◦ Stack & function traces ◦ Memory allocation ◦ Callgrind profiles • Callgrind information can be investigated and visualised with a tool such as KCacheGrind, Carica or Webcachegrind. 22 of 36
Profiling Example call map showing relative runtime of each method called. 23 of 36
Profiling Example call graph showing relative runtime of each method called. 24 of 36
Testing • Code coverage is a measure of how well our tests explore every potential avenue of execution; strive for 100%. • Unit tests ◦ Test each module of code ◦ Core to test driven development methodology ◦ PHP-Unit is the PHP equivalent of JUnit, a tool you probably already know. You can use it to run subsections of your code, and test expected output. • Functional tests ◦ Tests of end user experience ◦ Selenium is a powerful tool that allows automatic execution of your webpages. This makes it easy to fully automate the testing of your entire site. • Continuous Integration ◦ Automated, routine build and testing of code ◦ Alert developers of new errors incode before it is released 25 of 36
Continuous Integration Overview of phpUnderControl showing various statistics. Source: http://phpundercontrol.org/ 26 of 36
Continuous Integration Example result of a phpUnderControl build, highlights code with errors. Source: http://manuel-pichler.de/ 27 of 36
Sanitising Input You’ve probably seen or implemented some form of client-side security - such as a Javascript popup if you haven’t don’t complete a form properply. These mainly exist to be quick and look pretty, they are not at all secure. So you must sanitise input on the server-side. $username = f i l t e r v a r ( FILTER SANITIZE STRING , $ POST [ ’ username ’ ] ) ; Regular expressions can be used to go beyond simply removing harmful characters and can validate some requirements: i f ( p r e g m a t c h ( ” / ˆ h t t p / ” , $ POST [ ’ u r l ’ ] ) ) echo ” Got a URL ! ” ; else echo ” URL i s no good . ; ” 28 of 36
Securing Your Code To show you why server-side sanitisation is important: .. m y s q l q u e r y ( ” SELECT ∗ FROM u s e r s WHERE p a s s w o r d = ’”. $ POST [ ’ p as sw ord ’ ] . ” ’ ) ; .. What if the input was something like: ’ ; DROP u s e r s −− Fortunately, tools exist to statically analyse your code for eversights and potentially dangerous behaviour. Pixy is a common script used on multi-user systems - such as your Aberystwyth user web hosting.. 29 of 36
Security - Server Side Code Scanners Dear Jonathan , P l e a s e d i s a b l e y o u r ”PHP−S h e l l ” program a s s o o n a s p o s s i b l e . At t h e moment , what you ha ve b a s i c a l l y a l l o w s anyone i n t h e w o r l d t o remove t h e e n t i r e contents of your account ! ( i f t h e y e n t e r ”rm −r / a b e r / j j r 6 / . ” a s t h e command ) . Cheers , Alun . 30 of 36
General Rules for Securing PHP PHP is often used to create public facing websites on the Internet, which typically include privileged areas. There are a few general security issues to be aware of: • Ensure user is authenticated & authorised as appropriate • Input should be validated & sanitised • Avoid careless debugging/error reporting (configure php.ini not to print error messages on a live system) • Development data (test files, svn metadata) should be removed • Server should be appropriately configured • Utilise security software that can isolate holes in your application.. 31 of 36
Security Testing Tools There are plenty of tools available to help you test your site, popular ones include: • http://code.google.com/p/skipfish - Skipfish is an open source web application security scanner from Google • Metasploit - a generic vulnerability scanner modules exist to test off-the-shelf (wordpress, drupal, etc) software http://www.metasploit.com/modules/ • Nikto2 - another open-source tool • http://evuln.com/tools/php-security/ - a free static code scanner for PHP • http://loadimpact.com/ - Remote load testing (Are your database queries efficient enough?!) 32 of 36
Environments Bugs in new code will have a serious impact on usability and security. A common technique for releasing code is to develop on isolated systems, then gradually deploy them in a limited or beta form, before going live. • Development Usually the programmer’s local machine. May use specialist data sets. Incomplete/untested functionality. Full debugging and error output. • Testing A local network server. Provides common test data for all developers. All code should have been partially tested and obtained from development branch of version control. Full debugging and error output. 33 of 36
Environments for Web Development • Staging/Pre-Production (”Bleeding Edge”) A live server with limited accessibility. May be available to beta users. Should be treated as the live system. All code should have been fully tested and taken form stable branch of version control. • Production The live server. Code on this server should not be edited directly. System should be updated through some form of scheduled deployment procedure. Debugging information printed here is a security risk and unpleasant to end users - errors should be caught and politely reported. 34 of 36
Useful PHP Tidbits • Server configuration information: phpinfo() • Server Side Inclusion: include(), require(), include_once(), require_once() • Validation/Sanitisation functions: preg_match(), strip_tags(), filter_var(), mysql_real_escape_string()/pg_escape_string() • HTML string output: htmlspecialchars() • Special predefined variables: $_SERVER[], $_SESSION[], $_ENV[] • Find files on the system - glob() • PEAR is a framework for managing PHP extensions, available from repositories such as PECL • Apache module for nice URLs: mod_rewrite • Many configuration options in php.ini - if you manage the server • of 36 35 Doxygen (generic Javadoc) works well with PHP
Related Reading • ”Billions of Hits: Scaling Twitter” presentation • http://www.unmaskparasites.com/ - tool for website vulnerabilities • https://www.owasp.org/ Lots of security information including an injections cheat sheet • http://www.symfony-project.org/book/ - the Symfony book, lots of good MVC information • http://www.php.net/ • http://www.phpframeworks.com/ - comparison of frameworks • http://browsershots.org/ - screenshots of your website in dozens of configurations (platform, browser, resolution) 36 of 36

Empfohlen

Machine learning in php php con poland
Machine learning in php php con polandMachine learning in php php con poland
Machine learning in php php con polandDamien Seguy
 
Surprise! It's PHP :) (unabridged)
Surprise! It's PHP :) (unabridged)Surprise! It's PHP :) (unabridged)
Surprise! It's PHP :) (unabridged)Sharon Levy
 
Preparing code for Php 7 workshop
Preparing code for Php 7 workshopPreparing code for Php 7 workshop
Preparing code for Php 7 workshopDamien Seguy
 
Efficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template EnginesEfficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template Enginesadonatwork
 
Machine learning in php
Machine learning in phpMachine learning in php
Machine learning in phpDamien Seguy
 
Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Rouven Weßling
 
PHP 7 Crash Course - php[world] 2015
PHP 7 Crash Course - php[world] 2015PHP 7 Crash Course - php[world] 2015
PHP 7 Crash Course - php[world] 2015Colin O'Dell
 
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...adonatwork
 

Empfohlen

Machine learning in php php con poland
Machine learning in php php con polandMachine learning in php php con poland
Machine learning in php php con polandDamien Seguy
 
Surprise! It's PHP :) (unabridged)
Surprise! It's PHP :) (unabridged)Surprise! It's PHP :) (unabridged)
Surprise! It's PHP :) (unabridged)Sharon Levy
 
Preparing code for Php 7 workshop
Preparing code for Php 7 workshopPreparing code for Php 7 workshop
Preparing code for Php 7 workshopDamien Seguy
 
Efficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template EnginesEfficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template Enginesadonatwork
 
Machine learning in php
Machine learning in phpMachine learning in php
Machine learning in phpDamien Seguy
 
Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Rouven Weßling
 
PHP 7 Crash Course - php[world] 2015
PHP 7 Crash Course - php[world] 2015PHP 7 Crash Course - php[world] 2015
PHP 7 Crash Course - php[world] 2015Colin O'Dell
 
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...adonatwork
 
Design attern in php
Design attern in phpDesign attern in php
Design attern in phpFilippo De Santis
 
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...Rouven Weßling
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?Rouven Weßling
 
Modern PHP
Modern PHPModern PHP
Modern PHPSimon Jones
 
Object Oriented Design Patterns for PHP
Object Oriented Design Patterns for PHPObject Oriented Design Patterns for PHP
Object Oriented Design Patterns for PHPRobertGonzalez
 
Php exceptions
Php exceptionsPhp exceptions
Php exceptionsDamian Sromek
 
Php(report)
Php(report)Php(report)
Php(report)Yhannah
 
PHP 5.3
PHP 5.3PHP 5.3
PHP 5.3Chris Stone
 
PHP Basic and Fundamental Questions and Answers with Detail Explanation
PHP Basic and Fundamental Questions and Answers with Detail ExplanationPHP Basic and Fundamental Questions and Answers with Detail Explanation
PHP Basic and Fundamental Questions and Answers with Detail ExplanationAbdul Rahman Sherzad
 
Web application security
Web application securityWeb application security
Web application securitysalissal
 
Handling error & exception in php
Handling error & exception in phpHandling error & exception in php
Handling error & exception in phpPravasini Sahoo
 
Zend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample QuestionsZend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample QuestionsJagat Kothari
 
PHP Technical Questions
PHP Technical QuestionsPHP Technical Questions
PHP Technical QuestionsPankaj Jha
 
Introduction to web programming with JavaScript
Introduction to web programming with JavaScriptIntroduction to web programming with JavaScript
Introduction to web programming with JavaScriptT11 Sessions
 
Elegant Ways of Handling PHP Errors and Exceptions
Elegant Ways of Handling PHP Errors and ExceptionsElegant Ways of Handling PHP Errors and Exceptions
Elegant Ways of Handling PHP Errors and ExceptionsZendCon
 
2 debugging-c
2 debugging-c2 debugging-c
2 debugging-cSubhashis Pradhan
 
Errors, Exceptions & Logging (PHP Hants Oct '13)
Errors, Exceptions & Logging (PHP Hants Oct '13)Errors, Exceptions & Logging (PHP Hants Oct '13)
Errors, Exceptions & Logging (PHP Hants Oct '13)James Titcumb
 
Jsp And Jdbc
Jsp And JdbcJsp And Jdbc
Jsp And JdbcRoy Antony Arnold G
 
Binaries Are Not Only Output
Binaries Are Not Only OutputBinaries Are Not Only Output
Binaries Are Not Only OutputHajime Morrita
 
RAII and ScopeGuard
RAII and ScopeGuardRAII and ScopeGuard
RAII and ScopeGuardAndrey Dankevich
 
Base64 Encoding
Base64 EncodingBase64 Encoding
Base64 EncodingJonathan Francis Roscoe
 
The New Front Line:An observation of cyber threats in the 21st century
The New Front Line:An observation of cyber threats in the 21st centuryThe New Front Line:An observation of cyber threats in the 21st century
The New Front Line:An observation of cyber threats in the 21st centuryJonathan Francis Roscoe
 

Weitere ähnliche Inhalte

Was ist angesagt?

PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...Rouven Weßling
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?Rouven Weßling
 
Object Oriented Design Patterns for PHP
Object Oriented Design Patterns for PHPObject Oriented Design Patterns for PHP
Object Oriented Design Patterns for PHPRobertGonzalez
 
Php(report)
Php(report)Php(report)
Php(report)Yhannah
 
PHP Basic and Fundamental Questions and Answers with Detail Explanation
PHP Basic and Fundamental Questions and Answers with Detail ExplanationPHP Basic and Fundamental Questions and Answers with Detail Explanation
PHP Basic and Fundamental Questions and Answers with Detail ExplanationAbdul Rahman Sherzad
 
Web application security
Web application securityWeb application security
Web application securitysalissal
 
Handling error & exception in php
Handling error & exception in phpHandling error & exception in php
Handling error & exception in phpPravasini Sahoo
 
Zend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample QuestionsZend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample QuestionsJagat Kothari
 
PHP Technical Questions
PHP Technical QuestionsPHP Technical Questions
PHP Technical QuestionsPankaj Jha
 
Introduction to web programming with JavaScript
Introduction to web programming with JavaScriptIntroduction to web programming with JavaScript
Introduction to web programming with JavaScriptT11 Sessions
 
Elegant Ways of Handling PHP Errors and Exceptions
Elegant Ways of Handling PHP Errors and ExceptionsElegant Ways of Handling PHP Errors and Exceptions
Elegant Ways of Handling PHP Errors and ExceptionsZendCon
 
Errors, Exceptions & Logging (PHP Hants Oct '13)
Errors, Exceptions & Logging (PHP Hants Oct '13)Errors, Exceptions & Logging (PHP Hants Oct '13)
Errors, Exceptions & Logging (PHP Hants Oct '13)James Titcumb
 
Binaries Are Not Only Output
Binaries Are Not Only OutputBinaries Are Not Only Output
Binaries Are Not Only OutputHajime Morrita
 

Was ist angesagt? (20)

Design attern in php
Design attern in phpDesign attern in php
Design attern in php
 
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?
 
Modern PHP
Modern PHPModern PHP
Modern PHP
 
Object Oriented Design Patterns for PHP
Object Oriented Design Patterns for PHPObject Oriented Design Patterns for PHP
Object Oriented Design Patterns for PHP
 
Php exceptions
Php exceptionsPhp exceptions
Php exceptions
 
Php(report)
Php(report)Php(report)
Php(report)
 
PHP 5.3
PHP 5.3PHP 5.3
PHP 5.3
 
PHP Basic and Fundamental Questions and Answers with Detail Explanation
PHP Basic and Fundamental Questions and Answers with Detail ExplanationPHP Basic and Fundamental Questions and Answers with Detail Explanation
PHP Basic and Fundamental Questions and Answers with Detail Explanation
 
Web application security
Web application securityWeb application security
Web application security
 
Handling error & exception in php
Handling error & exception in phpHandling error & exception in php
Handling error & exception in php
 
Zend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample QuestionsZend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample Questions
 
PHP Technical Questions
PHP Technical QuestionsPHP Technical Questions
PHP Technical Questions
 
Introduction to web programming with JavaScript
Introduction to web programming with JavaScriptIntroduction to web programming with JavaScript
Introduction to web programming with JavaScript
 
Elegant Ways of Handling PHP Errors and Exceptions
Elegant Ways of Handling PHP Errors and ExceptionsElegant Ways of Handling PHP Errors and Exceptions
Elegant Ways of Handling PHP Errors and Exceptions
 
2 debugging-c
2 debugging-c2 debugging-c
2 debugging-c
 
Errors, Exceptions & Logging (PHP Hants Oct '13)
Errors, Exceptions & Logging (PHP Hants Oct '13)Errors, Exceptions & Logging (PHP Hants Oct '13)
Errors, Exceptions & Logging (PHP Hants Oct '13)
 
Jsp And Jdbc
Jsp And JdbcJsp And Jdbc
Jsp And Jdbc
 
Binaries Are Not Only Output
Binaries Are Not Only OutputBinaries Are Not Only Output
Binaries Are Not Only Output
 
RAII and ScopeGuard
RAII and ScopeGuardRAII and ScopeGuard
RAII and ScopeGuard
 

Andere mochten auch

The New Front Line:An observation of cyber threats in the 21st century
The New Front Line:An observation of cyber threats in the 21st centuryThe New Front Line:An observation of cyber threats in the 21st century
The New Front Line:An observation of cyber threats in the 21st centuryJonathan Francis Roscoe
 
Weekly Code Drop July 4, creating auth tokens
Weekly Code Drop July 4, creating auth tokensWeekly Code Drop July 4, creating auth tokens
Weekly Code Drop July 4, creating auth tokensjasonc411
 
Bypassing Corporate Email Filtering
Bypassing Corporate Email FilteringBypassing Corporate Email Filtering
Bypassing Corporate Email Filteringamiable_indian
 
Hacker's Practice Ground - CarolinaCon - 2015
Hacker's Practice Ground - CarolinaCon - 2015Hacker's Practice Ground - CarolinaCon - 2015
Hacker's Practice Ground - CarolinaCon - 2015lokeshpidawekar
 

Andere mochten auch (9)

Base64 Encoding
Base64 EncodingBase64 Encoding
Base64 Encoding
 
The New Front Line:An observation of cyber threats in the 21st century
The New Front Line:An observation of cyber threats in the 21st centuryThe New Front Line:An observation of cyber threats in the 21st century
The New Front Line:An observation of cyber threats in the 21st century
 
Weekly Code Drop July 4, creating auth tokens
Weekly Code Drop July 4, creating auth tokensWeekly Code Drop July 4, creating auth tokens
Weekly Code Drop July 4, creating auth tokens
 
Looking Forwards to Going Backwards
Looking Forwards to Going BackwardsLooking Forwards to Going Backwards
Looking Forwards to Going Backwards
 
Bypassing Corporate Email Filtering
Bypassing Corporate Email FilteringBypassing Corporate Email Filtering
Bypassing Corporate Email Filtering
 
Hacker's Practice Ground - CarolinaCon - 2015
Hacker's Practice Ground - CarolinaCon - 2015Hacker's Practice Ground - CarolinaCon - 2015
Hacker's Practice Ground - CarolinaCon - 2015
 
Unicode (and Python)
Unicode (and Python)Unicode (and Python)
Unicode (and Python)
 
Mastering Python 3 I/O
Mastering Python 3 I/OMastering Python 3 I/O
Mastering Python 3 I/O
 
Mastering Python 3 I/O (Version 2)
Mastering Python 3 I/O (Version 2)Mastering Python 3 I/O (Version 2)
Mastering Python 3 I/O (Version 2)
 

Ähnlich wie More About PHP Frameworks

Creating a Smooth Development Workflow for High-Quality Modular Open-Source P...
Creating a Smooth Development Workflow for High-Quality Modular Open-Source P...Creating a Smooth Development Workflow for High-Quality Modular Open-Source P...
Creating a Smooth Development Workflow for High-Quality Modular Open-Source P...Pantheon
 
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)Muhamad Al Imran
 
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)Muhamad Al Imran
 
TWINS: OOP and FP - Warburton
TWINS: OOP and FP - WarburtonTWINS: OOP and FP - Warburton
TWINS: OOP and FP - WarburtonCodemotion
 
Php training100%placement-in-mumbai
Php training100%placement-in-mumbaiPhp training100%placement-in-mumbai
Php training100%placement-in-mumbaivibrantuser
 
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im ÜberblickEin Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblickrenebruns
 
Tool Up Your LAMP Stack
Tool Up Your LAMP StackTool Up Your LAMP Stack
Tool Up Your LAMP StackLorna Mitchell
 
PHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersPHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersMohammed Mushtaq Ahmed
 
Introduction to web and php mysql
Introduction to web and php mysqlIntroduction to web and php mysql
Introduction to web and php mysqlProgrammer Blog
 
Joomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven PignataroJoomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven PignataroSteven Pignataro
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
20 PHP Static Analysis and Documentation Generators #burningkeyboards
20 PHP Static Analysis and Documentation Generators #burningkeyboards20 PHP Static Analysis and Documentation Generators #burningkeyboards
20 PHP Static Analysis and Documentation Generators #burningkeyboardsDenis Ristic
 
Joomla Code Quality Control and Automation Testing
Joomla Code Quality Control and Automation TestingJoomla Code Quality Control and Automation Testing
Joomla Code Quality Control and Automation TestingShyam Sunder Verma
 

Ähnlich wie More About PHP Frameworks (20)

My Saminar On Php
My Saminar On PhpMy Saminar On Php
My Saminar On Php
 
Creating a Smooth Development Workflow for High-Quality Modular Open-Source P...
Creating a Smooth Development Workflow for High-Quality Modular Open-Source P...Creating a Smooth Development Workflow for High-Quality Modular Open-Source P...
Creating a Smooth Development Workflow for High-Quality Modular Open-Source P...
 
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)
 
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)
 
Php i basic chapter 3
Php i basic chapter 3Php i basic chapter 3
Php i basic chapter 3
 
TWINS: OOP and FP - Warburton
TWINS: OOP and FP - WarburtonTWINS: OOP and FP - Warburton
TWINS: OOP and FP - Warburton
 
Php training100%placement-in-mumbai
Php training100%placement-in-mumbaiPhp training100%placement-in-mumbai
Php training100%placement-in-mumbai
 
Api Design
Api DesignApi Design
Api Design
 
Software Development with PHP & Laravel
Software Development with PHP & LaravelSoftware Development with PHP & Laravel
Software Development with PHP & Laravel
 
Python for web security - beginner
Python for web security - beginnerPython for web security - beginner
Python for web security - beginner
 
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im ÜberblickEin Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
 
Tool up your lamp stack
Tool up your lamp stackTool up your lamp stack
Tool up your lamp stack
 
Tool Up Your LAMP Stack
Tool Up Your LAMP StackTool Up Your LAMP Stack
Tool Up Your LAMP Stack
 
PHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersPHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginners
 
Introduction to web and php mysql
Introduction to web and php mysqlIntroduction to web and php mysql
Introduction to web and php mysql
 
Joomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven PignataroJoomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven Pignataro
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Mufix Network Programming Lecture
Mufix Network Programming LectureMufix Network Programming Lecture
Mufix Network Programming Lecture
 
20 PHP Static Analysis and Documentation Generators #burningkeyboards
20 PHP Static Analysis and Documentation Generators #burningkeyboards20 PHP Static Analysis and Documentation Generators #burningkeyboards
20 PHP Static Analysis and Documentation Generators #burningkeyboards
 
Joomla Code Quality Control and Automation Testing
Joomla Code Quality Control and Automation TestingJoomla Code Quality Control and Automation Testing
Joomla Code Quality Control and Automation Testing
 

Kürzlich hochgeladen

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 

Kürzlich hochgeladen (20)

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 

More About PHP Frameworks

  • 1. More About PHP Jonathan Francis Roscoe <jjr6@aber.ac.uk> http://users.aber.ac.uk/jjr6 November 29th 2011
  • 2. Outline Introduction Some PHP tips Object-Orientation Frameworks Debugging, Testing and Continuous Integration Secure PHP Code Environments Related Reading 2 of 36
  • 3. Introduction These slides are based on experience from my industrial year when I developed backed end code for web control panels. What I hope you’ll learn about today: • Techniques for improving code quality ◦ Speed ◦ Efficiency ◦ Reliability ◦ (Re)Usability • Advanced features of PHP • Frameworks • Making your PHP Applications secure • Debugging and Analysis of PHP applications I’ll mainly focus on PHP but most of this applies to any web development project. 3 of 36
  • 4. Some PHP tips With dynamic weak typing, PHP is a laid back language allowing functional code to be written fast. • Use a strong editor with supporting tools - Notepad++, Eclipse (with plugin), vim, Netbeans • Use server-side includes and mix PHP and HTML as little as possible • Test your code (yes - unit testing and acceptance testing is possible) • Debug your code • Take security seriously • Frameworks can significantly improve the speed of your develop, as well as providing features for efficiency, security and reliability. 4 of 36
  • 5. Server-Side Includes - index.php <?php s e s s i o n s t a r t ( ) ; $page = ”My Page ” $name = ” J o n a t h a n ” ; $ t= g e t t i m e ( ) ; ?> <html><head> < s t y l e t y p e=” t e x t / c s s ”> body { color : purple ; background −c o l o r : #d8da3d }</ s t y l e > < t i t l e ><?=$page ; ?></ t i t l e > </head><body> H e l l o <?=$name ; ?> <d i v i d =”menu”> <a h r e f =”#” Menu i t e m 1/> <a h r e f =”#” Menu i t e m 2/> </d i v > <body></html> 5 of 36
  • 6. Keeping PHP tidy A better way to handle this code would be to place aspects that are probably wanted in other places into separate files, then we can reuse the same code. This will make code easier to read and will allow others to focus on front end development (HTML, CSS) without worrying too much about the back-end aspects. 6 of 36
  • 7. functions.inc.php <?php // s t a r t t h e s e s s i o n session start (); // s e t t h e v a r i a b l e s we need on t h e page $name = ” J o n a t h a n ” $page = ”My Page ” ; $t = time ( ) ; ?> 7 of 36
  • 8. menu.php <d i v i d =”menu”> <a h r e f =”#” Menu i t e m 1/> <a h r e f =”#” Menu i t e m 2/> </d i v > 8 of 36
  • 9. header.php <html><head> < s t y l e t y p e=” t e x t / c s s ”> body { color : purple ; background −c o l o r : #d8da3d } </ s t y l e > < t i t l e ><?=$page ; ?></ t i t l e > </head> 9 of 36
  • 10. The new index.php <?php // g r a b s u p p o r t i n g f u n c t i o n s r e q u i r e o n c e ( ’ f u n c t i o n s . i n c . php ’ ) ; // g r a b h e a d e r r e q u i r e o n c e ( ’ h e a d e r . php ’ ) ; ?> <body> H e l l o <?=$name ; ?> <?php r e q u i r e o n c e ( ’ menu . php ’ ) ; </body> </html> 10 of 36
  • 11. PHP 5 and Object-Orientation Introduced in PHP 5, there is a lot in common with Java’s syntax, rules and conventions. • Interfaces and abstract classes • Magic Methods (e.g. toString()) • Exception classes and try..catch With simple yet powerful polymorphism: • Instantiation from String • class exists(), method exists() and other tricks PHP 5 introduced a few other significant features: • Type Hinting in methods • Reflection • Method overloading (quite different from Java) 11 of 36
  • 12. OO PHP Example i n t e r f a c e Animal { f u n c t i o n speak ( ) ; } c l a s s Cow i m p l e m e n t s Animal { f u n c t i o n speak (){ p r i n t ”Moooooo ! ” ; } } $ c l a s s n a m e = ”Cow ” ; $a = new $ c l a s s n a m e ; $a −> s p e a k ( ) ; 12 of 36
  • 13. Reflection in PHP Reflection is a fantastic concept in programming that you might already be familiar with. As PHP is weak and dynamic, we can use reflection with powerful results. For example: $ r = new R e f l e c t i o n C l a s s ( ’ Cow ’ ) ; $methods = $r−>ge tM e t ho d s ( ) ; Will give you a list of all the methods available. This may not sound like much, but we can use it for quick and easy polymorphic constructions. Many Reflection functions exist. It’s also possible to create a tool to describe undocumented classes you might need to work with. 13 of 36
  • 14. Frameworks Frameworks can be compared to more specific software such as blogs (e.g. Wordpress) or Content Management Systems (eg. Drupal). • Concepts ◦ Faster development ◦ Reduced overhead ◦ Reusability (DRY) • Support for a number of common needs ◦ Session management ◦ Database interaction (usually Object Relational Mapping) ◦ Ajax ◦ Internationalisation ◦ Testing ◦ Deployment ◦ Templating • Typically based on an MVC approach and often object-oriented 14 of 36
  • 15. MVC Dispatcher A dispatcher script is used to handle routes and control the flow of the MVC structure. • Instantiate model • Execute controller • Render view • autoload() magic method often used to enable source includes on the fly Typically takes the place of index.php. The following code is a simple example demonsrating how an MVC structured blog might be structured. 15 of 36
  • 16. PHP Model Business/domain logic. <? c l a s s PostModel { function s t a t i c getPosts (){ r e t u r n m y s q l q u e r y ( ” SELECT ∗ FROM blog posts ;”); } } ?> 16 of 36
  • 17. PHP Controller Controls actions of model and view. May handle input from view and instruct model. <? c l a s s PostController (){ function execute (){ $ p o s t s = PostModel : : g e t P o s t s ( ) ; } } ?> 17 of 36
  • 18. PHP View User input and feedback. <html> ... <? f o r e a c h ( $ p o s t i n $ p o s t s ) : ?> <h1><?=$ p o s t [ ’ t i t l e ’];? > </ h1> <p><?=$ p o s t [ ’ body ’];? > </ p> <? e n d f o r e a c h ; ?> ... </html> 18 of 36
  • 19. Popular Frameworks • Zend Framework • Symfony • Codeigniter • Rails • Zope 19 of 36
  • 20. Debugging It can sometimes be difficult to understand how and why PHP code is behaving the way it is, but there are some useful tools: • Static Analysis - lint, PHP Codesniffer, IDE features • Dynamic Analysis - xdebug, Valgrind PHP has error reporting of its own, and some frameworks may provide debugging features. 20 of 36
  • 21. Browser Extensions Web development can be a deviation from your familiar development techniques, fortunately various extensions can be invaluable in debugging the information that the client has, particularly when working with Ajax. • Web Developer Toolbar ◦ Firefox ◦ Chrome • Firebug ◦ Firefox ◦ Chrome, Internet Explorer, etc (Lite) • IE WebDeveloper Safari has a built in debug toolbar?.. 21 of 36
  • 22. Profiling • Speed is particularly important when we have many users placing load on a server • ”Stepping through” is usually not possible • Xdebug is a PHP extension that provides debugging and performance analysis: ◦ Stack & function traces ◦ Memory allocation ◦ Callgrind profiles • Callgrind information can be investigated and visualised with a tool such as KCacheGrind, Carica or Webcachegrind. 22 of 36
  • 23. Profiling Example call map showing relative runtime of each method called. 23 of 36
  • 24. Profiling Example call graph showing relative runtime of each method called. 24 of 36
  • 25. Testing • Code coverage is a measure of how well our tests explore every potential avenue of execution; strive for 100%. • Unit tests ◦ Test each module of code ◦ Core to test driven development methodology ◦ PHP-Unit is the PHP equivalent of JUnit, a tool you probably already know. You can use it to run subsections of your code, and test expected output. • Functional tests ◦ Tests of end user experience ◦ Selenium is a powerful tool that allows automatic execution of your webpages. This makes it easy to fully automate the testing of your entire site. • Continuous Integration ◦ Automated, routine build and testing of code ◦ Alert developers of new errors incode before it is released 25 of 36
  • 26. Continuous Integration Overview of phpUnderControl showing various statistics. Source: http://phpundercontrol.org/ 26 of 36
  • 27. Continuous Integration Example result of a phpUnderControl build, highlights code with errors. Source: http://manuel-pichler.de/ 27 of 36
  • 28. Sanitising Input You’ve probably seen or implemented some form of client-side security - such as a Javascript popup if you haven’t don’t complete a form properply. These mainly exist to be quick and look pretty, they are not at all secure. So you must sanitise input on the server-side. $username = f i l t e r v a r ( FILTER SANITIZE STRING , $ POST [ ’ username ’ ] ) ; Regular expressions can be used to go beyond simply removing harmful characters and can validate some requirements: i f ( p r e g m a t c h ( ” / ˆ h t t p / ” , $ POST [ ’ u r l ’ ] ) ) echo ” Got a URL ! ” ; else echo ” URL i s no good . ; ” 28 of 36
  • 29. Securing Your Code To show you why server-side sanitisation is important: .. m y s q l q u e r y ( ” SELECT ∗ FROM u s e r s WHERE p a s s w o r d = ’”. $ POST [ ’ p as sw ord ’ ] . ” ’ ) ; .. What if the input was something like: ’ ; DROP u s e r s −− Fortunately, tools exist to statically analyse your code for eversights and potentially dangerous behaviour. Pixy is a common script used on multi-user systems - such as your Aberystwyth user web hosting.. 29 of 36
  • 30. Security - Server Side Code Scanners Dear Jonathan , P l e a s e d i s a b l e y o u r ”PHP−S h e l l ” program a s s o o n a s p o s s i b l e . At t h e moment , what you ha ve b a s i c a l l y a l l o w s anyone i n t h e w o r l d t o remove t h e e n t i r e contents of your account ! ( i f t h e y e n t e r ”rm −r / a b e r / j j r 6 / . ” a s t h e command ) . Cheers , Alun . 30 of 36
  • 31. General Rules for Securing PHP PHP is often used to create public facing websites on the Internet, which typically include privileged areas. There are a few general security issues to be aware of: • Ensure user is authenticated & authorised as appropriate • Input should be validated & sanitised • Avoid careless debugging/error reporting (configure php.ini not to print error messages on a live system) • Development data (test files, svn metadata) should be removed • Server should be appropriately configured • Utilise security software that can isolate holes in your application.. 31 of 36
  • 32. Security Testing Tools There are plenty of tools available to help you test your site, popular ones include: • http://code.google.com/p/skipfish - Skipfish is an open source web application security scanner from Google • Metasploit - a generic vulnerability scanner modules exist to test off-the-shelf (wordpress, drupal, etc) software http://www.metasploit.com/modules/ • Nikto2 - another open-source tool • http://evuln.com/tools/php-security/ - a free static code scanner for PHP • http://loadimpact.com/ - Remote load testing (Are your database queries efficient enough?!) 32 of 36
  • 33. Environments Bugs in new code will have a serious impact on usability and security. A common technique for releasing code is to develop on isolated systems, then gradually deploy them in a limited or beta form, before going live. • Development Usually the programmer’s local machine. May use specialist data sets. Incomplete/untested functionality. Full debugging and error output. • Testing A local network server. Provides common test data for all developers. All code should have been partially tested and obtained from development branch of version control. Full debugging and error output. 33 of 36
  • 34. Environments for Web Development • Staging/Pre-Production (”Bleeding Edge”) A live server with limited accessibility. May be available to beta users. Should be treated as the live system. All code should have been fully tested and taken form stable branch of version control. • Production The live server. Code on this server should not be edited directly. System should be updated through some form of scheduled deployment procedure. Debugging information printed here is a security risk and unpleasant to end users - errors should be caught and politely reported. 34 of 36
  • 35. Useful PHP Tidbits • Server configuration information: phpinfo() • Server Side Inclusion: include(), require(), include_once(), require_once() • Validation/Sanitisation functions: preg_match(), strip_tags(), filter_var(), mysql_real_escape_string()/pg_escape_string() • HTML string output: htmlspecialchars() • Special predefined variables: $_SERVER[], $_SESSION[], $_ENV[] • Find files on the system - glob() • PEAR is a framework for managing PHP extensions, available from repositories such as PECL • Apache module for nice URLs: mod_rewrite • Many configuration options in php.ini - if you manage the server • of 36 35 Doxygen (generic Javadoc) works well with PHP
  • 36. Related Reading • ”Billions of Hits: Scaling Twitter” presentation • http://www.unmaskparasites.com/ - tool for website vulnerabilities • https://www.owasp.org/ Lots of security information including an injections cheat sheet • http://www.symfony-project.org/book/ - the Symfony book, lots of good MVC information • http://www.php.net/ • http://www.phpframeworks.com/ - comparison of frameworks • http://browsershots.org/ - screenshots of your website in dozens of configurations (platform, browser, resolution) 36 of 36