SlideShare ist ein Scribd-Unternehmen logo

More about PHP

Jonathan Francis Roscoe
Jonathan Francis Roscoe

Slides for a presentation on advanced PHP (object-orientation, frameworks, security and debugging) given for the CS25010 web development module at Aberystwyth University.

Technologie
1 von 36
Downloaden Sie, um offline zu lesen
More About PHP Jonathan Francis Roscoe <jjr6@aber.ac.uk> http://users.aber.ac.uk/jjr6 November 29th 2011
Outline Introduction Some PHP tips Object-Orientation Frameworks Debugging, Testing and Continuous Integration Secure PHP Code Environments Related Reading 2 of 36
Introduction These slides are based on experience from my industrial year when I developed backed end code for web control panels. What I hope you’ll learn about today: • Techniques for improving code quality ◦ Speed ◦ Efficiency ◦ Reliability ◦ (Re)Usability • Advanced features of PHP • Frameworks • Making your PHP Applications secure • Debugging and Analysis of PHP applications I’ll mainly focus on PHP but most of this applies to any web development project. 3 of 36
Some PHP tips With dynamic weak typing, PHP is a laid back language allowing functional code to be written fast. • Use a strong editor with supporting tools - Notepad++, Eclipse (with plugin), vim, Netbeans • Use server-side includes and mix PHP and HTML as little as possible • Test your code (yes - unit testing and acceptance testing is possible) • Debug your code • Take security seriously • Frameworks can significantly improve the speed of your develop, as well as providing features for efficiency, security and reliability. 4 of 36
Server-Side Includes - index.php <?php s e s s i o n s t a r t ( ) ; $page = ”My Page ” $name = ” J o n a t h a n ” ; $ t= g e t t i m e ( ) ; ?> <html><head> < s t y l e t y p e=” t e x t / c s s ”> body { color : purple ; background −c o l o r : #d8da3d }</ s t y l e > < t i t l e ><?=$page ; ?></ t i t l e > </head><body> H e l l o <?=$name ; ?> <d i v i d =”menu”> <a h r e f =”#” Menu i t e m 1/> <a h r e f =”#” Menu i t e m 2/> </d i v > <body></html> 5 of 36
Keeping PHP tidy A better way to handle this code would be to place aspects that are probably wanted in other places into separate files, then we can reuse the same code. This will make code easier to read and will allow others to focus on front end development (HTML, CSS) without worrying too much about the back-end aspects. 6 of 36
functions.inc.php <?php // s t a r t t h e s e s s i o n session start (); // s e t t h e v a r i a b l e s we need on t h e page $name = ” J o n a t h a n ” $page = ”My Page ” ; $t = time ( ) ; ?> 7 of 36
menu.php <d i v i d =”menu”> <a h r e f =”#” Menu i t e m 1/> <a h r e f =”#” Menu i t e m 2/> </d i v > 8 of 36
header.php <html><head> < s t y l e t y p e=” t e x t / c s s ”> body { color : purple ; background −c o l o r : #d8da3d } </ s t y l e > < t i t l e ><?=$page ; ?></ t i t l e > </head> 9 of 36
The new index.php <?php // g r a b s u p p o r t i n g f u n c t i o n s r e q u i r e o n c e ( ’ f u n c t i o n s . i n c . php ’ ) ; // g r a b h e a d e r r e q u i r e o n c e ( ’ h e a d e r . php ’ ) ; ?> <body> H e l l o <?=$name ; ?> <?php r e q u i r e o n c e ( ’ menu . php ’ ) ; </body> </html> 10 of 36
PHP 5 and Object-Orientation Introduced in PHP 5, there is a lot in common with Java’s syntax, rules and conventions. • Interfaces and abstract classes • Magic Methods (e.g. toString()) • Exception classes and try..catch With simple yet powerful polymorphism: • Instantiation from String • class exists(), method exists() and other tricks PHP 5 introduced a few other significant features: • Type Hinting in methods • Reflection • Method overloading (quite different from Java) 11 of 36
OO PHP Example i n t e r f a c e Animal { f u n c t i o n speak ( ) ; } c l a s s Cow i m p l e m e n t s Animal { f u n c t i o n speak (){ p r i n t ”Moooooo ! ” ; } } $ c l a s s n a m e = ”Cow ” ; $a = new $ c l a s s n a m e ; $a −> s p e a k ( ) ; 12 of 36
Reflection in PHP Reflection is a fantastic concept in programming that you might already be familiar with. As PHP is weak and dynamic, we can use reflection with powerful results. For example: $ r = new R e f l e c t i o n C l a s s ( ’ Cow ’ ) ; $methods = $r−>ge tM e t ho d s ( ) ; Will give you a list of all the methods available. This may not sound like much, but we can use it for quick and easy polymorphic constructions. Many Reflection functions exist. It’s also possible to create a tool to describe undocumented classes you might need to work with. 13 of 36
Frameworks Frameworks can be compared to more specific software such as blogs (e.g. Wordpress) or Content Management Systems (eg. Drupal). • Concepts ◦ Faster development ◦ Reduced overhead ◦ Reusability (DRY) • Support for a number of common needs ◦ Session management ◦ Database interaction (usually Object Relational Mapping) ◦ Ajax ◦ Internationalisation ◦ Testing ◦ Deployment ◦ Templating • Typically based on an MVC approach and often object-oriented 14 of 36
MVC Dispatcher A dispatcher script is used to handle routes and control the flow of the MVC structure. • Instantiate model • Execute controller • Render view • autoload() magic method often used to enable source includes on the fly Typically takes the place of index.php. The following code is a simple example demonsrating how an MVC structured blog might be structured. 15 of 36
PHP Model Business/domain logic. <? c l a s s PostModel { function s t a t i c getPosts (){ r e t u r n m y s q l q u e r y ( ” SELECT ∗ FROM blog posts ;”); } } ?> 16 of 36
PHP Controller Controls actions of model and view. May handle input from view and instruct model. <? c l a s s PostController (){ function execute (){ $ p o s t s = PostModel : : g e t P o s t s ( ) ; } } ?> 17 of 36
PHP View User input and feedback. <html> ... <? f o r e a c h ( $ p o s t i n $ p o s t s ) : ?> <h1><?=$ p o s t [ ’ t i t l e ’];? > </ h1> <p><?=$ p o s t [ ’ body ’];? > </ p> <? e n d f o r e a c h ; ?> ... </html> 18 of 36
Popular Frameworks • Zend Framework • Symfony • Codeigniter • Rails • Zope 19 of 36
Debugging It can sometimes be difficult to understand how and why PHP code is behaving the way it is, but there are some useful tools: • Static Analysis - lint, PHP Codesniffer, IDE features • Dynamic Analysis - xdebug, Valgrind PHP has error reporting of its own, and some frameworks may provide debugging features. 20 of 36
Browser Extensions Web development can be a deviation from your familiar development techniques, fortunately various extensions can be invaluable in debugging the information that the client has, particularly when working with Ajax. • Web Developer Toolbar ◦ Firefox ◦ Chrome • Firebug ◦ Firefox ◦ Chrome, Internet Explorer, etc (Lite) • IE WebDeveloper Safari has a built in debug toolbar?.. 21 of 36
Profiling • Speed is particularly important when we have many users placing load on a server • ”Stepping through” is usually not possible • Xdebug is a PHP extension that provides debugging and performance analysis: ◦ Stack & function traces ◦ Memory allocation ◦ Callgrind profiles • Callgrind information can be investigated and visualised with a tool such as KCacheGrind, Carica or Webcachegrind. 22 of 36
Profiling Example call map showing relative runtime of each method called. 23 of 36
Profiling Example call graph showing relative runtime of each method called. 24 of 36
Testing • Code coverage is a measure of how well our tests explore every potential avenue of execution; strive for 100%. • Unit tests ◦ Test each module of code ◦ Core to test driven development methodology ◦ PHP-Unit is the PHP equivalent of JUnit, a tool you probably already know. You can use it to run subsections of your code, and test expected output. • Functional tests ◦ Tests of end user experience ◦ Selenium is a powerful tool that allows automatic execution of your webpages. This makes it easy to fully automate the testing of your entire site. • Continuous Integration ◦ Automated, routine build and testing of code ◦ Alert developers of new errors incode before it is released 25 of 36
Continuous Integration Overview of phpUnderControl showing various statistics. Source: http://phpundercontrol.org/ 26 of 36
Continuous Integration Example result of a phpUnderControl build, highlights code with errors. Source: http://manuel-pichler.de/ 27 of 36
Sanitising Input You’ve probably seen or implemented some form of client-side security - such as a Javascript popup if you haven’t don’t complete a form properply. These mainly exist to be quick and look pretty, they are not at all secure. So you must sanitise input on the server-side. $username = f i l t e r v a r ( FILTER SANITIZE STRING , $ POST [ ’ username ’ ] ) ; Regular expressions can be used to go beyond simply removing harmful characters and can validate some requirements: i f ( p r e g m a t c h ( ” / ˆ h t t p / ” , $ POST [ ’ u r l ’ ] ) ) echo ” Got a URL ! ” ; else echo ” URL i s no good . ; ” 28 of 36
Securing Your Code To show you why server-side sanitisation is important: .. m y s q l q u e r y ( ” SELECT ∗ FROM u s e r s WHERE p a s s w o r d = ’”. $ POST [ ’ p as sw ord ’ ] . ” ’ ) ; .. What if the input was something like: ’ ; DROP u s e r s −− Fortunately, tools exist to statically analyse your code for eversights and potentially dangerous behaviour. Pixy is a common script used on multi-user systems - such as your Aberystwyth user web hosting.. 29 of 36
Security - Server Side Code Scanners Dear Jonathan , P l e a s e d i s a b l e y o u r ”PHP−S h e l l ” program a s s o o n a s p o s s i b l e . At t h e moment , what you ha ve b a s i c a l l y a l l o w s anyone i n t h e w o r l d t o remove t h e e n t i r e contents of your account ! ( i f t h e y e n t e r ”rm −r / a b e r / j j r 6 / . ” a s t h e command ) . Cheers , Alun . 30 of 36
General Rules for Securing PHP PHP is often used to create public facing websites on the Internet, which typically include privileged areas. There are a few general security issues to be aware of: • Ensure user is authenticated & authorised as appropriate • Input should be validated & sanitised • Avoid careless debugging/error reporting (configure php.ini not to print error messages on a live system) • Development data (test files, svn metadata) should be removed • Server should be appropriately configured • Utilise security software that can isolate holes in your application.. 31 of 36
Security Testing Tools There are plenty of tools available to help you test your site, popular ones include: • http://code.google.com/p/skipfish - Skipfish is an open source web application security scanner from Google • Metasploit - a generic vulnerability scanner modules exist to test off-the-shelf (wordpress, drupal, etc) software http://www.metasploit.com/modules/ • Nikto2 - another open-source tool • http://evuln.com/tools/php-security/ - a free static code scanner for PHP • http://loadimpact.com/ - Remote load testing (Are your database queries efficient enough?!) 32 of 36
Environments Bugs in new code will have a serious impact on usability and security. A common technique for releasing code is to develop on isolated systems, then gradually deploy them in a limited or beta form, before going live. • Development Usually the programmer’s local machine. May use specialist data sets. Incomplete/untested functionality. Full debugging and error output. • Testing A local network server. Provides common test data for all developers. All code should have been partially tested and obtained from development branch of version control. Full debugging and error output. 33 of 36
Environments for Web Development • Staging/Pre-Production (”Bleeding Edge”) A live server with limited accessibility. May be available to beta users. Should be treated as the live system. All code should have been fully tested and taken form stable branch of version control. • Production The live server. Code on this server should not be edited directly. System should be updated through some form of scheduled deployment procedure. Debugging information printed here is a security risk and unpleasant to end users - errors should be caught and politely reported. 34 of 36
Useful PHP Tidbits • Server configuration information: phpinfo() • Server Side Inclusion: include(), require(), include_once(), require_once() • Validation/Sanitisation functions: preg_match(), strip_tags(), filter_var(), mysql_real_escape_string()/pg_escape_string() • HTML string output: htmlspecialchars() • Special predefined variables: $_SERVER[], $_SESSION[], $_ENV[] • Find files on the system - glob() • PEAR is a framework for managing PHP extensions, available from repositories such as PECL • Apache module for nice URLs: mod_rewrite • Many configuration options in php.ini - if you manage the server • of 36 35 Doxygen (generic Javadoc) works well with PHP
Related Reading • ”Billions of Hits: Scaling Twitter” presentation • http://www.unmaskparasites.com/ - tool for website vulnerabilities • https://www.owasp.org/ Lots of security information including an injections cheat sheet • http://www.symfony-project.org/book/ - the Symfony book, lots of good MVC information • http://www.php.net/ • http://www.phpframeworks.com/ - comparison of frameworks • http://browsershots.org/ - screenshots of your website in dozens of configurations (platform, browser, resolution) 36 of 36

Empfohlen

Machine learning in php php con poland
Machine learning in php php con polandMachine learning in php php con poland
Machine learning in php php con polandDamien Seguy
 
Surprise! It's PHP :) (unabridged)
Surprise! It's PHP :) (unabridged)Surprise! It's PHP :) (unabridged)
Surprise! It's PHP :) (unabridged)Sharon Levy
 
Preparing code for Php 7 workshop
Preparing code for Php 7 workshopPreparing code for Php 7 workshop
Preparing code for Php 7 workshopDamien Seguy
 
Efficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template EnginesEfficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template Enginesadonatwork
 
Machine learning in php
Machine learning in phpMachine learning in php
Machine learning in phpDamien Seguy
 
Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Rouven Weßling
 
PHP 7 Crash Course - php[world] 2015
PHP 7 Crash Course - php[world] 2015PHP 7 Crash Course - php[world] 2015
PHP 7 Crash Course - php[world] 2015Colin O'Dell
 
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...adonatwork
 

Empfohlen

Machine learning in php php con poland
Machine learning in php php con polandMachine learning in php php con poland
Machine learning in php php con polandDamien Seguy
 
Surprise! It's PHP :) (unabridged)
Surprise! It's PHP :) (unabridged)Surprise! It's PHP :) (unabridged)
Surprise! It's PHP :) (unabridged)Sharon Levy
 
Preparing code for Php 7 workshop
Preparing code for Php 7 workshopPreparing code for Php 7 workshop
Preparing code for Php 7 workshopDamien Seguy
 
Efficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template EnginesEfficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template Enginesadonatwork
 
Machine learning in php
Machine learning in phpMachine learning in php
Machine learning in phpDamien Seguy
 
Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Rouven Weßling
 
PHP 7 Crash Course - php[world] 2015
PHP 7 Crash Course - php[world] 2015PHP 7 Crash Course - php[world] 2015
PHP 7 Crash Course - php[world] 2015Colin O'Dell
 
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...adonatwork
 
Design attern in php
Design attern in phpDesign attern in php
Design attern in phpFilippo De Santis
 
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...Rouven Weßling
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?Rouven Weßling
 
Modern PHP
Modern PHPModern PHP
Modern PHPSimon Jones
 
Object Oriented Design Patterns for PHP
Object Oriented Design Patterns for PHPObject Oriented Design Patterns for PHP
Object Oriented Design Patterns for PHPRobertGonzalez
 
Php exceptions
Php exceptionsPhp exceptions
Php exceptionsDamian Sromek
 
Php(report)
Php(report)Php(report)
Php(report)Yhannah
 
PHP 5.3
PHP 5.3PHP 5.3
PHP 5.3Chris Stone
 
PHP Basic and Fundamental Questions and Answers with Detail Explanation
PHP Basic and Fundamental Questions and Answers with Detail ExplanationPHP Basic and Fundamental Questions and Answers with Detail Explanation
PHP Basic and Fundamental Questions and Answers with Detail ExplanationAbdul Rahman Sherzad
 
Web application security
Web application securityWeb application security
Web application securitysalissal
 
Handling error & exception in php
Handling error & exception in phpHandling error & exception in php
Handling error & exception in phpPravasini Sahoo
 
Zend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample QuestionsZend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample QuestionsJagat Kothari
 
PHP Technical Questions
PHP Technical QuestionsPHP Technical Questions
PHP Technical QuestionsPankaj Jha
 
Introduction to web programming with JavaScript
Introduction to web programming with JavaScriptIntroduction to web programming with JavaScript
Introduction to web programming with JavaScriptT11 Sessions
 
Elegant Ways of Handling PHP Errors and Exceptions
Elegant Ways of Handling PHP Errors and ExceptionsElegant Ways of Handling PHP Errors and Exceptions
Elegant Ways of Handling PHP Errors and ExceptionsZendCon
 
2 debugging-c
2 debugging-c2 debugging-c
2 debugging-cSubhashis Pradhan
 
Errors, Exceptions & Logging (PHP Hants Oct '13)
Errors, Exceptions & Logging (PHP Hants Oct '13)Errors, Exceptions & Logging (PHP Hants Oct '13)
Errors, Exceptions & Logging (PHP Hants Oct '13)James Titcumb
 
Jsp And Jdbc
Jsp And JdbcJsp And Jdbc
Jsp And JdbcRoy Antony Arnold G
 
Binaries Are Not Only Output
Binaries Are Not Only OutputBinaries Are Not Only Output
Binaries Are Not Only OutputHajime Morrita
 
RAII and ScopeGuard
RAII and ScopeGuardRAII and ScopeGuard
RAII and ScopeGuardAndrey Dankevich
 
Base64 Encoding
Base64 EncodingBase64 Encoding
Base64 EncodingJonathan Francis Roscoe
 
The New Front Line:An observation of cyber threats in the 21st century
The New Front Line:An observation of cyber threats in the 21st centuryThe New Front Line:An observation of cyber threats in the 21st century
The New Front Line:An observation of cyber threats in the 21st centuryJonathan Francis Roscoe
 

Weitere ähnliche Inhalte

Was ist angesagt?

PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...Rouven Weßling
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?Rouven Weßling
 
Object Oriented Design Patterns for PHP
Object Oriented Design Patterns for PHPObject Oriented Design Patterns for PHP
Object Oriented Design Patterns for PHPRobertGonzalez
 
Php(report)
Php(report)Php(report)
Php(report)Yhannah
 
PHP Basic and Fundamental Questions and Answers with Detail Explanation
PHP Basic and Fundamental Questions and Answers with Detail ExplanationPHP Basic and Fundamental Questions and Answers with Detail Explanation
PHP Basic and Fundamental Questions and Answers with Detail ExplanationAbdul Rahman Sherzad
 
Web application security
Web application securityWeb application security
Web application securitysalissal
 
Handling error & exception in php
Handling error & exception in phpHandling error & exception in php
Handling error & exception in phpPravasini Sahoo
 
Zend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample QuestionsZend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample QuestionsJagat Kothari
 
PHP Technical Questions
PHP Technical QuestionsPHP Technical Questions
PHP Technical QuestionsPankaj Jha
 
Introduction to web programming with JavaScript
Introduction to web programming with JavaScriptIntroduction to web programming with JavaScript
Introduction to web programming with JavaScriptT11 Sessions
 
Elegant Ways of Handling PHP Errors and Exceptions
Elegant Ways of Handling PHP Errors and ExceptionsElegant Ways of Handling PHP Errors and Exceptions
Elegant Ways of Handling PHP Errors and ExceptionsZendCon
 
Errors, Exceptions & Logging (PHP Hants Oct '13)
Errors, Exceptions & Logging (PHP Hants Oct '13)Errors, Exceptions & Logging (PHP Hants Oct '13)
Errors, Exceptions & Logging (PHP Hants Oct '13)James Titcumb
 
Binaries Are Not Only Output
Binaries Are Not Only OutputBinaries Are Not Only Output
Binaries Are Not Only OutputHajime Morrita
 

Was ist angesagt? (20)

Design attern in php
Design attern in phpDesign attern in php
Design attern in php
 
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?
 
Modern PHP
Modern PHPModern PHP
Modern PHP
 
Object Oriented Design Patterns for PHP
Object Oriented Design Patterns for PHPObject Oriented Design Patterns for PHP
Object Oriented Design Patterns for PHP
 
Php exceptions
Php exceptionsPhp exceptions
Php exceptions
 
Php(report)
Php(report)Php(report)
Php(report)
 
PHP 5.3
PHP 5.3PHP 5.3
PHP 5.3
 
PHP Basic and Fundamental Questions and Answers with Detail Explanation
PHP Basic and Fundamental Questions and Answers with Detail ExplanationPHP Basic and Fundamental Questions and Answers with Detail Explanation
PHP Basic and Fundamental Questions and Answers with Detail Explanation
 
Web application security
Web application securityWeb application security
Web application security
 
Handling error & exception in php
Handling error & exception in phpHandling error & exception in php
Handling error & exception in php
 
Zend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample QuestionsZend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample Questions
 
PHP Technical Questions
PHP Technical QuestionsPHP Technical Questions
PHP Technical Questions
 
Introduction to web programming with JavaScript
Introduction to web programming with JavaScriptIntroduction to web programming with JavaScript
Introduction to web programming with JavaScript
 
Elegant Ways of Handling PHP Errors and Exceptions
Elegant Ways of Handling PHP Errors and ExceptionsElegant Ways of Handling PHP Errors and Exceptions
Elegant Ways of Handling PHP Errors and Exceptions
 
2 debugging-c
2 debugging-c2 debugging-c
2 debugging-c
 
Errors, Exceptions & Logging (PHP Hants Oct '13)
Errors, Exceptions & Logging (PHP Hants Oct '13)Errors, Exceptions & Logging (PHP Hants Oct '13)
Errors, Exceptions & Logging (PHP Hants Oct '13)
 
Jsp And Jdbc
Jsp And JdbcJsp And Jdbc
Jsp And Jdbc
 
Binaries Are Not Only Output
Binaries Are Not Only OutputBinaries Are Not Only Output
Binaries Are Not Only Output
 
RAII and ScopeGuard
RAII and ScopeGuardRAII and ScopeGuard
RAII and ScopeGuard
 

Andere mochten auch

The New Front Line:An observation of cyber threats in the 21st century
The New Front Line:An observation of cyber threats in the 21st centuryThe New Front Line:An observation of cyber threats in the 21st century
The New Front Line:An observation of cyber threats in the 21st centuryJonathan Francis Roscoe
 
Weekly Code Drop July 4, creating auth tokens
Weekly Code Drop July 4, creating auth tokensWeekly Code Drop July 4, creating auth tokens
Weekly Code Drop July 4, creating auth tokensjasonc411
 
Bypassing Corporate Email Filtering
Bypassing Corporate Email FilteringBypassing Corporate Email Filtering
Bypassing Corporate Email Filteringamiable_indian
 
Hacker's Practice Ground - CarolinaCon - 2015
Hacker's Practice Ground - CarolinaCon - 2015Hacker's Practice Ground - CarolinaCon - 2015
Hacker's Practice Ground - CarolinaCon - 2015lokeshpidawekar
 

Andere mochten auch (9)

Base64 Encoding
Base64 EncodingBase64 Encoding
Base64 Encoding
 
The New Front Line:An observation of cyber threats in the 21st century
The New Front Line:An observation of cyber threats in the 21st centuryThe New Front Line:An observation of cyber threats in the 21st century
The New Front Line:An observation of cyber threats in the 21st century
 
Weekly Code Drop July 4, creating auth tokens
Weekly Code Drop July 4, creating auth tokensWeekly Code Drop July 4, creating auth tokens
Weekly Code Drop July 4, creating auth tokens
 
Looking Forwards to Going Backwards
Looking Forwards to Going BackwardsLooking Forwards to Going Backwards
Looking Forwards to Going Backwards
 
Bypassing Corporate Email Filtering
Bypassing Corporate Email FilteringBypassing Corporate Email Filtering
Bypassing Corporate Email Filtering
 
Hacker's Practice Ground - CarolinaCon - 2015
Hacker's Practice Ground - CarolinaCon - 2015Hacker's Practice Ground - CarolinaCon - 2015
Hacker's Practice Ground - CarolinaCon - 2015
 
Unicode (and Python)
Unicode (and Python)Unicode (and Python)
Unicode (and Python)
 
Mastering Python 3 I/O
Mastering Python 3 I/OMastering Python 3 I/O
Mastering Python 3 I/O
 
Mastering Python 3 I/O (Version 2)
Mastering Python 3 I/O (Version 2)Mastering Python 3 I/O (Version 2)
Mastering Python 3 I/O (Version 2)
 

Ähnlich wie More about PHP

Creating a Smooth Development Workflow for High-Quality Modular Open-Source P...
Creating a Smooth Development Workflow for High-Quality Modular Open-Source P...Creating a Smooth Development Workflow for High-Quality Modular Open-Source P...
Creating a Smooth Development Workflow for High-Quality Modular Open-Source P...Pantheon
 
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)Muhamad Al Imran
 
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)Muhamad Al Imran
 
TWINS: OOP and FP - Warburton
TWINS: OOP and FP - WarburtonTWINS: OOP and FP - Warburton
TWINS: OOP and FP - WarburtonCodemotion
 
Php training100%placement-in-mumbai
Php training100%placement-in-mumbaiPhp training100%placement-in-mumbai
Php training100%placement-in-mumbaivibrantuser
 
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im ÜberblickEin Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblickrenebruns
 
Tool Up Your LAMP Stack
Tool Up Your LAMP StackTool Up Your LAMP Stack
Tool Up Your LAMP StackLorna Mitchell
 
PHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersPHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersMohammed Mushtaq Ahmed
 
Introduction to web and php mysql
Introduction to web and php mysqlIntroduction to web and php mysql
Introduction to web and php mysqlProgrammer Blog
 
Joomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven PignataroJoomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven PignataroSteven Pignataro
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
20 PHP Static Analysis and Documentation Generators #burningkeyboards
20 PHP Static Analysis and Documentation Generators #burningkeyboards20 PHP Static Analysis and Documentation Generators #burningkeyboards
20 PHP Static Analysis and Documentation Generators #burningkeyboardsDenis Ristic
 
Joomla Code Quality Control and Automation Testing
Joomla Code Quality Control and Automation TestingJoomla Code Quality Control and Automation Testing
Joomla Code Quality Control and Automation TestingShyam Sunder Verma
 

Ähnlich wie More about PHP (20)

My Saminar On Php
My Saminar On PhpMy Saminar On Php
My Saminar On Php
 
Creating a Smooth Development Workflow for High-Quality Modular Open-Source P...
Creating a Smooth Development Workflow for High-Quality Modular Open-Source P...Creating a Smooth Development Workflow for High-Quality Modular Open-Source P...
Creating a Smooth Development Workflow for High-Quality Modular Open-Source P...
 
Php i basic chapter 3
Php i basic chapter 3Php i basic chapter 3
Php i basic chapter 3
 
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)
 
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)
 
TWINS: OOP and FP - Warburton
TWINS: OOP and FP - WarburtonTWINS: OOP and FP - Warburton
TWINS: OOP and FP - Warburton
 
Php training100%placement-in-mumbai
Php training100%placement-in-mumbaiPhp training100%placement-in-mumbai
Php training100%placement-in-mumbai
 
Api Design
Api DesignApi Design
Api Design
 
Software Development with PHP & Laravel
Software Development with PHP & LaravelSoftware Development with PHP & Laravel
Software Development with PHP & Laravel
 
Python for web security - beginner
Python for web security - beginnerPython for web security - beginner
Python for web security - beginner
 
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im ÜberblickEin Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
 
Tool up your lamp stack
Tool up your lamp stackTool up your lamp stack
Tool up your lamp stack
 
Tool Up Your LAMP Stack
Tool Up Your LAMP StackTool Up Your LAMP Stack
Tool Up Your LAMP Stack
 
PHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersPHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginners
 
Introduction to web and php mysql
Introduction to web and php mysqlIntroduction to web and php mysql
Introduction to web and php mysql
 
Joomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven PignataroJoomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven Pignataro
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Mufix Network Programming Lecture
Mufix Network Programming LectureMufix Network Programming Lecture
Mufix Network Programming Lecture
 
20 PHP Static Analysis and Documentation Generators #burningkeyboards
20 PHP Static Analysis and Documentation Generators #burningkeyboards20 PHP Static Analysis and Documentation Generators #burningkeyboards
20 PHP Static Analysis and Documentation Generators #burningkeyboards
 
Joomla Code Quality Control and Automation Testing
Joomla Code Quality Control and Automation TestingJoomla Code Quality Control and Automation Testing
Joomla Code Quality Control and Automation Testing
 

Kürzlich hochgeladen

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Kürzlich hochgeladen (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

More about PHP

  • 1. More About PHP Jonathan Francis Roscoe <jjr6@aber.ac.uk> http://users.aber.ac.uk/jjr6 November 29th 2011
  • 2. Outline Introduction Some PHP tips Object-Orientation Frameworks Debugging, Testing and Continuous Integration Secure PHP Code Environments Related Reading 2 of 36
  • 3. Introduction These slides are based on experience from my industrial year when I developed backed end code for web control panels. What I hope you’ll learn about today: • Techniques for improving code quality ◦ Speed ◦ Efficiency ◦ Reliability ◦ (Re)Usability • Advanced features of PHP • Frameworks • Making your PHP Applications secure • Debugging and Analysis of PHP applications I’ll mainly focus on PHP but most of this applies to any web development project. 3 of 36
  • 4. Some PHP tips With dynamic weak typing, PHP is a laid back language allowing functional code to be written fast. • Use a strong editor with supporting tools - Notepad++, Eclipse (with plugin), vim, Netbeans • Use server-side includes and mix PHP and HTML as little as possible • Test your code (yes - unit testing and acceptance testing is possible) • Debug your code • Take security seriously • Frameworks can significantly improve the speed of your develop, as well as providing features for efficiency, security and reliability. 4 of 36
  • 5. Server-Side Includes - index.php <?php s e s s i o n s t a r t ( ) ; $page = ”My Page ” $name = ” J o n a t h a n ” ; $ t= g e t t i m e ( ) ; ?> <html><head> < s t y l e t y p e=” t e x t / c s s ”> body { color : purple ; background −c o l o r : #d8da3d }</ s t y l e > < t i t l e ><?=$page ; ?></ t i t l e > </head><body> H e l l o <?=$name ; ?> <d i v i d =”menu”> <a h r e f =”#” Menu i t e m 1/> <a h r e f =”#” Menu i t e m 2/> </d i v > <body></html> 5 of 36
  • 6. Keeping PHP tidy A better way to handle this code would be to place aspects that are probably wanted in other places into separate files, then we can reuse the same code. This will make code easier to read and will allow others to focus on front end development (HTML, CSS) without worrying too much about the back-end aspects. 6 of 36
  • 7. functions.inc.php <?php // s t a r t t h e s e s s i o n session start (); // s e t t h e v a r i a b l e s we need on t h e page $name = ” J o n a t h a n ” $page = ”My Page ” ; $t = time ( ) ; ?> 7 of 36
  • 8. menu.php <d i v i d =”menu”> <a h r e f =”#” Menu i t e m 1/> <a h r e f =”#” Menu i t e m 2/> </d i v > 8 of 36
  • 9. header.php <html><head> < s t y l e t y p e=” t e x t / c s s ”> body { color : purple ; background −c o l o r : #d8da3d } </ s t y l e > < t i t l e ><?=$page ; ?></ t i t l e > </head> 9 of 36
  • 10. The new index.php <?php // g r a b s u p p o r t i n g f u n c t i o n s r e q u i r e o n c e ( ’ f u n c t i o n s . i n c . php ’ ) ; // g r a b h e a d e r r e q u i r e o n c e ( ’ h e a d e r . php ’ ) ; ?> <body> H e l l o <?=$name ; ?> <?php r e q u i r e o n c e ( ’ menu . php ’ ) ; </body> </html> 10 of 36
  • 11. PHP 5 and Object-Orientation Introduced in PHP 5, there is a lot in common with Java’s syntax, rules and conventions. • Interfaces and abstract classes • Magic Methods (e.g. toString()) • Exception classes and try..catch With simple yet powerful polymorphism: • Instantiation from String • class exists(), method exists() and other tricks PHP 5 introduced a few other significant features: • Type Hinting in methods • Reflection • Method overloading (quite different from Java) 11 of 36
  • 12. OO PHP Example i n t e r f a c e Animal { f u n c t i o n speak ( ) ; } c l a s s Cow i m p l e m e n t s Animal { f u n c t i o n speak (){ p r i n t ”Moooooo ! ” ; } } $ c l a s s n a m e = ”Cow ” ; $a = new $ c l a s s n a m e ; $a −> s p e a k ( ) ; 12 of 36
  • 13. Reflection in PHP Reflection is a fantastic concept in programming that you might already be familiar with. As PHP is weak and dynamic, we can use reflection with powerful results. For example: $ r = new R e f l e c t i o n C l a s s ( ’ Cow ’ ) ; $methods = $r−>ge tM e t ho d s ( ) ; Will give you a list of all the methods available. This may not sound like much, but we can use it for quick and easy polymorphic constructions. Many Reflection functions exist. It’s also possible to create a tool to describe undocumented classes you might need to work with. 13 of 36
  • 14. Frameworks Frameworks can be compared to more specific software such as blogs (e.g. Wordpress) or Content Management Systems (eg. Drupal). • Concepts ◦ Faster development ◦ Reduced overhead ◦ Reusability (DRY) • Support for a number of common needs ◦ Session management ◦ Database interaction (usually Object Relational Mapping) ◦ Ajax ◦ Internationalisation ◦ Testing ◦ Deployment ◦ Templating • Typically based on an MVC approach and often object-oriented 14 of 36
  • 15. MVC Dispatcher A dispatcher script is used to handle routes and control the flow of the MVC structure. • Instantiate model • Execute controller • Render view • autoload() magic method often used to enable source includes on the fly Typically takes the place of index.php. The following code is a simple example demonsrating how an MVC structured blog might be structured. 15 of 36
  • 16. PHP Model Business/domain logic. <? c l a s s PostModel { function s t a t i c getPosts (){ r e t u r n m y s q l q u e r y ( ” SELECT ∗ FROM blog posts ;”); } } ?> 16 of 36
  • 17. PHP Controller Controls actions of model and view. May handle input from view and instruct model. <? c l a s s PostController (){ function execute (){ $ p o s t s = PostModel : : g e t P o s t s ( ) ; } } ?> 17 of 36
  • 18. PHP View User input and feedback. <html> ... <? f o r e a c h ( $ p o s t i n $ p o s t s ) : ?> <h1><?=$ p o s t [ ’ t i t l e ’];? > </ h1> <p><?=$ p o s t [ ’ body ’];? > </ p> <? e n d f o r e a c h ; ?> ... </html> 18 of 36
  • 19. Popular Frameworks • Zend Framework • Symfony • Codeigniter • Rails • Zope 19 of 36
  • 20. Debugging It can sometimes be difficult to understand how and why PHP code is behaving the way it is, but there are some useful tools: • Static Analysis - lint, PHP Codesniffer, IDE features • Dynamic Analysis - xdebug, Valgrind PHP has error reporting of its own, and some frameworks may provide debugging features. 20 of 36
  • 21. Browser Extensions Web development can be a deviation from your familiar development techniques, fortunately various extensions can be invaluable in debugging the information that the client has, particularly when working with Ajax. • Web Developer Toolbar ◦ Firefox ◦ Chrome • Firebug ◦ Firefox ◦ Chrome, Internet Explorer, etc (Lite) • IE WebDeveloper Safari has a built in debug toolbar?.. 21 of 36
  • 22. Profiling • Speed is particularly important when we have many users placing load on a server • ”Stepping through” is usually not possible • Xdebug is a PHP extension that provides debugging and performance analysis: ◦ Stack & function traces ◦ Memory allocation ◦ Callgrind profiles • Callgrind information can be investigated and visualised with a tool such as KCacheGrind, Carica or Webcachegrind. 22 of 36
  • 23. Profiling Example call map showing relative runtime of each method called. 23 of 36
  • 24. Profiling Example call graph showing relative runtime of each method called. 24 of 36
  • 25. Testing • Code coverage is a measure of how well our tests explore every potential avenue of execution; strive for 100%. • Unit tests ◦ Test each module of code ◦ Core to test driven development methodology ◦ PHP-Unit is the PHP equivalent of JUnit, a tool you probably already know. You can use it to run subsections of your code, and test expected output. • Functional tests ◦ Tests of end user experience ◦ Selenium is a powerful tool that allows automatic execution of your webpages. This makes it easy to fully automate the testing of your entire site. • Continuous Integration ◦ Automated, routine build and testing of code ◦ Alert developers of new errors incode before it is released 25 of 36
  • 26. Continuous Integration Overview of phpUnderControl showing various statistics. Source: http://phpundercontrol.org/ 26 of 36
  • 27. Continuous Integration Example result of a phpUnderControl build, highlights code with errors. Source: http://manuel-pichler.de/ 27 of 36
  • 28. Sanitising Input You’ve probably seen or implemented some form of client-side security - such as a Javascript popup if you haven’t don’t complete a form properply. These mainly exist to be quick and look pretty, they are not at all secure. So you must sanitise input on the server-side. $username = f i l t e r v a r ( FILTER SANITIZE STRING , $ POST [ ’ username ’ ] ) ; Regular expressions can be used to go beyond simply removing harmful characters and can validate some requirements: i f ( p r e g m a t c h ( ” / ˆ h t t p / ” , $ POST [ ’ u r l ’ ] ) ) echo ” Got a URL ! ” ; else echo ” URL i s no good . ; ” 28 of 36
  • 29. Securing Your Code To show you why server-side sanitisation is important: .. m y s q l q u e r y ( ” SELECT ∗ FROM u s e r s WHERE p a s s w o r d = ’”. $ POST [ ’ p as sw ord ’ ] . ” ’ ) ; .. What if the input was something like: ’ ; DROP u s e r s −− Fortunately, tools exist to statically analyse your code for eversights and potentially dangerous behaviour. Pixy is a common script used on multi-user systems - such as your Aberystwyth user web hosting.. 29 of 36
  • 30. Security - Server Side Code Scanners Dear Jonathan , P l e a s e d i s a b l e y o u r ”PHP−S h e l l ” program a s s o o n a s p o s s i b l e . At t h e moment , what you ha ve b a s i c a l l y a l l o w s anyone i n t h e w o r l d t o remove t h e e n t i r e contents of your account ! ( i f t h e y e n t e r ”rm −r / a b e r / j j r 6 / . ” a s t h e command ) . Cheers , Alun . 30 of 36
  • 31. General Rules for Securing PHP PHP is often used to create public facing websites on the Internet, which typically include privileged areas. There are a few general security issues to be aware of: • Ensure user is authenticated & authorised as appropriate • Input should be validated & sanitised • Avoid careless debugging/error reporting (configure php.ini not to print error messages on a live system) • Development data (test files, svn metadata) should be removed • Server should be appropriately configured • Utilise security software that can isolate holes in your application.. 31 of 36
  • 32. Security Testing Tools There are plenty of tools available to help you test your site, popular ones include: • http://code.google.com/p/skipfish - Skipfish is an open source web application security scanner from Google • Metasploit - a generic vulnerability scanner modules exist to test off-the-shelf (wordpress, drupal, etc) software http://www.metasploit.com/modules/ • Nikto2 - another open-source tool • http://evuln.com/tools/php-security/ - a free static code scanner for PHP • http://loadimpact.com/ - Remote load testing (Are your database queries efficient enough?!) 32 of 36
  • 33. Environments Bugs in new code will have a serious impact on usability and security. A common technique for releasing code is to develop on isolated systems, then gradually deploy them in a limited or beta form, before going live. • Development Usually the programmer’s local machine. May use specialist data sets. Incomplete/untested functionality. Full debugging and error output. • Testing A local network server. Provides common test data for all developers. All code should have been partially tested and obtained from development branch of version control. Full debugging and error output. 33 of 36
  • 34. Environments for Web Development • Staging/Pre-Production (”Bleeding Edge”) A live server with limited accessibility. May be available to beta users. Should be treated as the live system. All code should have been fully tested and taken form stable branch of version control. • Production The live server. Code on this server should not be edited directly. System should be updated through some form of scheduled deployment procedure. Debugging information printed here is a security risk and unpleasant to end users - errors should be caught and politely reported. 34 of 36
  • 35. Useful PHP Tidbits • Server configuration information: phpinfo() • Server Side Inclusion: include(), require(), include_once(), require_once() • Validation/Sanitisation functions: preg_match(), strip_tags(), filter_var(), mysql_real_escape_string()/pg_escape_string() • HTML string output: htmlspecialchars() • Special predefined variables: $_SERVER[], $_SESSION[], $_ENV[] • Find files on the system - glob() • PEAR is a framework for managing PHP extensions, available from repositories such as PECL • Apache module for nice URLs: mod_rewrite • Many configuration options in php.ini - if you manage the server • of 36 35 Doxygen (generic Javadoc) works well with PHP
  • 36. Related Reading • ”Billions of Hits: Scaling Twitter” presentation • http://www.unmaskparasites.com/ - tool for website vulnerabilities • https://www.owasp.org/ Lots of security information including an injections cheat sheet • http://www.symfony-project.org/book/ - the Symfony book, lots of good MVC information • http://www.php.net/ • http://www.phpframeworks.com/ - comparison of frameworks • http://browsershots.org/ - screenshots of your website in dozens of configurations (platform, browser, resolution) 36 of 36