PHP

This post is intended to make you think a little bit more about some of the habits you may have formed whilst programming. It is not the nirvana of programming, nor best practice, just a few little ideas to help you along the way.

1. Use descriptive variable names
Arguably this is the hallmark of the inexperienced or just plain poor programmer. Using variables names such as $x or $y makes a major sacrifice in readability for a negligible performance improvement.
Remember, variable names are cheap whilst programmer time is not.

2. No commented out code
Sure, commenting out code makes sense if you do not use a revision control system (like CVS/SVN/Git/etc) however – why on earth are you not using a revision control system?
Leaving commented code behind tends to clutter files and reduces readability, – especially in those hard times on a console and don’t have the luxury of an editor with syntax highlighting and large resolution.

3. Write control structures as you would say them
It is all too easy to make control structures (if, switch, while, etc…) unreadable. An easy trick to improve readability is to read it to yourself, from start to finish; this forces you to read it anew and clears up strange comparisons such as: ‘!$security_check===false’.

4. Use single quotes (‘) by default and double quotes only when you want to put variables in your string
It’s the little things…

This is a function to protect email addresses on your website from bots or spiders that harvest email addresses for spam purposes; it uses a substitution cipher generating a unique key for every page load.
PHP encrypts your email address and generates javascript to decrypt it because most bots and spiders can’t execute javascript. A visitor of your web page will not notice this as long as they have javascript enabled, otherwise they will see “[javascript protected email address]”

As the script contains quite a lot of special characters, a downloadable version is available here

Usage
echo hide_email(‘test@test.com’);

Further reading
Ross Killen’s implementation here
Methods to hide email addresses in page source here

A great source of information on the PHP language is Practical PHP Programming. This great reference is available free of charge under an open source type license here.

Over the next few posts I’ll try to list similar resources for other relevant programming languages, methodologies and reference material.

Sometimes PHP novices attempt to make cleaner or more legible code by copying predefined variables to variables with shortened names prior to working with them. This actually results in doubled memory consumption (when the variable is altered) and therefore slower scripts. In the following example, if a user had inserted 512KB worth of characters into a textarea field this would result in nearly 1MB of memory being used.

$title = strip_tags($_POST['title']);
echo $title;

This operation can be performed inline, – avoiding the memory overhead.

echo strip_tags($_POST['title']);

Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?

PHP Twitter is a (wrapper)class to communicate with the Twitter API written by Tijs Verkoyen. Download page is available here

A quote from the author (and he’s not wrong) The class is well documented inline. If you use a decent IDE you’ll see that each method is documented with PHPDoc. There is also a tutorial available here

So, to sum up, these links should kickstart your twittering ability from PHP (and your website).

Happy tweeting!

A few changes in PHP 6:

This post is mainly about what is removed (and will no doubt break countless scripts out there)

• magic quotes
• register_globals
• register_long_arrays
• safe_mode

magic_quotes


// Assuming magic_quotes is on
$sql = "INSERT INTO USERS (USERNAME) VALUES $_GET['username'];


// Using proper parameterised query method (MySQL)
$statement = $dbh->prepare("INSERT INTO USERS (USERNAME) VALUES ?";
$statement->execute(array($_GET['username']));

Obviously the get_magic_quotes_gpc() function will no longer be available.

register_globals

// a security hole because if register_globals is on the value for user_authorised can be set by a user sending
// them in the query string
// i.e www.example.com/index.php?user_authorised=true
if ($user_authorised){
// show all the data
}

// Being specifc
function is_authorised{
if (isset($_SESSION['user'])){
return true;
}else{
return false;
}
}
$user_authorised = is_authorised();

register_long_arrays

Using deprecated registered arrays:

// Echo the name of the user value given on the query string
// http://www.example.com/index.php?username=notgood
echo "Welcome, $HTTP_GET_VARS['username']";

Using $_GET

// Using the supported $_GET array instead
echo "Welcom, $_GET['username']@;

safe_mode
This was originally to ensure that the owner of a file being operated on matches the owner of the script that is executing. It was originally a way to attempt to handle security when operating on a shared server environment (like many ISPs would have) It is outside the scope of this blog to document the numerous functions affected by this change, so consult your documentation.

Sometimes a browser may be hiding behind a proxy – this little function will hopefully get to the root of things:

function userIP(){
// Returns the True IP of the client calling the requested page by first checking to see if HTTP_X_FORWARDED_FOR has a value (proxy)
$userIP = $_SERVER['HTTP_X_FORWARDED_FOR'];
if($userIP == ""){
$userIP = $_SERVER['REMOTE_ADDR'];
}
// Return the IP we've figured out:
return $userIP;
}