PHP
PHP is lovely, though if you ever work with other people having good code is important. Here are some tips to improve your code.
Comment & Document
It’s really important that people understand why you are doing certain things in certain ways. Adding a quick comment above sections of code should be adequate, but documenting classes and functions (Even if it’s in a Wiki) is fantastic.
Give Variables, Functions and Classes Meaningful names
Nothing is worse than trying to figure out what a function called “SIDFE()” does. Give everything a name that if someone else looked at it, they could figure out what it does. The above is a real example I have come across while adjusting a clients website, if the other programmer had called it something like Scan_Incomming_Data_For_Evil() it would have been a lot more straightforward.
White space
As you can see, a little space here and there makes life a lot easier.
No one likes to have to search for the start of a function. Make sure you indent your code and keep it easy to read quickly.
Never Delete – Comment out
This one is a little hard to grasp, but imagine you just fixed a bug (say 100 lines of code to fix it) and something else has broken. It makes sense to be able to go back and see the old code without modification of the new code. Also, doing this helps people see where an old bug was (assuming you comment that the section of code is evil) for future reference.
Use Braces
Braces are those neat } and { things. If you don’t use them on various functions it’s a pain to figure out where a loop starts and finishes. This is especially important when programming on a large scale because no one likes debugging fugly code. Here is an example of good and bad code:
<?php
/* Examples of annoying code */
if ( $coder === 'Silly' ) bang_head();
while ( $coder === 'Silly' )
bang_head();
/* Examples of good code*/
if ( $coder !== 'Silly' ){ Drink_Beer(); }
while ( $coder !== 'Silly' ){
Drink_Beer();
}
?>
Read the rest of this entry »
Posted April 6th, 2009
Twitter has sprung to fame in the last few months, mostly thanks to its fantastic API. Here is a really quick and easy way to display your recent tweets on your website.
<?php # File created on 1st April 2009 by Mike Rogers (http://www.fullondesign.co.uk/).
/*
function - recent_tweets(string $username [, int $limit = 5])
$username - Your twitter username, such as rogem002
$limit - Default: 5 - how many tweets you wish to show, must be numeric.
*/
function recent_tweets($username, $limit=5){
if(!is_numeric($limit)){$limit = 5;}
$xml = simplexml_load_file('http://search.twitter.com/search.atom?q=from%3A'.urlencode($username));
$items_count= count($xml->entry);
if($items_count < $limit){$limit = $items_count;}
$i = 0;
$return .= '
<ul>';
while($i < $limit){
$return .= '
<li title="'.$xml->entry[$i]->title.'"><!-- '.$xml->entry[$i]->published.' -->'.$xml->entry[$i]->content.'</li>
';
$i++;
}
$return .= '</ul>
';
return $return;
}
echo recent_tweets('rogem002', 5);
/*
You are free to share, modify and use this code for commercial uses. Please give a link back (to http://www.fullondesign.co.uk/ ) if you can, but you don't have you.
*/
?>
Edit: This only works for Twitterers who have privacy settings open (thanks Dan from XDnet.co.uk for the heads up).
Posted April 1st, 2009
Saying “Don’t trust your users” would be a little over statement, but in the world of programming it’s the best mindset. Here are some really basic tips for programming in general (but mostly focusing on PHP).
Validate All Input
It’s very important to check all input to your script; a client could accidentally put a semi-colon in a field and possibly break your code. Always check that the user is posting what you expect. Here are some simple methods to validate input.
<?php
// Input must be a number
if(is_numeric($input)){
echo 'Input is a number';
} else {
echo 'Input is not a number';
}
// Input can only contain numbers and letters.
if(preg_match('/([^A-z0-9])/', $input)){
echo 'Input does not contain only numbers and letters.';
} else {
echo 'Input contains only numbers and letters.';
}
// Input must be an email
if(preg_match('/^([a-zA-Z0-9])+@([a-zA-Z0-9_-])+(\.[a-zA-Z0-9_-]+)+/', $input)){
echo 'Email Is Valid.';
} else {
echo 'Email Is Invalid.';
}
?>
Hash Passwords
Hashing passwords is mostly important from a privacy view point; if a hacker gets in they could sell your users details.
Use Sessions, not cookies
Never set sensitive data in cookies, users could edit them and potentially cause problems on your website. Instead use Sessions; they are a server side solution which is a little more secure.
<?php
session_start(); // Start the session. Always put this at the top of your html.
// Set some sessions
$_SESSION['name'] = 'Example 1';
// echo session data
echo $_SESSION['name'];
// Would return Example 1
?>
Read the rest of this entry »
Posted March 27th, 2009
Privacy on your website will be paramount to your success. In the world of application development, security can sometimes be overlooked (normally because accessibility is considered more important). Luckily, modern theories in coding mean we now can now be accessible and secure.
Hashing is a really simple technique to hide data using a one way encryption. It’s especially necessary when dealing with users passwords (In a recent study, 60% of respondents use a similar passwords). Here is an example of how to hash using the MD5 function:
<?php
$password = md5('password');
// $password will now return 5f4dcc3b5aa765d61d8327deb882cf99
?>
However, we can improve on this code. Many hackers now use Rainbow tables to reverse the one-way encryption (and thus find out the secret data). Luckily programmers have come up with a new technique to combat this…Adding a pinch of salt to a hash. In programming terms, a salt is essentially an extra piece of information we add to what the user input to make it unusual. Here is an example how to code this:
<?php
$salt = '%$£Salt_Here*(&^';
$password = md5('password'.$salt);
// $password will now return 5747563a265df7a3250884394c0a05e0
?>
Related Posts
PHP Security Consortium: Password Hashing
Essential PHP Security
Posted March 17th, 2009
Anyone who has ever developed a website which allows users to upload files will tell you “It’s best to think everyone is out to destroy your server”, which unfortunately is the best mindset to be in when setting up any website. One of the main methods used to by hackers to breach security on your website is to upload a file which allows them to execute code.
Here is a very quick and easy solution to stop potential hackers executing files in certain folders.
Open the .htaccess file in the folder you wish to protect and add the following code:
Options -Indexes
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi
This will essentially stop the folders returning an index of what is inside them and stop various files from running.
Useful Links
PHP File Upload Security
Apache Tutorial: .htaccess files
Apache, MySQL, and PHP Web Development All-in-one Desk Reference for Dummies
Posted February 23rd, 2009