News Feed
Jobs Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

DZone.com:
Writing clean code in PHP 5.4
February 23, 2012 @ 12:08:18

With the first stable release of PHP 5.4 not too far off, it's important to understand the new features it offers and how to use them effectively. In this new post to DZone.com Giorgio Sironi shows how to "write clean code" with these new features, including a few snippets of code to illustrate.

After seven release candidates, it's clear PHP 5.4 is coming: as always the improvements from the previous minor version are many. [...] Let's look at the new features and score them on two metrics: usefulness, and potential for abuse. I'll try to avoid discussing non-language related matters.

He starts by pointing out some of the "gotchas" that can happen with traits (like errors thrown when more than one method is named the same and that they are a separate hierarchy), the short syntax and dereferencing support for arrays, closure binding, upload progress and more. For each of them he gives two measurements - the usefulness of the feature and the potential for abuse.

0 comments voice your opinion now!
clean code upcoming features usefulness abuse


DevShed:
PHP Programs to Prevent MySQL Injection or HTML Form Abuse
January 07, 2009 @ 11:13:41

On DevShed today there's a new tutorial looking at a method for protecting your application (your MySQL/PHP application) forms from malicious attacks like SQL injections.

It has been known for a while that if a form is unsecured, malicious code in the form of MySQL injection will be initiated to attack the site. HTML forms such as drop down menus, search box, check boxes are all susceptible entry points of this type of abuse. This article will explain what happens in this kind of attack, and how to prevent it.

They compare unvalidated input with a validated method that uses some simple checks to ensure that the given content is numeric and regular expressions to match text.

0 comments voice your opinion now!
tutorial form abuse security regular expression validate


Sara Golemon's Blog:
create_function() is not your friend
May 21, 2007 @ 09:31:00

In response to this previous post from Felix Geisendorfer, Sara Golemon shares a few thoughts on why she thinks it's just the other way around - create_function is not your friend.

In the short post she lists just a few of the issues surrounding the use of the function including that it:

  • is prone to critical abuse by user-supplied code
  • skips opcode cache optimizations
  • encourages not using comments (evil)
  • 100% blind to reflection or PHPDoc style documentation generation

0 comments voice your opinion now!
createfunction eval abuse opcodecache reflection phpdoc createfunction eval abuse opcodecache reflection phpdoc


Marco Tabini's Blog:
5 PHP Performance Tips You Probably Don't Want To Hear
December 12, 2006 @ 13:07:38

In a new entry on his blog today, Marco Tabini introduces us to 5 PHP Performance Tips that we "probably don't want to hear".

I thought it might be interesting to write an article about the performance-enhancing tips you probably don't want to hear about - that is, those that are most likely to produce measurable (and durable) results but do require some effort on your part.

His list consists of:

  • You Don't Need To Plan Ahead In Order To Have A Plan
  • Combat Database Abuse
  • Do You Really Need A Database Anyway?
  • Scale Horizontally
  • Refactor To Scale Vertically
For each, he explains the title and gives a bit of validation to the point. There's some great mentions of tools that you can use to help accomplish them too - a profiler, the Lucene and Xapian full-text databases, and Lustre.

0 comments voice your opinion now!
performance tip plan database abuse scale horizontal vertical performance tip plan database abuse scale horizontal vertical


Ilia Alshanetsky's Blog:
Another unserialize() abuse
March 23, 2006 @ 06:59:23

With yet another reason not to trust the users of your application (mainly the data they send you), Ilia Alshanetsky has details on an issue that could be caused by the unserialize() function in PHP.

While talking with PHP developers this morning I thought of another way unverified serialized strings could be abused. This exploit can only affect PHP 5 installs though, but given the growing market share of PHP 5 it is certainly something worth noting.

As you may know classes in PHP are allowed to implement a magic method called __wakeup() that contains operation that are to be performed when a class is deserialized. Some native classes like PDO implement this function with a goal of preventing database serialization and throw an error when it is used.

He uses an example with PDO and a string of a serialized "supposed PDO object" to illustrate how, without the proper handling, it could lead to a fatal error in the script. The end result of the fatal error, if displaying errors is still on, could be that somewhat sensitive information could be displayed to the viewer.

0 comments voice your opinion now!
unserialize abuse __wakeup fatal error display unserialize abuse __wakeup fatal error display


PHPEverywhere:
Is PHP4 the new perl?
February 20, 2006 @ 07:23:27

From PHPEverywhere today, there's a new post from John Lim that asks the question, "Is PHP4 the new Perl?"

Tim Bray, one of authors of XML, voices concern about PHP: "So here's my problem, based on my limited experience with PHP (deploying a couple of free apps to do this and that, and debugging a site for a non-technical friend here and there): all the PHP code I've seen in that experience has been messy, unmaintainable crap. Spaghetti SQL wrapped in spaghetti PHP wrapped in spaghetti HTML, replicated in slightly-varying form in dozens of places.

But in the big picture, it feels vulnerable to me."

John argues that it's not the language's fault if the code that's written is bad (more coders need this). He also suggests that maybe PHP4 is perl for the web - simply because of the one of the reasons it's popular - it's potential for abuse from badly written code.

0 comments voice your opinion now!
php4 new perl abuse spaghetti unmaintainable php4 new perl abuse spaghetti unmaintainable



Community Events











Don't see your event here?
Let us know!


install framework application package podcast hhvm opinion database language hack unittest support component introduction facebook performance security release composer symfony2

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework