Matthias Noback:
Final classes by default, why?
Sep 12, 2018 @ 17:08:54

In this post to his site Matthias Noback makes the argument that, during your normal development, classes should be final by default and only changed if there's a need to extend them.

I recently wrote about when to add an interface to a class. After explaining good reasons for adding an interface, I claim that if none of those reasons apply in your situation, you should just use a class and declare it "final".

[...] For a couple of years now I've been using the final keyword everywhere (thanks to Marco Pivetta for getting me on track: https://ocramius.github.io/blog/when-to-declare-classes-final/). When I see a class that's not final, it feels to me like it's a very vulnerable class. Its internals are out in the open; people can do with it what they want, not only what its creator has imagined.

Still, I also remember my initial resistance to adding final to every class definition, and I often have to defend myself during workshops, so I thought it would help if I explained all about it here.

He starts off by talking about the alternative, non-final classes, and some of the issues that can come with them and with class extension. He makes the suggestion that "replacing is better than overriding" and creates less complexity overall. He also answers a question about the "Template Method" design pattern, where a base class provides "skeleton" logic that is designed to be extended. He covers "composition over inheritance", the use case for extension, and why "final" is a better direction.

tagged: final class exposure extension opinion override template composition

Link: https://matthiasnoback.nl/2018/09/final-classes-by-default-why/

Evert Pot:
Drop 'public' not 'var'!
Mar 28, 2016 @ 17:23:32

In a recent RFC that's been proposed and is now up for voting, the suggestion has been made to drop the var keyword in PHP 7.1 and completely remove it in PHP 8 (it's made a bit redundant by the public keyword in classes). Evert Pot, however, disagrees and suggests dropping public instead.

A PHP RFC vote has started to deprecate the var keyword in PHP 7.1 and remove it in PHP 8. At the time of writing, there are 23 who say it should be removed, and 18 who say it should not. [...] I'd like to offer a different opinion: I think people should be using var instead of public. I realize that this is as controversial as tabs vs. spaces (as in: it doesn't really matter but conjures heated discussions), but hear me out!

He goes through an example from one of his own projects, showing how he's mostly removed the public level of exposure from his development (using final and statics instead). He then addresses three common arguments he sees people make in favor of dropping var rather than public:

  • #1: Everyone doing the same thing is good
  • #2: It’s ugly!
  • #3: The public keyword is useful to convey intent

He also points to one place where he does see the need for public but suggests that var would do just fine there too.

tagged: public var class exposure level rfc proposal voting

Link: https://evertpot.com/drop-public-not-var/

NetTuts.com:
Protecting Your Keys From GitHub
Mar 05, 2015 @ 18:03:05

On the NetTuts.com site there's a new post talking about protecting your keys when using a public site like GitHub. This relates to an easy thing to forget - removing hard-coded credentials from code before pushing it public.

In December 2014, Slashdot ran an alarming story Bots Scanning GitHub To Steal Amazon EC2 Keys, based on developer and blogger Andrew Hoffman's experience trying out Ruby on Rails on Amazon with AWS S3. He inadvertently committed an application.yml file with his AWS keys. [...] It's an easy mistake and most of us have probably done a similar thing at one point or another. And it's not just AWS keys that are at risk. As our use of cloud-based services increases, the expanding use of a broad variety of service API keys can be leveraged by hackers and spammers alike.

He goes through a solution he's found to help protect those credentials, in this case working with the configuration of a Yii framework-based application. He starts with a mention of .gitignore but points out that it can have unexpected results because of "quirks" in its handling. He suggests a different option: a configuration file that lives somewhere outside of the main git directory and is referenced directly from inside the application. He provides two kinds of examples, one using a PHP-based configuration file and another based on an INI file. He finishes the post with a mention of WordPress plugins and the fact that they're (usually) stored in a database and open to exposure if a SQL injection vulnerability is found.

tagged: github protect keys commit public exposure configuration file gitignore

Link: http://code.tutsplus.com/tutorials/protecting-your-keys-from-github--cms-23002

DevShed:
Web Application Security Overview
Sep 22, 2008 @ 19:42:51

DevShed starts off a new series today focusing on security in web applications, specifically in PHP-based ones, with this first article - an overview.

With the web and web sites open to everyone -- including malicious hackers -- the security of web applications sits at the top of the list of issues on any web developer's mind. In this eight-part series, we will look at the security concerns of PHP developers, and what they can do to make their web applications more secure.

They talk about the importance of having a security plan from the start and look at a few simple steps to get started with in enhancing your application's security - the proper use of register globals, using error reporting to correctly catch problems and how to minimize the code exposure of your app.

tagged: application security overview tutorial series registerglobals error report exposure

Link:

DevShed:
An Introduction to PHP Security
Feb 15, 2007 @ 12:50:52

Devshed has posted a new article covering one of the hottest topics in the PHP community right now - security.

Security in a scripting language such as PHP is more developer-dependent than language-dependent. In other words, although the language offers you the tools to create secure code, it cannot prevent insecure code. Thus, the degree to which code is secure almost entirely depends on how security conscious a developer is.

The article looks at three security-related topics:

  • Register globals
  • Error reporting
  • Code exposure

For each, it provides explanation and code where needed to help the reader understand the issues and possible problems with them.

tagged: introduction tutorial security registerglobals error reporting exposure

Link:
