Archive for December, 2008

Quick Methods Used for Solving PHP Errors

 

There are several methods for solving errors in PHP code. Sometimes, when the user is waiting for output, a blank page is shown instead because an error occurred. To show the errors, E_ALL^E_STRICT is used on PHP 5; the other versions just use E_ALL.

Even with error_reporting set to E_ALL, PHP sometimes still shows a 'blank' page without the errors. In that case the script should be run from a different directory, because the directory holding the error log may be full; erasing that file makes the errors display as usual. Turning 'error logging' off may also help.

If error_reporting is set in httpd.conf rather than in the script, the 'integer' value must be used and not the string constant in some versions. Otherwise the error message will not be displayed in the program's output.

Error handling matters because it keeps information about the system, which could be harmful in a user's hands, out of the output while still letting the developer get at it. PHP provides several methods for handling errors.

For example, PHP can be configured so that errors are not displayed in the browser; instead they are logged, using the log_errors and display_errors directives in php.ini, and we read them from the log. Depending on what is needed during development, error display can be turned on and off.

error_reporting() may give unexpected results if the @ error-suppression operator is used. Depending on the configuration settings, this will raise an E_WARNING for the missing file. If the operator is removed, the code works as expected. The same result is achieved by using ini_set in config.php, which shows that the two instructions are equivalent.

Fatal errors can be caught by another, dynamic method. The idea is simple and can be tested on the system. On live sites it fails to catch these fatal errors when display_errors is on, but the system can be tested to see all the fatal errors quickly and without trouble by turning display_errors off. The signature of the function used to catch all the fatal errors is:

function catchFatalErrors($p_OnOff='On')
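The post gives only the signature above. As an added example (not code from the original post), here is one way to implement catchFatalErrors() with register_shutdown_function() and error_get_last(), alongside the display_errors / log_errors settings discussed earlier; the function body and the log path are assumptions.

```php
<?php
// Added example, not from the original post: a possible body for the
// catchFatalErrors() function whose signature is given above, plus the
// display_errors / log_errors configuration the post discusses.
// The log path is an assumption and must be writable by the web server.

// Show errors in the browser only while developing; always write them to the log.
function configureErrorOutput($isDevelopment)
{
    error_reporting(E_ALL);                     // add E_STRICT on PHP 5 if wanted
    ini_set('display_errors', $isDevelopment ? '1' : '0');
    ini_set('log_errors', '1');
    ini_set('error_log', '/var/log/php/app_errors.log'); // assumed path
}

// Shutdown handler: a fatal error ends the script, so this is the last place
// where it can still be inspected, via error_get_last().
function fatalErrorShutdownHandler()
{
    $err = error_get_last();
    if ($err === null) {
        return; // normal shutdown, nothing to do
    }
    $fatalTypes = E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR | E_USER_ERROR;
    if (($err['type'] & $fatalTypes) === 0) {
        return; // warnings and notices are handled by normal reporting
    }
    // Full detail goes to the log for the developer ...
    error_log(sprintf('FATAL [%d] %s in %s:%d',
        $err['type'], $err['message'], $err['file'], $err['line']));
    // ... while the visitor gets a generic message instead of a blank page
    // or an error text that reveals file paths and other system details.
    if (!headers_sent()) {
        header('HTTP/1.1 500 Internal Server Error');
    }
    echo 'An internal error occurred. It has been logged.';
}

function catchFatalErrors($p_OnOff = 'On')
{
    if ($p_OnOff === 'On') {
        register_shutdown_function('fatalErrorShutdownHandler');
    }
}

configureErrorOutput(false); // production settings: log, do not display
catchFatalErrors('On');
```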

If there is a warning like "Warning: mysql_query()", the query is doing a full table scan. This is not governed by the error_reporting settings; it is set in php.ini. It can be turned off within the script with ini_set("mysql.trace_mode", "Off").

When applied in code, the quick methods above help in avoiding errors: when a blank page appears instead of output, it can be avoided with these methods, and when errors do appear, they can be fixed using them.


Three Important Tips to Write PHP Code Defensively

The phenomenal growth of PHP applications has also led to a mushrooming of malicious activity. It is therefore imperative that you write secure PHP code to protect your website. Here are some tips for doing so.

The three most vulnerable aspects of PHP, and the most easily reached by anyone, are XSS (Cross Site Scripting), Global Variables and SQL code.

XSS

The growth of XSS has followed the steady growth in the use of AJAX. Cross Site Scripting comes into play, for instance, when you create a Comment section on your website. If the commentator has to log in to comment, his login information gets stored in a cookie. As the JavaScript code is generally run whenever a person writes the comment, there is a pretty good chance of the cookie's contents being sent to a remote server controlled by a malicious user.

To counter this, make a habit of filtering whenever you ask for arbitrary input. Use the die() function to abort whenever the filters detect an invalid input. The details that are typed in are first filtered and then sent to the website's database, and the information is filtered again before it is output.

<?php
// Escaping output with htmlentities() stops any markup or script in the
// submitted value from being interpreted by the browser. ENT_QUOTES also
// escapes single quotes, so the result is safe inside attributes too.
$myInfo = isset($_POST['myInfo']) ? $_POST['myInfo'] : '';
echo 'this is what you input: ';
echo htmlentities($myInfo, ENT_QUOTES, 'UTF-8');
?>

Global Variables

The PHP feature "Register Globals" leaves a palpable gap in programming safety. Once this feature is activated in the PHP configuration file, even a single uninitialized variable can lead to a serious security flaw. For instance:

<?php
// Deliberately flawed: $authorized is never initialized, so with
// register_globals on, a request parameter can supply its value.
if (is_admin()) { $authorized = true; }
if ($authorized) { include "/very/sensitive/data.php"; }
?>

When you run the file, because $authorized is never initialized, the check does not really verify the user, and anyone can reach the administrative controls! To counter this, you should disable Register Globals, initialize your variables, and use localized variables as far as possible within the programs.

SQL Code

SQL code is vulnerable to malicious users just as XSS is. To write secure SQL code you need to remember a couple of things. First, avoid using dynamic queries; second, if dynamic queries are unavoidable, never pass input directly into the tables.

For instance, code like this takes care of SQL security:

if ($_POST['submit'] == 'Save') {
   // Validate the account number against a strict rule before it goes
   // anywhere near the database (isValidAccountNumber() is the site's own
   // whitelist check; note the same key is used in both places).
   if (isset($_POST['acct_num']) &&
       isValidAccountNumber($_POST['acct_num'])) {
        $link = mysql_connect('hostname', 'user', 'password')
              or die('Could not connect to DB');
        ...
   }
}

Preferably select the user name from a database table so that any other entry (like "bingo" or 'blah blah') is swiftly detected. A simple way of preventing an SQL security lapse is to typecast the data so that the input is effectively constrained. You can also make use of the versatile mysql_real_escape_string(); this function escapes special characters and helps contain SQL security flaws.
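The snippet above calls isValidAccountNumber() without defining it, and the paragraph names typecasting and escaping as the other two defences. As an added example (not code from the original post), the block below shows all three together; the whitelist rule, the table and column names, and the use of addslashes() as an offline stand-in for mysql_real_escape_string() are assumptions.

```php
<?php
// Added example, not from the original post. isValidAccountNumber() is the
// whitelist check the post calls but does not define; buildAccountQuery()
// typecasts the numeric fields and escapes the one free-text field. The
// escaping function is passed in by name so the builder can be run without a
// database; with a live connection pass 'mysql_real_escape_string'.

// Assumption: an account number is 1 to 9 digits (fits a 32-bit int after casting).
function isValidAccountNumber($value)
{
    return is_string($value) && preg_match('/^[0-9]{1,9}$/', $value) === 1;
}

// Returns the query string, or null when the input is rejected. Numeric fields
// are typecast, so nothing but digits can reach the query through them; the
// free-text field is escaped with the supplied function.
function buildAccountQuery(array $post, $escapeFn)
{
    if (!isset($post['acct_num']) || !isValidAccountNumber($post['acct_num'])) {
        return null; // reject bad input outright rather than trying to clean it
    }
    $acctNum = (int) $post['acct_num'];
    $limit   = isset($post['limit']) ? (int) $post['limit'] : 10;
    if ($limit < 1 || $limit > 100) {
        $limit = 10;
    }
    $memo = isset($post['memo']) ? call_user_func($escapeFn, (string) $post['memo']) : '';
    return sprintf(
        "SELECT id, memo FROM accounts WHERE acct_num = %d AND memo LIKE '%s%%' LIMIT %d",
        $acctNum, $memo, $limit
    );
}

// Constructed sample input; addslashes() stands in for mysql_real_escape_string()
// in this offline demo only. The second request carries a non-numeric account
// number and is rejected by the whitelist before any query is built.
$good = array('acct_num' => '12345678', 'memo' => "O'Brien", 'limit' => '5');
$bad  = array('acct_num' => '12345678abc', 'memo' => 'x');
var_dump(buildAccountQuery($good, 'addslashes'));
var_dump(buildAccountQuery($bad, 'addslashes'));
```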

These three are the most significant points for creating secure PHP code. Apart from this, you should also ensure that:

  • The system is well protected
  • Files and database are protected.
  • Posts are verified
  • Input is always validated

Input validation is the key to secure programming. Make a habit of allowing only the right input into your system. A systematic approach to PHP, keeping in mind the pitfalls, can guard the program against most flaws and malicious attacks.


Popular PHP Frameworks: What’s Your Fav?

What is Your Fav PHP Framework?


I have touched on PHP frameworks before, and that sparked a lot of discussion. A lot of people swear by one framework and other developers by another. Before you get into one, you might want to ask yourself whether you need to use a PHP framework at all. You might not even need one. But the fact is that, over time, they can significantly reduce development time.

Okay, so let's say that you are new to PHP frameworks. There are a few popular choices out there to sink your teeth into, but which one? You don't want to pick a framework and spend days upon days learning its architecture, only to find out that no other PHP developers out there are using it, making the time you spent learning the framework's ins and outs a waste.

In a perfect world, I would suggest learning them all! However, there are only 24 hours in a day, and prioritizing your PHP framework education might be a good idea. So above I have added a poll, and I plead with other PHP developers out there to vote on it. Hopefully, after a lot of participation, we will see which PHP framework is the most popular.

Remember, BrownPHP is a site that helps other PHP developers. By learning which PHP frameworks are the most popular, we can all become more efficient, and ultimately more successful! If you do feel strongly about one PHP framework over another, please leave a comment and explain why you chose the PHP framework that you did.


Do You Really Need a Framework for Writing PHP?

PHP is a general-purpose server-side scripting language used all over the world. PHP originally stood for Personal Home Page; it is now known as 'PHP: Hypertext Preprocessor'. It is very helpful for web development and can be embedded in HTML too.

Moreover, it is easy to learn. PHP includes many functions without the need to import namespaces. You can decide whether to write object-oriented code or not. The syntax is familiar, and variables are weakly typed.

The simplicity of PHP sometimes works against it. Since there are very few coding restrictions, developers tend to write bad code. The answer to this is definitely to use a framework. There are various PHP frameworks available today, like Zend Framework, CakePHP and CodeIgniter. They provide a strong organization for your application and follow the commonly used MVC pattern.

Some of the other advantages of using a framework are:

  1. MVC structured code: MVC, or Model-View-Controller, is a well-known design pattern that separates the database and business logic from the presentation layer. This results in simple, clean and understandable code.
  2. Maintaining the coding standards: MVC code is easy to write and also follows the coding restrictions. Because the coding is uniform and standard, things are simpler and bugs can be resolved faster. This will save you a lot of worry, and it will be easier to find out where the problem lies.
  3. Attractive URLs: Almost all these frameworks make sure that your URLs look attractive and are easy to access. Apache handles the request for a particular URL, which then invokes the central framework object. End users only see the URL in their browser and cannot tell that you are using PHP behind it.
  4. Get all the help you need: When you use a PHP framework, you no longer need to hand-write all the validation criteria for forms and the like. The only thing you have to do is instantiate a new form validator object and instruct it as you wish. It will handle the rest.
  5. Finish coding faster: Frameworks help developers write code in less time than usual. This leaves them with some extra time for themselves.

All said and done, there is always the option of writing your own framework for your application. However, when you have something like CakePHP doing a lot of nifty things for you, or Zend providing great functionality, you can pick one depending on your requirements. So just choose a framework and start coding!

Zend Framework vs CakePHP Framework

The Zend Framework, developed by Zend Technologies, is an open-source, object-oriented web application framework implemented in PHP 5. It is widely known as ZF and was developed to make things easier for PHP developers while supporting best practices at the same time. CakePHP, too, is an open-source web application framework for creating web applications in PHP. It is developed by the Cake Software Foundation, Inc. and is modeled on Ruby on Rails.

Zend Framework has easy methods of licensing with the new BSD license and a swift and well-tested code base that your business can rely upon. It makes use of commonly available APIs from well known vendors like Google, Amazon, Yahoo!, Flickr and API providers and catalogers such as StrikeIron and Programmable Web.

ZF offers a simple component library that provides 80 percent of the functionality developers most often need. The remaining 20 percent can be tailored to the requirements of your business. This is possible because it has a flexible architecture, and you do not need any configuration file to get started. As a result, training costs are lower and the product reaches the market sooner. Moreover, Zend Framework also offers:

  • AJAX support through JSON, which offers ease-of-use of the framework.
  • The PHP version of the Lucene Search engine.
  • Simple access to data formats needed in Web 2.0 applications.
  • The ideal destination to utilize and publish web services.
  • Top quality, object-oriented PHP 5 class library.

CakePHP is a rapid development framework for PHP that offers a flexible architecture for development, maintenance and deployment of applications. It uses the usual design patterns like MVC and ORM within the convention over configuration paradigm that helps lower development expenses and does not need the developers to write a lot of code. CakePHP boasts of clients like Mozilla Addons, Scratch by MIT, Yale Daily News, Onion Store and MapMe to name a few.

Just like ZF, CakePHP does not require configuration. It is very simple to use. The company has a user friendly community called #cakephp on IRC that helps new users to begin. It is distributed under the MIT License and promises Best Practices like security, authentication and session handling. It has an object-oriented approach to keep you at ease.

Overall, both these frameworks are good to use as per your requirements. CakePHP is suitable for developers new to MVC and those who require stricter conventions. ZF is a choice for those who need better control over the application design and built-in support for renowned Web services. Both the frameworks are developing fast and the choice is entirely yours.

