[NBLUG/talk] PHP help...
troy at zenux.net
Mon Apr 24 23:26:54 PDT 2006
On Mon, Apr 24, 2006 at 09:42:26AM -0700, Chris Palmer wrote:
> Todd Cary writes:
> > Though I have been creating php programs for several years (some high
> > profile), I am quite sure my programming style could be greatly
> > improved. Are there any resources in the North Bay where one could
> > get some hands on help?
> Style is important, but not as important as substance. :) The biggest
> problem I see with PHP programs is a lack of input and output
> validation, leading to SQL injection, shell injection, filesystem
> traversal, cross-site scripting and other security, correctness and
> reliability bugs.
A great way to safeguard your SQL, and eliminate the annoying need to call
add_slashes() or strip_slashes(), and/or detect magic_quotes_crap, is to
use a database abstraction layer or engine that supports placeholders in
I personally like adodb these days. http://phplens.com/adodb/
A typical insert changes from:
mysql_query("update users set name=$name, bio=$bio where userID=$userID");
$sth = $dbh->prepare("update users set name=?, bio=? where userID=?");
$dbh->execute($sth, array($name, $bio, $userID));
Obviously, you still need to validate those variables...
This saves you from any attack leveraging unescaped quote characters.
Depending on the database backend and the number of rows to update, you
could also see significant speed and memory improvements. It's much harder
to attack an application whose SQL statements are prepared before any user
data actually gets to them.
On a general note, just look at code from other projects which you've found
useful. The open source php apps that I've hacked on tend to be hit and
miss -- brilliant code intermixed with putrid code. Some of the best apps
(oscommerce / phpicalendar) are the worst as far as code quality.
It weathers a shit-storm of criticism, but I think
http://gallery.menalto.com/ is consistently well-done. Even phpbb has some
really nice stuff. The templating system (despite some sloppy eval()'s )
does a super job of separating layout from logic while remaining flexible.
I'm rambling, but my point is that checking out how others do things, even
if poorly, is a huge benefit.
-troy (off to take my own advice and check out some nifty bash tools that a
rackspace rep. forgot to remove)
More information about the talk