Building Secure PHP Apps by Ben Edmunds

Do you ever wonder how vulnerable you are to being hacked? Do you feel confident about storing your users' sensitive information? Imagine feeling confident in the integrity of your software when you store your users' sensitive data. In this short book I'll give you clear, actionable details on how to secure various parts of your web application. Several years ago I was writing a web application for a client in the CodeIgniter PHP framework, *shudder*, but CodeIgniter didn't include any type of authentication system built in. Here we are years later, and a lot of us have moved on to other frameworks or languages, but I still repeatedly see basic security being overlooked.

Topics

This is a quick read, at just over 100 pages.

Never trust your users - escape all input
HTTPS/SSL/BCA/JWH/SHA and other random letters, some of them actually matter
Password Encryption and Storage for Everyone
Authentication, Access Control, and Safe File Handling
Safe Defaults, Cross Site Scripting and other Popular Hacks
Storing Objects in HTML5 localStorage

ECMAScript 5 Strict Mode, JSON, and More

Previously I analyzed ECMAScript 5's Object and Property system. This is a huge new aspect of the language and deserved its own special consideration. There are a number of other new features and APIs that need attention as well. The largest of these are Strict Mode and native JSON support.

Strict Mode

Strict Mode is a new feature in ECMAScript 5 that allows you to place a program, or a function, in a "strict" operating context. Since ECMAScript 5 is backwards-compatible with ECMAScript 3, all of the "features" that were in ECMAScript 3 and were "deprecated" are simply disabled (or throw errors) in strict mode instead. Strict mode helps out in a couple of ways:

It catches some common coding bloopers, throwing exceptions.
It prevents, or throws errors when, relatively "unsafe" actions are taken (such as gaining access to the global object).
It disables features that are confusing or poorly thought out.

Most of the information about strict mode can be found in the ES5 specification [PDF] on page #235.
Zend Framework & MVC Introduction - Zend Framework Quick Start

Zend Framework

Zend Framework is an open source, object-oriented web application framework for PHP 5. Zend Framework is often called a 'component library', because it has many loosely coupled components that you can use more or less independently. Using these components, we will build a simple database-driven guest book application within minutes.

Model-View-Controller

So what exactly is this MVC pattern everyone keeps talking about, and why should you care? Let's break down the pattern and take a look at the individual pieces:

Model - This is the part of your application that defines its basic functionality behind a set of abstractions.
Model–view–controller

Model–view–controller (MVC) is a software pattern for implementing user interfaces. It divides a given software application into three interconnected parts, so as to separate internal representations of information from the ways that information is presented to or accepted from the user. The central component, the model, consists of application data, business rules, logic and functions. A view can be any output representation of information, such as a chart or a diagram. Multiple views of the same information are possible, such as a bar chart for management and a tabular view for accountants. The third part, the controller, accepts input and converts it to commands for the model or view.

Component interactions

(Figure: A typical collaboration of the MVC components.)

In addition to dividing the application into three kinds of components, the Model–view–controller (MVC) design defines the interactions between them.
Unified Modeling Language

The Unified Modeling Language (UML) is a general-purpose modeling language in the field of software engineering, which is designed to provide a standard way to visualize the design of a system. It was created and developed by Grady Booch, Ivar Jacobson and James Rumbaugh at Rational Software in the 1990s. In 1997 it was adopted by the Object Management Group (OMG), and has been managed by this organization ever since.

Overview

(Figure: A collage of UML diagrams.)

The Unified Modeling Language (UML) offers a way to visualize a system's architectural blueprints in a diagram (see image), including elements such as:

Although originally intended solely for object-oriented design documentation, the Unified Modeling Language (UML) has been extended to cover a larger set of design documentation (as listed above), and has been found useful in many contexts.

History

(Figure: History of object-oriented methods and notation.)
Create, read, update and delete

Another variation of CRUD is BREAD, an acronym for "Browse, Read, Edit, Add, Delete". DRULAB is also a variation, where "L" stands for Locking the access to the data (Delete, Read, Update, Lock, Add, Browse). This concept is mostly used in the context of data protection.

Database applications

The acronym CRUD refers to all of the major functions that are implemented in relational database applications. Each letter in the acronym can map to a standard SQL statement, HTTP method or DDS operation:

Although a relational database provides a common persistence layer in software applications, numerous other persistence layers exist.

User interface

Create or add new entries
Read, retrieve, search, or view existing entries
Update or edit existing entries
Delete/deactivate existing entries

Without at least these four operations, the software cannot be considered complete.
Top 10 MySQL Mistakes Made By PHP Developers

A database is a fundamental component for most web applications. If you're using PHP, you're probably using MySQL, an integral part of the LAMP stack. PHP is relatively easy and most new developers can write functional code within a few hours. However, building a solid, dependable database takes time and expertise. Here are ten of the worst MySQL mistakes I've made (some apply to any language/database)...

1. MySQL has a number of database engines, but you're most likely to encounter MyISAM and InnoDB. MyISAM is used by default. The solution is simple: use InnoDB.

2. PHP has provided MySQL library functions since day one (or as near as makes no difference). If you are using MySQL version 4.1.3 or later, it is strongly recommended that you use the mysqli extension instead. mysqli, or the MySQL improved extension, has several advantages:

Alternatively, you should consider PDO if you want to support multiple databases.

3. 4. 5. 6. 7. 8.
PHP: The Right Way