
Tips for PHP Developers

Date: 2007-07-27  Source: linxh

Reposted from: http://www.cluesheet.com/

Security

  • Do use PDO parameters over values interpolated into the SQL string to avoid SQL injection.
  • Do use htmlspecialchars/htmlentities and/or strip_tags to escape HTML and JavaScript to avoid XSS exploits.
  • Do use sessions and secure sockets to prevent session hijacking. Use md5 checksums to validate session ids. Store a special token md5(uniqid(rand(), true)) in the session and bump it against a hidden field in the POST form, e.g. $_SESSION["token"] === $_POST["token"].
  • Do use escapeshellarg/escapeshellcmd when calling exec to avoid command injection.
  • Do remove line breaks from incoming header values to prevent early header termination and header injection (fixed in PHP > 5.1).
  • Use an md5 checksum on serialized values and the session id to validate integrity.
  • Use === to verify input values to ensure type matching.
  • Do use security through obscurity:
    • ini_set("display_errors", false);
    • ini_set("log_errors", true);
    • ini_set("error_log", "path/to/php.log");
    • ini_set("session.save_path", "path/above/www"); or use the "mm" session module, or store sessions in an SQLite db
    • php.ini expose_php=off
    • php.ini register_globals=off
    • Apache ServerTokens Prod
  • Use session_regenerate_id for any user privilege escalation in the application.
  • Use secure sockets (SSL) for commerce transactions.
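The security tips above combined into one POST handler, as an added example that is not code from the original page: the per-session token is bumped against the hidden form field with ===, input is type-checked with ctype_alnum, the lookup uses a bound PDO parameter, output is escaped with htmlspecialchars, and anything that reaches a response header has its line breaks stripped. The DSN, credentials and the users table are placeholder assumptions.

```php
<?php
// Added example, not from the original page: one POST handler that applies the
// tips above. DSN and credentials are placeholders; the users table is assumed.
define('DB_DSN',  'mysql:host=localhost;dbname=app;charset=utf8');
define('DB_USER', 'app');
define('DB_PASS', 'placeholder-password');
session_start();
if (empty($_SESSION['token'])) {
    // Per-session form token, stored server side and echoed into the form.
    $_SESSION['token'] = md5(uniqid((string) rand(), true));
}
// Remove line breaks before a value reaches a response header.
function clean_header_value($value) {
    return str_replace(["\r", "\n"], '', $value);
}
// Escape for HTML output so stored data cannot run as markup or script.
function h($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Bump the hidden field against the session token with ===.
    $posted = isset($_POST['token']) ? $_POST['token'] : '';
    if ($posted === '' || $posted !== $_SESSION['token']) {
        header('HTTP/1.1 403 Forbidden');
        exit('Invalid form token');
    }
    // ctype check instead of a regex: only letters and digits pass.
    $name = isset($_POST['name']) ? $_POST['name'] : '';
    if (!ctype_alnum($name)) {
        exit('Bad name');
    }
    // Bound PDO parameter; the value never becomes part of the SQL text.
    $pdo  = new PDO(DB_DSN, DB_USER, DB_PASS);
    $stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row) {
        session_regenerate_id(true);   // new session id on privilege change
        header('Location: ' . clean_header_value('/user/' . $row['id']));
        exit;
    }
    exit('No such user');
}
?>
<form method="post">
  <input type="hidden" name="token" value="<?php echo h($_SESSION['token']); ?>">
  <input type="text" name="name"><input type="submit" value="Go">
</form>
```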

Performance

  • Do use single quotes over double quotes.
  • Do use switch over lots of if statements.
  • Do avoid testing loop conditionals with function calls on every iteration, e.g. for($i=0;$i<=count($x);$i++){... (count() runs on every pass).
  • Do use foreach for looping over collections/arrays.
    • PHP 4: items are by value
    • PHP 5 and later: items can be by reference
  • Do consider using the Singleton pattern when creating complex PHP classes.
  • Do use POST over GET for all values that will wind up in the database, for TCP/IP packet performance reasons.
  • Do use ctype_alnum, ctype_alpha and ctype_digit over regular expressions to test form value types, for performance reasons.
  • Do use full file paths in the production environment over basename/file_exists/open_basedir to avoid the performance hit of the filesystem having to hunt through the include path. Once determined, serialize and/or cache path values in a $_SETTINGS array, e.g. $_SETTINGS["cwd"] = getcwd();
  • Do use require/include over require_once/include_once to ensure proper opcode caching.
  • Do use tmpfile or tempnam for creating temp files/filenames.
  • Do use a proxy to access web services (XML or JSON) on other domains via XMLHTTP to avoid cross-domain errors, e.g. foo.com <--> XMLHTTP <--> bar.com.
  • Do use error_reporting(E_ALL); during debugging.
  • Do set Apache AllowOverride to "None" to improve Apache performance in accessing files/directories.
  • Do use a fast file server for serving static content (thttpd), e.g. static.mydomain.com for static files and dynamic.mydomain.com for PHP.
  • Do serialize application settings like paths into an associative array and cache or serialize that array after first execution.
  • Do use PHP output control buffering for page caching of heavily accessed pages.
  • Do use PDO prepare over native db prepare for statements (PDO::MYSQL_ATTR_DIRECT_QUERY => 1).
  • Do NOT use SQL wildcard select, e.g. SELECT *.
  • Do use database logic (queries, joins, views, procedures) over loopy PHP.
  • Do use shortcut syntax for SQL inserts if not using PDO parameters, e.g. INSERT INTO MYTABLE (FIELD1,FIELD2) VALUES ('x','y'),('p','q');
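The settings-array and page-caching tips above, as an added example that is not code from the original page: the $_SETTINGS array is resolved once with getcwd(), serialized with an md5 checksum that is verified before unserialize, and heavily accessed GET pages are captured with output control buffering and served from disk until a TTL expires. $cacheDir is a placeholder path outside the web root.

```php
<?php
// Added example, not from the original page: cache the $_SETTINGS array with
// an md5 checksum after first execution, and serve heavily accessed pages from
// an output-buffer cache. $cacheDir is a placeholder outside the web root.
$cacheDir = '/path/above/www/cache';

function load_settings($file) {
    if (is_file($file)) {
        // Stored as "<md5>\n<serialized>"; refuse to unserialize on mismatch.
        $parts = explode("\n", file_get_contents($file), 2);
        if (count($parts) === 2 && $parts[0] === md5($parts[1])) {
            return unserialize($parts[1]);
        }
    }
    $settings = [
        'cwd'       => getcwd(),                 // full path, resolved once
        'templates' => getcwd() . '/templates',
    ];
    $ser = serialize($settings);
    file_put_contents($file, md5($ser) . "\n" . $ser, LOCK_EX);
    return $settings;
}

// Page cache keyed on the request URI; only GET responses are cached,
// and a cached copy is valid for $ttl seconds.
function page_cache_start($cacheDir, $ttl = 300) {
    if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
        return;
    }
    $file = $cacheDir . '/page_' . md5($_SERVER['REQUEST_URI']) . '.html';
    if (is_file($file) && time() - filemtime($file) < $ttl) {
        readfile($file);               // cache hit: skip rendering entirely
        exit;
    }
    // Cache miss: buffer the page and write it out when the buffer flushes.
    ob_start(function ($html) use ($file) {
        if ($html !== '') {
            file_put_contents($file, $html, LOCK_EX);
        }
        return $html;                  // still send it to the client
    });
}

$_SETTINGS = load_settings($cacheDir . '/settings.ser');
page_cache_start($cacheDir);
echo '<h1>Rendered at ', date('c'), ' from ',
     htmlspecialchars($_SETTINGS['cwd'], ENT_QUOTES, 'UTF-8'), '</h1>';
```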

Tools

  • microtime() - returns the current Unix timestamp with microseconds, to mark performance.
  • ab - Apache Bench server benchmarking tool (-n 1000, -c 500).
  • Zend Performance Suite
  • Callgrind/KCachegrind profiling tool.
  • http_load multiprocessing HTTP test client.
  • xdebug helps you debug your script by providing a lot of valuable debug information.
  • PHP Security Scanner
  • PECL APC opcode caching module.
    • pecl install APC
    • php.ini apc.stat=0
    • apc_store('settings', $_SETTINGS)

New Technologies/Techniques

  • Service Data Objects -SDOs enable PHP applications to work with data from different sources (like a database query, an XML file, and a spreadsheet) using a single interface.
  • JavaScript Object Notation - JSON is a lightweight computer data interchange format you can use instead of XML in AJAX apps.
  • PHP5.1.3 to be released within the week.
  • PHP6 will implement numerous changes.
  • DB2 Viper implements extensive XML support.

Speakers/Sites/Blogs/Lectures

  • Chris Shiflett: PHP Security Consortium and PHP security guru
  • John Coggeshall
  • Ilia Alshanetsky: PDO Lecture, Security Lecture
  • Marcus Boerger
  • Derick Rethans: eZ Components - RAD for PHP
  • Rasmus Lerdorf
  • Christian Wenz: The Return of Javascript: AJAX, New (and old) Trends in Web Hacking, The ABCs of Web Services
  • Andrei Zmievski: PHP 6 and Unicode
  • Paul Reinheimer: Simple Web Services: REST
  • Sara Golemon: Embedding and Extending PHP
  • Davey Shafik: Future Deployment of PHP Applications, Migrating to PHP 5.1
  • Marcus Baker: Is Agile Right for You?, The OO Sound Barrier: Leveraging OOP
  • Lukas Smith: Beyond SQL
  • Johannes Schlueter:
  • Grant Hutchison: XML to the Max - DB2 Viper with PHP
  • Caroline Maynard: PHP Service Data Objects
  • Andi Gutmans
  • Jason Sweat
  • Joe Stagner
  • Hartmut Holzgraefe
  • Tony Cairns: i5/OS Zend Core Roadmap
  • Marco Tabini