Saturday, July 8, 2017

PHP Error

urge you to give it an intensive read – it has some genuinely important data you ought to know about – particularly the initial eight focuses. Two or three days back, Anna Filina developed the rundown with seven new passages. While less particular and normal, her focuses still convey weight and ought to be considered when creating.


Mistakes PHP Developers Often Make
I was asked by somebody from TopTal to investigate their rundown and conceivably contribute, and some of our devotees on informal communities communicated an enthusiasm for seeing the rundown proceeded, as well, so I'd get a kick out of the chance to accept this open door to include some of my own entrances to this rundown that I over and over need to caution my colleagues or supporters about.
1. Using the mysql extension
When utilizing SQL databases, particularly MySQL, very numerous engineers still choose the mysql expansion. The mysql augmentation is formally expostulated. It's shaky, untrustworthy, doesn't bolster SSL and is feeling the loss of some advanced MySQL highlights. It additionally creates belittling notification which don't break your application, they simply show up at the highest point of your application. Amusingly, this means it's likewise conceivable to just Google for all the different destinations that utilization this uncertain setup by basically searching for this. The ton of pain those applications are presented to because of this chaos is amazing.


Instead of using mysql, opt for one of the alternatives: MySQLi, or PDO. For example, using MySQLi instead is almost as simple as adding the letter “i” to the end of the API calls:
$c = mysql_connect("host", "user", "pass");
mysql_select_db("database");
$result = mysql_query("SELECT * FROM posts LIMIT 1");
$row = mysql_fetch_assoc($result);
vs
$mysqli = new mysqli("host", "user", "pass", "database");
$result = $mysqli->query("SELECT * FROM posts LIMIT 1");
$row = $result->fetch_assoc();
That’s all it took to make the setup immeasurably more secure.
You should opt for PDO, though. More on that in point 2.
2. Don't Use PDO
Don’t get me wrong, mysqli is (quite literally) generations ahead of the ancient mysql extension. It’s kept up to date, secure, reliable and fast. However, it’s mysql specific. Using PDO instead would let you use some wonderfully practical object oriented syntax, and would prepare you for tango with other SQL databases like PostgreSQL, MS SQL, and more. What’s more, PDO will let you use named parameters, a feature so useful, few people can imagine going to anything else after having taken proper advantage of it. Last but not least, there’s this: you can inject fetched data directly into a new object, which is a delightful timesaver in large projects.


3. Don't Rewriting URLs
Another commonly ignored and easy to fix issue. URLs like myapp.com/index.php?p=34&g=24 are just not acceptable in this day and age. Due to it being incredibly difficult to write a good URL rewriting guide that would cover every server and framework out there, almost every framework has a guide on how to set up clean URLs (LaravelPhalconSymfonyZend) and any that don’t just aren’t worth using – they obviously don’t care about modern practices.
4. Suppressing errors
wrote about this in a previous article, but it’s worth mentioning again. Any time you find yourself using the @ operator, reconsider and approach the problem from a different angle more carefully. Take my word for it when I say that 20 lines of boilerplate cURL code around an app’s functionality is better than a single line with the @ operator in front of it.
I’ve found through personal experimentation that a good approach is the one I advocate in the original post – turn all your notices into fatal errors. Making sure nothing gets logged into the error logs because there’s literally nothing to log is better than pretending poop isn’t hitting the fan by holding @ in front of your eyes.
We recently covered some Heroku add-ons for production ready PHP apps, and one of those was the excellent Papertrail – an add-on which lets you push all your app’s errors to their backend for easier searching, grouping, and elimination later on; so even if some errors do happen, it’s better to let them be logged and get rid of them by fixing your code, than silencing them and playing dumb in front of your users.
5. Assigning in Conditions
Even experienced developers sometimes have a slip of the finger and write if ($condition = 'value') { instead of if ($condition == 'value') {. Our hands will slip, our keyboards won’t register the keypress, we’ll end up pasting from another part of the code where the assignment actually happened – it happens, and we usually find out only when we run the app.
There are several ways to completely avoid this:
1.      Use a decent IDE. Any good IDE (like PhpStorm, for example) will warn you of “assignment in condition” issues when it detects them.
2.      Use “Yoda Conditions”. You’ll see these in many popular projects, even large frameworks. By inverting the comparison (as in, if ('value' = $condition) {), weaker IDEs will notice the problem, too. Some consider the Yoda syntax annoying and pointless, a lifeline where there should be none (“be more carefuly with your code, dammit”), but to each his own – if it helps someone, I’m all for it. If we were all elitists, WordPress and Zend Framework wouldn’t exist.
3.      By simply keeping it in mind, you’ll develop an eye reflex to check for it every time you write it. All it takes is practice, but it happens even to the best devs and that’s where 1. and 2. come in handy.
6. Being Too Transparent
Saying this might stir up some controversy, but here goes anyway. Unless you have 100% confidence in the framework’s developers, or don’t operate high-profit, high-traffic business critical applications, you should always strive to obscure your back-end ways – not broadcasting which framework your app is based on can actually help in preventing attacks, should a security vulnerability of that framework be discovered.
This is great if you’re at work and can upgrade immediately without devops issues and getting the team huddled up first, but for most people and companies using Symfony, this is not the case. Even though Symfony can be upgraded via Composer (as Ryan mentioned in the comments below), it usually takes a while to get approval in large teams with multi-tier environments. All websites using this translator approach that are declared Symfony users were (are?) therefore exposed to this vulnerability until fixed.
Using Symfony in the example above was just that – an example. Similar situations have arisen with countless other software over the years. Back when I still used Zend Framework commercially, we had this happen too, and suffered an attack due to it. WordPress has had its share of security gaffes and we know how high of a percentage of websites out there they power. These things happen, and sometimes, open source and transparency aren’t the best approach when dealing with applications that carry the majority of a company’s revenue stream.
7. Not Removing Development Configurations
Last but not least, development configuration removal should be mentioned. Quite recently (and it’s an honest coincidence I’m mentioning Symfony here again), Cnet suffered an attack due to not removing their development configuration.
Cnet, one of the world’s largest tech news sites, is based on Symfony. Symfony, as you might know, features two entry points to your application: app.php and app_dev.php. By pointing your browser to one, you get the production environment. By pointing to the one with the _dev suffix, you obviously get the development version, which features a debugger, sensitive data, and more. Whether this is good or bad is a subject of many discussions (again, thanks to Ryan for pointing this out), but it’s undeniable that it opens some clumsier developers to errors such as those Cnet suffered from. What’s more, any other URLs accessed when on app_dev will get redirected to other app_dev URLs. In other words, it’s not just the index page that launches in development mode, it’s the entire website – in Cnet’s case, that’s a lot of access.
If you follow the discussion on Twitter, it gets emabrrasingly sad really fast – and what’s even sadder is that it could have been avoided in a second’s work:
1.      The devs could have removed app_dev.php from the production servers
2.      The devs could have whitelisted IPs allowed to access app_dev.php, which is how it works by default unless you loosen those restrictions up.
Either of these approaches would have completely prevented all problems. Remember, when pushing to production, make sure your development configuration is either fully inaccessible, or accessible only to a whitelisted set of IPs.
Conclusion
How do you feel about this list? Does it cover common aspects or is it too esoteric? Do you have some more common pitfalls the three posts in total have failed to mention? Let me know in the comments below and we’ll update the post if your advice is sound!
Other links you may like
Installation process of CentOS 64-bit | Installing WampServer on Windows 7 and 8 | Kerio Control Installation and Configuration | Make USB Bootable | Microsoft Data Protection Manager 2012 | Most Common Mistakes Of Java Developers 

3 comments: