
35 PHP Programming Tips/Tricks.


Guest Y.P.Y


Security:
1- Do not save included files as FileName.inc! Use FileName.class.php or FileName.include.php or... Or use an .htaccess file to determine the access levels:

<FilesMatch "\.(htaccess|inc)$">
Order Allow,Deny
Allow from localhost
Allow from 127.0.0.1
Deny from all
# Or
AddType application/x-httpd-php .inc .php .php3 .php4 .php5 .php6 .phphtml
AddHandler application/x-httpd-php .inc .php .php3 .php4 .php5 .php6 .phphtml
</FilesMatch>

Speed:
2- Don't open/close PHP tags excessively.

Security & optimization:
3- Start your PHP classes with a __construct function or a ClassName function.

class MyClass
{
	public function __construct()
	{
		# Codes...
	}
}
# Or (PHP 4-style constructor: a method with the same name as the class)
class MyClass
{
	public function MyClass()
	{
		# Codes...
	}
}

If you do not use class inheritance, start classes and functions with the final keyword.

final class MyClass
{
	final public function MyClass()
	{
		# Codes...
	}
	final private function MyFunction()
	{
		# Codes...
	}
}

Security:
4- Don't store passwords/shown values in cookies (they can be changed by a hacker)!

Security:
5- If you do not use object cloning, add a __clone function to your class (that's safe):

class MyClass
{
	public function __clone()
	{
		exit;
	}
}

Security & speed & optimization:
6- Use $_REQUEST instead of $_GET & $_POST. ($_REQUEST covers both POST & GET abilities/facilities.)

Security & optimization:
7- DON'T use SQLite for HEAVY (lol) software! Because:
No need for server processing! Maybe this is a good point, but it has a series of large and dangerous problems: file locking, issues syndicate, memory problems, lack of query cache, binary problems, overflow and...
Binary safe! To insert data as a binary type, you must first encode it. So, after a SELECT, you must encode/decode the retrieved data (x times!).
All tables get locked in operations! So slow/bad reading & writing!

Speed & optimization:
8- The PHP standard functions are better than PCRE functions (test it) (if you don't need expressions).
str_replace is better than preg_replace.
stristr is better than eregi.
socket functions are better than curl functions.
stream functions are better than curl & fopen functions.
and...

Security & optimization:
9- Before using classes & functions, make sure they exist!

if(!extension_loaded('mysql')): exit('Extension MySQL not loaded.'); endif;
...
if(function_exists('mysql_real_escape_string')): mysql_real_escape_string(...); else: mysql_escape_string(...); endif;
...
# The cast has no effect unless its result is assigned back to the variable.
if(function_exists('settype')): settype($Str_Input, 'string');
else: $Str_Input = (string)$Str_Input;
endif;

Security & optimization:
10- Static coding alphabet! Between (correct):

<input name="InpTxt_Username" type="text" value="" maxlength="15" size="15" id="InpTxt_Username">

And (wrong):

<input type="text" name="InpTxt_Username" id="InpTxt_Username">

Very different, and abuse is in place. Even between CSS parameters (wrong):

overflow: hidden; width: 250px; height: auto;

And (right):

width: 250px; height: auto; overflow: hidden;

Very different, and abuse is in place. Also between (correct):

$_REQUEST['FormName'], $_REQUEST['SubmitButtonName']...

And (wrong):

$_GET['FormName'], $_GET['SubmitButtonName']...

Very different, and abuse is in place. So, after writing these (even if they are inserted automatically), please be watchful!

Security & optimization:
11- Don't use the var keyword in your PHP classes (var is not safe!). var == public (in PHP 5)! Use protected/public/private instead of var.

Speed & optimization:
12- Use self:: and parent:: instead of ClassName::.

Security:
13- Common vulnerability!
/index.php?Module=News&Action=Show&Identity=1&Valid=True...
Can be:
/index.php?Module=../!!!!!&Action=Show&Identity=-1'!!!!!&Valid=True...
So be careful! Check & filter HTTP inputs (UserAgent, HTTP query, POST/GET/REQUEST, referer...)!

Security:
14- Set the permission of all files to read-only (also index.html or index.php in empty folders!).

Security & optimization:
15- Don't use short tags like <? and ?> in your code (short_open_tag), because this option is Off in most servers.

Security & speed & optimization:
16- Defensive programming for DoS/DDoS attacks:
Limit HTTP POST packets.
Limit request bodies.
Limit file upload size.
Use HTTP/output compression.
Optimize client-side code/files.
Don't redirect HTTP errors to the index page (also, you may have a dangerous referer!).
Use standard image formats (JPE, JPG, JPEG...).
Handle repetitions & duplications (forms, URL, postback...).
and...

Security & optimization:
17- Create/change your database tables in the UTF-8 charset (NO LATIN!).

charset='utf8' collate='utf8_general_ci'

Software size & optimization:
18- Don't put bad comments or excessive comments like ####################################... or /////////////////////////////////... (This is web programming, not desktop programming)!

Speed & optimization:
19- Define your functions in classes using the static method (if possible).

Speed & optimization:
20- Don't use the print statement in web applications!

Security & optimization:
21- Check your tables before CREATE/DROP during installation (for errors/warnings).

drop table if exists `xxxxx`;
create table if not exists `xxxxx`;

Security:
22- Set a password for the database (don't leave it default).

Security & speed & optimization:
23- Options proposed for php.ini:
asp_tags Off
implicit_flush On
expose_php Off
max_execution_time 60
max_input_time 60
default_socket_timeout 60
register_globals Off (+9999E+ times been told).
session.auto_start 0
DATABASE.allow_persistent Off
DATABASE.max_persistent 1
set DATABASE.default_user
set DATABASE.default_password
session.hash_function 1 (SHA1)
mbstring.func_overload 0 (http://bugs.php.net/bug.php?id=30766).
Put exec, system, passthru, shell_exec, proc_open, pcntl_exec in the disable_functions option.
safe_mode On (in normal reason)
And...

Software size & optimization:
24- Clear all index.php & index.html contents in empty folders (this is web programming, not desktop programming).

Security & speed & optimization:
25- Make an .htaccess file and put these settings into it:

<Limit PUT DELETE OPTIONS CONNECT>
Order Allow,Deny
Allow from localhost
Allow from 127.0.0.1
Deny from all
</Limit>
<Limit POST GET HEAD>
Order Allow,Deny
Allow from all
Deny From "255.255.255.255"
Deny From "0.0.0.0"
Deny From "1.1.1.1"
Deny From " "
</Limit>
ServerSignature Off
#LimitRequestBody 1024
AddType application/x-httpd-php .php .php3 .php4 .php5 .php6 .phphtml
AddHandler application/x-httpd-php .php .php3 .php4 .php5 .php6 .phphtml
DirectoryIndex index.html index.php index.php3 index.php4 index.php5 index.php6 index.phphtml
Options All -Indexes -ExecCGI -MultiViews
<FilesMatch "\.(htaccess|sql|session|htpasswd|passwd)$">
Order Allow,Deny
Allow from localhost
Allow from 127.0.0.1
Deny from all
</FilesMatch>
# Hmmm?!...
<Files "robots.txt">
Order Allow,Deny
Allow from localhost
Allow from 127.0.0.1
Deny from all
</Files>
#AcceptPathInfo On
<IfModule security_module>
SecFilterEngine DynamicOnly
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecServerSignature ""
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "concat"
SecFilter "union"
SecFilter "select.+from"
SecFilter "select+*+from"
</IfModule>

Security & speed & optimization:
26- If you have a multi-language application, don't put all language arrays/variables into one file! You can do this: global.php, index.php, login.php, menu.php and...

Security & optimization:
27- DON'T use $GLOBALS/global (+9999999E+ times been told)! This is scope. Unset not supported. Not safe. Not secure. Not *****!

Security & optimization:
28- A suggestion: use require & require_once instead of include & include_once.

Security:
29- After installation/configuration of the software, delete setup/installation files & folders.

Speed:
30- Use the switch command instead of multi-conditionals (if, elseif...).

Speed & optimization:
31- Don't add @ (error suppression) before heavy functions (or all functions!).

Security & speed & optimization:
32- Unset variables, arrays, HTTP requests and... after usage. Please!

unset($variable, $array...);
# ...
unset($_SERVER['QUERY_STRING'], $_SERVER['REQUEST_URI'], ...);
# ...
$obj_myclass = new myclass();
# usage & codes...
$obj_myclass = null;

Speed & optimization:
33- Put your short PHP code into an HTML file, not a PHP file.

Security & optimization:
34- Use session_unset and session_destroy after usage of sessions (not just session_destroy!).

35- Finally, check the size, resolution and... of uploaded images! Otherwise your file can be:

<?php
@system($_REQUEST['Command']);
?>
or
<?php
worm, cookie stealer...
?>
or...

Sorry for bad English. :) Good luck. :)
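As an added example that is not part of the original post, here is how tip 13 (the Module/Action/Identity/Valid request) can be filtered before any file include or database query takes place. The parameter names come from the post; the allowed module/action lists, the modules directory and the helper names are assumptions.

```php
<?php
// Added example (not from the original post): whitelist validation of the
// request parameters shown in tip 13. ALLOWED_MODULES/ALLOWED_ACTIONS and
// the modules/ directory are assumptions for the demonstration.
declare(strict_types=1);

// Only modules that actually exist may be loaded; anything else is rejected.
const ALLOWED_MODULES = ['News', 'Users', 'Search'];
const ALLOWED_ACTIONS = ['Show', 'List'];

/**
 * Return a cleaned copy of the request parameters, or null if any value is
 * outside the expected set. Nothing from the raw request is used directly.
 */
function validate_request(array $request): ?array
{
    $module   = $request['Module']   ?? '';
    $action   = $request['Action']   ?? '';
    $identity = $request['Identity'] ?? '';
    $valid    = $request['Valid']    ?? '';

    // Exact string match against a fixed list, so "../" or "News/../x" never passes.
    if (!in_array($module, ALLOWED_MODULES, true)) {
        return null;
    }
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        return null;
    }
    // Identity must be a positive integer; a value such as "-1'!!!!!" fails entirely.
    $id = filter_var($identity, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Boolean flag: accept only true/false spellings, not arbitrary text.
    $flag = filter_var($valid, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    if ($flag === null) {
        return null;
    }

    return ['Module' => $module, 'Action' => $action, 'Identity' => $id, 'Valid' => $flag];
}

// The include path is built from the validated name only, under a fixed directory,
// so the request can never choose the directory.
function module_file(string $module): string
{
    return __DIR__ . '/modules/' . $module . '.php';
}

// Constructed sample inputs: the benign request and the malicious one from tip 13.
$good = ['Module' => 'News',     'Action' => 'Show', 'Identity' => '1',        'Valid' => 'True'];
$bad  = ['Module' => '../!!!!!', 'Action' => 'Show', 'Identity' => "-1'!!!!!", 'Valid' => 'True'];

foreach (['good' => $good, 'bad' => $bad] as $label => $request) {
    $clean = validate_request($request);
    if ($clean === null) {
        echo $label, ": rejected before any include or query\n";
        continue;
    }
    echo $label, ": would load ", module_file($clean['Module']),
         " with id ", $clean['Identity'], "\n";
}
```

The integer id returned by validate_request() is the only thing that should reach the database, and even then through a bound parameter of a prepared statement rather than string concatenation; the module name is used solely to pick a file from a directory the application controls.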

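As a second added example that is not part of the original post, the checks tip 35 asks for on uploaded images: size, resolution and content-detected type, followed by re-encoding through GD and storage under a server-chosen name. The form field name, the limits, the upload directory and the helper names are assumptions; it targets PHP 8 (match) with the GD and fileinfo extensions.

```php
<?php
// Added example (not from the original post): validating and re-encoding an
// uploaded image, as tip 35 requires. Limits, the 'Image' field name and the
// destination directory are assumptions.
declare(strict_types=1);

const MAX_BYTES  = 2 * 1024 * 1024;   // 2 MiB
const MAX_WIDTH  = 4000;
const MAX_HEIGHT = 4000;
// Accepted MIME types as detected from file content, each mapped to the
// extension the server will use; the client's filename and type are ignored.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Check one entry of $_FILES. Returns [true, extension] when the file is an
 * acceptable image, or [false, reason] when it must be rejected.
 */
function check_uploaded_image(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload failed'];
    }
    $path = $file['tmp_name'];
    if (!is_uploaded_file($path)) {          // must come from this request's upload
        return [false, 'not an uploaded file'];
    }
    if (filesize($path) > MAX_BYTES) {
        return [false, 'too large'];
    }
    // Resolution: getimagesize() parses the image header, not the extension.
    $info = @getimagesize($path);
    if ($info === false) {
        return [false, 'not an image'];
    }
    [$width, $height] = $info;
    if ($width > MAX_WIDTH || $height > MAX_HEIGHT) {
        return [false, 'resolution too high'];
    }
    // MIME type from content sniffing, cross-checked against getimagesize().
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime !== $info['mime'] || !isset(ALLOWED[$mime])) {
        return [false, 'unsupported type'];
    }
    return [true, ALLOWED[$mime]];
}

/**
 * Re-encode the image with GD so only pixel data survives (anything appended
 * to the original file is dropped) and store it under a random name.
 */
function store_image(string $tmpPath, string $ext, string $destDir): string
{
    $img = match ($ext) {
        'jpg' => imagecreatefromjpeg($tmpPath),
        'png' => imagecreatefrompng($tmpPath),
        'gif' => imagecreatefromgif($tmpPath),
    };
    if ($img === false) {
        throw new RuntimeException('decode failed');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // never the user's filename
    $dest = rtrim($destDir, '/') . '/' . $name;
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 85),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('write failed');
    }
    return $name;
}

// Usage: $_FILES['Image'] is the assumed form field. The destination should be
// a directory outside the web root, or one the web server never executes PHP from.
[$ok, $result] = check_uploaded_image($_FILES['Image'] ?? []);
if ($ok) {
    $stored = store_image($_FILES['Image']['tmp_name'], $result, '/var/www/uploads');
    echo 'stored as ', htmlspecialchars($stored), "\n";
} else {
    http_response_code(400);
    echo 'rejected: ', htmlspecialchars($result), "\n";
}
```

Re-encoding is the step that actually neutralises a file like the one shown at the end of the post: a PHP payload appended to, or hidden inside, a valid image does not survive decoding to pixels and writing a fresh file, and the random server-side name removes any chance of the client choosing a .php extension.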
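As a third added example that is not part of the original post, a login/logout pair covering tips 4 and 34 together: the user's data lives only server-side in $_SESSION (the cookie carries just a session id), and logout calls session_unset() and session_destroy() and also expires the session cookie. The user record, field names and helper names are assumptions.

```php
<?php
// Added example (not from the original post): keeping user data out of cookies
// (tip 4) and tearing the session down fully (tip 34). The user store below is
// constructed for the demonstration; a real application reads it from the database.
declare(strict_types=1);

function find_user(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        // Only a password hash is stored, never the password itself.
        $users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    $user = find_user($username);
    // Verify against a dummy hash for unknown users so the response time does
    // not reveal whether the username exists.
    $hash = $user['hash'] ?? password_hash('dummy-password', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $user === null) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);         // fresh id after the privilege change
    $_SESSION['user_id'] = $user['id'];  // server-side only; the browser sees just the session id
    return true;
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_unset();    // 1. drop every value in $_SESSION
    session_destroy();  // 2. remove the server-side session record
    // 3. expire the browser's session cookie so the old id is not sent again
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
}

// Usage with constructed credentials; in a web request the values come from the form.
if (login('alice', 'wrong password')) {
    echo "unexpected: bad password accepted\n";
}
if (login('alice', 'correct horse')) {
    logout();   // $_SESSION is empty and the cookie is expired afterwards
    echo "logged in and out\n";
}
```

The point of the three-step logout is that session_destroy() alone leaves the values in $_SESSION for the rest of the current request and leaves the cookie in the browser; clearing both closes those gaps.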
