
general questions



This is the time of year where I calculate all the things in PHP I do not understand and ask for help from people I trust to know the answer, who have helped me this long time. I have come a long way towards mastering PHP/SQL, using MySQL and other things. I have noticed I am particularly interested in 2 things, so I spent a very long time studying them: I am very good with PHP security and performance. Now all I need to do is get better at actually working with PHP and utilizing it. Here are some questions I couldn't find answers to that might allow me to step over the learning curve I have been trying to work over for so long. If you have the answer to one I would be happy to hear it; anything that would help or point me in the right direction would be greatly appreciated.

1. OK, I know about 3 files that I want to totally learn about, how to use them and how to control them: the .htaccess, the php.ini, and the httpd.conf. I found a great tutorial here on PHP Freaks to help me answer ALL my questions on php.ini; it explains it very well, and the PHP manual has some good info on that. I wanted to study that soon, but does anyone have any idea where I can find decent/good resources on the others? I don't know where these originate, and searching for just the file extensions and related searches in Google brought up nothing.

2. One specific question I had was about httpd.conf: where do I get access to this file? Studying security I ran across some information, and I am trying to make it a habit to always change (and encourage clients to change) the Server Signatures and Server Tokens. I want to make this a habit but don't know where to access the file, or how to get access to it with web hosting companies.

3.
OK, this is very important to me. I have run across some functions in a book and triple cross-referenced them. The best practice I see would be to do this with everything, but I don't understand the process and can't find any good resources on it to answer my specific questions. It's relating to encryption and decryption, like this.

Encryption

<?php
// mcrypt was deprecated in PHP 7.1 and removed in 7.2; this is the PHP 5-era
// script from the book, reformatted with its defects fixed.
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_256, '', MCRYPT_MODE_CFB, '');
// Read the IV from the OS entropy source instead of MCRYPT_RAND seeded with
// srand(microtime()), which is predictable.
$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_DEV_URANDOM);
$ks = mcrypt_enc_get_key_size($td);
// Weak spot kept from the original: the key is the first $ks hex characters of
// a SHA-1 digest of a phrase, so each key byte carries at most 4 bits of entropy.
$key = substr(sha1('Your Secret Key Here'), 0, $ks);
mcrypt_generic_init($td, $key, $iv);
$ciphertext = mcrypt_generic($td, 'This is very important data');
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
// Both values are raw bytes: never trim() them (that corrupts the data), and
// keep the IV with the ciphertext, because decryption needs both.
print bin2hex($iv) . "\n";
print bin2hex($ciphertext) . "\n";
?>

Decryption

<?php
// Same setup as above. This script encrypts and then decrypts in one run, so
// the IV is still in memory; a separate decrypt script would receive the IV
// together with the ciphertext (for example from the same database row).
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_256, '', MCRYPT_MODE_CFB, '');
$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_DEV_URANDOM);
$ks = mcrypt_enc_get_key_size($td);
$key = substr(sha1('Your Secret Key Here'), 0, $ks);
mcrypt_generic_init($td, $key, $iv);
$ciphertext = mcrypt_generic($td, 'This is very important data');
mcrypt_generic_deinit($td);
// Decryption re-initialises with the same key and IV and calls mdecrypt_generic().
mcrypt_generic_init($td, $key, $iv);
$plaintext = mdecrypt_generic($td, $ciphertext);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
print bin2hex($iv) . "\n";
print bin2hex($ciphertext) . "\n";
print $plaintext . "\n";   // CFB mode adds no padding, so no trim() is needed
?>

With this I want to get in the habit of ALWAYS encrypting all data before emailing form information or entering it into a database, and decrypting it, but I don't understand the how and when. Do I encrypt after validation, before emailing or databasing? If so, then when do I decrypt? If I encrypt before emailing, when it reaches the client's email address (the person I am working for), can he read it, or am I understanding this wrong? I really want to get this down and master these if this is helpful; if it's useless for that, then what can I use it for, what type of things?

4. I want to find more books. I have a few on Photoshop CS2, the JavaScript Bible newest version, and PHP in a Nutshell, which I am not happy with because it cut everything out from the online version that I needed. I want to find some really good books on JavaScript (not really, the JS Bible is good), PHP, SQL (MySQL or others), and especially some general databasing, web site security, anything. I really want to get better books. I could, yes, get them myself, "Google" it or however, but I am wanting some personal advice from people who bought specific books and received very good usage from them.

5. If I fclose() a file inside a script, and lock it with flock() completely, will someone be able to open the file using a URL if it's live, or is that a good way to prevent people from getting to a part of the site? Like, I could flock() a db connection page using like 3 other pages; isn't that like a triple lock to prevent people from opening it or doing anything with it through a URL? Just a general inquiry, I don't know about this, I was just wondering; it was a theory.

6. This is really important to me; one thing I am trying to find out here is about opinions. What is better, honestly?
I use external .php files with forms, and I can do it that way. I tried doing same-page and it failed horribly; I completely sucked at it. I know that I love doing external when I am doing database connections or whatever else, and when you click submit and it comes up with the errors, they click back and the information is still there without them having to retype the data. What I was wondering about this was: what are the pros and cons of each one, from personal opinions and perspectives? I know that I prefer the external because it gives me more room to play around; I can have more fun with fewer distractions, and if I decide to do some huge scripts or try to get fancy, I have plenty of room to do whatever I want. I also heard some people keep db connections in another file and include it. I tried this and didn't like it; it seemed just harder to use. I only like using 1 external file, but I wanted to learn how to do same-page when doing really small contact forms, because I thought it would be a lot quicker. 5 hours fighting with a same-page file, then I switched over to an external file and it worked perfectly. I don't see the point in going through the hassle.

7.
The reason I don't understand classes is because they're always used in examples relating to people or real-life situations, but the bad thing about that is: when I see a dog/cat class, I can't create a dog/cat in a PHP function and use them. What can I do with that but print out bark or meow? I can't make a cat materialize and work with it and make it ###### and ######, and meow with ######() ######() meow(). I just don't understand how this works. How is a class utilized in a PHP file, for what kind of things; for instance, can a class come in when doing forms? If so, I mean, I read all the material given to me last time I asked, I have read through tons of tutorials and books, but when it comes to classes I get nothing but real-world explanations. Once I understand the concept of how it relates to PHP I will have an easier time keeping up with it when referring to real-world scenarios.

8. Why are there so many ways to validate form information? What in fact is the right/wrong way, or are no ways right or wrong? I don't understand this at all. I do it the way you saw earlier in other posts; I tried wildteen88's way but always get errors around the foreach statement. I tried other methods seen on here; some of them worked but didn't match my style of coding, it didn't feel good, or fun, programming those compared to other ways I have tried. How do I find the right kinds for me? This has been puzzling me for quite some time.

9. Is it good to use Hardened PHP, the act of

This is a set of patches to the PHP source code that make the task of hacking your server by exploiting PHP that much harder. Hardened PHP is not an official PHP project, and so cannot be relied upon to be as stable as the core PHP release, however it is just a set of minor patches and so isn't likely to affect stability at all.
(quoted from PHP in a Nutshell). Is this something I need to be aware of, study, or try to implement on a regular basis, or should I avoid this? What is the point?

10. Is there a book out there that is "JavaScript is to JavaScript Bible, as PHP is to whatever the book is"? I see the JS Bible and it has everything and anything I will ever want; I never will NEED another JavaScript book. I may get more for extra reading, but I'll never really need one. I want to find the same one in PHP, without it being the php.net manual, because I know not all of the functions are documented. I wanted a really good book for that, and so far haven't found anything; something in a book for when I am not working, or my wife is on the computer, and I don't feel like doing other things, I can still study. I got everything from PHP in a Nutshell I could; I have reread it 4 times, on and off, and double-checked sections numerous times, but they stripped so much from the online version it's not even worth it.

11. OK, this is about the eval function. Quoting the book PHP in a Nutshell, as it quotes the owner (or creator) of PHP, as him saying:
Rasmus Lerdorf "If eval() is the answer, you're almost certainly asking the wrong question."
With me seeing that, the book also comments
That is, you should be able to achieve your goals without resorting to eval().
With this being said, it is obviously trying to tell me, without an explanation, about eval() being bad, ineffective, or a security issue. What is the reason for him saying those things? Does anyone on here use eval()? What are the positives or negatives, and why is it so severe that the owner himself would comment on it specifically like that? If it was so bad, why doesn't he just remove it from the newer versions of PHP instead of letting it re-enter new versions, because by what he says it's not good to use.

12. The same with register_globals. I hate them; I always keep them off, and if they're not off I force them off. But why didn't the creator just remove them in 4-5 when he found out? Within 2 years everyone would have upgraded their scripts.

13. Why are so many 3rd-party scripts insecure, as in they require register_globals on to use them? That prevents me from accessing most major third-party scripts. I even had osCommerce and Zen Cart tell me register_globals had to be set on to be used. I just can't have that, forcing me to do something new every time.

14. Why is it that sometimes when I use empty it works and sometimes I have to add a ! at the beginning? That confuses me.

15. Someone told me that using isset to pick up information on whether a form was submitted or not does not always work, and it's better to use if ($_POST['whateverbuttoniscalled'] == "") instead of if (isset($_POST['whateverbuttoniscalled'])). Is this true, or was he just a dumbass that needed to re-learn PHP? The reason I ask is because this is the way I learnt and he criticized me for it. Also he disagreed that register_globals being on was a security issue; I went past him to his boss and talked him into changing the servers anyway. Where does he get those kinds of ideas? (Sorry, partially ranting and raving. And no, I am not a girl, I am a guy, I just get pissed sometimes.)

16.
Is there a consideration for release of PHP 6, a release date, beta release date? Does anyone here know anything that we might be able to expect from new releases?

17. Is MySQL 5 good enough for me to be able to utilize effectively, safely, and securely without too big of an issue?

18. Is it better to use PEAR DB when connecting to MySQL? Is it more or less secure? If so, is it part of the core language, or do I have to compile certain extensions?

Thanks for all the help, I greatly appreciate it.

15. Someone told me that using isset to pick up information on whether a form was submitted or not does not always work, and it's better to use if ($_POST['whateverbuttoniscalled'] == "") instead of if (isset($_POST['whateverbuttoniscalled'])). Is this true, or was he just a dumbass that needed to re-learn PHP? The reason I ask is because this is the way I learnt and he criticized me for it. Also he disagreed that register_globals being on was a security issue; I went past him to his boss and talked him into changing the servers anyway. Where does he get those kinds of ideas? (Sorry, partially ranting and raving. And no, I am not a girl, I am a guy, I just get pissed sometimes.)
$_POST[$var] is the special variable with $var as the query key (the same as the name attribute on the form input). The isset() function returns true when the variable is set (posted): on a page like www.somepage.com?query=value, isset($_GET["query"]) would return true, but isset($_GET["secondquery"]) would return false. You can use this by:
if (isset($_POST['var'])) {
    // code to be run when var has been posted within the form
}
if (!isset($_POST['var'])) {
    // code to be run when var has not been posted within the form
}


1 & 2. Well, to learn about httpd.conf you first need access to the file, which no web hosting company aside from serverpowered.com is going to give you access to, as it could compromise their entire server. If you do have access to it then I think the best place to start learning is by reading the descriptions of the properties in the file. It will be in the Apache folder, and in the conf folder there.

3. As far as encryption work goes, I wouldn't encrypt things you send in emails because the client will have no way of decrypting it unless you make the key public, in which case you're just wasting your time. I would only encrypt things before putting them in the database and decrypt them after getting them from the database. However, a note on passwords and other such things: you need not decrypt them, as functions such as md5 will always generate the same value for a given string. So all you need to do to get passwords to work is encrypt their password when they register and then encrypt their password every time they try to log in and check it against the encrypted password in the database.

4. I swear by the O'Reilly books. Go to a Borders or something and get the O'Reilly books "Programming PHP" and "Web Database Applications" (which uses PHP and MySQL) and you'll probably be set. Their JavaScript book is very good as well if you think you want another JS book. I have never regretted buying an O'Reilly book.

5. I doubt flock() prevents other people from accessing it, and I'm almost positive you can't flock() a db connection as it's not a file but a resource.

6. In my opinion you should only use external processing pages when either the code in the current page is getting a bit chunky and full or if you need to set a cookie or a header. Otherwise I see no reason to not just use the same page. There are however certain cases where you might want to use a separate page for a different reason.
For example you might want to create a page to handle all forms and actions and centralize things in a sort of way; not my personal preference though.

7. If you know the JavaScript DOM then you're ahead of the game when it comes to OOP. Object orientation is basically just a good way to bundle data and functions that act on that data. For example (tell me if this is another incomprehensible example), you may want to create a DB class to manage your db connection and handle queries of specific natures. You may have a forum, and in your DB class you have a function that will get all the forums associated with a certain section or get all of the topics associated with a forum.

8. My personal preference is to use JavaScript whenever I can to help prevent the reloading of a page. The benefit of using a server-side language against a client-side language for form validation is slim to none. So unless you have some data in a file or database to validate information or the format of information against, I would just use JavaScript.

9. I know nothing about Hardened PHP, but I would guess the point of it is the same as that of any extension of PHP: to give you more power. I would stay away from hacks you're unfamiliar with, as there could be security flaws or just flaws in general, and it would really ###### to make a bunch of changes and have your code break and not know how to get back to regular PHP without uninstalling and reinstalling it.

10. As for a PHP bible, I don't think there is one, but the O'Reilly book "Programming PHP" is very good. It covers the basics and some more advanced topics, though I wouldn't call it the PHP bible.

11. The positives are that you can dynamically generate PHP code from variables. This is much like the convention:

$v = 'foo';
$$v = 'bar';
$foo == 'bar'; // true

However, eval is slow and can be a security risk when used with user input. If you check all your user input then eval is just slow.

12. I don't know why he didn't take it out; maybe there's a hidden convenience to being able to pass any parameter at all to a script. The $$v = 'bar' can be an example of this.

13. I'm sure you (or at least a person) could hack the scripts so that they don't need register_globals on; it's just a question of how much effort vs. value when there are so many other alternatives that don't use register_globals already.

14. Well, I assume you know that the ! means a logical not, so when you say if(!empty($v)) you're saying if variable v contains something then do this. So I'm not sure if that answers your question or not.

15. I've never had a problem with isset, so I think he may have been mistaken.

16. Check php.net.

17. I am using some moderately advanced joins and table configurations and I'm using 4.1 :) so 5 should be fine.

18. I also don't know anything about PEAR DB, though I've been meaning to look it up (and I think "Programming PHP" talks about it).

I hope I at least answered some of your questions. Probably not as clear or concise as justsomeguy, but oh well.

P.S. You're not posting this on PHP Freaks, this is w3schools :)

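The approach asylum describes (encrypt sensitive fields before they go into the database and decrypt them on the way out; store passwords one-way and compare on login), as an added example that is not code from this thread. It uses the PHP openssl extension (AES-256-GCM through openssl_encrypt/openssl_decrypt) and password_hash/password_verify, which exist in PHP 7.2 and later, instead of the mcrypt and md5 calls discussed above. The key, the sample row and the password are constructed for the example, and the "v1:" + base64(iv|tag|ciphertext) storage format is this example's own convention.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes PHP 7.2+ with the openssl
// extension. The key, the row and the password are constructed sample data.

const CIPHER    = 'aes-256-gcm';
const IV_BYTES  = 12;   // 96-bit nonce, the standard size for GCM
const TAG_BYTES = 16;   // 128-bit authentication tag

// Encrypt one field. Output is "v1:" . base64(iv . tag . ciphertext), so the IV
// and the tag travel with the row (they are not secret); the key never does.
function seal_field(string $plaintext, string $key): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256 needs a 32-byte key');
    }
    $iv  = random_bytes(IV_BYTES);   // fresh per call; an IV reused under one key breaks GCM
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_BYTES);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return 'v1:' . base64_encode($iv . $tag . $ct);
}

// Decrypt one field. Returns null on malformed or tampered input: GCM refuses
// to hand back plaintext unless the tag verifies.
function open_field(string $blob, string $key): ?string
{
    if (strncmp($blob, 'v1:', 3) !== 0) {
        return null;
    }
    $raw = base64_decode(substr($blob, 3), true);
    if ($raw === false || strlen($raw) < IV_BYTES + TAG_BYTES) {
        return null;
    }
    $iv  = substr($raw, 0, IV_BYTES);
    $tag = substr($raw, IV_BYTES, TAG_BYTES);
    $ct  = substr($raw, IV_BYTES + TAG_BYTES);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Passwords are never encrypted: store a salted slow hash, compare on login.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Demo: one row as it would be written to the database, then read back.
function demo(): bool
{
    $key = random_bytes(32);   // in production: loaded from config outside the web root
    $row = [
        'email'    => 'alice@example.com',
        'ssn'      => seal_field('123-45-6789', $key),
        'password' => store_password('correct horse battery staple'),
    ];

    $ok = open_field($row['ssn'], $key) === '123-45-6789';

    // Change one character of the stored blob: decryption must fail, not return garbage.
    $tampered = $row['ssn'];
    $tampered[10] = ($tampered[10] === 'A') ? 'B' : 'A';
    $ok = $ok && open_field($tampered, $key) === null;

    $ok = $ok && check_password('correct horse battery staple', $row['password']);
    $ok = $ok && !check_password('wrong password', $row['password']);
    return $ok;
}

echo demo() ? "round trip, tamper check and password check OK\n" : "FAILED\n";
```

Run it with `php` on the command line. The design point is the split between the two kinds of data: a field you need to read back later gets authenticated encryption with a per-record IV, while a password is only ever hashed, so a copy of the table gives an attacker neither the plaintext fields (no key) nor the passwords (no feasible reversal).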

I post in both now, because people there help me with certain types of things, but people here know more about other types of things, especially JS and CSS. You answered my questions very well, and thanks for all the advice. The reason I specifically pointed out justsomeguy wasn't to say no one else could answer them as effectively; it is just that for some reason the way he explains things sometimes motivates me in ways that other people have not been able to, and has motivated me to get past some issues in learning that other people, "although they explained it perfectly enough for me to get a full understanding", somehow didn't add the motivation factor behind. Possibly because I started looking up to him after I wondered why he had such a weird pic; I thought he was weird, but after I started seeing the way he answered questions, I started looking up to him for having the knowledge, and motivation and passion in it, to easily pass it through conversation (not to say other people don't have passion and motivation). It's just that some people reach out to other specific people; he just happened to be one of the ones that reached out to me in his speech, and motivated me to press on during my trials and tribulations through programming. :S


I appreciate that, that's a nice thing to say. I'm happy to help, it's why I'm here. One of the best ways to learn is to explain it to other people. When I have some time I'll go through your questions and see if I can add anything.


I'm going to add my 2 cents by replying to asylum's post where appropriate, because I agree with a lot of what he says.

About server config files, I've never really looked into them myself. I don't think I've ever needed a reason to. Basically I don't want to count on the server having a specific .htaccess file or something like that; if I'm dealing with user authentication I'll do it in PHP and rest assured that it will work the same everywhere.

Re: encryption, the only time you would want to encrypt data is if you are storing the data and the data is sensitive. If you are storing sensitive data in a database or a file, it might be a good idea to encrypt it. Encryption can also be a selling point, but there's not much of a point in encrypting data that is not sensitive. If you are worried about transmitting sensitive data, then transmit it over SSL instead of HTTP.

I agree about the O'Reilly books. I've never felt like I needed to look elsewhere. Start browsing around oreilly.com and make a few purchases; I think you'll agree. Rasmus Lerdorf's Programming PHP is an excellent book, and there is now a second edition.

5. I doubt flock() prevents other people from accessing it and I'm almost positive you can't flock() a db connection as it's not a file but a resource.
I've never used flock, I don't think I've run into a situation where I would need it.
6. In my opinion you should only use external processing pages when either the code in the current page is getting a bit chunky and full or if you need to set a cookie or a header. Otherwise I see no reason to not just use the same page. There are however certain cases where you might want to use a separate page for a different reason. For example you might want to create a page to handle all forms and actions and centralize things in a sort of way; not my personal preference though.
In my own applications, I have a global configuration file that gets included on all pages. That config file, in turn, includes about 8 other files that I use for storing error messages in different languages, database information and helper functions, generic utility functions, authentication functions, session functions, etc. I can edit that one global config file and all pages have access to everything. This is what the start of my pages looks like:
<?php
require_once ("include/global.conf.php");
auth_user();

Voila. The user is authenticated, the database is connected, the session is started, and all global variables have been set. The major advantage of having a form validate and process itself is that if you have any errors, you just spit out the same thing with the error messages on it. I'll make a quick example to show you how easy it is to process on the same page. (here)

7. If you know the JavaScript DOM then you're ahead of the game when it comes to OOP. Object orientation is basically just a good way to bundle data and functions that act on that data. For example (tell me if this is another incomprehensible example), you may want to create a DB class to manage your db connection and handle queries of specific natures. You may have a forum, and in your DB class you have a function that will get all the forums associated with a certain section or get all of the topics associated with a forum.
The database class is a good example. I'm currently working on an error class, where when an error happens I can create a new error object, assign various properties (error message, error code, file, line number, etc) and then later print it out. This works well in a class because I can later make changes to the class, add sweet new capabilities, and all the old code still works. But the new code I use that class in can also take advantage of the new stuff. Or you can also change, for example, how the class outputs or stores the errors in the database, but none of the pages need to change. They just have this:

$error->print()

But now the print method does cooler things.
8. My personal preference is to use JavaScript whenever I can to help prevent the reloading of a page. The benefit of using a server-side language against a client-side language for form validation is slim to none. So unless you have some data in a file or database to validate information or the format of information against, I would just use JavaScript.
Now this I will definitely disagree with. There is one major benefit of validating server-side, and that is that the user cannot skip validation. In Opera, for example, turning off JavaScript (and all client-side validation) is as easy as pushing F12. JavaScript can be a good way to validate because it's convenient for the user, but in my opinion it should never be relied upon exclusively.
9. I know nothing about Hardened PHP, but I would guess the point of it is the same as that of any extension of PHP: to give you more power. I would stay away from hacks you're unfamiliar with, as there could be security flaws or just flaws in general, and it would really ###### to make a bunch of changes and have your code break and not know how to get back to regular PHP without uninstalling and reinstalling it.
I'll second that, I don't have any experience with hardened PHP.
10. As for a PHP bible, I don't think there is one, but the O'Reilly book "Programming PHP" is very good. It covers the basics and some more advanced topics, though I wouldn't call it the PHP bible.
True that, double true!

Ahh, eval, sweet eval. The reason people dislike eval is for exactly the same reason that people dislike GOTO statements: they can make for really sloppy code that is hard to follow and understand. JUMP and GOTO statements died a quiet death decades ago, but eval is still around because it can indeed still be useful, and sometimes it is the only alternative. I'll give you an example of the only time I can think of using an eval. I built an application for an international client who operates hotels, and they needed a way for their hotel staff worldwide to be able to fill out a series of forms online about their hotel and surroundings (like a 'wizard'), and at the end of the process a document gets generated with the next year's business plan. There were a couple hundred questions, and it would have been an ugly nightmare to go through each one individually, especially when some questions depend on the answers to other questions. So, when I was creating the document at the end, I had a class defined for the questions, and I had a lot of logic determining what they answered. So the logic statements had 2 operands (answer A and answer B) and an operator (equal, less than, greater than, greater than or equal, not equal, etc). So my logic statements looked like this:

eval("if ({$answerA} {$operator} {$answerB})");

which would evaluate to something like this:

if (12 >= 4)

or something. That's the only time I've ever needed to use eval. Anything else can probably be done a better way.

Re: register globals, there are people still using it, that's why it's still in there. Some people depend on it, and I guess it can still be useful, like eval.
14. Well I assume you know that the ! means a logical not so when you say if(!empty($v)) you're saying if variable v contains something then do this.
If you read that statement in literal English, you would say "if $v is not empty". Like asylum said, ! is logical not. != means not equal.
15. I've never had a problem with isset so I think he may have been mistaken.
Second that. Sometimes even isset is the only way, especially if the value "" is a valid value.
17. I am using some moderately advanced joins and table configurations and I'm using 4.1 :) so 5 should be fine.
If you can find a host with MySQL 5 on it, consider yourself lucky, and make fun of people who can't use subqueries yet. But then again, if you are building portable applications, you still can't count on MySQL 5 being present.
18. I also don't know anything about PEAR db though I've been meaning to look it up (and I think "Programming PHP" talks about it).
I've never used PEAR either, again because I haven't had a reason to. I have my own database abstraction functions (changing from mysql to postgresql is as easy as changing this:
function db_fetch_assoc($result)
{
  return mysql_fetch_assoc($result);
}

into this:

function db_fetch_assoc($result)
{
  return pg_fetch_assoc($result);
}

Like I said before, I use my own database functions, so my pages use db_query and db_fetch_assoc instead of a database-specific function. That's one reason why people use PEAR, because it abstracts out the database management system.Again, I appreciate what you said. And like I said, I'm happy to help, it's why I'm here. There are three very effective ways to learn: self-study, practical experience, and explaining to others.

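A self-processing form of the kind justsomeguy describes above, combined with his eval() comparison case, as an added example that is neither the thread's code nor the hotel application he mentions. The page validates the submission server-side (so a user who switches JavaScript off cannot skip it), re-renders itself with the submitted values and the error messages, and evaluates "answerA operator answerB" through an operator whitelist and a switch rather than eval("if (...)"). It assumes PHP 7.1 or later; the field names answerA, answerB and operator and the helper function names are made up for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the thread's code. Assumes PHP 7.1+. Field and function
// names are made up; the comparison mirrors the "answerA operator answerB"
// logic described in the post above, without eval().

// The only operators the page accepts. Nothing from the request is ever
// interpolated into PHP source, so a crafted "operator" value cannot run code.
const OPERATORS = ['==', '!=', '<', '<=', '>', '>='];

function compare(float $a, string $op, float $b): bool
{
    switch ($op) {
        case '==': return $a == $b;
        case '!=': return $a != $b;
        case '<':  return $a <  $b;
        case '<=': return $a <= $b;
        case '>':  return $a >  $b;
        case '>=': return $a >= $b;
    }
    throw new InvalidArgumentException("operator not allowed: $op");
}

// Server-side validation of the raw POST array. Returns [errors, cleaned values].
// `?? ''` reads a missing key without the notice that `$_POST['x'] == ""` raises.
function validate(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (['answerA', 'answerB'] as $f) {
        $v = trim((string)($post[$f] ?? ''));
        if ($v === '') {
            $errors[$f] = "$f is required";
        } elseif (!is_numeric($v)) {
            $errors[$f] = "$f must be a number";
        } else {
            $clean[$f] = (float)$v;
        }
    }
    $op = (string)($post['operator'] ?? '');
    if (!in_array($op, OPERATORS, true)) {
        $errors['operator'] = 'choose one of: ' . implode(' ', OPERATORS);
    } else {
        $clean['operator'] = $op;
    }
    return [$errors, $clean];
}

// Escape every user-supplied value before it goes back into the HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Re-render the form with sticky values and inline errors (the "same page" flow).
function render(array $post, array $errors, ?bool $result): string
{
    $out = "<form method=\"post\">\n";
    foreach (['answerA', 'answerB'] as $f) {
        $out .= "  <label>$f <input name=\"$f\" value=\"" . h((string)($post[$f] ?? '')) . "\"></label>\n";
        if (isset($errors[$f])) {
            $out .= "  <em>" . h($errors[$f]) . "</em>\n";
        }
    }
    $out .= "  <select name=\"operator\">\n";
    foreach (OPERATORS as $op) {
        $sel  = (($post['operator'] ?? '') === $op) ? ' selected' : '';
        $out .= "    <option value=\"" . h($op) . "\"$sel>" . h($op) . "</option>\n";
    }
    $out .= "  </select>\n";
    if (isset($errors['operator'])) {
        $out .= "  <em>" . h($errors['operator']) . "</em>\n";
    }
    $out .= "  <button name=\"submit\" value=\"1\">Compare</button>\n</form>\n";
    if ($result !== null) {
        $out .= "<p>Result: " . ($result ? 'true' : 'false') . "</p>\n";
    }
    return $out;
}

// Submission test: the request method (or isset($_POST['submit'])) tells you
// whether the form was posted; comparing a value against "" does not.
$errors = [];
$result = null;
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    [$errors, $clean] = validate($_POST);
    if ($errors === []) {
        $result = compare($clean['answerA'], $clean['operator'], $clean['answerB']);
    }
}
echo render($_POST, $errors, $result);
```

Save it as one file and serve it with `php -S localhost:8080`; submitting 12, `>=`, 4 prints "Result: true", and submitting a non-number or an operator not in the list comes back as the same form with the error beside the field. The whitelist plus switch does the same job as the eval("if ({$answerA} {$operator} {$answerB})") line above, but the request can only pick an operator, never supply code.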
