Domain: everything2.org
Stories and comments across the archive that link to everything2.org.
Stories · 8
-
The PHP Anthology - Volume I, 'Foundations'
sympleko (Matt Leingang) writes "What a beautiful word anthology is. It comes from the Greek for a gathering of flowers, and in literature means a collection of works. Harry Fuecks, a very frequent contributor to the SitePoint community PHP forums, has gathered a bouquet of PHP best practices in a new book. The book comes in two volumes. The audience for Volume I, "Foundations," is the advanced beginner who's done one or two things in PHP, but who wants to know how to do more. Volume II, "Applications," is a design volume, mainly, and is good for people who have lots of experience with PHP but want to be better programmers. It's nice that the two volumes are separate; if you already know the syntax and mechanics of PHP you can buy Volume II and maximize d!/d$.*" Read on for Leingang's review of Volume I, and watch for his followup on Volume II.
The PHP Anthology: Volume I: Foundations
author: Harry Fuecks
pages: 376
publisher: SitePoint
rating: 7
reviewer: Matthew Leingang
ISBN: 0957921853
summary: Good start; for the real story read Volume II as well.
The book is very well-written, often using a question-and-answer heading style that makes searching the table of contents easy. In the preface, we already meet the first cool aspect of the book: lots of links to sites in the form of footnotes.** Yes, most books of this genre include links to web sites, but this way makes a couple of things clear: first, that there are a lot of references, so you have many places to jump to for more information, and it's a sleeker text flow: embedding URLs in dead text makes line breaking hard and detracts from the flow of the language. As you read a page, you can note, "OK, that's an online resource," and keep reading without having to stumble over an incomprehensible URL.
Each volume has numerous code examples, and they're all on the book's web page to save you from transcribing. The web site is the best place also to buy the books; they're generally not available in stores.
Chapter 1: PHP Basics
These are the foundations of the book. Quick highlights:
How does one exactly RTFM? The author directs the novice to the PHP web site and explains what each part of the online manual corresponds to. But also, the coolest aspect of the PHP web site is its search-by-url feature. It looks up a function or language reference page, finds a set of likely matches, or just googles the site for you. Try it: http://php.net/array, http://php.net/sprintf, http://php.net/error.
How to understand error messages. Remember your first "cannot add header information -- headers already sent" error. Huh? Learn the difference between parse errors (what you wrote is not valid code), semantic errors (you're asking PHP to do something illegal), environment errors (PHP is not equipped to do what you want), and logic errors (PHP is happy but you're not). The last is particularly insidious (no E_PEBKAC level of reporting), but unit testing (see Volume II) gives you hope to find and fix those.
How to include. What is the difference between include and require (answer: require forces a fatal error if it can't find the file you want, while include only warns)?
How to write portable and reusable code. There are hundreds of configuration directives, and using them can make one of your applications simpler. But some are to be used only with careful consideration. The magic_quotes_gpc directive, for instance, sounded like a good idea at the time it was developed. It automatically escapes user input so backslashes remain backslashes and not escape characters. A common use of this directive allowed you to insert user-supplied data directly into a database without checking to make sure any embedded quotes wouldn't create unintended SQL statements. While this does guard against SQL injection attacks, you could still end up with garbage in the database. So you still have to check user data to make sure it complies with your standards. This is easier to do before escaping magic characters, so it's better to wait until just before storage; then add all the backslashes you need. Nowadays it's considered good form to not rely on this directive and just use addslashes when you need it.
For maximal code reuse, consider object orientation. But there's a whole chapter on that...
Chapter 2: Object Oriented PHP
"Be lazy," the author writes; "Write good code." One of the ways to organize your code is through object-oriented programming. Most readers know the basic concepts of OOP, and are probably tired of the few over-simplified examples. Beyond that this chapter wants to get you to think OO, to "no longer think about long lists of tasks that a single script should accomplish; instead, [to] see programming as the putting together of a set of tools to which your script will delegate work."
I know my first PHP classes were just namespaced scripts. The attributes and methods weren't at all related. This chapter (as well as Chapter 7 of Volume II) helps you distinguish where your classes are and how they connect. One of the aids for this is the use of Unified Modeling Language (UML) class diagrams. These diagrams, which use boxes for classes and arrows for the relationships between them, are really cool programming and teaching tools that require no code!
Here I think the book's physical workflow got caught in a gap between major PHP releases. The cover says this book is "PHP5 ready," which is a bit of a misnomer because all the code examples and rules are written for PHP4. Minor text mentioning how things are going to be different in PHP5 has been inserted. It's true that none of the OO code written here will break in PHP5, but there are major additions to PHP5 especially in the OO implementation (no more ampersands! actual private variables! Exceptions! Much, much more!). Still, the author makes the point that you the programmer may not be using PHP5 for a while (PHP 5.0.0 is only a few weeks old today), and that you shouldn't put off learning PHP until version 5 is agreed to be stable.
I've read the comments of PHP bashers, arguing that using it for OO programming is a waste of overhead. The author has heard that argument, too, and rebuts:
"What they forget to mention is the drastic increase in your performance that object oriented programming delivers. After all, fast programmers cost more than fast microprocessors!"
Hear, hear. RAM and disk space are commodities, while programmers are not (yet).
Chapter 3: PHP and MySQL
This goes beyond the simple HOWTO on connecting to a database. A suite of PHP classes is developed for database connections, querying, and result handling, not as much to use as for your "health"--i.e., to see a well-done class from start to finish. For your real applications, use a real, well-maintained and tested class such as those found in PEAR. This is another principle of good programming: Somebody has probably had the same problem you are having right now, and already solved it (also known as Ecclesiastes 1:9, "...there is nothing new under the sun.")
If you've done lots of SQL queries, you get to thinking that there's got to be a better way to access a database. In fact, you can build a layer of abstraction over the database connection layer to create interface classes to individual tables. This is called a persistence layer. For an implementation, see PEAR::DB_DataObject.
Any web programmer fears insecurity, and I don't mean self-doubt. The author weaves discussions of security into each chapter. For instance, you must be careful to guard against allowing users to seriously alter the nature of your SQL queries. Trust no user-supplied data! Also, this chapter gives a PHP-based solution for creating MySQL dumps.
Once you've got the data in the database, making sure users can find it is another problem. You can use LIKE relations in your queries to search field strings. The author shows how to use FULLTEXT indexes (a MySQL 4 feature) to assist in searching the entire table or any set of fields you like, all at once.
Chapter 4: Files
Sometimes databases are overkill for data storage, or you need to extract data from text files. The author gives several examples of uses of interacting with a local or remote file system. He explains:
- how to slurp whole files into memory or to process them chunk-by-chunk.
- how to use the PHP built-in functions to interface with the file system (so you can make a self-updating "Last updated: " item on your pages).
- how to use .ini-style files to store configuration data -- a common configuration style which is much faster than keeping it in a RDBMS or XML file.
- how to use FTP with PHP.
- how to compress and decompress with tar through PHP.
- how to create a file and send it to your web user (custom files generated on-the-fly and ready for download!).
Again, the security threat is raised, and the author gives pointers on how to prevent crackers from getting you to execute their code by including one of their files rather than your own.
Chapter 5: Text Manipulation
When building dynamic web sites, being able to manipulate code is a must. You need to validate the data that users send to you, as well as guard against simple HTML error or malicious cross-site scripting (XSS) attacks. There are lots of built in functions (strip_tags to remove the HTML from a string), but using regular expressions you can validate and filter just about anything. You can reimplement a restricted set of markup tags a la BBCode, or set up a custom, easily-updated profanity filter.
Chapter 6: Dates and Times
Another real-world problem is formatting dates and times in a human-readable (and perhaps localizable) way, and on the machine level manipulating dates correctly. Luckily these are all solved problems and PHP connects you to the C functions which do it. Whether you store dates as MySQL timestamps (e.g., 2004-08-03 20:07:00) or UNIX timestamps (1091578114 seconds since the epoch) is up to you, although if you use the former you'll probably have to convert to the latter at some point. Putting it all together you can create dynamic calendars where clicking on a day brings you to your appointments for that day. Another good use of date functions is an implementation of cron written entirely in PHP for those not on a unix platform.
Chapter 7: Images
Once you've mastered the art of producing HTML with PHP (developed even further in Chapter 9), you'll wonder what else it can do. It turns out that PHP, using glue to the GD image library, can output images as well. You can generate thumbnails of your images to create galleries. You can watermark images with text to discourage stealing them. You can hide your images behind a PHP script that protects people other than you from linking directly to your images. And you can analyze data with enough charts and graphs to make Ross Perot ecstatic.
Chapter 8: Email
Contacting your users off-site is a must if you want them to come back. Furthermore, it's a nice way to register users by sending them links to an address they provide. PHP can send email natively using the mail function, but as always there are nice classes which jazz up the features. You can send HTML attachments (known by some as "spam", but we're not here to judge), even including the images in the mail. You can even use PHP as a replacement for procmail by parsing incoming mail and triggering actions based on headers.
Chapter 9: Web Page Elements
Eventually you get tired of writing HTML, and interweaving markup and presentation logic can give you a headache. Can't PHP be told to format the table the right way? Another solved problem! Displaying data in a table is a common task, and classes such as PEAR::HTML_Table can take a simple data structure and beautify it for you. Forms are another area in which PHP-generated code can save you time. You can also use PHP to produce "breadcrumbs" (there's one at the top of every slashdot page) and drop-down menus that show your users where in the hierarchy of information they are. Finally the author shows how to use apache's url_rewrite module to get those question marks, file extensions, and ampersands out of your URLs and sex them up. (You can also do this without url_rewrite, completely inside PHP, but using a custom error document and examining the path requested.)
Chapter 10: Error Handling
So you're all excited about your next web app, and you dive into coding, and something goes wrong. What then? This chapter is about errors. You can use the error_reporting function to customize which exceptions actually produce error messages, or create your own error messages that handle errors your own way. You can choose to log them in a database, send an e-mail to a coding team, and most importantly, recover gracefully so that your users don't see an error message. Not only is it unprofessional, it may reveal information about your program, file system, or database structure that can harm you.
Appendices
There are several good appendices, which tell you which configuration directives you're probably most interested in (the complete list you can get on PHP's web site), some common security breaches, and how to install PEAR, PHP's version of CPAN. My favorite appendix is the "Hosting Provider Checklist," a great reference for evaluating whether kewlhosting.com is going to give you the freedom and support you need to make a great hosted web site.
All in all, I liked this volume. Having read probably a dozen PHP books I wouldn't say it offers new information. But even though you know the plot, it's possible to enjoy a well-told story. See Volume II for heavier-duty ideas.
* My made-up calculus notation for "bang for your buck"
**Like this: http://books.slashdot.org/
In real life, Matthew Leingang is Preceptor in Mathematics at Harvard University. He promises to review any book sent to him for free, and sometimes actually does it. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page. -
Mixing the Unmixable
markthebrewer writes "From an article in the New Scientist: Conventional wisdom every 15 year-old knows says that you can't mix oil and water without some kind of surfactant. However a team led by Richard Pashley from the Australian National University in Canberra have done it simply by first removing all dissolved gases from the water. Apart from the obvious potential improvements in salad dressings, it could have an impact on the manufacture of everything from drugs to paint - anywhere an emulsion is required. Apparently, it will also give some insight into the mysterious 'long-range hydrophobic effect' (or why oil droplets coalesce over surprisingly long distances)." Keep in mind the usual scientific caveat: this experiment doesn't seem to have been replicated by other experimenters yet. -
Non-Invasive Networking - HomePNA vs. HomePlug?
zonker asks: "I live in a relatively new, moderately sized home that doesn't have conduit in the walls, nor does it have extra wires for networking. I am investigating getting a broadband connection, but first I have to decide how I will connect the network for the 6 computers in the house. As per the owners, I am not allowed to drill holes in the walls, and as per my girlfriend, I am not allowed to run Cat5 through the halls, so I am looking at my alternatives: wireless, HomePNA, and HomePlug. I'm afraid the house is a little too big for wireless without getting expensive, so it looks like either phonewire, or electric-wire. I've done some initial googling for people's opinions of these products and my quick findings were that magazine and website reviews seem to be favorable of some of them, while personal accounts seem to vary wildly. What solutions have worked for you? Are these things ready for primetime? Or should I suck it up and buy a few WAPs to extend the radius of a wireless network?" -
Themes.org Reborn at Freshmeat
GSpot writes: "While doing my weekly surf to see if there has been any change in one of my favorite websites, themes.org is being redirected to themes.freshmeat.net and seemingly has been reborn yet again. The previous incarnation had a dreadful interface that was difficult to navigate and when it worked it was painfully sssssllllllooooowwwww. The current version is upon a first impression a much more pleasant experience. I plan on visiting often." Mirotrem points out this brief history of themes.org running on the site (written by Chris D.), detailing the moves the site has made to this point. (Freshmeat, Themes.org, and Slashdot are all part of the world-controlling conspiracy under the VA Software umbrella better known as the Sinister Andover Keiretsu.) -
Online Community Models?
buzzcutbuddha asks: "I have been tasked with creating/finding a Collaboration and Knowledge Management tool for work, and while there are some good commercial ones out there like Intraspect and Microsoft Sharepoint, I want to look at it from another angle. Most people are aware of online community models like Slashdot, Kuro5hin.org, Everything2.org, its Perlmonks derivative, and Wikki Wikki Web. Some may even remember SixDegrees from before it was retired. But are there any other notable online communities that have similar functions to the systems described above? I'm looking for a way to let people load documents or link to documents, discuss the documents, moderate the submissions and comments, and do searches. At this point, the underlying technology is not important." -
Replacing Passwords With Other Security Gadgets?
jfmiller asks: "I'm an intern at an anonymous government agency (not the TLA kind). I have been tasked with simplifying and increasing password security. At present each of our users must log into Novell (and winnt) then Lotus Notes, telnet into both a local and a statewide mainframe and then log into the individual subunits of each of those systems. In all they have to remember something like 7 passwords. What technology is available to simplify this situation? What experience have people had? I'm especially interested in Biometrics. Remember: the sky's the limit, after all, it's your tax dollars at work." -
What Pitfalls Exist When Outsourcing Code?
mmmmbeer asks: "I have a question for anyone who has outsourced programming jobs to overseas companies. My company is considering doing this, which in theory will allow us to dump off a bunch of (supposed) 'grunt work' and free up our programmers to do other work. One of our management's reasons why they think this is good is because the contracting company can 'throw a bunch of coders on it' and therefore get it done quickly. To me this seems to violate Brooks's Law. We (the in-house programmers) are also worried that the learning curve will in fact be great enough that, even if the extra manpower works to their (and our) advantage, it could still be done faster and better in-house. My question is, has anyone had any experience with this, good or bad, and do you have any warnings or suggestions for us?"