Important Rule #395
@@ -0,0 +1,45 @@ | ||
--- | ||
anchor: important_coding_tip | ||
--- | ||
|
||
# Important Coding Tip{#important_coding_tip_title} | ||
|
||
## Do not do as they do | ||
As you learn how to program in PHP you will find almost all instructional tutorials as of 2014 do you a grave injustice. They teach you how to write dangerous, hackable, insecure PHP code. | ||
|
||
Since I can't wave a magic wand and make all those tutorials fix themselves, I have decided to instead provide you with a simple way to not let them do this to you. | ||
|
||
For any tutorial which ever tells you to get data submitted by a user by using the $_GET superglobal variable, you can perform a simple substitution: | ||
|
||
If they say: | ||
$exampleVariable = $_GET['exampleVariable']; | ||
|
||
You should use: | ||
$exampleVariable = $get('examplevariable); | ||
|
||
This is a small change that looks similar visually, so it makes it easy for you to substitute. Instead of getting the data from an array, you are getting the data using a function. | ||
|
||
Now in addition to the above, you will ALSO need to create this function. So at the top of any PHP file where you will be using this function, simple add the following 4 lines: | ||
|
||
|
||
// FIXME: replace this with a more complete data sanitizing script | ||
if isset($_GET) { unset($_GET); } // Force yourself not to use the global variable | ||
$get = function($varName) { | ||
return filter_input(INPUT_GET, $varName, FILTER_SANITIZE_STRING); } | ||
|
||
If you do this, assuming your code is functional, you would need to pass around $get to every function that needs to get a $_GET variable, which is far from ideal.

Sanitizing isn't a one-size-fits-all. Context matters.
||
|
||
## What this does | ||
|
||
// FIXME: replace this with a more complete data sanitizing script | ||
This is a PHP comment, it is not executable code. This is simply a notation to remind you in the future if you are using this file for a production website, to go back and replace this code with more appropriate and secure code. | ||
|
||
if isset($_GET) { unset($_GET); } // Force yourself not to use the global variable | ||
This line is to force you not use the $_GET array by deleting it. That way if you cut and paste code from a tutorial, you won't accidentally introduce security issues if you forget to make the neccessary changes. | ||
|
||
|
||
$get = function($varName) { | ||
return filter_input(INPUT_GET, $varName, FILTER_SANITIZE_STRING); } | ||
|
||
These 2 lines create a function to remove any HTML tags from a query string variable and return it. The function is a special PHP construct called a closure, which you can learn about later, which allows it to be refereneced by a variable. The purpose of using this odd construct is that it allows you to reuse these 2 lines of code multiple times in a PHP application without having to worry about duplicate function names. | ||
|
||
The filter_input is a PHP function which provides a create deal more security options then just the one I have used here. It is up to you to learn about and use those options appropriately. What I have included here is the bare minimum to provide some basic security AND to allow you to easily increase your security incremementally. For example, instead of having to rewrite every single PHP program you write in the beginning, you merely need to search for all the FIXME strings and change filter_input(INPUT_GET, $varName, FILTER_SANITIZE_STRING) to something more appropriate for your specific needs. |
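Review bot: neither the substitution offered under "You should use:" nor the snippet introduced by "simply add the following 4 lines" parses as PHP, so a reader who follows the page literally gets a fatal error rather than a safer script. `$exampleVariable = $get('examplevariable);` is missing its closing quote, and it also lowercases the key: `$_GET['exampleVariable']` and a lookup of `examplevariable` refer to two different query parameters, because parameter names are case-sensitive. `if isset($_GET) { unset($_GET); }` lacks the parentheses PHP requires around the condition. Suggest `$exampleVariable = $get('exampleVariable');` and `if (isset($_GET)) { unset($_GET); }`, and that the corrected lines be pasted again into the "What this does" section so the two copies do not drift. On the documentation side, the text should state why `unset($_GET)` does not break the closure (`filter_input()` reads the original request data, not the superglobal), and it should say plainly that `FILTER_SANITIZE_STRING` only strips tags, as the explanation itself notes, which is not the escaping a SQL query or an HTML attribute needs; naming prepared statements for database use and `htmlspecialchars()` at output time would turn the FIXME into something a beginner can act on, and would answer the "context matters" comment above. Finally, this file's front matter sets only `anchor`, while the sibling file in this pull request also declares `title` and `isChild`; the same keys belong here.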
@@ -0,0 +1,12 @@ | ||
--- | ||
title: Use the Current Stable Version (5.5) | ||
isChild: true | ||
anchor: use_the_current_stable_version | ||
--- | ||
|
||
## Use the Current Stable Version (5.5) {#use_the_current_stable_version_title} | ||
|
||
If you are just getting started with PHP make sure to start with the current stable release of [PHP 5.5][php-release]. PHP has made great strides adding powerful [new features](#language_highlights) over the last few years. Don't let the minor version number difference between 5.2 and 5.5 fool you, it represents _major_ improvements. If you are looking for a function or its usage, the documentation on the [php.net][php-docs] website will have the answer. | ||
|
||
[php-release]: http://www.php.net/downloads.php | ||
[php-docs]: http://www.php.net/manual/en/ |
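Review bot: the release number is hard-coded in three places (the `title` key, the heading, and the body sentence), so this page goes stale on every PHP release; consider carrying the number in the body only, with the heading reading "Use the Current Stable Version", or keeping it in a single variable the page can pull from. Two smaller points: the sentence "Don't let the minor version number difference between 5.2 and 5.5 fool you, it represents _major_ improvements" is a comma splice and reads better split after "fool you", and the two reference links use plain `http://` for php.net, where `https://` is preferable for links a documentation page sends readers to.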
This is not true.
Actually, "almost all" reflects my experience.
"many" might be more acceptable. There's a lot of stuff out there that you'll be insulting which isn't that bad.
I've written plenty of tutorials that still stand, as have some of my friends. :)
Phil Sturgeon
Sent from my iPhone and there's probably typos because I'm probably at the pub.