The PHP Anthology Volume 1, Chapter 1 - PHP Basics
Magic Quotes
Magic quotes is a feature intended to help prevent security breaches in sites developed by PHP beginners.
It adds escape characters (see Chapter 5, Text Manipulation for more information) to incoming URL query strings, form posts, and cookie data automatically, before your script is able to access any of these values. Should you insert the data directly into your database, there's no risk of someone being able to tamper with the database provided magic quotes functionality is switched on.
For beginners, this is certainly a useful way to prevent disasters. However, once you understand what SQL injection attacks are, and have developed the habit of dealing with them in your code, the magic quotes functionality can become more of a problem than it's worth.
Magic quotes functionality is controlled by a PHP configuration setting, magic_quotes_gpc, which can be either on or off.
My own preference is to always have magic quotes switched off, and deal with escaping data for SQL statements myself. Unfortunately, this means the code I write won't port well to PHP installations where magic quotes are switched on (I'll end up with backslashes in my content). Thankfully, to deal with this problem, PHP provides the function get_magic_quotes_gpc, which can be used to find out whether magic quotes are switched on. To keep the code in this book portable, we'll use a simple file that strips out magic quotes, should the functionality be enabled:
Example 1.8. MagicQuotes/strip_quotes.php (in SPLIB)
<?php
/**
 * Checks for magic_quotes_gpc = On and strips the added slashes from
 * incoming requests if necessary.
 *
 * The stripping is done recursively, because magic quotes also escape
 * values nested inside arrays (for example, tags[]=value in a query
 * string); calling stripslashes() directly on such an array element
 * would only produce a warning and lose the value.
 */
function stripslashes_deep($value)
{
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value);
}

if (get_magic_quotes_gpc()) {
    $_GET    = array_map('stripslashes_deep', $_GET);
    $_POST   = array_map('stripslashes_deep', $_POST);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}
?>
If we include this at the start of any file in which we accept data from a query string, a form post, or a cookie, we'll remove any slashes added by magic quotes, should this functionality be switched on. This effectively gives us back what we started with.
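To see exactly what strip_quotes.php is undoing, here is an added example (not from the book) that simulates magic_quotes_gpc with addslashes(), applies the recursive strip, and shows the double-escaping that produces the stray backslashes mentioned above. The function names and the sample form post are my own.

```php
<?php
// Added example, not from the book: simulates what magic_quotes_gpc does
// with addslashes() so the effect can be seen on any PHP version, including
// those where the feature itself no longer exists. Function names are mine.

// Magic quotes applies addslashes() to every incoming value, including
// values nested in arrays such as tags[]=value.
function magicQuotesSimulated($value)
{
    return is_array($value)
        ? array_map('magicQuotesSimulated', $value)
        : addslashes($value);
}

// The reverse operation, as strip_quotes.php performs it, also recursive.
function stripslashesDeep($value)
{
    return is_array($value)
        ? array_map('stripslashesDeep', $value)
        : stripslashes($value);
}

// A constructed form post, as the browser would send it.
$posted = array(
    'name' => "O'Reilly",
    'tags' => array("it's", 'plain'),
);

// This is what $_POST looks like with magic quotes switched on:
// a backslash has been inserted before each apostrophe.
$gpc = magicQuotesSimulated($posted);
echo $gpc['name'], "\n";
echo $gpc['tags'][0], "\n";

// Stripping the slashes gives back exactly what was submitted.
$clean = stripslashesDeep($gpc);
var_dump($clean === $posted);

// The portability problem from the text: escaping for SQL yourself
// (addslashes() stands in for the database's own escaping function here)
// while magic quotes is still on escapes the value twice, so a literal
// backslash ends up in the stored content. Strip first, then escape once.
echo addslashes($gpc['name']), "\n";
echo addslashes($clean['name']), "\n";
?>
```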
The subject of SQL injection attacks is discussed in detail in the section called "How do I solve database errors caused by quotes/apostrophes?". If you're not yet confident that you can protect yourself against SQL Injection attacks, use magic quotes. Once you're happy you have a full grasp of all the issues, switch the magic quotes functionality off and save yourself many headaches. Note that magic quotes can only be switched on or off using the php.ini file or one of Apache's .htaccess files. For more information, see Appendix A, PHP Configuration.
Call-Time Pass-By-Reference Off
A reference is like a "short cut" to the value of a variable. References are often required when we use PHP functions and classes, a subject we'll discuss further in Chapter 2, Object Oriented PHP. When you apply the reference operator to a variable at the point where you call a function or class method, that is known as call-time pass-by-reference. Consider this example:
$result = myFunction(&$myVariable);
Here the & operator tells PHP to use a reference to the variable $myVariable as the argument, rather than creating a copy of its value. This is now generally regarded as bad practice, as it can make the job of understanding someone else's code extremely difficult.
Switch this off in php.ini using the following setting:
allow_call_time_pass_reference = Off
Alternatively, switch it off in a .htaccess file as follows:
php_flag allow_call_time_pass_reference off
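For comparison, here is an added example (not from the book) of the form that works with allow_call_time_pass_reference = Off: the & goes on the parameter in the function definition, not at the call. The function name is my own.

```php
<?php
// Added example, not from the book: passing by reference without using the
// call-time form that allow_call_time_pass_reference = Off rejects.

// The & is declared once, on the parameter, so every caller gets
// reference behaviour and readers of the function know to expect it.
function appendSuffix(&$text, $suffix)
{
    $text .= $suffix;
}

$name = 'report';
appendSuffix($name, '.txt');   // no & at the call site
echo $name, "\n";              // the caller's variable was modified in place

// The call-time form from the text, which the Off setting rejects and
// which PHP 5.4 and later removed entirely:
//   appendSuffix(&$name, '.txt');
?>
```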
Write Reusable Code
It's easy to say, I know, but if you find yourself writing any more than one PHP script, you need to start thinking about ways to make your code reusable, before you suffer premature hair loss. Technically, this isn't exactly an issue of portability as such, but if you end up working on other sites or applications, you'll appreciate having ready code that you can simply plug into your new project. Also, if you're writing code that other people will integrate with existing applications on their Websites, you need to package it in a form that doesn't place requirements on the code they're already using.
For example, if your application has some kind of user authentication system, will it integrate with the one they're already using—a system that already has a large database of users associated with it?
The best approach is to write object oriented code (the focus of Chapter 2, Object Oriented PHP) with a mind to creating reusable "components." Some people argue that writing object oriented code in PHP slows down the application's performance and should therefore be avoided at all costs. What they forget to mention is the drastic increase in your performance that object oriented programming delivers. After all, fast programmers cost more than fast microprocessors!
Some things to consider when measuring the potential of your code for reuse are:
- What happens when requirements change?
- How easy is it to add new features to your code?
- Are you still able to understand the code after a long period of time?
- Can your code be integrated easily with other applications?
- Will assumptions made in your code apply to your work on other sites?
You'll find throughout this book many hints and suggestions to encourage you to write reusable code, although an in-depth analysis of PHP applications design as a whole is beyond its scope. As you read this book, you should get a feeling for some of the critical factors as subjects for further investigation. You have one main responsibility to yourself as an experienced PHP developer: to keep expanding your general knowledge of the more esoteric aspects of software development, such as design patterns and enterprise application architecture, as a means to improve your development technique and, more importantly, save yourself time. The broader your knowledge, the lower the risk of failure when you land that big project.
Further Reading
- Write Secure Scripts with PHP 4.2! A tutorial that explains the importance of writing scripts with register_globals switched off.
- Effortless (or Better!) Bug Detection with PHP Assertions
- Using Strings Zend provides a walk-through of the main functions available for working with strings.
- String Theory DevShed offers an in depth look at strings, going as far as Posix extended regular expressions.