PHP vs .Net » Code

HTTP Signed Requests with PHP

blake — Sat, 24 Dec 2011 18:19:27 +0000

I thought I'd write a quick primer on a basic implementation of HTTP request signing with PHP. I see a lot of posts dealing with the topic, especially by people writing homebrew REST services.

What are signed HTTP requests?

Signed HTTP requests are simply a normal HTTP request, such as a GET or a POST, that happens to include a signature as part of the request. A signature is just a string of characters generated in a meaningful way. This signature can be used by the receiving party (ie. a REST service) to validate the request and ensure that it hasn't been tampered with.

What are signed requests good for?

In a nutshell, validating an HTTP request where restricted access to resources are necessary. For example, a service that allows someone to update their personal information needs to ensure that people can only update their own personal information. Signed requests ensure that the service that receives the data can verify that the sender is who they claim they are (or at least possesses the proper secret key, a de-facto assumption it is the right person).

Obviously, having someone log in and create a session is another method of verifying user identity, however, this is not always efficient or possible, especially with web services. As an example, every Facebook application developer gets a secret key when they create an application on Facebook. When Facebook sends information to someone's application, it will include a signed request that is only valid with that developer's key. By checking the signature, a developer can verify that a request came from Facebook, and isn't someone trying to fool their application. They also don't need to provide a complicated session procedure or have Facebook "log in" to their application; the signed request is enough.

What aren't signed requests good for?

Signed requests are not a form of encryption. If the data being sent is sensitive in nature, such that you wouldn't want it being sniffed in transit over a network connection, then SSL encrypted communication (HTTPS) is the way to go. For simple REST services however, often you just need to limit requests based on a user or other similar scope, and signed requests are sufficient for that.

A problem that signed requests can solve

Here is an example situation that has a security problem that can be solved by the use of signed requests. Let's say you operate a network of beer brewing web sites, and the brewers are allowed to send updates via a REST service you have provided. Each brewer has their own user id that they get when they sign up to your service. Bob's Brewery (user id 1234) wants to update their email address. The simplest of implementations might allow for a request to be sent like this: /user/update?email=newbob@example.com&userid=1234. However, if this was the only thing the REST service needed to update an email address, it would be trivial to cause serious mayhem. For example, Mr. Evil's Brewery could send in a simple request to change Bob's email address, just by finding Bob's ID somewhere, or even trying random ones:

/user/update?email=evil@example.org&userid=1 /user/update?email=evil@example.org&userid=12 /user/update?email=evil@example.org&userid=1234 etc.

Too easy! Obviously more security is needed, and this is where the concept of secret keys comes in.

Secret Keys

It is a common practice to assign each user a secret key that they use to interact with a web service, often called an API key, generally consisting of randomly generated characters. In this case, you could give Bob a secret key when he signs up with the brewery network, and it would be stored in your database along with the rest of his account information.

Here's where I often see confusion setting in. Many people think it is logical that the secret key be sent as part of the API request, because after all, it uniquely identifies the user and it was given only to that particular person. However, this is a security problem!

The thing about secret keys is that they have to remain secret, just like any password. As soon as a key is leaked, whoever finds it can impersonate that account, just as easily as Mr. Evil's Brewery did in the previous example. If you send a secret key as part of an HTTP request, it is no longer secret. You have just leaked it to whoever cared to be listening! A network sniffer could pick it up, or it could be recorded in proxy logs or web server logs that aren't secured. Perhaps your ISP is doing deep packet inspection, and a rogue employee makes off with the logs. Who knows!

The following is an example of this type of insecurity. Bob is sending his update request along with the secret key:

/user/update?email=newbob@example.com&userid=1234&secret_key=bobs-super-secret-key

Now, pretend that Bob goes to his local Tarborks coffee shop and jumps on the free open wireless connection. Mr. Evil happens to be there, and fires up his network sniffer program and starts watching all the HTTP traffic on the network. He sees Bob's request go out, since HTTP connections are not secure. Now he has Bob's secret key, and can make any kind of request he wants with it. Maybe he could even delete Bob's account with a request to /user/delete?userid=1234&secret_key=bobs-super-secret-key, or send insults to Bob's customers using a mail endpoint!

Sending the secret key as part of a network request is NOT safe. So how do we properly identify the sender if the user id can't be trusted and they can't send us their key? Well, you knew I'd get to it eventually... signed requests!

Signed HTTP Requests

To produce a signed HTTP request, the sender and the receiver must both know the rules on how to generate a signature. It can be any crazy method you care to dream up, but a common one is as follows:

The sender organizes the data they want to send in a logical way, such as sorting it alphabetically.
The data is run through a hashing algorithm using the secret key to produce a hash. Hashing algorithms produce short strings of characters that vary based on the input data, and the output is sufficiently unique such that varying the input data by even one character produces a completely different hash.
The hash is added to the original data and sent.
The receiver identifies the user and gets the secret key from their associated account information, and recreates the hash on the received data.
If the recreated hash matches the one included in the request, the request is valid.

To return to our Tarborks coffee shop scenario, the request going out might look like this now:

/user/update?email=newbob@example.com&userid=1234&sig=x1zz645

If Mr. Evil sniffs this request, he might be pretty pleased with himself and try to change it to /user/update?email=evil@example.org&userid=1234&sig=x1zz645. This request would be rejected by the server however, since the signature is now invalid! When Mr. Evil changed the request, he needed to change the signature to match. But since he doesn't have Bob's secret key, he can't generate a correct signature, for this request or any other he cares to make up. The only valid request he can possibly make is the exact same one he just sniffed, and that's not very malicious at all, since it's what Bob was trying to do anyway.

Get to the code already

Assuming Bob's user id is 1234, and the secret key you gave him is "bobs-super-secret-key", he might write the following PHP code.

User code

>> show as plain text

PHP:

$USER_ID = "1234";
$SECRET_KEY = "bobs-super-secret-key";
/**
* @param array $data Array of key/value pairs of data
* @param string $secretKey
* @return string A generated signature for the $data based on $secretKey
*/
function generateSignature($data,$secretKey)
{
//sort data array alphabetically by key
ksort($data);
//combine keys and values into one long string
$dataString = '';
foreach($data as $key => $value) {
$dataString .= $key.$value;
}
//lowercase everything
$dataString = strtolower($dataString);
//generate signature using the SHA256 hashing algorithm
return hash_hmac("sha256",$dataString,$secretKey);
}
$bobsData = array(
"userid" => $USER_ID,
"email" => "newbob@example.com"
);
$sig = generateSignature($bobsData,$SECRET_KEY);
//add signature to the outgoing data
$bobsData['sig'] = $sig;
//generate HTTP query string
$queryString = http_build_query($bobsData);
echo $queryString;

The code above outputs userid=1234&email=newbob%40example.com&sig=efffd9cc30a220f2981b5124e1caa44d91b85aa2d2181f5331f48ca719983c1d. That's the HTTP query string that Bob would send to the /user/update endpoint to change his email address. So how does the service verify the request?

Server-side code

>> show as plain text

PHP:

if (empty($_REQUEST['userid'])) {
throw new Exception("No user id was sent with the request.");
}
//look up the account associated with the value in $_REQUEST['userid']
//and get the secret key for that account - implement as necessary
$secretKey = getSecretKeyFromUserId($_REQUEST['userid']);
$data = $_REQUEST;
$receivedSignature = $data['sig'];
//generate a signature using the data sent by the user, without the 'sig'
//parameter of course. Note that the generateSignature() function is the
//SAME ONE that the users would use!
unset($data['sig']);
$generatedSignature = generateSignature($data,$secretKey);
if ($generatedSignature != $receivedSignature) {
throw new Exception("Received signature is invalid!");
}
else {
//continue on, knowing it is the right user making the request.
}

There you have it. Signed requests!

Advanced Usage

The signature for a signed request can be sent in different ways. Some services, such as Amazon's S3 REST API, puts the signature in the HTTP headers. This is arguably a bit cleaner than including it in the parameters of an HTTP request, since the signature doesn't get mixed in with the data, and has implications for caching as well (browser caches and proxies). If you want to do it that way, you might have the user set a header as part of their HTTP request:

>> show as plain text

PHP:

header("X-Brewery-Sig: ".$sig);

And the receiving server, instead of looking for the sig parameter in $_REQUEST['sig'] (and having to remove it before running the data through the generator function), would find it in:

>> show as plain text

PHP:

$_SERVER['HTTP_X_BREWERY_SIG'];

Hope you found this useful!

An Exercise in WordPress Integration, or Why WordPress Sucks

blake — Tue, 08 Dec 2009 08:23:50 +0000

I'd like to prefix my upcoming rant with the fact that WordPress is good at what it does: making basic blogs and publishing content. I use it, many other people use it, it works. Heck, I'm using it right now. But from a technical standpoint, WordPress sucks. I'm going to relate my experience here trying write a quick function to store post output to a file, to be used by a separate application on the same server.

I started off to write a function (let's call it a caching function for simplicity) that stores some HTML from the most recently published post. Sounds easy enough. I should be able to just put a function into the functions.php file of the custom template set I'm using. That's seems to be where the "userland" custom functions go.

So I check the function reference first. Hey, wp_get_recent_posts(). Looks promising, so I give it a shot. It goes ahead and gets the most recent post just fine. Things are ok so far.

A problem appears

Now, I want to output the post exactly as it would appear in the blog, and save that output to a file on disk. Surely there's a basic function that will output a post's content? You know... take the post_content field from the database record and format it properly? Suddenly, the skies darken. Evil laughter booms out. Ha ha ha! WordPress mocks the folly of simplistic functional thinking!

The template files use functions like the_content() and the_title(). Just in case you can't tell from the excellent naming scheme, these actually produce echoed output. Checking out the_content(), we see it dutifully calls get_the_content(), then runs a couple of lines of formatting stuff on the results. So how about using get_the_content() for my caching function? I could run the other few formatting bits manually after that. Should be ok, right? After all, the doc comment for get_the_content() says the following:

/** * Retrieve the post content. *

So, I can go ahead assume it simply retrieves the basic post content then? Ha ha. NO. WHY WOULD IT DO THAT? Instead, it takes a bunch of globals that get set who-the-hell-knows-where, runs through a bunch of crap seemingly unrelated to the content of a post, and does a whole lot of textual modifications to some kind of content. Reading through the function is like jabbing red-hot fire pokeys into your eyes. Here's a portion of it:

>> show as plain text

PHP:



$content = $pages[$page-1];


if ( preg_match('/<\!--more(.*?)?-->/', $content, $matches) ) {


$content = explode($matches[0], $content, 2);


if ( !empty($matches[1]) && !empty($more_link_text) )

$more_link_text = strip_tags(wp_kses_no_null(trim($matches[1])))
$hasTeaser = true;
}

$pages is some kind of global that doesn't seem to have any relation to a post. Then apparently we're looking for HTML comments of , and replacing them with... well, something. I'd hate to think what would happen if I ever wrote a post with an HTML comment in it that happened to hit on whatever random content markers WordPress has decided to use. (Oh wait! That just happened to me while I was trying to publish the above code fragment!) I didn't even bother to look into things like wp_kses_no_null. It probably involves dark rituals with live chicken sacrifice. Why is there so much going on in a function called get_the_content()?

In the end, it seems that get_the_content() will eventually get the content of a post, but only if you set a half-a-dozen or so globals before you call it. And what the hell post is it even getting?

"The Loop"

Digging further, it's clear that the template functions for output are all like that. They don't take any kind of parameters; they just operate on globals! There's no way to take the post data that I just retrieved with wp_get_recent_posts(), and format it using these functions. You have to be in "The Loop" in order to do that. And "The Loop" sucks. It's not a catchy, easy-to-use method of handling posts, despite WordPress's efforts to pass it off as something neat or fun. It's a mish-mash of global functions with random naming and variable schemes (incidentally, just like the rest of WordPress). You can only use "The Loop" if you're accessing WordPress in a "normal", web-requested-and-template-loaded kind of way. It doesn't work if you're outside a template file (such as in functions.php before a template gets loaded).

So back to square one. Unfortunately, it appears that if I want to have the regular blog-formatted output, I need to harness "The Loop" somehow, and clearly you can't do that on your own (ie. outside of a template file) without knowing about every global variable in the system.

After some quick googling, I came across the query_posts() function, which you can use to set up "The Loop". Reading the documentation on it, you can find this little gem:

"The query_posts function overrides and replaces the main query for the page. To save your sanity, do not use it for any other purpose."

To paraphrase: "We've created a public API function that is pretty much useless except in a very specific page-dependent situation. Please enjoy how useless it is. But don't use it."

The fact that there is a "main query" for a page is another indicator of just how global-happy WordPress is, and that in turn gives you an insight into why it has so many security holes. How do you keep track of so many globals across so many functions?

A solution... sort of.

Fortunately, the query_posts() doc page links to the WP_Query docs, which is marginally more helpful, and provides the path for a solution. Using WP_Query sets up the wacky global stuff necessary to use "The Loop", which means we can hack our way through to getting some formatted post content. While technically feasible, you have to emulate a bunch of $_REQUEST parameters to the query() method. I ended up with this:

>> show as plain text

PHP:



function cacheMostRecentPost()


{


$featuredPosts = new WP_Query();


$featuredPosts->query('showposts=1');


while ($featuredPosts->have_posts())


{


$featuredPosts->the_post();


ob_start();


//do output with stuff like the_title() and the_content()


$str = ob_get_contents();


ob_end_clean();


//write $str to cache fragment


}

}
//set up hooks for this file when a post is changed or deleted
add_action('save_post', 'cacheMostRecentPost');
add_action('deleted_post', 'cacheMostRecentPost');

So despite relying on a specific set up of incoming HTTP parameters (as a string) for the most part, at least you can pass paramters to the query if you know the right ones. In this case, "showposts=1" seems to be the total number of posts fetched, and they appear to come back ordered by posting date, most recent first. This works for what I want it to do, but guess what? It doesn't work if you try to run it anywhere that's not one of those action hooks, because "The Loop" overwrites all the globals necessary for doing output later! So I can't use that function, say, at the top of the index.php template file if I wanted to. If I do, thanks to the overwritten globals, WordPress decides that I actually want the "Archive" page instead of the index page(!), and switches templates accordingly. So while I achieved my goal of being able to cache a post to a file with this function, it's certainly not portable, and it's certainly not elegant.

Wharrgarbl

The entire code flow is mind-boggling. Basing the output functions around a bunch of globals reminds me of code someone would have written in PHP 3 a decade ago, or something a very inexperienced programmer would write. Definitely not something you would expect in an application used by what is probably now millions of people. What's wrong with having some data fetching functions, and some output functions? You could, and I know I'm talking crazy here, but you could fetch some data, and then pass it to the output functions. Then (bear with me here), you could probably fetch posts (or whatever) at any time, and get some formatted output at any time, without overwriting some important global that might be used later in the code flow. Revolutionary, I know. Sorry if I went too fast on that. I'll repeat it louder and/or slower for any WordPress core developers that happen to be reading.

So, WordPress? How about something like:

$postObjects = getRecentPostsByDate(1); $output = formatPostContent($postObject[0]);

The mere concept of having individual posts exist inside their own little encapsulated world would make the APIs a hundred times more useful (and easier to understand). You could even keep those crap the_title() and the_content() and the_something_lol_naming_scheme_lol() functions if you wanted. Just make them take parameters. Better yet, put them inside a formatting object, or even the post object itself. $post->the_content() would still work, but it would have context!

The reason this gets me worked up is not that it's so frustrating to use (although that helps). I've had to deal with a lot of frustrating code in my career. It's more the fact that it's this kind of thing that gives PHP programmers a bad name. The code is just bad. The design is random. The API functions are random. The naming schemes are random. Functions don't do what their name (or their doc comment) indicates they should do. Integrating wordpress into another application or site is next to impossible (try it, I dare you), and the other way around, integrating another application or site into wordpress is much more difficult than it should be. Global usage is rampant and ridiculous to follow.

You don't have to look any farther than a single WordPress code file to understand why there have been so many security holes over the last couple of years. And there's a lot of PHP code out there that's the quality of WordPress, or worse.

To re-iterate my opening, if you don't need to get anything special out of it, WordPress does the job. They've filled their market niche well, and it's encouraging that development is ongoing and releases occur often. I've worked with it on occasion over the last few years, and the improvements are obvious, interface-wise especially, and to some extent code-wise as well (the WP_Query object is a step forward). But working with the code is not fun. Even modifying the template files is an exercise in counter-intuitiveness.

I'm sure there are reasons the code is what it is at this point, and I'm equally as sure I don't have the full picture to go with my condemnations. I guess I should just be thankful that I don't have to maintain it.

ASP.Net MVC – How to route to images or other file types

morgan — Fri, 07 Aug 2009 04:23:51 +0000

A recent question on Stack Overflow (and subsequent answer that I wrote for it) inspired this post. I had recently been discussing URL rewriting in depth with my brother, and have also been doing some introductory work with the routing engine in ASP.Net MVC, and the question piqued my interest since I had been meaning to look at this more closely for some time.

The question on Stack Overflow is titled "How do I route images with ASP.Net MVC", but fundamentally the question is really asking "how can I use ASP.Net MVC to re-route URL's to actual physical files, rather than methods of a controller?"

To be clear, lets address the conceptual differences between routing and url rewriting. Url rewriting takes the requested URL and modifies it before your code ever sees it. As far as your application is concerned, the client requested the rewritten URL. All that URL rewriting does is to change one URL into another URL, based on pattern matching.

Routing is a different and much more powerful beast. The ASP.Net routing engine maps an URL to a "resource", based on a set of routes. The first route to match the requested URL wins the prize, and sends the request off to the resource it chooses. For the ASP.Net MVC framework (which uses System.Web.Routing under the hood), a resource is something that can handle the request object, which is always a piece of code.

So where does that leave physical files? If a request is always parsed by the routing engine and then handed off to some function somewhere, how can we ever route a request for an image to actually return the physical image?

Well, it takes a tiny bit of legwork, but once we're through it, I'm confident you will see the huge advantages that routing has over simple url-rewriting. We will show the equivalent of url-rewriting by handling a request for an image using an URL that doesn't map to a physical path, but be able to return the image anyway.

Handling the Request

First off, we need to handle the request that we want to re-route to a physical file. Out of the box, ASP.Net MVC uses an instance of the MvcRouteHandler object to handle every request. MvcRouteHandler hides all the complexities of taking the requested URL, breaking it down into parts, finding the right controller in your application, instantiating it and passing it all the data it needs.

The end result of MvcRouteHandler is not what we desire. We want to return an image, not instantiate a controller and run a method. We want to skip dealing with controllers altogether in this case. So lets create our own route handler that we'll use instead.

To do so, we simply implement IRouteHandler, an interface exposed by ASP.Net MVC that actually inherits from IHttpHandler. This means that what we're writing is the ASP.Net MVC equivalent of an .ashx file for a webforms app - we're inserting our own handling module into the ASP.Net pipeline, that will handle the request much closer to the webserver/http level, rather than at the ASP.Net application level.

IRouteHandler only has one method that we need to implement, which is GetHttpHandler().

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Web;
using System.Web.Compilation;
using System.Web.Routing;
using System.Web.UI;

namespace MvcApplication1
{
    public class ImageRouteHandler : IRouteHandler
    {
        public IHttpHandler GetHttpHandler(RequestContext requestContext)
        {
            string filename = requestContext.RouteData.Values["filename"] as string;

            if (string.IsNullOrEmpty(filename))
            {
                requestContext.HttpContext.Response.Clear();
                requestContext.HttpContext.Response.StatusCode = 404;
                requestContext.HttpContext.Response.End();
            }
            else
            {
                requestContext.HttpContext.Response.Clear();
                requestContext.HttpContext.Response.ContentType = GetContentType(requestContext.HttpContext.Request.Url.ToString());

                // find physical path to image here.  
                string filepath = requestContext.HttpContext.Server.MapPath("~/test.jpg");

                requestContext.HttpContext.Response.WriteFile(filepath);
                requestContext.HttpContext.Response.End();
            }
            return null;
        }

        private static string GetContentType(String path)
        {
            switch (Path.GetExtension(path))
            {
                case ".bmp": return "Image/bmp";
                case ".gif": return "Image/gif";
                case ".jpg": return "Image/jpeg";
                case ".png": return "Image/png";
                default: break;
            }
            return "";
        }
    }
}

The above IRouteHandler is pretty simple. Ignoring the GetContentType helper method, there's really only two things happening. First, we check for a "filename" parameter that got passed in to our handler (more on that in a second). If it's not there, we return a 404 response. Otherwise, we attempt to open up the physical file "test.jpg", and stream it to the browser.

Clearly, this should be adapted to your needs by actually using the filename parameter to find the physical files on your system. But moving on - how do we invoke this from our MVC app? And how do we pass in the filename parameter, of which we'd like to reroute to some other physical path?

Routing the Request to the Custom Handler

Well, this is the easy part. Where you'd normally define your routes in Global.asax, simply use routes.Add(), instead of routes.MapRoute(). Just like this:

routes.Add("ImagesRoute",
                 new Route("graphics/{filename}", new ImageRouteHandler()));

This method of adding our route allows us to specify our custom IRouteHandler, rather than routes.MapRoute(), which by default uses an instance of MvcRouteHandler. So now, we've defined a route that matches against any requested URL containing "graphics/", and puts the rest of the URL into the "filename" bucket of the RouteDataDictionary, and hands it off to our IRouteHandler. This is how we pass the filename parameter into our custom route handler - basically the same way we pass things into controllers, by defining the variables in the route pattern.

We've successfully routed all URL's containing "graphics/", which doesn't physically exist in our web application, and returning "temp.jpg", which could exist anywhere. With a bit of coding around the file IO, you could return files from anywhere.

And that's pretty much it! You might be thinking, "this seems like a lot of extra work just to re-route a URL to a physical file that already existed in my web app!". If you take a step back though, you'll see the power of this approach. What if you wanted to log every request to the original URL to a special log file? What if you wanted to also transform the image before returning it? Perhaps launch a system executable or asynchronously hit a web service? What if you wanted to...?

In a nutshell, by inserting your own HttpHandlers into the ASP.Net pipeline to handle routed requests, you can code anything that you'd like to happen when a request comes in, rather than just rewriting it to some other URL.

PHP Variable Test reference

blake — Mon, 30 Jun 2008 02:08:33 +0000

I thought I'd post a link to this PHP Variable Tests reference page. It's a great reference that's kept up to date with the current version of PHP. I use it sometimes when I'm waffling over what function to use to validate a variable.

Something I've noticed lately with the newer versions of PHP is that ctype_digit no longer returns true when you give it an empty string (ie. ctype_digit('')). This is great, since I always thought that returning true on an empty string was counter-intuitive; by definition, it should only return true "if every character in $text is a decimal digit", so if there's no characters, it can't be true. It's also great because that means that there's lots of places in some of my code where I can change

if (ctype_digit((string) $x) && $x != '')

to just

if (ctype_digit((string) $x)),

which is cleaner and nicer.

It looks like they may have made this change back around PHP 5.1, but I never noticed it until I checked that variable reference page. Nice to see it!

Ten PHP Best Practices Tips that will get you a job

blake — Wed, 04 Jun 2008 22:06:09 +0000

The last couple of weeks have been quite the experience for me. I was part of a big layoff at my former company, which was interesting. I've never been in that position before, and it's hard not to take it personally. I started watching the job boards, and a nice-looking full-time PHP position caught my eye, so I sent out a resume and landed an interview. Before the face-to-face portion, I chatted with the owner and head programmer on a conference call, and they ended up sending me a technical assessment quiz. One particular question caught my eye on this quiz... it looked something like this:

Find the errors in the following code:

";
	}
} 

?>

So, give it a shot. How many can you find?

If you got the missing comma in the parameter list, the "new Array()" error, the colon instead of a semi-colon, the '=' instead of '=>' in the foreach statement, and the erroneous use of '+' on the echo line, then congratulations, you found all the errors! You have the basic PHP technical skills to pay the bills.

That's not how I answered the question though. I noted the errors, obviously, but I went further than that. For instance, did you notice that there were no single quotes around the array indexes ($x[sales] and $x[profit])? That won't cause a fatal PHP error, but it is a coding error! Did you also notice the use of double-quoted strings instead of single-quoted strings on the echo line? Or the usage of the opening PHP short tag? Or the usage of "
" instead of "
"?

After pointing out the actual errors, I made a point of adding comments about those things I just mentioned. It was enough to push the answer from "correct" to "impressive", and it scored me a lot of points with the programmers who were reviewing my application. Enough so that they offered me the job! (I eventually turned it down, as I have been seduced by the siren call of the contracting life, and I intend to flex my PHP skills to the benefit of my clients, and not a faceless corporate overlord who dabbles in telemarketing. I need a shower).

So, read on for my Ten PHP Best Practices Tips that will get you a job:

1. Single-quoted strings are your friend. When you surround a PHP string in double quotes, it is subsequently parsed by the PHP interpreter for variables and special characters, such as "\n". If you just want to output a basic string, use single quotes! There is a marginal performance benefit, since the string does not get parsed. If you have variables or special characters, then by all means use double-quotes, but pick single quotes when possible.

2. String output. Which line of code do you think runs faster?
print "Hi my name is $a. I am $b"; echo "Hi my name is $a. I am $b"; echo "Hi my name is ".$a.". I am ".$b; echo "Hi my name is ",$a,". I am ",$b;
This might seem weird to you, but the last one is actually the fastest operation. print is slower than echo, putting variables inline in a string is slower than concatenating them, and concatenating strings is slower than using comma-separated echo values! Not only does not-inlining your variables give you a performance boost, but it also makes your code easier to read in any editor that has syntax highlighting (your variables will show up in nice colors). The little-known use of echo as a function that takes a comma-separated list of values is the fastest of them all, since no string operations are performed, it just outputs each parameter. If you combine all this with Tip #1 and use single quotes, you're on your way to some finely-tuned strings.

3. Use single-quotes around array indexes. As you saw in the quiz question above, I pointed out that $x[sales] is technically incorrect! You should quote associative array indexes, like so: $x['sales']. This is because PHP considers the unquoted index as a "bare" string, and considers it a defined constant. When it can't find a matching symbol for this constant in the symbol table however, it converts it to a real string, which is why your code will work. Quoting the index prevents this constant-checking stuff, and makes it safer in case someone defines a future constant with the same name. I've also heard that it is up to seven times faster than referencing an unquoted index, although I haven't tested this. For more on this, see the section called "Array do's and don'ts" in the Array section of the PHP manual.

4. Don't use short open tags. Eww... are you really using these? is just bad form. It can cause conflicts with XML parsers, and if you ever distribute code, it's going to annoy the heck out of people who have to start modifying their PHP ini directives to get it to work. There's just no good reasons to use short open tags. Use the full .


5.  Don't use regular expressions if you don't need to. If you're doing basic string operations, stay away from the preg and ereg function groups whenever possible.  str_replace is much faster than preg_replace, and strtr is even faster than str_replace!  Save those crunch cycles... your enterprise applications will thank you.

6.  Don't use functions inside a loop declaration. This isn't a PHP-specific tip, but you'll see it in a lot of code.
Bad:



for ($i = 0; $i < count($array); $i++) {

//stuff

}



Good:



$count = count($array);

for($i = 0; $i < $count; $i++) {

//stuff

}



That should be pretty self-explanatory, but it's amazing how many people would rather save a line of code at the expense of performance.  If you use a function like count() inside a loop declaration, it's going to get executed at every iteration!  If your loop is large, you're using a lot of extra execution time.
7.  Never rely on register_globals or magic quotes. register_globals and magic quotes are both old features of PHP that seemed like a good idea at the time (ten years ago), but in reality turned out to be not that great.  Older installations of PHP would have these features on by default, and they cause security holes, programming errors, and all sorts of bad practices, such as relying on user input to create variables.  Both these features are now deprecated, and everyone needs to stop using them.  If you are ever working on code that relies on these features, get it out of there as soon as you can!
8.  Always initialize your variables.  PHP will automatically create a variable if it hasn't been initialized, but it's not good practice to rely on this feature.  It makes for sloppy code, and in large functions or projects can become quite confusing if you have to track down where it's being created.  In addition, incrementing an uninitialized variable is much slower than if it was initialized.  It's just a good idea.
9.  Document your code. You've heard it many times, but this can't be said enough.  I know places that won't hire people who don't document code.  I even got my previous job after an interview where the VP sat-in with the interviewer and I, where I had brought my laptop in and I was just scrolling through some code I had written for one of my sites.  He saw my documented functions and was impressed enough to ask me about my documenting habits.  A day later I had the job.
I know a lot of self-declared PHP gurus out there like to pretend that their code is so good that they don't have to spend time documenting it, and these people are full of $largeAnimal poop.  Learn docblock syntax, familiarize yourself with some PHP Documentation packages like phpDocumentor or Doxygen, and take the extra time to do it.  It's worth it.
10.  Code to a standard. This is something that you should ask potential employers about during interviews.  Ask them what kind of coding standards they use... PEAR?  Zend?  In-house?  Mention that you code to a specific standard, whether it be your own, or one of the more prevalent ones out there.  The problem with loosely-typed languages like PHP is that without a proper coding standard, code tends to start looking like huge piles of garbage.  Stinky, disgusting garbage.  A basic set of rules that includes whitespace standards, brace matching, naming conventions, etc. is a must-have, must-follow for anyone who prides themselves on their code quality.
That being said, I hate all you space-indenters.  I mean, what the hell?  4 space characters as an indent?  That's exactly four times as much whitespace to parse as a tab.  More importantly, you can set your tab-stops to any value you want if you're using any text-editor more advanced than Notepad, so every developer can having something that they like the looks of.  Set it to 4 if you want, or 0 if you're a masochist.  I don't care, but you can't do that with spaces!  You're stuck with exactly the amount that Mr. Monkey Pants in cubicle 17 decided to put in.  So why are spaces so popular?  This "4-space indent" standard everyone uses is stupid!  Stop it!  Stop doing it!
... sorry, pet peeve.
Anyway, I hope these tips are helpful.  If you want to impress at a job interview, it's the little details that will get you noticed!  Maybe don't rant about your coding standards though.



HTML manipulation with System.Xml.XmlDocument
morgan — Mon, 18 Feb 2008 06:13:10 +0000
HTML Table of Contents Generator Example
Sometimes it's easy to forget that HTML is just one type of XML, and hence you can utilize the System.Xml library for fun and profit with your HTML.  System.Xml is full of powerful tools to manipulate well-formed documents, and you really don't need to know much about XML to leverage it.  With two simple lines of code you can have a document loaded into a data structure that has powerful manipulation methods that allow you to do complex tasks. Such as generating a table of contents, for example.
Blake phoned me last night very frustrated after having spent a couple hours scouring the 'tubes for some kind of tool that would take his marked-up html document and generate a table of contents from the heading tags in it.  He started asking my advice about a C# program he had downloaded. It included three forms and over 1000 lines of code, and purported to do what he needed.  Except it didn't... it just kept crashing, and couldn't handle certain nestings of tags, etc. etc.  One look at the code made it pretty clear why... some kind of home-brewed tree structure peppered with variables like "treeUp, treeDown, treeRight, itemBegin, itemEnd".... bleeargh.  XmlDocument to the rescue!
In 45 minutes I had a program whipped up into a console app that did exactly what he needed, and it was essentially only 60 lines of code (plus some jazz for error handling/argument passing).   Let's take a look:
>> show as plain text
C#:




private void GenerateTOC(XmlNodeList nodelist, StringBuilder sb)


{


    foreach (XmlNode node in nodelist)


    {


        if (Regex.IsMatch(node.Name, "h[1-7]"))


        {


            //We've found an "h" tag.  Update our TOC stringbuilder,


            //and our original XMLDocument to add anchor tags.


            if (this.isVerbose) { Console.WriteLine("Found " + node.Name); }


 


            String tabs = "";


            int hLevel = int.Parse(node.Name.Substring(1, 1));


            if (hLevel != this.lastHLevel)


            {


                if (hLevel lastHLevel)


                {


                    //Retreat to a less indented block level


                    for (int i = this.lastHLevel - 1; i> hLevel - 1; i--)


                    {


                        tabs = new String('\t', i);


                        sb.Append(tabs + "\n");


                    }


                }


                else


                {


                    //Indent some more - Add the level difference in indents


                    for (int i = this.lastHLevel; i )


                    {


                        tabs = new String('\t', i);


                        sb.Append(tabs + "\n");


                    }


                }


                //Set lastHLevel to the current HLevel


                this.lastHLevel = hLevel;


            }


 


            //Generate the TOC entry for this node, with a link to it's anchor.


            tabs = new String('\t', this.lastHLevel);


            sb.Append(tabs + "
\"#toc" + this.tocCount + "\">" + node.InnerXml + "
\n");


 


            //Add an anchor tag to the node in the original document


            node.InnerXml = "\"toc" + this.tocCount.ToString() + "\">" + node.InnerXml + "";


            this.tocCount++;


        }


 


        //Now recurse over child nodes


        if (node.ChildNodes.Count> 0)


            GenerateTOC(node.ChildNodes, sb);


 


        //Finish whatever  level we have open if we're the last child of the root.


        if (node.NextSibling == null && node.ParentNode.ParentNode == null)


        {


            for (int i = 0; i lastHLevel; i++)


            {


                String tabs = new String('\t', this.lastHLevel - i - 1);


                sb.Append(tabs + "\n");


            }


        }


    }


} 






So in line 3, we start looping over every node (i.e. html element) in the document.  Line 5 checks to see if the current node is a header tag with a simple Regular Expression.  Lines 11-34 control the indent level of the TOC's html output - we use one 
 level for each header level.  (So an h5 tag is nested in 5  tags.)  Line 37-38 adds some html output for the TOC for the current node, namely we create a TOC list item.  Finally, lines 41 and 42 modify the original XmlDocument object by adding an anchor tag to the html of the current node.  Then we recursively call the function again with the current node's children.  The last bit of code polishes off our TOC output at the very end of our recursion. 
(At this point, real purists might interject with the fact that 10 lines of code and an XSLT stylesheet could do the same thing; I'd agree, except in practice I find that executing simple loop-driven tasks with XSLT to be quite cumbersome, and I doubt I could do anything with XSLT in 45 minutes.)
So to use the function above, simply harness the raw power of the System.Xml.XmlDocument  object, like so:
>> show as plain text
C#:




XmlDocument htmldoc = new XmlDocument();


htmldoc.PreserveWhitespace = true;


htmldoc.Load("myfile.html"); 






Assuming your HTML is well-formed, you can now pass htmldoc.ChildNodes and a StringBuilder into the recursive function above, and your StringBuilder will come back full of HTML table of contents goodness.  Additionally, your XmlDocument variable will have the corresponding anchors added to the header tags.  Just simply output your StringBuilder and XmlDocument to a file, and voila!  Instant HTML table of contents!  (Might look something like below:)
>> show as plain text
C#:




StringBuilder sb = new StringBuilder();


//Assume that the root node is not an  tag and build our TOC from the children.


thisApp.GenerateTOC(htmldoc.ChildNodes, sb);


 


//Output TOC


FileStream fs = new FileStream("TOC.html", FileMode.Create);


StreamWriter sw = new StreamWriter(fs);


sw.Write(sb.ToString());


sw.Close();


 


//Output original document with new  tags



XmlWriter xw = new XmlTextWriter("OriginalWithAnchors.html", Encoding.UTF8);


htmldoc.WriteTo(xw); 






All that in less than 80 lines of code, 45 minutes, and no XSD's, XSLT, or really, any XML at all.  XmlDocument.Load() is simply one of the greatest functions in the .Net framework.  Instant document object with an implicit tree structure.
Download the code here:  HTML Table of Contents Generator.  It includes a binary .exe file in the "bin\Release" directory, so you don't need Visual Studio if you just want to run the above program    Simply call htmltoc.exe infile.html, and you'll have TOC.html and OriginalWithAnchors.html outputted.  TOC.html contains your nicely formatted table of contents, with links to all the anchors in OriginalWithAnchors.html.