10 (VERY) BASIC TIPS FOR PHP WEB APPLICATION SECURITY

Barebones list of the things you should be looking for when developing a web app in PHP. Some of it applies to all web apps, not just PHP. Use HTML_Safe (or a similar JavaScript-stripping library) to check for and remove JavaScript when you’re accepting data that will be output to a page. Check every GET and POST variable for validity. Every web site has URLs like “dosomething.php?id=3”. Make sure the id you’re accepting is actually a number (or whatever type you’re allowing).

WHAT CAUSED THAT LOAD SPIKE?

Every now and then, we find that we will have a sudden increase in the number of apache processes, load average will spike up, and then go back down to normal. In rare cases, we will see the same thing happen, and the load avg spike WAY up, all queries appear locked up, and the server must be rebooted. I am looking for ways of determining what caused this. I should note that it happens extremely rarely, and has never shown up in a load test.

SHOW CREATE TRIGGER - NOPE

As of MySQL 5.0 there is no SHOW CREATE TRIGGER, which is pretty annoying. I don’t like using “show triggers like “, so I figured I’d write a wrapper around mysqldump. For the record, this was a huge pain in the ass. I did this on Fedora, GNU sed version 4.1.5. You need to have your password stored in ~/.my.cnf for this to work, I believe. I haven’t tried it without it.

MYSQLDUMP TIPS BY CRAZYTOON

Our sysadmin has a nice blog post with a few tips for using mysqldump, especially if your database is used for more than a basic site, or if you have stored procedures and/or triggers.

COUNT(1) VS COUNT(*) - ANY DIFFERENCE?

A while ago when I started my first job in LA, I was using MSSQL. I was told to never use count(*), and rather to use count(1). Several people insisted this performs better than count(*), and since I really didn’t care to argue or look into it, I just started doing it. Fast forward to today, where I am still writing count(1), but on MySQL. I’m at a different company now, but working with a lot of the same people.

WHY HAVE REPLACE INTO AND INSERT ... ON DUPLICATE KEY UPDATE?

REPLACE INTO will actually perform a delete and then an insert, while INSERT … ON DUPLICATE KEY UPDATE will perform an update (as the name suggests). I would think the latter would be faster. I have not done any performance testing between the two, but it only seems logical that the update would be faster than the delete/insert. Please correct me if I’m wrong. Since the two statements both end up with the same result, I’m not sure yet what the benefit of REPLACE INTO is.

ANSWERBAG READ WRITE API NOW IN BETA

Although it’s not officially announced, our read/write api is now out and in beta. It’s not officially launched on the site or anything, but we are looking for interested partners. Docs are here

PUBLIC AND PRIVATE KEYS OVER SSH

I found a very good explanation of how to set up public key authentication over ssh. I’m always looking for it when I need it, and it always takes forever. http://www.petefreitag.com/item/532.cfm You can also use ssh-copy-id, I’m not sure what the specifics are behind it, but it seems to be available occasionally (Fedora 6) and not in other places (OS X 10.4.8).

PAGING THROUGH DATA 2.0

For a long time, whenever I wanted to do paging to browse through a table, I used to run 2 queries. The first would get the results, and the second would be an almost identical query, with a count(*) instead of fields, and I’d use the result of the second query to figure out how many pages I would need. Now there’s a better solution, and it’s called found_rows(). Say you have a simple select statement:

CALLING A FUNCTION FROM WITHIN PREG_REPLACE

Regular expressions are awesome. However, sometimes doing everything in them is extremely difficult, or impossible. Luckily, we can flex the power of preg_replace’s ’e’ option to execute the replacement string as PHP code. The reason I found this was that I was looking for a suitable URL auto-linker that could shorten the URL to a certain length. I found several examples on PHP.net, but unfortunately none of them did a good job of shortening the URL, or formatting it in a special way.
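The URL auto-linker described above, as an added example that is not the post’s own code: it uses preg_replace_callback() in place of the ’e’ modifier (which was deprecated in PHP 5.5 and removed in PHP 7.0), so the function call happens in ordinary PHP rather than by evaluating the replacement string, and it also applies the output-escaping tip from the first item on this page. The function names, the 60/40 truncation rule and the sample text are my own choices.

```php
<?php
// Added example, not code from the original post: a URL auto-linker that
// shortens long URLs for display, written with preg_replace_callback()
// instead of preg_replace()'s 'e' modifier. The callback is ordinary PHP,
// so nothing from the matched text is ever evaluated as code.

/** Escape a string for use in HTML text or attribute values. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Shorten $url for display to at most $max characters, keeping the start
 * (scheme and host) and the end (file name) with "..." in between.
 */
function shorten_url(string $url, int $max = 40): string
{
    if (mb_strlen($url) <= $max) {
        return $url;
    }
    $keep = $max - 3;                  // characters left after the "..."
    $head = (int) ceil($keep * 0.6);   // 60% from the front
    $tail = $keep - $head;             // remainder from the end
    return mb_substr($url, 0, $head) . '...' . mb_substr($url, -$tail);
}

/**
 * Replace http(s) URLs in plain text with anchor tags. The whole text is
 * escaped first, so markup in the input is shown literally and the only
 * real tags in the result are the anchors built here.
 */
function auto_link(string $text, int $max = 40): string
{
    $escaped = h($text);
    // After escaping, "&" inside a URL appears as "&amp;"; allow that
    // sequence but stop at whitespace or any other entity (&lt; &quot; ...).
    $pattern = '~https?://(?:&amp;|[^\s&"\'<>])+~i';
    return preg_replace_callback($pattern, function (array $m) use ($max) {
        $url = html_entity_decode($m[0], ENT_QUOTES, 'UTF-8'); // raw URL
        return '<a href="' . h($url) . '">' . h(shorten_url($url, $max)) . '</a>';
    }, $escaped);
}

// Constructed sample input (not from the page):
$sample = 'Docs: http://www.example.com/a/very/long/path/to/the/document.html?a=1&b=2 '
        . 'and <b>not bold</b> http://example.org/x';
echo auto_link($sample), "\n";
```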