Posted by Balazs Wellisch on 12/30/05 19:59
>
> Question 1:
> ===========
> Is there any such thing as a PHP application (or are PHP solutions just a
> bunch of "loosely coupled" scripts thrown together)?
>
>
It sounds to me like what you're asking for is a framework. Frameworks
provide a logical grouping of PHP scripts. Remember that PHP is a scripting
language. Unlike C++, which gets compiled into a single executable, it really
is a bunch of "loosely coupled" scripts. A framework will organize these
scripts into logical sets of modules that, when written correctly, can ease
the development and maintenance of the application.
The best frameworks take advantage of the Model-View-Controller (MVC) design
pattern. MVC separates data objects (model), the presentation layer (view),
and the business logic (controller). There is a lot of good info on MVC out
there. A quick Google search should help you out.
There are several frameworks out there which I have used. The most robust is
Struts, but I have not seen a good enough PHP port of it yet.
I've used Fusebox (www.fusebox.org) with quite a bit of success. It is quite
powerful when combined with FLiP, the Fusebox Lifecycle Process.
There are numerous other frameworks out there and of course you can roll
your own. I would strongly suggest that you find one you feel comfortable
with and develop all your applications within it. This will speed up your
development immensely as you start effectively reusing code from modules you
write. It will also help with debugging, unit testing and readability of
your code.
> Question 2:
> =============
> Assuming there IS such a thing as a PHP application, how does one go about
> putting one together? In the C++ world, there is the concept of
> libraries, in Java there are packages, in .Net there are assemblies.
>
> i). How do PHP solutions logically partition functionality?
>
> Writing extensions in C seems to be one way to go, but apart from that
> being overkill, my ISP may not even allow me to load my extension. There
> must be a simpler way to partition logic, surely?
>
>
Again, follow the principles of MVC!
> Question 3:
> ==============
> I have seen a few examples that seem to partition functionality by
> splitting objects into various files (a bit like the use of header files
> in C/C++), along with a liberal showering of calls to include() in the
> code - however, unlike header files, the files "included" contain not just
> the class definitions etc, but also (more critically), the implementation
> (i.e. any business logic that may show how your system may be
> compromised).
>
Be careful! There is a LOT of garbage PHP code out there. There are a lot of
people who go into PHP scripting without having any idea of software
engineering or programming principles. Don't end up following the wrong
example.
> i). Is it possible to have your "header" files (i.e. class implementation
> source code) stored in a directory location that is hidden in some way -
> the main goal is to thwart any hacker who may simply look at your
> include() method calls, casually navigate to the appropriate directories
> and peruse your source code at his/her leisure.
>
Yes. You can also encrypt your PHP files if you want. Take a look at Zend.
> ii). There are potential issues about using include().
> a). I remember reading somewhere that you have a performance hit (I/O
> bottleneck) every time you call include
Not really true. There is a small I/O hit but most of the pages get cached
anyway so this is not that much of a problem in a well configured system.
Again, take a look at Zend and their free Optimizer.
http://www.zend.com/store/products/zend-optimizer.php
The bigger problem is that using a lot of includes all over the place is
like using a bunch of GOTOs. Remember that BASIC nightmare?
> b). There are potential security issues - You can't use include() if you
> use a function called something like basedir() (or something - sorry, I
> don't remember the function name). But this function allows one to
> restrict users from accessing files above the parent of a specified
> directory. Any (informed) feedback on this will be much appreciated.
>
You can include files from anywhere on the server. You can even include
files from an entirely different server through a URL. What matters is that
the included file's permissions are set up correctly. They should be
readable by the apache process only. And you can always use Zend Encoder or
something similar to encrypt the code in these files.
Your bigger problem will be the security of your database. I'm assuming you
will be storing login information in a database? In this case you have to
make sure your db is configured properly and sensitive information, such as
passwords, etc., is encrypted.
You will also have to make sure that your session management is configured
properly. Do not pass IDs along in the URL and use SSL where possible. Do
not use global variables, etc.
> I would be very pleased to get informed feedback on this last question
> (Q3) in particular because the thought of having code that shows a hacker
> how authentication or licensing (for example) is implemented at the server
> side does not bear thinking about. I look forward to hearing from the PHP5
> gurus in this ng.
>
Well, although I've been doing web development for over 10 years now, I've
only been working with PHP for about 5. So, I consider myself more of a
novice than a guru, but I hope this was helpful.
Balazs
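The layout the reply recommends (implementation files outside the web-served directory, a fixed set of includes driven by the framework rather than by the request, and open_basedir limiting where PHP may read), as an added example that is not part of the original thread. The directory names, the action map and the controller file names are assumptions.

```php
<?php
// Added example, not from the original post. Assumed layout:
//   /var/www/html/index.php   document root; the only file the web server serves
//   /var/www/app/...          class files and business logic, never served directly
// Because /var/www/app is outside the document root, a visitor who reads the
// include() calls cannot fetch the implementation by navigating to a URL.
//
// Assumed php.ini settings that back this up (real directives, values assumed):
//   open_basedir = "/var/www/html:/var/www/app"   PHP may only open files under these trees
//   allow_url_fopen = Off                         no include() of files fetched over a URL
//   allow_url_include = Off                       (PHP 5.2+) same restriction, include-specific
// Listing both trees in open_basedir keeps these include() calls working.

define('APP_ROOT', dirname(__DIR__) . '/app');   // /var/www/app, resolved from this file

// Fixed map of request actions to implementation files. include() is never
// handed a path assembled from user input; the request only selects a key.
$actions = array(
    'home'   => APP_ROOT . '/controllers/home.php',
    'login'  => APP_ROOT . '/controllers/login.php',
    'logout' => APP_ROOT . '/controllers/logout.php',
);

$action = isset($_GET['action']) ? $_GET['action'] : 'home';
if (!array_key_exists($action, $actions)) {
    // Unknown key: refuse rather than trying to guess a file name.
    header('HTTP/1.1 404 Not Found');
    exit('Unknown action');
}

// Shared model classes live under the same non-served tree.
require_once APP_ROOT . '/models/User.php';

// Dispatch to the selected controller (the "C" in MVC).
include $actions[$action];
```

On a shared host where php.ini is not editable, a file-system permission check (the app directory readable by the web server user only) is the part of this a tenant can still control.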