Posted by Josse Barrera on 12/30/05 21:15
Balazs Wellisch wrote:
>>Question 1:
>>===========
>>Is there any such thing as a PHP application (or are PHP solutions just a
>>bunch of "loosely coupled" scripts thrown together)?
>
> It sounds to me like what you're asking for is a framework. Frameworks
> provide a logical grouping of PHP scripts. Remember that PHP is a scripting
> language. Unlike C++ which gets compiled into a single executable it really
> is a bunch of "loosely coupled" scripts. A framework will organize these
> scripts into logical sets of modules that, when written correctly, can ease
> the development and maintenance of the application.
>
> The best frameworks take advantage of the Model-View-Controller (MVC) design
> pattern. MVC separates data objects (model), the presentation layer (view),
> and the business logic (controller). There is a lot of good info on MVC out
> there. A quick Google search should help you out.
>
> There are several frameworks out there which I have used. The most robust is
> Struts, but I have not seen a good enough PHP port of it yet.
>
> I've used Fusebox (www.fusebox.org) with quite a bit of success. It is quite
> powerful when combined with FLiP, the Fusebox Lifecycle Process.
>
> There are numerous other frameworks out there and of course you can roll
> your own. I would strongly suggest that you find one you feel comfortable
> with and develop all your applications within it. This will speed up your
> development immensely as you start effectively reusing code from modules you
> write. It will also help with debugging, unit testing and readability of
> your code.
>
>>Question 2:
>>=============
>>Assuming there IS such a thing as a PHP application, how does one go about
>>putting one together? In the C++ world, there is the concept of
>>libraries, in Java there are packages, in .Net there are assemblies.
>>
>>i). How do PHP solutions logically partition functionality?
>>
>>Writing extensions in C seems to be one way to go, but apart from that
>>being overkill, my ISP may not even allow me to load my extension. There
>>must be a simpler way to partition logic, surely?
>
> Again, follow the principles of MVC!
>
>>Question 3:
>>==============
>>I have seen a few examples that seem to partition functionality by
>>splitting objects into various files (a bit like the use of header files
>>in C/C++), along with a liberal showering of calls to include() in the
>>code - however, unlike header files, the files "included" contain not just
>>the class definitions etc, but also (more critically), the implementation
>>(i.e. any business logic that may show how your system may be
>>compromised).
>
> Be careful! There is a LOT of garbage PHP code out there. There are a lot of
> people who go into PHP scripting without having any idea of software
> engineering or programming principles. Don't end up following the wrong
> example.
>
>>i). Is it possible to have your "header" files (i.e. class implementation
>>source code) stored in a directory location that is hidden in some way -
>>the main goal is to thwart any hacker who may simply look at your
>>include() method calls, casually navigate to the appropriate directories
>>and peruse your source code at his/her leisure.
>
> Yes. You can also encrypt your PHP files if you want. Take a look at Zend.
>
>>ii). There are potential issues about using include().
>>a). I remember reading somewhere that you have a performance hit (I/O
>>bottleneck) every time you call include
>
> Not really true. There is a small I/O hit but most of the pages get cached
> anyway so this is not that much of a problem in a well configured system.
> Again, take a look at Zend and their free Optimizer.
> http://www.zend.com/store/products/zend-optimizer.php
>
> The bigger problem is that using a lot of includes all over the place is
> like using a bunch of GOTOs. Remember that BASIC nightmare?
>
>>b). There are potential security issues - You can't use include() if you
>>use a function called something like basedir() (or something - sorry, I
>>don't remember the function name). But this function allows one to
>>restrict users from accessing files above the parent of a specified
>>directory. Any (informed) feedback on this will be much appreciated.
>
> You can include files from anywhere on the server. You can even include
> files from an entirely different server through a URL. What matters is that
> the included file's permissions are set up correctly. They should be
> readable by the apache process only. And you can always use Zend Encoder or
> something similar to encrypt the code in these files.
>
> Your bigger problem will be the security of your database. I'm assuming you
> will be storing login information in a database? In this case you have to
> make sure your db is configured properly and sensitive information, such as
> passwords, etc., is encrypted.
>
> You will also have to make sure that your session management is configured
> properly. Do not pass IDs along in the URL and use SSL where possible. Do
> not use global variables, etc.
>
>>I would be very pleased to get informed feedback on this last question
>>(Q3) in particular because the thought of having code that shows a hacker
>>how authentication or licensing (for example) is implemented at the server
>>side does not bear thinking about. I look forward to hearing from the PHP5
>>gurus in this ng.
>
> Well, although I've been doing web development for over 10 years now, I've
> only been working with PHP for about 5. So, I consider myself more of a
> novice than a guru, but I hope this was helpful.
>
> Balazs
>

Thank you very, very much Balazs, this has been *very* helpful. Your
10 years' experience clearly shows. Muchas gracias!
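As an added example (not code from the thread, nor from Zend or Fusebox), here is one way to do what Question 3 asks about: keep the class implementation files in a directory outside the web root so nobody can browse to them, limit include() to a fixed list of files, and pair that with open_basedir, the php.ini directive the question seems to be recalling. The directory layout, file names and the open_basedir value are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed layout (hypothetical paths):
//   /var/www/site/public/index.php  <- DocumentRoot, the only directory Apache serves
//   /var/www/site/lib/Auth.php      <- class implementations; never web-reachable
// Matching php.ini line (assumed value); it stops the interpreter from opening
// files outside the listed directories:
//   open_basedir = /var/www/site/public:/var/www/site/lib
declare(strict_types=1);

$libDir = realpath(__DIR__ . '/../lib');
if ($libDir === false) {
    http_response_code(500);
    exit('lib directory missing');
}
define('LIB_DIR', $libDir);

// Fixed map of module names to files. include() paths must never be built from
// request data such as $_GET['page']; a whitelist like this rules that out.
const MODULES = [
    'auth'    => 'Auth.php',
    'license' => 'License.php',
];

function load_module(string $name): void
{
    if (!array_key_exists($name, MODULES)) {
        throw new InvalidArgumentException("Unknown module: $name");
    }
    $real = realpath(LIB_DIR . DIRECTORY_SEPARATOR . MODULES[$name]);
    // realpath() resolves symlinks and "..", so the prefix check below still
    // holds if the MODULES map is later loaded from a config file instead.
    if ($real === false || strpos($real, LIB_DIR . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("Refusing to include outside lib: $name");
    }
    require_once $real;
}

load_module('auth');
```

Because lib/ is not under DocumentRoot, a request for /lib/Auth.php gets a 404 rather than the source, and open_basedir makes the interpreter refuse any path outside the two listed directories even if a later bug builds one.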