MOPP: Day 1: Scope and Variables

This is the first tip and a quick one. A big part of application security is knowing your data. You should be able to look at a page of your application and know exactly what is going on behind it.

One very important part of this is ‘variable lifecycle’. You should ask yourself these questions about every variable in your program.

  • Where is the variable initialized?
  • What happens, step by step, after initialization?
  • What modifications are made to the variable?
  • Where is the variable last seen, or where is it output?

Knowing the answers to these will drastically speed up your applications: you can eliminate duplicate instances of classes, dispose properly of ‘dummy’ variables, and get rid of any other variables that are copies of each other or leftovers from debugging.

This also helps your security model. Knowing where your data travels lets you protect it from accidental leakage (being sent to output without escaping) or from being stored in an insecure manner.
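As an added example (not part of the original post), here is one variable walked through those four questions in PHP. The in-memory SQLite table, the sample rows and the stand-in request value are constructed for the example, and the `$pdo` connection assumes the pdo_sqlite extension is available; the post's own `$db->doQuery()` helper is not used.

```php
<?php
// Added example, not from the original post. One value is followed from the
// point it enters the program to the point it leaves, and the two exits
// (a database query and HTML output) are each handled at their own boundary.

// Constructed stand-in for the application's database: an in-memory SQLite
// table reached through PDO (assumes the pdo_sqlite extension is loaded).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE members (fname TEXT, lname TEXT)");
$pdo->exec("INSERT INTO members VALUES ('Ann', 'Lee'), ('Bob', 'O''Neil')");

// Escaping belongs at the output boundary, so the stored value stays intact
// and the same value can later go to a non-HTML sink (a log, JSON, a mail).
function escapeHtml($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// 1. Where is the variable initialized?  From untrusted request input.
//    A constructed value stands in for $_GET['lname'] so this runs from the CLI.
$rawLastName = isset($_GET['lname']) ? $_GET['lname'] : "  O'Neil  ";

// 2. What happens after initialization?  It is normalised exactly once, and
//    the raw copy is dropped so no later code can accidentally read it.
$memberLastName = trim($rawLastName);
unset($rawLastName);

// 3. What modifications are made, and where does it travel?  Into a query as
//    a bound parameter: the apostrophe in the sample value is data, never SQL.
$membersQuery = "SELECT fname, lname FROM members WHERE lname = :lname";
$membersStatement = $pdo->prepare($membersQuery);
$membersStatement->execute(array(':lname' => $memberLastName));
$membersRows = $membersStatement->fetchAll(PDO::FETCH_ASSOC);

// 4. Where is it last seen / output?  At the HTML boundary, escaped for that
//    context.  Nothing between step 2 and here has touched the value.
echo '<p>Search for: ' . escapeHtml($memberLastName) . '</p>' . PHP_EOL;
echo '<ul>' . PHP_EOL;
foreach ($membersRows as $membersRow) {
    echo '  <li>' . escapeHtml($membersRow['fname'] . ' ' . $membersRow['lname']) . '</li>' . PHP_EOL;
}
echo '</ul>' . PHP_EOL;
```

Run it from the command line and the sample value matches the one row, with the apostrophe rendered as an HTML entity rather than passed through raw. If you can answer the four questions for a variable but cannot point at the line that escapes or binds it, that is where the leak will be.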

While iterating or doing any sort of repetitive programming, developers tend to use variable names like ‘i’ or ‘r’. We should always remember: the more information, the better. In this case, we should be prefixing (or whatever your style is) our variables with identifiers that hint at what they are doing in the loop.
Use “intMemberCounter” etc. instead to help identification.

This will also allow extension later on. For example, we could add multiple database queries to an iteration and still have it very legible for maintainers long after the application is written.

You are annotating your functions, right? Remember, the more information the better. Let other developers (and yourself) know what is actually happening in functions, loops, etc., because the more functionality you add, the more likely some of your code will become saturated with procedural code.

With PHP 5.3 we now have namespaces in PHP. If I can suggest anything to anyone about understanding scope management, I would tell them to play with namespaces. If you have not used namespaces yet, I suggest downloading Zend Server with PHP 5.3, heading over to the link at the bottom, and learning them.

You should also be familiar with all the kinds of type-hinting available in PHP, as more are being added with each new version. With all this organizational power built in, there is no reason for sloppy code in production environments any more.
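As an added example (not from the original post), here is what namespaces and type hints buy you for scope management: the same class name declared twice without a collision, and a function that states exactly which of the two it accepts. The namespace names, the `Counter` classes and the sample rows are all assumptions chosen for illustration; the braced namespace form is used only so that the whole thing fits in one file.

```php
<?php
// Added example, not from the original post.  Braced namespace syntax (PHP 5.3+)
// keeps everything in one file; real projects use one namespace per file.

namespace App\Members {
    // A counter that knows it counts members.  State is private, so the only
    // modifications possible are the ones listed in this class.
    class Counter
    {
        private $membersCounter = 0;

        public function increment()
        {
            $this->membersCounter++;
            return $this;
        }

        public function value()
        {
            return $this->membersCounter;
        }
    }
}

namespace App\Reports {
    // A different Counter.  No collision: the namespace is part of the name.
    class Counter
    {
        public $label = 'report';
    }
}

namespace {
    use App\Members\Counter as MembersCounter;

    // Type hints: $membersRows must be an array, $counter must be an
    // App\Members\Counter (or a subclass).  Passing an App\Reports\Counter
    // is rejected by the engine before the body runs (a recoverable fatal
    // error in PHP 5.3, a TypeError in PHP 7+), so the function never has
    // to guess what it was handed.
    function countMembers(array $membersRows, MembersCounter $counter)
    {
        foreach ($membersRows as $membersRow) {
            $counter->increment();
        }
        return $counter->value();
    }

    // Constructed sample rows standing in for a members query result.
    $membersQueryResult = array(
        array('fname' => 'Ann', 'lname' => 'Lee'),
        array('fname' => 'Bob', 'lname' => 'Ray'),
    );

    echo 'Members counted: ' . countMembers($membersQueryResult, new MembersCounter()) . PHP_EOL;
    echo 'Other class:     ' . get_class(new App\Reports\Counter()) . PHP_EOL;
}
```

The `use ... as` alias is the scope-management habit worth picking up: a file imports exactly the names it needs, and a reader can see at the top which `Counter` is in play without searching the rest of the application.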

Legible, elegant, optimized and secure code is standardized. It conforms to one coding style, and has all sorts of identifiers and comments that should allow any developer to jump in and debug a problem or extend functionality easily, without hunting through the code for the right locations, only to leave it more illegible with the additions.

Stay tuned for day 2…

Namespaces: http://php.net/manual/en/language.namespaces.php

Type-hinting: http://php.net/manual/en/language.oop5.typehinting.php

Simple Example: (give me a break here, this IS national hangover day)

<?php

// Before: the names say nothing about what the variables hold or where they go.
// ($db->doQuery() stands for whatever query helper your application uses.)
$q = "SELECT fname,lname FROM `members`";
$r = $db->doQuery($q);
$i = 0;
foreach ($r as $row) {
	// bleh....
	$i++;
}

//****************  After *************//

// After: each name says what the variable is and which data it belongs to,
// so a maintainer can answer the lifecycle questions without reading every line.
$membersQuery = "SELECT fname,lname FROM `members`";
$membersQueryResult = $db->doQuery($membersQuery);
$membersCounter = 0;
foreach ($membersQueryResult as $membersRow) {
	// bleh....
	$membersCounter++;
}