Search results for 'php'

10 Steps to Supportable Web Applications

September 23rd, 2008
So I've now been developing large-scale web applications for a few years, and I thought I'd share a few points I believe every coder needs to think about.

If you're just starting out you won't know why you NEED to do these things, but anybody who has had to revisit their own or somebody else's poor code will soon tell you that it's far better to get it right and scalable from the start than to have to go over everything and try to change it six months down the line.

So, in no particular order..

1) Don't rush to start

Think things through before you write anything. This goes hand in hand with point 10: if you think something through to begin with and do it right the first time, it will be easy to expand upon and improve later.
If you rush straight in you'll get halfway through, get stuck and have to start all over again.

2) Plan to scale the codebase

Many problems in developing applications come from having "organic" code. We've all seen it: code that just grows and grows into a behemoth of unsupportability.
All projects, whether big or small, need to be factored into well-organised, scalable applications, From! The! Start!
No silly naming of functions. Don't have a function called "set()"; it needs to be "set_foo()" at a minimum so that you can have "set_bar()" as well. Having just "set()" is going to get confusing VERY quickly, so don't do it!
Consider using an MVC-like framework, either your own or a lightweight open source one.

3) Separate application logic from markup

Now doing this may sound simple, but doing it *well* will inherently move you into a situation where you'll be using an MVC framework or a templating "engine" like Smarty.
This will look much prettier and give you (or a non-techy designer) complete freedom to change the design without touching any code that could potentially break the application.

PHP Parser - Filtering Cross Site Scripting (XSS)

September 18th, 2008
So the last few days I've been seriously stressing about the implications of XSS (cross-site scripting) in a project that I've been working on. If you don't know what XSS is all about and you're a web developer, you're in trouble; google it.

There's also a great website over at http://ha.ckers.org/xss.html that gives you a huge list of many of the known XSS methods.

There is a plethora of PHP classes out there that work on forums and such with a limited subset of XHTML, but I need to cover as much as possible, and before people start shouting at me, an approach using BBCode or Textile just isn't possible here (and it's ugly, don't get me started).

Whilst trying to find a decent PHP function to parse out these threats in the simplest manner possible, I ended up combining a few to come up with what's below.

Download file (strip_xss.txt)
function strip_xss($str, $allowed = null){
	if (!$allowed){
		// Tags that survive strip_tags(). strip_tags() does NOT touch the attributes of allowed tags;
		// the passes below deal with those. <applet> is deliberately not in this list (a Java applet is
		// executable content), and <form>/<input>/<button>/<textarea> let user content inject its own forms.
		$allowed = array('<h1>','<h2>','<h3>','<h4>','<h5>','<h6>','<b>','<i>','<u>','<a>','<ul>','<ol>','<li>','<pre>','<hr>','<blockquote>','<img>','<font>','<span>','<table>','<thead>','<th>','<tr>','<td>','<em>','<strong>','<div>','<center>','<ins>','<del>','<kbd>','<dd>','<tbody>','<tfoot>','<big>','<button>','<input>','<option>','<textarea>','<fieldset>','<form>','<legend>','<code>');
	}
	// Event-handler attributes to strip. This is a blacklist, so it is only as good as the list
	// (the original had 'onmoveout', which is not an event, where 'onmouseout' belongs).
	$disabled = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragdrop', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterupdate', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
	$disabled_re = implode('|', $disabled);

	// Remove control characters; TAB (0x09), LF (0x0a) and CR (0x0d) are kept. This stops re-spacing
	// tricks such as <java\0script>. (No literal commas in the class: an earlier version had them and
	// silently stripped every comma from the input.) Splits on \n, \r and \t must be handled later.
	$str = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $str);

	// Decode numeric entities (hex or decimal, optional leading zeros, optional trailing ;) for ordinary
	// printable characters, so that <IMG SRC=&#X6A&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A...>
	// becomes the literal "javascript:" the patterns below look for. Only the characters listed are decoded.
	$search = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()~`";:?+/={}[]-_|\'\\';
	for ($i = 0; $i < strlen($search); $i++) {
		$c = $search[$i];
		$str = preg_replace('/&#[xX]0{0,8}' . dechex(ord($c)) . ';?/i', $c, $str);	// &#x0040 or &#X40
		$str = preg_replace('/&#0{0,8}' . ord($c) . ';?/', $c, $str);			// &#00064 or &#64
	}

	// 1. Drop every tag that is not in the allow-list.
	$str = strip_tags($str, implode('', $allowed));

	// 2. Inside each remaining tag, remove javascript: URLs and quoted on*="..." handlers, and collapse
	//    whitespace. The original did this with the /e modifier, which eval()s the replacement string and
	//    was removed in PHP 7; preg_replace_callback() does the same job without eval().
	$str = preg_replace_callback('/<(.*?)>/', function ($m) use ($disabled_re) {
		$inner = preg_replace(
			array('/javascript:[^"\']*/i', '/(' . $disabled_re . ')[ \t\n]*=[ \t\n]*["\'][^"\']*["\']/i', '/\s+/'),
			array('', '', ' '),
			$m[1]
		);
		return '<' . $inner . '>';
	}, $str);

	// 3. Remove unquoted on*=value handlers that pass 2 did not match. Case-insensitive: the original
	//    pass was not, so onClick=... got through it.
	return preg_replace('/\s(' . $disabled_re . ').*?([\s>])/i', '\\2', $str);
}
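The function above is a blacklist: it strips the handlers and the one URL scheme it knows about from whatever strip_tags() leaves behind, and anything it does not know about passes through (an event attribute that is not in $disabled, a scheme other than javascript:, an encoding it does not decode). The approach a practitioner reaches for instead is an allow-list enforced on a parsed DOM tree, so that text and attribute values are re-serialized by the parser rather than copied out of the input. The block below is an added example, not the post's code. It needs PHP 7.1 or later with the DOM extension; the tag and attribute allow-list, the elements dropped together with their content, the URL attributes and the accepted schemes are all assumptions chosen for illustration, and the sample input at the bottom is constructed. For text that needs no markup at all, htmlspecialchars() is the complete answer and is shown alongside.

```php
<?php
// Added example, not the post's code: allow-list HTML sanitizer on DOMDocument.
// Every list below is an assumption for illustration.

// Plain-text context: encode, do not filter. Complete for element content
// and quoted attribute values.
function escape_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Elements that survive, with the attributes each may keep (assumed list).
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'b' => [], 'i' => [], 'u' => [], 'em' => [], 'strong' => [],
    'h1' => [], 'h2' => [], 'h3' => [], 'ul' => [], 'ol' => [], 'li' => [],
    'pre' => [], 'code' => [], 'blockquote' => [],
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt'],
];
// Elements removed together with their content: the text inside is not prose.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'applet'];
const URL_ATTRS = ['href', 'src'];
const SAFE_SCHEMES = ['http', 'https', 'mailto'];

// A URL is acceptable if it has no scheme (relative) or a listed scheme. Control
// characters and spaces are ignored while reading the scheme because browsers
// strip them too: "java\tscript:" is still javascript: to a browser.
function url_is_safe(string $url): bool {
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), SAFE_SCHEMES, true);
}

function sanitize_children(DOMNode $parent): void {
    // Iterate over a snapshot: the loop removes and re-parents nodes.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if (!($child instanceof DOMElement)) {
            if (!($child instanceof DOMText)) {
                $parent->removeChild($child);   // comments, processing instructions
            }
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $parent->removeChild($child);
            continue;
        }
        sanitize_children($child);              // children first, so hoisting below is safe
        if (!array_key_exists($tag, ALLOWED_TAGS)) {
            // Unknown element: keep its (already sanitized) content, lose the wrapper.
            while ($child->firstChild !== null) {
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        for ($i = $child->attributes->length - 1; $i >= 0; $i--) {
            $attr = $child->attributes->item($i);
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_TAGS[$tag], true)
                 && (!in_array($name, URL_ATTRS, true) || url_is_safe($attr->value));
            if (!$keep) {
                $child->removeAttributeNode($attr);
            }
        }
    }
}

function sanitize_html(string $html): string {
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // tolerate broken markup quietly
    $doc->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>'
        . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $body = $doc->getElementsByTagName('body')->item(0);
    sanitize_children($body);

    // Re-serialize from the tree: text and attribute values are escaped by the
    // serializer, never copied from the input.
    $out = '';
    foreach ($body->childNodes as $node) {
        $out .= $doc->saveHTML($node);
    }
    return $out;
}

// Constructed input covering cases a regex blacklist is fragile on: an unknown
// event attribute, an entity-obfuscated scheme, a handler on an allowed tag, a script.
$sample = '<p onclick="x">Hi</p><a href="java&#x09;script:alert(1)">x</a>'
        . '<img src="/a.png" onerror="alert(1)"><script>alert(1)</script><b>ok</b>';
echo sanitize_html($sample), "\n";
echo escape_html('<b>"plain"</b>'), "\n";
```

sanitize_html() is for the one place where users are allowed rich text; everywhere else, escape_html() at output time is the right tool, because it is context-independent and cannot be bypassed by an encoding the filter forgot. In production a maintained library does what this example sketches with a far larger allow-list; HTML Purifier is the usual choice in PHP.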

What I'm yet to come up with is a way of stopping people putting in things such as..
<img src="http://yoursite.com/admin/users/deleteall" />
Then whenever an admin or someone went to this page, already logged in to the app, the page would be executed as them, perfectly legally. Obviously there isn't a page that does delete all users, but you can see the problem, right?

Anybody who finds an improvement / bug, please please please add it back here so everyone can benefit; I'll update the code as we go!
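What the last paragraph above describes is cross-site request forgery (CSRF): the admin's browser attaches the session cookie to a request that somebody else's markup triggered, so the application cannot tell it from a legitimate click. Filtering the markup does not solve it, because the forged request can come from any site the admin visits, not only from content stored in this application. The standard fix is a per-session secret that the attacking page cannot read, checked on every state-changing request, together with refusing to change state on GET at all. The block below is an added example and not the post's code; it assumes PHP 7.3 or later and PHP's native sessions, and the form action path in the usage comment is made up.

```php
<?php
// Added example, not the post's code. Anti-CSRF token for a PHP session app.
// Assumes PHP >= 7.3 (array form of session_set_cookie_params, random_bytes, hash_equals).

// Harden the session cookie before the session starts. SameSite=Lax means the
// browser does not attach it to cross-site subresource requests such as the
// <img src="/admin/users/deleteall"> case; HttpOnly and Secure keep it away from
// script and from plain HTTP.
function start_hardened_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// One unguessable token per session, drawn from the CSPRNG.
function csrf_token(): string {
    start_hardened_session();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to drop into every state-changing form.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// The comparison itself, kept free of HTTP plumbing so it can be unit-tested.
// hash_equals() runs in constant time; a plain == on attacker-supplied strings
// is also subject to PHP's numeric-string comparison rules.
function csrf_token_valid(string $expected, $submitted): bool {
    return is_string($submitted) && $submitted !== '' && hash_equals($expected, $submitted);
}

// Call at the top of every handler that changes state. A third-party page can
// make the victim's browser send a GET (img, link) or even a POST (auto-submitted
// form), but it cannot read the token out of the victim's session, so the forged
// request fails here.
function require_csrf(): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);          // state changes are never performed on GET
        header('Allow: POST');
        exit('method not allowed');
    }
    if (!csrf_token_valid(csrf_token(), $_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('invalid or missing CSRF token');
    }
}

// Usage in the form page (action path is hypothetical):
//   <form method="post" action="/admin/users/delete"><?= csrf_field() ?> ... </form>
// Usage at the top of the handler for that action:
//   require_csrf();   // then perform the deletion
```

The token is tied to the session rather than to the user's identity so that it changes when the session does; rotating it after login (by unsetting $_SESSION['csrf_token']) is a cheap extra. SameSite alone is not a substitute for the token, since it does nothing for a form submitted from a page on the same site that carries user content.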

"Pushing" the web

September 6th, 2008
So recently I've been delving into the marvellous world of pushing data to web browsers.

Ok, before I get flamed, what I mean by pushing (for now) is the browser requesting data and the server sending new events periodically as they happen. Other technologies in this area are things like Comet and Orbited. Many people are already using various methods to implement this: services such as Mibbit, GMail/GDocs, Facebook, Highrise and others.

While this isn't a discussion about why I didn't use the existing approaches, I will say some of it is because the servers are based on Java or Twisted (Python), which is bulky, and I felt it could be simplified.

For now the general thought process is that the client's web browser requests data from the server via AJAX or JSONP, Flash or an IFrame, and when the server has some data to send, it plops it out, the web browser reads it and everyone is happy...

Limitations of these methods...

PHP File Diff

August 9th, 2008
So for anybody who has ever used Trac to look at your SVN repos, you'll know that there is a cool diff tool it uses that shows the differences between changesets.

The tool shows the additions / deletions of the code highlighted in different colours, with line numbers and some clever shizzle.

So anyway, I thought that was pretty cool so decided to have a go at it in PHP. You can see my attempt over here and the code for that page is available here.

It's a pretty simple class which compares and highlights all the differences between 2 files or strings located on your server. I was going to do loads of cool stuff with this but never got round to it. Hopefully this will be a helpful start to someone else.

PHP Force Download

April 22nd, 2008
So today I needed to force a file to download in a web browser where the browser would normally just output the file. It will also work in IE6 over a secure (HTTPS) connection, which was a bit like hard work.

function forceDownload($file, $name = false, $contenttype = "application/octet-stream", $delete = false){
	if (!$name) $name = $file;
	// $file is a path on this server. Never pass a request parameter straight in here:
	// resolve and check it in the caller first.
	if (!is_file($file)) return false;

	header("Cache-Control: public, must-revalidate");
	// PHP's session handling emits "Pragma: no-cache", which stops IE6 saving a download
	// over HTTPS; sending any other Pragma value overrides it.
	header("Pragma: hack");
	header("Content-Type: " . $contenttype);
	header("Content-Length: " . filesize($file));
	// basename() keeps path parts out of the header; quotes and CR/LF are removed so the
	// file name cannot break out of the quoted parameter or out of the header line.
	$name = str_replace(array('"', "\r", "\n"), '', basename($name));
	header('Content-Disposition: attachment; filename="' . $name . '"');
	// (Content-Transfer-Encoding is a MIME header, not an HTTP one, and the trailing "\n"
	// the original sent with it is rejected by header() in current PHP.)

	// Stream from disk rather than fread()ing the whole file into memory first.
	readfile($file);
	if ($delete){
		unlink($file);
	}
	return true;
}

Example Usage:
So I wanted to create a temporary file, write some contents to it, then force the file to be output via the browser and deleted on completion of the download.
$data = 'what a load of content';    // data to write to a file

$filename = 'cache/tmpfile.txt';     // the file to write the data to, must be writable
file_put_contents($filename, $data); // write the data to the file

// force the download and delete the file afterwards
forceDownload($filename, 'whateverfilenameyoulike.txt', 'text/plain', true);

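forceDownload() takes a server path and trusts it. In the example above the path is fixed, but the moment it comes from the request (a ?file= parameter is the usual pattern) the caller has to confirm that the resolved path is still inside the directory it is meant to serve; otherwise a name such as ../../config.php fetches any file the web server can read. The block below is an added example, not the post's code: it resolves and checks the path before handing it to a streaming download. It assumes PHP 7.1 or later; the downloads directory, the parameter name and the handler URL in the comment are made up.

```php
<?php
// Added example, not the post's code. Resolve a user-supplied file name to a
// path inside one directory, or refuse. Directory and parameter name are assumed.

// Returns the real path of $name inside $baseDir, or null if it escapes the
// directory, does not exist, or is not a regular file.
function resolve_download_path(string $baseDir, string $name): ?string {
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Cheap checks first: a single file-name component, no NUL bytes.
    if ($name === '' || $name !== basename($name) || strpos($name, "\0") !== false) {
        return null;
    }
    // The check that matters: realpath() resolves "..", symlinks and odd
    // separators, and the result must still start with "<base>/".
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;   // a symlink pointed outside $baseDir
    }
    return $path;
}

// Send $path as an attachment called $downloadName. Streams from disk rather
// than reading the whole file into memory, and reduces the file name to a
// character set that cannot break or inject into the header.
function send_download(string $path, string $downloadName, string $contentType = 'application/octet-stream'): void {
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $downloadName);
    header('Content-Type: ' . $contentType);
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('X-Content-Type-Options: nosniff');   // stop the browser second-guessing the type
    readfile($path);
}

// Handler, e.g. /download.php?file=report.pdf (URL and parameter name assumed).
$requested = $_GET['file'] ?? '';
$path = resolve_download_path(__DIR__ . '/downloads', $requested);
if ($path === null) {
    http_response_code(404);      // same answer for "outside the directory" and "missing"
    exit('no such file');
}
send_download($path, basename($path));
```

Returning 404 for both a missing file and a rejected path avoids telling the caller which of the two happened. If the download directory itself may contain symlinks you want to follow, drop the prefix check only for links you created, never for names the user supplied.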

Worlds Best PHP Function

April 15th, 2008
pr($array)
Yes, I know what you're thinking: how can Scrivna have written the ultimate time-saving function? Well, to be honest... I haven't... someone else did it and I've ripped it off :-)

Basically, what really annoys me is that when you're writing code with big arrays of data and you need to view that data, print_r is your friend: it outputs an array to the page. The only problem is that it doesn't output it as HTML, and the most common way to remedy this is to either...

A) View the source of the page so it appears formatted correctly
B) Wrap your print_r statement in <pre> tags
C) Do nothing and struggle like hell to read the output
D) Use my fabtabulous function below (trust me, this will save you hours)

And now for the big moment... here it comes.. are you ready for this?

Wait for it, drum roll please....
function pr($arrayness){
	// print_r() output is raw text. Encode it, otherwise a value that happens to contain
	// markup (or a <script> tag that arrived in user data) is rendered by the browser.
	echo '<pre>' . htmlspecialchars(print_r($arrayness, true), ENT_QUOTES, 'UTF-8') . '</pre>';
}

Da na!! Yup, isn't it great!

Not only is it shorter than typing print_r all the bloody time, it also formats your output properly.
If you really are crazy you could do some kind of crazy merge with the function over HERE to buffer the output and put it into a variable... but that's for another day.

Thankyou and goodnight.

Youtube Embed Rewriting

April 6th, 2008
So the time may come when you have code for embedding a YouTube video into a webpage but need that video to be automagically resized and looping and putting the kettle on for you. Well... here's a snippet of code that just might do that for you!
<?php
// adjust a YouTube video's size, autoplay and looping, given the embed code YouTube hands out

function youtube_adjust($string, $width = 425, $height = 355, $autoplay = false, $looping = false){
	// pull the video id out of the "movie" param URL (youtube.com/v/<id>). Only the characters
	// YouTube uses in ids are accepted, so $id can go straight into the markup below.
	$pattern = '~name="movie" value[\s=\'"]+[^"\'>\s]*?/v/([A-Za-z0-9_-]+)~is';
	if (!preg_match($pattern, $string, $m)) {
		return false;	// not an embed string we recognise
	}
	$id = $m[1];

	// shall i adjust these things?
	$width = (int)$width;
	$height = (int)$height;
	$autoplay = $autoplay ? 1 : 0;
	$looping = $looping ? 1 : 0;
	$url = 'http://www.youtube.com/v/' . $id . '&hl=en&autoplay=' . $autoplay . '&loop=' . $looping;

	// insert the new settings into the new format string and return it (the original hard-coded
	// autoplay=1 in the <param>, so the flags only took effect in the <embed>)
	return '<object height="' . $height . '" width="' . $width . '">
<param name="movie" value="' . $url . '"></param>
<param name="wmode" value="transparent"></param><embed src="' . $url . '" type="application/x-shockwave-flash" wmode="transparent" height="' . $height . '" width="' . $width . '"></embed></object>';
}

// this is the string youtube give you
$string = '<object height="355" width="425">
<param name="movie" value="http://www.youtube.com/v/iy3T3sp4EW4&hl=en"></param>
<param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/iy3T3sp4EW4&hl=en" type="application/x-shockwave-flash" wmode="transparent" height="355" width="425"></embed></object>';

// call and output it
echo youtube_adjust($string, 200, 100, true, true);
?>


P.S. WordPress likes inserting random characters in places; sorry if this has screwed up the code above.

Travelling Salesman Problem

March 15th, 2008
So, as you may or may not know, I've been trying to calculate the shortest distance to travel between a number of points (aka the Travelling Salesman Problem). While I completely failed at doing this in Java, I have created a way to do it in PHP. So without further hesitation, here is the class and a quick usage example.

Unicode Encoding

March 5th, 2008
Ok, so recently I've been making all my web pages support Unicode character sets; one of the tasks is ensuring all output is encoded in UTF-8. Anyway, to make a long story short, using the ob_get_contents() function I showed you a few posts ago gives you output in whatever character set the file is saved as, and no matter what you do you can't get the blasted thing to display as UTF-8... so there are a few methods of fixing this...

My first attempt was PHP's iconv() function to convert all the output into UTF-8; however, this is just pants and you'd have to detect what format it's in in the first place in order to recode it...

The other (and better) approach is just to ensure that all your pages are encoded in UTF-8 to start with. With the IDE I use (Coda) you can set the default file encoding in the preferences, and I'm sure many other editors give you the same options.

Magic.

PHP Assign include content to a variable.

February 27th, 2008
So today I came across the need to include a file in PHP, with limited access to data, and not output it to the browser...

Basically all this does is buffer the output, then get the buffer contents and return it...
// assigns the output of a file into a variable... lovely jubbly!
function get_include_contents($filename, $data = '') {
    if (is_file($filename)) {
    	if (is_array($data)) {
    		// EXTR_SKIP: keys in $data must not overwrite this function's own variables. Without it
    		// a 'filename' key would change which file gets included below, after the is_file()
    		// check has already passed.
    		extract($data, EXTR_SKIP);
    	}
        ob_start();
        include $filename;
        return ob_get_clean();	// fetch the buffer and discard it in one call
    }
    return false;
}

I suppose a usage example might be nice
$data = array('name'=>'Ross','hobby'=>'Writing Random Code');
$output = get_include_contents('my_file.php',$data);
// my_file.php will now have access to the variables $name and $hobby

easy as pi :-p

Random Strings and Comparing Arrays - A Rant

January 16th, 2008
Again people amaze me with just how thick they can be. Basically I want to create a random string 8 characters long, and a bit of Google bashing gives me functions that are 20 - 100 lines long. Why people? Why? Here is my fabtabulous (and far better than yours) script for achieving this.
function random_string($length = 8){
	$charset = array_merge(range('a', 'z'), range('A', 'Z'), range('0', '9'));
	// array_rand($charset, $length) returns $length *distinct* keys, so the original version
	// never repeated a character and could not make a string longer than the charset. Draw each
	// position independently instead, from random_int() (PHP 7+, CSPRNG) so the result is also
	// usable as a token; array_rand() is not a cryptographic source.
	$key = '';
	$max = count($charset) - 1;
	for ($i = 0; $i < $length; $i++) {
		$key .= $charset[random_int(0, $max)];
	}
	return $key;
}

See how easy it is people! Love you really.

And while I'm ranting about stuff... comparing 2 multidimensional arrays, hello PHP? Bah.. here's my very simple solution!
function array_compare($array1, $array2){
	// serialize() gives identical strings for identical arrays (same keys, same order, same
	// types), so comparing the strings is enough. Hashing them added nothing, and comparing
	// two md5 hex digests with == was a real bug: PHP compares numeric-looking strings such
	// as "0e1234..." as numbers, so unequal digests can compare equal.
	return serialize($array1) === serialize($array2);
}