Monday, September 15, 2008

Day 1 - Notes from ZendCon

For those that don't know, there are generally 3-5 unrelated sessions happening concurrently in any given scheduled block. In layman's terms, there are other classes happening at the same time, and obviously I can only go to one at a time.

Today's class was "PHP Certification Crash Course," and as I stated earlier we were late, so I was only able to attend the latter half of the class.

Regardless, the topics covered were generally rather simple. I was actually amazed at how simple they were.

So here are the topics we covered during the time I was there:

OOP: Magic functions, SPL
So this was actually pretty lame. They talked a lot about the magic methods (e.g., __autoload, __call, __set/__get, __sleep, __wakeup, and so on) and their exact parameters. However, the instructor (as I'll be calling him from now on) stated many times that it wasn't really necessary to know these, yet he spent a lot of time talking about them.

The cool part about this section, while rather brief, was the discussion around Reflection. This clearly confused probably 80-90% of the room; you could just tell by their faces. But like I said, it was really brief. The instructor did go over some good points, though. There are several reflection classes, and you can get a dump of any of them by passing an instance to the static method Reflection::export.
These reflection classes are as follows (and can be found here): ReflectionObject, ReflectionClass, ReflectionMethod, ReflectionProperty, ReflectionFunction, ReflectionParameter, ReflectionException, ReflectionExtension. Now I'm not entirely keen on the output of export, but the actual reflection classes seem to have some nice methods that can assist. I'll have to look at how our project at work handles reflection for WSDL generation and see if I can tweak anything (another developer wrote that stuff and is no longer with the company).

We also talked a little bit about SPL. The key things we talked about were ArrayIterator and ArrayObject, both of which I have a lot of experience with. The instructor didn't really delve into much detail about how the magic functions are called or what they're used for, but he did at least state that they help your object act like an array, which for the most part is true.

String Manipulation:
To me this was another no-brainer section. We talked a bit about strpos, and the dangers of doing a simple test as follows:
$url = "http://blah.com";
if (strpos($url, 'http://')) {
echo 'You have a URL';
} else {
echo 'Not a valid URL';
}
In case you can't tell what the issue is: strpos returns the index at which the needle was found, and here "http://" sits at index 0, so the call returns the integer 0. And for those not thinking straight, 0 evaluates as false (as does NULL, "" [empty string], and of course FALSE), so the valid URL takes the "Not a valid URL" branch.

Here's another funny little trick that one might see on the test. What does this evaluate to:
var_dump( ($a == $b) * strcmp($a, $b) );
Or how about this?
strcmp ($a, $b) + strcmp($b, $a);
Well, in both cases, the answer is always, without any doubt, "0".

Files, Streams, Networking:
The next session was more about how these three ideas are combined and implemented in practically the same way.
In terms of files, the main topic of discussion was how to tell which functions do what. That is to say, functions whose names start with "f" operate on file resources (the exception being file), and all functions that start with "file_" operate on file names.
There was also a good little discussion on file wrappers (e.g., file://, http://, custom://) and how to build your own wrapper that returns custom data as expected from it. A good example would be a custom compression wrapper for local compressed files. The downside is that this isn't part of SPL and has no interfaces to implement, so the required methods need to be looked up every time. Ugh.
There was a lot about streams, in particular contexts and metadata. To be honest, I started dozing off at this point and don't have any good take-aways.

XSS, XSRF, and Security:
The rest of the class was a bunch of security considerations. The main take-away for this section is: All input (from outside) is (potentially) evil.
That is to say, you really should scrub the hell out of your data before storing it in a session, form element, or database; and in particular, you should never just echo things out. For example, someone can close a tag, or control a request value (such as PHP_SELF), and get raw HTML/JavaScript into your output to do things you really don't want (redirect, hijack data, phish, etc.).
This is also true for SQL injection: use the database-specific escape functions and prepared statements to ensure nobody can insert a username of "Bobby; drop tables" (thank you, XKCD).
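Here is an added PHP example (my own, not code from the class or from this post) that ties the strpos fix from the string section to the two points above: escape before you echo, and bind SQL parameters. The helper names startsWithHttp(), h() and findUser() and the users table are my own choices, and the demo assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not code from the ZendCon class or from the post: the
// strpos pitfall above fixed, plus the two security points (escape before you
// echo, bind SQL parameters). Function names and the users table are made up.

// strpos() returns int 0 when the needle is at index 0 and false when it is
// absent; a bare truthiness test confuses the two. Compare with === instead.
function startsWithHttp(string $url): bool
{
    return strpos($url, 'http://') === 0 || strpos($url, 'https://') === 0;
}

// Escape request data for the HTML context it lands in before echoing it.
// ENT_QUOTES also encodes single quotes, so attribute values stay closed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: PHP_SELF comes from the request path, so a crafted URL can
// close the attribute and add markup to the form tag.
function formTagUnsafe(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Hardened: the same tag with the value escaped for an attribute context.
function formTagSafe(): string
{
    return '<form action="' . h($_SERVER['PHP_SELF'] ?? '') . '" method="post">';
}

// Bind user input as a parameter instead of splicing it into the SQL, so a
// username such as "Bobby; drop tables" is treated as data, never as syntax.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo against an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('alice')");
var_dump(startsWithHttp('http://blah.com'), findUser($db, 'alice'));
var_dump(findUser($db, "Bobby'; DROP TABLE users; --"), findUser($db, 'alice'));
echo h('<script>alert(1)</script>'), PHP_EOL, formTagSafe(), PHP_EOL;
```

The second var_dump shows the injection attempt returning no row while the following lookup of alice still succeeds, i.e. the bound parameter never became SQL and the table is intact.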


Whelp! I think that's it, and a long-ass post. Let me know if you have any questions, but I think most of it was really straightforward.

-Spaz
