Learning PHP

[mikeworks]

I am trying to learn php/mysql and have completed a couple of courses so far on udemy. Still a lot to learn, but my goal is to code my own cms system that I could use on a network of high traffic sites. But while working through online course some questions don't seem to be answered or discussed much yet.

1. How to make script secure? A lot of courses so far are fairly brief on this, are there any good sources for information or books to study?

2. Caching? What caching should I be learning about to help run high traffic sites. I have experience with sites running memcache/smarty template cache.

[just a punk]

1. No answer here. It's like if you ask "how to make my home secure?" There could be a ton of recommendations, but no universal solution.

2. When PHP engine generates a page, it usually does a lot of things. Performs SQL queries, access various files and simple executes the code. Caching is a method do avoid it. Once the page was generated, it's saved as a simple HTML file. So next time when someone will try to open it, he will see the previously generated static version - the PHP code will not be executed, SQL queries will not be performed etc.

[Klen]

Quote:

Originally Posted by mikeworks

I am trying to learn php/mysql and have completed a couple of courses so far on udemy. Still a lot to learn, but my goal is to code my own cms system that I could use on a network of high traffic sites. But while working through online course some questions don't seem to be answered or discussed much yet.

1. How to make script secure? A lot of courses so far are fairly brief on this, are there any good sources for information or books to study?

2. Caching? What caching should I be learning about to help run high traffic sites. I have experience with sites running memcache/smarty template cache.

1. By trying to hack your own script, you can also ask other programmers to trying to hack it.
Basically you need to check your script against any kind of injections, regardless is it mysql or any other kind. But sometime even trivial solutions can block most of injections, for example command htmlentities which turns characters which are required to execute injection into html code.

2. I am using memcached and it do the fine job, page loads fast once is runned for first time, and it stil loads fast even if you make a change on page. There are additional caching engines, like Opcache and Ioncube which you can use as well with it, but also pay attention to your queries - a lot of optimization can be done by simply using either better queries or better data structure. For example,
you can organize data by dividing tables to frequently used data and settings data.

[Barry-xlovecam]

1. Limit user input to scripts to the expected input.

2. Set the correct (lowest permissions necessary) for all files and directories.

By only allowing only the expected, the dangerous unexpected user input will be rejected.

Google is your friend: https://www.google.com/search?q=secure+PHP
Lots of opinions and ideas here ^

[HomerSimpson]

best advice I can give you is to use a php framework... If you're a beginner to PHP a CodeIgniter is a good start. Using a framework you'll have to worry less about security and these regular PHP stuff and you'll focus more on what are you trying to build.

[NakedWomenTime]

Quote:

Originally Posted by mikeworks

1. How to make script secure? A lot of courses so far are fairly brief on this, are there any good sources for information or books to study?

A lot of this is running validation routines on data that can be passed into the script, e.g. from form fields or querystrings, so that rogue instructions can't be included with that data.

[redwhiteandblue]

One basic way to do caching is use the output buffering.

Put

ob_start();

at the start of your script, before you write any HTML. At the end, after you've written all the HTML, put

ob_end_flush();

That sends the contents of the buffer to the client with headers. To cache the page instead of sending it, you can make use of ob_get_contents(); and save the result as a file. Then the next time that page is requested, serve that file instead of rebuilding the page. After the file is a certain age, delete it and rebuild the page.

That's a basic way of doing caching. The problems arise when you want to dynamically add a value in the HTML which is different for each visitor, say if you're dynamically writing JS. Then it gets a bit more tricky....

[deonbell]

never truss user input.

htmlspecialchar is good php function.

Looks at parameterized sql statements to avoids sqlinjection. Much old information for sql still on web shows old ways of things. that is dangerous.

[Daniel BongaCash]

When it comes to secure, it is all individual, there are a lot of solutions you can find.

[fris]

https://laracasts.com/series/php-for-beginners

good series

[Miguel T]

If I'd pick a framework, I'd go with Laravel

[deonbell]

also, when i say don't trust user input. do input validation on the back-end. Even Post data can be manipulated using a proxy tool like Burp suite.

You can validate using javascript on the front end, just to save user time. But make sure security validation is done on the back-end.

[Tasty1]

Quote:

Originally Posted by Zuzana Miguel

If I'd pick a framework, I'd go with Laravel

Heard more people using that, must try myself.

[mikeworks]

Thanks for all advice. I'm getting a better understanding of what is required. So far have coded blog type script, with uploads, admin area, tags, search and a basic shopping cart while following video tutorials.

In general terms I guess the stages could be broken down as such:
-code secure script
-optimize db queries
-implement memcache

Is memcache the only caching solution I need to use? With current scripts I see they use memcache and template cache, but I guess the template cache is because it uses smarty?