while(list($cmdID, $cmdName) = each($cmdArray))
{
$cmdOptions .= “<option value=$cmdID>$cmdName</option>”;
}
$template = new Template($TEMPLATE_DIR);
$template->set_file(‘fh’, $MY_TEMPLATE);
$template->set_block (‘fh’, ‘mainBlock’, ‘main’);
$template->set_var(‘USERNAME’, $user);
$template->set_var(‘CMD_OPTIONS’, $cmdOptions);
$template->parse(‘main’,’mainBlock’, FALSE);
$template->pparse(‘output’, ‘fh’);
This example uses bad_screen.ihtml, shown in Listing 3-2, as the HTML interface
file. A while loop is used to create $cmdOptions. Notice that some HTML tags are
embedded in the following line:
$cmdOptions .= “<option value=$cmdID>$cmdName</option>”;
This violates the principle of keeping all HTML out of the code. There are situations in
which it isn’t possible to keep the HTML out, but in creating combo boxes you can.
Listing 3-2: bad_screen.ihtml
<html>
<head><title>My Document</title></head>
<!-- BEGIN mainBlock -->
<body bgcolor=”#ffffff”>
<h1>Hello {USERNAME} </h1>
<form>
<select name=”cmd”>
{CMD_OPTIONS}
</select>
<input type=submit>
</form>
</body>
<!-- END mainBlock -->
</html>
Listing 3-3 shows a modified version of Listing 3-2. Here the combo box (select
list) is shown as an embedded block called optionBlock within the mainBlock in
the template. The <option value=”{CMD_ID}”>{CMD_NAME}</option> line is
looped when the block is populated.
56 Part I: Designing PHP Applications
05 549669 ch03.qxd 4/4/03 9:24 AM Page 56
Listing 3-3: good_screen.ihtml
<html>
<head><title>My Document</title></head>
<!-- BEGIN mainBlock -->
<body bgcolor=”#ffffff”>
<h1>Hello {USERNAME} </h1>
<form>
<select name=”cmd”>
<!-- BEGIN optionBlock -->
<option value=”{CMD_ID}”>{CMD_NAME}</option>
<!-- BEGIN optionBlock -->
</select>
<input type=submit>
</form>
</body>
<!-- END mainBlock -->
</html>
To generate the combo box without having any HTML code inside the PHP
application, we modify the last code segment as follows:
$TEMPLATE_DIR = ‘/some/path’;
$MY_TEMPLATE = ‘bad_screen.ihtml’;
$cmdArray = array(
‘1’ => ‘Add’,
‘2’ => ‘Modify’,
‘3’ => ‘Delete’
);
$template = new Template($TEMPLATE_DIR);
$template->set_file(‘fh’, $MY_TEMPLATE);
$template->set_block (‘fh’, ‘mainBlock’, ‘main’);
$template->set_block (‘mainBlock’, ‘optionBlock’, ‘options’);
while(list($cmdID, $cmdName) = each($cmdArray))
{
$template->set_var(‘CMD_ID’, $cmdID);
$template->set_var(‘CMD_NAME’, $cmdName);
$template->parse(‘options’,’optionBlock’, TRUE);
}
Chapter 3: PHP Best Practices 57
05 549669 ch03.qxd 4/4/03 9:24 AM Page 57
$template->set_var(‘USERNAME’, $user);
$template->parse(‘main’,’mainBlock’, FALSE);
$template->pparse(‘output’, ‘fh’);
The embedded block optionBlock is populated using the while loop, which
replaced the CMD_ID, and CMD_NAME inside the loop. The parse() method that is
called to parse the optionBlock has the append flag set to TRUE. In other words,
when the block is parsed, the output of the last parsed block is appended to the cur-
rent one to make the list of options.
Finally, the mainBlock is parsed as usual and the combo box is generated com-
pletely from the interface template, without needing HTML tags in the PHP code.
Reducing template code
When using the Template object to display a user interface, you may think that
many calls to the set_var() method are needed to replace template tags. For
example:
// OK - could be better
$TEMPLATE_DIR = ‘/some/path’;
$MY_TEMPLATE = ‘screen.ihtml’;
$template = new Template($TEMPLATE_DIR);
$template->set_file(‘fh’, $MY_TEMPLATE);
$template->set_block (‘fh’, ‘mainBlock’, ‘main’);
$template->set_var(‘FIRST’, $first);
$template->set_var(‘LAST’, $last);
$template->set_var(‘EMAIL’, $email);
$template->set_var(‘AGE’, $age);
$template->set_var(‘GENDER’, $gender);
$template->parse(‘main’,’mainBlock’, false);
$template->pparse(‘output’, ‘fh’);
If you are assigning a lot of template variables to values like in the previous code
segment, you can reduce the number of set_var() calls by combining all of the
calls into a single call. This will speed up the application since a single call is faster
than many calls to a method. An improved version of this script is shown below.
// BETTER
$TEMPLATE_DIR = ‘/some/path’;
$MY_TEMPLATE = ‘screen.ihtml’;
58 Part I: Designing PHP Applications
05 549669 ch03.qxd 4/4/03 9:24 AM Page 58
$template = new Template($TEMPLATE_DIR);
$template->set_file(‘fh’, $MY_TEMPLATE);
$template->set_block (‘fh’, ‘mainBlock’, ‘main’);
$template->set_var( array(
‘FIRST’ => $first,
‘LAST’ => $last,
‘EMAIL’ => $email,
‘AGE’ => $age,
‘GENDER’ => $gender
)
);
$template->parse(‘main’,’mainBlock’, false);
$template->pparse(‘output’, ‘fh’);
In this example, a single instance of set_var() method is used to pass an unnamed
associative array with template tags as keys and appropriate data as values.
Best Practices for Documentation
When you decide to develop software, you should create design and implementa-
tion documentations. Design documentations include block diagrams that describe
the system, flow charts that describe a specific process, class diagrams that show
the class hierarchy, and so on.
Implementation documentation also has flow charts to describe specific imple-
mentation processes. Most importantly, though, you use inline code comments to
describe what your code does.
You can use single-line or multiple comments such as:
<?php
// This is a single-line comment
$myName = ‘Joe Gunchy’;
/*
This is a multi-line comment that can span
over multiple lines.
*/
$mySchool = ‘CSUS’;
?>
Chapter 3: PHP Best Practices 59
05 549669 ch03.qxd 4/4/03 9:24 AM Page 59
All the code for this book is commented, although the inline code com-
ments have been stripped out of the code listings printed in the book to
reduce the number of lines and because the book covers each method in
detail. However, you can get the commented version of the code on
the accompanying CD-ROM and/or on the Web site for the book at
www.evoknow.com/phpbook.php.
Best Practices for Web Security
In this section I will discuss a set of best practices that if practiced will result in bet-
ter security for your Web applications.
Keep authentication information
away from prying eyes
Many Web applications use authentication information to allow restricted access to
the application using username/password or IP addresses. Similarly, all applica-
tions using databases use database access information (host name, username/pass-
word, port, etc.) that should never be revealed to any Web visitors. You should keep
these authentication data away from prying eyes by using one of these methods:
Store authentication data way from the Web document tree. Make your
applications read authentication related files from outside the Web docu-
ment tree so that these files are not browseable via Web. This will require
that your Web server has read access to these files. No other user (other
than the root) should have access to these files.
If you cannot store authentication files outside your Web document tree
for some reason, you need to make sure the authentication files are not
browseable via the Web. This can be done by using file extensions and
restricting these extensions from being served by the Web server.
When using databases with applications always create a limited privilege user by
following your database administration guide. This user should be allowed to only
access the specific database that your application needs access to. You should never
use a privileged database user account to access database from Web applications.
Consult your database documentation for details on how to create limited privilege
database users.
60 Part I: Designing PHP Applications
05 549669 ch03.qxd 4/4/03 9:24 AM Page 60