1.04 Cutting-Edge Technologies for Web Professionals The Truth about Sessions NEW Session Management Exposed Doing Business the Open Source Way Interview with MySQL AB and Zend Bug Off Eliminating Bugs from PHP Code Writing PHP Extensions Internals by Zeev Suraski Clean Up Your Code Refactoring Techniques PHP at intelleFLEET, LLC. Data Acquisition 2 Table of Contents php magazine 01.2004 Tools & Reviews Cover Story NEW Locked! page 09 The Truth about Sessions page 39 If you write PHP applications, for example a guestbook or an auc- Nearly every PHP application uses sessions. This article takes a de- tion software and you distribute it you also know that your applica- tailed look at implementing a secure session management mech- tions will by distributed by source. This article wants to analyze if anism with PHP. Following a fundamental introduction to the Web's and when it does make sense to encodeyour PHP applications and underlying architecture, the challenge of maintaining state, and the which products are therefore available. basic operation and intent of cookies, I will step you through some simple and effective methods that can be used to increase the se- Book Review page 16 curity and reliability of your stateful PHP applications. Professional PHP Web Services It is a common misconception that PHP provides a certain level of security with its native session management features. On the con- trary, PHP simply provides a convenient mechanism. It is up to the Business developer to provide the complete solution, and as you will see, there is no one solution that is best for everyone. Doing Business the Open Source Way page 17 Open Source is the way of the future, and now, even companies go for it. Meet the new entrepreneurs: MySQL AB and Zend Technolo- Development gies. Clean Up Your Code page 46 This article describes a methodology to improve application design. Columns It teaches us to build flexibility in our code when and where it is needed, and to avoid ending up with endless code clutter. The arti- Inside Wire page 21 cle also discusses when to refactor, and the things to keep in mind Some useful and strange fixes for making URL tampering less invit- when applying this technique. Illustrated with real life examples in ing, how to get a little more strict on incoming data, overriding PHP, it explains a number of common refactorings. With these ex- safe_mode with the CGI binary, running a PHP script, and more. amples, the article proves that the methodology can be applied eas- ily in a web development environment. Start Up Bug O¤ page 25 Enterprise A tutorial on how to resolve and prevent bugs from impeding your PHP at intelleFLEET, LLC page 55 PHP scripts. PHP is a well-known and commonly used server scripting language for the creation of dynamic web sites. Still many new users ask why Internals PHP should be preferred over other technologies/languages and many also ask for references to companies who have used PHP with Writing PHP Extensions page 31 success. This is the story about how PHP was helpful in making a One of the key factors of PHP's tremendous success was the very success of a small startup company located in Southern California easy to use extensibility API. The simplicity of adding new function- with customers all over USA. ality to the PHP engine, such as support for a new database or a new protocol, enabled a wide audience of developers to join in the project, and eventually resulted in one of the most powerful web Departments platforms in use today. The purpose of this article is to explain the Editorial page 03 process of creating a new PHP extension, and to explain how to im- Advertising Index page 60 plement some of the features commonly used in extensions. Imprint page 60 News & Trends page 04 3 Editorial php magazine 01.2004 Dear Readers, Welcome to the first issue of the PHP Magazine. As with all For those of you with a Business bent of mind, we profile ‘first’ editorials, we will reserve some space, without expound- MySQL AB and Zend Technologies – two companies whose ing too much, to discuss how we came to be. success stories demonstrate that making money and working The beginning of the year 2003 marked the release of the for Open Source projects at the same time is very much compat- International PHP Magazine in print, establishing itself as the ible. In this interview David Axmark and Doron Gerstel talk premier source of cutting-edge PHP Information. True to its about the links both companies have with Open Source, PHP, name, the magazine gained international repute with its stun- and associated licensing issues. ning technical content, fostered and nurtured by the likes of De- The Inside Wire column documents the work of PHP pro- rick Rethans and Jan Lehnardt, with extensive inputs from core grammers who come up with useful and strange ways to fix members of the PHP team. From that point, it took us over a things that may or may not be broken. From the weird to the year to realize that we had to bring out an electronic version to simple – the Start Up corner houses an article on debugging satiate the ever-burgeoning amount of information-demand PHP scripts for newbie PHP users; it’ll be interesting for more that we receive from avid PHP enthusiasts around the world. advanced readers as well. To move on to higher things, the In- You asked for it, and here we are!! ternals section focuses on extending PHP – this series will put The PHP Magazine is your monthly dose of PHP, contain- you on your way to becoming a hardcore extension writer. ing an assortment of carefully handpicked articles from the vast In this issue, we chose to run a cover story on Session Secu- resource pool of the PHP Magazine editorial. This issue also rity, since there is a definitive void for information in this area. features, a brand-new Cover Story based on PHP Security along Our author agrees that our community has been harmed, by a with some articles centered around that theme. Most of the arti- lack of good security-related documentation. The cover story cles are written by authors who deal with PHP in their daily takes a detailed look at implementing a secure session manage- work, so feel free to administer yourself with doses in large ment mechanism with PHP. quantities. For those of you who are trying to cope with constant To start with, the News & Trends section chronicles the ‘go- changes in code design, we get down to some hands-on Devel- ings-on’ in the PHP arena. opment with refactoring – a way to change your code design In the Tools&Reviews track, we do an under-the-hood analy- without changing the inherent functionality. As a parting shot, sis of PHP encoding solutions – with the PHP bytecode encoders for the Enterpriseing lot, we record how PHP helped turn a of Zend and ionCube, and a review of a PHP book as well. small startup company in Southern California into a big-time player with customers all over USA – enjoy the case study on in- telleFLEET, LLC. We hope you enjoy reading all that we have lined up for you. We look forward to hearing your questions, suggestions, and guidance, concerning the content and detail in the maga- zine. We would also like to hear about any other topics that you think are interesting and can be helpful to the PHP community at large. Feel free to write to us at [email protected]. Before we sign off, it’s the season of peace and joy – we wish you a Merry Christmas and a Peaceful & Prosperous New Year ahead. Let’s raise a toast to our monthly dose of PHP. Indu Britto 4 News & Trends php magazine 01.2004 Zend/Win Enabler - Running PHP on Windows Finding Bottlenecks in PHP Code Zend has announced the beta release of ZPS for windows - a solu- DBG 2.11.0 released - Php Debugger DBG is a comprehensive soft- tion for running PHP on Windows with increased performance and ware tool that helps you to debug your PHP script. It may work with assured stability. Here are some highlights of ZPS from the Zend your production or development web server or locally without any web site: other computers. DBG is equipped with the ability to backtrace er- • The Enabler that marries PHP and Windows with no limits, is pro- rors. It shows local and global variables as well as parameters that duced and supported by the designers of PHP themselves. have been passed to all nested function calls at any point of execu- • Finally, a Windows - PHP Enabler that has stability and scalabili- tion. Among other things, it allows you to execute scripts in a step- ty built-in by-step manner, set breakpoints (including conditional ones), eval- • Provide your customers with multi-platform PHP applications, uate expressions, and watch variables. The profiler allows you to running Linux and/or Windows seamlessly find bottlenecks in PHP code at the functions level as well as the • Keep you boss and your customers happy - performance up to 3x modules level and even the source lines level. DBG 2.11.0 brings better than ISAPI and up to 10x better than CGI, with none of IS- with it, the addition of the PCRE and getopt library to the source API’s instability. tree. • No more wondering about unstable, experimental or mysterious http://dd.cron.ru/ IIS and Apache connectivity methods http://www.zend.com/store/products/zend-win-enabler.php#1 Zend Performance Suite 3.6.0 Released Zend Performance Suite (ZPS) is the complete performance man- Dumping PHP Data Structures to/from XML agement solution for delivering PHP-based dynamic content cost- PHP_XML_Dumper 0.50 released - PHP_XML_Dumper is a class effectively.