Tyler (Chacha)

Tyler (Chacha) is a web developer.

Don’t Cross the Beams! Why Object-Based Database Connections Rock

You can pretty much guarantee that any dynamic website is going to, at some point, connect to a database. It is a good idea to know how your particular language works with different databases, and what tools are at your disposal. If you’ve worked with databases in PHP for any length of time, you’ve probably come across the MySQL extension. Functions like mysql_connect() and mysql_query() are extremely common. However, you can save yourself a lot of time by not calling them directly. (Note: the mysql_* functions were deprecated in PHP 5.5 and removed in PHP 7.0; in current PHP the same job is done by mysqli or PDO, but the argument below applies to those just as well.)

Now, before you explode on me, let me explain my reasoning. Every time you have to type out the words mysql_query() you might be wasting your time. This is because if you ever have to switch databases, involve multiple servers, or have any other weird database configurations brought to your code, you are required to go back and change all of those commands you just typed. Let’s take this example:

mysql_connect(); // A mysql_connect() call with no parameters uses php.ini's default settings.
$result = mysql_query("SELECT * FROM table");

This seems like a very simple command. It connects to the database and makes a query. For very small sites, this may be the perfect solution. However, if you code like this every day you could be setting yourself up for a lot of work. Let’s say your boss calls and tells you that you have to grab data from another server. That shouldn’t be too hard. We can just modify our script to grab data from the new server.

mysql_connect();
$result = mysql_query("SELECT * FROM table");

mysql_connect("differenthost.com", "differentuser", "differentpass");
$result2 = mysql_query("SELECT * FROM table2");

Now we have made multiple connections and have gotten data from each server. But what if this was more complicated? What if you had to make a query to Server A, use that to make a query on Server B, and then make a third query on Server A. You could try messing around with link identifiers, but that is going to get messy:

$server1 = mysql_connect();
$result = mysql_query("SELECT * FROM table", $server1);

$server2 = mysql_connect("differenthost.com", "differentuser", "differentpass");
$result2 = mysql_query("SELECT * FROM table2", $server2);

$result3 = mysql_query("SELECT * FROM table3", $server1);

Well, that isn’t too bad. But what if Server A suddenly switches to a database other than MySQL? You’re going to have to go back and rework all of your logic, and this is only a 7 line script. If you’re dealing with thousands and thousands of lines of code, managing servers is going to be hard unless you are using a proper object to control how the queries get sent.

With objects, you can create an object, assign it to a variable, and then anyone who wants to make a query can simply call the query() method on that object. It doesn’t matter what server is being queried on, it doesn’t care what type of server it is, or anything else for that matter. As long as you return an array with the results they want, it will work. This also means that when you change how a database is accessed, you only have to change it in one place.

Let’s first define what a Database Connection object should look like:

abstract class DatabaseConnection{

	abstract public function connect($host, $user, $pass);
	abstract public function disconnect();
	abstract public function query($queryString);	

}

Right now, this class is abstract, which means that what the functions actually do has not been defined. We’ve simply defined what functions must be available, and what arguments they need to accept. For this DatabaseConnection, we’ve kept it simple. A connection needs a way to connect, disconnect, and make a query.

Let’s make one in MySQL:

class MySQLConnection extends DatabaseConnection{

	// The link identifier returned by mysql_connect(); declared explicitly
	// so the class does not rely on dynamic properties.
	private $connection;

	public function connect($host, $user, $pass)
	{
		$this->connection = mysql_connect($host, $user, $pass);
	}

	public function disconnect()
	{
		mysql_close($this->connection);
	}

	public function query($queryString)
	{
		return mysql_query($queryString, $this->connection);
	}

}

As you can see, this is a very simple connection. And you can call it like this:

$db = new MySQLConnection;
$db->connect("host", "user", "pass");
$db->query("SELECT * FROM table");

But this isn’t the fun part. Let’s say we have the above code with the multiple databases, but used objects instead:

$db = new MySQLConnection;
$db->connect("host", "user", "pass");
$db->query("SELECT * FROM table");

$db2 = new MySQLConnection;
$db2->connect("host2", "user2", "pass2");
$db2->query("SELECT * FROM table");

$db->query("SELECT * FROM table");

Now, let’s say we wanted to use a different type of database. Instead of having to change a bunch of code, we change one line and nothing else:

$db = new PDOConnection;
$db->connect("host", "user", "pass");
$db->query("SELECT * FROM table");

$db2 = new MySQLConnection;
$db2->connect("host2", "user2", "pass2");
$db2->query("SELECT * FROM table");

$db->query("SELECT * FROM table");

Now, wasn’t that easy? In large projects this saves hours and hours of time, because you only have to change a couple of lines to make a change. Using the old-fashioned way, you’d have to change each line that called mysql_query() and find its PDO equivalent.
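The PDOConnection used above is never defined in the post. Here is one way to write it, as an added example that is not the post’s own code: it extends the DatabaseConnection abstract class from above, and its query() method takes an optional array of bound parameters so that callers never splice user input into SQL text. The DSN prefix passed to the constructor and the $params argument are this example’s additions. The demo at the bottom runs against an in-memory SQLite database (prefix 'sqlite:'; the default 'mysql:host=' is what you would use against MySQL) so it needs no database server; the table, rows and hostile value are constructed for the example.

```php
<?php
// Added example: a PDO-backed implementation of the post's DatabaseConnection.
// Not from the original post; the DSN prefix and the optional $params argument
// are this example's own additions.

abstract class DatabaseConnection
{
    abstract public function connect($host, $user, $pass);
    abstract public function disconnect();
    abstract public function query($queryString);
}

class PDOConnection extends DatabaseConnection
{
    /** @var PDO|null */
    private $connection = null;

    /** @var string DSN prefix: 'mysql:host=' for MySQL, 'sqlite:' for SQLite */
    private $dsnPrefix;

    public function __construct($dsnPrefix = 'mysql:host=')
    {
        $this->dsnPrefix = $dsnPrefix;
    }

    public function connect($host, $user, $pass)
    {
        $this->connection = new PDO($this->dsnPrefix . $host, $user, $pass, [
            // Throw on errors instead of silently returning false.
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    }

    public function disconnect()
    {
        // PDO closes the connection when the last reference to it is dropped.
        $this->connection = null;
    }

    // Adding an optional parameter keeps the signature compatible with the
    // abstract method. Values in $params are bound by the driver, never spliced
    // into the SQL text, so user input cannot change the query's structure.
    public function query($queryString, array $params = [])
    {
        $stmt = $this->connection->prepare($queryString);
        $stmt->execute($params);
        if ($stmt->columnCount() === 0) {
            return []; // INSERT, UPDATE and CREATE produce no rows
        }
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Demo: the backend is chosen by the constructor argument and nothing else.
$db = new PDOConnection('sqlite:');
$db->connect(':memory:', null, null);

$db->query("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->query("INSERT INTO users (name) VALUES (?)", ['alice']);

// Constructed hostile input: bound as data, it is compared literally and
// matches no row, instead of rewriting the WHERE clause.
$hostile = "alice' OR '1'='1";
$rows = $db->query("SELECT name FROM users WHERE name = ?", [$hostile]);
echo count($rows), " row(s) matched the hostile input\n";

// A legitimate value still matches.
$rows = $db->query("SELECT name FROM users WHERE name = ?", ['alice']);
echo $rows[0]['name'], "\n";

$db->disconnect();
```

Because every query in the application now passes through one query() method, this is also the one place where you decide how untrusted values reach the database. Against MySQL you would additionally set PDO::ATTR_EMULATE_PREPARES to false so that the server, not the client library, does the parameter binding.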

Try it out. Use an object-based database connection on your next project. Not only will it save you time, it gives you a lot more flexibility in how you connect to your database, and it gives you a single place to enforce how values are escaped or bound before they reach the database.

Introduction to PHP – Revamped

This was originally posted several months ago. I have updated it and brought it back as I still believe that PHP is one of the world’s most used web-based programming languages.

We live in a world dominated by the Internet, which is used by hundreds of millions of people every day, yet most of these people don’t know much about what it runs on. Here I’ll try to explain where exactly PHP steps in and works its magic. Hopefully this gives you a better understanding of what happens behind the scenes.

Introduction

Now, there are many different programming languages you can learn, but I am just going to focus on one of the easiest and most convenient called PHP. PHP is a programming language that runs things like Drupal and WordPress, so it will probably also be the most useful to the average user.

The Internet is a World of Servers.

Before we get into PHP, let’s talk about the Internet. Whenever you want to visit a website, such as http://chacha102.com, your computer connects to a box on the Internet. This box is called a ‘server’, and is located somewhere in the world. It looks very much like your computer, and it’s plugged into the Internet the same way your computer is. Whenever a browser wants a page, it tries to find the server that hosts the website you are looking for and asks for the page you want, which the server then gives back and your browser shows you.

PHP: The Middleman

When your browser connects to the server and asks for a page, PHP steps in. In the old days of servers, files were stored on the server and when you requested a file, the server would just give it to you. On today’s servers, instead of immediately giving you the file you requested, the web server looks through the file for PHP code. If it finds any PHP code, it processes the code and sends the resulting page to the user.

Because of this arrangement, your PHP source code is never exposed to the visitor. The code is processed on the server before the page is ever sent to the browser, so the browser only receives the output, never the code that produced it. Keep in mind that this hides your code; it does not by itself make your application secure, because everything the visitor sends to that server-side code still has to be treated as untrusted. Unlike JavaScript or other client-side programming languages, PHP doesn’t require the person connecting to the website to have PHP installed. Instead, all you need to run a PHP-based website is a server that has PHP on it. This also affects some other parts of the web-development process.

Javascript and PHP

One of the questions most frequently asked is how to make PHP and JavaScript communicate with each other. The problem is that many people don’t know that PHP is server-based (it runs before the page is sent to the browser) and JavaScript is browser-based (it runs once the page has been sent to the browser). This means they cannot call each other directly: by the time your JavaScript runs, the PHP that built the page has already finished. In order to get data from JavaScript to PHP, your script needs to request another page on the server and send the data along with that request (this is called AJAX); the PHP behind that page then handles the data like any other request.

I hope this helps you grasp a better understanding of PHP. As one of the most widely used programming languages out there, it is a good idea to know what it can and can’t do.

Sanitizing User Input: There’s More than You Think

Thousands of websites are constantly under attack by hackers and other malicious users. There are groups on the Internet specifically devoted to causing havoc, and others who simply want to see what they can get away with. One of the first lines of defense you can build into your program to protect against these types of users is to properly sanitize user input. However, before we can talk about how to sanitize user input, we must first find out what it is.

What is User Input?
The definition of user input that we will use is anything that is sent to the server by the client. These values can contain all sorts of things and should be sanitized to make sure that they only contain what you want.

While some user input might be easy to spot, you should be aware of all the different ways users can get data into your system. The first, and most obvious one is through form fields. You are asking a user to type data into your form, and then submitting it. The submitted data should always be checked for bad data, and this bad data should be removed. We’ll talk about removing bad data in a minute.

There are also other types of user input. Cookies, for instance, are user input. While it takes a technically savvy user to change the values, it is entirely possible to change, create and delete cookies on any machine. Another common form of user input is URL parameters. For those who aren’t sure what URL parameters are, they are the key-value pairs found in a URL after the question mark. In the following URL, the key-value pair “key1=value” is user input: “http://example.com/?key1=value”.

Finally, request headers are user input. Headers such as Referer (exposed in PHP as $_SERVER['HTTP_REFERER']), User-Agent and Host are set by the client and can be spoofed freely, which can end up impacting your service if you make decisions based on them. Uploaded files, including their file names and declared content types, are user input too.

So, how do I sanitize it?
So, now that we know what we can’t trust, how do we use it in a way that is reliable? Most of today’s languages come with many ways to sanitize data. However, you should know what each method does, and when to use it.

Escaping
One method of sanitization is called escaping. Escaping takes characters that have a special meaning to whatever will consume the string and marks them so that the consumer treats them as plain data. This is most common when you are entering data into a database, such as MySQL, where a stray quote can end a string literal early. While I won’t go too much into escaping, the part you need to know is that escaping is specific to the consumer: MySQL, HTML, a shell and JSON each escape differently, and data must be escaped with the function that matches where it is going. Data being entered into a database should be escaped with the database driver’s own escaping function, or, better, passed as a bound parameter of a prepared statement so the driver never has to parse it as part of the SQL. Read your database driver’s manual to find the proper mechanism; don’t write your own.

Stripping
Another common form of sanitization is stripping. This is when you remove specific letters or sets of letters completely from the string. Suppose that you wanted a user to enter a username. You might want to strip out all characters that are not either letters or numbers.

A widely used practice for websites is HTML tag stripping. This type of stripping identifies HTML tags inside of a string and removes them. This reduces the chance that the data, when you go to display it, changes the HTML structure of your page, but it is not a complete defense on its own: a value placed inside an attribute, a script block or a URL still needs to be encoded for that context (see converting, below).

Converting
Converting dangerous characters into non-dangerous characters is also very useful. Instead of stripping HTML tags from a string, you can convert the angle brackets, quotes and ampersands into their HTML entities (PHP’s htmlspecialchars() does this) so they display as those characters on the page but aren’t treated as actual HTML. This is usually preferable to stripping, because it preserves what the user typed instead of silently altering it.

Restricting
The final form of sanitization I’ll talk about is restricting the values to a predefined group, often called an allow-list. Let’s say you have a field where your user can enter a 2 letter state abbreviation. To sanitize this, you can define a list of state abbreviations in your code and check whether what the user entered is in that list. If it isn’t, you reject the value and tell your user that this is invalid data. (While this is a method of validation, it can also be considered sanitization.)

Validation and Sanitization are not the same.
Validation and Sanitization are very different. Validation is making sure that the data you have is correct. Sanitization is making sure that the data you have doesn’t contain anything that could cause damage to your program. Knowing how to use each of them is crucial in making a reliable and safe web application.
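The four techniques above, plus a plain validation check, each written as a small PHP function and run over constructed hostile input. This is an added example, not code from the original post; the function names, the four-state list and the sample values are this example’s own assumptions. Escaping is left out here because the earlier post covers its preferred form, bound parameters.

```php
<?php
// Added example (not from the original post): one function per technique the
// post describes. All names and sample values are constructed for the example.

// Stripping: keep only letters, digits and underscores in a username.
// Note that this silently changes the value rather than rejecting it.
function stripUsername($input)
{
    return preg_replace('/[^A-Za-z0-9_]/', '', $input);
}

// Converting: turn HTML metacharacters into entities so the value is shown
// as text instead of being parsed as markup. ENT_QUOTES also encodes single
// quotes, which matters when the value lands inside an attribute.
function toHtmlText($input)
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Restricting: accept only values from a predefined allow-list and reject
// everything else. A real list would hold all states; four suffice here.
const US_STATES = ['CA', 'NY', 'TX', 'WA'];

function restrictState($input)
{
    $state = strtoupper(trim($input));
    return in_array($state, US_STATES, true) ? $state : null;
}

// Validation: decide whether the data is correct without changing it.
function isValidEmail($input)
{
    return filter_var($input, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample input, as a hostile client might send it.
$raw = [
    'username' => 'alice<b>!',
    'comment'  => '<img src=x onerror="alert(1)">',
    'state'    => "tx' OR '1'='1",
    'email'    => 'not an address',
];

$clean = [
    'username' => stripUsername($raw['username']),
    'comment'  => toHtmlText($raw['comment']),
    'state'    => restrictState($raw['state']),   // null means rejected
    'email_ok' => isValidEmail($raw['email']),
];

var_dump($clean);
```

Running it shows the difference in behaviour: the stripped username comes back shorter but is accepted, the comment is returned with its brackets and quotes turned into entities so a browser would display it rather than execute it, the state is rejected outright, and the e-mail check returns false without touching the value. Which behaviour you want depends on the field; for anything that feeds a security decision, rejecting (restricting or validating) is safer than quietly fixing.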

Free doesn’t work.

One of the biggest trends on the Internet today is free. If you look at the list of sites you probably use every day, the majority of them have no charge tied to them. Google, Facebook, Twitter, and loads of other sites are sites that we use every day, and it really doesn’t cost us a dime. Because we’ve used these services for so long, and we love them so much, it seems like if you wanted to start a business it would be obvious that you shouldn’t charge for your service. I mean, everything you use doesn’t charge, and you would want to make a product you would use, right?

The problem that so many people seem to overlook is the fact that in most scenarios, free doesn’t work. Sure, Google, Facebook and Twitter have all had their lucky streak by becoming gigantic websites that everybody uses but no one pays for. But the chance of you getting into the right industry at the right time, making the right connections and building the right service so that you become a billion dollar business without charging a dime is so small that you might want to try a different tactic your first few times around.

37signals once posted this fantastic video that talks about the secret to making money online. They mention that far too many people try to shoot immediately for the big time, instead of working themselves up to it. The chances of you building a billion dollar company are very small. Millions of people start up businesses every year, and frankly we only see a ‘big new thing’ once every year or two. If the chances of building a billion dollar company weren’t very small, everyone would be doing it.

The odds are more in your favor if you try to build a million dollar company rather than a billion dollar company. Granted, building a company, acquiring customers, and serving them is still hard. Getting to be a million dollar company is hard. But relatively speaking, it is far easier than trying to become the next big thing. And in reality, wouldn’t you be happy with a million dollars?

What’s the takeaway?

Stop trying to make businesses that aim to be the next big thing. There are too many of them. The world has room for all sorts of companies that do their job well. The world needs all sorts of companies that do their job well. Make a company that consistently delivers to its customers. Make a company that delivers a quality product. Make a company that earns a reputation for being reliable, innovative, and for delivering beyond the expectations of its clients.

And then, after doing that, maybe take a chance at trying for the next big thing.

Globals: What they are, and why not to use them.

If you’ve programmed for a while, you’ve probably heard of the term ‘global variables’. The idea behind global variables is that they are available anywhere in your code, no matter if you are inside a function, class, or any other scope where you wouldn’t generally have access to variables outside that block.

In PHP, a sample of a global variable would be:

$global_var = "Hello";
function sayHi(){
    global $global_var;  // pull the variable from the global scope into this function
    echo $global_var;
}
sayHi();  // echoes "Hello"

The reason this function works without having to pass in $global_var as an argument is because of the global keyword. The global keyword breaks through the barriers generally given to a function (no variables exist except super-globals and arguments), and allows access to this variable. This technique can come in handy a lot of places. WordPress uses it heavily to make the work template designers have to do with WordPress very minimal. But just because WordPress does it, doesn’t mean that it is a good practice.

What is so evil about globals?

Well, simply put, they make your code very unreliable. When you pass a variable into a function through an argument, the function explicitly requires that you supply that argument. By requiring that an argument be passed in, you are telling whoever is trying to call your function that your function won’t work without that argument present. However, by using globals you aren’t able to state any of this.

When you use a global, it is very hard for other developers to know what you need. For instance, the above function requires that a variable named $global_var is set, and it has some sort of value. If neither of these conditions are met, your function won’t work the way it is intended to. However, because it is never stated in the function parameter list that this function requires information (whatever is held in $global_var), anyone trying to call your function won’t know that they need to set $global_var before calling your function.

On the other hand, if you rewrote your function like this:

function sayHi($text){
    echo $text;
}
$nonglobal_var = "Hello";
sayHi($nonglobal_var);  // echos "Hello"

Now, the only way to call your function is by providing an argument. If someone doesn’t provide an argument, PHP will raise an error (PHP 7.1 and later throw an ArgumentCountError) and they will be forced to correct their code.

But I’m the only person working on my project, and I know what I need!

There are many programmers who write code alone, without anyone else needing to understand the code, who feel that it is unnecessary to state the requirements of a function upfront because they already know everything there is to know about the system. However, this is a very dangerous mentality to be had. Sure you might know what your application does now, and what the requirements are now, but will you still remember all of that in 10 years? 20 years? By writing as explicitly as possible, you make sure that no matter how long ago you wrote a piece of code, you are able to understand it and modify it.

Furthermore, you never really know if you will be the only person to ever work on this code. If the project you are working on turns out to be a gigantic hit, and you have to hire other programmers to add features, optimize, and prepare it for millions of users, you are going to have one hell of a time explaining the entire program to your new employees.

So, what is the take-away?

The takeaway from this is pretty straightforward. By using globals, you reduce the stability of your program because you don’t explicitly state what you need for a certain function to run. If you avoid globals, you will make your code more explicit and reliable, and you’ll be able to read it in 20 years and still know how your system works.
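The reliability problem described above, shown in running code as an added example that is not part of the original post. The same helper is written twice, once reading a global and once taking its dependency as a parameter, and then unrelated code reuses the global’s name, which is exactly the kind of collision a signature would have prevented. The function and variable names are this example’s own.

```php
<?php
// Added example (not from the original post): a global dependency versus an
// explicit parameter. All names here are constructed for the example.

$config = ['greeting' => 'Hello'];

// Global version: nothing in the signature says this function needs $config,
// so the only way to find out is to read the body or to hit the failure.
function greetWithGlobal($name)
{
    global $config;
    if (!is_array($config) || !isset($config['greeting'])) {
        return 'ERROR: $config["greeting"] is not set';
    }
    return $config['greeting'] . ', ' . $name;
}

// Explicit version: the caller must supply the configuration, and PHP refuses
// the call if it is missing. The type hint also rejects a non-array.
function greetExplicit(array $config, $name)
{
    return $config['greeting'] . ', ' . $name;
}

echo greetWithGlobal('Tyler'), "\n";   // works, as long as nobody touches $config

// Some other part of the program (an included template, say) reuses the
// variable name for its own purposes.
$config = ['title' => 'My Site'];

// The global version now silently returns its error string: the dependency
// was broken by code that never called this function at all.
echo greetWithGlobal('Tyler'), "\n";

// The explicit version is unaffected, because it never shared the variable.
echo greetExplicit(['greeting' => 'Hello'], 'Tyler'), "\n";
```

In a web application the included template is a realistic culprit: WordPress themes and plugins share one global namespace, so a plugin that assigns to a popular variable name can break a function it has never heard of. Passing dependencies in makes that impossible and makes the requirement visible in the function signature.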
