Oct 14

I was browsing around the PHP online manual (the single best resource for learning about PHP) and I came up with several things that I didn't know about that were pretty interesting.

  1. Alternate syntax for control structures (if, while, etc)
    <?php $a = "b";
    if($a == "a"): ?>
    a = a
    <?php elseif($a == "b"): ?>
    a = b
    <?php else: ?>
    a = ?
    <?php endif; ?>
  2. Changing modified and accessed time of a file
    touch("fake.txt", time()-1*60*60*24*365, time()-1*60*60*24*365);
  3. Highlighting a file for PHP syntax with one line
    highlight_file('file.php');

Actually, I already knew about all of these, I just wanted to share :P
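
For item 2, an added example (not from the original post) showing why a backdated file is still detectable: touch() can set the modified and accessed times to anything, but the kernel stamps the inode change time (ctime) with the moment the change was made. It assumes a Unix-like filesystem; the function name `findBackdated`, the one-hour slack, and the scratch files are constructed for the illustration.

```php
<?php
// Added example, not from the original post. Assumes a Unix-like filesystem,
// where filectime()/getCTime() is the inode change time; on Windows it is the
// file creation time and this comparison does not apply.

/**
 * Return files in $dir whose mtime is more than $slack seconds older than
 * their ctime, largest gap first. touch() rewrites mtime/atime, but ctime
 * records when that rewrite happened, so the gap survives the backdating.
 */
function findBackdated(string $dir, int $slack = 3600): array
{
    $hits = [];
    foreach (new DirectoryIterator($dir) as $f) {
        if (!$f->isFile()) {
            continue; // skip ".", ".." and subdirectories
        }
        $gap = $f->getCTime() - $f->getMTime();
        if ($gap > $slack) {
            $hits[$f->getFilename()] = $gap;
        }
    }
    arsort($hits);
    return $hits;
}

// Constructed sample: two files in a scratch directory, one backdated a year
// with the same touch() call shown in the list above.
$dir = sys_get_temp_dir() . '/ts_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/normal.txt", "sample\n");
file_put_contents("$dir/fake.txt", "sample\n");
$yearAgo = time() - 60 * 60 * 24 * 365;
touch("$dir/fake.txt", $yearAgo, $yearAgo);
clearstatcache(); // drop PHP's cached stat() results before re-reading times

foreach (findBackdated($dir) as $name => $gap) {
    printf("%s: mtime is %d days older than ctime\n", $name, intdiv($gap, 86400));
}

// Clean up the scratch directory.
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

A gap between ctime and mtime also appears after chmod, rename, or extracting an archive that preserves timestamps, so treat a hit as something to look into rather than proof of tampering.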

Sep 29

There's something I have recently noticed among PHP "security experts" (people who have had their software criticized at some point or other for poor security, and Googled "php security"). For some reason, some PHP developers have this idea that mysql_escape_string or mysql_real_escape_string is the answer to all of their problems. Wrong, wrong, wrong, wrong, wrong, wrong, WRONG.

Sep 28

Ronald over at 0x000000.com recently posted something on his blog that made me stop and think for a minute. He says that many PHP programmers are nothing more than data entry monkeys who clack away at their keyboards without any sort of technical understanding of what it is they're doing. I can't say I completely disagree - for instance, a critical vulnerability I published almost a year ago still has not been patched by the software vendor. You know how long the fix is? It's one line. But you know what? Their solution is easier - just delete the offending file. I won't name any names, but if you do a little bit of digging you should be able to figure out who I'm talking about. I do think there are people who know what they are doing and try to improve themselves when they write code, but I also think Ronald has a very valid point - most people couldn't give a damn about security or efficiency; they just want to write their scripts and forget about them.

Aug 15

PHP Version:

function toascii($s){
	$tmp = "";
	for($i=0;$i<strlen($s);$i++){
		$tmp .= "&#" .hexdec(bin2hex($s[$i])) . ";";
	}
	return htmlentities($tmp);
}

Python Version:

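import urllib.parse

def encodeDork(s):
	# Encode every byte as a decimal HTML entity (same as the PHP version),
	# then URL-encode the result so it can be dropped into a query string.
	tmp = ""
	for b in s.encode("utf-8"):
		tmp += "&#" + str(b) + ";"
	return urllib.parse.quote(tmp)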

Something quick I did.. Very useful for blocked Google queries ;)

Aug 15

For whatever reason, the ternary operator is not used very often in PHP. Hell, I didn't even know what it was until several months ago. However, it is a very useful tool. Basically, it's a short way of condensing an if/else whose only job is to pick one of two values. Example:

if($_GET['variable'] == "yes"){
	$flag = true;
}
else{
	$flag = false;
}

That's 6 lines of code for something that is VERY simple. Let's look at the ternary operator version:

$flag = $_GET['variable'] == "yes" ? true : false;

One line! Much better. Let me explain how this works. When using the ternary operator, you have 3 statements (strictly speaking, expressions), arranged like so:

[statement 1] ? [statement 2] : [statement 3]

They evaluate like this: if [statement 1] evaluates to true, the result is [statement 2]; otherwise it is [statement 3]. So, in our example, if $_GET['variable'] is "yes", $flag is set to true; otherwise it is set to false. However, you're not limited to a single condition, because ternaries can be nested. For example:

$flag = $_GET['variable'] == "yes" ? ($_GET['variable2'] != "no" ? true : false) : false;

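If $_GET['variable'] is "yes", and $_GET['variable2'] isn't "no", then $flag is true; otherwise it is false. That would've taken a lot more code without the ternary operator, wouldn't it? Yet we managed to do it in a single line. Keep the parentheses around the inner ternary: PHP's ternary operator is left-associative, and PHP 8 rejects nested ternaries that are written without them.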
