03-30-2008, 06:31 AM | #1
The Frequenter | Join Date: Dec 2007 | Location: In my basement | Posts: 386 | Thanks: 47
Achieve Scalability and Security?
I think I've gotten fairly good with PHP and MySQL now, so I need a little help on a few other big issues.
Scalability
What document hierarchy is the most scalable? Have a new folder with an index.php such as below:
<public_html>
<index.php />
<about>
<index.php />
</about>
<articles>
<index.php />
<articleOne />
<articleTwo />
<articleThree />
</articles>
</public_html>
Also, if I use this, how would I do a CMS-type program? I can't use GET variables, because that ruins crawlability. Also, if this were mostly automated, how would I link to includes?
I develop on my local machine mostly, so I cannot use absolute URLs for everything. How can I link to all the external scripts with documents all over the place?
Smarty... Heard about it, but isn't it nothing more than simplified
PHP Code:
<?php echo $title?>
?
I'm sure there are plenty of scalability problems I missed, but I will have to get to those later. The main thing I want is to be able to support and update an entire site (a large one) quickly and easily. Not to mention add onto it. Like, having a gallery, and then in the gallery adding on member pages and member galleries that are deviantart-ish (hypothetical).
Security
Big companies like Microsoft and Adobe can't keep their applications away from warez, but cPanel and WHMCS can? What are they doing to stop their programs from being cracked? I know you can actively send out notices to people's hosts like vBulletin, but everything else is pretty much reversible, right?
OOP?
Everyone is so happy about OOP, but does it really help at all?
PHP Code:
$box = new box();
$box->color = "red";
echo $box->color; #not sure if this is right.
Seems the same as a boring old function to me.
I'll come back to this tomorrow if I remember anything... Feel free to offer up information.
__________________
Signatures are nothing but incriminating.
03-30-2008, 01:50 PM | #2
The Addict | Join Date: Nov 2007 | Posts: 264 | Thanks: 2
Actually you can use get just look up mod_rewrite.
__________________
"What everyone seems to forget is that while knowledge certainly is something - it's the implementation of knowledge that brings power" - Andres Galindo.
03-30-2008, 02:15 PM | #3
Wizard | Join Date: Sep 2007 | Posts: 1,299 | Thanks: 17
Smarty is a code style separation program. Instead of having your code and style together, you have all your code then you display the template. It makes the code easier to read and the style easier to update.
OOP is only useful for things you use over and over again. I keep my user system in a class. Instead of
PHP Code:
//init the user
$id   = sql_clean($_COOKIE["id"]);
$pass = sql_clean($_COOKIE["password"]);

if (auth($id, $pass) == true) {
    mysql_query("pull up the user");   // placeholder for the real SELECT
    //assign the user vars
    $user_name = mysql_result();       // placeholder; real call takes ($result, $row, $field)
    // .....
}
echo "Welcome $user_name";
That would be fine and dandy for one single page, but what if you have 20 pages to do this on? That would get cumbersome, especially if you had to change one little thing. The best way is to put it in an object (I also keep my data in one).
PHP Code:
<?php
include("../head.php");

//class instances
$data = new input;
$user = new user($data->cookie("id"), $data->cookie("pass"));

//auth
$flags = "";
if ($user->auth() == false) {
    $flags .= "Please login";
}

if ($flags != "") {
    echo $flags;
} else {
    echo "Welcome $user->username";
}
When used in many files, that is easier to read and easier to manage. Instead of creating all your variables again, you are working with an object.
Here are the classes used above, I use these in most everything I do
PHP Code:
class user {
    public $id;
    public $username;
    public $password;
    public $rank;

    function __construct($id, $pass) {
        $this->id = $id;
        $this->password = $pass;
    }

    // Returns true if it verifies the user and false if it does not.
    // $id and $password are expected to have gone through input::sql_safe
    // already: they are interpolated straight into the query string here.
    function auth() {
        $login_query = mysql_query("SELECT * FROM `users` WHERE `id` = '$this->id' AND `pass` = '$this->password'");
        if (mysql_num_rows($login_query) < 1) {
            $this->rank = 0;
            return false;
        }
        // If it is authenticated, set the other variables.
        $this->username = mysql_result($login_query, 0, "username");
        $this->rank     = mysql_result($login_query, 0, "rank");
        return true;
    }

    // This must be run after auth(); if it is not, two things will happen:
    // 1. The data could be forged; this function does not authenticate the data.
    // 2. rank will return 0 because it is not set.
    function admin_auth() {
        if ($this->rank != 3) {
            return false;
        }
        return true;
    }

    function premium_auth() {
        if ($this->rank > 1) {
            return true;
        }
        return false;
    }
}

class input {
    // Escapes a value for interpolation into a MySQL query string.
    // mysql_real_escape_string() needs an open mysql_connect() connection,
    // since it uses the connection's character set. (Both the mysql_*
    // extension and get_magic_quotes_gpc() were removed in PHP 7/8.)
    private function sql_safe($value) {
        // Undo magic quotes, if enabled, so the value is not escaped twice.
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Escape if not an integer (or if it has a leading zero).
        if (!is_numeric($value) || $value[0] == '0') {
            $value = mysql_real_escape_string($value);
        }
        return $value;
    }

    function get($var) {
        $var = isset($_GET[$var]) ? $_GET[$var] : '';
        return $this->sql_safe($var);
    }

    function post($var) {
        $var = isset($_POST[$var]) ? $_POST[$var] : '';
        return $this->sql_safe($var);
    }

    function cookie($var) {
        $var = isset($_COOKIE[$var]) ? $_COOKIE[$var] : '';
        return $this->sql_safe($var);
    }
}
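As an added example that is not part of the post above, here is the same user/auth idea rebuilt the way a security reviewer would ask for it today: prepared statements instead of escape-then-interpolate, a salted password hash instead of a plaintext password in a cookie, and the logged-in state kept in the server-side session rather than in client-supplied id/password cookies. It assumes PHP 7.4 or later with the PDO SQLite driver; the in-memory database, the `users` table layout and the user `alice` are constructed for the example and are not from the thread.

```php
<?php
// Added example, not code from the thread. The user class above, rewritten
// with prepared statements and password hashing; the session, not a cookie,
// carries the authenticated state. Assumptions: PHP 7.4+, the PDO SQLite
// driver, and the constructed in-memory `users` table built in buildDb().
declare(strict_types=1);

class User
{
    public int $id = 0;
    public string $username = '';
    public int $rank = 0;
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // Verify a submitted username/password against the stored hash.
    // Fills id/username/rank and returns true on success, false otherwise.
    public function login(string $username, string $password): bool
    {
        // Bound parameter: the value travels separately from the SQL text,
        // so there is no quoting to get wrong and nothing to inject into.
        $stmt = $this->db->prepare(
            'SELECT id, username, pass_hash, rank FROM users WHERE username = :u'
        );
        $stmt->execute([':u' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // password_verify() reads the algorithm and salt out of the stored
        // hash and compares in constant time.
        if ($row === false || !password_verify($password, $row['pass_hash'])) {
            $this->rank = 0;
            return false;
        }
        $this->id       = (int) $row['id'];
        $this->username = $row['username'];
        $this->rank     = (int) $row['rank'];
        return true;
    }

    // Restore a user already authenticated earlier in this session. Only the
    // session id ever reaches the browser; rank is re-read from the database
    // so a demotion takes effect on the next request.
    public function fromSession(array $session): bool
    {
        if (!isset($session['user_id'])) {
            return false;
        }
        $stmt = $this->db->prepare('SELECT id, username, rank FROM users WHERE id = :id');
        $stmt->execute([':id' => (int) $session['user_id']]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return false;
        }
        $this->id       = (int) $row['id'];
        $this->username = $row['username'];
        $this->rank     = (int) $row['rank'];
        return true;
    }

    public function isAdmin(): bool   { return $this->rank === 3; }
    public function isPremium(): bool { return $this->rank > 1; }
}

// Constructed fixture so the file runs without a MySQL server.
function buildDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
               pass_hash TEXT NOT NULL, rank INTEGER NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, pass_hash, rank) VALUES (:u, :h, :r)');
    // Hash at registration time; the plaintext is never stored.
    $ins->execute([':u' => 'alice', ':h' => password_hash('correct horse battery', PASSWORD_DEFAULT), ':r' => 3]);
    return $db;
}

$db      = buildDb();
$user    = new User($db);
$session = [];   // stands in for $_SESSION after session_start()

echo 'wrong password:    ', $user->login('alice', 'wrong') ? 'ok' : 'denied', PHP_EOL;
echo 'right password:    ', $user->login('alice', 'correct horse battery') ? 'ok' : 'denied', PHP_EOL;
if ($user->id !== 0) {
    $session['user_id'] = $user->id;   // the only thing the server has to remember
}
$next = new User($db);                  // a later request, new object, same session
echo 'admin next request: ', ($next->fromSession($session) && $next->isAdmin()) ? 'yes' : 'no', PHP_EOL;
// The textbook injection against the interpolated query in the class above
// is just an odd username here: bound as a value, it matches no row.
echo 'injection attempt:  ', $user->login("' OR '1'='1", 'anything') ? 'ok' : 'denied', PHP_EOL;
```

Run it with `php` from the command line; swapping the DSN for a MySQL one changes nothing else, because the placeholders and `password_verify()` do the work regardless of driver.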
03-30-2008, 04:41 PM | #4
The Frequenter | Join Date: Dec 2007 | Location: In my basement | Posts: 386 | Thanks: 47
What about security and being able to add side-programs?
03-30-2008, 08:36 PM | #5
Wizard | Join Date: Sep 2007 | Posts: 1,299 | Thanks: 17
I'll address those when I have time (tomorrow most likely)
04-02-2008, 01:00 AM | #6
The Frequenter | Join Date: Dec 2007 | Location: In my basement | Posts: 386 | Thanks: 47
What tools do you, as developers, find really helpful? Like, what couldn't you live without? What is the secret to your application? Do you think using smarty would be a good choice for me?
04-02-2008, 02:58 AM | #7
Wizard | Join Date: Sep 2007 | Posts: 1,299 | Thanks: 17
Quote:
Originally Posted by Aaron
What about security and being able to add side-programs?
Security could have books written about it, and all of them would not scratch the surface. There is no such thing as a 100% secure program; there is no foolproof method. Some day some genius will come along and find a mistake in the backend and exploit it. Even if it's not your work, it could be the people who make the programming-level functions.
Without knowing specifically what you need to know about security, the best I can tell you is don't just know what a function does, know how it does it. When you know how a function works, you are more likely to be able to spot security risks. Also, use Google and find articles on security for what you are doing. If you have any specific questions about security, the others here and I will be glad to assist you.
Scalability is like coding styles. There is no "right" way to do it, but there are wrong ways. It's a skill that comes with time. The best way to form your style is through trial and error. What would you find easiest to add things on to?
Quote:
Originally Posted by Aaron
What tools do you, as developers, find really helpful? Like, what couldn't you live without? What is the secret to your application? Do you think using smarty would be a good choice for me?
There really isn't a program that I can't do my work without. An IDE would increase productivity tenfold over, say, Notepad, but it isn't required. I use Notepad++ and FileZilla. I have used others in the past and would work fine if I had to change. I'm a very hands-on type of programmer; I don't like letting the machine do much when I can do it.
Secret to my applications? I'm not sure what you mean.
Smarty is an application, its usefulness is dependent on the task.
04-02-2008, 03:22 AM | #8
The Frequenter | Join Date: Dec 2007 | Location: In my basement | Posts: 386 | Thanks: 47
Specifically, I don't want my program being hacked. CPanel and WHMCS are two programs that haven't been hacked yet for some reason. I wanna do what they're doing :P
04-02-2008, 03:26 AM | #9
Wizard | Join Date: Sep 2007 | Posts: 1,299 | Thanks: 17
How do you know that no security exploit has been found in them? They aren't doing anything to guarantee a hacker will never get into it. If they have indeed stayed secure for all this time, it is luck or suppression of stories. They almost certainly have people as skilled as the hackers out there to test it; they probably also test very extensively before putting it out.
04-02-2008, 03:39 AM | #10
The Addict | Join Date: Nov 2007 | Posts: 264 | Thanks: 2
If we're gonna talk about programming tools and such things - jQuery, and my own DB wrapper. My IDE just saves loads of time by auto-debugging all my stuff.
cPanel and WHM have been hacked, it's quite a fun hobby to do so on the underground circuit.
04-02-2008, 08:38 PM | #11
The Frequenter | Join Date: Dec 2007 | Location: In my basement | Posts: 386 | Thanks: 47
I will check out JQuery, thanks.
Where's the underground circuit? :P
How do they stop the Warezbb and projectw warez groups from hacking their programs? They do something that stops the average cracker.
04-02-2008, 09:06 PM | #12
The Addict | Join Date: Nov 2007 | Posts: 264 | Thanks: 2
The average cracker is just meticulous and not necessarily full of know-how (the average one; PDX know what they're doing) - and I'm not talking about warez groups, I speak of groups like BHU and people like VV1R3D and Munga Bunga, though I haven't spoken to the latter in quite a while.
04-02-2008, 10:19 PM | #13
The Frequenter | Join Date: Dec 2007 | Location: In my basement | Posts: 386 | Thanks: 47
Heheh, you seem to have all the contacts. Would they leave an application alone if you asked them to? :P
04-03-2008, 02:05 AM | #14
The Addict | Join Date: Nov 2007 | Posts: 264 | Thanks: 2
Probably not but back on topic
If you really want to secure your source, use ioncube; that just adds an extra layer so hackers don't have an understanding of the mechanics of the application. Use mysql_real_escape_string to filter... everything, turn off error display and instead have it logged, and use complex passwords. But as Village_Idiot says, there will one day come a genius hacker who will by some miracle find an exploit.
By "add-ons" do you mean something along the lines of navigating to index.php?mod=statistics and getting a stats page?
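As an added example that is not code from this thread, the following front controller shows the `index.php?mod=statistics` add-on idea from the post above together with the mod_rewrite approach mentioned in post #2 and the "log errors, don't display them" advice. The piece a reviewer would insist on is the module allowlist: the `mod` parameter selects a file name from a fixed table, so it can never become a path. Apache with mod_rewrite, the `modules/` directory beside `index.php`, the `logs/` directory one level above the document root and the module names in the table are all assumptions made for the example.

```php
<?php
// Added example, not code from this thread. A front controller for the
// "index.php?mod=statistics" add-on idea, with clean URLs via mod_rewrite
// and errors logged instead of displayed. Assumed for the example: Apache
// with mod_rewrite, a modules/ directory beside this file, a logs/ directory
// one level above the document root, and the module names in MODULES.
//
// Constructed .htaccess for the same directory, so /articles/hello-world
// (crawlable) becomes index.php?mod=articles&slug=hello-world internally:
//
//   RewriteEngine On
//   RewriteCond %{REQUEST_FILENAME} !-f
//   RewriteCond %{REQUEST_FILENAME} !-d
//   RewriteRule ^([a-z]+)(?:/([a-z0-9-]+))?/?$ index.php?mod=$1&slug=$2 [L,QSA]
declare(strict_types=1);

// Visitors get a generic message; detail goes to a log they cannot fetch
// (kept outside public_html so the web server never serves it).
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', dirname(__DIR__) . '/logs/php-error.log');
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s: %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'Something went wrong.';
});

// The allowlist is the control: a request selects a module by name from this
// table, never by path. "../../etc/passwd", a remote URL or ?mod[]=x are not
// keys here, so they never reach require.
const MODULES = [
    'home'       => 'home.php',
    'about'      => 'about.php',
    'articles'   => 'articles.php',
    'statistics' => 'statistics.php',
];

function resolveModule($mod): string
{
    if ($mod === null || $mod === '') {
        return 'home';
    }
    if (!is_string($mod) || !array_key_exists($mod, MODULES)) {
        throw new InvalidArgumentException('unknown module');
    }
    return $mod;
}

function resolveSlug($slug): ?string
{
    if ($slug === null || $slug === '') {
        return null;
    }
    // Slugs end up in file names and lookups; allow only [a-z0-9-].
    if (!is_string($slug) || !preg_match('/^[a-z0-9-]{1,64}$/', $slug)) {
        throw new InvalidArgumentException('bad slug');
    }
    return $slug;
}

function dispatch(array $get): void
{
    try {
        $mod  = resolveModule($get['mod'] ?? null);
        $slug = resolveSlug($get['slug'] ?? null);
    } catch (InvalidArgumentException $e) {
        error_log('rejected request: ' . $e->getMessage());
        http_response_code(404);
        echo 'Not found';
        return;
    }
    // Fixed base path plus an allowlisted file name; no user input in the path.
    $file = __DIR__ . '/modules/' . MODULES[$mod];
    if (!is_file($file)) {
        error_log('module file missing: ' . MODULES[$mod]);
        http_response_code(500);
        echo 'Something went wrong.';
        return;
    }
    require $file;   // the module sees $mod and $slug
}

dispatch($_GET);
```

Under Apache a request for `/statistics` is rewritten to `index.php?mod=statistics` and dispatched to `modules/statistics.php`; a request carrying `?mod=../../etc/passwd`, a remote URL, or `?mod[]=x` is answered with 404 and a log line, because none of those is a key in `MODULES`. Adding a side-program means dropping a file in `modules/` and adding one table entry, which is the whole "add-on" mechanism.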