Uploaded byarchwisp
PPTX, PDF2,270 views

Creating "Secure" PHP Applications, Part 1, Explicit Code & QA

The document provides tips for writing more secure PHP code such as using typing assertions and avoiding global variables, recommends using tools like PHPMD and PHPCS to analyze code quality and identify issues, and emphasizes the importance of unit testing, continuous integration, and secure deployment practices.

Downloaded 11 times
Explicit Code & QA
So, who are you, anyway? Bryan C. Geraghty Security Consultant at Security PS @archwisp I’m a Sr. PHP developer with a systems and security engineering background - turned application security consultant
Remember, layers Simpler is easier to test Don’t make assumptions Compromised browser = game over
These are not specifically security activities but they produce more stable code
Don’t rely on the server’s configuration Your bootstrap should Absolute Minimum set the defaults for any  Include paths PHP core functionality  Error reporting that your application is  Time zones using. These must be customizable for every environment e.g. (dev, staging, live)
Example Bootstrap <?php // All environment configuration for this application is done from this file ini_set('display_errors', 0); ini_set('error_reporting', -1); date_default_timezone_set('UTC'); $rootPath = dirname(__FILE__); set_include_path(sprintf( '%s%s%s%s', $rootPath, PATH_SEPARATOR, $rootPath, '/third-party' )); require_once('MindFrame2/AutoLoad.php'); MindFrame2_AutoLoad::install();
Don’t use global constants, variables, or registries  You can’t be certain that nobody else will ever use the same global constant name  Tracking down where a value is assigned to a global variable is usually very difficult  Global variables remove control of that variable from the current scope  Global registries are really just fancy global variables and the same problems apply
Value Reference Rules  Values should only be referenced in one of the following ways:  A direct reference in the current scope: $limit = $this->_objectPool->getConfig()- >getDefaultLimit();  A parameter: public function getUsers($limit) { return $this->_objectPool- >getMapper(‘User’)->fetchAll($limit); }
Don’t use function parameter defaults "There should be one-- and preferably only one -- obvious way to do it." - Tim Peters  Reduces understanding from the caller perspective  Often add unnecessary complexity  Represents the most common use-case  Other use-cases are often ignored entirely  Changing the default breaks all implementations  Adding parameters breaks default implementations
Default parameter example class User { public function __construct($name, $email, $status = self::STATUS_ACTIVE) { $this->_name = $name; $this->_email = $email; $this->_status = $status; } } function createUser($name, $email, $status) { $user = new User($name, email); return $this->_objectPoool->getMapper(‘User’)->create($user); }
Use explicit operators whenever possible This was actual production code. if ($sincedate && (int)$sincedate) { $param["UpdatedSinceDate"] = date("Y-m-d H:i:s", strtotime(time() - ((int)$sincedate)*60*60); } elseif ($sincedate && strtotime($sincedate)) { $param["UpdatedSinceDate"] = date("Y-m-d H:i:s", strtotime($sincedate)); } elseif(!isset($param["UpdatedSinceDate"])) { exit ("Invalid param UpdatedSinceDate"); } Do you think this code worked as the author intended when $sincedate was set to '2011-05-31'?
Use constants for possible values Constants cannot be re-defined, so using a constant for configuration limits your code to only ever be able to run in one configuration in a given stack. // Bad: This code cannot execute differently in the same stack define(‘PDO_FETCH_MODE’, 2); $dbi->fetchAll(PDO_FETCH_MODE); // Better: The value can change but this literal value means nothing without // referencing the documentation $dbi->fetchAll(2); // Best: Implemented using a meaningful constant which represents a *possible* value $dbi->fetchAll(PDO::FETCH_ASSOC);
Use wrappers for super-globals  $_REQUEST, $_GET, $_SESSION, and $_FILES are the most commonly used PHP super-globals but there are others  It’s easy to create some serious security problems  It’s best to use a wrapper for interacting with these variables
Simulate strong/static types PHP is dynamically typed, so we cannot do true strong or static typing but we can put controls in place which provide the same protection. private function _buildSelectDatabaseTableSql($database_name, $table_name, array $select_data, array $order_by_columns, $offset, $limit) { MindFrame2_Core::assertArgumentIsNotBlank($database_name, 1, 'database_name'); MindFrame2_Core::assertArgumentIsNotBlank($table_name, 2, 'table_name'); MindFrame2_Core::assertArgumentIsInt($offset, 5, 'offset'); MindFrame2_Core::assertArgumentIsInt($limit, 6, 'limit'); $skel = "SELECTn %snFROMn %s.%sn%s%s%s%s;"; $sql = sprintf($skel, $this->_buildSelectTableSqlFieldClause($table_name), $this->getSharedModule()->escapeDbElementName($database_name), $this->getSharedModule()->escapeDbElementName($table_name), $this->_buildSelectTableSqlJoinClause( $this->getSharedModule()->getDatabase()->getName(), $table_name), $this->_buildSelectTableSqlWhereClause($table_name, $select_data), $this->_buildSelectTableSqlOrderByClause( $table_name, $order_by_columns), $this->_buildSelectTableSqlLimitClause($offset, $limit)); return $sql; }
Example Typing Assertions public static function assertArgumentIsInt($value, $position, $name) { if (!is_int($value)) { $skel = 'Expected integer value for argument #%d (%s), %s given'; $message = sprintf($skel, $position, $name, gettype($value)); throw new InvalidArgumentException($message); } } public static function assertArgumentIsNotBlank($value, $position, $name) { if (trim($value) === '') { $skel = 'Argument #%d (%s) cannot be blank'; $message = sprintf($skel, $position, $name); throw new InvalidArgumentException($message); } }
Use PHPMD & CodeSniffer This is the ./bin/codecheck script in MindFrame2 #!/bin/bash WD="`/usr/bin/dirname $0`/../"; echo Changing to working directory: $WD; cd $WD; if [ -z $1 ]; then DIR='.'; else DIR=$1; fi phpmd --exclude coverage $DIR text codesize,unusedcode,naming,design phpcs --ignore=coverage --standard=`pwd`/Standards/MindFrame2 $DIR phpcs --ignore=coverage --report=source --standard=`pwd`/Standards/MindFrame2 $DIR
Example PHPMD Output bryan@ubuntu-virtual ~/Code/MindFrame2 [130] $ ./bin/codecheck Dbms/Dbi Changing to working directory: ./bin/../ /home/bryan/Code/MindFrame2/Dbms/Dbi/Distributed.php:128 Avoid unused local variables such as '$partner'. /home/bryan/Code/MindFrame2/Dbms/Dbi/Distributed.php:185 Avoid unused local variables such as '$data'. /home/bryan/Code/MindFrame2/Dbms/Dbi/Distributed.php:199 Avoid unused local variables such as '$index'. /home/bryan/Code/MindFrame2/Dbms/Dbi/Distributed.php:240 Avoid unused private methods such as '_buildReplicaDatabaseSuffix'. /home/bryan/Code/MindFrame2/Dbms/Dbi/Single.php:25 This class has too many methods, consider refactoring it. /home/bryan/Code/MindFrame2/Dbms/Dbi/Single.php:150 Avoid unused parameters such as '$options'.
Example PHPCS Output FILE: /home/bryan/Code/MindFrame2/Dbms/Dbi/Single.php -------------------------------------------------------------------------------- FOUND 6 ERROR(S) AFFECTING 6 LINE(S) -------------------------------------------------------------------------------- 39 | ERROR | Public member variables ("_connection") are forbidden 62 | ERROR | Whitespace found at end of line 144 | ERROR | Whitespace found at end of line 160 | ERROR | Line exceeds maximum limit of 80 characters; contains 97 | | characters 195 | ERROR | Whitespace found at end of line 298 | ERROR | Line exceeds maximum limit of 80 characters; contains 81 | | characters --------------------------------------------------------------------------------
Unit testing / TDD  Test critical functionality at a minimum  Add edge cases to regression tests as they are discovered  Test-driven development only works if the entire team is dedicated to it  I personally don’t trust code that isn’t regression-tested; even if it was written by me
Continuous Integration  Automated system for code analysis and regression testing  There are a lot of continuous integration systems for PHP  If your tests aren’t automated, very few people will know or care when they break
Deployment  Manually copying files is riddled with problems  Tagging releases and re-deploying is a complicated and time-consuming process  Deployment systems automate the build and deployment process
ACLs MAC Thread limits Unwanted services
If you’re interested in an application security career, come talk with me.

More Related Content

PDF
Benchmarking Perl (Chicago UniForum 2006)
bybrian d foy
 
PPTX
PHP Traits
bymattbuzz
 
PDF
Business Rules with Brick
bybrian d foy
 
PDF
Learning Perl 6 (NPW 2007)
bybrian d foy
 
ODP
Modernising Legacy Code
bySamThePHPDev
 
PDF
Benchmarking Perl Lightning Talk (NPW 2007)
bybrian d foy
 
PDF
Learning Perl 6
bybrian d foy
 
PDF
Php tips-and-tricks4128
byPrinceGuru MS
 
Benchmarking Perl (Chicago UniForum 2006)
bybrian d foy
 
PHP Traits
bymattbuzz
 
Business Rules with Brick
bybrian d foy
 
Learning Perl 6 (NPW 2007)
bybrian d foy
 
Modernising Legacy Code
bySamThePHPDev
 
Benchmarking Perl Lightning Talk (NPW 2007)
bybrian d foy
 
Learning Perl 6
bybrian d foy
 
Php tips-and-tricks4128
byPrinceGuru MS
 

What's hot

PDF
Beginning PHPUnit
byJace Ju
 
PPS
Php security3895
byPrinceGuru MS
 
PDF
Functional Structures in PHP
byMarcello Duarte
 
KEY
Dsl
byphoet
 
KEY
Can't Miss Features of PHP 5.3 and 5.4
byJeff Carouth
 
PDF
Perl6 in-production
byAndrew Shitov
 
PPT
Corephpcomponentpresentation 1211425966721657-8
byPrinceGuru MS
 
PDF
The Joy of Smartmatch
byAndrew Shitov
 
PDF
The Art Of Readable Code
byBaidu, Inc.
 
PDF
Text in search queries with examples in Perl 6
byAndrew Shitov
 
PDF
Introduction to Twig
bymarkstory
 
PDF
Improving Dev Assistant
byDave Cross
 
KEY
(Parameterized) Roles
bysartak
 
PDF
Zend Certification Preparation Tutorial
byLorna Mitchell
 
PDF
Symfony2 and Doctrine2 Integration
byJonathan Wage
 
PDF
Smarty
byMohammad Bagher Adib Behrooz
 
KEY
Good Evils In Perl (Yapc Asia)
byKang-min Liu
 
PDF
The art of readable code (ch1~ch4)
byKi Sung Bae
 
PDF
Perl6 grammars
byAndrew Shitov
 
PDF
Making the most of 2.2
bymarkstory
 
Beginning PHPUnit
byJace Ju
 
Php security3895
byPrinceGuru MS
 
Functional Structures in PHP
byMarcello Duarte
 
Dsl
byphoet
 
Can't Miss Features of PHP 5.3 and 5.4
byJeff Carouth
 
Perl6 in-production
byAndrew Shitov
 
Corephpcomponentpresentation 1211425966721657-8
byPrinceGuru MS
 
The Joy of Smartmatch
byAndrew Shitov
 
The Art Of Readable Code
byBaidu, Inc.
 
Text in search queries with examples in Perl 6
byAndrew Shitov
 
Introduction to Twig
bymarkstory
 
Improving Dev Assistant
byDave Cross
 
(Parameterized) Roles
bysartak
 
Zend Certification Preparation Tutorial
byLorna Mitchell
 
Symfony2 and Doctrine2 Integration
byJonathan Wage
 
Smarty
byMohammad Bagher Adib Behrooz
 
Good Evils In Perl (Yapc Asia)
byKang-min Liu
 
The art of readable code (ch1~ch4)
byKi Sung Bae
 
Perl6 grammars
byAndrew Shitov
 
Making the most of 2.2
bymarkstory
 

Similar to Creating "Secure" PHP Applications, Part 1, Explicit Code & QA

KEY
Workshop quality assurance for php projects tek12
byMichelangelo van Dam
 
PDF
Advanced Php - Macq Electronique 2010
byMichelangelo van Dam
 
PDF
Preparing for the next PHP version (5.6)
byDamien Seguy
 
PDF
Quality Assurance for PHP projects - ZendCon 2012
byMichelangelo van Dam
 
PDF
Building Testable PHP Applications
bychartjes
 
PPTX
php programming.pptx
byrani marri
 
PDF
Static analysis saved my code tonight
byDamien Seguy
 
PDF
08 Advanced PHP #burningkeyboards
byDenis Ristic
 
PPT
Php Best Practices
byAnsar Ahmed
 
PPT
Php Best Practices
byAnsar Ahmed
 
DOCX
Php5 certification mock exams
byecho liu
 
PDF
Living With Legacy Code
byRowan Merewood
 
PDF
Workshop quality assurance for php projects - phpdublin
byMichelangelo van Dam
 
PDF
Php Crash Course - Macq Electronique 2010
byMichelangelo van Dam
 
PDF
Tool Up Your LAMP Stack
byLorna Mitchell
 
PDF
Tool up your lamp stack
byAgileOnTheBeach
 
PPTX
Secure programming with php
byMohmad Feroz
 
PPTX
Continuous feature-development
bynhm taveer hossain khan
 
PPTX
Introduction in php part 2
byBozhidar Boshnakov
 
PDF
Dutch PHP Conference 2013: Distilled
byZumba Fitness - Technology Team
 
Workshop quality assurance for php projects tek12
byMichelangelo van Dam
 
Advanced Php - Macq Electronique 2010
byMichelangelo van Dam
 
Preparing for the next PHP version (5.6)
byDamien Seguy
 
Quality Assurance for PHP projects - ZendCon 2012
byMichelangelo van Dam
 
Building Testable PHP Applications
bychartjes
 
php programming.pptx
byrani marri
 
Static analysis saved my code tonight
byDamien Seguy
 
08 Advanced PHP #burningkeyboards
byDenis Ristic
 
Php Best Practices
byAnsar Ahmed
 
Php Best Practices
byAnsar Ahmed
 
Php5 certification mock exams
byecho liu
 
Living With Legacy Code
byRowan Merewood
 
Workshop quality assurance for php projects - phpdublin
byMichelangelo van Dam
 
Php Crash Course - Macq Electronique 2010
byMichelangelo van Dam
 
Tool Up Your LAMP Stack
byLorna Mitchell
 
Tool up your lamp stack
byAgileOnTheBeach
 
Secure programming with php
byMohmad Feroz
 
Continuous feature-development
bynhm taveer hossain khan
 
Introduction in php part 2
byBozhidar Boshnakov
 
Dutch PHP Conference 2013: Distilled
byZumba Fitness - Technology Team
 

Recently uploaded

PDF
Q8 DIGITAL IDENTITY HUB - WSO2 Oxygenate Italy 2025
byProfesia Srl, Lynx Group
 
PPTX
Practical tips for keeping your C# code base clean
byDennis Doomen
 
PDF
Leonard Janke and Petra Drotleff On Moral and Cybersecurity
byPetra Drotleff
 
PPTX
OutSystems ONE 2025-recap presentation.pptx
bymostafaothman27
 
PDF
MicroPython presentation - PyConFr Lyon 2025 - Amine Bendahmane
byAmine Bendahmane
 
PDF
The new commer in Oracle memory architecture _Database Box).pdf
byAlireza Kamrani
 
PPTX
Building Smarter Integrations with MuleSoft_ MCP Server and Cursor in Action ...
byKunal Gupta
 
PDF
Data Center Exit to Cloud _ Managed Datacenter Migration.pdf
byAstuteBusiness
 
PPTX
2025 - AI terms & Meanings for Marketers
byashishav29
 
PDF
MathML Core in WebKit
byIgalia
 
PDF
GDG Boise - Innovating with Google Cloud Artificial Intelligence
byJoey Brown
 
PPTX
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
PDF
Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates
byLeon Anavi
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Session 4 - Agentic Testing with UiPath Agents
byDianaGray10
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
PDF
How Tridens DevSecOps Ensures Compliance, Security, and Agility
byTridens
 
PDF
The Smol Training Playbook: The Secrets to Building World-Class LLMs
byRazin Mustafiz
 
PPTX
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
PDF
How Generative AI Helps US Healthcare Startups Save 40.pdf
byimoliviabennett
 
Q8 DIGITAL IDENTITY HUB - WSO2 Oxygenate Italy 2025
byProfesia Srl, Lynx Group
 
Practical tips for keeping your C# code base clean
byDennis Doomen
 
Leonard Janke and Petra Drotleff On Moral and Cybersecurity
byPetra Drotleff
 
OutSystems ONE 2025-recap presentation.pptx
bymostafaothman27
 
MicroPython presentation - PyConFr Lyon 2025 - Amine Bendahmane
byAmine Bendahmane
 
The new commer in Oracle memory architecture _Database Box).pdf
byAlireza Kamrani
 
Building Smarter Integrations with MuleSoft_ MCP Server and Cursor in Action ...
byKunal Gupta
 
Data Center Exit to Cloud _ Managed Datacenter Migration.pdf
byAstuteBusiness
 
2025 - AI terms & Meanings for Marketers
byashishav29
 
MathML Core in WebKit
byIgalia
 
GDG Boise - Innovating with Google Cloud Artificial Intelligence
byJoey Brown
 
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates
byLeon Anavi
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
Session 4 - Agentic Testing with UiPath Agents
byDianaGray10
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
How Tridens DevSecOps Ensures Compliance, Security, and Agility
byTridens
 
The Smol Training Playbook: The Secrets to Building World-Class LLMs
byRazin Mustafiz
 
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
How Generative AI Helps US Healthcare Startups Save 40.pdf
byimoliviabennett
 

Creating "Secure" PHP Applications, Part 1, Explicit Code & QA

  • 1.
  • 2.
    So, who areyou, anyway? Bryan C. Geraghty Security Consultant at Security PS @archwisp I’m a Sr. PHP developer with a systems and security engineering background - turned application security consultant
  • 3.
    Remember, layers Simpler iseasier to test Don’t make assumptions Compromised browser = game over
  • 4.
    These are notspecifically security activities but they produce more stable code
  • 5.
    Don’t rely onthe server’s configuration Your bootstrap should Absolute Minimum set the defaults for any  Include paths PHP core functionality  Error reporting that your application is  Time zones using. These must be customizable for every environment e.g. (dev, staging, live)
  • 6.
    Example Bootstrap <?php // Allenvironment configuration for this application is done from this file ini_set('display_errors', 0); ini_set('error_reporting', -1); date_default_timezone_set('UTC'); $rootPath = dirname(__FILE__); set_include_path(sprintf( '%s%s%s%s', $rootPath, PATH_SEPARATOR, $rootPath, '/third-party' )); require_once('MindFrame2/AutoLoad.php'); MindFrame2_AutoLoad::install();
  • 8.
    Don’t use globalconstants, variables, or registries  You can’t be certain that nobody else will ever use the same global constant name  Tracking down where a value is assigned to a global variable is usually very difficult  Global variables remove control of that variable from the current scope  Global registries are really just fancy global variables and the same problems apply
  • 9.
    Value Reference Rules Values should only be referenced in one of the following ways:  A direct reference in the current scope: $limit = $this->_objectPool->getConfig()- >getDefaultLimit();  A parameter: public function getUsers($limit) { return $this->_objectPool- >getMapper(‘User’)->fetchAll($limit); }
  • 10.
    Don’t use functionparameter defaults "There should be one-- and preferably only one -- obvious way to do it." - Tim Peters  Reduces understanding from the caller perspective  Often add unnecessary complexity  Represents the most common use-case  Other use-cases are often ignored entirely  Changing the default breaks all implementations  Adding parameters breaks default implementations
  • 11.
    Default parameter example classUser { public function __construct($name, $email, $status = self::STATUS_ACTIVE) { $this->_name = $name; $this->_email = $email; $this->_status = $status; } } function createUser($name, $email, $status) { $user = new User($name, email); return $this->_objectPoool->getMapper(‘User’)->create($user); }
  • 12.
    Use explicit operatorswhenever possible This was actual production code. if ($sincedate && (int)$sincedate) { $param["UpdatedSinceDate"] = date("Y-m-d H:i:s", strtotime(time() - ((int)$sincedate)*60*60); } elseif ($sincedate && strtotime($sincedate)) { $param["UpdatedSinceDate"] = date("Y-m-d H:i:s", strtotime($sincedate)); } elseif(!isset($param["UpdatedSinceDate"])) { exit ("Invalid param UpdatedSinceDate"); } Do you think this code worked as the author intended when $sincedate was set to '2011-05-31'?
  • 13.
    Use constants forpossible values Constants cannot be re-defined, so using a constant for configuration limits your code to only ever be able to run in one configuration in a given stack. // Bad: This code cannot execute differently in the same stack define(‘PDO_FETCH_MODE’, 2); $dbi->fetchAll(PDO_FETCH_MODE); // Better: The value can change but this literal value means nothing without // referencing the documentation $dbi->fetchAll(2); // Best: Implemented using a meaningful constant which represents a *possible* value $dbi->fetchAll(PDO::FETCH_ASSOC);
  • 14.
    Use wrappers forsuper-globals  $_REQUEST, $_GET, $_SESSION, and $_FILES are the most commonly used PHP super-globals but there are others  It’s easy to create some serious security problems  It’s best to use a wrapper for interacting with these variables
  • 15.
    Simulate strong/static types PHPis dynamically typed, so we cannot do true strong or static typing but we can put controls in place which provide the same protection. private function _buildSelectDatabaseTableSql($database_name, $table_name, array $select_data, array $order_by_columns, $offset, $limit) { MindFrame2_Core::assertArgumentIsNotBlank($database_name, 1, 'database_name'); MindFrame2_Core::assertArgumentIsNotBlank($table_name, 2, 'table_name'); MindFrame2_Core::assertArgumentIsInt($offset, 5, 'offset'); MindFrame2_Core::assertArgumentIsInt($limit, 6, 'limit'); $skel = "SELECTn %snFROMn %s.%sn%s%s%s%s;"; $sql = sprintf($skel, $this->_buildSelectTableSqlFieldClause($table_name), $this->getSharedModule()->escapeDbElementName($database_name), $this->getSharedModule()->escapeDbElementName($table_name), $this->_buildSelectTableSqlJoinClause( $this->getSharedModule()->getDatabase()->getName(), $table_name), $this->_buildSelectTableSqlWhereClause($table_name, $select_data), $this->_buildSelectTableSqlOrderByClause( $table_name, $order_by_columns), $this->_buildSelectTableSqlLimitClause($offset, $limit)); return $sql; }
  • 16.
    Example Typing Assertions publicstatic function assertArgumentIsInt($value, $position, $name) { if (!is_int($value)) { $skel = 'Expected integer value for argument #%d (%s), %s given'; $message = sprintf($skel, $position, $name, gettype($value)); throw new InvalidArgumentException($message); } } public static function assertArgumentIsNotBlank($value, $position, $name) { if (trim($value) === '') { $skel = 'Argument #%d (%s) cannot be blank'; $message = sprintf($skel, $position, $name); throw new InvalidArgumentException($message); } }
  • 17.
    Use PHPMD &CodeSniffer This is the ./bin/codecheck script in MindFrame2 #!/bin/bash WD="`/usr/bin/dirname $0`/../"; echo Changing to working directory: $WD; cd $WD; if [ -z $1 ]; then DIR='.'; else DIR=$1; fi phpmd --exclude coverage $DIR text codesize,unusedcode,naming,design phpcs --ignore=coverage --standard=`pwd`/Standards/MindFrame2 $DIR phpcs --ignore=coverage --report=source --standard=`pwd`/Standards/MindFrame2 $DIR
  • 18.
    Example PHPMD Output bryan@ubuntu-virtual~/Code/MindFrame2 [130] $ ./bin/codecheck Dbms/Dbi Changing to working directory: ./bin/../ /home/bryan/Code/MindFrame2/Dbms/Dbi/Distributed.php:128 Avoid unused local variables such as '$partner'. /home/bryan/Code/MindFrame2/Dbms/Dbi/Distributed.php:185 Avoid unused local variables such as '$data'. /home/bryan/Code/MindFrame2/Dbms/Dbi/Distributed.php:199 Avoid unused local variables such as '$index'. /home/bryan/Code/MindFrame2/Dbms/Dbi/Distributed.php:240 Avoid unused private methods such as '_buildReplicaDatabaseSuffix'. /home/bryan/Code/MindFrame2/Dbms/Dbi/Single.php:25 This class has too many methods, consider refactoring it. /home/bryan/Code/MindFrame2/Dbms/Dbi/Single.php:150 Avoid unused parameters such as '$options'.
  • 19.
    Example PHPCS Output FILE:/home/bryan/Code/MindFrame2/Dbms/Dbi/Single.php -------------------------------------------------------------------------------- FOUND 6 ERROR(S) AFFECTING 6 LINE(S) -------------------------------------------------------------------------------- 39 | ERROR | Public member variables ("_connection") are forbidden 62 | ERROR | Whitespace found at end of line 144 | ERROR | Whitespace found at end of line 160 | ERROR | Line exceeds maximum limit of 80 characters; contains 97 | | characters 195 | ERROR | Whitespace found at end of line 298 | ERROR | Line exceeds maximum limit of 80 characters; contains 81 | | characters --------------------------------------------------------------------------------
  • 20.
    Unit testing /TDD  Test critical functionality at a minimum  Add edge cases to regression tests as they are discovered  Test-driven development only works if the entire team is dedicated to it  I personally don’t trust code that isn’t regression-tested; even if it was written by me
  • 21.
    Continuous Integration  Automatedsystem for code analysis and regression testing  There are a lot of continuous integration systems for PHP  If your tests aren’t automated, very few people will know or care when they break
  • 22.
    Deployment  Manually copyingfiles is riddled with problems  Tagging releases and re-deploying is a complicated and time-consuming process  Deployment systems automate the build and deployment process
  • 23.
  • 24.
    If you’re interestedin an application security career, come talk with me.