php:specific_flaws [2013/03/16 17:40] (current)
==== PHP Specific Flaws ====
Sept 2012
 
=== GENERAL ===

== No consistent way of returning results for some functions (such as **strpos**) ==
 
strpos() returns FALSE when the search is not successful, otherwise the integer offset of the match, which may be 0. Because FALSE == 0 is true under loose comparison, testing the result with == (or using it directly as an index) confuses "not found" with "found at offset 0". Always test the result with === or !==.
 +
<code php | strpos returns FALSE, which is wrongly evaluated as 0>
$haystack = "ABC";
$needle = "D";
$pos = strpos($haystack, $needle); // bool(false): "D" does not occur in "ABC"
echo $haystack[$pos];              // FALSE is cast to offset 0, so it wrongly prints A
var_dump($pos == 0);               // bool(true): loose comparison cannot tell FALSE from 0
var_dump($pos === false);          // bool(true): this is the correct "not found" test
</code>
 +
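The same FALSE/0 confusion is what makes "is this substring present?" filters fail when the substring sits at the start of the input. The following is an added example, not code from the original page: a filter that is meant to reject any path containing "..", written once with == (the bug) and once with === (the fix). The function names and the sample paths are constructed for this illustration, and the scalar type declarations need PHP 7 or later.

```php
<?php
// Added example, not from the original page: a path filter that is supposed to reject
// any path containing "..", written with == (bug) and with === (fix). Function names
// and the sample paths are constructed for this illustration; needs PHP 7 or later.

function is_safe_path_loose(string $path): bool
{
    // BUG: strpos() returns 0 when ".." is at the very start of the string, and
    // 0 == false is true, so a path that begins with ".." is reported as safe.
    // A path with ".." further in returns a positive offset and is rejected,
    // so the bug only shows for input that starts with the forbidden sequence.
    if (strpos($path, '..') == false) {
        return true;
    }
    return false;
}

function is_safe_path_strict(string $path): bool
{
    // === distinguishes "not found" (false) from "found at offset 0" (0).
    return strpos($path, '..') === false;
}

function compare_filters(): array
{
    // constructed inputs: a benign path, traversal in the middle, traversal at offset 0
    $samples = ['uploads/report.pdf', 'uploads/../etc/passwd', '../etc/passwd'];
    $out = [];
    foreach ($samples as $p) {
        $out[$p] = [
            'loose'  => is_safe_path_loose($p),
            'strict' => is_safe_path_strict($p),
        ];
    }
    return $out;
}

foreach (compare_filters() as $path => $r) {
    printf("%-25s loose=%-5s strict=%s\n", $path,
        var_export($r['loose'], true), var_export($r['strict'], true));
}
```

Run it and the loose filter accepts "../etc/passwd" while rejecting "uploads/../etc/passwd"; the strict filter rejects both. The same trap applies to every function that returns FALSE on failure and a possibly-zero value on success, for example array_search(), which returns the matching key and may legitimately return 0.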
== No built-in accelerators ==

PHP recompiles every script on each request, so for acceptable performance you need a separately installed opcode cache ("accelerator") such as APC. (Since PHP 5.5 an opcode cache, OPcache, is bundled with the interpreter.)

== Register globals ==

register_globals was removed in PHP 5.4 and had been disabled by default since 4.2. While it was on, every request parameter silently became a global variable, which made it a constant source of insecurity in the past.

== Not every construction is a function ==

//array//() is not a function; there is no int() function, only the (int) cast and its alias (integer). \\ 
The same holds for (bool) and (boolean), etc. //echo// and //empty// are language constructs, not functions, so they cannot be passed as callbacks and function_exists() returns false for them.

 +
=== OPERATORS ===

== Type-coercing comparison operators will convert numeric strings to numbers ==

If you compare:

- a number with a string

<code php | Compare a number with a string>
$a = 0;
$b = "true";

var_dump($a == $b); // bool(true) before PHP 8: the non-numeric string "true" is converted to 0
                    // (PHP 8.0 changed this: a number compared with a non-numeric string
                    //  is compared as strings, so the result is bool(false) there)

// How a string is converted to a number, e.g. by an (int) cast:
// "12"    -> 12
// "12a"   -> 12   (the leading digits are used)
// "a12"   -> 0
// "12a13" -> 12
</code>
 +
- two numeric strings: each string is converted to a number and the comparison is performed numerically. Strings too long to fit in an integer become floats, which carry only about 15 to 17 significant decimal digits, so distinct strings can compare equal.


<code php | Wrong comparison>
$a = "1234567890123456789012345678901234567890";
$b = "1234567890123456789000000000000000000000";

var_dump($a == $b);  // bool(true), which is WRONG: both strings become the same float
var_dump($a === $b); // bool(false): === compares the strings byte by byte
</code>
 +
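The practical consequence for security code is that any == between attacker-controlled and stored strings is a numeric comparison whenever both sides happen to look numeric. The block below is an added example, not part of the original page, and goes a little beyond the page's case: besides the oversized integers it shows "0e..." strings (scientific notation for zero, so they all compare equal) and two well-known md5 digests of that shape, which is how a "stored_hash == md5($input)" login check can be satisfied by the wrong input. The function names and the first four input pairs are constructed for this illustration; hash_equals() exists since PHP 5.6, and the foreach destructuring needs PHP 7.1 or later.

```php
<?php
// Added example, not from the original page: == on numeric-looking strings converts
// both sides to numbers first, which makes a naive "stored == supplied" token check
// bypassable. Function names and the first four pairs are constructed for this
// illustration; hash_equals() exists since PHP 5.6; needs PHP 7.1+ for the foreach.

// Loose comparison, as found in many old password/token checks.
function token_matches_loose(string $stored, string $supplied): bool
{
    return $stored == $supplied;
}

// Byte-by-byte, constant-time comparison: no numeric coercion and no timing leak.
function token_matches_strict(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

function comparison_table(): array
{
    $pairs = [
        // too large for an integer: both become the same float
        ['1234567890123456789012345678901234567890', '1234567890123456789000000000000000000000'],
        // scientific notation: both are 0.0
        ['0e1234', '0e9999'],
        // an exponent and leading whitespace are both accepted in numeric strings
        ['1e3', '1000'],
        [' 1', '1'],
        // md5("240610708") and md5("QNKCDZO") are both "0e" followed by digits only,
        // so a == check against either stored digest accepts the other input
        [md5('240610708'), md5('QNKCDZO')],
    ];
    $rows = [];
    foreach ($pairs as [$a, $b]) {
        $rows[] = [$a, $b, token_matches_loose($a, $b), token_matches_strict($a, $b)];
    }
    return $rows;
}

foreach (comparison_table() as [$a, $b, $loose, $strict]) {
    printf("%-42s %-42s ==:%-5s hash_equals:%s\n", $a, $b,
        var_export($loose, true), var_export($strict, true));
}
```

Every pair in the table is reported equal by == and unequal by hash_equals(). The fix is always the same: compare secrets, digests and identifiers with === or hash_equals(), never with ==.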
=== VARIABLES ===

== Names == 

Variable names are case sensitive; function, method and class names aren't.

<code php | Difference between element names>
class Test
{
    protected $one_var = 1;
    protected $ONE_VAR = 2;

    public function __construct()
    {
        echo $this->one_var."\n"; // prints 1: property names are case sensitive
        echo $this->ONE_VAR."\n"; // prints 2: this is a different property
    }
}

$ob = new Test();
$ob2 = new TEST(); // also valid: class names are not case sensitive
</code>

Try to add
<code php | Method names aren't case sensitive>
    public function one_method() {}
    public function ONE_METHOD() {}
</code>
to the class and you'll get: "Fatal error: Cannot redeclare Test::ONE_METHOD()". The same applies to built-in functions: strtolower(), STRTOLOWER() and StrToLower() all call the same function, so a case-sensitive deny list of function names is trivially bypassed.
 +
=== OPERATORS ===

== Less (more) than ... operator (no safe version) ==

The relational operators apply the same numeric coercion as ==: two numeric strings are ordered as numbers, while strcmp() always orders them byte by byte.

<code php | Different results for similar operations>
$a = "123";
$b = "0124";

var_dump($a < $b);             // bool(true): compared as the numbers 123 and 124, so "string $a is less than string $b"
var_dump(strcmp($a, $b) > 0);  // bool(true): compared as text, '1' sorts after '0', so "string $a is greater than string $b"
</code>
 +
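The same coercion drives the default flag of sort(), and it disappears as soon as a string stops looking numeric, which is what bites version checks. The block below is an added example, not code from the original page, and goes beyond the page's single pair: it orders the page's strings both ways, sorts a small list with SORT_REGULAR and SORT_STRING, and contrasts a version check written with >= against version_compare(). Function names and sample values are constructed for this illustration; the type declarations need PHP 7 or later.

```php
<?php
// Added example, not from the original page: relational operators and the default
// sort() flag apply the same numeric coercion as ==, so numeric-looking strings are
// ordered as numbers unless a string comparison is requested explicitly. Function
// names and sample values are constructed for this illustration; needs PHP 7+.

function less_than_both_ways(string $a, string $b): array
{
    return [
        'operator<' => $a < $b,             // numeric when both are numeric strings
        'strcmp'    => strcmp($a, $b) < 0,  // always byte by byte
    ];
}

// SORT_REGULAR (the default) compares elements with the coercing operators;
// SORT_STRING compares them with strcmp()-like semantics.
function sort_both_ways(array $values): array
{
    $regular = $values;
    sort($regular);
    $asStrings = $values;
    sort($asStrings, SORT_STRING);
    return ['SORT_REGULAR' => $regular, 'SORT_STRING' => $asStrings];
}

// "5.10.0" has two dots, so it is not a numeric string: >= falls back to a
// byte-wise comparison in which "5.10.0" sorts before "5.9.2".
// version_compare() understands dotted versions and is the right tool here.
function version_ok_operator(string $have, string $need): bool
{
    return $have >= $need;
}

function version_ok_compare(string $have, string $need): bool
{
    return version_compare($have, $need, '>=');
}

print_r(less_than_both_ways('123', '0124'));
print_r(sort_both_ways(['10', '9', '0124', '123', '1e2']));
var_dump(version_ok_operator('5.10.0', '5.9.2'));
var_dump(version_ok_compare('5.10.0', '5.9.2'));
```

With the list above, SORT_REGULAR places '9' first and '0124' last because it orders by numeric value, whereas SORT_STRING places '0124' first and '9' last. The two version checks disagree: the >= form says 5.10.0 is older than 5.9.2, version_compare() says it is newer. When the order of strings matters for a decision (minimum version, numeric bounds, lexical ranges), pick the comparison function that matches the data instead of relying on the operators.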
 +
== Concatenation and Addition ==

The + operator is not overloaded for strings: + always means arithmetic (the operands are converted to numbers), and the dot is always used for concatenation, so "1" + "2" is 3 while "1" . "2" is "12".

== Arrays ==

For an array you can use [] or {} to address an element ($a[12], $a{12}). The {} form was deprecated in PHP 7.4 and removed in 8.0.

The //[]// operator can be applied to any variable, and on a scalar it does not raise an error: it simply yields NULL (silently before PHP 7.4, with a notice since 7.4 and a warning since 8.0).

<code php>
$a = 12;
var_dump($a[1]); // NULL, not an error
</code>
 +
 +
== Ternary operator is LEFT-to-RIGHT associative ==

Unlike other programming languages. A nested ternary without parentheses is therefore grouped as ((a ? b : c) ? d : e). PHP 8.0 turned unparenthesized nesting into a compile-time error (it was deprecated in 7.4); earlier versions silently evaluate the wrong branch, so always parenthesize the inner ternary.

<code php | Ternary is left to right>
$choice = 1;

$result = ($choice == 1) ? 'Yes' :
          ($choice == 2) ? 'No' : 'Maybe';
// grouped as: (($choice == 1) ? 'Yes' : ($choice == 2)) ? 'No' : 'Maybe'

var_dump($result); // string(2) "No" instead of the intended "Yes": 'Yes' is truthy, so the outer ternary picks 'No'
</code>
 +
=== FUNCTIONS ===

== Function names == 

Function names are very inconsistent: strpos but str_pad, urlencode but base64_encode. \\ 
For arrays, some functions start with array_*, others (sort, count, in_array, ...) don't.

== No module system == 

- extensions are specified in php.ini and loaded into the global namespace

== Argument order not consistent == 

//array_filter($input, $callback)// versus //array_map($callback, $input)// \\ 
//strpos($haystack, $needle)// versus //array_search($needle, $haystack)//


== Heavily based on C modules == 

Large portions of PHP are just wrappers around C functions.

== Confusing naming (//vsprintf// and //sprintf//) == 

If a function accepts an array of arguments rather than a variable number of arguments, we get two very similar versions of the same thing (//vprintf// versus //printf//, and likewise //vsprintf// versus //sprintf//).

== Confusion between similar functions == 

//explode// and //str_split//: explode splits on a separator string, str_split splits into chunks of a fixed length.

== Confusing returned results == 

//php_uname()//

On some older UNIX platforms, it may not be able to determine the current OS information, in which case it falls back to displaying the OS that PHP was built on.

== No standard way to access a database == 

Three ways (for MySQL, for example): the mysql extension (deprecated in PHP 5.5, removed in 7.0), the mysqli extension, and the PDO abstraction layer. Only the latter two support prepared statements; the old mysql extension only takes a finished query string, which pushes developers towards building SQL by concatenation.
 +
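The security difference between the three APIs is whether user input can become part of the SQL text. The block below is an added example, not code from the original page: the same lookup written the way the old mysql_* extension encouraged (the value spliced into the query string) and as a PDO prepared statement. An in-memory SQLite database stands in for MySQL so the script runs offline; it assumes the pdo_sqlite extension is loaded, and the table, column, user names and hostile input are constructed for this illustration.

```php
<?php
// Added example, not part of the original page: a lookup built by string concatenation
// (the mysql_query() style) next to a PDO prepared statement. SQLite in memory stands
// in for MySQL so this runs offline; assumes the pdo_sqlite extension is available.
// Table, columns, user names and the hostile input are constructed for this illustration.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");
    return $db;
}

// mysql_query()-style: the value is spliced into the SQL text, so a quote in the
// input ends the literal and the rest of the input is parsed as SQL.
function find_user_concat(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// PDO prepared statement: the value is bound separately from the statement text
// and is always treated as data, never as SQL. mysqli offers the same via
// mysqli_prepare()/bind_param(); the old mysql extension has no equivalent.
function find_user_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
$hostile = "x' OR '1'='1";   // constructed hostile input

printf("%d row(s) for 'alice' via concatenation\n", count(find_user_concat($db, 'alice')));
printf("%d row(s) for hostile input via concatenation\n", count(find_user_concat($db, $hostile)));
printf("%d row(s) for hostile input via prepared statement\n", count(find_user_prepared($db, $hostile)));
```

The concatenated query turns the hostile input into "WHERE name = 'x' OR '1'='1'" and returns every user, including the admin row; the prepared statement looks for a user literally named "x' OR '1'='1" and returns nothing. Whichever of the three APIs a code base uses, the query text must never be assembled from untrusted strings.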
php/specific_flaws.txt · Last modified: 2013/03/16 17:40 (external edit)