Things to do before you present your php project

In this article I’m going to share with you some of the things you need to check before you present your php project. Some of these things often get left out and actually stay unpatched. Yup! I’m talking about errors here. Errors which only show up accidentally. Errors which can only appear by letting an idiot or a monkey use your system. Yes, systems are made for humans, but sometimes you need to act like a monkey in order to uncover the errors.


String Sanitization
Sanitizing your strings is number one on this list, folks. Most web applications today use databases to store and retrieve data, and to store and retrieve data we use SQL, the Structured Query Language. SQL only allows certain keywords; you actually get an error if you don’t comply with the syntax, just like with any programming language.
So where does string sanitization come in? Here’s an example query to help you understand where we need it; try running it if you don’t know the output yet:

SELECT * FROM def_transactions WHERE transactionID='''

That’s just the query; in php it looks like this:

<?php
// Vulnerable: the submitted value is pasted straight into the query text,
// so a single quote in trans_id ends the string literal and breaks the query.
$transaction_id = $_POST['trans_id'];
$db->query("SELECT * FROM def_transactions WHERE transactionID='$transaction_id'");
?>

You can see now that the same SQL error will pop out if someone enters a single quote in the transaction id field. Go ahead and try it.

So how do we sanitize the string? The simplest way is already built into php: the mysql_real_escape_string() function. You use it this way:

<?php
// Escaped: quotes and backslashes in trans_id are escaped before they reach
// the query, so they stay inside the string literal instead of ending it.
$transaction_id = mysql_real_escape_string($_POST['trans_id']);
$db->query("SELECT * FROM def_transactions WHERE transactionID='$transaction_id'");
?>

The error won’t bother you again. What mysql_real_escape_string() does is escape the characters that have a special meaning inside a quoted SQL string, so they can’t break out of it. You might say that it’s addslashes() on steroids.


Empty Results
Second on the list is empty results. It’s crucial to check whether the query you’re calling actually returns a result set. You’re asking for trouble if you don’t perform that check. Consider the following example:

<?php
$name = $_POST['name'];
$results = $db->get_results("SELECT * FROM tbl_people WHERE name LIKE '%$name%'");
foreach($results as $r){
    echo $r->name.'<br/>';
}
?>

So what’s wrong with the code above? Aside from the fact that we didn’t perform any sanitization, you might also have noticed that we went ahead and looped through the results without even checking whether there are any results at all. When the query matches nothing, the code raises an error telling you that the argument passed to the foreach loop is invalid. To fix the code we change it to the one below.

<?php
$name = $_POST['name'];
$results = $db->get_results("SELECT * FROM tbl_people WHERE name LIKE '%$name%'");
// get_results() gives you nothing to iterate when no rows match, so guard the loop
if(!empty($results)){
    foreach($results as $r){
        echo $r->name.'<br/>';
    }
}
?>
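The two fixes above (sanitizing the input and checking for empty results) combined in one script. This is an added example, not code from the original post: it uses PDO prepared statements, which keep the user’s value out of the SQL text entirely (the mysql extension that provides mysql_real_escape_string() was removed in PHP 7), and an in-memory SQLite database with a constructed schema and rows so it runs without a MySQL server. The table names come from the article; the functions and sample data are my own.

```php
<?php
// Added example (not from the original post): prepared statements plus an
// explicit empty-result check. Schema and rows are constructed here, in an
// in-memory SQLite database, so the script runs offline.
declare(strict_types=1);

function openSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE def_transactions (transactionID TEXT, amount INTEGER)');
    $db->exec('CREATE TABLE tbl_people (name TEXT)');
    $db->exec("INSERT INTO def_transactions VALUES ('TX-1001', 250), ('TX-1002', 75)");
    $db->exec("INSERT INTO tbl_people VALUES ('Alice'), ('Bob'), ('Alicia')");
    return $db;
}

// The value never becomes part of the SQL text, so a quote in $transactionId
// cannot change the query: it is compared as data and simply matches nothing.
function findTransaction(PDO $db, string $transactionId): ?array
{
    $stmt = $db->prepare('SELECT * FROM def_transactions WHERE transactionID = :id');
    $stmt->execute([':id' => $transactionId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;   // null, not false, for "no such row"
}

// LIKE search with a bound parameter. The wildcards are added in PHP, and the
// user's own % and _ are escaped so they are matched literally.
function findPeople(PDO $db, string $name): array
{
    $pattern = '%' . addcslashes($name, '%_\\') . '%';
    $stmt = $db->prepare("SELECT name FROM tbl_people WHERE name LIKE :pattern ESCAPE '\\'");
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);   // [] when nothing matches, never null
}

$db = openSampleDb();

// Constructed inputs standing in for $_POST values: a normal id and the
// single quote from the article.
foreach (['TX-1001', "'"] as $input) {
    $row = findTransaction($db, $input);
    echo $row === null ? "no transaction for '$input'\n" : "found {$row['transactionID']}\n";
}

// Empty-result handling: fetchAll() returns an empty array, so the foreach is
// already safe, but an explicit check lets you show a message instead of a
// blank page.
foreach (['Ali', 'zzz', "'"] as $input) {
    $people = findPeople($db, $input);
    if ($people === []) {
        echo "no people matching '$input'\n";
        continue;
    }
    echo "people matching '$input': " . implode(', ', $people) . "\n";
}
```

Run it with php on the command line (it needs the pdo_sqlite extension, which ships with most PHP builds). The quote input produces no error in either query; it just matches nothing, which is exactly the outcome the empty-result check is there to handle.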


Thorough Checking
Before you present any application you must thoroughly check that it’s working fine and that errors don’t show up here and there. But test your application in such a way that errors will actually show up. Here’s how:

  • Input all sorts of crazy stuff, symbols, and other unnecessary characters on the text fields.
  • Test all the possibilities, not just one. For example, if you have a function that returns either true or false based on the value of the argument passed to it, then test it in such a way that you see both true and false. Don’t conclude that it’s working 100% if you’ve only seen one side of the coin.
  • Examine your application. If you see something that you think isn’t user friendly, something that you think might cause errors in the future, or a text field that accepts a data type it shouldn’t, then take note of it and change it if you have enough time. Don’t push lots of changes overnight if you think you can’t make it.
  • Make sure that the flow of the program is correct.
  • Let others use your application, and ask them for suggestions or whether they’ve seen any errors.
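A repeatable way to do the first two items in that list: feed a field’s validator a table of odd inputs and state up front which ones must be accepted and which rejected, so both sides of the coin are covered every time you run it. This is an added example, not from the original post; isValidTransactionId() and its rule (“TX-” followed by four digits) and the inputs are constructed for the illustration.

```php
<?php
// Added example (not from the original post): a throwaway check script that
// does the "act like a monkey" testing from the list above in a repeatable way.
// isValidTransactionId() and the inputs are constructed for this example.
declare(strict_types=1);

// What a transaction id is allowed to look like: "TX-" followed by 4 digits.
// \z rather than $ is deliberate: $ also matches just before a trailing newline,
// so "TX-1001\n" would otherwise slip through.
function isValidTransactionId(string $value): bool
{
    return preg_match('/^TX-\d{4}\z/', $value) === 1;
}

// Inputs a real user (or a monkey) might type, paired with the outcome we
// expect. Both accept and reject cases are listed.
function transactionIdCases(): array
{
    return [
        // value                  expected
        ['TX-1001',               true],
        ['TX-0000',               true],
        ['',                      false],   // empty field
        ["'",                     false],   // the single quote from above
        ['TX-1001 OR 1=1',        false],   // SQL fragment typed into the field
        ['<b>TX-1001</b>',        false],   // HTML tags
        ['TX-１００１',            false],   // full-width digits (no /u, so \d is ASCII only)
        ["TX-1001\n",             false],   // trailing newline
        [str_repeat('1', 10000),  false],   // absurdly long input
    ];
}

// Runs every case and reports the ones whose outcome differs from what we
// expect. Returns the number of failures so it can double as an exit code.
function runCases(array $cases): int
{
    $failures = 0;
    foreach ($cases as [$value, $expected]) {
        $actual = isValidTransactionId($value);
        if ($actual !== $expected) {
            $failures++;
            printf("FAIL %-30s expected %s, got %s\n",
                json_encode($value), var_export($expected, true), var_export($actual, true));
        }
    }
    printf("%d case(s), %d failure(s)\n", count($cases), $failures);
    return $failures;
}

exit(runCases(transactionIdCases()));
```

Every time you tighten or loosen the rule, re-run the script; a non-zero exit code means one of the cases no longer behaves the way you decided it should.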


Turn Off Error Reporting
This might be your last option. Turning off error reporting is not advisable if you’re still in the process of testing your application. But if you don’t want anyone to see errors while you’re presenting your application, this is your best bet. To turn off error reporting, just uncomment the production values like the ones below; you can use the find tool to quickly jump to these lines in your php.ini:

; display_errors
;   Default Value: On
;   Development Value: On
    Production Value: Off

; display_startup_errors
;   Default Value: Off
;   Development Value: On
    Production Value: Off

; error_reporting
;   Default Value: E_ALL & ~E_NOTICE
;   Development Value: E_ALL | E_STRICT
    Production Value: E_ALL & ~E_DEPRECATED

; html_errors
;   Default Value: On
;   Development Value: On
    Production value: Off

Here’s sample code that will issue an error if the default values for error reporting are in use:

<?php
echo $a;
?>

Here’s what you usually get if you run the code above:
[screenshot: the error output]

And here’s what you get if you uncomment the production values for error reporting:

[screenshot: the output with the production values enabled]

Awesome, but I only recommend this one as a last resort. Be careful to comment the production values back out after your presentation, as leaving them on might give you the illusion that there is nothing wrong with your program.
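The same production settings applied at runtime, with one addition a practitioner would want: errors are hidden from the visitor but still written to a log, so the illusion described above doesn’t cost you the information. This is an added example, not from the original post; the log path is a placeholder.

```php
<?php
// Added example (not from the original post): the production settings from
// the article applied at runtime, plus logging so hidden errors still reach a
// file instead of vanishing. The error_log path is a placeholder.
declare(strict_types=1);

error_reporting(E_ALL);                           // keep reporting everything...
ini_set('display_errors', '0');                   // ...but never print it to the visitor
ini_set('display_startup_errors', '0');
ini_set('html_errors', '0');
ini_set('log_errors', '1');                       // send it to the log instead
ini_set('error_log', '/path/to/php-errors.log');  // placeholder path

// Turns every warning/notice into a log line that says where it happened, and
// returns true so PHP's own display logic is skipped.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true;
});

echo $a;   // undefined variable: a warning on PHP 8, a notice on older versions
echo "page rendered\n";
```

The visitor sees only “page rendered”; the undefined-variable message, with file and line, lands in the log file, which is where you look after the presentation to find what still needs fixing.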


Conclusion
I guess that’s it! You’ve learned some of the things that you should do before presenting your php application. These tips might also apply to other programming projects, not just php ones. I hope you enjoyed reading!
