Chapter 11 Security
9. What is the purpose of the open_basedir directive?
A. To indicate the directory that include() calls will use as a base.
B. To restrict file open access to a specific directory.
C. To set the working directory.
D. To allow additional file open access than that granted by safe_mode.
Answer B is correct. Answer A is incorrect because open_basedir does not change how include() resolves paths (that is the job of include_path); it only restricts which files may be opened. Answer C is incorrect because the working directory does not depend on open_basedir. Answer D is incorrect because open_basedir applies regardless of whether safe_mode is enabled. Two practical notes: the PHP manual describes the value as a path prefix rather than a directory name, so end each entry with a slash (open_basedir = /var/www/app/ rather than /var/www/app); and the restriction is enforced only by PHP's own file functions, so it does not confine programs launched through exec() and similar calls.
10. Which of the following activities can safe_mode help prevent? (safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4; the manual itself describes solving this problem at the PHP level as architecturally incorrect.)
A. Browsing the filesystem with a specially crafted PHP script.
B. Writing a Bash shell script to read session data.
C. Browsing the filesystem with a specially crafted Perl script.
- Comparison operators
- Performance
- Caching
- Portability
Techniques You'll Need to Master
- Writing readable code
- Proper commenting
- Comparing heterogeneous data
- Debugging
Chapter 12 Debugging and Performance
- Identifying and preventing performance bottlenecks
- Preventing performance issues
- Improving database performance
- Using content and bytecode caching
Coding Standards
Writing your code in a structured manner is, perhaps, the smartest decision you can
Flattening if Statements
Consider the following snippet of code:
if ($is_allocated)
{
    if ($has_been_mangled)
    {
        if ($foo == 5)
        {
            print "foo is 5";
        }
        else
        {
            print "You entered the wrong data!";
        }
    }
    else
    {
        return false;
    }
}
else
{
    return false;
}
As you can see, the many nested if statements here cause the code to look very busy and difficult to read. An easy way to improve the situation consists of "flattening" your
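The following is an added example, not code from the book: the nested block above rewritten with guard clauses (each condition that leads to return false becomes an early exit), together with a brute-force check that the two versions agree on every combination of inputs. The print calls are turned into returned strings so the versions can be compared, and $foo is assumed to be an integer; both assumptions are mine, not the book's.

```php
<?php
// Added example (not from the book): flattening the nested if block with guard
// clauses and verifying the refactoring over the whole input space.
// print calls are replaced by returned strings so the versions can be compared.

function nestedVersion(bool $isAllocated, bool $hasBeenMangled, int $foo)
{
    if ($isAllocated) {
        if ($hasBeenMangled) {
            if ($foo == 5) {
                return "foo is 5";
            } else {
                return "You entered the wrong data!";
            }
        } else {
            return false;
        }
    } else {
        return false;
    }
}

// Flattened: every precondition that ends in "return false" becomes an early
// exit, so the happy path is no longer buried three levels deep.
function flatVersion(bool $isAllocated, bool $hasBeenMangled, int $foo)
{
    if (!$isAllocated || !$hasBeenMangled) {
        return false;
    }
    if ($foo == 5) {
        return "foo is 5";
    }
    return "You entered the wrong data!";
}

// Exhaustively compare the two over all flag combinations and a few $foo values.
// A refactoring of control flow is cheap to verify this way; do it before trusting it.
function versionsAgree(): bool
{
    foreach ([true, false] as $alloc) {
        foreach ([true, false] as $mangled) {
            foreach ([4, 5, 6] as $foo) {
                if (nestedVersion($alloc, $mangled, $foo) !== flatVersion($alloc, $mangled, $foo)) {
                    return false;
                }
            }
        }
    }
    return true;
}

var_dump(versionsAgree());
```

The strict comparison (!==) in versionsAgree() matters: the functions return either a string or false, and a loose comparison would treat false and an empty string as equal.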
Splitting Single Commands Across Multiple Lines
One of the great things about PHP is that it doesn't require you to write a single statement all on one line of code. In fact, any statement can be split across an arbitrary number of lines without any change in its functionality, provided, of course, that you remember that a line break inside a quoted string becomes part of the string's value (harmless in SQL, where it is just whitespace, but not in every context). This is particularly useful when you have a complex line of code that spans a large number of characters:
$db->query("select foo,
                   bar,
                   mybar as foobar
            from tbl1
            where tbl1.mybar='foo'");
This database query is split over several lines. The main advantage here is that you can immediately see what the query does, which tables are involved, and which conditions you are placing in the where clause. If the same query had been placed all on the same line, understanding its purpose would have taken a lot more effort, and the risk of introducing new bugs by modifying it would have been greater.
Concatenation Versus Substitution
If you are inserting data into a long string—such as a database query—you can use the
concatenation operator, but doing so often limits your ability to read the query properly:
$db->query("insert into foo(id,bar)
            values('" . addslashes($id) . "','" . addslashes($bar) . "')");
On the other hand, you could just use one of the printf() functions to do the job for you:
$db->query(sprintf("insert into foo(id,bar) values('%s','%s')",
                   addslashes($id), addslashes($bar)));
Keep in mind that this is a readability change only: %s inserts its argument verbatim, so whatever escaping the query needs still has to be done on the arguments you pass.
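The following is an added example, not code from the book, showing the same insert built with sprintf() in a way that is safe as well as readable, beside a prepared statement. It runs against an in-memory SQLite database through PDO, so it assumes the pdo_sqlite extension and PHP 7 or later; the table, the column types and the hostile sample value are constructed for the demonstration. The point it adds to the text: %d coerces its argument to an integer, which is a legitimate way to neutralise a numeric parameter, while a string column needs the driver's own quoting (which knows the connection's character set, unlike addslashes()) or, better, a prepared statement that keeps the data out of the SQL text entirely.

```php
<?php
// Added example (not from the book): the same INSERT built with sprintf() and
// with a prepared statement, run against an in-memory SQLite database via PDO.
// Assumes pdo_sqlite and PHP >= 7; table and sample values are constructed here.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('create table foo (id integer, bar text)');
    return $db;
}

// sprintf() with %d for the integer column and the driver's own quoting for the
// string column. PDO::quote() returns the value already wrapped in quotes, so
// the template carries no quotes of its own around %s.
function insertWithSprintf(PDO $db, $id, string $bar): void
{
    $sql = sprintf('insert into foo(id, bar) values(%d, %s)', $id, $db->quote($bar));
    $db->exec($sql);
}

// Prepared statement: the SQL text is fixed, the values travel separately.
function insertPrepared(PDO $db, int $id, string $bar): void
{
    $stmt = $db->prepare('insert into foo(id, bar) values(:id, :bar)');
    $stmt->execute([':id' => $id, ':bar' => $bar]);
}

function readBack(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('select bar from foo where id = :id');
    $stmt->execute([':id' => $id]);
    $bar = $stmt->fetchColumn();
    return $bar === false ? null : $bar;
}

function demo(): array
{
    $db = makeDb();
    // Constructed hostile input: closes the quoted value and starts a second statement.
    $hostile = "x'); delete from foo; --";

    insertWithSprintf($db, 1, $hostile);
    insertPrepared($db, 2, $hostile);
    // %d neutralises a non-numeric id: "7 or 1=1" becomes the integer 7.
    insertWithSprintf($db, '7 or 1=1', 'seven');

    return [
        'sprintf_roundtrip'  => readBack($db, 1) === $hostile,
        'prepared_roundtrip' => readBack($db, 2) === $hostile,
        'id_coerced'         => readBack($db, 7) === 'seven',
        'rows'               => (int) $db->query('select count(*) from foo')->fetchColumn(),
    ];
}

print_r(demo());
```

Both insert paths store the hostile string intact rather than executing the embedded delete, and the count shows all three rows survive. Of the two, the prepared statement is the one to standardise on: it needs no per-column decision about which placeholder or quoting function is right.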
and ASP tags can all be turned off through PHP configuration directives. Thus, the following
<?php print "Testing 1 2 3" ?>
is longer than
<?= "Testing 1 2 3" ?>
but not quite as portable. (Since PHP 5.4 the <?= form is always available regardless of the short_open_tag setting, while ASP-style tags were removed in PHP 7.) Note, also, that there is a subtle difference between print and echo. Although they are both language constructs, the former acts as a function, meaning that it actually returns a value (always the integer 1, not a Boolean), whereas the latter does not. Thus, the following code is valid, although quite pointless, and prints 101:
<?php echo print (10) ?>
One Equal, Two Equals, Three Equals
How often have you written the following code?
if ($a = 5)
{
    print "a is 5";
}
If you're like most programmers, the answer is an unfortunate "often." The problem here is caused by the fact that the if statement allows any expression inside its condition, including assignments. Thus, the preceding line is not technically incorrect, but it's obviously not what the author intended, as the condition will always evaluate to true (the value of the assignment expression is 5), making the if statement pointless and, what's worse, changing the value
fall in the assignment trap again!
There’s Equal and Equal
As we mentioned in Chapter 1, PHP is a loosely typed language. This means that, under the right circumstances, it will automatically juggle data types to perform its operations according to how programmers are most likely to want it to.
There are scenarios, however, in which this is not a desirable approach, and you want, instead, PHP to be strict and literal in the way it compares data. Consider, for example, what would happen if you were dealing with information coming from a patient's medical record. In this situation, you'll want to make sure that nothing is left to chance and that PHP doesn't attempt to interpret user input in too liberal a way. Remember that == treats numeric-looking strings as numbers, so "1e3" == "1000" and "0e12" == "0e34" are both true even though the strings differ.
Generally speaking, it's always a good idea to use the identity operators (=== and !==) whenever you know that a value has to be of a certain type:
if ($a !== 0) {
    echo '$a is not an integer zero';
}
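The following is an added example, not code from the book, showing how == and === differ on the kind of input that actually reaches a script (strings taken from a request), why loose comparison of hashes is dangerous, and what the strict comparison of a secret looks like. It assumes PHP 7 or later; the one row whose result changed in PHP 8 is marked, and the sample values are constructed for the demonstration.

```php
<?php
// Added example (not from the book): loose versus strict comparison on inputs
// an attacker controls. Assumes PHP >= 7; sample values constructed for the demo.

function compareBothWays($a, $b): array
{
    return ['loose' => $a == $b, 'strict' => $a === $b];
}

function juggleTable(): array
{
    return [
        // Two different strings that both parse as "zero times ten to something":
        // == compares them numerically, so they are equal.
        '"0e12345" == "0e54321"' => compareBothWays('0e12345', '0e54321'),
        '"1e3" == "1000"'        => compareBothWays('1e3', '1000'),
        '"1" == "01"'            => compareBothWays('1', '01'),
        'null == false'          => compareBothWays(null, false),
        '"" == null'             => compareBothWays('', null),
        '"0" == false'           => compareBothWays('0', false),
        // true == <any non-empty string>: the string is converted to bool first.
        'true == "no"'           => compareBothWays(true, 'no'),
        // Version dependent: true in PHP 7 (the string becomes 0), false in PHP 8
        // (the number is compared as a string against a non-numeric string).
        '"abc" == 0'             => compareBothWays('abc', 0),
    ];
}

// The "0e..." row is what makes loose hash comparison dangerous: two hex digests
// that both start with "0e" followed only by digits are == although they differ.
// Both md5() outputs below have that form.
function looseHashCollision(): bool
{
    return md5('240610708') == md5('QNKCDZO');
}

// The strict way to compare a secret against user input: same type, same bytes,
// and constant time so the comparison does not leak where the first mismatch is.
function tokenMatches(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}

foreach (juggleTable() as $expr => $r) {
    printf("%-26s loose=%-5s strict=%s\n", $expr,
           var_export($r['loose'], true), var_export($r['strict'], true));
}
var_dump(looseHashCollision());
var_dump(tokenMatches(md5('240610708'), md5('QNKCDZO')));
```

Every row of the table is true under == and false under ===, which is the whole argument for the identity operators when the type is known. hash_equals() (PHP 5.6 and later) is the right tool for tokens, digests and passwords hashes: it is strict, and it does not stop at the first differing byte.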
Testing for Resource Allocation
One of the most common mistakes that cause code to become unreliable consists of using external resources without ensuring that they are available. For example, look at the following code:
$res = mysql_query("select foo from bar");
while ($row = mysql_fetch_array($res))
{
yourself (and your entire team), you could adopt one of the many abstraction layers available or write one yourself. This way, the actual error management can be performed in a centralized location (the abstraction layer), and you won't have to write too much code.
It's important to keep in mind that this check is required whenever you interact with an external resource, be it a database, a file, or a network connection, and that it should fail closed: a query that could not run must not be treated as a query that returned no rows.
Starting with PHP 5, you can use another error-control structure, exceptions. Remember, however, that these are not available in PHP 4 and, therefore, cannot be used to solve a problem that appears in the exam. (The mysql_* functions shown above were removed in PHP 7; PDO and mysqli are the replacements, and the same rule applies to them.)
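The following is an added example, not code from the book, showing what the unchecked pattern above does when the query fails, beside the PHP 4 style check of the return value and the PHP 5 style exception. It uses PDO with an in-memory SQLite database, so it assumes the pdo_sqlite extension and PHP 7 or later; the users table, its single row and the deliberate typo in the table name are constructed for the demonstration.

```php
<?php
// Added example (not from the book): an unchecked query failure, the explicit
// return-value check, and the exception-based version. Uses PDO with an in-memory
// SQLite database; assumes pdo_sqlite and PHP >= 7. Table and rows constructed here.

function makeDb(int $errmode): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, $errmode);
    $db->exec('create table users (name text, banned integer)');
    $db->exec("insert into users values ('mallory', 1)");
    return $db;
}

// The lookup deliberately names the table "user" instead of "users", so it fails.
function banQuery(PDO $db, string $name): string
{
    return 'select 1 from user where name = ' . $db->quote($name) . ' and banned = 1';
}

// Unchecked, in the style of the book's mysql_query() snippet. In ERRMODE_SILENT
// query() returns false on failure; iterating over false produces a warning and
// no rows, so "deny if a matching row exists" quietly passes: the code fails open.
function isBannedUnchecked(PDO $db, string $name): bool
{
    $res = $db->query(banQuery($db, $name));
    $found = false;
    foreach ($res as $row) {
        $found = true;
    }
    return $found;
}

// Checked, PHP 4 style: test the return value and fail closed.
function isBannedChecked(PDO $db, string $name): bool
{
    $res = $db->query(banQuery($db, $name));
    if ($res === false) {
        // The user cannot be proven allowed, so treat the failed lookup as a denial.
        return true;
    }
    return $res->fetch() !== false;
}

// PHP 5 style: PDO::ERRMODE_EXCEPTION turns the false into a thrown PDOException
// that the caller cannot overlook by accident.
function isBannedWithExceptions(PDO $db, string $name): bool
{
    try {
        $res = $db->query(banQuery($db, $name));
        return $res->fetch() !== false;
    } catch (PDOException $e) {
        return true; // fail closed
    }
}

function demo(): array
{
    $silent = makeDb(PDO::ERRMODE_SILENT);
    $strict = makeDb(PDO::ERRMODE_EXCEPTION);
    return [
        // @ hides the foreach warning, which is exactly how this bug hides in production.
        'unchecked'  => @isBannedUnchecked($silent, 'mallory'),
        'checked'    => isBannedChecked($silent, 'mallory'),
        'exceptions' => isBannedWithExceptions($strict, 'mallory'),
    ];
}

print_r(demo());
```

The unchecked version reports the banned user as not banned, because a failed query and an empty result look the same to a loop that never tests $res. The other two report the ban (or rather, the failure to rule it out), which is the fail-closed behaviour an access check needs.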
Ternary Operators and if Statements
if statements are necessary control structures for all but the simplest of PHP scripts. As a result, they will sometimes become very complex, especially when they are nested several levels deep.