{"id":838,"date":"2010-01-19T16:15:26","date_gmt":"2010-01-19T08:15:26","guid":{"rendered":"http:\/\/www.tzlee.com\/blog\/?p=838"},"modified":"2010-01-21T00:30:42","modified_gmt":"2010-01-20T16:30:42","slug":"mvc-quick-hack-in-php","status":"publish","type":"post","link":"https:\/\/tzlee.com\/blog\/2010\/01\/mvc-quick-hack-in-php\/","title":{"rendered":"MVC Quick Hack in PHP, Tips on Web Development"},"content":{"rendered":"<p>Unlike Java, PHP wasn&#8217;t designed with <a href=\"http:\/\/en.wikipedia.org\/wiki\/Model%E2%80%93view%E2%80%93controller\">MVC<\/a> in mind, but with bigger projects MVC becomes important to keep code clean and readable. I&#8217;m sure a lot of crazy people in the class would have figured out their own MVC quick hack, but I&#8217;ll just share mine here.<\/p>\n<ul>\n<li>The <strong>Model<\/strong> shall remain as MySQL. I&#8217;m not going to <span style=\"text-decoration: line-through;\">spend<\/span> waste time creating beans-like objects because I personally believe beans are inefficient things for retrieving even the simplest of things. In PHP, the\u00a0<code>mysql_fetch_assoc()<\/code> function is really all that you need. The web is a stateless thing, let&#8217;s keep it that way.<\/li>\n<li>The <strong>Controller<\/strong> shall be the direct PHP file that gets called, i.e. your URL links to the controller, your form submits to the controller. The controller contains only logic.<\/li>\n<li>The <strong>View<\/strong> shall be a PHP file that sits in another directory and gets called using the <code>include()<\/code> or <code>include_once()<\/code> function and contains HTML\/CSS\/JS and some bits of PHP such as loops for displaying content.<\/li>\n<\/ul>\n<p>Also, here are some of my personal tips when developing public-facing web applications.<\/p>\n<ul>\n<li>Do create an error handling routine. 
You may implement this in any way you want, but I typically use an array and use the <code>array_push()<\/code> function to push errors onto the array stack. If the array is empty, we know there are no errors. But a simple array can be quite ugly, so you might want to create a data structure to take care of where exactly the error message shows.<\/li>\n<li>Always end your files with <code>.php<\/code>. Don&#8217;t end them with <code>.inc<\/code> or <code>.somethingelse<\/code> because you risk exposing your source code, unless you configured Apache to parse <code>.inc<\/code> files as PHP. Even so, I&#8217;d still advise keeping the suffix as <code>.php<\/code> in the event the files get deployed on another server with missing Apache config. The fewer moving parts, the better.<\/li>\n<li>Always escape your strings using <code>mysql_escape_string()<\/code> before querying the database to prevent <a href=\"http:\/\/en.wikipedia.org\/wiki\/Sql_injection\">SQL Injection<\/a>.<\/li>\n<li>Always take care of integer parsing. I like to use <code>intval()<\/code> because it doesn&#8217;t throw a fatal error. If it sees a string, it returns 0. This also prevents SQL Injection.<\/li>\n<li>Always clean up output using <code>htmlspecialchars()<\/code> to prevent <a href=\"http:\/\/en.wikipedia.org\/wiki\/Cross_site_scripting\">Cross-Site Scripting<\/a>.<\/li>\n<li>Never pass filenames as parameters, as you can be vulnerable to <a href=\"http:\/\/en.wikipedia.org\/wiki\/Path_traversal\">Path Traversal<\/a>. Try to use other methods if you need to have filenames passed around, such as server-side sessions or constants.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Unlike Java, PHP wasn&#8217;t designed with MVC in mind, but with bigger projects MVC becomes important to keep code clean and readable. 
I&#8217;m sure a lot of crazy people in the class would have figured out their own MVC quick&#8230; <a class=\"more-link\" href=\"https:\/\/tzlee.com\/blog\/2010\/01\/mvc-quick-hack-in-php\/\">Continue Reading &rarr;<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[8],"tags":[162,163,158,160,159],"class_list":["post-838","post","type-post","status-publish","format-standard","hentry","category-tech","tag-mvc","tag-path-traversal","tag-php","tag-sql-injection","tag-xss"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/posts\/838","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/comments?post=838"}],"version-history":[{"count":9,"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/posts\/838\/revisions"}],"predecessor-version":[{"id":840,"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/posts\/838\/revisions\/840"}],"wp:attachment":[{"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/media?parent=838"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/categories?post=838"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tzlee.com\/blog\/wp-json\/wp\/v2\/tags?post=838"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}