Jan 28 2012 - 12:02 PM
Several useful techniques in web development
I learned some interesting techniques while working on the Survey Sidekick project, and I would love to share them with you. I hope they will be useful to you:
On the PHP side, I found several techniques:
1. Calling magic:
If a class implements __call(), then invoking a method that does not exist on an object of that class runs __call() instead, which receives the requested method name and its arguments.
Example (found in Survey SideKick\Models\AppModel.php, __call):
/*
// Forward any undefined method call on the model to the $this->dbms object,
// passing the original arguments through unchanged.
function __call($method_name, $method_args) {
    return call_user_func_array(array($this->dbms, $method_name), $method_args);
}
*/
Note that this forwards every unknown method name, so the model exposes the whole public API of $this->dbms; an allow-list of the methods that may be forwarded keeps that surface small.
2. Managing magic quotes (a big hole in PHP)
In PHP, the magic_quotes setting can be turned on. When magic quotes are on, every ' (single quote), " (double quote), \ (backslash) and NUL in request data is escaped with a backslash automatically. The fact that the magic quotes setting can be turned on and off is the real problem: if it were either always on or always off, the problem would be far less severe. So it is crucial for application developers to know whether magic_quotes_gpc or magic_quotes_runtime is turned on when coding. (Magic quotes were deprecated in PHP 5.3 and removed in PHP 5.4, so on current versions the only safe assumption is that no automatic escaping happens at all.)
Survey Sidekick\lib\Controller.main shows a good way to handle the magic_quotes state:
# if the system admin has turned on magic quotes, disable them
/*
// Recursive wrapper around stripslashes(), which on its own does not
// descend into nested request arrays.
function stripslashes_deep($value) {
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}

// Undo the automatic escaping so the application always sees raw input
// and can escape it itself, exactly once, at the point of use.
if( get_magic_quotes_gpc() ) {
    $_REQUEST = stripslashes_deep($_REQUEST);
    $_POST    = stripslashes_deep($_POST);
    $_GET     = stripslashes_deep($_GET);
    $_COOKIE  = stripslashes_deep($_COOKIE);
}
*/
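As an added example (not code from Survey Sidekick), the following script simulates both php.ini settings and shows what the database ends up storing for a name containing a quote: an application that escapes without checking the setting stores a stray backslash when magic quotes are on, while normalising first and escaping once stores the same correct value either way. simulate_gpc() and stored_value() are constructed stand-ins for PHP's request parsing and for the SQL layer.

```php
<?php
// Added example, not code from Survey Sidekick: why Controller.main has to
// normalise the magic_quotes state before the application escapes anything.
$raw = ['name' => "O'Brien"];   // constructed form input containing a quote

// Stand-in for PHP's request parsing: with magic_quotes_gpc on, every ' " \
// and NUL in $_GET/$_POST/$_COOKIE arrives already escaped with a backslash.
function simulate_gpc(array $raw, $magic_on) {
    return $magic_on ? array_map('addslashes', $raw) : $raw;
}

// Recursive helper like the one Controller.main relies on; plain stripslashes()
// does not descend into nested arrays such as $_POST['address']['street'].
function stripslashes_deep($value) {
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}

// Undo magic quotes when they are on, so later code sees the raw value in
// every deployment and escapes exactly once, at the point of use.
function normalize_request(array $request, $magic_on) {
    return $magic_on ? stripslashes_deep($request) : $request;
}

// What the database ends up storing once the SQL layer has consumed one level
// of escaping (addslashes stands in for a driver's quote()/bound parameter).
function stored_value($escaped_once) {
    return stripslashes($escaped_once);
}

foreach ([true, false] as $magic_on) {
    $request = simulate_gpc($raw, $magic_on);

    // Naive application: escapes without checking the setting. With magic
    // quotes on this escapes twice and stores a stray backslash; an application
    // that instead skips escaping because it assumes magic quotes are on would
    // pass the raw quote straight into SQL when they are off.
    $naive = stored_value(addslashes($request['name']));

    // Normalised first, escaped once: same stored value under either setting.
    $fixed = stored_value(addslashes(normalize_request($request, $magic_on)['name']));

    printf("magic_quotes_gpc=%-3s naive=%-10s normalised=%s\n",
           $magic_on ? 'on' : 'off', $naive, $fixed);
}
```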
3. Yet Another Framework (Yaf)
The Yet Another Framework (Yaf) extension is a PHP framework for developing web applications; it provides object-oriented interfaces to PHP developers.
####################################
One interesting technique I found in the Django part:
#####################################
Cross Site Request Forgery protection (CSRF):
The CSRF middleware and template tag provide easy-to-use protection against Cross Site Request Forgeries. This type of attack occurs when a malicious web site contains a link, a form button or some JavaScript that is intended to perform some action on your web site, using the credentials of a logged-in user who visits the malicious site in their browser. A related type of attack, "login CSRF", where an attacking site tricks a user's browser into logging into a site with someone else's credentials, is also covered.
In Django you can use the csrf_token tag to implement this protection:
In any template that uses a POST form, use the csrf_token tag inside the