As artists think alike…

June 7, 2009

8 PHP functions I won’t ever miss

Category: Programming » Web

I’m always careful about security, and especially about idiot-proofing, whenever I’m developing the usual stuff. PHP in particular is not only free, it also provides some of the handiest functions, ones I never fail to consider. Here are my Top 8.

1-2. addslashes() and mysql_real_escape_string()

These two functions are closely related, in that both provide security when building database queries. As their names suggest, the first adds slashes (escapes) to these characters in a string: ', ", \, while mysql_real_escape_string() escapes \x00, \n, \r, \, ', " and \x1a. For more complicated security issues, most programmers prefer mysql_real_escape_string(), since it closes certain loopholes in escaping quotes (characters) that can later lead to SQL injection.

3. stripslashes()

If slashes can be added to strings, then at some point you will also need to strip them out, and that is when stripslashes() comes in. Though I don’t use this function very often, it becomes handy when you need to print HTML code through JavaScript code, all from a PHP source. Just don’t forget this function; you will surely remember it as soon as you need it.

4-5. urlencode() and urldecode()

When printing anchors, source URLs, or URL outputs, or validating forms submitted with GET or POST, urlencode() mustn’t be left out. Usually, omitting this function, especially when building anchors, results in broken links (which of course is pretty inconvenient for your visitors). Certain characters like %, &, ?, spaces, and many other special characters are read differently in URLs, so they should be encoded before being passed on. urldecode(), of course, does the opposite: it decodes encoded URLs and reads them back as they should be read.

6. trim()

Though this one is not as important as the functions above, it definitely helps with idiot-proofing. You know, some users may be too idiotic to follow instructions that leading and trailing spaces are not accepted, but they still submit their inputs with them. That leads to flaws and unexpected results, so better trim those spaces out first before validating strings.

7. strip_tags()

Most web programmers just take this function for granted, but when their website layouts start to act strange and get mixed up, they start investigating and end up never knowing HOW. Without strip_tags(), your website becomes very, very prone to hacks. A simple example would be the insertion of a <strong style="font-size:100px;"> string.

8. htmlentities()

My favorite of ’em all. Nearly all of my PHP echoes come along with this (unless it’s specifically not needed). It encodes special characters into their HTML entities, like < (less than) to &lt; and " (quote) to &quot;. This is very important when printing values into HTML tag attributes, since you no longer need to worry about misprinted strings.

These are just pieces of advice, and functions I recommend you don’t miss out on. Mark them "strictly for security purposes", and everything will run as smoothly as a website should.
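The same idea of encoding a value for the context it lands in (items 4-5, 6, 7 and 8 above), written here in JavaScript as an added example. This is not code from the post and it is not PHP: each helper stands in for the PHP function named in its comment, the `/profile.php` path is a placeholder, and the inputs are constructed for the demo. The last function shows why stripping tags is not the same as encoding: a stray double quote survives strip_tags-style filtering and changes the markup of an attribute, while entity encoding neutralizes it.

```javascript
// Per-context output encoding in JavaScript. Added example, not the post's
// own code; inputs below are constructed for the demo.

// htmlentities()/htmlspecialchars(ENT_QUOTES) counterpart for element text
// and attribute values. "&" goes first so existing entities are not doubled.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// strip_tags() counterpart: removes <...> sequences and nothing else.
function stripTags(s) {
  return String(s).replace(/<[^>]*>/g, "");
}

// urlencode() counterpart for a query-string value: UTF-8 percent-encoding
// of everything except [A-Za-z0-9-_.], with space written as "+".
function urlEncodeQuery(s) {
  return encodeURIComponent(String(s))
    .replace(/[!'()*~]/g, c => "%" + c.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, "+");
}

// trim() applied before validation, as item 6 suggests; returns null when
// the trimmed value fails the whitelist (letters, digits, underscore, 3-16).
function normalizeUsername(raw) {
  const name = String(raw).trim();
  return /^[A-Za-z0-9_]{3,16}$/.test(name) ? name : null;
}

// Builds a profile link from untrusted input, encoding each piece for the
// place it lands in: URL query value, attribute value, element text.
// "/profile.php" is a placeholder path.
function renderProfileLink(rawName, displayText) {
  const name = normalizeUsername(rawName);
  if (name === null) return "";
  return '<a href="/profile.php?u=' + urlEncodeQuery(name) + '"' +
         ' title="' + htmlEncode(displayText) + '">' +
         htmlEncode(displayText) + '</a>';
}

// Stripping versus encoding on two constructed inputs: the post's own
// <strong> example, and a value that breaks out of an attribute without
// containing any tag at all.
function compareStripAndEncode() {
  const tagged = '<strong style="font-size:100px;">hi</strong>';
  const quoted = 'x" class="big';
  return {
    taggedStripped: stripTags(tagged),   // "hi"
    taggedEncoded: htmlEncode(tagged),   // "&lt;strong style=&quot;font-size:100px;&quot;&gt;hi&lt;/strong&gt;"
    quotedStripped: stripTags(quoted),   // unchanged: strip_tags does nothing here
    quotedEncoded: htmlEncode(quoted),   // 'x&quot; class=&quot;big'
  };
}
```

Note that `urlEncodeQuery` is only for query-string pieces; a value placed into an HTML attribute still goes through `htmlEncode`, even when it is also URL-encoded, because the two contexts have different metacharacters.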


April 24, 2009

AJAX - Encoding special characters

Category: Programming » Web

The data that needs to be passed when using the POST method in AJAX must be properly encoded, especially if it contains special characters outside the standard ASCII range. JavaScript provides three encoding functions that may be used for this: escape(), encodeURI(), and encodeURIComponent(). But these functions have certain limitations, which are discussed here: Comparing escape(), encodeURI(), and encodeURIComponent()

I often use AJAX in most of my web projects, and because I needed to allow special characters to be passed, I found a suitable function which effectively encodes most characters:

  function urlencode(url) {
      var SAFECHARS = "0123456789" +                  // Numeric
                      "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +  // Alphabetic
                      "abcdefghijklmnopqrstuvwxyz" +
                      "-_.!~*'()";                    // RFC2396 mark characters
      var HEX = "0123456789ABCDEF";

      // Code points above 255 that have a single-byte form in Windows-1252,
      // keyed by code point and mapped to that byte value.
      var spec = {};
      spec[8364] = 128; spec[8218] = 130; spec[402]  = 131; spec[8222] = 132;
      spec[8230] = 133; spec[8224] = 134; spec[8225] = 135; spec[710]  = 136;
      spec[8240] = 137; spec[352]  = 138; spec[8249] = 139; spec[338]  = 140;
      spec[381]  = 142; spec[8216] = 145; spec[8217] = 146; spec[8220] = 147;
      spec[8221] = 148; spec[8226] = 149; spec[8211] = 150; spec[8212] = 151;
      spec[732]  = 152; spec[8482] = 153; spec[353]  = 154; spec[8250] = 155;
      spec[339]  = 156; spec[382]  = 158; spec[376]  = 159;

      var encoded = "";
      for (var i = 0; i < url.length; i++) {
          var ch = url.charAt(i);
          if (ch == " ") {
              encoded += "+";                 // x-www-form-urlencoded, rather than %20
          } else if (SAFECHARS.indexOf(ch) != -1) {
              encoded += ch;
          } else {
              var charCode = ch.charCodeAt(0);
              if (charCode > 255) {
                  // Use the Windows-1252 byte when there is one; otherwise
                  // substitute "?" (0x3F) rather than emitting a bogus %00.
                  charCode = spec.hasOwnProperty(charCode) ? spec[charCode] : 0x3F;
              }
              encoded += "%" + HEX.charAt((charCode >> 4) & 0xF) + HEX.charAt(charCode & 0xF);
          }
      }
      return encoded;
  }

I got this function from Mabaloo.com, but I’ve improved it a bit so that it supports some characters outside the standard ASCII range.
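To see the limitations the post refers to, here is an added example (not from the post or from Mabaloo.com) that runs the three built-in encoders over the same constructed input, checks whether a result is something a standard decoder such as decodeURIComponent() or PHP's urldecode() can actually parse, and builds an application/x-www-form-urlencoded body for an AJAX POST from a plain object. The `/handler.php` path in the comment is a placeholder.

```javascript
// Added example: built-in encoders side by side and a form-body builder.
// Sample strings are constructed for the demo.

// What each built-in produces for the same input. escape() is legacy: it
// writes Latin-1 characters as %XX and anything above 255 as %uXXXX, which
// is not percent-encoding and no server-side decoder will accept it as such.
function compareEncoders(s) {
  return {
    escape: escape(s),
    encodeURI: encodeURI(s),                   // keeps &, =, ?, / etc. intact
    encodeURIComponent: encodeURIComponent(s)  // encodes them, UTF-8 bytes as %XX
  };
}

// True when s is valid UTF-8 percent-encoding. A %uXXXX escape, or a lone
// single byte such as %80 from a Windows-1252 mapping, makes the decoder throw.
function isStandardPercentEncoding(s) {
  try {
    decodeURIComponent(s);
    return true;
  } catch (e) {
    if (e instanceof URIError) return false;
    throw e;
  }
}

// One key or value for application/x-www-form-urlencoded: UTF-8 percent
// encoding from encodeURIComponent, then the RFC 2396 mark characters it
// leaves alone are encoded too, and space becomes "+".
function formEncode(s) {
  return encodeURIComponent(String(s))
    .replace(/[!'()*]/g, c => "%" + c.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, "+");
}

// Joins an object into a POST body; keys and values are both encoded.
function encodeFormBody(params) {
  return Object.keys(params)
    .map(k => formEncode(k) + "=" + formEncode(params[k]))
    .join("&");
}

// Browser-side use (not executed here; "/handler.php" is a placeholder):
//   var xhr = new XMLHttpRequest();
//   xhr.open("POST", "/handler.php");
//   xhr.setRequestHeader("Content-Type",
//       "application/x-www-form-urlencoded; charset=UTF-8");
//   xhr.send(encodeFormBody({ q: "café & crème", page: 2 }));
```

The charset in the Content-Type header matters: the post's function emits single Windows-1252 bytes for characters like the euro sign, so the receiving script must decode the body as Windows-1252, whereas encodeURIComponent() always emits UTF-8 and pairs with a UTF-8 page and handler.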


September 10, 2008

Google’s favorite word

Category: Web

Speed is probably Google’s most favorite word. As I noticed, their applications, websites, mail provider, and even their newest browser, Google Chrome, all pay careful attention to how fast each one performs. One simple proof is their most popular search engine homepage: www.Google.com. Check out this page and take a look at its source code by right-clicking on it and selecting "View Page Source" or the like. You’ll notice that the code for that page, and even the pages for the search results, is not written and formatted line by line in a readable manner. I believe that this has nothing to do with enhancing security; most probably, it is designed intentionally to optimize speed.

How then does writing it that way improve speed? There’s just one simple explanation: white space (which includes spaces, tabs, and line breaks; except inside string constants and as separators between keywords and tags) is ignored by browsers when reading HTML code, but still takes up 1 byte per character. Remember that HTML code is sent from web servers byte by byte to client applications such as browsers. So even the unnecessary white space consumes time during transfer. Simply put, it still burns some bandwidth, and to take care of that it just has to be removed.

Fact: Line breaks have 2 characters each: the character with ASCII value 10, and the one with ASCII value 13. This means each line break consumes 2 bytes. Imagine a well-formatted HTML page with 100 lines of code; even excluding the tabs and spaces, it has unnecessarily consumed 200 bytes. If about 1 million users request the same page in one second, then that website has just wasted 200 million bytes of bandwidth. That is more than 190 Mb per instance.

Now you won’t wonder why Google tops all of the current search engines.
