php|architect, Volume IV - Issue 6, June 2005

Cover: Crossing the Divide: Object Persistence in PHP; An OO Layered Approach to Web Apps; References in PHP; Homo Xapian: The Search for a Better Search Engine. Major PHP contributor Derick Rethans gives you an in-depth look at references in PHP.

FEATURES

14  Crossing the Divide: Object Persistence in PHP
    Forgetting storage and focusing on functionality
    by Theo Spears

23  An OO Layered Approach to Web Apps
    You can more confidently develop code by knowing its place and responsibilities
    by Ronel Sumibcay

37  References in PHP: An In-Depth Look
    PHP's handling of variables explained
    by Derick Rethans

47  Homo Xapian: The Search for a Better Search Engine
    Open-source search technology that you can integrate directly into your PHP scripts
    by Marco Tabini

Download this month's code at: http://www.phparch.com/code/

DEPARTMENTS

6   Editorial: Political Internals
7   What's New
10  Tips & Tricks: CAPTCHA That Form
    Dealing with misuse of online forms
    by Ben Ramsey
55  Test Pattern: The Construction Industry
    Dependencies and Object Construction
    by Marcus Baker
61  Product Review: Agata 7 Report Generator
    A cross-platform database reporting tool
    by Peter B. MacIntyre
67  Exit(0); Tales from the Script
    by Marco Tabini

EDITORIAL: Political Internals

There's an interesting discussion taking place, on the PHP-Internals mailing list, as I type this. A couple of days ago, Andi bravely resurrected the PHP 5.1 thread that began many months ago, and it's started a flood of discussion. The Internals list is a strange beast. It can lay nearly dormant for weeks at a time, and then, overnight it seems, the sleeping giant is awakened with an onslaught of comments and opinions. It's a really strange feeling to wake up and find a list that usually gets 5 or fewer posts overnight suddenly dominating my inbox with several dozen loud messages. The topic du jour, this time around, is, once again, GOTO support in PHP.
What seems like a little more than half of the "voters" (not that many of them actually carry much weight amongst the PHP core developers) are for GOTO support, while the other bunch, a slightly more conservative (some might even say "wise") bunch, are against it. I, for one, am completely undecided on this issue—I see benefits to both sides. Yes, GOTO would be nice for certain types of deeply nested parsing algorithms (I love playing with the PHP tokenizer, for example), and for other things like code generation (many current code-generating packages—for other languages—employ liberal use of GOTO-like constructs). But the other side of the story is that I know that within months of a released GOTO implementation, I'll get stuck debugging a huge plate of PHP-spaghetti. Some of the code I've had to maintain without GOTO has been knotty enough, thank you. So, once again, we're at the crossroads of power and simplicity.

The really interesting part of this thread, for me, though, is the political stance that people have taken with this discussion. I've got a certain amount of respect for an equal amount of zealotry. But don't cross the line. Fortunately, we haven't seen much mudslinging, yet. I'll give it another few hours—it's only a matter of time before someone starts whining about how "[favorite language] has this feature, we must have it!" and this someone is met with a swift verbal kick from a member of the PHP Group, reminding him that "PHP is not [favorite language]!" It should be interesting to see how this all pans out. Fortunately, I've got a fresh beer, and an air-conditioned pub to keep me company while I write this, and the drama plays out.

As far as this issue goes, I believe it's the best one since I started editing, three issues ago. We've got a lot of really great content this month; especially interesting, for me at least, is the in-depth look at PHP variable internals, by Derick Rethans.
Security Corner is on a mini-hiatus to make room for the return of Tips & Tricks, which has a new author (whom you'll meet when you flip the pages). Summer is here! Well, at least in the northern hemisphere. Enjoy reading this issue on your patio, or while floating on your pool (unless, of course, you're a PDF subscriber; in which case, the pool might not be such a good idea, unless you've printed a copy).

June 2005 ● PHP Architect ● www.phparch.com

php|architect, Volume IV - Issue 6, June 2005

Publisher: Marco Tabini
Editorial Team: Arbi Arzoumani, Peter MacIntyre, Eddie Peloke
Graphics & Layout: Aleksandar Ilievski
Managing Editor: Emanuela Corso
News Editor: Leslie Hill, news@phparch.com
Authors: Marcus Baker, Peter B. MacIntyre, Ben Ramsey, Derick Rethans, Theo Spears, Ronel Sumibcay, Marco Tabini

php|architect (ISSN 1709-7169) is published twelve times a year by Marco Tabini & Associates, Inc., P.O. Box 54526, 1771 Avenue Road, Toronto, ON M5M 4N5, Canada.

Although all possible care has been placed in assuring the accuracy of the contents of this magazine, including all associated source code, listings and figures, the publisher assumes no responsibility with regard to use of the information contained herein or in all associated material.

Contact Information:
General mailbox: info@phparch.com
Editorial: editors@phparch.com
Subscriptions: subs@phparch.com
Sales & advertising: sales@phparch.com
Technical support: support@phparch.com

Copyright © 2003-2005 Marco Tabini & Associates, Inc. — All Rights Reserved

WHAT'S NEW?

PHP-MultiShop 0.7

Php-MultiShop.com releases the latest version of their CMS and eCommerce system, version 0.7. The website describes php-multishop as: "Php-MultiShop is a CMS & e-Commerce System, an OpenSource platform to realize a virtual mall that includes various shops and contents.
The user will have a global vision of the portal, to read the most interesting content (news, forums, curiosities, suggestions, reviews, cultural or commercial events, fairs, recipes, tourist itineraries, ...) and will have the possibility to visit the shop desired. Every shop will have all the functions and the personalization of a traditional e-commerce web-site, as if it were independent from the virtual mall. It will have its own internet domain and could be administrated in full autonomy by its own administrator. At the same time, it can be distinct from the mall and other shops thanks to the personalized graphics, individual style, organization, contents and products, like every shop in a real market place. Besides, being part of a large place able to attract different typologies of visitors and consumers, it will be visible and more easily findable, increasing its audience and potential market. Php-MultiShop is written in PHP, runs on the Apache web server and MySQL database server, and is able to run on any PHP and MySQL environment, including Linux, Solaris, BSD, Mac OS X, and Microsoft Windows environments. To realize the portal, the popular CMS PhpNuke is used, and for each shop the efficient osCommerce e-commerce suite."

Check out Php-MultiShop at php-multishop.com.

eZ publish 3.6

ez.no announces: "eZ systems is proud to announce the release of eZ publish 3.6. This release presents yet another big step forward for eZ publish, with many improvements throughout the system. eZ publish 3.6 is loaded with new features. The most significant new features are:

• Support for database transactions
• Real preview of new content in the administration interface
• HTML caching of static pages
• Improved support for internal links in XML fields
• Vastly improved template syntax
• A developer toolbar to clear cache and enable debug features on the fly"

Visit ez.no for all the latest information or to download.
ZEND Core for IBM Beta

IBM announces the release of the ZEND Core for IBM Beta. IBM describes the core as: "a seamless out-of-the-box, easy to install and supported PHP development and production environment. The product includes tight integration with DB2, the IBM Cloudscape database server, and native support for XML and Web Services, while also supporting increased adoption of Service Oriented Architectures (SOA). It delivers a rapid development and deployment foundation for database driven applications and offers an upgrade path from the easy-to-use, lightweight Cloudscape database to the mission critical DB2, by providing a consistent API between the two."

Get all of the latest information from http://www-306.ibm.com/software/data/info/zendcore/

MySQL 5.0.6

MySQL 5.0.6 has been released and is ready for download. Some changes in this release include:

• The GRANT and REVOKE statements now support an object_type clause to be used for disambiguating whether the grant object is a table, a stored function, or a stored procedure. Use of this clause requires that you upgrade your grant tables.
• Added a --show-warnings option to mysql to cause warnings to be shown after each statement if there are any. This option applies to interactive and batch mode. In interactive mode, \w and \W may be used to enable and disable warning display.
• SHOW VARIABLES now shows the slave_compressed_protocol, slave_load_tmpdir and slave_skip_errors system variables.
• If strict SQL mode is enabled, VARCHAR and VARBINARY columns with a length greater than 65,535 are no longer silently converted to TEXT or BLOB columns. Instead, an error occurs.

Check out http://dev.mysql.com/doc/mysql/en/news-5-0-6.html for more changes.

Check out some of the hottest new releases from PEAR.

File_Fstab 2.0.2

File_Fstab is an easy-to-use package which can read & write UNIX fstab files.
It presents a pleasant object-oriented interface to the fstab. Features:

• Supports blockdev, label, and UUID specification of mount device.
• Extendable to parse non-standard fstab formats by defining a new Entry class for that format.
• Easily examine and set mount options for an entry.
• Stable, functional interface.
• Fully documented with PHPDoc.

SOAP 0.9.1

Implementation of the SOAP protocol and services.

File_Archive 1.3.0

This library is strongly object oriented. That makes it very easy to use, writing simple code, yet the library is very powerful. It lets you easily read or generate tar, gz, tgz, bz2, tbz, zip, ar (or deb) archives to files, memory, mail or standard output. See http://poocl.la-grotte.org for a tutorial.

Crypt_Blowfish 1.0.1

This package allows you to perform two-way Blowfish encryption on the fly using only PHP. This package does not require the Mcrypt PHP extension to work.

Looking for a new PHP extension? Check out some of the latest offerings from PECL.

big_int 1.0.7

Functions from this package are useful for number theory applications, for example in two-key cryptography. See /tests/RSA.php in the package for an example of a simple implementation of an RSA-like algorithm. See the http://pear.php.net/packages/Crypt_RSA/ project for a more complex implementation of RSA-like crypto, which supports key generation, encryption/decryption, and generating and validating digital signatures. The package has many bitset functions, which let you work with bitsets of arbitrary length. This package is much faster than the BCMath extension bundled with PHP and provides almost all of the functions implemented in the PHP GMP extension, but it does not need any external libraries.

svn 0.1

Bindings for libsvn.

WinBinder 0.41.154

WinBinder is a new extension that allows PHP programmers to build native Windows applications. It wraps the Windows API in a lightweight, easy-to-use library so that program creation is quick and straightforward.
intercept 0.3.0

Allows the user to have a user-space function called when the specified function or method is called.

ingres 1.0

This extension supports Computer Associates' Ingres relational database.

Oracle and Zend Partnership

Oracle and Zend Technologies, Inc., the PHP company, and creator of products and services supporting the development, deployment and management of PHP-based applications, announced that the companies have partnered to produce Zend Core for Oracle™, a fully tested and supported, free download that will deliver tight integration between Oracle Database and Zend's supported PHP environment, enabling developers to get up and running in minutes with PHP and Oracle infrastructure. Scheduled for availability in CQ3, Zend Core for Oracle will deliver reliability, productivity and flexibility to run PHP applications tightly integrated with Oracle Database. Zend will offer support and updates for Zend Core for Oracle, which will be compatible with Zend's existing products such as Zend Platform and Zend Studio. For more information visit: http://www.zend.com/

The Zend PHP Certification Practice Test Book is now available!

We're happy to announce that, after many months of hard work, the Zend PHP Certification Practice Test Book, written by John Coggeshall and Marco Tabini, is now available for sale from our website and most book sellers worldwide! The book provides 200 questions designed as a learning and practice tool for the Zend PHP Certification exam. Each question has been written and edited by four members of the Zend Education Board, the very same group who prepared the exam. The questions, which cover every topic in the exam, come with a detailed answer that explains not only the correct choice, but also the question's intention, pitfalls and the best strategy for tackling similar topics during the exam.
For more information, visit http://www.phparch.com/cert/mock_testing.php

TIPS & TRICKS

CAPTCHA That Form Before It Gets Away!

by Ben Ramsey

Abuzz with discussions, arguments, and numerous opinions on solutions to the problem, the PHP community has been focused, lately, on how to prevent weblog comment spam and how to protect one's forms in general—be they comment forms, e-mail forms, etc. The topic has graced the pages of blogs, and threads on the subject have adorned more than one mailing list. Some say it's a PHP security problem; others blame the developers. But one thing is certain: it's just plain annoying.

How can we combat comment spam or verify that those using our forms are actually doing so from our pages and not some remote script out there? I don't pretend to have the definitive answer, and, in fact, this month's Tips & Tricks column doesn't attempt to provide a concrete solution, but I will point out a few erroneous practices, show how they leave forms vulnerable by providing examples of scripts that can misuse your forms, and provide a few "best practices" for securing your forms.

There are several popular methods out there for protecting Web forms. Almost all of them, however, aim to accomplish the same result, which is to determine the difference between a human and a computer (or automated script). Some scripts embed a token of some sort in the form and set a cookie or session variable. Others provide the user with a CAPTCHA (Completely Automated Turing test to tell Computers and Humans Apart) image of a word or phrase that the user must enter. Some check the Referer header. Still others implement some variant of each of these methods. The problem is that any script can simulate a valid user (read "human") interaction with a form, and some feel that, as long as the script is properly simulating a user session, it's okay. Yet, if your forms are set up improperly, these user-simulating scripts can continually access your script using the same session, potentially flooding you with spam. This month's Tips & Tricks examines three popular methods of "securing" forms and shows how to keep external scripts from posting to them.

The Embedded Token Method

The simplest and perhaps most user-friendly method of "securing" a Web form is to use what I'm referring to as the "embedded token" method. The embedded token method is simple because it only requires a few lines of code to implement, and it's user-friendly because it does not ... the presence of a user agent (Web browser) visiting the form. The server either sets a session variable or asks the browser to set a cookie that is then
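As an added illustration of the embedded token method (example code written for this edit, not the column's own listing; it assumes PHP 7 or later and the hypothetical function names issue_form_token and verify_form_token), the token is issued once per rendered form, stored in the session, and consumed on the first submission, so a script that keeps reusing the same session cannot keep posting with one token:

```php
<?php
// Added illustration of the "embedded token" method described above.
// Assumed (not from the column): the token lives in $_SESSION, is
// single-use and expires, so a reused session cannot replay it.
session_start();

const FORM_TOKEN_TTL = 600; // seconds a rendered form stays valid (assumed)

// Create a fresh random token, store it server-side, and return it for the form.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Validate the token submitted with the form. Succeeds at most once per
// token: the stored copy is removed before checking, so a replayed POST fails.
function verify_form_token(string $submitted): bool
{
    if (!isset($_SESSION['form_token'])) {
        return false;
    }
    $stored = $_SESSION['form_token'];
    unset($_SESSION['form_token']);             // single use, even if the check fails
    if (time() - $stored['issued'] > FORM_TOKEN_TTL) {
        return false;                           // stale form
    }
    // hash_equals avoids leaking the comparison result through timing
    return hash_equals($stored['value'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token($_POST['token'] ?? '')) {
        http_response_code(403);
        exit('Form token missing, expired, or already used.');
    }
    // handle the comment here, then stop
    echo 'Thanks for your comment.';
    exit;
}

// GET: render the form with a newly issued token as a hidden field
$token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <input type="hidden" name="token" value="<?= $token ?>">
  <textarea name="comment"></textarea>
  <button type="submit">Post comment</button>
</form>
```

A second POST carrying the same token in the same session is rejected with 403, which is the repeated-submission case the column warns about; the token must still be paired with other checks, since a client that fetches the form before every submission will always hold a valid one.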