
Archive for PHP

Tips for faster PHP scripts

This post is part 1 of a 3-part series. For the other parts, visit these posts:

More Tips for faster PHP scripts
Even More Tips for faster PHP scripts

I have listed my top tips for writing faster (optimized) PHP code:

1. Multiple arguments with echo
When you use echo, you probably use something like this:

echo $variable1 . 'string1' . $variable2 . $variable3;

But, you may be forgetting that echo can take multiple arguments. So you can write it like this:

echo $variable1 , 'string1' , $variable2 , $variable3;

Passing multiple arguments to echo is faster than joining the strings first and then passing the result to echo. I did a little test in PHP: I echoed 10 different strings 500 thousand times, first with the concatenation (joining) method and then with the multiple arguments method. Here are my results:

Time for concatenation method: 37.83755 seconds
Time for multiple arguments method: 37.68789 seconds
Time saved: 0.15966 seconds; 0.396%

As you can see, the difference is very small. It is not worth going over all your old PHP scripts and changing the dots to commas unless you are extremely desperate for speed. It is more a case of preference than there being a best way.

Oh, and another small tip (without its own number): use echo instead of print - it's faster!


SQL Injection

This article is provided for information only. Only use the information within this article to create "hacker-proof" applications.

SQL Injection is a way for hackers to execute their own SQL code by exploiting a security vulnerability in an application that builds queries from unchecked input. It allows hackers to get email addresses, passwords and other information out of the database.

Before you include any input into a SQL query, the data should be correctly escaped.

Imagine a MySQL query in PHP like this:

mysql_query('SELECT email FROM `users` WHERE username = "'.$_POST['username'].'" AND password = "'.$_POST['password'].'"');

If you are using input data like this in a query, then you have a huge security vulnerability in your website. Everything should be fine if $_POST['username'] and $_POST['password'] are something like these:

mike16, password

But imagine what would happen if $_POST['username'] and $_POST['password'] both contained this:

none" OR "" = "

That input would turn the query into this:

mysql_query('SELECT email FROM `users` WHERE username = "none" OR "" = "" AND password = "none" OR "" = ""');

If this was a login form, a hacker would be able to access anyone's account without needing their username or password. Once in the account, the hacker could read personal information, delete the account or edit it.

Luckily, there is a way to make the data safe before using it in a query. The input has to be escaped. With MySQL in PHP you can use the mysql_real_escape_string() function:

mysql_query('SELECT email FROM `users` WHERE username = "'.mysql_real_escape_string($_POST['username']).'" AND password = "'.mysql_real_escape_string($_POST['password']).'"');

If a hacker then submitted none" OR "" = " (or anything similar), the query would look like this:

mysql_query('SELECT email FROM `users` WHERE username = "none\" OR \"\" = \"" AND password = "none\" OR \"\" = \""');

The quotes in the input are now escaped, so MySQL treats them as part of the value rather than as the end of the string, and the query is protected from SQL Injection.
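The login query from this post, as an added example that is not the blog's own code: the vulnerable string-built query beside a prepared-statement version, run against an in-memory SQLite database through PDO so it needs no MySQL server (it assumes the pdo_sqlite extension is available). The mysql_* functions used above were removed in PHP 7 and prepared statements are their replacement, so the hardened version uses those instead of mysql_real_escape_string; values are single-quoted here, so the injected input is the post's payload with ' in place of ".

```php
<?php
// Added example (not the blog's own code). Uses an in-memory SQLite database
// via PDO so it runs offline; assumes the pdo_sqlite extension is loaded.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: one user, matching the post's "mike16 , password".
$db->exec('CREATE TABLE users (username TEXT, password TEXT, email TEXT)');
$db->exec("INSERT INTO users VALUES ('mike16', 'password', 'mike16@example.com')");

// Vulnerable: user input is pasted straight into the SQL text, exactly as in
// the post's first mysql_query() call (single quotes instead of double).
function vulnerableLogin(PDO $db, string $user, string $pass): array
{
    $sql = "SELECT email FROM users WHERE username = '" . $user
         . "' AND password = '" . $pass . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: a prepared statement keeps the query text fixed; the values are
// sent separately and can never be parsed as SQL, whatever quotes they hold.
function safeLogin(PDO $db, string $user, string $pass): array
{
    $stmt = $db->prepare(
        'SELECT email FROM users WHERE username = :u AND password = :p'
    );
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The post's payload, adapted to single-quoted values.
$payload = "none' OR '' = '";

foreach (['vulnerableLogin', 'safeLogin'] as $fn) {
    echo $fn, " with real credentials: ",
         json_encode($fn($db, 'mike16', 'password')), PHP_EOL;
    echo $fn, " with injected input:  ",
         json_encode($fn($db, $payload, $payload)), PHP_EOL;
}
```

With the injected input, the vulnerable version returns the stored email because the query becomes username = 'none' OR '' = '' AND password = 'none' OR '' = '', while the prepared version returns nothing since no user is literally named none' OR '' = '.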


Messaging System

I just thought that I'd write to tell you about a 1 to 1 messaging system I have released under a Creative Commons license.

This messaging system is the first version and my first ever attempt (but still pretty good, I think). Version 2 of this system can be seen at http://22talk.com. Version 1 is similar in some ways and allows users to communicate with each other easily, as well as send emoticons and nudges.

It's coded in PHP and requires MySQL.

Download it now from http://planetsourcecode.com/vb/scripts/ShowCode.asp?txtCodeId=2284&lngWId=8
