Date posted: 06-Jun-2015
Category: Technology
Uploaded by: damien-seguy
PHP under control: Keep an eye on your source code
Agenda
The age of industrialisation for PHP
How to keep this code under control
Technics and tools
Organizing teams for quality
Speaker
Damien Seguy
Nexen (.net), AlterWay Group
Expert services on LAMP hosting
Raise elePHPants
Monthly PHP stats
Keep an eye on the code
Security
Performances
Code quality
Maintenance
But
Bigger teams
Changing teams
Long projects
Lots of code
Set up a coding reference
Set up the rules
Share them
Keep them simple
"No bug" is not a rule
Don't try to catch everything
Reference suggestions
Security
Filter incoming data
Protect data
Quality
Short functions
No globals
Performances
Less require (_once)
No eval()
Maintenance
Sensible symbols
CamelCaps or underscores
Searching the code
Grep
preg_match()
Tokenizer
Grep
Fast, efficient, will always find something
Will find way too much
Difficult to find larger structures (function, class)
Great when you know what to look for
Great with one liners
Grep targets
Search for
$_GET, $_POST, $_COOKIE, $_SERVER, $[A-Z]
filter with dot, comma, parenthesis
var_dump, print_r
mysqli_query, mysqli_fetch_, mysqli_error
_once
Grep charts
if(isset($_POST['sgoogle'])){
// Traverse each _REQUEST data adn put them in ...
$GLOBALS['HTTP_POST_VARS'] =& $_POST;
$_REQUEST["comments_threadId"] = 0;
$game["desc"] = $_POST['description'];
$comments_t_query .= "?$c_name=" . $_REQUEST["$c_name"];
var_dump($aux);
Grep charts
Tiki-wiki (http://tikiwiki.org/)
1422 PHP files
456850 lines of code
178 occurrences $_POST
7634 occurrences of $_REQUEST
56 var_dump
Regexing PHP code
perl -m
More complex regex calls
Sometimes easier to write as PHP
Still a wide net
Only search for strings, not code
Regex examples
Spotting heredocs
if (preg_match_all('/<<<(\S*)(.*?)(\1)/is', $code, $r)) {
Globals affectations
/=\s*\$_[A-Z]/s
But how to get strings?
/'[^']*'/ (Try 'No this won\'t work';)
Regex stats
No HereDocs
2645 SELECT
Grep got us 7861, including .sql files, </select> tags
1059 affectations of incoming values ($_REQUEST...)
Tokenizer
Your own PHP analyser!
Included since PHP 4.3
Exact with PHP semantics
Huge list of tokens
Must be processed
Rebuild large structure
<?php print ("hello $world! "); ?>
[1] => Array ( [0] => 266 [1] => print [2] => 1 )
[2] => Array ( [0] => 370 [1] =>   [2] => 1 )
[3] => (
[4] => "
[5] => Array ( [0] => 314 [1] => hello [2] => 1 )
[6] => Array ( [0] => 309 [1] => $world [2] => 1 )
[7] => Array ( [0] => 314 [1] => ! [2] => 1 )
[8] => "
[9] => )
[10] => ;
Each token is an Array ( [0] => PHP token [1] => PHP code [2] => Script line ); single characters such as ( " ) ; are returned as plain strings.
Tokenizer
Extract variables names, arguments, function call
61 $foo, 2 $ccc
2 $feature_community_friends_permission_dep
all $a .... $z except $o and $q
124 variables only used once...
Other ideas?
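As an added example (not code from the talk), this PHP script applies the tokenizer idea of the previous slides: it reports assignments of incoming superglobals, real var_dump()/print_r() calls and variables used only once, while skipping comments and single-quoted strings that grep would flag. It assumes PHP 7.4 or later; the sample input is constructed.

```php
<?php
// Added example, not from the talk: a token_get_all() audit doing what the grep
// and regex slides approximate, but with PHP semantics: tokens inside comments
// and single-quoted strings are never reported, unlike with grep.
function auditPhpCode(string $code): array
{
    $tokens = token_get_all($code);
    $n = count($tokens);
    $superglobals = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST', '$_SERVER', '$_FILES', '$GLOBALS'];
    $report = ['superglobal_assignments' => [], 'debug_calls' => [], 'variables' => []];
    // nearest non-whitespace token from $i, stepping by +1 or -1 (null if none)
    $neighbour = function (int $i, int $step) use ($tokens, $n) {
        while ($i >= 0 && $i < $n && is_array($tokens[$i]) && $tokens[$i][0] === T_WHITESPACE) {
            $i += $step;
        }
        return ($i >= 0 && $i < $n) ? $tokens[$i] : null;
    };
    for ($i = 0; $i < $n; $i++) {
        if (!is_array($tokens[$i])) {
            continue; // one-character tokens such as ( ) ; = [ ]
        }
        [$id, $text, $line] = $tokens[$i];
        if ($id === T_VARIABLE) {
            $report['variables'][$text] = ($report['variables'][$text] ?? 0) + 1;
            // "$x = $_POST[...]" or "$x .= $_REQUEST[...]": the token before is = or .=
            $prev = $neighbour($i - 1, -1);
            if (in_array($text, $superglobals, true)
                && ($prev === '=' || (is_array($prev) && $prev[0] === T_CONCAT_EQUAL))) {
                $report['superglobal_assignments'][] = "line $line: $text";
            }
        } elseif ($id === T_STRING && in_array(strtolower($text), ['var_dump', 'print_r'], true)
            && $neighbour($i + 1, 1) === '(') { // a real call, not the word inside a string
            $report['debug_calls'][] = "line $line: $text()";
        }
    }
    // the "variables only used once" count from the slides
    $report['used_once'] = array_keys(array_filter($report['variables'], fn ($c) => $c === 1));
    return $report;
}
// constructed sample: the commented-out line is what grep reports and the tokenizer ignores
$sample = <<<'PHP'
<?php
// $old = $_POST['x'];
$name = $_POST['name'];
$query .= $_REQUEST['c'];
$label = 'var_dump($name)';
var_dump($name);
PHP;
print_r(auditPhpCode($sample));
```

Running it reports the assignments on lines 3 and 4, the var_dump() call on line 6, and $_POST, $query, $_REQUEST and $label as used once; neither the comment nor the single-quoted string is counted.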
VLD
Vulcan Logic Disassembler
Tokenizer, but worse
xDebug
Great for execution time
Error handler (great for PHP 4->5)
PHP is dynamic: tough on vars
Require automated browsing
Tools
PHP error reporting (E_STRICT)
PHP Code Sniffer (PEAR)
PHP Mess detector (PHP Unit)
phpCallGraph
Managing the finds
Count every value of previous searches
every night / every commit
Graph it and act upon changes
phpUnderControl (.org)
Progressive implementation
Set up your reference
Organize a few tests
Graph them, and act upon violation
When 0 (or stable), add extra tests
Organizing teams
Set up code cross-reviews
Have developers teamed up in pairs
Each one reviews the other's code
Every one has the same reference
Google mondriantool
Organizing teams
It distributes the reviews among developers
not team lead, not current hierarchy
Seniors can take on juniors or recent employees
Both might benefit
Works even under load