Is it worth making a CMS from scratch? [closed] - php

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
I am about halfway through coding my own PHP Content Management System from scratch, but now I am nearing the end of coding new features and making it look good and am now being faced with the big issue of security. I know little about the security side of PHP except the fact that it is very vulnerable with SQL injection etc. Let's just say my website was going to have loads of user generated content and be like Facebook, is that something one person could secure by themselves or am I better off paying someone to do it for me? If so, anyone know how much that would cost?
Any feedback would be greatly appreciated.
Update:
Any opinions on http://www.incapsula.com ?

With so many mature PHP CMS systems available, the only reasons I can think of for writing one of your own would be as an exercise (to learn something), as a challenge (to see if you could), or if you needed some specific feature that the existing ones didn't have. Even if you did want a special feature, I'd still look at extending an existing CMS rather than writing one from scratch - many of them cater for modules and / or plug-ins.

Pros:
It is fun to build your own CMS.
You will learn a lot. It might be the best way to learn PHP, since you will have to deal with a lot of different aspects of it.
Cons:
Your first CMS will always have a "funny" design.
You will have bugs and security holes (but most of the time, people will not notice the security holes). ;)
You will have to spend (much) more time on your CMS than what it would take to build the site with an existing CMS.
Conclusion:
Of course you should build your own CMS! You are not a real PHP programmer if you have never built your own CMS.

Is it worth it?
Completely up to you. I'd say it depends on what your goals are with this CMS (generating revenue, just for fun, etc.). It's nice to be able to show someone and say "I made that from nothing!"
The only start up costs would be your domain name and monthly web hosting (unless you hire people.) $1.18 annual for a GoDaddy domain, $8 for HostMonster hosting.
Security's a big issue yes, but maybe that shouldn't be the deciding point in doing what you want or not. There's a lot of documentation on Stack Overflow and others regarding the subject that could help you.
I've recently created a CMS from scratch with no prior knowledge of anything beyond basic HTML. It's rewarding in many ways and you may even find yourself going down a programming career path.

I think it'd be better to learn how to protect your system. Securing PHP systems is actually not that big a deal, considering you were able to code your system from scratch.
Just remember, to prevent SQL injection: always escape user input entered to the database, mysql_real_escape_string() usually does the job. And use htmlentities() before displaying the content in HTML pages.
Read on securing your PHP and you'll save yourself the trouble of paying someone to do it, plus it'll help on other projects.
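An added example, not part of the answer above or of any project on this page: the two defences it names, written with PDO prepared statements instead of mysql_real_escape_string() (the mysql_* extension was removed in PHP 7.0) and htmlspecialchars() in place of htmlentities(). The in-memory SQLite database, the posts table and the function names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example with constructed data; an in-memory SQLite database keeps it offline.
// Table, column and function names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

/** Store a post. Values travel as bound parameters, never as part of the SQL text. */
function savePost(PDO $pdo, string $author, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

/** Fetch posts for one author; the author string can only ever be compared as data. */
function postsByAuthor(PDO $pdo, string $author): array
{
    $stmt = $pdo->prepare('SELECT author, body FROM posts WHERE author = :author ORDER BY id');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Escape for an HTML text or quoted-attribute context, at output time. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render rows as a list; every database value is escaped where it meets HTML. */
function renderPosts(array $rows): string
{
    $items = '';
    foreach ($rows as $row) {
        $items .= sprintf("  <li><strong>%s</strong>: %s</li>\n", e($row['author']), e($row['body']));
    }
    return "<ul>\n" . $items . "</ul>\n";
}

// Constructed input: a name containing a quote and a body containing markup.
savePost($pdo, "O'Brien", '<script>alert(1)</script>');
savePost($pdo, 'alice', 'Plain text & an ampersand');

// The raw value is stored unchanged; escaping is applied on output, not on input.
echo renderPosts(postsByAuthor($pdo, "O'Brien"));

// A lookup string shaped like an injection attempt matches no author, because
// it is compared as a literal value instead of being parsed as SQL.
$rows = postsByAuthor($pdo, "x' OR '1'='1");
printf("rows for injection-shaped author: %d\n", count($rows));
```

Storing the raw value and escaping only where it is written into HTML keeps the database usable for other output contexts (JSON, e-mail, CSV), each of which needs its own encoding.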

Trust nobody - especially anonymous people! Therefore inject into your major asset some safe data. Seems a rather wise strategy.
Why make your own CMS? Drupal, WordPress, Joomla might do with some tweaks?!

Yes it is worth making a CMS from scratch. Because you have/only have the features that you only need. Which makes the script less extensive and fit your needs like an Armani suit. Let's consider WordPress as an example, when your site gets terribly big you would need to terribly tweak it. It has a lot of features, and some of them you might not need. The pro of using already-available ones is the community finds the script's bugs/holes for you and all you need to do is just update the script.
As for the security part, you can try to find the holes by yourself or hire someone of which their rates may vary. But you might not want to entrust your script to others unless they're trustworthy.

Related

Is it better to learn basic php and work in real time project or learn core php? [closed]

Closed 10 years ago.
One of my freelancer friends works with WordPress; he knows basic PHP, but does not work in core PHP programming. During his work he takes sample code from Google and then edits that code and uses it on his client project. It always works and he says he could understand most of the language. Because he works at a basic level of C, C++, Java, HTML, CSS, PHP. His motto is -- work and learn though it takes much time.
On the other hand, another friend of mine learns PHP from the very basics and wants to be a core programmer. His motto is -- first learn then work with less time.
I am just confused about what I can do. If everything is possible from Google after learning basic PHP, then why should I learn PHP very deeply? Is it good to code myself when all types of code are available on the internet?
I think that skill level is tied to compensation. The better skills you have, the more valuable you are. A lot more people can take some PHP code off the Internet, change it up and make something work. However, a lot fewer people can build an architecturally sound and solid software solution to some problem.
It all depends on what you want, if you want to be a top notch software developer, then you should have an attitude of one and try to improve all the time. If you want to get by and make some money tweaking WordPress sites, fine. A lot of people do fine with that.
I am not exactly sure what kind of answer you are expecting, but I can tell you this:
I have been working for more than 10 years as a programmer, and I am STILL learning every day with every new project, and even though Google is a great help and the kind of info you get there is just incredible, it still doesn't replace your own knowledge and programming skills. Every example you can find on Google will still need tweaking and that is where you will NEED to know what you are doing.
I think the point is this: If you are going to work making small websites, charging $10 / hour and just doing basic contact, signup and data forms, then forget about learning php deeply, your friend is right to learn as he goes. And in this case, you should dedicate your time to learn other very important skills like databases, SEO, mobile compatibility, etc, those will give you a greater opportunity to get more customers and projects.
However, if you intend to become a serious programmer and work in large projects, charging 3 or 4 times that amount, then forget about small websites and learn deep programming logic that you can apply in any kind of language or situation.
In the end, there is no right or wrong path, it just depends on your own goals and needs.
I'm using Drupal a lot right now for large e-commerce websites that connect to in-store POS systems. There is no way I would be able to just take code from Google to create these websites. Sure, I can "borrow" simple snippets from documentation; however, on a professional project... this doesn't get you far.
If you want to create an unsecured website, waste 90% of your time on simple bugs that someone with basic knowledge could fix instantly... then sure go the lazy route.
It depends on your objective. If your objective is to "learn PHP", then you should definitely learn how to use the language, etc. That way you can make things on your own, rather than having to google things on how to do it.
Googling for solutions is okay as well, however, if you don't know how the code runs, or understand how it works, you won't be able to change it on your own to make it work with what you are trying to do. That is the benefit of understanding the language; you can take existing code, and modify it to make it better or work for you.
To apply correct solutions you need to understand how they work, and what the limits are for the particular solution, and be able to adapt such a solution to the problem. It is like building from cubes - when you are a child, you need only basic gravitation rules, but if you want to build a really big tower from the same cubes you need to know more physics and maths, and possibly to choose other construction units.

Javascript, php, HTML and CSS what next [closed]

Closed 10 years ago.
I just now completed JavaScript in 24 Hours; now I want to move on to advanced JavaScript. Can someone suggest advanced JavaScript books? I am pretty well versed in HTML and CSS and a novice at PHP. Me and my friend are planning to create a website (think of it as a social networking site for college or something similar to that), so what should I learn to do that? Are PHP, JS and HTML enough? Can you suggest books for this? Thank you
24 hours isn't enough to fully understand any language beyond its syntax and how to accomplish some basic tasks. Before tackling a large social networking project, try to make smaller, simpler programs or layouts.
To fully realize your social network, you'll need to know PHP (or Ruby, or Python, or C++ if you're crazy), HTML, probably JS, and some sort of data store; usually an SQL implementation or one of the newer NoSQL databases. It's not something you can throw together in a week or a month unless you really know what you're doing.
Start small, with a blog or a forum engine. That alone will take weeks. Then work your way up.
I would suggest you learn some security in PHP, like SQL injection and XSS. If you are familiar with them, then you should learn some Ajax with JavaScript and jQuery. It will be very helpful for providing interactivity like Facebook.
Quoting the advice from Gordon
if you want to become an expert programmer, google SOLID, buy GOF, buy POEAA, buy Clean Code, lookup GRASP, DDD, CQRS, DCI … but don't ask for PHP books. That's the most reasonable suggestion I can give you when you ask for Expert PHP books really.
maybe start here: ustream.tv/recorded/22783515
And you have just got the overview of the language ... no one can be perfect in 24 hours; I think even Jon Skeet can't do that, so you need to learn for at least 2 months to get a good or OK level of knowledge.
And also there are levels of website: if you want to make a website for a college which might not have many features, you can do this with some knowledge of PHP, HTML, JS, Ajax and basic databases, but if you want to make an eCommerce website or a website like so working then you need the highest level of knowledge.
It depends on what kind of website you're trying to develop.
If you are looking for a highly interactive modern website, I would really suggest learning Flash, ActionScript, and continuing on JavaScript. Taking a good look into HTML standards and animation would also be extremely useful.
If you are looking for how to make an e-commerce website or something similar, improve your knowledge on PHP. Ajax in JavaScript is also extremely useful, as you don't want your customers waiting forever if you have a slow connection. SQL, along with some kind of database engine (I'd suggest MySQL) is mandatory, or your users can't buy anything. But that's far down the track.
I think most websites split into those two categories.
But then again, some beforehand practice is definitely needed. No book on sale, as far as I'm concerned, will give you enough knowledge to build your own good website straight up. It takes experience, and not just of coding, but more of the study of user friendliness and what makes up that.
Really depends on what you need. ;)
Learn Web Security. Start with the book Essential PHP Security. Then check out the question What should every programmer know about web development on programmers.stackexchange.
I'd suggest you first read this post in Stack Exchange Programmers:
https://softwareengineering.stackexchange.com/questions/46716/what-should-every-programmer-know-about-web-development
It is a very similar question to yours, and has many helpful answers.

Why develop websites using PHP frameworks or open source product? [closed]

Closed 12 years ago.
Nowadays most PHP web development companies use PHP frameworks or open source products for developing websites, but is that the right approach? If so, what will happen to the PHP programmer's skill and knowledge?
Don’t you think using approaches such as “PHP frameworks or open source modification” will kill the programmer's skill over time? Is it really worth it that a website developer becomes a better PHP framework writer instead of being a better PHP programmer?
I absolutely have to disagree here. When I started programming, it was PHP and I had no clue what I did. I wrote everything myself and had no will to even look at a framework. I spent way too much time on work that repeated again and again.
Frameworks are one of the most useful tools IMO (not only web frameworks)
They speed up development in lots of ways
Looking at the sources, I learnt more about good practices, design decisions, directions to think to
Taking bits and pieces of the framework and use it in other apps where the use of a framework is not possible
They help you focus more on your work (MVC, DRY, KISS, ...) instead of fiddling around with the basic
Most established frameworks have a huge user-base and are very well tested.
I think looking at other code helps you be better and more efficient over time. SO is a very good example of this.
Using a framework doesn't make you a weaker programmer, otherwise I could argue you should write your next web app in assembler, not much fun.
A framework should be thought of more like an extension to a language, a DSL if you like. For example CakePHP is just PHP with extra cool-stuff that makes handling databases and sessions "cake" - excuse the pun.
By using a framework you take the 'yuk' out of programming, and allow yourself to treat data as objects, for example.
If you still feel you shouldn't use a framework, then write one, then use it! By this reasoning you should also go and rewrite the PHP libraries and interpreter, however I don't recommend it.
In my opinion, I don't think frameworks "kill the skills" at all, instead they allow skills and more creative workflows to develop, which ultimately leads to enhanced skill. Also, the understanding of how large scale applications are developed is increased with effective use of well developed frameworks, which is definitely a big plus in the end too.
It allows applications to be developed more quickly and efficiently; and the end result is what matters. If you write PHP and don't know assembly, it doesn't mean you've lost your skill - you've simply focused on a higher level of technological progress in this modern age.
I think it's important to know some of the underlying concepts, such as creating and interacting with databases, OOP, design patterns. Frameworks can introduce you to these concepts without making you learn everything at once. They also have the advantage of several thousand hours of development time already invested, a community of testers and bug fixers, etc.
Anecdotally, you hear stories of people starting with a framework and slowly replacing parts of it as they optimize sections of their site. They distill the framework's operations down to their specific requirements. You can't take this route if you aren't a strong programmer.
Frameworks allow you to do work without reinventing the wheel. And the people working on this framework are probably a lot smarter than you, and they have spent a lot more time thinking about the code.
At the end of the day, it's about getting things done. Any given individual may be more productive with a third-party framework, or without. But a framework is the conclusion of any large project, whether you end up creating it yourself or you rely on the work of others.
To work on PHP based framework, you need to be a better PHP programmer.
so, your skill level will increase and it will not decrease...to tell with an example.
We can start writing all the program in assembly language, why do we use high level language...? If you find the answer for this, then you will get the answer for this problem too. :-)

interview assignment [closed]

Closed 11 years ago.
My company is looking for a new web developer and we are eager to find someone that would be efficient as soon as hired and capable of making quality code. I will have to take the interviews and I would like to give them an assignment, so I can see
their general programming skills
if they are able to use CSS
the general quality of what they produce
and probably so much more
The only problem is I don't have good ideas of what to give to them. Some of the candidates would probably be working in some other company so it should be something like 8 hours work at maximum (like one weekend) but it should be complicated enough to show their skills.
So far I was thinking:
a contact manager
a CD/BOOK manager
a blog ?
Guys, if you have some ideas or opinions, please share!
Also the assignment would be in PHP using the Zend Framework, so it has to take into account that candidates might not be so experienced with the framework.
I don't think you should give them such a long "test". In my opinion if you want to do something like this, make it a simple 5-20 minute application. Perhaps a small address book manager that stores name/number and maybe 1-2 other fields. But nothing too complicated. And tell them that it only needs simple styling to look "ok" but nothing fancy is required. If it were me, I really wouldn't want to do "homework" for an interview.
I'm an experienced software developer who would fit your description, and I'd walk away from the interview the moment I was asked to do any unpaid work that would take more than an hour. Only the desperate and/or inexperienced are going to bite on something like that, and neither of them are going to be able to immediately contribute on your project.
Ask them to send a code sample
If they don't have a code sample they've cleared with previous employers, ask for a personal code sample
Google them and find the kind of stuff they've produced vs. what they've sent you
Ask for a technical reference, and ask the reference what kind of work they've produced
Hire them on a contract-to-perm/part-time contingency basis. If, after two weeks, they're not living up to your expectations, end the contract with no hard feelings either way.
I don't think many of these answers are from the employer side of the relationship. Writing a function on a whiteboard gives me a tiny glance at someone's potential, and essentially no real picture of efficiency. There's always a chance that they've memorized a really cool way to reverse a string in place and remove duplicates from a list and count the bits in a byte because those questions are all over the internet.
I've had interviews with people that turned out to be nothing but posers (I guess liars would be a better term for it), so I think it's incredibly important to have some kind of tangible piece of work. I'm not saying 8 hours, but it gives you a few better hints:
How is it packaged - a zip with a build? Or a text file pasted into an email.
Is there any documentation?
Is there a sensible algorithm or is it brute force?
Are there objects or is it a whole mess of static gunk in one class?
We're hiring Software Developers that need to be able to design as well as code -- the probation period should not be the first time a person writes more than a method for you - by the time an ass is in a seat, you've spent a lot of money just to find out they get lost trying to write a method with business value.
I'll admit that people can fake it on assignments (this is usually, but not always, pretty easy to flush out in a post-assignment interview), I've had far more success hiring people with good code assignments than hiring people with a great resume and great interview.
If the job isn't important enough for someone to spend a couple hours writing some code (which we ostensibly love to do anyway, right?), then I'm glad they wouldn't do it, because I wouldn't hire them.
It would probably be better to have them write some code on a white-board in person than a take home assignment. You can learn a lot more about the candidate that way, such as how efficiently he/she solves problems and thought process.
Giving them a take home assignment doesn't really give you a clue as to how efficient they are. You could have two candidates, both of whom turn in the exact same thing, yet one of them did it twice as fast. You would have no way of knowing.
I have to agree with the other answers: if an interviewer asked me to do a take home assignment that was too long, I wouldn't do it.
As others have written, asking people to do so much work for free is insulting.
Assuming you can find some victims, how confident are you that you would be able to objectively establish which one produced a better finished article?
Why are you so obsessed about the Zend framework? I would much rather employ someone with a solid understanding of programming, good problem solving and communication skills than someone who can only demonstrate competence with a very specific set of tools - presumably tools where you already have a strong skills base.
Indeed one of the things I look for in candidates is what new knowledge and interpretation they can bring and how it might complement the existing team. I would even value good knowledge of procedural, OO and non-procedural programming alongside knowledge of HTTP over specific skills in PHP.
When I interviewed candidates for PHP programming posts, I had a carefully prepared PHP script (about 1 page full) which was lousy with bugs and bad style (using register globals, calls to header after output started, functions which are not called, using numbered instead of associative arrays, function args in the wrong order, using computationally expensive functions when simpler ones would have sufficed....) which only used common PHP function calls and gave them 30 minutes (with access to an internet connected computer) to identify what was wrong with it.
This also meant that they could carry out the test in controlled conditions.
I would hope it was evident to the candidates that this was exclusively a test of their abilities rather than anything I might profit from - and debugging code is a lot harder than writing code.
C.

Why is WordPress considered to be poorly programmed? [closed]

Closed 10 years ago.
I'm not a fan of PHP or spaghetti code, or anything like that, but in my experience WordPress works amazingly well, it's well organized, and I've never come across any hard to understand code. The documentation is incredibly thorough, any security flaws are fixed within seconds, and it "just works". Not to mention that it does EVERYTHING, and it has an awesome plug-in system. Oh, and "the Loop" is awesome. I've never had any problems doing simple modifications to the code or to themes.
Can you guys give any specific examples of what you don't like about it, or what you would have programmed differently? I just don't understand why it gets such a bad rap. I wish my own software worked as well and had as many features and looked as nice.
I'm a fan of WordPress, but there are definitely issues that impede coders trying to work with it. As a small example, there's get_the_content() (returns) and the_content() (prints), but there's get_permalink() and the_permalink(). Then, there's just the_date(), because it accepts an argument indicating whether you want it to print or return. This kind of thing drives even an experienced WP person up the wall, because you've always got to be Googling the usage - and it speaks to a deeper lack of attention to detail in the code.
Another glaring issue is the lack of built-in caching. It even used to have it, but they ripped it out and never replaced it. You shouldn't need a third-party plugin to have basic caching in a system like WordPress, particularly with all the other bells and whistles it builds in.
To paraphrase (supposedly) Churchill, though, "WordPress is the worst blogging system... except for all the others".
I've written many custom applications in PHP/MySQL over the years - from tiny to huge. Not having taken the time to learn the details of WordPress, I find it very frustrating to work with (under the hood).
Subjectively:
Very poor naming conventions
Execution flow is bizarre
General lack of organization
Hard to audit what happens when
etc...
Their concepts of usability are great, and support for plugins is also great. I'd just love to see the system re-engineered with those principles, but with a disciplined and clear development methodology.
I'm sure the next guy would say "no it isn't, bla bla bla", but that is just my opinion after bumping into it (hosting, modifying) about 3 times.
It's a subjective question for sure. From experience I've noticed WP takes way, way more server resources than other systems or my custom code. I've had to move WP sites off my servers as a consequence. So my experience suggests there are some memory use issues.
As an exercise try going through the code, tracing the logic from the start of a request to a page, and look at how many objects are loaded, how many methods are called before any HTML is output.
Apart from what's been mentioned already:
No sane templating system. All those years and they still have PHP code intertwined with HTML, and default templates that have no support for i18n or l10n whatsoever (hard-coded strings, hard-coded date formats, etc.).
Multiple entry points - maybe it's just me, but it's annoying. Especially when some of those are way too big.
When you have to be sure of a statement that is made by "everyone", the thing to do, if you can, is to check it for yourself.
And you can do something in your statement: just read the WordPress source code. Some modules are good, some are a mess, some others are just normal. But all of them compose a great blog system that is used by thousands of people around the world who are more interested in writing good stuff instead of complaining about "how ugly" a particular piece of source code is. In summary, the WordPress creators have a shippable product that is useful.
In the end, it doesn't matter. If you want a perfect blog system, you can always write one yourself.
Can you guys give any specific examples of what you don't like about it, or what you would have programmed differently?
I would have added more comments.
On a separate note, the most recent version of WordPress introduced a labyrinthine piece of code that denies access to pages that:
1. Aren't in a menu or submenu
2. Aren't in the $_registered_pages variable.
A lot of plugins for earlier versions of WordPress have been broken by this new security measure.
Finally, sessions. WordPress does its very best to get out of your way by handling all its session data in a separate manner from PHP's built-in $_SESSION variable, but it doesn't give you the option of starting the PHP session; you have to add that to the core program yourself. I haven't found documentation that would allow us WP hackers and plugin writers to take advantage of the pre-existing WP session yet, either.
