Getting started in PHP can be a daunting experience. With that in mind, these 20 tips will teach you how to follow best practices, and save lives…kitty lives.

0. Program as Often as You Possibly Can

Programming often and with purpose will make the lessons you learn stick.

Did you study a foreign language in school? Studied all the parts of speech, learned the verbs and how to conjugate them, followed along as your teacher said common phrases?

How much of that language do you still speak?

If you’re answer is, “none,” I’m willing to bet it’s due to the fact that you never actually used the language — you only studied it. But if you can still hold up a conversation, it’s likely because you actually spent some time speaking that language outside of the learning environment. Perhaps you spent a year abroad, or worked a job where a second language was necessary?

Whatever the reason, you retained it because you used it in real-life situations and put it into a personal context that is much easier to recall later.

PHP is a foreign language, just like Spanish or French. In order to become comfortable with it, you need to use it outside of the classroom setting. Tutorials and sample projects are great for teaching the fundamentals, but unless you’re applying those concepts to your own projects, it will be much more difficult to apply those fundamentals in context and burn them into your memory.

So, don’t worry that you “don’t know enough” to build a project. When you choose your project, you have a valid reason to research and implement a concept. Programming often and with purpose will make the lessons you learn stick.

1. Get Familiar with the PHP Manual

Every list of tips for beginners has this tip, and for good reason.

Learning to navigate the PHP documentation is the single most useful thing you can do for yourself as a programmer.

If you look in my browser history at the sites I most often visit, the PHP manual will be right at the top. I don’t suspect that will change for as long as PHP remains my programming language of choice.

At first, the manual does look rather daunting — it doesn’t seem to be particularly easy to browse, and the navigation can be a bit awkward at times. However, you’ll get the hang of it quickly.

Perhaps the best thing to know about the PHP manual is that most functions can be looked up using the pattern http://php.net/function-name in your address bar. For example, to look up the strpos() function, use http://php.net/strpos, and for array_key_exists(), use http://php.net/array-key-exists. (NOTE: pay attention to the omission of parentheses and the substitution of hyphens (-) for the underscore (_) in the address.)

1a. Read the Comments!

It’s easy to overlook the comments, but do yourself a favor and have a look through them. If you’re getting an unexpected result from a function, chances are someone has spotted it and explained it in the comments.

You can also pick up a plethora of great tips and ideas from the developer community by reading through comments.

2. Take Advantage of the Huge Online PHP Community

In addition to the PHP manual, there are wonderful developer communities all over the internet. Some of my personal favorites include StackOverflow.com and the W3Schools.com forum.

Additionally, Twitter is a surprisingly excellent place to post PHP questions. If you tag a tweet with #PHP, it’s likely someone in the community will spot it and lend a hand.

A Note About Twitter: Of course, anything that’s useful will inevitably be overrun with spammers and those sorry individuals who deeply misunderstood the purpose of social media. If you’re going to use Twitter as a support network, you’ll probably want to routinely block or hide the accounts which spew job postings or retweet everything that mentions PHP.

Just remember: as you get better, please try to pay it forward. The development community needs everyone to pitch in, and it won’t be long before you’ll have the ability to answer questions for other beginners. Don’t turn a deaf ear.

3. Don’t Put Off Best Practices for Later

As you’re learning, you’re going to hear a lot about “best practices” in programming; stuff like prepared statements and PEAR coding standards.

Do not put off learning this stuff because it seems hard.

If something is a best practice, it’s not because we (meaning other PHP developers) got together and said, “How can we make life harder for the noobs?”

Best practices exist to keep your scripts secure, fast, and manageable. Learn them as early as you can. In fact, don’t even bother learning the wrong way.

It takes just about the exact same amount of learning to figure out mysql_query() as it does to learn PDO or MySQLi. So if you start with your choice of the latter two, you’re starting with a strong foundation in database interaction and, really, you’ve put in less overall effort.

4. Don’t Put Off Best Practices for Later!

I just wanted to make sure you saw this.

Seriously, folks. Don’t take shortcuts. Every time you violate best practices because the right way seems “too hard,” BP dips a kitten in crude oil.

So if you won’t do it for yourself, your projects, your peers, or the advancement of the community at large, at least consider the kittens.

5. Make Code Self-Documenting

If you need to squeeze characters off your variable names to shave .2ms off your script’s execution time, there’s likely a whole different problem going on.

It’s tempting, early on, to be “clever” with your variable and function names. Maybe you read an article about performance, or saw a code snippet that accomplished a ton of work in two lines of code. Maybe you want to create your own “signature style” of coding. Maybe you just heard that I hate it and you wanted to piss me off.

Whatever your temptation, resist it at all costs.

Consider the following snippet of code:

1
2
3
4
5
6
7
8
9
10
11
12
13

<?php
 
 $a = b('jason.lengstorf@copterlabs.com');
 
 $c = explode('@', $a);
 
 $d = $c[1];
 
 echo 'The email address ', $a, ' belongs to the domain ', $d, '.';
 
 function b($e) { return htmlentities($e, ENT_QUOTES); }
 
?>

Does that make any sense to you?

Of course, you can figure out what it does, but why force anyone trying to work in your code to spend the extra 1-5 minutes scratching his head, trying to remember what $c is storing.

So let’s take that code and make it self-documenting:

1
2
3
4
5
6
7
8
9
10
11
12
13

<?php
 
 $email = sanitize_string('support@google.com');
 
 $email_pieces = explode('@', $email);
 
 $domain = $email_pieces[1];
 
 echo 'The email address ', $email, ' belongs to the domain ', $domain, '.';
 
 function sanitize_string($string) { return htmlentities($string, ENT_QUOTES); }
 
?>

There. Much better. Now, just by glancing at the code, you can get the general idea of what’s going on. No head-scratching, no muttered curses, and most importantly, no real difference.

Sure, you save a few bytes with short variable names. But, honestly, if you need to squeeze characters off your variable names to shave .2ms off your script’s execution time, there’s likely a whole different problem going on.

6. Add a Comment to Anything You Had to Think About

Comments are the sign of a competent programmer.

Comments are not the sign of a novice. In fact, as I see more and more code that’s not mine, I’m starting to think that comments are the sign of a competent programmer, as they seem to be the only ones doing it.

If your code is self-documenting, you won’t require too many comments. However, no matter how clear your variable and function names are, you’ll always have spots where the action taken simply isn’t that obvious.

When that happens, slap a comment in there. “Future You” will give “Present You” a high five when the time comes to update the script.

As a rule of thumb, if you had to stop and think for a few seconds about what needed to happen to make the script work properly, it’s probably a good spot for a quick note.

Consider the following:

1
2

$pieces = explode('.', $image_name);
$extension = array_pop($pieces);

What does that do? Did you have to stop and think about it? Do you still not know for sure what’s stored in $extension?

Look at that snippet again, but with one quick comment:

1
2

// Get the extension off the image filename
$pieces = explode('.', $image_name); $extension = array_pop($pieces);

Now, even if you don’t know how or why that code works, you at least know that $extension refers specifically to an image extension. If that saves “Future You” or another developer five seconds of processing the script’s intent, it was well worth your ten seconds of effort to add the comment in the first place.

As with most things, moderation is key. Too few comments and you risk leaving the next developer (or Future You) puzzled by a code snippet, which can even lead to accidental breaking of code because the solution, without explanation, might look silly or superfluous. Too many and it becomes too difficult to scan through your code, which is equally frustrating.

Moderation is key.

7. Learn Docblock and Use It

If I could be sure every developer in the world would do one thing with absolute consistency, I think it would be the use of the Docblock commenting standard.

I have a few reasons for my strong support of Docblock:

1. It requires one to think about the what and why for each file, function, method, and so on.
2. It gives a clear description of the expected types for parameters and return values in functions/methods
3. It provides a quick description of what the code does
4. When coupled with one of the many IDEs that support Docblock, it creates code hinting (which allows you to see a description and expected parameters/return values for the method or function you’re using)

This tip does border on the upper level of beginner, but I group this under “best practices to be learned as quickly as possible.” Feel free to skip it, but before you do, think about the kittens.

Docblock shows its versatility best when used to document a class:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

/**
 * A simple class to get the sum or difference of $_foo and a value
 *
 * @author Pat Herlihy
 * @copyright 2011 Pat Herlihy
 * @license http://www.opensource.org/licenses/mit-license.html
*/ 
 
class Pat_Test
{
 
 /**
  * The value to use in addition and subtraction
  * @var int
 */
 private $_foo = 0;
 
 /**
  * Adds a value to $_foo and returns the sum *
  * @param int $add_me The value to add to $_foo
  * @return int The sum of $_foo and $add_me
*/
public function add_to_foo( $add_me=0 )
{
  return $this->_foo += $add_me;
}
 
 /**
  * Subtracts a value from $_foo and returns the difference
  * @param int $subtract_me The value to subtract from $_foo
  * @return int The difference of $_foo and $subtract_me
*/
public function subtract_from_foo( $subtract_me=0 )
{
  return $this->_foo -= $subtract_me;
}
 
}

At first it might look overwhelming, but the benefits are very much worth taking the time to familiarize yourself with the syntax.

8. Don’t Be Too Hardcore to Use an IDE

If you don’t already know the type, you will soon: the developers who think real programmers don’t use IDEs.

Now, look: if you want to impress people, learn to juggle. Refusing to use anything but Emacs in the command line to write scripts will not get you chicks or grant you instant hacker status; it will, however, hang a sign on your forehead warning your coworkers that you are, in fact, That Guy.

Don’t be That Guy.

There is nothing wrong with using software to give you on-the-fly syntax highlighting, error-checking, and code hints.

How in-depth your IDE goes is entirely up to you. Personally, I really like Netbeans. I’ve heard tons of praise for Coda for Mac (though it’s not really an IDE), and I previously used Eclipse before moving to Netbeans.

Whatever IDE you choose, you’ll see your coding speed increase and your facepalm-worthy bugs decrease. Further, as you expand your code library, you’ll have code hinting for all of your custom software. (Because you’re using Docblock, right? Right?!)

Don’t think IDEs are uncool — no matter what “That Guy” tries to tell you.

9. Group Common Code Into Functions

If you see an action repeated, it’s time to strongly consider moving that code into a function.

When you first start programming, it’s easy to start at the top of the page and work down, adding each piece of code right where it’s needed.

However, when you code this way, you’ll begin to notice that certain pieces of code are appearing over and over again. This is a minefield when it comes to maintenance and upgrades, because you have to hunt through each file for every occurrence of that action to change its functionality.

If you see an action repeated, even if it’s only twice, it’s time to strongly consider moving that code into a function.

Consider the following for example:

1
2
3
4
5
6
7
8
9
10
11
12
13

$unclean1 = '<a href="javascript:alert(\'Holy Crap!\');">Click Me!</a>';
 
$detagged1 = strip_tags($unclean1);
$deslashed1 = stripslashes($detagged1);
$clean1 = htmlentities($deslashed1, ENT_QUOTES, 'UTF-8');
 
$unclean2 = "Let's call Björn!";
 
$detagged2 = strip_tags($unclean2);
$deslashed2 = stripslashes($detagged2);
$clean2 = htmlentities($deslashed2, ENT_QUOTES, 'UTF-8');
 
echo $clean1, "<br />", $clean2;

As you can see, both of those strings required a few steps before they could be considered safe to use. However, you’ll also notice that those same steps could be considered necessary for every bit of information that is passed to the script.

This is an instance where using a function instead is far more desirable:

1
2
3
4
5
6
7
8
9
10
11
12
13

$unclean1 = '<a href="javascript:alert(\'Holy Crap!\');">Click Me!</a>'; $unclean2 = "Let's call Björn!";
 
$clean1 = sanitize_input($unclean1);
$clean2 = sanitize_input($unclean2);
 
echo $clean1, "<br />", $clean2;
 
function sanitize_input( $input )
{
  $detagged = strip_tags($input);
  $deslashed = stripslashes($detagged);
  return htmlentities($deslashed, ENT_QUOTES, 'UTF-8');
}

By wrapping the common code in a function, it’s a bit easier to see what’s going on, and it’s much easier to edit the steps you want to take when sanitizing your input.

10. Group Related Functions Into Classes

Getting a handle on OOP is another one of those things that I file under “best practices to learn as quickly as possible.”

If you have a handful of functions that all deal with database actions, you can save yourself a lot of time and effort by grouping them into classes.

Learning object-oriented programming is definitely outside the scope of this list, but I felt it was definitely worth mentioning in this beginners’ list.

11. Use Constants, Not Globals

PHP allows you to define your own constants with the function define().

When I first started programming on larger projects, I found myself using global variables more often than seemed necessary or reasonable. Admitting you have a problem is the first step.

I was storing things like application-wide data (such as the site’s name or the maximum image width) and database credentials in variables, and I found myself required to use the $GLOBALS superglobal to access this information.

Then I realized PHP allows you to define your own constants with the function define().

A constant is a great way to store information like the aforementioned app-wide data and database info. An additional bonus is that it can’t be modified, so you can’t accidentally overwrite your database password somewhere later in the script.

As a matter of best practices, the use of globals is generally discouraged to begin with, so the use of constants is preferred anyways. Review the following code for an example and see for yourself:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

<?php
 
define('FOO', 'constant value');
 
$bar = 'global value';
 
echo baz();
 
function baz()
{
   $constant = ' Constant: ' . FOO;
   $global = 'Global: ' . $GLOBALS['bar'];
 
   return $constant . "<br />\n" . $global;
}
 
?>

12. Don’t Be Afraid to Use Includes

Often, as you’re building larger products, it will make a lot of sense to break it apart into smaller chunks, or include files.

A generally accepted way to look at includes is to put any bit of code that will be used in multiple scripts into an include file (such as your database connection details, the header and footer data that is common across the whole site, utility functions like your input sanitization actions, etc.) so it can be pulled in by the file that needs it, rather than being copy-pasted.

For example, on a site with multiple pages, a standard template may emerge that looks something like this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

<?php
 
// Application-wide data and database connection
require_once 'constants.inc.php';
require_once 'database.inc.php';
 
// Utility functions
require_once 'utilities.inc.php';
 
// Header markup
require_once 'header.inc.php';
 
/* * Page-specific processing goes here */
 
// Footer markup
require_once 'footer.inc.php';
 
?>

13. Don’t Obsess Over Performance

This is a point of near-paralysis for some developers, and it’s really too bad; there is a blurry line between writing efficient code and wasting time trying to squeeze an extra 5ms out of a script’s execution.

Definitely read a few performance articles and learn some of the major pitfalls that can drag your scripts to a slow crawl, but don’t waste extra time refactoring your code to change double quotes to single quotes because you found out it was a tiny fraction faster.

Use your head, avoid the big problems, and keep your ears open, in case a tip you’ve never heard comes along to speed up your code, but don’t make it a race.

No one can tell the difference between a 25ms page load and a 40ms page load. Make sure it’s not 700ms and move on to more important things.

14. Avoid Marrying HTML to Your Scripts

This can be tricky, but do your best to avoid tangling up your HTML markup in your PHP. It’s nearly impossible to get away from it completely, but try to make sure that you don’t include any non-essential HTML markup in your code.

Consider the following:

1

echo '<div class="example-div"><p>This is some test content.</p></div>';

Was it necessary for that code to wrap the paragraph tag in a div? Could it have been modified to only include the paragraph tag that holds the text? Have a look at an alternative solution:

1
2
3

<div class="example-div">
   <?php echo '<p>This is some test content.</p>'; ?>
</div>

Note: This example is grossly oversimplified. Generating HTML with PHP is usually more of an issue when dealing with a complex function or method that organizes a dataset. The point I’m trying to make is that it can sometimes be tempting to include more markup than is necessary in the output.

In most cases you can keep the HTML outside the PHP, which makes things easier to read and, usually, easier to work with as well.

15. Try to Use at Least One Unfamiliar Concept in Every Project

Push yourself outside your comfort zone.

You’re never going to learn if you keep doing the same old thing. Try out a concept that you’re not quite comfortable with on every project you possibly can.

Don’t be over-ambitious, but definitely push yourself outside your comfort zone. It gives you a challenge, saves you from getting bored doing the same old thing over and over again, and forces you to progress as a developer.

Look at the project, find all the bits that you know well (or at least well enough), and then pick an area you’d like to understand. Sign up for it. Then do it.

16. Don’t Be Too Proud to Change

You will be wrong. Frequently. But that’s not a bad thing.

As you improve, you’ll find newer, better solutions to problems that you’ve faced in the past. Don’t feel stupid; you’re learning.

But it’s extremely important that you don’t become attached to the code you write. Don’t think your way is better just because it’s your way. If you happen across a great solution that makes yours look like a Band-Aid on a bullet wound, use it! Pay attention to what’s different and what you did that could have been better. File that away under, “Things I’ve Learned.”

Never allow yourself to believe that an inelegant solution is acceptable because it’s yours. That’s hubris (which, if you’re not aware, doesn’t generally result in happy fun times).

17. Validate

If you’re a web programmer, start becoming familiar with input validation as soon as possible.

Keep in mind: validation is quite different from sanitization.

Input validation is the practice of making sure data matches the format you’ve requested, like checking an email field for a valid email address or ensuring that a submitted username is 8-20 alphanumeric characters.

It can be tedious and a pain in the ass, but making sure that only valid data makes it through your processing scripts will enhance the user experience and avoid a lot of bugs in the scripts that have to use the data later on.

18. Whitelists Instead of Blacklists

If you’re not on top of your blacklist, vulnerabilities appear.

In plenty of situations, you’ll want to block or get rid of certain tags, words, email addresses, or other various bits of data.

A common solution is to use a blacklist: a collection of the tags, terms, etc. that aren’t allowed.

This poses a problem, however; you have to be more clever than the person trying to do something naughty. For instance, in the case of disabling JavaScript in posts, you might blacklist the onclick attribute, as well as most of the event attributes, but what if you forget one? What if a new one is added to the spec sometime in the future?

If you’re not on top of your blacklist, vulnerabilities appear.

However, to save headache later, use a whitelist whenever possible. A whitelist is the opposite of a blacklist: a collection of allowed tags, terms, etc.

For instance, in the strip_tags() function, you can provide a whitelist to specify which tags are allowed in strings:

1

strip_tags($string, '<em><strong><tt>');

Now your problem is most likely going to be that you can actually do less than you wanted, but that’s far safer and usually less of an emergency to handle.

You can’t get away with it in every situation, but saying what is allowed vs. what isn’t will provide you with more confidence and control over your scripts.

19. Learn to Count Like a Computer

Are you looking for tip #20? Remember that in nearly all cases, counts in PHP start at 0, so this is actually the 20th tip. You’ll find this to be the case in most languages; don’t let this one trip you up!

Summary

If you’re a beginner, the tips covered above will help you take great strides toward good habits and best practices. Don’t get overwhelmed if all of this is news to you; take things one step at a time (see tip #15).

Do you have a PHP tip for beginners? An addendum to one of the tips above? A question? Let us know in the comments!

Understanding Object-Oriented Programming

Object-oriented programming is a style of coding that allows developers to group similar tasks into classes. This helps keep code following the tenet “don’t repeat yourself” (DRY) and easy-to-maintain.

“Object-oriented programming is a style of coding that allows developers to group similar tasks into classes.”

One of the major benefits of DRY programming is that, if a piece of information changes in your program, usually only one change is required to update the code. One of the biggest nightmares for developers is maintaining code where data is declared over and over again, meaning any changes to the program become an infinitely more frustrating game of Where’s Waldo? as they hunt for duplicated data and functionality.

OOP is intimidating to a lot of developers because it introduces new syntax and, at a glance, appears to be far more complex than simple procedural, or inline, code. However, upon closer inspection, OOP is actually a very straightforward and ultimately simpler approach to programming.

Understanding Objects and Classes

Before you can get too deep into the finer points of OOP, a basic understanding of the differences between objects and classes is necessary. This section will go over the building blocks of classes, their different capabilities, and some of their uses.

Recognizing the Differences Between Objects and Classes

Photos by Instant Jefferson and John Wardell

“Developers start talking about objects and classes, and they appear to be interchangeable terms. This is not the case, however.”

Right off the bat, there’s confusion in OOP: seasoned developers start talking about objects and classes, and they appear to be interchangeable terms. This is not the case, however, though the difference can be tough to wrap your head around at first.

A class, for example, is like a blueprint for a house. It defines the shape of the house on paper, with relationships between the different parts of the house clearly defined and planned out, even though the house doesn’t exist.

An object, then, is like the actual house built according to that blueprint. The data stored in the object is like the wood, wires, and concrete that compose the house: without being assembled according to the blueprint, it’s just a pile of stuff. However, when it all comes together, it becomes an organized, useful house.

Classes form the structure of data and actions and use that information to build objects. More than one object can be built from the same class at the same time, each one independent of the others. Continuing with our construction analogy, it’s similar to the way an entire subdivision can be built from the same blueprint: 150 different houses that all look the same but have different
families and decorations inside.

Structuring Classes

The syntax to create a class is pretty straightforward: declare a class using the class keyword, followed by the name of the class and a set of curly braces ({}):

1
2
3
4
5
6
7
8

<?php
 
class MyClass
{
    // Class properties and methods go here
}
 
?>

After creating the class, a new class can be instantiated and stored in a variable using the new keyword:

1

$obj = new MyClass;

To see the contents of the class, use var_dump():

1

var_dump($obj);

Try out this process by putting all the preceding code in a new file called test.php in [your local] testing folder:

1
2
3
4
5
6
7
8
9
10
11
12

<?php
 
class MyClass
{
	// Class properties and methods go here
}
 
$obj = new MyClass;
 
var_dump($obj);
 
?>

Load the page in your browser at http://localhost/test.php and the following should display:

1

object(MyClass)#1 (0) { }

In its simplest form, you’ve just completed your first OOP script.

Defining Class Properties

To add data to a class, properties, or class-specific variables, are used. These work exactly like regular variables, except they’re bound to the object and therefore can only be accessed using the object.

To add a property to MyClass, add the following code to your script:

1
2
3
4
5
6
7
8
9
10
11
12

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
}
 
$obj = new MyClass;
 
var_dump($obj);
 
?>

The keyword public determines the visibility of the property, which you’ll learn about a little later in this chapter. Next, the property is named using standard variable syntax, and a value is assigned (though class properties do not need an initial value).

To read this property and output it to the browser, reference the object from which to read and the property to be read:

1

echo $obj->prop1;

Because multiple instances of a class can exist, if the individual object is not referenced, the script would be unable to determine which object to read from. The use of the arrow (->) is an OOP construct that accesses the contained properties and methods of a given object.

Modify the script in test.php to read out the property rather than dumping the whole class by modifying the code as shown:

1
2
3
4
5
6
7
8
9
10
11
12

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
}
 
$obj = new MyClass;
 
echo $obj->prop1; // Output the property
 
?>

Reloading your browser now outputs the following:

1

I'm a class property!

Defining Class Methods

Methods are class-specific functions. Individual actions that an object will be able to perform are defined within the class as methods.

For instance, to create methods that would set and get the value of the class property $prop1, add the following to your code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
 
    public function setProperty($newval)
    {
        $this->prop1 = $newval;
    }
 
    public function getProperty()
    {
        return $this->prop1 . "<br />";
    }
}
 
$obj = new MyClass;
 
echo $obj->prop1;
 
?>

Note — OOP allows objects to reference themselves using $this. When working within a method, use $this in the same way you would use the object name outside the class.

To use these methods, call them just like regular functions, but first, reference the object they belong to. Read the property from MyClass, change its value, and read it out again by making the modifications below:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
 
    public function setProperty($newval)
    {
        $this->prop1 = $newval;
    }
 
    public function getProperty()
    {
        return $this->prop1 . "<br />";
    }
}
 
$obj = new MyClass;
 
echo $obj->getProperty(); // Get the property value
 
$obj->setProperty("I'm a new property value!"); // Set a new one
 
echo $obj->getProperty(); // Read it out again to show the change
 
?>

Reload your browser, and you’ll see the following:

1
2

I'm a class property!
I'm a new property value!

“The power of OOP becomes apparent when using multiple instances of the
same class.”

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
 
    public function setProperty($newval)
    {
        $this->prop1 = $newval;
    }
 
    public function getProperty()
    {
        return $this->prop1 . "<br />";
    }
}
 
// Create two objects
$obj = new MyClass;
$obj2 = new MyClass;
 
// Get the value of $prop1 from both objects
echo $obj->getProperty();
echo $obj2->getProperty();
 
// Set new values for both objects
$obj->setProperty("I'm a new property value!");
$obj2->setProperty("I belong to the second instance!");
 
// Output both objects' $prop1 value
echo $obj->getProperty();
echo $obj2->getProperty();
 
?>

When you load the results in your browser, they read as follows:

1
2
3
4

I'm a class property!
I'm a class property!
I'm a new property value!
I belong to the second instance!

As you can see, OOP keeps objects as separate entities, which makes for easy separation of different pieces of code into small, related bundles.

Magic Methods in OOP

To make the use of objects easier, PHP also provides a number of magic methods, or special methods that are called when certain common actions occur within objects. This allows developers to perform a number of useful tasks with relative ease.

Using Constructors and Destructors

When an object is instantiated, it’s often desirable to set a few things right off the bat. To handle this, PHP provides the magic method __construct(), which is called automatically whenever a new object is
created.

For the purpose of illustrating the concept of constructors, add a constructor to MyClass that will output a message whenever a new instance of the class is created:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
 
    public function __construct()
    {
        echo 'The class "', __CLASS__, '" was initiated!<br />';
    }
 
    public function setProperty($newval)
    {
        $this->prop1 = $newval;
    }
 
    public function getProperty()
    {
        return $this->prop1 . "<br />";
    }
}
 
// Create a new object
$obj = new MyClass;
 
// Get the value of $prop1
echo $obj->getProperty();
 
// Output a message at the end of the file
echo "End of file.<br />";
 
?>

Note — __CLASS__ returns the name of the class in which it is called; this is what is known as a magic constant. There are several available magic constants, which you can read more about in the PHP manual.

Reloading the file in your browser will produce the following result:

1
2
3

The class "MyClass" was initiated!
I'm a class property!
End of file.

To call a function when the object is destroyed, the __destruct() magic method is available. This is useful for class cleanup (closing a database connection, for instance).

Output a message when the object is destroyed by defining the magic method
__destruct() in MyClass:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
 
    public function __construct()
    {
        echo 'The class "', __CLASS__, '" was initiated!<br />';
    }
 
    public function __destruct()
    {
        echo 'The class "', __CLASS__, '" was destroyed.<br />';
    }
 
    public function setProperty($newval)
    {
        $this->prop1 = $newval;
    }
 
    public function getProperty()
    {
        return $this->prop1 . "<br />";
    }
}
 
// Create a new object
$obj = new MyClass;
 
// Get the value of $prop1
echo $obj->getProperty();
 
// Output a message at the end of the file
echo "End of file.<br />";
 
?>

With a destructor defined, reloading the test file results in the following output:

1
2
3
4

The class "MyClass" was initiated!
I'm a class property!
End of file.
The class "MyClass" was destroyed.

“When the end of a file is reached, PHP automatically releases all resources.”

To explicitly trigger the destructor, you can destroy the object using the
function unset():

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
 
    public function __construct()
    {
        echo 'The class "', __CLASS__, '" was initiated!<br />';
    }
 
    public function __destruct()
    {
        echo 'The class "', __CLASS__, '" was destroyed.<br />';
    }
 
    public function setProperty($newval)
    {
        $this->prop1 = $newval;
    }
 
    public function getProperty()
    {
        return $this->prop1 . "<br />";
    }
}
 
// Create a new object
$obj = new MyClass;
 
// Get the value of $prop1
echo $obj->getProperty();
 
// Destroy the object
unset($obj);
 
// Output a message at the end of the file
echo "End of file.<br />";
 
?>

Now the result changes to the following when loaded in your browser:

1
2
3
4

The class "MyClass" was initiated!
I'm a class property!
The class "MyClass" was destroyed.
End of file.

Converting to a String

To avoid an error if a script attempts to output MyClass as a string, another magic method is used called __toString().

Without __toString(), attempting to output the object as a string results in a fatal error. Attempt to use echo to output the object without a magic method in place:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
 
    public function __construct()
    {
        echo 'The class "', __CLASS__, '" was initiated!<br />';
    }
 
    public function __destruct()
    {
        echo 'The class "', __CLASS__, '" was destroyed.<br />';
    }
 
    public function setProperty($newval)
    {
        $this->prop1 = $newval;
    }
 
    public function getProperty()
    {
        return $this->prop1 . "<br />";
    }
}
 
// Create a new object
$obj = new MyClass;
 
// Output the object as a string
echo $obj;
 
// Destroy the object
unset($obj);
 
// Output a message at the end of the file
echo "End of file.<br />";
 
?>

This results in the following:

1
2
3

The class "MyClass" was initiated!
 
Catchable fatal error: Object of class MyClass could not be converted to string in /Applications/XAMPP/xamppfiles/htdocs/testing/test.php on line 40

To avoid this error, add a __toString() method:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
 
    public function __construct()
    {
        echo 'The class "', __CLASS__, '" was initiated!<br />';
    }
 
    public function __destruct()
    {
        echo 'The class "', __CLASS__, '" was destroyed.<br />';
    }
 
    public function __toString()
    {
        echo "Using the toString method: ";
        return $this->getProperty();
    }
 
    public function setProperty($newval)
    {
        $this->prop1 = $newval;
    }
 
    public function getProperty()
    {
        return $this->prop1 . "<br />";
    }
}
 
// Create a new object
$obj = new MyClass;
 
// Output the object as a string
echo $obj;
 
// Destroy the object
unset($obj);
 
// Output a message at the end of the file
echo "End of file.<br />";
 
?>

In this case, attempting to convert the object to a string results in a call to the getProperty() method. Load the test script in your browser to see the result:

1
2
3
4

The class "MyClass" was initiated!
Using the toString method: I'm a class property!
The class "MyClass" was destroyed.
End of file.

Tip — In addition to the magic methods discussed in this section, several others are available. For a complete list of magic methods, see the PHP manual page.

Using Class Inheritance

Classes can inherit the methods and properties of another class using the extends keyword. For instance, to create a second class that extends MyClass and adds a method, you would add the following to your test file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
 
    public function __construct()
    {
        echo 'The class "', __CLASS__, '" was initiated!<br />';
    }
 
    public function __destruct()
    {
        echo 'The class "', __CLASS__, '" was destroyed.<br />';
    }
 
    public function __toString()
    {
        echo "Using the toString method: ";
        return $this->getProperty();
    }
 
    public function setProperty($newval)
    {
        $this->prop1 = $newval;
    }
 
    public function getProperty()
    {
        return $this->prop1 . "<br />";
    }
}
 
class MyOtherClass extends MyClass
{
    public function newMethod()
    {
        echo "From a new method in " . __CLASS__ . ".<br />";
    }
}
 
// Create a new object
$newobj = new MyOtherClass;
 
// Output the object as a string
echo $newobj->newMethod();
 
// Use a method from the parent class
echo $newobj->getProperty();
 
?>

Upon reloading the test file in your browser, the following is output:

1
2
3
4

The class "MyClass" was initiated!
From a new method in MyOtherClass.
I'm a class property!
The class "MyClass" was destroyed.

Overwriting Inherited Properties and Methods

To change the behavior of an existing property or method in the new class, you can simply overwrite it by declaring it again in the new class:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
 
    public function __construct()
    {
        echo 'The class "', __CLASS__, '" was initiated!<br />';
    }
 
    public function __destruct()
    {
        echo 'The class "', __CLASS__, '" was destroyed.<br />';
    }
 
    public function __toString()
    {
        echo "Using the toString method: ";
        return $this->getProperty();
    }
 
    public function setProperty($newval)
    {
        $this->prop1 = $newval;
    }
 
    public function getProperty()
    {
        return $this->prop1 . "<br />";
    }
}
 
class MyOtherClass extends MyClass
{
    public function __construct()
    {
        echo "A new constructor in " . __CLASS__ . ".<br />";
    }
 
    public function newMethod()
    {
        echo "From a new method in " . __CLASS__ . ".<br />";
    }
}
 
// Create a new object
$newobj = new MyOtherClass;
 
// Output the object as a string
echo $newobj->newMethod();
 
// Use a method from the parent class
echo $newobj->getProperty();
 
?>

This changes the output in the browser to:

1
2
3
4

A new constructor in MyOtherClass.
From a new method in MyOtherClass.
I'm a class property!
The class "MyClass" was destroyed.

Preserving Original Method Functionality While Overwriting Methods

To add new functionality to an inherited method while keeping the original method intact, use the parent keyword with the scope resolution operator (::):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
 
    public function __construct()
    {
        echo 'The class "', __CLASS__, '" was initiated!<br />';
    }
 
    public function __destruct()
    {
        echo 'The class "', __CLASS__, '" was destroyed.<br />';
    }
 
    public function __toString()
    {
        echo "Using the toString method: ";
        return $this->getProperty();
    }
 
    public function setProperty($newval)
    {
        $this->prop1 = $newval;
    }
 
    public function getProperty()
    {
        return $this->prop1 . "<br />";
    }
}
 
class MyOtherClass extends MyClass
{
    public function __construct()
    {
        parent::__construct(); // Call the parent class's constructor
        echo "A new constructor in " . __CLASS__ . ".<br />";
    }
 
    public function newMethod()
    {
        echo "From a new method in " . __CLASS__ . ".<br />";
    }
}
 
// Create a new object
$newobj = new MyOtherClass;
 
// Output the object as a string
echo $newobj->newMethod();
 
// Use a method from the parent class
echo $newobj->getProperty();
 
?>

This outputs the result of both the parent constructor and the new class’s constructor:

1
2
3
4
5

The class "MyClass" was initiated!
A new constructor in MyOtherClass.
From a new method in MyOtherClass.
I'm a class property!
The class "MyClass" was destroyed.

Assigning the Visibility of Properties and Methods

For added control over objects, methods and properties are assigned visibility. This controls how and from where properties and methods can be accessed. There are three visibility keywords: public, protected, and private. In addition to its visibility, a method or property can be declared as static, which allows them to be accessed without an instantiation of the class.

“For added control over objects, methods and properties are assigned visibility.”

Note — Visibility is a new feature as of PHP 5. For information on OOP compatibility with PHP 4, see the PHP manual page.

Public Properties and Methods

All the methods and properties you’ve used so far have been public. This means that they can be accessed anywhere, both within the class and externally.

Protected Properties and Methods

When a property or method is declared protected, it can only be accessed within the class itself or in descendant classes (classes that extend the class containing the protected method).

Declare the getProperty() method as protected in MyClass and try to access it directly from outside the class:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
 
    public function __construct()
    {
        echo 'The class "', __CLASS__, '" was initiated!<br />';
    }
 
    public function __destruct()
    {
        echo 'The class "', __CLASS__, '" was destroyed.<br />';
    }
 
    public function __toString()
    {
        echo "Using the toString method: ";
        return $this->getProperty();
    }
 
    public function setProperty($newval)
    {
        $this->prop1 = $newval;
    }
 
    protected function getProperty()
    {
        return $this->prop1 . "<br />";
    }
}
 
class MyOtherClass extends MyClass
{
    public function __construct()
    {
        parent::__construct();
		echo "A new constructor in " . __CLASS__ . ".<br />";
    }
 
    public function newMethod()
    {
        echo "From a new method in " . __CLASS__ . ".<br />";
    }
}
 
// Create a new object
$newobj = new MyOtherClass;
 
// Attempt to call a protected method
echo $newobj->getProperty();
 
?>

Upon attempting to run this script, the following error shows up:

1
2
3
4

The class "MyClass" was initiated!
A new constructor in MyOtherClass.
 
Fatal error: Call to protected method MyClass::getProperty() from context '' in /Applications/XAMPP/xamppfiles/htdocs/testing/test.php on line 55

Now, create a new method in MyOtherClass to call the getProperty() method:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
 
    public function __construct()
    {
        echo 'The class "', __CLASS__, '" was initiated!<br />';
    }
 
    public function __destruct()
    {
        echo 'The class "', __CLASS__, '" was destroyed.<br />';
    }
 
    public function __toString()
    {
        echo "Using the toString method: ";
        return $this->getProperty();
    }
 
    public function setProperty($newval)
    {
        $this->prop1 = $newval;
    }
 
    protected function getProperty()
    {
        return $this->prop1 . "<br />";
    }
}
 
class MyOtherClass extends MyClass
{
    public function __construct()
    {
        parent::__construct();
		echo "A new constructor in " . __CLASS__ . ".<br />";
    }
 
    public function newMethod()
    {
        echo "From a new method in " . __CLASS__ . ".<br />";
    }
 
    public function callProtected()
    {
        return $this->getProperty();
    }
}
 
// Create a new object
$newobj = new MyOtherClass;
 
// Call the protected method from within a public method
echo $newobj->callProtected();
 
?>

This generates the desired result:

1
2
3
4

The class "MyClass" was initiated!
A new constructor in MyOtherClass.
I'm a class property!
The class "MyClass" was destroyed.

Private Properties and Methods

A property or method declared private is accessible only from within the class that defines it. This means that even if a new class extends the class that defines a private property, that property or method will not be available at all within the child class.

To demonstrate this, declare getProperty() as private in MyClass, and attempt to call callProtected() from
MyOtherClass:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
 
    public function __construct()
    {
        echo 'The class "', __CLASS__, '" was initiated!<br />';
    }
 
    public function __destruct()
    {
        echo 'The class "', __CLASS__, '" was destroyed.<br />';
    }
 
    public function __toString()
    {
        echo "Using the toString method: ";
        return $this->getProperty();
    }
 
    public function setProperty($newval)
    {
        $this->prop1 = $newval;
    }
 
    private function getProperty()
    {
        return $this->prop1 . "<br />";
    }
}
 
class MyOtherClass extends MyClass
{
    public function __construct()
    {
        parent::__construct();
        echo "A new constructor in " . __CLASS__ . ".<br />";
    }
 
    public function newMethod()
    {
        echo "From a new method in " . __CLASS__ . ".<br />";
    }
 
    public function callProtected()
    {
        return $this->getProperty();
    }
}
 
// Create a new object
$newobj = new MyOtherClass;
 
// Use a method from the parent class
echo $newobj->callProtected();
 
?>

Reload your browser, and the following error appears:

1
2
3
4

The class "MyClass" was initiated!
A new constructor in MyOtherClass.
 
Fatal error: Call to private method MyClass::getProperty() from context 'MyOtherClass' in /Applications/XAMPP/xamppfiles/htdocs/testing/test.php on line 49

Static Properties and Methods

A method or property declared static can be accessed without first instantiating the class; you simply supply the class name, scope resolution operator, and the property or method name.

“One of the major benefits to using static properties is that they keep their stored values for the duration of the script.”

To demonstrate this, add a static property called $count and a static method called plusOne() to MyClass. Then set up a do...while loop to output the incremented value of $count as long as the value is less than 10:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

<?php
 
class MyClass
{
    public $prop1 = "I'm a class property!";
 
    public static $count = 0;
 
    public function __construct()
    {
        echo 'The class "', __CLASS__, '" was initiated!<br />';
    }
 
    public function __destruct()
    {
        echo 'The class "', __CLASS__, '" was destroyed.<br />';
    }
 
    public function __toString()
    {
        echo "Using the toString method: ";
        return $this->getProperty();
    }
 
    public function setProperty($newval)
    {
        $this->prop1 = $newval;
    }
 
    private function getProperty()
    {
        return $this->prop1 . "<br />";
    }
 
    public static function plusOne()
    {
        return "The count is " . ++self::$count . ".<br />";
    }
}
 
class MyOtherClass extends MyClass
{
    public function __construct()
    {
        parent::__construct();
        echo "A new constructor in " . __CLASS__ . ".<br />";
    }
 
    public function newMethod()
    {
        echo "From a new method in " . __CLASS__ . ".<br />";
    }
 
    public function callProtected()
    {
        return $this->getProperty();
    }
}
 
do
{
    // Call plusOne without instantiating MyClass
    echo MyClass::plusOne();
} while ( MyClass::$count < 10 );
 
?>

Note — When accessing static properties, the dollar sign
($) comes after the scope resolution operator.

When you load this script in your browser, the following is output:

1
2
3
4
5
6
7
8
9
10

The count is 1.
The count is 2.
The count is 3.
The count is 4.
The count is 5.
The count is 6.
The count is 7.
The count is 8.
The count is 9.
The count is 10.

Commenting with DocBlocks

“The DocBlock commenting style is a widely
accepted method of documenting classes.”

While not an official part of OOP, the DocBlock commenting style is a widely accepted method of documenting classes. Aside from providing a standard for
developers to use when writing code, it has also been adopted by many of the most popular software development kits (SDKs), such as Eclipse and NetBeans, and will be used to generate code hints.

A DocBlock is defined by using a block comment that starts with an additional asterisk:

1
2
3

/**
 * This is a very basic DocBlock
 */

The real power of DocBlocks comes with the ability to use tags, which start with an at symbol (@) immediately followed by the tag name and the value of the tag. DocBlock tags allow developers to define authors of a file, the license for a class, the property or method information, and other useful information.

The most common tags used follow:

• @author: The author of the current element (which might be a class, file, method, or any bit of code) are listed using this tag. Multiple author tags can be used in the same DocBlock if more than one author is credited. The format for the author name is John Doe .
• @copyright: This signifies the copyright year and name of the copyright holder for the current element. The format is 2010 Copyright Holder.
• @license: This links to the license for the current element. The format for the license information is
  http://www.example.com/path/to/license.txt License Name.
• @var: This holds the type and description of a variable or class property. The format is type element description.
• @param: This tag shows the type and description of a function or method parameter. The format is type $element_name element description.
• @return: The type and description of the return value of a function or method are provided in this tag. The format is type return element description.

A sample class commented with DocBlocks might look like this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

<?php
 
/**
 * A simple class
 *
 * This is the long description for this class,
 * which can span as many lines as needed. It is
 * not required, whereas the short description is
 * necessary.
 *
 * It can also span multiple paragraphs if the
 * description merits that much verbiage.
 *
 * @author Jason Lengstorf <jason.lengstorf@ennuidesign.com>
 * @copyright 2010 Ennui Design
 * @license http://www.php.net/license/3_01.txt PHP License 3.01
 */
class SimpleClass
{
    /**
     * A public variable
     *
     * @var string stores data for the class
     */
    public $foo;
 
    /**
     * Sets $foo to a new value upon class instantiation
     *
     * @param string $val a value required for the class
     * @return void
     */
    public function __construct($val)
    {
        $this->foo = $val;
    }
 
    /**
     * Multiplies two integers
     *
     * Accepts a pair of integers and returns the
     * product of the two.
     *
     * @param int $bat a number to be multiplied
     * @param int $baz a number to be multiplied
     * @return int the product of the two parameters
     */
    public function bar($bat, $baz)
    {
        return $bat * $baz;
    }
}
 
?>

Once you scan the preceding class, the benefits of DocBlock are apparent: everything is clearly defined so that the next developer can pick up the code and never have to wonder what a snippet of code does or what it should contain.

Comparing Object-Oriented and Procedural Code

There’s not really a right and wrong way to write code. That being said, this section outlines a strong argument for adopting an object-oriented approach in software development, especially in large applications.

Reason 1: Ease of Implementation

“While it may be daunting at first, OOP actually provides an easier approach to dealing with data.”

While it may be daunting at first, OOP actually provides an easier approach to dealing with data. Because an object can store data internally, variables don’t need to be passed from function to function to work properly.

Also, because multiple instances of the same class can exist simultaneously, dealing with large data sets is infinitely easier. For instance, imagine you have two people’s information being processed in a file. They need names, occupations, and ages.

The Procedural Approach

Here’s the procedural approach to our example:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

<?php
 
function changeJob($person, $newjob)
{
    $person['job'] = $newjob; // Change the person's job
    return $person;
}
 
function happyBirthday($person)
{
    ++$person['age']; // Add 1 to the person's age
    return $person;
}
 
$person1 = array(
    'name' => 'Tom',
    'job' => 'Button-Pusher',
    'age' => 34
);
 
$person2 = array(
    'name' => 'John',
    'job' => 'Lever-Puller',
    'age' => 41
);
 
// Output the starting values for the people
echo "Person 1: ", print_r($person1, TRUE), "";
echo "Person 2: ", print_r($person2, TRUE), "";
 
// Tom got a promotion and had a birthday
$person1 = changeJob($person1, 'Box-Mover');
$person1 = happyBirthday($person1);
 
// John just had a birthday
$person2 = happyBirthday($person2);
 
// Output the new values for the people
echo "Person 1: ", print_r($person1, TRUE), "";
echo "Person 2: ", print_r($person2, TRUE), "";
 
?>

When executed, the code outputs the following:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

Person 1: Array
(
    [name] => Tom
    [job] => Button-Pusher
    [age] => 34
)
Person 2: Array
(
    [name] => John
    [job] => Lever-Puller
    [age] => 41
)
Person 1: Array
(
    [name] => Tom
    [job] => Box-Mover
    [age] => 35
)
Person 2: Array
(
    [name] => John
    [job] => Lever-Puller
    [age] => 42
)

While this code isn’t necessarily bad, there’s a lot to keep in mind while coding. The array of the affected person’s attributes must be passed and returned from each function call, which leaves margin for error.

To clean up this example, it would be desirable to leave as few things up to the developer as possible. Only absolutely essential information for the current operation should need to be passed to the functions.

This is where OOP steps in and helps you clean things up.

The OOP Approach

Here’s the OOP approach to our example:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

<?php
 
class Person
{
    private $_name;
    private $_job;
    private $_age;
 
    public function __construct($name, $job, $age)
    {
        $this->_name = $name;
        $this->_job = $job;
        $this->_age = $age;
    }
 
    public function changeJob($newjob)
    {
        $this->_job = $newjob;
    }
 
    public function happyBirthday()
    {
        ++$this->_age;
    }
}
 
// Create two new people
$person1 = new Person("Tom", "Button-Pusher", 34);
$person2 = new Person("John", "Lever Puller", 41);
 
// Output their starting point
echo "Person 1: ", print_r($person1, TRUE), "";
echo "Person 2: ", print_r($person2, TRUE), "";
 
// Give Tom a promotion and a birthday
$person1->changeJob("Box-Mover");
$person1->happyBirthday();
 
// John just gets a year older
$person2->happyBirthday();
 
// Output the ending values
echo "Person 1: ", print_r($person1, TRUE), "";
echo "Person 2: ", print_r($person2, TRUE), "";
 
?>

This outputs the following in the browser:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

Person 1: Person Object
(
    [_name:private] => Tom
    [_job:private] => Button-Pusher
    [_age:private] => 34
)
 
Person 2: Person Object
(
    [_name:private] => John
    [_job:private] => Lever Puller
    [_age:private] => 41
)
 
Person 1: Person Object
(
    [_name:private] => Tom
    [_job:private] => Box-Mover
    [_age:private] => 35
)
 
Person 2: Person Object
(
    [_name:private] => John
    [_job:private] => Lever Puller
    [_age:private] => 42
)

There’s a little bit more setup involved to make the approach object oriented, but after the class is defined, creating and modifying people is a breeze; a person’s information does not need to be passed or returned from methods, and only absolutely essential information is passed to each method.

“OOP will significantly reduce your workload if implemented properly.”

On the small scale, this difference may not seem like much, but as your applications grow in size, OOP will significantly reduce your workload if implemented properly.

Tip — Not everything needs to be object oriented. A quick function that handles something small in one place inside the application does not necessarily need to be wrapped in a class. Use your best judgment when deciding between object-oriented and procedural approaches.

Reason 2: Better Organization

Another benefit of OOP is how well it lends itself to being easily packaged and cataloged. Each class can generally be kept in its own separate file, and if a uniform naming convention is used, accessing the classes is extremely simple.

Assume you’ve got an application with 150 classes that are called dynamically through a controller file at the root of your application filesystem. All 150 classes follow the naming convention class.classname.inc.php and reside in the inc folder of your application.

The controller can implement PHP’s __autoload() function to dynamically pull in only the classes it needs as they are called, rather than including all 150 in the controller file just in case or coming up with some clever way of including the files in your own code:

1
2
3
4
5
6

<?php
    function __autoload($class_name)
    {
        include_once 'inc/class.' . $class_name . '.inc.php';
    }
?>

Having each class in a separate file also makes code more portable and easier to reuse in new applications without a bunch of copying and pasting.

Reason 3: Easier Maintenance

Due to the more compact nature of OOP when done correctly, changes in the code are usually much easier to spot and make than in a long spaghetti code procedural implementation.

If a particular array of information gains a new attribute, a procedural piece of software may require (in a worst-case scenario) that the new attribute be added to each function that uses the array.

An OOP application could potentially be updated as easily adding the new property and then adding the methods that deal with said property.

A lot of the benefits covered in this section are the product of OOP in combination with DRY programming practices. It is definitely possible to create easy-to-maintain procedural code that doesn’t cause nightmares, and it is equally possible to create awful object-oriented code.

Summary

At this point, you should feel comfortable with the object-oriented programming style. Learning OOP is a great way to take your programming to that next level. When implemented properly, OOP will help you produce easy-to-read, easy-to-maintain, portable code that will save you (and the developers who work with you) hours of extra work. Are you stuck on something that wasn’t covered in this article? Are you already using OOP and have some tips for beginners? Share them in the comments!

Step 1: Creating Database Tables

It’s always a good idea to start with creating a good data model when building an application. Let’s describe our application in one sentence: We are going to make a forum which has users who create topics in various categories. Other users can post replies. As you can see, I highlighted a couple of nouns which represent our table names.

Users

• Categories
• Topics
• Posts

These three objects are related to each other, so we’ll process that in our table design. Take a look at the scheme below.

Looks pretty neat, huh? Every square is a database table. All the columns are listed in it and the lines between them represent the relationships. I’ll explain them further, so it’s okay if it doesn’t make a lot of sense to you right now.

I’ll discuss each table by explaining the SQL, which I created using the scheme above. For your own scripts you can create a similar scheme and SQL too. Some editors like MySQL Workbench (the one I used) can generate .sql files too, but I would recommend learning SQL because it’s more fun to do it yourself. A SQL introduction can be found at W3Schools.

Users Table

1
2
3
4
5
6
7
8
9
10

CREATE TABLE users (
user_id 	INT(8) NOT NULL AUTO_INCREMENT,
user_name	VARCHAR(30) NOT NULL,
user_pass  	VARCHAR(255) NOT NULL,
user_email	VARCHAR(255) NOT NULL,
user_date	DATETIME NOT NULL,
user_level	INT(8) NOT NULL,
UNIQUE INDEX user_name_unique (user_name),
PRIMARY KEY (user_id)
) TYPE=INNODB;

The CREATE TABLE statement is used to indicate we want to create a new table, of course. The statement is followed by the name of the table and all the columns are listed between the brackets. The names of all the fields are self-explanatory, so we’ll only discuss the data types below.

user_id

“A primary key is used to uniquely identify each row in a table.”

The type of this field is INT, which means this field holds an integer. The field cannot be empty (NOT NULL) and increments which each record inserted. At the bottom of the table you can see the user_id field is declared as a primary key. A primary key is used to uniquely identify each row in a table. No two distinct rows in a table can have the same value (or combination of values) in all columns. That might be a bit unclear, so here’s a little example.

There is a user called John Doe. If another users registers with the same name, there’s a problem, because: which user is which? You can’t tell and the database can’t tell either. By using a primary key this problem is solved, because both topics are unique.

All the other tables have got primary keys too and they work the same way.

user_name

This is a text field, called a VARCHAR field in MySQL. The number between brackets is the maximum length. A user can choose a username up to 30 characters long. This field cannot be NULL. At the bottom of the table you can see this field is declared UNIQUE, which means the same username cannot be registered twice. The UNIQUE INDEX part tells the database we want to add a unique key. Then we define the name of the unique key, user_name_unique in this case. Between brackets is the field the unique key applies to, which is user_name.

user_pass

This field is equal to the user_name field, except the maximum length. Since the user password, no matter what length, is hashed with sha1(), the password will always be 40 characters long.

user_email

This field is equal to the user_pass field.

user_date

This is a field in which we’ll store the date the user registered. It’s type is DATETIME and the field cannot be NULL.

user_level

This field contains the level of the user, for example: ’0′ for a regular user and ’1′ for an admin. More about this later.

Categories Table

1
2
3
4
5
6
7

CREATE TABLE categories (
cat_id 		 	INT(8) NOT NULL AUTO_INCREMENT,
cat_name	 	VARCHAR(255) NOT NULL,
cat_description 	VARCHAR(255) NOT NULL,
UNIQUE INDEX cat_name_unique (cat_name),
PRIMARY KEY (cat_id)
) TYPE=INNODB;

These data types basically work the same way as the ones in the users table. This table also has a primary key and the name of the category must be an unique one.

Topics Table

1
2
3
4
5
6
7
8

CREATE TABLE topics (
topic_id		INT(8) NOT NULL AUTO_INCREMENT,
topic_subject  		VARCHAR(255) NOT NULL,
topic_date		DATETIME NOT NULL,
topic_cat		INT(8) NOT NULL,
topic_by		INT(8) NOT NULL,
PRIMARY KEY (topic_id)
) TYPE=INNODB;

This table is almost the same as the other tables, except for the topic_by field. That field refers to the user who created the topic. The topic_cat refers to the category the topic belongs to. We cannot force these relationships by just declaring the field. We have to let the database know this field must contain an existing user_id from the users table, or a valid cat_id from the categories table. We’ll add some relationships after I’ve discussed the posts table.

Posts Table

1
2
3
4
5
6
7
8

CREATE TABLE posts (
post_id 		INT(8) NOT NULL AUTO_INCREMENT,
post_content		TEXT NOT NULL,
post_date 		DATETIME NOT NULL,
post_topic		INT(8) NOT NULL,
post_by		INT(8) NOT NULL,
PRIMARY KEY (post_id)
) TYPE=INNODB;

This is the same as the rest of the tables; there’s also a field which refers to a user_id here: the post_by field. The post_topic field refers to the topic the post belongs to.

“A foreign key is a referential constraint between two tables. The foreign key identifies a column or a set of columns in one (referencing) table that refers to a column or set of columns in another (referenced) table.”

Now that we’ve executed these queries, we have a pretty decent data model, but the relations are still missing. Let’s start with the definition of a relationship. We’re going to use something called a foreign key. A foreign key is a referential constraint between two tables. The foreign key identifies a column or a set of columns in one (referencing) table that refers to a column or set of columns in another (referenced) table. Some conditions:

• The column in the referencing table the foreign key refers to must be a primary key
• The values that are referred to must exist in the referenced table

By adding foreign keys the information is linked together which is very important for database normalization. Now you know what a foreign key is and why we’re using them. It’s time to add them to the tables we’ve already made by using the ALTER statement, which can be used to change an already existing table.

We’ll link the topics to the categories first:

1

ALTER TABLE topics ADD FOREIGN KEY(topic_cat) REFERENCES categories(cat_id) ON DELETE CASCADE ON UPDATE CASCADE;

The last part of the query already says what happens. When a category gets deleted from the database, all the topics will be deleted too. If the cat_id of a category changes, every topic will be updated too. That’s what the ON UPDATE CASCADE part is for. Of course, you can reverse this to protect your data, so that you can’t delete a category as long as it still has topics linked to it. If you would want to do that, you could replace the ‘ON DELETE CASCADE’ part with ‘ON DELETE RESTRICT’. There is also SET NULL and NO ACTION, which speak for themselves.

Every topic is linked to a category now. Let’s link the topics to the user who creates one.

1

ALTER TABLE topics ADD FOREIGN KEY(topic_by) REFERENCES users(user_id) ON DELETE RESTRICT ON UPDATE CASCADE;

This foreign key is the same as the previous one, but there is one difference: the user can’t be deleted as long as there are still topics with the user id of the user. We don’t use CASCADE here because there might be valuable information in our topics. We wouldn’t want that information to get deleted if someone decides to delete their account. To still give users the opportunity to delete their account, you could build some feature that anonymizes all their topics and then delete their account. Unfortunately, that is beyond the scope of this tutorial.

Link the posts to the topics:

1

ALTER TABLE posts ADD FOREIGN KEY(post_topic) REFERENCES topics(topic_id) ON DELETE CASCADE ON UPDATE CASCADE;

And finally, link each post to the user who made it:

1

ALTER TABLE posts ADD FOREIGN KEY(post_by) REFERENCES users(user_id) ON DELETE RESTRICT ON UPDATE CASCADE;

That’s the database part! It was quite a lot of work, but the result, a great data model, is definitely worth it.

Step 2: Introduction to the Header/Footer System

Each page of our forum needs a few basic things, like a doctype and some markup. That’s why we’ll include a header.php file at the top of each page, and a footer.php at the bottom. The header.php contains a doctype, a link to the stylesheet and some important information about the forum, such as the title tag and metatags.

header.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nl" lang="nl">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
	<meta name="description" content="A short description." />
	<meta name="keywords" content="put, keywords, here" />
	<title>PHP-MySQL forum</title>
	<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body>
<h1>My forum</h1>
	<div id="wrapper">
	<div id="menu">
		<a class="item" href="/forum/index.php">Home</a> -
		<a class="item" href="/forum/create_topic.php">Create a topic</a> -
		<a class="item" href="/forum/create_cat.php">Create a category</a>
 
		<div id="userbar">
		<div id="userbar">Hello Example. Not you? Log out.</div>
	</div>
		<div id="content">

The wrapper div will be used to make it easier to style the entire page. The menu div obviously contains a menu with links to pages we still have to create, but it helps to see where we’re going a little bit. The userbar div is going to be used for a small top bar which contains some information like the username and a link to the logout page. The content page holds the actual content of the page, obviously.

The attentive reader might have already noticed we’re missing some things. There is no or tag. They’re in the footer.php page, as you can see below.

1
2
3
4
5

</div><!-- content -->
</div><!-- wrapper -->
<div id="footer">Created for GigaSpartan.com</div>
</body>
</html>

When we include a header and a footer on each page the rest of the page get embedded between the header and the footer. This method has got some advantages. First and foremost, everything will be styled correctly. A short example:

1
2
3
4
5
6
7
8
9
10
11
12

<?php
$error = false;
if($error = false)
{
 	//the beautifully styled content, everything looks good
 	echo '<div id="content">some text</div>';
}
else
{
 	//bad looking, unstyled error :-(
}
?>

As you can see, a page without errors will result in a nice page with the content. But if there’s an error, everything looks really ugly; so that’s why it’s better to make sure not only real content is styled correctly, but also the errors we might get.

Another advantage is the possibility of making quick changes. You can see for yourself by editing the text in footer.php when you’ve finished this tutorial; you’ll notice that the footer changes on every page immediately. Finally, we add a stylesheet which provides us with some basic markup – nothing too fancy.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119

body {
	background-color: #4E4E4E;
	text-align: center;			/* make sure IE centers the page too */
}
 
#wrapper {
	width: 900px;
	margin: 0 auto; 			/* center the page */
}
 
#content {
	background-color: #fff;
	border: 1px solid #000;
	float: left;
	font-family: Arial;
	padding: 20px 30px;
	text-align: left;
	width: 100%;				/* fill up the entire div */
}
 
#menu {
	float: left;
	border: 1px solid #000;
	border-bottom: none;		/* avoid a double border */
	clear: both;				/* clear:both makes sure the content div doesn't float next to this one but stays under it */
	width:100%;
	height:20px;
	padding: 0 30px;
	background-color: #FFF;
	text-align: left;
	font-size: 85%;
}
 
#menu a:hover {
	background-color: #009FC1;
}
 
#userbar {
	background-color: #fff;
	float: right;
	width: 250px;
}
 
#footer {
	clear: both;
}
 
/* begin table styles */
table {
	border-collapse: collapse;
	width: 100%;
}
 
table a {
	color: #000;
}
 
table a:hover {
	color:#373737;
	text-decoration: none;
}
 
th {
	background-color: #B40E1F;
	color: #F0F0F0;
}
 
td {
	padding: 5px;
}
 
/* Begin font styles */
h1, #footer {
	font-family: Arial;
	color: #F1F3F1;
}
 
h3 {margin: 0; padding: 0;}
 
/* Menu styles */
.item {
	background-color: #00728B;
	border: 1px solid #032472;
	color: #FFF;
	font-family: Arial;
	padding: 3px;
	text-decoration: none;
}
 
.leftpart {
	width: 70%;
}
 
.rightpart {
	width: 30%;
}
 
.small {
	font-size: 75%;
	color: #373737;
}
#footer {
	font-size: 65%;
	padding: 3px 0 0 0;
}
 
.topic-post {
	height: 100px;
	overflow: auto;
}
 
.post-content {
	padding: 30px;
}
 
textarea {
	width: 500px;
	height: 200px;
}

Step 3: Getting Ready for Action

Before we can read anything from our database, we need a connection. That’s what connect.php is for. We’ll include it in every file we are going to create.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

<?php
//connect.php
$server	= 'localhost';
$username	= 'usernamehere';
$password	= 'passwordhere';
$database	= 'databasenamehere';
 
if(!mysql_connect($server, $username,  $password))
{
 	exit('Error: could not establish database connection');
}
if(!mysql_select_db($database)
{
 	exit('Error: could not select the database');
}
?>

Simply replace the default values of the variables at the top of the page with your own date, save the file and you’re good to go!

Step 4: Displaying the Forum Overview

Since we’re just started with some basic techniques, we’re going to make a simplified version of the forum overview for now.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

<?php
//create_cat.php
include 'connect.php';
include 'header.php';
 
echo '<tr>';
	echo '<td class="leftpart">';
		echo '<h3><a href="category.php?id=">Category name</a></h3> Category description goes here';
	echo '</td>';
	echo '<td class="rightpart">';
			echo '<a href="topic.php?id=">Topic subject</a> at 10-10';
	echo '</td>';
echo '</tr>';
include 'footer.php';
?>

There you have it: a nice and clean overview. We’ll be updating this page throughout the tutorial so that it becomes more like the end result, step by step!

Step 5: Signing up a User

Let’s start by making a simple HTML form so that a new user can register.

A PHP page is needed to process the form. We’re going to use a $_SERVER variable. The $_SERVER variable is an array with values that are automatically set with each request. One of the values of the $_SERVER array is ‘REQUEST_METHOD’. When a page is requested with GET, this variable will hold the value ‘GET’. When a page is requested via POST, it will hold the value ‘POST’. We can use this value to check if a form has been posted. See the signup.php page below.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96

<?php
//signup.php
include 'connect.php';
include 'header.php';
 
echo '<h3>Sign up</h3>';
 
if($_SERVER['REQUEST_METHOD'] != 'POST')
{
    /*the form hasn't been posted yet, display it
	  note that the action="" will cause the form to post to the same page it is on */
    echo '<form method="post" action="">
 	 	Username: <input type="text" name="user_name" />
 		Password: <input type="password" name="user_pass">
		Password again: <input type="password" name="user_pass_check">
		E-mail: <input type="email" name="user_email">
 		<input type="submit" value="Add category" />
 	 </form>';
}
else
{
    /* so, the form has been posted, we'll process the data in three steps:
		1.	Check the data
		2.	Let the user refill the wrong fields (if necessary)
		3.	Save the data
	*/
	$errors = array(); /* declare the array for later use */
 
	if(isset($_POST['user_name']))
	{
		//the user name exists
		if(!ctype_alnum($_POST['user_name']))
		{
			$errors[] = 'The username can only contain letters and digits.';
		}
		if(strlen($_POST['user_name']) > 30)
		{
			$errors[] = 'The username cannot be longer than 30 characters.';
		}
	}
	else
	{
		$errors[] = 'The username field must not be empty.';
	}
 
	if(isset($_POST['user_pass']))
	{
		if($_POST['user_pass'] != $_POST['user_pass_check'])
		{
			$errors[] = 'The two passwords did not match.';
		}
	}
	else
	{
		$errors[] = 'The password field cannot be empty.';
	}
 
	if(!empty($errors)) /*check for an empty array, if there are errors, they're in this array (note the ! operator)*/
	{
		echo 'Uh-oh.. a couple of fields are not filled in correctly..';
		echo '<ul>';
		foreach($errors as $key => $value) /* walk through the array so all the errors get displayed */
		{
			echo '<li>' . $value . '</li>'; /* this generates a nice error list */
		}
		echo '</ul>';
	}
	else
	{
		//the form has been posted without, so save it
		//notice the use of mysql_real_escape_string, keep everything safe!
		//also notice the sha1 function which hashes the password
		$sql = "INSERT INTO
					users(user_name, user_pass, user_email ,user_date, user_level)
				VALUES('" . mysql_real_escape_string($_POST['user_name']) . "',
					   '" . sha1($_POST['user_pass']) . "',
					   '" . mysql_real_escape_string($_POST['user_email']) . "',
						NOW(),
						0)";
 
		$result = mysql_query($sql);
		if(!$result)
		{
			//something went wrong, display the error
			echo 'Something went wrong while registering. Please try again later.';
			//echo mysql_error(); //debugging purposes, uncomment when needed
		}
		else
		{
			echo 'Successfully registered. You can now <a href="signin.php">sign in</a> and start posting! :-)';
		}
	}
}
 
include 'footer.php';
?>

A lot of explanation is in the comments I made in the file, so be sure to check them out. The processing of the data takes place in three parts:

• Validating the data
• If the data is not valid, show the form again
• If the data is valid, save the record in the database

The PHP part is quite self-explanatory. The SQL-query however probably needs a little more explanation.

1
2
3
4
5
6
7

INSERT INTO
       users(user_name, user_pass, user_email ,user_date, user_level)
VALUES('" . mysql_real_escape_string($_POST['user_name']) . "',
       '" . sha1($_POST['user_pass']) . "',
       '" . mysql_real_escape_string($_POST['user_email']) . "',
       NOW(),
       0);

On line 1 we have the INSERT INTO statement which speaks for itself. The table name is specified on the second line. The words between the brackets represent the columns in which we want to insert the data. The VALUES statement tells the database we’re done declaring column names and it’s time to specify the values. There is something new here: mysql_real_escape_string. The function escapes special characters in an unescaped string , so that it is safe to place it in a query. This function MUST always be used, with very few exceptions. There are too many scripts that don’t use it and can be hacked real easy. Don’t take the risk, use mysql_real_escape_string().

“Never insert a plain password as-is. You MUST always encrypt it.”

Also, you can see that the function sha1() is used to encrypt the user’s password. This is also a very important thing to remember. Never insert a plain password as-is. You MUST always encrypt it. Imagine a hacker who somehow manages to get access to your database. If he sees all the plain-text passwords he could log into any (admin) account he wants. If the password columns contain sha1 strings he has to crack them first which is almost impossible.

Note: it’s also possible to use md5(), I always use sha1() because benchmarks have proved it’s a tiny bit faster, not much though. You can replace sha1 with md5 if you like.

If the signup process was successful, you should see something like this:

Try refreshing your phpMyAdmin screen, a new record should be visible in the users table.

Step 6: Adding Authentication and User Levels

An important aspect of a forum is the difference between regular users and admins/moderators. Since this is a small forum and adding features like adding new moderators and stuff would take way too much time, we’ll focus on the login process and create some admin features like creating new categories and closing a thread.

Now that you’ve completed the previous step, we’re going to make your freshly created account an admin account. In phpMyAdmin, click on the users table, and then ‘Browse’. Your account will probably pop up right away. Click the edit icon and change the value of the user_level field from 0 to 1. That’s it for now. You won’t notice any difference in our application immediately, but when we’ve added the admin features a normal account and your account will have different capabilities.

The sign-in process works the following way:

• A visitor enters user data and submits the form
• If the username and password are correct, we can start a session
• If the username and password are incorrect, we show the form again with a message

The signin.php file is below. Don’t think I’m not explaining what I’m doing, but check out the comments in the file. It’s much easier to understand that way.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107

<?php
//signin.php
include 'connect.php';
include 'header.php';
 
echo '<h3>Sign in</h3>';
 
//first, check if the user is already signed in. If that is the case, there is no need to display this page
if(isset($_SESSION['signed_in']) &amp;&amp; $_SESSION['signed_in'] == true)
{
	echo 'You are already signed in, you can <a href="signout.php">sign out</a> if you want.';
}
else
{
	if($_SERVER['REQUEST_METHOD'] != 'POST')
	{
		/*the form hasn't been posted yet, display it
		  note that the action="" will cause the form to post to the same page it is on */
		echo '<form method="post" action="">
			Username: <input type="text" name="user_name" />
			Password: <input type="password" name="user_pass">
			<input type="submit" value="Sign in" />
		 </form>';
	}
	else
	{
		/* so, the form has been posted, we'll process the data in three steps:
			1.	Check the data
			2.	Let the user refill the wrong fields (if necessary)
			3.	Varify if the data is correct and return the correct response
		*/
		$errors = array(); /* declare the array for later use */
 
		if(!isset($_POST['user_name']))
		{
			$errors[] = 'The username field must not be empty.';
		}
 
		if(!isset($_POST['user_pass']))
		{
			$errors[] = 'The password field must not be empty.';
		}
 
		if(!empty($errors)) /*check for an empty array, if there are errors, they're in this array (note the ! operator)*/
		{
			echo 'Uh-oh.. a couple of fields are not filled in correctly..';
			echo '<ul>';
			foreach($errors as $key => $value) /* walk through the array so all the errors get displayed */
			{
				echo '<li>' . $value . '</li>'; /* this generates a nice error list */
			}
			echo '</ul>';
		}
		else
		{
			//the form has been posted without errors, so save it
			//notice the use of mysql_real_escape_string, keep everything safe!
			//also notice the sha1 function which hashes the password
			$sql = "SELECT
						user_id,
						user_name,
						user_level
					FROM
						users
					WHERE
						user_name = '" . mysql_real_escape_string($_POST['user_name']) . "'
					AND
						user_pass = '" . sha1($_POST['user_pass']) . "'";
 
			$result = mysql_query($sql);
			if(!$result)
			{
				//something went wrong, display the error
				echo 'Something went wrong while signing in. Please try again later.';
				//echo mysql_error(); //debugging purposes, uncomment when needed
			}
			else
			{
				//the query was successfully executed, there are 2 possibilities
				//1. the query returned data, the user can be signed in
				//2. the query returned an empty result set, the credentials were wrong
				if(mysql_num_rows($result) == 0)
				{
					echo 'You have supplied a wrong user/password combination. Please try again.';
				}
				else
				{
					//set the $_SESSION['signed_in'] variable to TRUE
					$_SESSION['signed_in'] = true;
 
					//we also put the user_id and user_name values in the $_SESSION, so we can use it at various pages
					while($row = mysql_fetch_assoc($result))
					{
						$_SESSION['user_id'] 	= $row['user_id'];
						$_SESSION['user_name'] 	= $row['user_name'];
						$_SESSION['user_level'] = $row['user_level'];
					}
 
					echo 'Welcome, ' . $_SESSION['user_name'] . '. <a href="index.php">Proceed to the forum overview</a>.';
				}
			}
		}
	}
}
 
include 'footer.php';
?>

This is the query that’s in the signin.php file:

1
2
3
4
5
6
7
8
9
10

SELECT
	user_id,
	user_name,
	user_level
FROM
	users
WHERE
	user_name = '" . mysql_real_escape_string($_POST['user_name']) . "'
AND
	user_pass = '" . sha1($_POST['user_pass'])

It’s obvious we need a check to tell if the supplied credentials belong to an existing user. A lot of scripts retrieve the password from the database and compare it using PHP. If we do this directly via SQL the password will be stored in the database once during registration and never leave it again. This is safer, because all the real action happens in the database layer and not in our application.

If the user is signed in successfully, we’re doing a few things:

1
2
3
4
5
6
7
8
9
10

<?php
//set the $_SESSION['signed_in'] variable to TRUE
$_SESSION['signed_in'] = true;
//we also put the user_id and user_name values in the $_SESSION, so we can use it at various pages
while($row = mysql_fetch_assoc($result))
{
 	$_SESSION['user_id'] = $row['user_id'];
 	$_SESSION['user_name'] = $row['user_name'];
}
?>

First, we set the ‘signed_in’ $_SESSION var to true, so we can use it on other pages to make sure the user is signed in. We also put the username and user id in the $_SESSION variable for usage on a different page. Finally, we display a link to the forum overview so the user can get started right away.

Of course signing in requires another function, signing out! The sign-out process is actually a lot easier than the sign-in process. Because all the information about the user is stored in $_SESSION variables, all we have to do is unset them and display a message.

Now that we’ve set the $_SESSION variables, we can determine if someone is signed in. Let’s make a last simple change to header.php:

Replace:

1

<div id="userbar">Hello Example. Not you? Log out.</div>

With:

1
2
3
4
5
6
7
8
9
10
11

<?php
<div id="userbar">
 	if($_SESSION['signed_in'])
 	{
 	 	echo 'Hello' . $_SESSION['user_name'] . '. Not you? <a href="signout.php">Sign out</a>';
 	}
 	else
 	{
 		echo '<a href="signin.php">Sign in</a> or <a href="sign up">create an account</a>.';
 	}
</div>

If a user is signed in, he will see his or her name displayed on the front page with a link to the signout page. Our authentication is done! By now our forum should look like this:

Step 7: Creating a Category

We want to create categories so let’s start with making a form.

1
2
3
4
5

<form method="post" action="">
 	Category name: <input type="text" name="cat_name" />
 	Category description: <textarea name="cat_description" /></textarea>
	<input type="submit" value="Add category" />
 </form>

This step looks a lot like Step 4 (Signing up a user’), so I’m not going to do an in-depth explanation here. If you followed all the steps you should be able to understand this somewhat quickly.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

<?php
//create_cat.php
include 'connect.php';
 
if($_SERVER['REQUEST_METHOD'] != 'POST')
{
    //the form hasn't been posted yet, display it
    echo '<form method='post' action=''>
 	 	Category name: <input type='text' name='cat_name' />
 		Category description: <textarea name='cat_description' /></textarea>
 		<input type='submit' value='Add category' />
 	 </form>';
}
else
{
    //the form has been posted, so save it
    $sql = ìINSERT INTO categories(cat_name, cat_description)
 	   VALUES('' . mysql_real_escape_string($_POST['cat_name']) . ì',
 		     '' . mysql_real_escape_string($_POST['cat_description']) . ì')';
    $result = mysql_query($sql);
    if(!$result)
    {
        //something went wrong, display the error
        echo 'Error' . mysql_error();
    }
    else
    {
        echo 'New category successfully added.';
    }
}
?>

As you can see, we’ve started the script with the $_SERVER check, after checking if the user has admin rights, which is required for creating a category. The form gets displayed if it hasn’t been submitted already. If it has, the values are saved. Once again, a SQL query is prepared and then executed.

Step 8: Adding Categories to index.php

We’ve created some categories, so now we’re able to display them on the front page. Let’s add the following query to the content area of index.php.

1
2
3
4
5
6

SELECT
 	categories.cat_id,
	categories.cat_name,
 	categories.cat_description,
FROM
 	categories

This query selects all categories and their names and descriptions from the categories table. We only need a bit of PHP to display the results. If we add that part just like we did in the previous steps, the code will look like this.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

<?php
//create_cat.php
include 'connect.php';
include 'header.php';
 
$sql = "SELECT
			cat_id,
			cat_name,
			cat_description,
		FROM
			categories";
 
$result = mysql_query($sql);
 
if(!$result)
{
	echo 'The categories could not be displayed, please try again later.';
}
else
{
	if(mysql_num_rows($result) == 0)
	{
		echo 'No categories defined yet.';
	}
	else
	{
		//prepare the table
		echo '<table border="1">
			  <tr>
				<th>Category</th>
				<th>Last topic</th>
			  </tr>';	
 
		while($row = mysql_fetch_assoc($result))
		{
			echo '<tr>';
				echo '<td class="leftpart">';
					echo '<h3><a href="category.php?id">' . $row['cat_name'] . '</a></h3>' . $row['cat_description'];
				echo '</td>';
				echo '<td class="rightpart">';
							echo '<a href="topic.php?id=">Topic subject</a> at 10-10';
				echo '</td>';
			echo '</tr>';
		}
	}
}
 
include 'footer.php';
?>

Notice how we’re using the cat_id to create links to category.php. All the links to this page will look like this: category.php?cat_id=x, where x can be any numeric value. This may be new to you. We can check the url with PHP for $_GET values. For example, we have this link:

1

category.php?cat_id=23

The statement echo $_GET[ëcat_id'];’ will display ’23′. In the next few steps we’ll use this value to retrieve the topics when viewing a single category, but topics can’t be viewed if we haven’t created them yet. So let’s create some topics!

Step 9: Creating a Topic

In this step, we’re combining the techniques we learned in the previous steps. We’re checking if a user is signed in, we’ll use an input query to create the topic and create some basic HTML forms.

The structure of create_topic.php can hardly be explained in a list or something, so I rewrote it in pseudo-code.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

<?php
if(user is signed in)
{
	//the user is not signed in
}
else
{
	//the user is signed in
	if(form has not been posted)
	{
		//show form
	}
	else
	{
		//process form
	}
}
?>

Here’s the real code of this part of our forum, check the explanations below the code to see what it’s doing.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142

<?php
//create_cat.php
include 'connect.php';
include 'header.php';
 
echo '<h2>Create a topic</h2>';
if($_SESSION['signed_in'] == false)
{
	//the user is not signed in
	echo 'Sorry, you have to be <a href="/forum/signin.php">signed in</a> to create a topic.';
}
else
{
	//the user is signed in
	if($_SERVER['REQUEST_METHOD'] != 'POST')
	{
		//the form hasn't been posted yet, display it
		//retrieve the categories from the database for use in the dropdown
		$sql = "SELECT
					cat_id,
					cat_name,
					cat_description
				FROM
					categories";
 
		$result = mysql_query($sql);
 
		if(!$result)
		{
			//the query failed, uh-oh :-(
			echo 'Error while selecting from database. Please try again later.';
		}
		else
		{
			if(mysql_num_rows($result) == 0)
			{
				//there are no categories, so a topic can't be posted
				if($_SESSION['user_level'] == 1)
				{
					echo 'You have not created categories yet.';
				}
				else
				{
					echo 'Before you can post a topic, you must wait for an admin to create some categories.';
				}
			}
			else
			{
 
				echo '<form method="post" action="">
					Subject: <input type="text" name="topic_subject" />
					Category:'; 
 
				echo '<select name="topic_cat">';
					while($row = mysql_fetch_assoc($result))
					{
						echo '<option value="' . $row['cat_id'] . '">' . $row['cat_name'] . '</option>';
					}
				echo '</select>';	
 
				echo 'Message: <textarea name="post_content" /></textarea>
					<input type="submit" value="Create topic" />
				 </form>';
			}
		}
	}
	else
	{
		//start the transaction
		$query  = "BEGIN WORK;";
		$result = mysql_query($query);
 
		if(!$result)
		{
			//Damn! the query failed, quit
			echo 'An error occured while creating your topic. Please try again later.';
		}
		else
		{
 
			//the form has been posted, so save it
			//insert the topic into the topics table first, then we'll save the post into the posts table
			$sql = "INSERT INTO
						topics(topic_subject,
							   topic_date,
							   topic_cat,
							   topic_by)
				   VALUES('" . mysql_real_escape_string($_POST['topic_subject']) . "',
							   NOW(),
							   " . mysql_real_escape_string($_POST['topic_cat']) . ",
							   " . $_SESSION['user_id'] . "
							   )";
 
			$result = mysql_query($sql);
			if(!$result)
			{
				//something went wrong, display the error
				echo 'An error occured while inserting your data. Please try again later.' . mysql_error();
				$sql = "ROLLBACK;";
				$result = mysql_query($sql);
			}
			else
			{
				//the first query worked, now start the second, posts query
				//retrieve the id of the freshly created topic for usage in the posts query
				$topicid = mysql_insert_id();
 
				$sql = "INSERT INTO
							posts(post_content,
								  post_date,
								  post_topic,
								  post_by)
						VALUES
							('" . mysql_real_escape_string($_POST['post_content']) . "',
								  NOW(),
								  " . $topicid . ",
								  " . $_SESSION['user_id'] . "
							)";
				$result = mysql_query($sql);
 
				if(!$result)
				{
					//something went wrong, display the error
					echo 'An error occured while inserting your post. Please try again later.' . mysql_error();
					$sql = "ROLLBACK;";
					$result = mysql_query($sql);
				}
				else
				{
					$sql = "COMMIT;";
					$result = mysql_query($sql);
 
					//after a lot of work, the query succeeded!
					echo 'You have successfully created <a href="topic.php?id='. $topicid . '">your new topic</a>.';
				}
			}
		}
	}
}
 
include 'footer.php';
?>

I’ll discuss this page in two parts, showing the form and processing the form.

Showing the form
We’re starting with a simple HTML form. There is actually something special here, because we use a dropdown. This dropdown is filled with data from the database, using this query:

1
2
3
4
5
6

SELECT
 	cat_id,
 	cat_name,
 	cat_description
FROM
 	categories

That’s the only potentially confusing part here; it’s quite a piece of code, as you can see when looking at the create_topic.php file at the bottom of this step.

Processing the form

The process of saving the topic consists of two parts: saving the topic in the topics table and saving the first post in the posts table. This requires something quite advanced that goes a bit beyond the scope of this tutorial. It’s called a transaction, which basically means that we start by executing the start command and then rollback when there are database errors and commit when everything went well.

1
2
3
4
5
6
7
8
9
10
11

<?php
//start the transaction
$query  = "BEGIN WORK;";
$result = mysql_query($query);
//stop the transaction
$sql = "ROLLBACK;";
$result = mysql_query($sql);
//commit the transaction
$sql = "COMMIT;";
$result = mysql_query($sql);
?>

The first query being used to save the data is the topic creation query, which looks like this:

1
2
3
4
5
6
7
8
9

INSERT INTO
	topics(topic_subject,
               topic_date,
               topic_cat,
               topic_by)
VALUES('" . mysql_real_escape_string($_POST['topic_subject']) . "',
       NOW(),
       " . mysql_real_escape_string($_POST['topic_cat']) . ",
       " . $_SESSION['user_id'] . ")

At first the fields are defined, then the values to be inserted. We’ve seen the first one before, it’s just a string which is made safe by using mysql_real_escape_string(). The second value, NOW(), is a SQL function for the current time. The third value, however, is a value we haven’t seen before. It refers to a (valid) id of a category. The last value refers to an (existing) user_id which is, in this case, the value of $_SESSION[ëuser_id']. This variable was declared during the sign in process.

If the query executed without errors we proceed to the second query. Remember we are still doing a transaction here. If we would’ve got errors we would have used the ROLLBACK command.

1
2
3
4
5
6
7
8
9
10

INSERT INTO
        posts(post_content,
        post_date,
        post_topic,
        post_by)
VALUES
        ('" . mysql_real_escape_string($_POST['post_content']) . "',
         NOW(),
         " . $topicid . ",
         " . $_SESSION['user_id'] . ")

The first thing we do in this code is use mysql_insert_id() to retrieve the latest generated id from the topic_id field in the topics table. As you may remember from the first steps of this tutorial, the id is generated in the database using auto_increment.

Then the post is inserted into the posts table. This query looks a lot like the topics query. The only difference is that this post refers to the topic and the topic referred to a category. From the start, we decided to create a good data model and here is the result: a nice hierarchical structure.

Step 10: Category View

We’re going to make an overview page for a single category. We’ve just created a category, it would be handy to be able to view all the topics in it. First, create a page called category.php.

A short list of the things we need:

Needed for displaying the category

• cat_name
• cat_description

Needed for displaying all the topics

• topic_id
• topic_subject
• topic_date
• topic_cat

Let’s create the two SQL queries that retrieve exactly this data from the database.

1
2
3
4
5
6
7
8

SELECT
    cat_id,
    cat_name,
    cat_description
FROM
    categories
WHERE
    cat_id = " . mysql_real_escape_string($_GET['id'])

The query above selects all the categories from the database.

1
2
3
4
5
6
7
8
9

SELECT
    topic_id,
    topic_subject,
    topic_date,
    topic_cat
FROM
    topics
WHERE
    topic_cat = " . mysql_real_escape_string($_GET['id'])

The query above is executed in the while loop in which we echo the categories. By doing it this way, we’ll see all the categories and the latest topic for each of them.
The complete code of category.php will be the following:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

<?php
//create_cat.php
include 'connect.php';
include 'header.php';
 
//first select the category based on $_GET['cat_id']
$sql = "SELECT
			cat_id,
			cat_name,
			cat_description
		FROM
			categories
		WHERE
			cat_id = " . mysql_real_escape_string($_GET['id']);
 
$result = mysql_query($sql);
 
if(!$result)
{
	echo 'The category could not be displayed, please try again later.' . mysql_error();
}
else
{
	if(mysql_num_rows($result) == 0)
	{
		echo 'This category does not exist.';
	}
	else
	{
		//display category data
		while($row = mysql_fetch_assoc($result))
		{
			echo '<h2>Topics in ′' . $row['cat_name'] . '′ category</h2>';
		}
 
		//do a query for the topics
		$sql = "SELECT
					topic_id,
					topic_subject,
					topic_date,
					topic_cat
				FROM
					topics
				WHERE
					topic_cat = " . mysql_real_escape_string($_GET['id']);
 
		$result = mysql_query($sql);
 
		if(!$result)
		{
			echo 'The topics could not be displayed, please try again later.';
		}
		else
		{
			if(mysql_num_rows($result) == 0)
			{
				echo 'There are no topics in this category yet.';
			}
			else
			{
				//prepare the table
				echo '<table border="1">
					  <tr>
						<th>Topic</th>
						<th>Created at</th>
					  </tr>';	
 
				while($row = mysql_fetch_assoc($result))
				{
					echo '<tr>';
						echo '<td class="leftpart">';
							echo '<h3><a href="topic.php?id=' . $row['topic_id'] . '">' . $row['topic_subject'] . '</a><h3>';
						echo '</td>';
						echo '<td class="rightpart">';
							echo date('d-m-Y', strtotime($row['topic_date']));
						echo '</td>';
					echo '</tr>';
				}
			}
		}
	}
}
 
include 'footer.php';
?>

And here is the final result of our categories page:

Step 11: Topic View

The SQL queries in this step are complicated ones. The PHP-part is all stuff that you’ve seen before. Let’s take a look at the queries. The first one retrieves basic information about the topic:

1
2
3
4
5
6
7

SELECT
    topic_id,
    topic_subject
FROM
    topics
WHERE
    topics.topic_id = " . mysql_real_escape_string($_GET['id'])

This information is displayed in the head of the table we will use to display all the data. Next, we retrieve all the posts in this topic from the database. The following query gives us exactly what we need:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

SELECT
    posts.post_topic,
    posts.post_content,
    posts.post_date,
    posts.post_by,
    users.user_id,
    users.user_name
FROM
    posts
LEFT JOIN
    users
ON
    posts.post_by = users.user_id
WHERE
    posts.post_topic = " . mysql_real_escape_string($_GET['id'])

This time, we want information from the users and the posts table – so we use the LEFT JOIN again. The condition is: the user id should be the same as the post_by field. This way we can show the username of the user who replied at each post.

The final topic view looks like this:

Step 12: Adding a Reply

Let’s create the last missing part of this forum, the possibility to add a reply. We’ll start by creating a form:

1
2
3
4

<form method="post" action="reply.php?id=5">
    <textarea name="reply-content"></textarea>
    <input type="submit" value="Submit reply" />
</form>

The complete reply.php code looks like this.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

<?php
//create_cat.php
include 'connect.php';
include 'header.php';
 
if($_SERVER['REQUEST_METHOD'] != 'POST')
{
	//someone is calling the file directly, which we don't want
	echo 'This file cannot be called directly.';
}
else
{
	//check for sign in status
	if(!$_SESSION['signed_in'])
	{
		echo 'You must be signed in to post a reply.';
	}
	else
	{
		//a real user posted a real reply
		$sql = "INSERT INTO
					posts(post_content,
						  post_date,
						  post_topic,
						  post_by)
				VALUES ('" . $_POST['reply-content'] . "',
						NOW(),
						" . mysql_real_escape_string($_GET['id']) . ",
						" . $_SESSION['user_id'] . ")";
 
		$result = mysql_query($sql);
 
		if(!$result)
		{
			echo 'Your reply has not been saved, please try again later.';
		}
		else
		{
			echo 'Your reply has been saved, check out <a href="topic.php?id=' . htmlentities($_GET['id']) . '">the topic</a>.';
		}
	}
}
 
include 'footer.php';
?>

The comments in the code pretty much detail what’s happening. We’re checking for a real user and then inserting the post into the database.

Finishing Up

Now that you’ve finished this tutorial, you should have a much better understanding of what it takes to build a forum. I hope my explanations were clear enough! Thanks again for reading.

Introduction

While the use of filters and validating data is one part of the security process, a web developer should be aware that Randomization, Obfuscation, and Cryptography in PHP can make a difference in the security of web applications. This tutorial will guide you through some simple techniques at creating and using random or unique values within your web applications, taking a look and applying some general obfuscation techniques, and looking deeper into the science of Cryptology and it’s use within PHP.

What you Will Learn

• How to generate random values with PHP
• Generating random Passwords
• Salting Passwords and Authenticating The User
• Obfuscation in PHP, an Overview
• Cryptography in PHP and it’s Applications

Generating Random Values

Dictionary.com defines randomization as:

“-verb: to order or select in a random manner, as in a sample or experiment, especially in order to reduce bias and interference caused by irrelevant variables; make random.”

Random number generation is determined in a variety of ways, however computational generators fall short of ‘true’ randomness as seen in nature or electronic noise(the fuzzy, screeching, black and white channel on TV). These computed values are regarded as pseudo-random.

PHP provides us with a couple of different ways to create random values. Let’s look at a few of the more popular functions.

1
2
3
4
5
6

<?php
rand(int $min, int $max);
mt_rand(int $min, int $max);
str_shuffle($str);
uniqid($prefix, more_entropy=);
?>

The two functions rand() and mt_rand() are likely the most widely used functions to generate a set of random numbers in PHP. The function rand(); is an older generator, and is falling out of use due to mt_rand(); which is faster, more reliable, and can handle a higher maximum integer value on some platforms. The function str_shuffle() does exactly what you would expect it to, it shuffles a string passed to it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

<?php
//Examples of mt_rand() usage
print mt_rand();//default
 
		echo "<br />";
 
print mt_rand(0, 20);//Outputs a random integer between 0 and 20
 
		echo "<br />";
 
//Examples of rand() usage
 
print rand();//default
 
		echo "<br />";
 
print rand(0, 25);//Outputs a random integer between 0 and 25
 
		echo "<br />";
 
//Example of str_shuffle usage
 
$string = 'abcefghijklmnopqrstuvwxyz';
 
print str_shuffle($string);//shuffles $string
?>

The rand() and mt_rand() functions both accept two parameters where $min is the lowest integer to start with, and $max being the largest integer to end with. The function str_shuffle takes one parameter, a string, outputting a shuffled mutation of the string. It acts the same as if you were shuffling a deck of cards.

While mt_rand(); will spit out a random integer, and str_shuffle will mix a string up, a function widely used to create random unique values is uniqid(). This generates a prefixed unique identifier based on the current time in microseconds(via php.net).

1
2
3
4
5
6
7
8
9

<?php
//Examples of uniqid() usage
 
print uniqid();//default
 
		echo "<br />";
 
print uniqid("GIGASPARTAN", TRUE);//Adding an additional prefix and setting more_entropy to TRUE
?>

The function uniqid() accepts two parameters the first appends a prefix to the results while the second, if set to TRUE, will add additional entropy to the end of the returned value.

Generating Random Passwords

There are a gazillion examples on the web which generate random passwords, all do a fine job at it. “But why,” you ask “would I need to generate a random password?” Well the answer, quite simply, is so you do not have to rely on the end user to provide themselves with a less than secure password at the get go. Generating random passwords is very useful in user registrations, or when a user makes a request because they have forgotten their password. Doing this ensures a strong password at the beginning of a users experience at your website, or can cut down lines of code when a user needs to gain access again.

Let’s look at some examples:Example 1

1
2
3
4
5
6
7
8
9
10
11

<?php
 
//A simple function which will output a random password
function randompassword($count){
 
$pass = str_shuffle('abcefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890@#%$*');
 
return substr($pass,3,$count);//returns the password
 
}
?>

This example shuffles a string with str_shuffle and will return a string within a counted range. So if you wanted to generate an 8 character password then you would pass 8 to the function randompassword, or randompassword(8) from your source code.

Example 2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

<?php
 
//Another example to create a random password
function anorandpass($count) {
 
	$m_rand = mt_rand(); //generate a random integer
 
	$u_id = uniqid("MNO!@#$%^&amp;*=+XYZ", TRUE);//create a unique identifier with some extra prefix and extra entropy
 
	$combine = $m_rand . $u_id;// Combine the variables to form a string
 
	$new = str_shuffle($combine);//shuffle our string
 
	return substr($new, 2, $count);//return the password
}
 
print anorandpass(8);
 
?>

In comparison, example one takes a static string and mixes it up then returns it, example two adds in more dynamic flavor(mmm tasty). In example two the string being shuffled is no longer static, but changes with each generation. While the first example is certainly sufficient in most cases to generate a strong password, the second example allows us to ensure the string length and characters will change with use, greatly decreasing the chance of a duplication.

Enforcing the use of strong passwords within a web application will deter users from visiting or signing up for a website. It is often a trade off between getting the traffic you desire, and ensuring the security of the application. I suggest allowing your users to create their own passwords at sign-up, or allow them to choose between the two.

Please Pass the Salt. Salting Passwords for Increased Security.

Salting passwords is an effective way to increase the security of your users accounts even if an attacker gains access to your database, if done right. It can be argued that, with access to the salt, an attacker can still gain your credentials. While this is true, applying some randomization techniques to the storage of passwords will make that process extremely difficult, especially if the storage of user information and content are divided into separate databases.

Why and How?

Again this falls under the “non-reliance of the end-user to provide themselves simple security” measure. Users generally use passwords which are easy to remember, and even use the same passwords across multiple websites(I know, right!?). Easy to remember passwords are generally words found in a dictionary and other kinds of values(ex. 12345, QWERTY). As developers we often scoff at this practice, but we cannot deny that it’s just the way things are.

In order for a web application to utilize a salt in a password, the application has to store it somewhere. It’s not recommended to use the same salt across an entire database of passwords, but to generate a unique salt per user. Generating one salt for an entire database actually decreases the security of the web application in a sense that if an attacker manages to crack it the entire scheme is broke, or if lost, renders the database useless. Creating a full fledged member registration system with all the bells and whistles is out of the scope of this tutorial, however we will be creating a simple system to use an example. Let’s look at generating a salt and applying some randomization techniques:

1. The Database Connection

Here is the SQL table that we will be using.

CREATE TABLE IF NOT EXISTS `users` (
  `usr_id` int(11) NOT NULL AUTO_INCREMENT,
  `usr_name` varchar(24) NOT NULL,
  `usr_pass` varchar(32) NOT NULL,
  `usr_email` varchar(255) NOT NULL,
  `usr_salt` varchar(255) NOT NULL,
  PRIMARY KEY (`usr_id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 ;

1
2
3
4
5
6
7
8
9
10
11
12
13

<?php
/*db_config.php*/
 
//database configuration
$db_host ="localhost" ; //will likely stay the same
$db_name = "thedbname"; //the name of the database table
$db_usr = "username"; //your database username
$db_pass = "password";//your database password
 
//Establish a connection with MySQL and select the database to use
mysql_connect($db_host, $db_usr, $db_pass) or die("MySQL Error: " . mysql_error());
mysql_select_db($db_name) or die("MySQL Error: " . mysql_error());
?>

2. The Registration File

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

<?php
/*registration.php*/
 
//require our db_config.php file
require ('db_config.php');
 
//Check to see if the form has been submitted
if(!empty($_POST['username'])  &amp;&amp; !empty($_POST['email']) &amp;&amp; !empty($_POST['password'])) {
 
    //Escape our posted inputs
	$username = mysql_real_escape_string($_POST['username']);
	$email = mysql_real_escape_string($_POST['email']);
	$password = mysql_real_escape_string($_POST['password']);
 
    //generate a strong unique salt
	$salt_gen = uniqid(mt_rand());
 
    //Combine email, the password and the salt together
	$combine = $email . $password . $salt_gen;
 
    //md5 hash the combined password * Note: md5 is only used in this scenario as an example
	$newpassword = md5($combine);
 
    //insert the values into the database
	$registerquery = mysql_query("INSERT INTO users (usr_name, usr_pass, usr_email,  usr_salt) VALUES ('".$username."', '".$newpassword."', '".$email."', '".$salt_gen."')") or die("MySQL Error: ".mysql_error());
 
    //let the user know of success or failure
	if ($registerquery) {
		echo '<h1>Success</h1>';
	} else {
		echo '<h1>Failure</h1>';
	}
}
?>