CMU529: Full-Stack Web Development

Session 10: Advanced PHP Features & Security

Duration: 3 hours

Topics: Advanced PHP features, security best practices, performance optimization

Session Timeline

10 min: Registration & waiting

20 min: Opening slides

45 min: Task 1

15 min: Break/Catch up

20 min: Secondary slides

45 min: Task 2

Remaining: Self-study

Advanced PHP Features Overview

Key Areas:

  • Object-Oriented Programming (OOP)
  • Namespaces & Autoloading
  • Advanced Error Handling
  • Security Best Practices
  • Performance Optimization

Object-Oriented Programming

<?php
  class User {
    private $id;
    private $username;
    private $email;

    public function __construct($username, $email) {
      $this->username = $username;
      $this->email = $email;
    }

    public function getUsername() {
      return $this->username;
    }
  }

  $user = new User("john_doe", "john@example.com");
  echo $user->getUsername(); // Output: john_doe
?>

Namespaces

<?php
  namespace App\Models;

  class Product {
    private $name;
    private $price;

    public function __construct($name, $price) {
      $this->name = $name;
      $this->price = $price;
    }
  }

  // Using the class
  use App\Models\Product;
  $product = new Product("Laptop", 999.99);
?>

Advanced Error Handling

<?php
  set_error_handler(function($severity, $message, $file, $line) {
    throw new ErrorException($message, 0, $severity, $file, $line);
  });

  try {
    $result = 10 / 0;
  } catch (ErrorException $e) {
    error_log("Error: " . $e->getMessage());
    echo "An error occurred. Please try again.";
  } finally {
    restore_error_handler();
  }
?>

Security Best Practices

Essential Security Measures:

  • Input Validation & Sanitization
  • SQL Injection Prevention
  • XSS Protection
  • CSRF Protection
  • Password Hashing

Input Validation & Sanitization

<?php
  function validateEmail($email) {
    return filter_var($email, FILTER_VALIDATE_EMAIL);
  }

  function sanitizeInput($input) {
    $input = trim($input);
    $input = stripslashes($input);
    $input = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    return $input;
  }

  $email = sanitizeInput($_POST['email']);
  if (validateEmail($email)) {
    // Process valid email
  }
?>

SQL Injection Prevention

<?php
  // BAD - Vulnerable to SQL injection
  $username = $_POST['username'];
  $query = "SELECT * FROM users WHERE username = '$username'";

  // GOOD - Using prepared statements
  $stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
  $stmt->execute([$username]);
  $user = $stmt->fetch();

  // Also good - Using named parameters
  $stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
  $stmt->execute(['username' => $username]);
?>

XSS Protection

<?php
  // Prevent XSS attacks
  function escapeOutput($data) {
    if (is_array($data)) {
      return array_map('escapeOutput', $data);
    }
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
  }

  $userInput = "<script>alert('XSS')</script>";
  echo escapeOutput($userInput);
  // Output: &lt;script&gt;alert('XSS')&lt;/script&gt;
?>

CSRF Protection

<?php
  session_start();

  // Generate CSRF token
  if (!isset($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
  }

  // In form
  echo '<input type="hidden" name="csrf_token" value="' . $_SESSION['csrf_token'] . '">';

  // Verify token
  if ($_POST['csrf_token'] !== $_SESSION['csrf_token']) {
    die('CSRF token validation failed');
  }
?>

Password Security

<?php
  // Hash password
  $password = "user_password";
  $hashedPassword = password_hash($password, PASSWORD_DEFAULT);

  // Verify password
  if (password_verify($password, $hashedPassword)) {
    echo "Password is correct";
  }

  // Check if password needs rehashing
  if (password_needs_rehash($hashedPassword, PASSWORD_DEFAULT)) {
    $newHash = password_hash($password, PASSWORD_DEFAULT);
  }
?>

Performance Optimization

Optimization Techniques:

  • Database Query Optimization
  • Caching Strategies
  • Code Optimization
  • Memory Management

Database Query Optimization

<?php
  // BAD - N+1 query problem
  $users = $pdo->query("SELECT * FROM users")->fetchAll();
  foreach ($users as $user) {
    $orders = $pdo->query("SELECT * FROM orders WHERE user_id = " . $user['id']);
  }

  // GOOD - Single query with JOIN
  $stmt = $pdo->query("SELECT u.*, o.* FROM users u LEFT JOIN orders o ON u.id = o.user_id");
  $results = $stmt->fetchAll();

  // Use indexes
  // CREATE INDEX idx_user_email ON users(email);
?>

Caching Strategies

<?php
  // Simple file caching
  function getCachedData($key, $callback, $ttl = 3600) {
    $cacheFile = "cache/" . md5($key) . ".cache";

    if (file_exists($cacheFile) && (time() - filemtime($cacheFile)) < $ttl) {
      return unserialize(file_get_contents($cacheFile));
    }

    $data = $callback();
    file_put_contents($cacheFile, serialize($data));
    return $data;
  }

  $products = getCachedData('products', function() use ($pdo) {
    return $pdo->query("SELECT * FROM products")->fetchAll();
  });
?>

Code Optimization

<?php
  // BAD - Inefficient loops
  for ($i = 0; $i < count($array); $i++) {
    echo $array[$i];
  }

  // GOOD - Optimized loops
  $count = count($array);
  for ($i = 0; $i < $count; $i++) {
    echo $array[$i];
  }

  // Even better - foreach
  foreach ($array as $item) {
    echo $item;
  }
?>

Memory Management

<?php
  // Set memory limit
  ini_set('memory_limit', '256M');

  // Process large datasets in chunks
  $offset = 0;
  $limit = 1000;

  do {
    $stmt = $pdo->prepare("SELECT * FROM large_table LIMIT ? OFFSET ?");
    $stmt->execute([$limit, $offset]);
    $rows = $stmt->fetchAll();

    foreach ($rows as $row) {
      // Process row
    }

    $offset += $limit;
  } while (count($rows) == $limit);
?>

Task 1: Security Implementation

Create a secure user registration system:

  • Implement input validation for username, email, and password
  • Add CSRF protection to the registration form
  • Hash passwords using password_hash()
  • Prevent SQL injection using prepared statements
  • Add XSS protection for output
  • Implement proper error handling

Time: 45 minutes

Advanced Features

Additional Advanced Topics:

  • File Upload Security
  • Session Security
  • API Security
  • Logging & Monitoring

File Upload Security

<?php
  function validateFileUpload($file) {
    $allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];
    $maxSize = 5 * 1024 * 1024; // 5MB

    if ($file['error'] !== UPLOAD_ERR_OK) {
      return false;
    }

    if (!in_array($file['type'], $allowedTypes)) {
      return false;
    }

    if ($file['size'] > $maxSize) {
      return false;
    }

    return true;
  }
?>

Task 2: Performance Optimization

Optimize an existing e-commerce application:

  • Implement database query optimization
  • Add caching for product listings
  • Optimize image loading and storage
  • Implement pagination for large datasets
  • Add error logging and monitoring
  • Optimize memory usage

Time: 45 minutes

Session Summary

Key Takeaways:

  • Advanced PHP features enhance code organization and reusability
  • Security is critical - always validate, sanitize, and protect
  • Performance optimization improves user experience
  • Proper error handling and logging are essential
  • Follow best practices for production applications

Next Session: Modern JavaScript Libraries