How can the following line of code be improved?
$db->query("insert into foo values($id,$bar)")
A. Use addslashes and sprintf to avoid security holes and make the code cleaner
B. Split the query over several lines
C. Use mysql_query() instead of $db->query()
D. Define the table fields that will be affected by the INSERT statement
E. Use mysql_query() instead of $db->query() and addslashes to avoid security holes
Answers A, B, and D are correct. First of all, you need to ensure that the query is secure; this is done by running addslashes (or the equivalent escaping function for your DBMS of choice) on the values, so that user-supplied data cannot alter the SQL statement (an injection attack). If your query is long, it's not a bad idea to split it over several lines to get a better overview of your code. Use sprintf() where possible to make the code cleaner. Finally, it's always a good idea to name the table fields that will be filled by an INSERT statement, to prevent unexpected errors if the table changes.
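The rewrite the answer describes, written out as an added example (this is not code from the original quiz). $db is assumed to be a mysqli connection and the column names id and bar are hypothetical; the escaping call is the driver's own function, which is the "equivalent for your DBMS" the answer refers to. A second function shows the parameterized form of the same INSERT, where the values never become part of the SQL text and no escaping step is needed at all.

```php
<?php
// Added example, not from the original quiz. $db is assumed to be a mysqli
// connection; the table foo and its columns (id, bar) are hypothetical.

// Answers A, B and D applied: explicit column list, sprintf for readability,
// the string value escaped by the connection (which knows its character set,
// unlike addslashes), and the integer forced through %d.
function insert_foo_escaped(mysqli $db, int $id, string $bar): bool
{
    $sql = sprintf(
        "INSERT INTO foo (id, bar)
         VALUES (%d, '%s')",
        $id,
        $db->real_escape_string($bar)
    );
    return $db->query($sql) !== false;
}

// Same INSERT with a prepared statement: the driver sends the values
// separately from the statement text, so "', or 1=1" in $bar is stored as
// literal data and cannot change the query.
function insert_foo_prepared(mysqli $db, int $id, string $bar): bool
{
    $stmt = $db->prepare("INSERT INTO foo (id, bar) VALUES (?, ?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("is", $id, $bar); // "i" = integer, "s" = string
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed usage: connection details are placeholders.
// $db = new mysqli("localhost", "user", "password", "database");
// insert_foo_prepared($db, 42, "O'Reilly"); // the quote is stored as-is
```

Both functions keep the column list, so the statement keeps working if a column is appended to the table later; only the second one is independent of the escaping rules of the database in use.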
You developed a big application accessed by several thousand users at the same time. Suddenly, your web server stops responding and users are getting connection errors. What could have happened?
A. The database server was terminated because of the unusually high amount of database accesses.
B. The web server was misconfigured so that it ran into virtual memory usage and consequent resource starvation because of too many child processes.
C. You didn't optimize your code design properly.
Answer B is correct. Although it is possible that the database server was killed because of the many requests from the users, they should at least be able to see the HTML pages of the website, because the web server would still be running. If connections are timing out, it is likely that the server ran into swap space because the number of concurrent web server child processes was misconfigured, and crashed because of resource starvation.
You are in a team of developers working on a number of different business applications. Your project manager tells you that in two weeks another three PHP developers will join the team and that you have to ensure that they will be ready to dive in to the current PHP code without problems. What could you do?
A. Write proper end user documentation on how to use the web front end.
B. Write proper end user documentation and generate proper PHPDoc comments inside the code to get an API documentation.
C. The absence of documentation will actually encourage the new developers to delve more deeply into the code.
Answer B is correct—or, at least, as correct as you can get in a general situation. The key here is that you should write proper documentation at the same time as you're writing your code. You could then use a tool such as PHPDocumentor to generate a nicely formatted API documentation in HTML or PDF and make it available to any new developers who join your team.
Suppose that you are receiving input from the user in the form of the string "0mydeviceid" for a field for which you only allow valid numeric values. You want to test if this variable is equal to 0 and, if it isn't, output an error. Which comparison operation should you use?
A. (0 = "0mydeviceid")
B. (0 == "0mydeviceid")
C. (0 === "0mydeviceid")
D. None of the above
Answer D is correct. Because PHP automatically converts the string "0mydeviceid" to 0 when comparing it with the equality operator ==, your condition in answer B evaluates to true even though the user input is not a valid numeric value. The expression in answer C, on the other hand, correctly determines that the user input is not a valid integer—but that will always be the case, because you are likely to always receive user input in the form of a string—so, even if that string can be converted to an integer value, the identity test will fail.
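The point of answer D is that neither comparison validates the input; the check has to be done explicitly. The following added example (not code from the original quiz; $input is constructed sample data) shows both comparisons next to a real validation step. The lead-in also adds one caveat the quiz predates: PHP 8.0 changed integer-to-string comparison so that a non-numeric string such as "0mydeviceid" is compared as a string, which makes answer B false on PHP 8 but true on PHP 5 and 7. The explicit check gives the same result on every version.

```php
<?php
// Added example, not from the original quiz. Shows why the loose and strict
// comparisons in answers B and C do not validate the field, and the check
// that does. $input values below are constructed sample data.

// Accept only strings made entirely of decimal digits: "0" and "42" pass,
// "0mydeviceid", "" and "-1" fail. Use filter_var(..., FILTER_VALIDATE_INT)
// instead if signed integers must be accepted.
function is_valid_numeric_field(string $input): bool
{
    return $input !== '' && ctype_digit($input);
}

function compare_examples(string $input): array
{
    return [
        // Answer B: true on PHP 5/7 (string cast to 0), false on PHP 8+
        // (non-numeric string is compared as a string). Not a validity check.
        'loose'  => (0 == $input),
        // Answer C: always false, because an int is never identical to a
        // string, even when $input is exactly "0".
        'strict' => (0 === $input),
        // Answer D: test the format of the input itself.
        'valid'  => is_valid_numeric_field($input),
    ];
}

foreach (["0mydeviceid", "0", "42"] as $input) {
    echo $input, ": ";
    if (!is_valid_numeric_field($input)) {
        echo "error: not a numeric value\n";
    } else {
        echo "accepted as ", (int) $input, "\n";
    }
    var_dump(compare_examples($input));
}
```

Once the string has passed is_valid_numeric_field(), casting it with (int) and comparing the result to 0 is safe; the cast is only trustworthy after the format check, which is what the comparisons in answers B and C skip.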