book

Real-World Solutions for Developing High-Quality PHP Frameworks and Applications

Name: Real-World Solutions for Developing High-Quality PHP Frameworks and Applications
ISBN: 9780470872499

by Sebastian Bergmann, Stefan Priebsch

May 2011

Intermediate to advanced

408 pages

11h 56m

English

Wrox

Read now

Unlock full access

Copyright
ABOUT THE AUTHORS
CREDITS
FOREWORD
INTRODUCTION
ABOUT THIS BOOKIs This a PHP Book?Structure of the BookABOUT THE CASE STUDY AUTHORSRobert Lemke, TYPO3 Association, and Karsten Dambekalns, TYPO3 AssociationBenjamin Eberlei, direkt:effekt GmbHMatthew Weier O'Phinney, Zend Technologies Ltd.Tobias SchlittFabien Potencier, Sensio LabsKore NordmannMichael Lively Jr., Selling Source LLCChristiane Philipps, Rebate Networks GmbH, and Max Horváth, Vodafone GmbHManuel Pichler, OnVista Media GmbH, and Sebastian Nohn, Ligatus GmbHLars Jankowfsky, swoodoo AGJens GrochtdreisBrian ShireArne Blankerts, thePHP.ccERRATAP2P.WROX.COM
I. Foundations
1. Software Quality
1.1. EXTERNAL QUALITY1.2. INTERNAL QUALITY1.3. TECHNICAL DEBT1.4. CONSTRUCTIVE QUALITY ASSURANCE1.5. CLEAN CODE1.5.1. Explicit and Minimal Dependencies1.5.2. Clear Responsibilities1.5.3. No Duplication1.5.4. Short Methods with Few Execution Branches1.6. SOFTWARE METRICS1.6.1. Cyclomatic Complexity and npath Complexity1.6.2. Change Risk Anti-Patterns (CRAP) Index1.6.3. Non-Mockable Total Recursive Cyclomatic Complexity1.6.4. Global Mutable State1.6.5. Cohesion and Coupling1.7. TOOLS1.7.1. PHPUnit1.7.2. phploc1.7.3. PHP Copy-Paste-Detector (phpcpd)1.7.4. PHP Dead Code Detector (phpdcd)1.7.5. PHP_Depend (pdepend)1.7.6. PHP Mess Detector (phpmd)1.7.7. PHP_CodeSniffer (phpcs)1.7.8. bytekit-cli1.7.9. PHP_CodeBrowser (phpcb)1.7.10. CruiseControl and phpUnderControl1.7.11. Hudson1.7.12. Arbit1.8. CONCLUSION
2. Software Testing
2.1. BLACK BOX AND WHITE BOX TESTS2.2. HOW MANY TESTS ARE NEEDED?2.3. SYSTEM TESTS2.3.1. Browser Testing2.3.2. Automated Tests2.3.3. Test Isolation2.3.4. Acceptance Tests2.3.5. Limits of System Tests2.4. UNIT TESTS2.4.1. Return Values2.4.2. Dependencies2.4.3. Side Effects2.5. REAL-LIFE EXAMPLE2.5.1. Analyzing the Code to Test2.5.2. Setting Up a Test Environment2.5.3. Avoid Global Dependencies2.5.4. Test Independently from Data Sources2.5.5. Testing Asynchronous Events2.5.6. Storing Changes in the Database2.5.7. Unpredictable Results2.5.8. Encapsulating Input Data2.5.9. Further Reflections2.6. CONCLUSION
II. Best Practices
3. TYPO3: The Agile Future of a Ponderous Project
3.1. INTRODUCTION3.1.1. The History of TYPO3: Thirteen Years in Thirteen Paragraphs3.1.2. Daring to Start Over!3.1.3. Our Experience with Testing3.2. POLICIES AND TECHNIQUES3.2.1. Bittersweet Elephant Pieces3.2.2. Test-Driven Development3.2.3. Tests as Documentation3.2.4. Continuous Integration3.2.5. Clean Code3.2.6. Refactoring3.2.7. Programming Guidelines3.2.8. Domain-Driven Design3.3. COURSE OF ACTION IN DEVELOPMENT3.3.1. Developing New Code3.3.2. Extending and Modifying Code3.3.3. Optimizing Code3.3.3.1. Speed3.3.3.2. Readability3.3.4. Finding and Fixing Bugs3.3.5. Disposing of Old Code3.4. TEST RECIPES3.4.1. Inadvertently Functional Unit Test3.4.2. Access to the File System3.4.3. Constructors in Interfaces3.4.4. Testing Abstract Classes3.4.5. Testing Protected Methods3.4.6. Use of Callbacks3.5. INTO THE FUTURE

4. Unit Testing Bad Practices
4.1. WHY TEST QUALITY MATTERS4.2. BAD PRACTICES AND TEST SMELLS4.2.1. Duplication in Test Code4.2.2. Assertion Roulette and Eager Test4.2.3. Fragile Test4.2.4. Obscure Test4.2.4.1. Problems with Global State4.2.4.2. Indirect Testing4.2.4.3. Obscure Test Names4.2.5. Lying Test4.2.6. Slow Test4.2.7. Conditional Logic in Tests4.2.8. Self-validating Tests4.2.9. Web-surfing Tests4.2.10. Mock Overkill4.2.11. Skip Epidemic4.3. CONCLUSION
5. Quality Assurance at Digg Inc.
5.1. PROBLEMS WE ARE FACING5.1.1. Legacy Code Base5.1.2. How Do We Solve These Problems?5.1.2.1. Size Does Matter5.1.2.2. Team Size5.1.2.3. Project Size5.1.2.4. Code Size5.1.2.5. Unit Testing and You5.1.3. Choosing a Testing Framework5.1.4. Working with an Expert5.1.4.1. One Week in a Room5.2. TRAINING OUR TEAM5.3. WRITING TESTABLE CODE5.3.1. Avoid Static Methods5.3.2. Dependency Injection5.4. MOCK OBJECTS5.4.1. Overview5.4.2. Database5.4.3. Loosely Coupled Dependencies5.4.4. Subject/Observer for Testing Class Internals5.4.5. Memcached5.4.6. Mocking a Service-Oriented Architecture5.4.6.1. Model5.4.6.2. Service Query5.4.6.3. Service Endpoint5.4.6.4. The Base Classes5.5. DIGG'S QUALITY ASSURANCE PROCESS5.5.1. Testing5.5.1.1. Planning the Testing Effort5.5.1.2. Tasks5.5.1.3. Automation5.5.2. Benefits5.5.2.1. Testing Early5.5.2.2. Testing Often5.5.2.3. Challenges5.6. CONCLUSION
III. Servers and Services
6. Testing Service-Oriented APIs
6.1. THE PROBLEMS6.2. SOLUTIONS6.2.1. API Credentials6.2.2. API Limits6.2.3. Offline Testing of Service Protocols6.2.4. Offline Testing of Concrete Services6.3. CONCLUSION
7. Testing a WebDAV Server
7.1. ABOUT THE eZ WEBDAV COMPONENT7.1.1. WebDAV7.1.2. Architecture7.2. DEVELOPMENT CHALLENGES7.2.1. Requirements Analysis7.2.2. TDD after RFC7.2.3. Testing a Server7.3. AUTOMATED ACCEPTANCE TESTS WITH PHPUNIT7.3.1. Capturing Test Trails7.3.2. Test Recipe7.3.3. Integration into PHPUnit7.3.3.1. A Custom Test Case7.3.3.2. The Acceptance Test Suite7.3.3.3. Acceptance Tests by Example7.4. CONCLUSION
IV. Architecture
8. Testing symfony and symfony Projects
8.1. TESTING A FRAMEWORK8.1.1. The symfony Release Management Process8.1.1.1. Long-term Support8.1.1.2. Code Coverage8.1.2. Tests versus Real Code8.1.3. Running the Test Suite8.1.4. Main Lessons Learned8.1.4.1. Never Use the Singleton Design Pattern in PHP8.1.4.2. Decouple Your Code with Dependency Injection8.1.4.3. Lower the Number of Dependencies between Objects with an Event Dispatcher8.2. TESTING WEB APPLICATIONS8.2.1. Lowering the Barrier of Entry of Testing8.2.2. Unit Tests8.2.2.1. Easy to Install8.2.2.2. Easy to Learn8.2.2.3. Fun to Use8.2.3. Functional Tests8.2.3.1. The Browser Simulator8.2.3.2. The Fixtures8.2.3.3. The CSS3 Selectors8.2.3.4. Testing Forms8.2.3.5. Debugging8.3. CONCLUSION
9. Testing the ezcGraph Component
9.1. DEVELOPMENT PHILOSOPHY9.2. GRAPH COMPONENT9.2.1. Architecture9.2.2. Test Requirements9.3. DRIVER MOCKING9.3.1. Mock the Driver9.3.2. Multiple Assertions9.3.3. Structs9.3.4. Expectation Generation9.3.5. Conclusion9.4. TESTING BINARY DATA9.4.1. The Drivers9.4.2. Expectation Generation9.4.3. SVG9.4.3.1. XML Comparison9.4.3.2. Floating-point Problems9.4.4. Bitmap Creation9.4.4.1. Bitmap Comparison9.4.4.2. GD Version Differences9.4.5. Flash9.4.5.1. The Assertion9.5. CONCLUSION
10. Testing Database Interaction
10.1. INTRODUCTION10.2. REASONS NOT TO WRITE DATABASE TESTS10.3. WHY WE SHOULD WRITE DATABASE TESTS10.4. WHAT WE SHOULD TEST10.5. WRITING TESTS: MOCKING DATABASE CONNECTIONS10.6. WRITING TESTS: PHPUNIT DATABASE EXTENSION10.6.1. The Database Test Case Class10.6.2. Establishing the Test Database Connection10.6.3. Creating Data Sets10.6.3.1. XML Data Sets10.6.3.2. Flat XML Data Sets10.6.3.3. CSV Data Sets10.6.3.4. YAML Data Sets10.6.3.5. Database Data Sets10.6.3.6. Data Set Decorators10.6.3.6.1. Filter Decorator10.6.3.6.2. Composite Decorator10.6.3.6.3. Replacement Decorator10.6.3.7. Generating Data Sets10.6.4. Data Operations10.6.5. Creating Tests10.6.5.1. Testing the Loading of Data10.6.5.2. Testing the Modification of Data10.6.6. Using the Database Tester10.7. APPLYING TEST-DRIVEN DESIGN TO DATABASE TESTING10.8. USING DATABASE TESTS FOR REGRESSION TESTING10.8.1. Testing Problems with Data10.8.2. Testing Problems Revealed by Data10.9. CONCLUSION
V. Q&A in the Large
11. Quality Assurance at studiVZ
11.1. INTRODUCTION11.1.1. About studiVZ11.2. ACCEPTANCE TESTS11.2.1. Acceptance Tests in Agile Environments11.3. SELENIUM11.3.1. The Selenium Extension of PHPUnit11.4. THE TECHNICAL SETUP OF STUDIVZ11.4.1. Development Environment11.4.2. Test Environment11.5. BEST PRACTICES11.5.1. Sins of Our Youth11.5.1.1. Monolithic Tests11.5.1.2. Static Users11.5.2. Strategy Change11.5.2.1. Atomic Tests with Dynamic Test Data11.5.2.2. Robust Selenium Tests11.5.2.3. Test Scope Must Be Clear11.5.2.4. Common Functionality or Browser Compatibility as Well?11.5.2.5. Fix Tests Right Away!11.5.2.6. Stabilize Locators, and Use IDs11.5.2.7. Speed, the Sore Subject11.5.2.8. Recipes for Last-Minute Features11.5.2.9. Tests Are Software Too11.5.2.10. Capture and Replay versus Programming Tests11.5.2.11. The Team: a Good Mix11.6. WE NEED A DSL11.6.1. Internal DSL11.6.2. Testing_SeleniumDSL 1.011.6.2.1. Problem: Context Sensitivity11.6.3. Testing_SeleniumDSL 2.0—a Draft11.6.4. State and Outlook on Version 2.011.7. CONCLUSION
12. Continuous Integration
12.1. INTRODUCTION12.1.1. Continuous Integration12.1.1.1. Configuration12.1.1.2. Build Management and Automated Tests12.1.1.3. Version Management12.1.1.4. Continuous Integration12.1.2. Static Analysis12.1.2.1. Code Clones12.1.2.2. Refactoring12.1.2.3. Software Metrics12.1.2.4. Classic Metrics12.1.2.4.1. Lines of Code12.1.2.4.2. Number of Classes, Methods, and Functions in a System12.1.2.4.3. Cyclomatic Complexity12.1.2.5. Object-Oriented Metrics12.1.2.5.1. Instability, Abstraction, and Distance12.1.2.5.2. Code Rank12.1.2.5.3. Getting a Quick Overview12.1.2.6. RATS12.2. INSTALLATION12.3. CONFIGURATION12.3.1. Static Tests12.3.1.1. Programming Conventions12.3.1.2. Coding Guidelines12.3.1.3. Gradual Introduction into Legacy Projects12.3.1.4. Coding Standards in the Daily Work12.3.1.5. Syntax Analysis12.3.2. Dynamic Tests12.3.3. Reporting12.3.3.1. Notification in the Case of Errors12.3.3.2. Statistics12.3.3.3. PHP_CodeBrowser12.3.4. Deliverables12.4. OPERATIONS12.5. ADVANCED TOPICS12.5.1. Continuous Deployment12.5.2. Using a Reverse Proxy12.5.3. Continuous Integration and Agile Paradigms12.6. CONCLUSION
13. swoodoo: A True Agile Story
13.1. INTRODUCTION13.2. EVOLUTION: ONLY THE STRONG SURVIVE13.2.1. How We Reached the eXtreme Side13.3. AND WHILE WE ARE WORKING...13.4. THE ART OF EVOLUTION13.4.1. Lack of Experience13.4.2. The Java-developer-coding-in-PHP Phenomenon13.4.3. The Nobody-but-me-understands-my-code Developer13.5. CONCLUSION
VI. Non-Functional Aspects
14. Usability
14.1. ANYTHING GOES, BUT WHAT IS THE PRICE?14.2. DESIGN ASPECTS14.2.1. Accessibility14.2.2. Readability14.2.3. Labels for Form Elements14.2.4. Navigating by Keyboard14.2.5. Effective Contrast14.2.6. Logo Links to Home Page14.2.7. Alternative Texts for Images14.2.8. Background Image in Background Color14.2.9. Usable Print Version14.2.10. Visible Links14.2.11. Good Bookmarks14.2.12. No Frames14.2.13. Scalable Fonts14.3. TECHNICAL ASPECTS14.3.1. Performance14.3.1.1. Semantic Code14.3.1.2. Fewer Requests14.3.1.3. CSS Sprites14.3.1.4. JavaScript on Bottom, CSS on Top14.3.1.5. Link CSS Instead of Importing14.3.2. JavaScript14.4. USER GUIDANCE14.4.1. The "Fold" Myth14.4.2. Feedback on Interaction14.4.3. Navigation14.4.4. Pop-ups and Other Annoyances14.4.5. Habits and Expectations14.4.6. Fault Tolerance and Feedback14.5. TESTING USABILITY14.6. CONCLUSION
15. Performance Testing
15.1. INTRODUCTION15.1.1. Tools15.1.2. Environmental Considerations15.2. LOAD TESTING15.2.1. Apache Bench15.2.2. Pylot15.2.3. Other Load Testing Tools15.3. PROFILING15.3.1. Callgrind15.3.2. KCachegrind15.3.3. APD15.3.4. Xdebug15.3.5. XHProf15.3.6. OProfile15.4. SYSTEM METRICS15.4.1. strace15.4.2. Sysstat15.4.3. Custom Instrumentation15.5. COMMON PITFALLS15.5.1. Development versus Production Environments15.5.2. CPU Time15.5.3. Micro-Optimizations15.5.4. PHP as the Glue15.5.5. Priority of Optimization15.6. CONCLUSION
16. Security
16.1. WHAT IS SECURITY?16.2. SECURE BY DESIGN16.2.1. Operations16.2.2. Physical Access16.2.3. Software Development16.2.3.1. No Security by Obscurity16.2.3.2. Separation of Concerns16.2.3.3. A Matter of Rights16.2.3.4. Error Handling16.2.3.5. Basic Settings16.3. WHAT DOES SECURITY COST?16.4. THE MOST COMMON PROBLEMS16.4.1. A10: Unvalidated Redirects and Forwards16.4.2. A9: Insufficient Transport Layer Protection16.4.3. A8: Failure to Restrict URL Access16.4.4. A7: Insecure Cryptographic Storage16.4.5. A6: Security Misconfiguration16.4.6. A5: Cross-Site Request Forgery (CSRF/XSRF)16.4.7. A4: Insecure Direct Object References16.4.8. A3: Broken Authentication and Session Management16.4.9. A2: Cross-Site Scripting (XSS)16.4.10. A1: Injection16.5. CONCLUSION
17. Conclusion
BIBLIOGRAPHY

Content preview from Real-World Solutions for Developing High-Quality PHP Frameworks and Applications

Chapter 16. Security

Arne Blankerts

WHAT'S IN THIS CHAPTER?

Security defined
The Secure by Design paradigm
The Open Web Application Security Project's top 10 security risks

WHAT IS SECURITY?

When addressing the topic of security in the IT world, the first thing to do is define what the term "security" means and how customers as well as colleagues interpret it. If we were to ask politicians, security basically comes down to surveillance. And, of course, monitoring servers and infrastructure is a vital component, yet getting an alarm shows only one thing—that an attack has happened (and most likely was successful). Any type of surveillance or monitoring, by its very nature, triggers the alert but has no means to actually protect against it or the flaw in the application that made it possible. By this definition, monitoring is only one of many elements in a holistic security concept.

If we ask administrative IT staff what security means for them, the answer most probably goes in the direction of user accounting and permissions. It also covers the requirement to disable and remove unneeded services—so-called "hardening"—as well as applying strict firewall rules. Again, these answers are correct. But as already identified with surveillance, a secure infrastructure is not enough. Of course, it is of vital importance that the application, once developed, is executed in an environment that is trusted and relied upon. But even the best web application can't be secure if the database it connects ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

PHP 7: Real World Application Development

Publisher Resources

ISBN: 9780470872499Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Real-World Solutions for Developing High-Quality PHP Frameworks and Applications

by Sebastian Bergmann, Stefan Priebsch

Chapter 16. Security

WHAT IS SECURITY?

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.