PHP under control: Keep an eye on your source code


Page 1: PHP under control

PHP under control: Keep an eye on your source code

Page 2: PHP under control

Agenda

The age of industrialisation for PHP

How to keep this code under control

Techniques and tools

Organizing teams for quality

Page 3: PHP under control

Speaker

Damien Seguy

Nexen (.net), AlterWay Group

Expert services on LAMP hosting

Raise elePHPants

Monthly PHP stats


Page 4: PHP under control

Keep an eye on the code

Security

Performances

Code quality

Maintenance

But

Bigger teams

Changing teams

Long projects

Lots of code

Page 5: PHP under control

Set up a coding reference

Set up the rules

Share them

Keep them simple

"No bug" is not a rule

Don't try to catch everything

Page 6: PHP under control

Reference suggestions

Security

Filter incoming data

Protect data

Quality

Short functions

No globals

Performances

Fewer require(_once) calls

No eval()

Maintenance

Sensible symbols

CamelCaps or underscores

Page 7: PHP under control

Searching the code

Grep

preg_match()

Tokenizer

Page 8: PHP under control

Grep

Fast, efficient, will always find something

Will find way too much

Difficult to find larger structures (function, class)

Great when you know what to look for

Great with one liners

Page 9: PHP under control

Grep targets

Search for

$_GET, $_POST, $_COOKIE, $_SERVER, $[A-Z]

filter with dot, comma, parenthesis

var_dump, print_r

mysqli_query, mysqli_fetch_, mysqli_error

_once

Page 10: PHP under control

Grep charts

if(isset($_POST['sgoogle'])){

// Traverse each _REQUEST data adn put them in ...

$GLOBALS['HTTP_POST_VARS'] =& $_POST;

$_REQUEST["comments_threadId"] = 0;

$game["desc"] = $_POST['description'];

$comments_t_query .= "?$c_name=" . $_REQUEST["$c_name"];

var_dump($aux);

Page 11: PHP under control

Grep charts

Tiki-wiki (http://tikiwiki.org/)

1422 PHP files

456850 lines of code

178 occurrences of $_POST

7634 occurrences of $_REQUEST

56 var_dump

Page 12: PHP under control

Regexing PHP code

perl -m

More complex regex calls

Sometimes easier to write as PHP

Still a wide net

Only search for strings, not code

Page 13: PHP under control

Regex examples

Spotting heredocs

if (preg_match_all('/<<<(\S*)(.*?)(\1)/is', $code, $r)) { /* $r[2] holds the heredoc bodies */ }

Superglobal assignments

/=\s*\$_[A-Z]/s

But how to get strings?

/'[^']*'/ (Try 'No this won\'t work';)

Page 14: PHP under control

Regex stats

No HereDocs

2645 SELECT

Grep got us 7861, including .sql files, </select> tags

1059 assignments of incoming values ($_REQUEST...)

Page 15: PHP under control

Tokenizer

Your own PHP analyser!

Included since PHP 4.3

Exact with PHP semantics

Huge list of tokens

Must be processed

Rebuild large structure

Page 16: PHP under control

<?php print ("hello $world! "); ?>

print_r(token_get_all(...)) for the line above:

[1] => Array ( [0] => 266 [1] => print [2] => 1 )

[2] => Array ( [0] => 370 [1] =>   [2] => 1 )

[3] => (

[4] => "

[5] => Array ( [0] => 314 [1] => hello [2] => 1 )

[6] => Array ( [0] => 309 [1] => $world [2] => 1 )

[7] => Array ( [0] => 314 [1] => ! [2] => 1 )

[8] => "

[9] => )

[10] => ;

Each token array reads: [0] => PHP token, [1] => PHP code, [2] => Script line; single characters such as " are returned as bare strings.

Page 17: PHP under control

Tokenizer

Extract variable names, arguments, function calls

61 $foo, 2 $ccc

2 $feature_community_friends_permission_dep

all $a .... $z except $o and $q

124 variables only used once...
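The searches of pages 13, 14 and 17 done with the tokenizer instead of grep or a regex, as an added example that is not part of the slides: the script below walks token_get_all() output, reports every statement in which a superglobal appears on the right-hand side of an assignment (which the regex /=\s*\$_[A-Z]/ only approximates and grep over-counts), and lists variables used only once. The sample source in $code is constructed; the list of superglobals and the set of assignment operators are assumptions you can extend.

```php
<?php
// Added example (not from the slides): tokenizer-based search for
// assignments of incoming data. Comments and single-quoted strings are
// skipped because the tokenizer never emits a T_VARIABLE for them.
// $code is a constructed sample; use file_get_contents() on real sources.
$code = <<<'SRC'
<?php
// $x = $_GET['a'];           <- grep and regex both count this comment
$desc  = $_POST['description'];
$game["desc"] = $_POST['description'];
$query .= "?id=" . $_REQUEST["id"];   // .= plus concatenation: regex misses it
$note  = 'no = $_GET here either';    // single-quoted: not a variable token
if ($desc == $_COOKIE['x']) { echo $desc; }   // comparison, not assignment
SRC;

function findIncomingAssignments(string $code): array {
    $superglobals = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST', '$_SERVER', '$_FILES'];
    $assignOps    = ['=', T_CONCAT_EQUAL, T_PLUS_EQUAL];   // assumed set, extend as needed
    $hits = $counts = [];
    $target   = null;    // first variable of the current statement (the receiver)
    $inAssign = false;   // true once an assignment operator has been seen
    foreach (token_get_all($code) as $t) {
        $id = is_array($t) ? $t[0] : $t;   // token id, or the literal character
        if (in_array($id, [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_OPEN_TAG], true)) continue;
        if ($id === ';' || $id === T_CLOSE_TAG) { $target = null; $inAssign = false; continue; }
        if ($id === T_VARIABLE) {
            $counts[$t[1]] = ($counts[$t[1]] ?? 0) + 1;
            if ($target === null) {
                $target = $t[1];
            } elseif ($inAssign && in_array($t[1], $superglobals, true)) {
                $hits[] = sprintf("line %d: %s receives %s", $t[2], $target, $t[1]);
            }
        } elseif (in_array($id, $assignOps, true)) {
            $inAssign = true;
        }
    }
    // "variables only used once" (page 17), superglobals excluded
    $once = array_keys(array_filter($counts, function ($n, $name) use ($superglobals) {
        return $n === 1 && !in_array($name, $superglobals, true);
    }, ARRAY_FILTER_USE_BOTH));
    return ['assignments' => $hits, 'used_once' => $once];
}

$r = findIncomingAssignments($code);
echo implode("\n", $r['assignments']), "\n";     // lines 3, 4 and 5 of the sample
echo "used once: ", implode(', ', $r['used_once']), "\n";   // $game, $query, $note
```

Run nightly over the tree and graph the two counts, as page 20 suggests; a rising "receives" count is the signal to act on.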

Page 18: PHP under control

Other ideas?

VLD

Vulcan Logic Disassembler

Tokenizer, but worse

xDebug

Great for execution time

Error handler (great for PHP 4->5)

PHP is dynamic: tough on vars

Requires automated browsing

Page 19: PHP under control

Tools

PHP error reporting (E_STRICT)

PHP Code Sniffer (PEAR)

PHP Mess detector (PHP Unit)

phpCallGraph

Page 20: PHP under control

Managing the finds

Count every value of the previous searches

every night / every commit

Graph it and act upon changes

phpUnderControl (.org)

Page 21: PHP under control

Progressive implementation

Set up your reference

Organize a few tests

Graph them, and act upon violation

When 0 (or stable), add extra tests

Page 22: PHP under control

Organizing teams

Set up code cross-reviews

Pair developers in twos

Each one reviews the other's code

Everyone has the same reference

Google mondriantool

Page 23: PHP under control

Organizing teams

It distributes the reviews among developers

not the team lead, not the current hierarchy

A senior can take on a junior, or recent employees

Both might benefit

Works even under load

Page 24: PHP under control

http://www.nexen.net/english.php