Category: General

What are magic methods, magic quotes, short tags in php?

Magic Methods:

PHP functions that start with a double underscore – a “__” – are called magic functions (and/or methods) in PHP. They are functions that are always defined inside classes, and are not stand-alone (outside of classes) functions. The magic functions available in PHP are: __construct(), __destruct(), __call(), __callStatic(), __get(), __set(), __isset(), __unset(), __sleep(), __wakeup(), __toString(), __invoke(), __set_state(), __clone(), and __autoload().

Why are they called Magic Methods?
The definition of a magic function is provided by the programmer – meaning you, as the programmer, will actually write the definition. This is important to remember – PHP does not provide the definitions of the magic functions – the programmer must actually write the code that defines what the magic function will do. But, magic functions will never directly be called by the programmer – actually, PHP will call the function ‘behind the scenes’. This is why they are called ‘magic’ functions – because they are never directly called, and they allow the programmer to do some pretty powerful things.

PHP: What are magic methods?

Magic Quotes:
Magic Quotes is a process that automagically escapes incoming data to the PHP script. It’s preferred to code with magic quotes off and to instead escape the data at runtime, as needed.

This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

Short Tags:
< ?= Hello World ? >
Output is displayed directly to the browser.

– PHP also allows for short open tags which are discouraged because they are only available if enabled with short_open_tag php.ini configuration file directive
– Can have problems with portability if the server does not allow short tags
– Can interfere with XML documents.

Ajax and XMLHttpRequest

Ajax – an acronym for Asynchronous JavaScript and XML)[1] is a group of interrelated Web development techniques used on the client-side to create asynchronous Web applications. With Ajax, Web applications can send data to, and retrieve data from, a server asynchronously (in the background) without interfering with the display and behavior of the existing page. Data can be retrieved using the XMLHttpRequest object. Despite the name, the use of XML is not required; JSON is often used instead (see AJAJ), and the requests do not need to be asynchronous.

Technologies involved:
HTML (or XHTML) and CSS for presentation
The Document Object Model (DOM) for dynamic display of and interaction with data
XML for the interchange of data, and XSLT for its manipulation
The XMLHttpRequest object for asynchronous communication
JavaScript to bring these technologies together

XMLHttpRequest (XHR) is an API available to web browser scripting languages such as JavaScript. It is used to send HTTP or HTTPS requests to a web server and load the server response data back into the script. All browsers supports XMLHttpRequest.

typical use: 

var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
       // Typical action to be performed when the document is ready:
       document.getElementById("demo").innerHTML = xhttp.responseText;
    }
};
xhttp.open("GET", "filename", true);
xhttp.send();

With Jquery : 

$('#main-menu a').click(function(event) {
   event.preventDefault();
 
   $.ajax(this.href, {
      success: function(data) {
         $('#main').html($(data).find('#main *'));
         $('#notification-bar').text('The page has been successfully loaded');
      },
      error: function() {
         $('#notification-bar').text('An error occurred');
      }
   });
});

Sorting Algorithms

1) Merge Sort

– O(n log n) comparison based sorting algorithm (best case, worst case, avg case)
– Produces a stable sort (implementation preserves the input order of equal elements in the sorted output)
– Top Down Implementation and Bottom Up Implementation
– Is more efficient at handling slow-to-access sequential media. Merge sort is often the best choice for sorting a linked list
– Uses more memory (2n locations)
– Can be parallelized

2) Quick Sort
– Avg O(n log n) , Worst Case O(n ^ 2)
– Is comparison based sorting
– In place partioning algorithm and hence uses O(log n) additional space
– Can be parallelized (like mergesort)
– Depending on implementation may or may not be a stable sort
– Low memory required
– Useful in cases where data is in RAM, not useful in cases where data lives on disk (In that case use merge sort)
– usually faster than mergesort
– The worst-case running time for quicksort is O(n2), which is unacceptable for large data sets and can be deliberately triggered given enough knowledge of the implementation, creating a security risk

QuickSort is more popular than Merge Sort because it:

Is in-place (MergeSort requires tons of extra memory).
Has a small hidden constant

3) Heap Sort

– Heapsort is part of the selection sort family. Is a comparison based sorting algo.
– it has the advantage of a more favorable worst-case O(n log n) runtime
– Heapsort is an in-place algorithm, but it is not a stable sort
– Quicksort is typically faster than Heapsort, but the worst-case running time for quicksort is O(n2), which is unacceptable for large data sets and can be deliberately triggered given enough knowledge of the implementation, creating a security risk
– Merge sort requires ?(n) auxiliary space, but heapsort requires only a constant amount.

Merge sort has several advantages over heapsort:
Merge sort on arrays has considerably better data cache performance, often outperforming heapsort on modern desktop computers because merge sort frequently accesses contiguous memory locations (good locality of reference); heapsort references are spread throughout the heap.
Heapsort is not a stable sort; merge sort is stable.
Merge sort parallelizes well and can achieve close to linear speedup with a trivial implementation; heapsort is not an obvious candidate for a parallel algorithm.
4) Intro Sort

Design Patterns

In software engineering, a design pattern is a general repeatable solution to a commonly occurring problem in software design. A design pattern isn’t a finished design that can be transformed directly into code. It is a description or template for how to solve a problem that can be used in many different situations.

There are three basic kinds of design patterns:

  • creational
  • structural
  • behavioral

Creational patterns provide instantiation mechanisms, making it easier to create objects in a way that suits the situation.

Structural patterns generally deal with relationships between entities, making it easier for these entities to work together.

Behavioral patterns are used in communications between entities and make it easier and more flexible for these entities to communicate.

References :
http://sourcemaking.com/design_patterns/factory_method

https://refactoring.guru/design-patterns/

 

================================ BEHAVIORAL =================================

Summary of Good REST Api Design

Summary of points about good RESTful API design from below talk:

Definition: Representational state transfer (REST) or RESTful Web services are one way of providing interoperability between computer systems on the Internet. REST-compliant Web services allow requesting systems to access and manipulate textual representations of Web resources using a uniform and predefined set of stateless operations

https://blog.apigee.com/detail/restful_api_design

1) 2 base urls
a) for collection (/dogs)
b) for a single element (/dogs/bo)
2) POST, GET, PUT, DELETE
3) nouns are good, verbs are bad
4) Assocations GET /owners/bob/dogs
5) Complex Associations – Sweep under the carpet (behind the question mark)
(/dogs?state=barking&color=red)
6) pagination (offset, limit or start, count)
7) searching ( global: /search?q=fluffy+dog , scoped: /owners/bob/dogs/search?q=fluffy+dog)
8) versioning (as far to the left as possible)
9) give me exactly what i need

  • a) /people:(id,first_name,last_name)
  • b) ?fields=id,first_name,last_name

10) output format

  • a) /venue.json
  • b) ?output=json

11) Standardize Error Formats
12) Make dog to bark (/dog?event=bark)

Security in web applications

Some common terms in web application security testing:

Password Cracking:  In order to log in to the private areas of the application, one can either guess a username/ password or use some password cracker tool for the same. Lists of common usernames and passwords are available along with open source password crackers.  Enforce a complex password (e.g. with alphabets, number and special characters, with at least a required number of characters)

URL manipulation:  Check all ranges of input variables. Dont accept values which are not needed by the application. Avoid forming dynamic variables.

SQL Injection: This is the process of inserting SQL statements through the web application user interface into some query that is then executed by the server.  Escape the quotes. Use mysql_escape_string or equivalent.

Cross Site Scripting:  When a user inserts HTML/ client-side script in the user interface of a web application and this insertion is visible to other users, it is called XSS. All HTML tags should be scrubbed from the variables. Dont use eval directly on any user input.

Spoofing: The creation of hoax look-alike websites or emails is called spoofing.  Use identity images like the ones Yahoo! and bank websites are using so that user is confident he is logging on to the correct system.

Crumbs: To ensure user has come from a  previous page in the flow and not directly.