Top 10 PHP coding traps

Presented by Damien Seguy

December 10, 2020

PHP has its own treasure chest of classic mistakes that surprises even the most seasoned expert: code that dies just by changing its namespace, strpos() that fails to find strings, or arrays that change without touching them. Does that get on your nerves too? Let's make a list of them, so we can always teach them to the new guys, spot them during code reviews and kick them out of our code once and for all. Come on, you're not frightening us!

About Damien

Damien Seguy is CTO at Exakat Ltd., a company specialized in PHP code quality solutions for the industry. He leads the development of the exakat PHP static analysis engine, which automatically audits code for version compatibility, security and dead code. Since last millennium, Damien has contributed to PHP as documentation author, elephpant breeder and conference UFO on all continents. He also enjoys machine learning, gremlin, 狮子头 and camembert.

Transcription (beta):

As you can see, I'm going to be Alps today with [inaudible] go through anyway. Some of them are next to the elephant out here. So what we have, we have a protein variable, you Skittles I think I negotiated three hours initially, and then the, it might be to do, or just 60 minutes to complete sufficient. But yeah, we have, have a very interesting doc then to cover lots of little trops and things you don't see, and then you, you suddenly have something might you, and that's exactly what I want. I want to display today. So this is, this is going to be extremely practical. I'm going to show you lots of coats and you should probably be able to apply a bunch of them media key. No, the remote setup is good for that because while you could actually coach, but maybe that can wait tomorrow, maybe just sit with me and listen to the different things, because then you will select the best one that's all tomorrow.

There's probably 70 or 80 slides. So I do expect some of the tricks are known. I also do expect that not all of them are known. So if one trick is not within your room, then just just wait for the next slide because something is coming up and I'm pretty sure you're going to learn something along the way. Now thank you for, for, for my care for the introduction. And indeed I am a, I am sincerely exec app. It's just a static analysis engine. We've been constricting each because since it's B five three, and of course we've been evolving with with the latest. So currently we are already combining PHP and testing for PHP 8.1 of course, I mean, PHP 8 is already you know, passed for us. So it's been the glory that has been released it's really for, for production. So now we are getting ready for the next step. And so all the the tips and tricks I'm going to show you today are coming from this incredible journey of you know, reviewing millions and millions of lines of code. I think I've passed the [inaudible].

So it's mostly a number, but I kind of feels like something. You know, it's like it's a step. I will probably call myself a native spent retirement because you may have seen I both of the oldest one. So if you see behind me the one you see is the first, each key elephants are usually recognize it with the little blue lines because you sent a route brought blueprints. So the product that came back group looks to be mistakes. But I'm also never seeing the next generation of PHB. And with we're going to have, along with Vincent [inaudible], who's the original drawer of the hand. we are how's it at fathering, I would say as she's breathing in you a new generation for the infinity, which we [inaudible] at that point, I'm a little late, so I can't really offer, offer you the link to them, to the Krista presales and you know, we can, we can order it before it's actually produced.

But that's going to show up in a few, few days, so get ready for, for that. And if you want your very own PHP, eight elements, then that's going to be the occasion. Now just before we start and we dive directly into the code, I will just give you a little bit of background. I have littered the slides with the four different codes that would allow you to understand where we are. Okay. So I mean, code can be very deceiving and it can be listen, you can say what you want or, or the solution. So when there is this little lady bird, it means that it's a book, it's a bird, or probably one waiting, maybe not that abuse, but that we come back and bite you at some point. The scale the rocket is for them, but a performance potential.

Now the performance potential potentially safe may be very low and we're going to see a bunch of micro optimizations. There's also a bunch of those were extremely deep. So depending on the way you use it probably forget the micro optimization, but if it's good for you, then the dress one are basically the way of the elephants. These, this is the way we do it in each me that might be completely specific or that maybe a specific feature that is less known, but that has been made for it. So that's the way PCP does some of the other things we mentioned about, you mentioned with Mike, it should be being more iterative in this presentation. So I would like to hear the questions along the during the presentation. So feel free to use the chat to actually send me the question as you like it so that we get them in context and hopefully that's tell me to select them.

If I don't do that during the presentation, then I will then fall after it so you can come, stay in, check with me. That's that's no problem. I can answer more specific questions or, you know, very dark specific problems that I mentioned. So questions did free to address them, not on the chat. Now I'm not going to talk more. Now I'm going to let the talk, the code talk by itself. And, and we could start by probably one of the most agenda in he didn't teach the book. I pretty sure everyone knows it. So this is not going to be a surprise, but at least you will understand now the real bugs on the side, but here is the legendary strpos problem. So it's the applause is their position. You can notice that there there's no underscore because this is such an odd function that well, basically it was created before, before it was quite a long time ago where we don't, we didn't have any formatting, so it's kind of strange, but it's, strpos is going to tell you the position of one string, the second one.

So were middle age inside the first one, which is hearing a variable called string, and it will return the offset and the offset in PHP strings starts at zero so equal. Is there a possible return in the position starting? Is there a zero or something? Of course, larger than zero. And the thing is if the S the string could not be found in the bigger one, then you get a returned false. That's where the problem starts, meaning that you cannot differentiate in PHP between a false and a zero, because the two of them evaluate to false meaning that's the first line a, that you're looking for is on the first character of the string. It will always always be false. And that means that you're going to meet some bunch of situations because even though it's, strpos is finding the string, then it will return a position that is now mistaken with the zero.

So not found, and then it will just evaporate and you're going to lose a bunch of occurrences that should be there. The solution and the way of Austrians. Well, there are several of them that are, that have to be known. The first one and the classic one is always use the triple equal that will not only check the value, but you can also check the actual type of the value. So here on the first one, if you do a comparison, you're looking for the situation where the AI could not be found. And then this is a situation where you will have to do a, the correct reaction behind, but this would not be mistaken with finding a, on the first position of the string. If you really want to toy with the situation and don't want to do the triple comparison all the time, if it's not a zero, then you're safe to use either double or triple.

So again, really the discretion that that's possible. I would say by default, it's better to keep using always the triple, but not in a zero values. Then it's, it's, it's interesting at that point and I'm sure we can see you. If I look straight to the camera, this is the moment where I usually ask the audience, how many functions, native PHP functions behave the same, because you can actually no a pause for this problem. This is not the only one that is actually affected by the syndrome. There are, there are lots of other PHP functions and does now out of, I would say a contingent of probably like 4,000 native functions. Can you think how many of them behave the same as strpos, which is that it may either return the value that may end up being null or zero or a real an error that is going to be false.

Can you think of a number like five functions, 10 functions, 20 functions? Well, actually I researched them and there's like 26 of them. Not all of them are very common, but some of them might actually bite you there's of course strpos in the middle. And along all the cousins, stripos, strrpos, some nurse that's current exec might actually return nothing more surprising, also file_get_contents to show comparing folded contents, and you expect the results inside the content back to region emphasize you're going to confuse the fact that you cannot read the file with the fact that the file was found, but so just be careful, lots of features assumptions are actually affected by the same problem. So locate yourself within my, at one of those the good news since we are already in age I do assume that every one of you have moved to [inaudible], but you sure you're excited at least, but one of the great reason and the best reason of course, to move to three is the appearance of str_contains.

And str_contains is going to do what would basically expect strpos to be to be doing, which is spotting the fo the S the middle is due to the stack and returning true or false. This is, this is if we cannot spot the position. And most of the time we don't care about it, but this one will only, only return true or false. So a lot is, and I rented a little bit to validate that we now have the normal prefix for strings, str underscore. So it's easier to spot and understand that this is a string function, but though the way of of the elephants with PHP 8 is going to move a bunch of them. I expect at least 90% of the strpos usage to move to this function and, and get rid of the bug.

Now, maybe you were not impressed by this first part, but there is another lesser legend around strpos. And there is another one that is less known, but it's still steam. And this is not called that the apprentices either is fine because maybe not back spread, but the revolver around that, something like this what do we have here? [inaudible] Verify with the beat, some data piece of string run it against the signature that is related to this data and compare it with what you could find with. So very standard, the verification, if this is working, then if there's verification is okay, then you will look to the login. Otherwise you can imagine those you know, false behavior. But what's interesting to us is the way that I'm going to assess and verify and openssl_verify, which will return three kinds of values of course it will return one as success.

It's still accurate during a boolean, but one is going to be closing out a zero for failure. So that's exactly the, the way the core data is behaving. And we also get minus one for an error. Now I want you to think a little bit about what happens here. So one for success, zero for failure, minus one for error, there were a fair number sense of failure. We, in the situation where it actually works, but we can not verify. And the error is that something is wrong. So for example, the data is either to be too small or it's in a rain. This major is not complete, or there could be something wrong. So this is really in some, you know, the algorithm could not run on the data that was provided, but what you have to remember is that one and zero, all with both maps to true and false that's that's okay.

But minus one will also map to true because zero only mapped to false as an integer, anything else maps to true. And that means that if you manage to send a garbage signature into this, do this function, then the function would just bail. We return an error minus one, and then we'll agree to log in. And that's basically the same kind of mistaken behavior on the return values than strpos. This time there is a shorter list of functions that are behaving like that. There is, there is, there are searches 13 of them which is probably way too much [inaudible] is one of the worst I think necessarily openssl_verify. So is, is one of the bad one because it's, it's used in you know, you know, the rough insecurity environment. I had hoped that of being the ones using ODBC or FTP anymore, but, you know, sit up and show just, just be careful with that.

The right way I would say are the modern way to do that nowadays in particular related to quick, aggressively a function is that the cryptography function will not let you run the rest of the code if it's if, as to return an error. So for example, one of Inns, which wasn't traditionally, could you be seven is now all which a means, or we don't need either or random leads just as expected, or if we threw an exception, and this means that you have now two different channels. One is for the actual values where you can go on with your happy path. And the other one is a situation that would basically let the wall application and stop. So you don't go on with something that will gives you opened. As I said, a random set of eyes is bad now, like that's, since we presented four.

So this is interesting. This is interesting to know that we see a normalization to a good wow, we're going to do a bunch of this transition, which are completely out of the blue, but sadly the top 10. So I have to cover both a lot of future, a lot of different corners of country, but now let's move to constants, and define is going to be our target here in terms of yeah, interest define itself is is potential for performance, not the big one after neat, but you have to consider that define is a function. It's, it's going create a constant. And here has been to create a constant form of another constant so literal and another, another constant, but since it's a function, it will be only executed when each viewer and the modern way is that const can be used outside of class.

So nowadays most of us are using const as a class constant, and that's how, truly how the const keyword [inaudible], but we can also use it outside of class. And that will create a real con and the constant will be forced. And you could also be into the objects. So compared to define, which has to wait for execution to actually create the constant here we can save some times because the constant man be direct, he compared me to the cache, and that will be a one step less to do when when the call that we, and other aspect of define are going away or not actually covered by const. the fact that it's the opcache in particular the third argument of define is going away. you cannot configure a constant that is both valued with, or without the kids, but you have to also consider that it's, this is not possible in each building.

So we always are, we have a constant that is case sensitive. So if I'm at is losing this advantage, and I would say the only situation is when you have to create dynamically constant sort of, we're starting to consider, you know, viable constraints, but some of those contents may be read from a YAML logs and they find, and then like dumped into the PHP script during the execution. So this is one situation where define is both completely negative, and it's the only solution where we don't know the constant execution but all situation up in where the constant can be created from other constants. So we've covered the situation where a is a complete, you know, literal term change, but we can apply even at constant time. And even before starting this attrition, we can use all the operators of PHP as long as you apply them to either later on, that's the case, for example, for constantly.

So literals numbers here are combined with stress and multiplication to create something that will end up being a constant and that we did pre-processed, which is kind of strange when you think about it's like pre processing PHP, which is already April text pre-processing. So it's pretty meta asset as a consent, but here again, you can basically prepare or leave the wallets question as you know, full expression. And then just at the last moment executed arrays are completely very, they can build with literals or with other constants, and that includes all the class constants. So maybe if you're doing just old P at the time, then we can create insight constants to make to other other values from, from other constants. If you need con conditions, since you cannot use controlled flow, because again, we're not exempted in anything you can still use the ternary, so you can add conditions on all the constants, someone who view this constant. And then we can decide that, for example, we work on one of the, of BOC depending on age, and finally, as we said, arrays work. But we have only one operator for that, which is plus, okay, not everyone knows that. Plus can be applied to arrays where then the two arrays will be merged and have a written above the other. But yeah, it's possible to many periods, the little video rates.

So that's usually leaves the, the define function as a very, like just one single use, which is for dynamic constants. So let's move on with [inaudible] potential repeated prints. Here is one piece of code that's actually way slower than it should be because we're basically calling the same operation several times with different arguments. And are there other as a rule of thumb if you can reduce the number of calls to the same functions with different argument, you always always gain in terms of speed. So here, instead of doing like three prints one after each other, just because we want them to be extremely readable inside the code, the first thing of course is just to make just one call, the first reflex of course, is to turn the three different strings to one by the concatenation. And that's, that's natural.

You're going to see that all over the place. And it's actually not the most important because we have reduced the number of calls definitely less, less print, just one, but that's what we're here again, but we are creating a concatenation just for the fact that it's produced less because we don't even keep that concatenation in sight. I w we create the concatenation because we can't only have one argument prints. And so we kind of navigated to create a bigger dimension, but we already know what we want to do with that. We just want to output the different contents, the, a, the content of the B and the C altogether. And you have to know that echo in particular is able, which is like the cousin of print is able to end on an arbitrary number of arguments. And if you don't make that a good explanation, then it would just echo one value after each other.

So here, instead of saying, I want to do the echo and concatenate everything, then teach this concatenation we just say, okay, just echo all these elements one after the child and PHP will visit, he just output all of them. And forestry likes that because it will actually do the concatenation into its own buffer. We'll just collect the values you have for each other and put them into you now. What I liked with that is that if you want to go back to the initial syntax, then we can also make the comma at the end of the line. And it's always a joy to ask people, ask questions, like, why didn't you put a comma at the end of this line? And it's like, because it's, it's like a half a call, so we can, we can really mystify it. But then as you can see, we can spread that across lines into this readable.

And that's that's an important and why we are there. The thing that you really don't want to to do is to put brackets around karma around echo in particular. If you started using those square miles between echo, then it is not possible to have several, like just even one combine setter around disease. And most of the time it's just echoing or disease and one variable, then it looks like it's a function call. And the parent is just accept one value. And as long as, as soon as you start at least several values, then the parent is, is, cannot accept. So we'll organize, and then you'll kind of start echo and we're going to start again, but it is not a function per se, like teach as it's just a structure and does not allow a number of things in particular, it cannot touch it. That's true. That's true. So just, just to be cool as it is, like it's difficult and the arguments and we'll be fine. So we mentioned that we want to avoid the number of calls and reduce them. And I would suggest to submit a little trick here. That's that's actually a have the same the same source. The code you have here is basically writing are these all as yes.

CSV, so reflect a CSV file. So you don't know why it was already, that's not important, but we have been defined. We write every element from the array and write it down. Oh, there's, there's definitely the performance problems here. Any particular fputcsv will actually flush to the disk at every call just to avoid you in buffering and losing something along the way. If currencies, we will always, always do that. Meaning that every row you have in particular are to very small. Then every time you write something on the disk, then of course, it's a waiting time to make sure that the disk says, okay, we can, we can move on. Now. We can really remove the call to fputcsv is that could be, it could be nice if we could just show the whole array into the that's not the case.

That's not the way it works. It really requires one row after each other. So we kind of stuck with the foreach and at the same time we can't really remove this, but seasonally, because it's also doing something important, which is the the escaping for the CSV. There's a huge number of rules. And there's always a good someone who wants to say, oh yeah, it's pretty easy to format something into CSV. I would point you toward the bugs.php.net website, which actually has all the nations for for this function. And you will see that it's not. So you cannot really replace fputcsv because if you rely on PHP, then you know, it's been tested and it's been better. So how can we actually split that up and not write to the disk that often, but there's something that you can, you can use, which is that since fputcsv really requires a file, you can give it a file as quickly, or that's the name of it.

And that's exactly what we're doing on the first line here. So there's a fopen. And when you use the protocol called php://memory, it will basically allocate a bunch of memory inside PHP so that you can use it exactly as far. Then we're going to use again, fputcsv in a way, I mean, as a insane idea for, for rich and this time, there is no more flush to the disk because since we were writing from memory, this is going to be far faster. And in particular, we have one piece of memory that we collect all the CSV that you want to revise. So we ended up with this big concatenation that still applies the RO escaping that we want from Putri now, and these, remember this spot in particular, once you're done with writing everything into the memory, then you have to do the rewind, otherwise the pointer is at the end of the P the memory, and to lose the fight with content, but then to rewind what you just written and then use it to direct it, dump everything into one and five on the, and now you've saved army as many rows that live inside the first array for each, but you've written everything into a memory very fast.

And you just stand back to two to five, very fast, basically you're pleasing, or you're trading, as you say, CPU performance with memories. Okay. So you should kind of creating a few gigabytes of CSV, please by doing that. But it's, you're, you know, writing a lot then of course your memory can, can exhaust, and that will be put to that, but it used to be no more. We can work also in one batches so we can insert and sort this way anyway, there's it? The the big greener reads a good trick when you want to avoid doing too many back and forth in the dusk, then just [inaudible].

So that's a, that's a nice one. Well, let's move on and let's go back to our bug situations that we've seen already. Here's a, here's a sufficient situation, but you may, that may surprise you. We've got two different ways to do the same thing. Well, be in three CS one, and then we do a logical composition between VNC and we've got two options. We have the letter symbol, and so you can read it. And the other one is the, all the other one that is similar. Now, again, I would like you to sit a little bit and consider that those two lines, the two second lines and what we're a one content contain at the end of the screens and what we'll need to contain them at the screen. Just being to take a seat while you think about it, okay. Option ranges from true or false.

So then you combine, you know, PNC ended up to obtain another million, or you can also get numbers from zero to three with the other issue, but what would be the one you expect? Well, you'd be surprised, but the first one is going to be three. And the second one is going to be one. And what happens is that the first one, the end of the richer with the letters as a lower priority than the equal. Now you don't have to ask me why, because this is really weird, but the two are very jurors do not have the same rating. And the second line eight to the double and percent of a higher priority than equal leave, that one reads the code PHP will first come to ASB. Okay. A one is B, but then since, and as a lower priority, then B will I treat the assigned to a Y the results of this assimilation is again, the same value that was assigned.

So we stick with three and three is combining receive, but now there's no more isolation. Destination has already been. And then this nation will just, the expression would just be lost because there's nothing to actually collect it or reuse. On the other hand, when you go with a two 82 is the, but since a double N percent as a higher priority is then we hit well and it goes first and BNCs are first combined. And then the result is given to eight to, and in that we've got two different results. If you wanted to add the two expressions to behave exactly the same, who must include the parentheses, anytime you use the symbols I've, I've run two companies and teams, which actually only likes the metric. There are later operators because those are the ones that are easier to read and understand, but they also run into that kind of problems where like half of the expression was never executed and was just ditch every time.

So generally speaking, it's probably safer to always use the symbols. And if you really want to use the the other ones probably use parentheses to make sure that there'll be expression is what you do is acute. And I would say that the most important is just stick to one of the two be consistent in your ways, use one of the two conventions, because otherwise you're going to have someone along the way. Now, apparently precedence is something that still happens. I there's, there's the one we've seen here, but there's also this one, which is not a problem by itself, but it's something I cannot treat my staff. I don't know if you've ever tried to read that the government is not each instance of how it's, we're just creating [inaudible].

But as for me, I just read that not the, which is instead of class. So that should be turned into a boolean, and then the winch should not be shouldn't, you know turn is not an object. So it's going to be focused and actually instanceof has a much higher precedence than not. So the hunch of this expression will really be instanceof stdClass first, which is going to be true. And then the not is going to be take you into the, as for me, I don't read that as a human. I find it really hard to, I always always put parentheses around just to make sure. And that's, you know, in case of doubt, that's probably a safe defense mechanism, but yeah. Order matters and that's, that's an impact you will have on that. You can also have this kind of order that matters.

So eighth is be, and until you know, specifically for in college, then the contamination and the plus at the same of residents. So it's not as weird as the previous one where there was actually due to different that they lost precedents. But here they have the same meaning that the first one that happens is the one that matter. And then the second while we just take over what's left. So until [inaudible], so it still works in [inaudible] and typically creates, then not, may be concatenated with the original literal string leading to a larger string. And then the result of this longer string deter will be added to B. And since B is a number, the first one will be tested to another number. And obviously we started with a dollar sign, so that's going to be zero, and you're going to display two, just like last half of the string.

Again, if you want to save yourself from the bug, so avoid missing them, which is probably a safer way to read, but that's use parentheses to make sure that you have the right order, or you can move to PHP 8. Okay. That's the second reason you have to move to which creates now perhaps the addition is of higher precedence than concatenation. So what will happen here is definitely where we see first is B three and then the free will, you can continue with the rest of the, of the string and we'll end up with something that's actually what you're expecting. You expect human need for it, not surprising situations here is when you end up with that kind of calculation. Maybe you skip that on [inaudible]. there is a New York ranger that was intravenous, which is the double power and then the double asterisk.

But that would mean that it's a power, power just replace exactly the power function. Assumption is thinking, you know, keeping the same number by itself, a number of time. And here we are using this power or arranger to calculate minus three power two again, with a live audience. It's always funny because at that point of the presentation, usually people are getting wary of the trap are lately around show. You can look at that and say, that's going to be nine. Okay. Minus three, power two. Power two is always positive. And of course, I'm going to tell you that when you do that in PHP, PHP would very proudly display minus. Now, how come, how come is that happening? The thing you don't see, and that's also rely on parsing of PHP is that the minus sign and the three are two different elements. PHP will find the minus, realize that there is nothing believe before.

So we consider it's going to affect beer affecting the next element. And the next element is three, except that power quite naturally taught as a higher precedence over minus. So PHP will say, oh, I have a three behind, but since there's a power, then I actually have to get you the power first. So we'll get the three power two that nine. That's fine. And then you will come by and say, oh yeah, I forgot. There's the minus. And you end up with the minus nine, basically. That's why mathematicians aids us British anyway. No one when he's actually, you know, literally get scored with this all by like that, or even using power as it is, but he may actually end up writing literals once in a while in India with that kind of comments. But then to see that again a little later, but when we're there I'm going to go back to my initial piece of code and we're going to consider this little girl again, this is maybe a bug, but more like a vulnerability.

So if you remember correctly, initially we were using the double ampersand, and the double ampersand works to turn, you know, values into booleans. So that's really logical. The single ampersand will actually manipulate the bits. It's the bitwise operation. It will actually consider three as a field of bits [inaudible] and will do the same with C. It will merge it with C and we'll get some result. The lesser-known feature here is that this works, and will actually output an integer if both of the operands are integers, but it will also operate on strings. And it will actually output a string if you combine two strings with one of those bitwise operators. So here, if you combine a and b, I have switched the ampersand to the caret, so it's an XOR operator.

It's one of those operators, with the ampersand and the pipe. So if you combine a and b, basically a will be turned into its ASCII code and b into its ASCII code, then they are compared bitwise, and then the result will be turned again back into a string. Well, that's how all this works; apparently, in 1995, this is the way PHP was drawing, you know, features from C. How does that look like? Well, I had to really try that with different values and different letters, and you can see here I've kept the a fixed, and I've tried to see what happens when I change the second one to different values, and I always use the ampersand. And I actually found out [inaudible] that with one value you get a one, and with another one you get a zero.

And then [inaudible] again, find out the three; the three on the last column, you will see, this is definitely on the original, it's supposed to be a string. So this is why you actually don't see any progression to the integer, basically: it gives me a string, which is also good, you know, the result of this is not disappearing, but it makes sense. I mean, like the other operators, we've seen the precedence, we've seen this one, it kind of makes sense, I can read that. It's just that you have to understand that combining two different strings now turns into another string, and that can be used in a situation like this one. I would give you a second also to contemplate that piece of work.

Okay. As you can see, there is not a single letter. There's only punctuation; it was meant to be like that. There's also not a single space, and it's kind of difficult to understand what the hell this is doing. We can find the initial tag, the opening tag with the equal sign, so we know that whatever is executed is going to be displayed. And then you've got to start looking at it, but the important part you would see is the little caret, actually in green, the first caret you see somewhere on the left, and it's actually stuck between two other strings, which are the strings I've made unreadable on purpose so that they really look very weird. But if you combine them, given what we've seen in terms of using the operator, then you will get this string. So the first part of the code is actually creating the _GET string.

And now you see the semicolon in the middle of the code, so you know what's going to be happening later on. We have a dollar sign, so we are actually accessing the $_GET variable with an argument called underscore, because in PHP [inaudible] an undefined constant will be falling back to a string. And then there is a parenthesis, so the whole of it is going to be a call to a function, meaning that the second part of the source code is going to call a function for which you provide one argument, and it will execute the second argument, which is another function. And if you're still looking for a way to understand how someone managed to inject code into an application and execute it, this is because that kind of piece of code usually defeats any kind of search.
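As an added example (not code from the talk, the slide, or exakat), the first function shows the byte-wise string operators the talk describes on printable values, and the second is a small defensive scanner of my own, built on PHP's `token_get_all()`, that flags a bitwise operator sitting between two string literals: the construction the obfuscated snippet above relies on, and one a code review can search for. The `$sample` source it is run on is constructed here.

```php
<?php
// Added example, not from the talk. Part 1: bitwise operators on strings work
// byte by byte on the ASCII codes and return a string. Part 2: a review helper
// that reports "<literal> ^|&|| <literal>" expressions in PHP source.

function stringBitwise(): array
{
    return [
        'A | space'   => 'A' | ' ',    // 0x41 | 0x20 = 0x61 -> "a"
        'a & _'       => 'a' & '_',    // 0x61 & 0x5F = 0x41 -> "A"
        'a ^ space'   => 'a' ^ ' ',    // 0x61 ^ 0x20 = 0x41 -> "A"
        // & and ^ stop at the shorter operand; | keeps the tail of the longer one.
        'abc & _'     => 'abc' & '_',  // "A"
        'ABC | space' => 'ABC' | ' ',  // "aBC"
    ];
}

function findLiteralBitwiseOps(string $source): array
{
    // Drop whitespace and comments so that a token's neighbours are its operands.
    $tokens = array_values(array_filter(token_get_all($source), function ($t) {
        return !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
    }));

    $hits = [];
    foreach ($tokens as $i => $t) {
        // Single-character operators are plain strings; since PHP 8.1 "&" may be
        // an array token (T_AMPERSAND_*), so read the text in both cases.
        $text = is_array($t) ? $t[1] : $t;
        if (!in_array($text, ['^', '&', '|'], true)) {
            continue;
        }
        $prev = $tokens[$i - 1] ?? null;
        $next = $tokens[$i + 1] ?? null;
        if (is_array($prev) && $prev[0] === T_CONSTANT_ENCAPSED_STRING
            && is_array($next) && $next[0] === T_CONSTANT_ENCAPSED_STRING) {
            $hits[] = ['line' => $prev[2], 'expr' => $prev[1] . ' ' . $text . ' ' . $next[1]];
        }
    }
    return $hits;
}

print_r(stringBitwise());

// Constructed sample source: only the first statement should be reported.
$sample = '<?php
$clear = "abc" ^ "   ";   // string literal ^ string literal: flagged
$n = 6 & 3;               // integers: not flagged
$ok = "a" . "b";          // concatenation: not flagged
';
print_r(findLiteralBitwiseOps($sample));   // one hit, line 2: "abc" ^ "   "
```

The scanner only looks at literal-to-literal operands, which is enough to surface the hand-written obfuscation shown on the slide; a variable on either side would need data-flow tracking, which is what a static analyser does.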

It's kind of fun to read and to understand, not really to use it. Let's move on: real numbers. If you haven't heard about that, they are gone. There are no more real numbers in PHP. Yeah, it's quite a surprise, but who's using real numbers? You'd need it probably a little bit for accounting, but the accounting is probably not done in PHP. But real numbers are gone. Actually, there were two of them: there were real numbers and there were floats. The floats are still here and they're now being standardized. So if you're still using the real numbers, then move to this one and just use the float. It's a mere matter of changing the type cast to float instead of real, and the type test from is_real() into is_float(). Don't use the old one anymore; it's actually gone.

There's no missing it anymore, especially since PHP 8. Now I like to mention that, beside the fact that it's maybe a surprise that you don't have any more real numbers, because you would just have floats. But like one year ago I had to go [inaudible]. When I was preparing the slide, I realized that I could read the documentation a little more. And then I went again to look at that famous function round(), which basically takes one of those long floating numbers and turns them into something that has fewer digits. So that's good. This is one, three, four, five, six, and you just want two decimals, then you just pass the argument two as the second one, which will round the number to two decimals. If you pass zero, then it will also round this to the integer, and [inaudible] everything beyond the [inaudible]. It took me a while to understand that the second argument accepts negative numbers, and then it allows you to round something to the next hundreds or thousands.

So if you're manipulating, say, accounting again, and you want to round up to a billion, then you just have to choose the right number and not, you know, juggle between the division by a thousand and then the rounding. Well, besides round(), which is surprising by itself, it's interesting to know that when you're dealing with PHP, and probably other languages, looking at the documentation is always a source of discovery and new things every day. So even if you feel like you know, just to make sure [inaudible]. I am one of the authors of the PHP documentation; I did translate this documentation three times into French. So you can know that I have read round() several times, but it took me another 10 years to realize that I didn't know that, and I actually learned something. So feel free, go there. There's a lot of special behaviors that are documented and that will impress your coworkers. And that's a good source to start off [inaudible].
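The two points of this part of the talk, the float cast and test that replace the removed real alias and round() with a negative precision, as an added example (not code from the talk). The input value is constructed.

```php
<?php
// Added example, not from the talk.

// (real) and is_real() are gone in PHP 8; (float) and is_float() are the forms to keep.
function asFloat(mixed $value): float
{
    $f = (float) $value;
    if (!is_float($f)) {
        throw new UnexpectedValueException('not a float');   // never reached, shown for the test name
    }
    return $f;
}

// round()'s second argument is the number of decimals; a negative value rounds
// to the left of the decimal point, so no divide-round-multiply juggling is needed.
function roundExamples(float $n): array
{
    return [
        'two decimals' => round($n, 2),    // 1234567.89
        'integer'      => round($n, 0),    // 1234568.0
        'to hundreds'  => round($n, -2),   // 1234600.0
        'to thousands' => round($n, -3),   // 1235000.0
        'to millions'  => round($n, -6),   // 1000000.0
    ];
}

print_r(roundExamples(asFloat('1234567.891')));   // constructed input
```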

But anyway, other features that can be interesting. This is going to be a simple one. If you have to do a substr() just to extract one character, and I see that all over the place, everywhere, just don't use substr() for that. Okay. So we have a string name, and we want to extract one letter at the position pos. Calling a function is not the solution, and as is the case with every language, using a function call is a lot more expensive than just using an operator. And in particular, to extract one character, it's very simple: there is the array notation for strings, and you can use it directly and extract the character back. You just mention the position and there you go. You've got to know that this has actually evolved a lot in PHP 7, in particular with two different events.

The first one is that it is now possible to use a negative position inside substr(), that was already the case, but also inside the index notation, meaning that the position in the string will be counted from the end of the string instead of from the beginning. So that's really important: if you want to access something from the end of the string, that's an easy way to do it. The other thing, and that was almost part of the minus one problem, remember minus three power two, is that this position was not possible inside another string. So something that you see on the second line, $string[-1] inside another string, that was not possible because PHP was constantly considering this as two elements, minus and one, and it was not accepted. Now, in PHP 7.1, that was fixed. I don't know exactly who heard me complaining about that kind of piece of code, you know, using $string[-1] inside another string, but someone from the PHP group listened, heard me maybe, and then they fixed it.

So you can use it as much as you can. What you cannot do with this position argument is use it on strings with multibyte characters, because we are talking about single byte access and not multibyte. So if you're dealing with, here, this is Chinese, Chinese characters, where you need multibyte access, if you access one of the positions, you will end up with half of the character. So don't do that. This will be a situation where you don't use substr(), but you will actually use mb_substr(). That was the case before, and you still have to do that for multibyte strings; this is just for single-byte strings. substr() actually has another potential problem, a potential performance problem, which is when it's being used with another string manipulation function. It's not always obvious that substr() and strtolower() will lead to something that is actually slow.
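Array notation on strings, the negative offset that PHP 7.1 made usable inside a double-quoted string, and the multibyte caveat, as an added example (not code from the talk). The sample strings are constructed; the UTF-8 byte values shown in the comments are the standard encoding of "é".

```php
<?php
// Added example, not from the talk.

function lastByte(string $s): string
{
    return $s[-1];   // one byte from the end, no function call (PHP 7.1+)
}

function lastChar(string $s): string
{
    // Multibyte-safe: mb_substr() counts characters, not bytes.
    return mb_substr($s, -1, 1, 'UTF-8');
}

$ascii = 'trap';                                   // constructed
var_dump($ascii[0], $ascii[-1]);                   // "t", "p"
var_dump(lastByte($ascii) === lastChar($ascii));   // true: single-byte text, both agree
echo "last byte: $ascii[-1]\n";                    // negative offset inside a string literal, PHP 7.1+

$utf8 = 'café';                                    // constructed; "é" is the two bytes 0xC3 0xA9
var_dump(bin2hex(lastByte($utf8)));                // "a9": half of the character
var_dump(lastChar($utf8));                         // "é"
var_dump(strlen($utf8), mb_strlen($utf8, 'UTF-8'));  // 5 bytes, 4 characters
```

The comparison at the end is the check to keep in mind: the array notation and `mb_substr()` agree only while every character is one byte, so input that may carry UTF-8 (names, free text) stays with the `mb_*` functions.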

But I mean, if you were just extracting, from a function, a string, two elements, and the original line, that's not very important because that's not what's important. Like, what did we do here? We basically called strtolower() first. So we take the string, the one string, and then just make it all lowercase. And from there we decide to use substr() as a second call, for which we just extract a little bit of that string. You have to consider that basically we were doing the lowering of the case on the whole string to probably ditch and remove most of the string and just keep a little bit of it. So it's not obvious, but probably you should reverse the order of the functions so that substr() is called first. So you first start by shortening the string, and then you do the rest, the reduction, the change of case, because then strtolower() will always work on something that is at worst as large as initially, and at best it will be shorter.

So it is less work and more speed. And most of the time it's not very visible, but when you're talking about something that is inside a loop, or it's being used a lot, then you start seeing some performance issues appearing. Instead of substr(), just like we had for substr(), you have to consider that there are a lot of PHP functions that are reducing the string. And that's the example you see with dirname(): dirname() will possibly keep the same string as long as the [inaudible], but at best it's going to reduce the size of the string. So it's always better to put dirname() inside and strtolower() outside. And of course strtolower() can be replaced by other functions that are working on the string. And I will give you an example that I discovered recently also: for example, explode() has a third argument, which is rarely used, but that limits the number of elements being returned. So it should make it [inaudible], this last, third argument.

If you look at this last expression, we're just exploding a long string, possibly something very long, into elements, and we're only going to collect the first and the second. Why do we need to do something more than, you know, extract the two elements and then drop the rest? If you do not provide the last argument, then explode() will actually process the whole string into smaller bits, and then in the end just spot that it needs to return two of them and then ditch the rest. If you mention to explode() that yes, we do not want more than two, then at least it will stop as soon as it doesn't need to do that anymore, and it will save you some work. This is probably some kind of, you know, defense in depth, meaning that even if someone can put something really long into the string, and we sort of go over the last argument, then we would only work for two elements, and that keeps the script working for the same length of time each time.

What we've seen for strings is also possible for arrays; just be a little more careful, because here we have array_slice() replacing substr(), that's basically the same concept, and array_map() will be replacing strtolower(). You just have to be careful that if you need, for example, sorting, then maybe you still have to do the sort on the whole array before slicing it. Otherwise you may end up with a wrong ranking, for, you know, the ways [inaudible]. You have to deal with either a really wrong sorting, because otherwise, yeah, arrays are going to be working the same as strings. So first reduce the data set and then work on it. That's going to save you a lot of time.
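The "reduce first, then transform" rule from the last three parts of the talk, the explode() limit, and the sorting exception for arrays, gathered into one added example (not code from the talk). The input lines and score table are constructed.

```php
<?php
// Added example, not from the talk.

// Same result, different amount of work: the slow form lowercases the whole
// string and then keeps 8 bytes; the fast form lowercases at most 8 bytes.
function slowPrefix(string $s): string
{
    return substr(strtolower($s), 0, 8);
}

function fastPrefix(string $s): string
{
    return strtolower(substr($s, 0, 8));
}

// explode() with a limit stops splitting once it has enough pieces, so an
// oversized input costs the same as a short one and the value may keep its own "=".
function splitKeyValue(string $line): array
{
    [$key, $value] = explode('=', $line, 2) + [1 => ''];   // default for a line without "="
    return [$key, $value];
}

// Arrays: array_slice() is the substr() of arrays and array_map() the strtolower().
// A sort must see the whole data set, so it is the one step that goes before the slice.
function topN(array $scores, int $n): array
{
    arsort($scores);                            // sort everything...
    return array_slice($scores, 0, $n, true);   // ...then keep only the first $n
}

$long = str_repeat('X', 1_000_000);                 // constructed
var_dump(slowPrefix($long) === fastPrefix($long));  // true: same output, less work

print_r(splitKeyValue('token=abc=def'));            // ["token", "abc=def"]
print_r(splitKeyValue('novalue'));                  // ["novalue", ""]
print_r(topN(['a' => 3, 'b' => 9, 'c' => 5], 2));   // ["b" => 9, "c" => 5]
```

Slicing before `arsort()` in `topN()` would rank only the first `$n` elements of the unsorted input, which is the wrong-ranking case the talk warns about.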

Let's move on. We've got here a bunch of details; one of my, probably one of my favorite functions. You've got an array coming in and you just want to extract the value. As we can see [inaudible], this sub-array has a name and a version, and basically what we want to extract is a bunch of names. This is a very classic problem: you can read that from a database, from [inaudible], and you just want to extract one element every time. And what you do usually is you go to a foreach, and, as we said, with 4,000 PHP functions there's one bound to do it. You can use array_column(), and array_column() will basically take your array, go into the array and extract only the one you want. It's a lot smaller, right?

It's a lot faster because it doesn't parse the code, and it's actually completely native in C. It's very, very efficient and it's really nice. The second interesting part with array_column() is that it also works on objects. And so here, if the property is public, then array_column(), meaning something external, will have access to it, and it works on objects. So if you're dealing with value objects that you're reading from the database, or data objects, which are all the same, then you can apply it and extract the value you're interested in, even as objects, when two of them are completely the same. If you want a special property, then you have to be careful when you use the magic methods, because [inaudible] then it's kind of possible, but just going with __get() is going to work.

The private is not accessible, you cannot read it. We actually default to __get(), but before calling __get(), it will also check the presence of this property with __isset(). If you want to use array_column() on the class, then you actually have to also create the magic method __isset(). __isset() is a magic function that is used more for a number of those interfaces in the SPL library, and it will be called to check if the value exists inside the class. So it will be called before going to __get(). And if you make the __isset(), you see, I cannot easily make it just always true. But if you make sure that the value is actually reported correctly, then array_column() works also with the magic properties. So that's really nice to see.

And finally, if you want to access a private property, well, it's kind of difficult. The only trick that you have to know is that PHP will actually check if the current class is the same as the one that is being accessed. So here, if you want to access the value a inside the objects that are created in the middle of the function, then you have to be yourself inside the same class, and PHP will check that the current class is the same as the object's. So from there, you can actually use it to extract a special private value. Kind of weird, but that's it. And finally, with the index, array_column() will return a list, like a column from a SQL table, but you can also ask it to re-index the values and turn it into a hash. So the first example was to say that we wanted to extract the names, but we also want to index that with the version.

And as you can see, once you call that, then all the values of the property have been moved from the array to [inaudible]. Now I'm actually looking at that and thinking that it might be that the version and the name have been switched. So please check the documentation. I've got a nagging feeling, but at least you can re-index and extract an actual hash from a kind of multi-dimensional array in one call. And I still find this, while we're talking about loops, I still see a bunch of loops like those these days. So the famous, you know, for loop, which actually counts the array every single time. So here we're basically reviewing the array all the way, but every time we start from zero, we increment by one, and we make sure that it's not reaching another type of attack...
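The array_column() behaviours described in the last four parts of the talk, as one added example (not code from the talk or from exakat): the plain column and the column re-indexed by another key, public properties on objects, a private property read from inside its own class, and magic properties, which need __isset() next to __get(). The rows, classes and values are constructed; the argument order follows the PHP manual, array_column(array, column_key, index_key).

```php
<?php
// Added example, not from the talk. Requires PHP 8.0 (constructor promotion, mixed).

$rows = [                                                 // constructed
    ['name' => 'exakat', 'version' => '2.2'],
    ['name' => 'php',    'version' => '8.0'],
];

// 1. One column as a list, and the same column indexed by another column.
print_r(array_column($rows, 'name'));               // ["exakat", "php"]
print_r(array_column($rows, 'name', 'version'));    // ["2.2" => "exakat", "8.0" => "php"]

// 2. Objects: public properties are readable from anywhere, private ones only
//    when the calling scope is the object's own class.
class Package
{
    public function __construct(public string $name, private string $secret) {}

    public static function secrets(array $packages): array
    {
        // Called from inside the class, array_column() sees the private property.
        return array_column($packages, 'secret');
    }
}
$packages = [new Package('a', 's1'), new Package('b', 's2')];   // constructed
print_r(array_column($packages, 'name'));     // ["a", "b"]
print_r(array_column($packages, 'secret'));   // []: from outside the private property is invisible
print_r(Package::secrets($packages));         // ["s1", "s2"]

// 3. Magic properties: array_column() asks __isset() first and only then calls
//    __get(), so a class with __get() alone yields nothing.
class Magic
{
    public function __construct(private array $data) {}

    public function __get(string $n): mixed
    {
        return $this->data[$n] ?? null;
    }

    public function __isset(string $n): bool
    {
        return isset($this->data[$n]);      // report only the keys that really exist
    }
}
$magic = [new Magic(['name' => 'm1']), new Magic(['name' => 'm2'])];   // constructed
print_r(array_column($magic, 'name'));        // ["m1", "m2"]
print_r(array_column($magic, 'missing'));     // []: __isset() said no, __get() was never called
```

Removing `__isset()` from `Magic` turns the third result into an empty array, which is the quickest way to see the check the talk describes.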
