Defensive Programming Redux

Transcript

1. Defensive Programming

2. Don't trust anyone

3. Don't trust users (bobby tables)

4. Filter all input data

5. Built-in filter_var() function

6. http://php.net/manual/en/function.filter-var.php http://php.net/manual/en/filter.filters.php

7. if (filter_var($_GET["name"], FILTER_VALIDATE_EMAIL)) { // email is valid } if

   (filter_var($_GET["age"], FILTER_VALIDATE_INT)) { // age is valid } if (filter_var($_GET["url"], FILTER_VALIDATE_URL)) { // url is valid }

8. if ($email = filter_var($_GET["name"], FILTER_SANITIZE_EMAIL)) { // $email is valid

   } if ($age = filter_var($_GET["age"], FILTER_SANITIZE_NUMBER_INT)) { // $age is valid } if ($url = filter_var($_GET["url"], FILTER_SANITIZE_URL)) { // $url is valid }

9. Built-in htmlentities() function

10. http://php.net/manual/en/function.htmlentities.php

11. <div class="comments"> <?php foreach ($comments as $comment): ?> <div class="comment">

    <?php echo htmlentities($comment); ?> </div> <?php endforeach; ?> </div>

12. Filter all database input

13. $pdo = new PDO("sqlite:users.db"); $statement = $pdo->prepare("SELECT name FROM users

    where id = :id"); $statement->bindParam(":id", $_GET["id"], PDO::PARAM_INT); $statement->execute();

14. Don't trust developers (you're one)

15. Write tests!

16. https://cleancoders.com http://grumpy-learning.com

17. Use interfaces

18. interface Transport { public function send($to, $from, $subject, $message); }

    class MailTransport implements Transport { public function send($to, $from, $headers, $body) { // ... } }

19. class Email { protected $transport; public function __construct(Transport $transport) {

    $this->transport = $transport; } public function send() { // $this->transport->send(); } }

20. Single Responsibility Principle

21. "every class should have a single responsibility, and that responsibility

    should be entirely encapsulated by the class"

22. class Transaction { public function charge() { // ... }

    public function notify() { // ... } }

23. interface Charger { public function charge(); } interface Notifier {

    public function notify(); }

24. class Transaction { protected $charger; protected $notifier; public function __construct(Charger

    $charger, Notifier $notifier) { $this->charger = $charger; $this->notifier = $notifier; } // ... }

25. http://en.wikipedia.org/wiki/Single_responsibility_principle

26. Type check

27. function charge(Card $card) { // ... } function notify(array $errors)

    { // ... } function process(callable $success, callable $error) { // ... }

28. Built-in assert() function

29. function addCustomer($name, $age) { assert(is_string($name), "Name is not a string.");

    assert(is_int($age), "Age is not an integer."); // ... }

30. Getters/setters

31. class Transaction { public $charger; public $notifier; } $transport =

    new Transport($charger, $notifier); $transport->charger = "moo"; // ...a great big error!

32. class Transaction { protected $charger; public function setCharger(Charger $charger) {

    $this->charger = $charger; } }

33. Optional types

34. https://igor.io/2014/01/10/functional-library-null.html

35. $user = $repo->find($id); if (!$user) { return null; } $address

    = $user->getAddress(); if (!$address) { return null; } return $address->asText();

36. return $repo->find($id) ->map(method("getAddress")) ->reject(null) ->map(method("asText"));

37. Stronger types (everyone needs a hobby)

38. Boxing

39. class StringObject { protected $data; public function __construct($data) { $this->data

    = $data; } public function value() { return $this->data; } }

40. function log(StringObject $string) { // look ma, no assert()! echo

    $string->value(); } $string = new StringObject("hello world"); log($string);

41. Augmented types

42. https://github.com/box/augmented_types

43. /** * @param string $pattern * @param string $string *

    @return string[] */ function split($pattern, $string) { return preg_split($regex, $string, -1, PREG_SPLIT_NO_EMPTY); }

44. Thanks! @assertchris tutorials.io