Archive for May, 2009

PHP Performance – Optimize, Eliminate or Scale

May 14th, 2009 1 comment

Get several more uses from your toothpaste by placing the tube in boiling water for several minutes to loosen up the toothpaste inside, then pulling the tube down across the edge of the bathroom counter to scrape all of the toothpaste from the bottom of the tube to the top.

Once this technique no longer yields more toothpaste from the tube, use a pair of scissors to cut the tube open about an inch or two from the top. Open the top part and use your toothbrush to scrape the toothpaste out of the inside of the tube.

-Associated Content

When it comes to improving performance in a PHP system, there are a few different approaches you can take.  First, find out where your system performance can best be improved – see PHP Optimization – Where to Start.  Once you know where your biggest bottlenecks are, you can try to optimize through them, but at some point, you’ll reach the limits of what optimization can do for you –  run out of toothpaste, so to speak.  There are two widely used performance techniques beyond optimization – eliminate it, or scale it out.

Read more…

Categories: PHP Performance

PHP Security – Escape proof SQL injection in ORDER BY clause

May 13th, 2009 4 comments

It’s a well known, well documented, and well abused fact that SQL injection attacks can take place in the WHERE clause of a SQL statement. The commonly applied practice among professionals is to run user input through mysql(i)_real_escape_string(). However, this only protects against user variables within quoted values, and does not protect against SQL injection attacks elsewhere in the query.

One place that is commonly vulnerable is in the ORDER BY clause. Many developers either do not understand that mysql(i)_real_escape_string does not protect them from these types of attacks, or do not think that meaningful SQL injection can be done at this point in the query on a single statement engine like MySQL. As a result, this vulnerability can be found and exploited in many applications and websites, both commercial and open source, personal and corporate. Read more…

Categories: PHP Security

PHP Optimization – Where to start

May 11th, 2009 1 comment

“Our web app is slow,” complained the boss.
“Well, I hear that using commas instead of periods with echo() makes PHP faster,” replied the code monkey.
“Well, let’s try optimizing that,” said the boss.

$100k later.
“Well, it’s still slow after that change. I guess we’ve reached the limits of PHP. Time to switch to Java.”

If you run a website that becomes successful, at some point, you’re going to run into performance issues. Heck, you may only need a single visitor with some scripts to bring it to a crawl. There are a few different approaches often used for optimizing PHP, but really only one right one. First there’s the old school way, dump in a bunch of var_dumps of script execution time and hope to find a slow spot. Not very efficient.

Then there’s what I like to call the cluster-bomb optimizing approach. These are those lists of 40 things to do to optimize PHP and the like. I call this the cluster-bomb approach because you’re just throwing a bunch of tiny optimizations all over the place hoping that you hit one that’s causing your performance issues. A lot of these recommendations will leave you with a trashed collection of unmaintainable code. A cluster-f*** of code so to speak.

Very rarely will the majority of these recommendations actually make an impact to a real-world performance issue. I know this because I regularly fix real-world performance issues, and I rarely follow most of the optimization “tips” in those lists.

And then there’s the profiling method. This I think is the only right way to begin any sort of optimization process, in PHP or any other language. For the uninitiated, a profiler is a process that will sit with your script handler and generate a detailed log of exactly what happened during a script run, how long a subprocess took, etc. You can then take this log and get a visual representation of your scripts performance. From there, it’s really easy to see where the performance bottlenecks are in the system, and give you a good idea of where the best effort could be put in optimization.

Read more…

Categories: PHP Performance