Security:
* Do use PDO parameters (prepared statements with bound values) for SQL statements to prevent SQL injection; never build the query by concatenating user input into it.
* Do use htmlspecialchars/htmlentities (with ENT_QUOTES and the page's charset) and/or strip_tags to escape HTML and JavaScript and prevent XSS (cross-site scripting) attacks. Note that strip_tags only removes tags; whatever remains is still unescaped, so always escape at output time with htmlspecialchars as well.
* Do use sessions over secure sockets (TLS) to prevent session hijacking, and use an md5 checksum to validate session IDs. Store a unique token in the session, e.g. md5(uniqid(rand(), true)), echo it into a hidden form field, and on submit check $_SESSION["token"] === $_POST["token"] (this also blocks cross-site request forgery). On PHP 7+ prefer bin2hex(random_bytes(32)) to the md5/uniqid construction, since uniqid() is time-based and predictable.
* Do use escapeshellarg/escapeshellcmd when calling external commands to prevent command injection. escapeshellarg() on each user-supplied argument is the reliable choice; escapeshellcmd() on the whole command line stops command chaining but still lets an attacker add extra arguments.
* Do remove line breaks (CR/LF) from incoming values before placing them in outgoing HTTP headers, to prevent early header termination and header injection. Fixed in PHP > 5.1, where header() rejects a value containing a newline, but still validate the input yourself.
* Use an md5 checksum over the serialized parameter values plus the session ID to verify they have not been tampered with. A bare md5 can be recomputed by whoever edits the values; hash_hmac() keyed with a server-side secret cannot.
* Use === when validating input values so that the type is checked along with the value (e.g. "0" == false is true, but "0" === false is not).
* Set the following to improve security:
o ini_set("display_errors",false);
o ini_set("log_errors",true);
o ini_set("error_log","path/to/php.log");
o ini_set("session.save_path","path/above/www"); or use the "mm" session module, or store sessions in a SQLite db (the point is to keep session files out of the web root)
o php.ini expose_php=off
o php.ini register_globals=off (removed entirely in PHP 5.4)
o Apache ServerTokens Prod
* Call session_regenerate_id() in any application flow where a user's privileges change (login, role change) to defeat session fixation.
* Use secure sockets (TLS) for commercial transactions.
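The following is an added example, not code from the original page: one request handler that applies the PDO, htmlspecialchars, form-token, session_regenerate_id and header rules listed above together. The users table, the helper names (openDb, findUser, e, formToken, formTokenValid, promoteSession, redirectHeader) and the sample inputs are assumptions made for the example; it runs on the CLI with PHP 7+ and the SQLite PDO driver.

```php
<?php
// Added example, not code from the original page: a request handler that applies the
// PDO, htmlspecialchars, session token, session_regenerate_id and header rules above.
// The users table, the helper names and the sample inputs are all assumptions.

declare(strict_types=1);

// SQL injection: values are bound, never concatenated into the statement.
function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');   // in-memory SQLite so the example runs offline
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (name, role) VALUES (:name, :role)');
    $ins->execute([':name' => 'alice', ':role' => 'admin']);   // constructed rows
    $ins->execute([':name' => 'bob',   ':role' => 'user']);
    return $pdo;
}

function findUser(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// XSS: escape at output time for the HTML context; ENT_QUOTES also covers attribute values.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Form token: random per session (random_bytes replaces md5(uniqid())), checked in
// constant time. hash_equals() is a strict string comparison like ===, minus the timing leak.
function formToken(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function formTokenValid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['token'])
        && hash_equals($_SESSION['token'], $submitted);
}

// Privilege change: rotate the session ID so a fixated ID is worthless afterwards.
function promoteSession(array $user): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['role']    = $user['role'];
}

// Header injection: refuse CR/LF before the value ever reaches header().
function redirectHeader(string $location): string
{
    if (preg_match('/[\r\n]/', $location) === 1) {
        throw new InvalidArgumentException('line break in header value');
    }
    $header = 'Location: ' . $location;
    if (PHP_SAPI !== 'cli') {
        header($header);
    }
    return $header;
}

// Demo with constructed inputs. Session work happens before any output, because
// session_start()/session_regenerate_id() refuse to run once headers are sent.
if (session_status() === PHP_SESSION_NONE) {
    session_start();                     // on the CLI this just writes to session.save_path
}
$pdo     = openDb();
$token   = formToken();
$before  = session_id();
promoteSession(findUser($pdo, 'alice'));
$rotated = session_id() !== $before;

var_dump(findUser($pdo, "alice' OR '1'='1"));   // NULL: the quote is data, not SQL
echo findUser($pdo, 'alice')['role'], PHP_EOL;   // admin
echo e('<script>alert(1)</script>'), PHP_EOL;    // &lt;script&gt;alert(1)&lt;/script&gt;
echo '<input type="hidden" name="token" value="', e($token), '">', PHP_EOL;
var_dump(formTokenValid($token), formTokenValid('deadbeef'));   // bool(true) bool(false)
var_dump($rotated);                                              // bool(true)
try {
    redirectHeader("/home\r\nSet-Cookie: role=admin");
} catch (InvalidArgumentException $ex) {
    echo 'rejected: ', $ex->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. The token comparison uses hash_equals() rather than === because the two behave identically on the result (strict string equality) but hash_equals() does not leak how many leading bytes matched.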
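A second added example, also not from the original page, for the two rules above that the handler does not cover: escaping external commands and checksumming serialized parameters. The command, the APP_SECRET value and the parameter values are assumptions; the commands are built as strings and deliberately not executed, and the md5 of the original is replaced with an HMAC as the bullet above recommends.

```php
<?php
// Added example, not code from the original page: the escapeshellarg/escapeshellcmd
// rule and the checksum-over-parameters rule above. The command, the secret and the
// parameter values are assumptions; the commands are built but deliberately not run.

declare(strict_types=1);

// escapeshellcmd() escapes shell metacharacters in a whole command line, so an
// attacker can no longer chain commands, but can still inject extra arguments
// because whitespace is left alone. escapeshellarg() turns one value into one
// single-quoted argument, which is the right tool for user-supplied values.
function buildCommands(string $userPath): array
{
    return [
        'unsafe'  => 'ls -l ' . $userPath,                  // command injection
        'cmdonly' => escapeshellcmd('ls -l ' . $userPath),  // no chaining, still argument injection
        'argsafe' => 'ls -l -- ' . escapeshellarg($userPath),
    ];
}

// A bare md5() over the values can be recomputed by the client that edits them.
// An HMAC keyed with a server-side secret cannot; binding the session ID in as
// well stops a valid MAC being replayed from another session.
const APP_SECRET = 'replace-with-a-long-random-secret-from-config';   // assumption

function signParams(array $params, string $sessionId): string
{
    ksort($params);      // canonical key order, so the MAC does not depend on array order
    return hash_hmac('sha256', serialize($params) . '|' . $sessionId, APP_SECRET);
}

function verifyParams(array $params, string $sessionId, string $mac): bool
{
    return hash_equals(signParams($params, $sessionId), $mac);
}

// Demo with constructed inputs.
foreach (buildCommands('/tmp; rm -rf /') as $label => $cmd) {
    printf("%-8s %s\n", $label, $cmd);
}
// unsafe   ls -l /tmp; rm -rf /
// cmdonly  ls -l /tmp\; rm -rf /
// argsafe  ls -l -- '/tmp; rm -rf /'

foreach (buildCommands('-la --color=always /etc') as $label => $cmd) {
    printf("%-8s %s\n", $label, $cmd);
}
// unsafe   ls -l -la --color=always /etc           <- extra options accepted
// cmdonly  ls -l -la --color=always /etc           <- escapeshellcmd() saw nothing to escape
// argsafe  ls -l -- '-la --color=always /etc'      <- one path argument

$params = ['sku' => 'X1', 'price' => 1000];
$sid    = 'session-abc123';
$mac    = signParams($params, $sid);

var_dump(verifyParams($params, $sid, $mac));                          // bool(true)
var_dump(verifyParams(['price' => 1000, 'sku' => 'X1'], $sid, $mac)); // bool(true): order-independent
var_dump(verifyParams(['sku' => 'X1', 'price' => 1], $sid, $mac));    // bool(false): tampered
var_dump(verifyParams($params, 'session-other', $mac));               // bool(false): wrong session
```

The second buildCommands() call is the case escapeshellcmd() cannot help with: the input contains no metacharacters, so it passes through untouched and becomes extra options to ls, whereas escapeshellarg() plus the `--` separator keeps it a single path argument.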
Performance:
* Do use single quotes over double quotes.
* Do use switch over lots of if statements
* Do avoid calling a function in the loop condition on every iteration, e.g. for($i=0;$i<count($x);$i++){... calls count() on every pass; hoist it: $n=count($x); for($i=0;$i<$n;$i++){...
* Do use foreach for looping over collections/arrays.
o PHP 4: items are always copied by value
o PHP 5 and later: iterate by reference with foreach ($x as &$item) when the loop modifies items (objects are already handled by reference)
* Do consider using the Singleton pattern when creating complex PHP classes.
* Do use POST over GET for all values that will wind up in the database, for TCP/IP packet performance reasons (and because GET requests are expected to have no side effects).
* Do use ctype_alnum,ctype_alpha and ctype_digit over regular expression to test form value types for performance reasons.
* Do use full file paths in the production environment over basename/file_exists/open_basedir to avoid the filesystem having to hunt through the include path. Once determined, serialize and/or cache path values in a $_SETTINGS array, e.g. $_SETTINGS["cwd"]=getcwd(); (open_basedir is a security restriction, so weigh that before dropping it for speed).
* Do use require/include over require_once/include_once to ensure proper opcode caching.
* Do use tmpfile or tempnam for creating temp files/filenames
* Do use a server-side proxy to access web services (XML or JSON) on foreign domains from XMLHttpRequest to avoid cross-domain errors. eg. browser on foo.com <-- XMLHttpRequest --> foo.com proxy <--> bar.com
* Do use error_reporting (E_ALL); during debug.
* Do set Apache AllowOverride to "None" to improve Apache performance in accessing files/directories (it stops Apache looking for .htaccess in every directory on the path).
* Do use a fast fileserver for serving static content (thttpd). static.mydomain.com, dynamic.mydomain.com
* Do serialize application settings like paths into an associative array and cache or serialize that array after first execution.
* Do use PHP output control buffering for page caching of heavily accessed pages
* Do use PDO's emulated (client-side) prepares over native server-side prepares for statements: PDO::ATTR_EMULATE_PREPARES => true (MySQL driver: PDO::MYSQL_ATTR_DIRECT_QUERY => 1). Bound values are still quoted by the driver, so set the connection charset in the DSN so that quoting matches the server.
* Do NOT use SQL wildcard select. eg. Select *
* Do use database logic (queries, joins, views, procedures) over loopy PHP.
* Do use the multi-row INSERT syntax if not using PDO parameters. eg. INSERT INTO MYTABLE (FIELD1,FIELD2) VALUES ('x','y'),('p','q');
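An added example, not code from the original page, for the settings-cache and page-cache rules in the list above: resolve paths once and serialize() them, and capture rendered output with output control so a heavily accessed page is served from disk. The cache directory, the 60-second TTL, the settings keys and the page being rendered are assumptions made for the example; it runs on PHP 7+ from the CLI.

```php
<?php
// Added example, not code from the original page: the settings-cache and page-cache
// rules above (serialize the resolved paths once; buffer rendered output and reuse it).
// The cache directory, the TTL and the page being rendered are assumptions.

declare(strict_types=1);

$cacheDir = sys_get_temp_dir() . '/php-perf-example';
if (!is_dir($cacheDir)) {
    mkdir($cacheDir, 0700, true);
}

// Settings: the filesystem lookups run on the first request only; every later
// request reads one serialized file. allowed_classes=false keeps unserialize()
// from instantiating objects if the cache file is ever tampered with.
function loadSettings(string $cacheFile): array
{
    if (is_file($cacheFile)) {
        $cached = unserialize((string) file_get_contents($cacheFile), ['allowed_classes' => false]);
        if (is_array($cached)) {
            return $cached;
        }
    }
    $settings = [
        'cwd'   => getcwd(),
        'tmp'   => realpath(sys_get_temp_dir()),
        'built' => time(),
    ];
    file_put_contents($cacheFile, serialize($settings), LOCK_EX);
    return $settings;
}

// Page cache: capture whatever $render echoes with output control and keep it
// for $ttl seconds. md5() here only derives a filename; it is not a security check.
function cachedPage(string $cacheDir, string $key, int $ttl, callable $render): string
{
    $file = $cacheDir . '/' . md5($key) . '.html';
    clearstatcache(true, $file);
    if (is_file($file) && filemtime($file) > time() - $ttl) {
        return (string) file_get_contents($file);
    }
    ob_start();
    try {
        $render();                          // page code echoes as it normally would
    } finally {
        $html = (string) ob_get_clean();    // always release the buffer, even on error
    }
    file_put_contents($file, $html, LOCK_EX);
    return $html;
}

// Demo: start from an empty page cache so the counts below are the same on every run.
foreach (glob($cacheDir . '/*.html') ?: [] as $stale) {
    unlink($stale);
}
$settings    = loadSettings($cacheDir . '/settings.ser');
$renderCount = 0;
$render = function () use (&$renderCount, $settings): void {
    $renderCount++;
    echo '<h1>Report</h1>', PHP_EOL;
    echo '<p>cwd: ', htmlspecialchars($settings['cwd'], ENT_QUOTES, 'UTF-8'), '</p>', PHP_EOL;
};

$first  = cachedPage($cacheDir, '/report', 60, $render);
$second = cachedPage($cacheDir, '/report', 60, $render);
echo $first;
var_dump($first === $second, $renderCount);   // bool(true) int(1): second call served from disk
```

The settings file is intentionally left in place between runs, so the second run of the script takes the cached branch of loadSettings(); the page cache is cleared only so that the demo's render count is reproducible.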
Tools:
* microtime() - Return current Unix timestamp with microseconds to mark performance.
* ab, the Apache Bench server benchmarking tool (e.g. -n 1000 -c 500).
* Zend Performance Suite
* Callgrind/KCachegrind profiling tool.
* http_load multiprocessing http test client.
* xdebug helps you debug your script by providing a lot of valuable debug information.
* PHP Security Scanner
* PECL APC opcode caching module.
o pecl install APC
o php.ini apc.stat=0 (skips the per-request stat of script files; restart PHP after deploying new code)
o apc_store("settings", $_SETTINGS); then apc_fetch("settings") on later requests