PHP best practices
PHP has had many reputations over the years, but being insecure as a language never really was one of them.
The core team, all its faults notwithstanding, is rather quick in pouncing on all security matters, and updating PHP to the latest version will often allay all worries. But the end users, such as we are, tend to mess things up. We don’t update, we use outdated packages or packages with holes in them we’re not aware of, we use ancient extensions… we expose ourselves to risk in some truly creative ways.
Let’s start 2015 off right, shall we? This post will list important resources you should have in your brain/toolbelt before building anything with PHP in 2015. I’ll do my best to keep this post up to date, so it stays relevant indefinitely, but, like I said, I’ll need your help.
It’s a good idea to keep a PHP cheat sheet handy so you can refer to some of the basic elements you’ll need to use frequently, without wasting unnecessary time.
When I wrote about the cancer that is legacy code, I focused on application code. I still firmly believe that you should never develop for the lowest common denominator, else you risk becoming the very thing that’s holding your language’s progress back. That’s not the focus of this section, though. Recently, a new version-related discussion ensued.
CodeIgniter and WordPress are sticking with PHP 5.2 support (a version that’s been dead for four years now and shouldn’t exist on anyone’s server), and Anthony Ferrara responded in his blog post. Before you read this section any further, I implore you to read that post first. It’s important.
What that post accomplished was getting some people who are too lazy to upgrade riled up.
They argued for legacy support without considering the damage they’re doing to the PHP ecosystem. Anthony wrote another post in which he further explains his stances, and finished up with yet another post taking apart installation percentages of old PHP versions across the web, comparing them to the stability list to find out how many servers running PHP out there are insecure by default and hackable – today. The results are frightening to say the least.
If you’re developing something and are running anything but the latest major version of PHP, I urge you to give these posts a thorough read. If your client insists on host X or version Y for whatever reason, refer them to these posts, educate them, and help them see the error of their ways – teach them about the vulnerabilities they’re introducing to their project, and tell them about the horrors that can happen if they don’t act before it’s too late. Upgrading your PHP’s version is not something you should file under “we can do that later”. Do it now, and do it often.
Inspired by the aforementioned discussions, Phil Sturgeon compiled a table of current PHP versions supported by various hosts. You can find it at PhpVersions.info or if you’d like to contribute and add some missing values, on Github.
I recommend you steer clear of all shared hosting in general – there are extremely cheap VPS providers out there now, like DigitalOcean (feel free to check them out via my ref link for a leg up).
Don’t be these guys. It starts out innocent and simple, but when you end up having to lend out your partner while doing someone else’s laundry, it stops being fun.
When opting for a VPS, beyond not having to share an environment with everyone else or suffer the instability someone else introduces into the system, setting up your own server from scratch is a fun and rewarding experience you should be familiar with anyway. Besides, you can see on the list that barely anyone has the latest PHP version as the default one – why settle for anything but the latest software when starting a new project?
Encryption is crazy important today. Not just as a means of defending yourself from government snooping, but also as a way to make sure your clients and website visitors are protected as well and aren’t leaking any personal data. With advocates such as Ilya Grigorik and his pitches for TLS to Google announcing it would favor websites with HTTPS in search results, there’s no question about the ever increasing importance of HTTPS, even for simple websites.
While there are workarounds to getting HTTPS everywhere, one shouldn’t rely on those – it’s our responsibility as web developers to improve the web at large. HTTPS is not directly related to PHP, but whenever you’re starting a new PHP project it’s generally easier to set up your server to use HTTPS before you start coding, rather than in the middle of a project. To help you get through this often cryptic, daunting and discouraging task, (at least until Let’s Encrypt is out) Chris Palmer put together this Google Doc.
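Once the certificate is in place, the application itself should refuse to work over plain HTTP. The following is an added example, not code from the SitePoint post or from Chris Palmer's document: a small guard for a PHP front controller that redirects HTTP requests to HTTPS, sends an HSTS header and marks the session cookie secure. The web server should normally do the redirect itself; this is a second line of defence. `www.example.com` is a placeholder hostname, `requestIsHttps` and `httpsUrlFor` are names chosen here, and the code assumes PHP 7.0 or later for the type declarations.

```php
<?php
// Added example (not from the SitePoint post): application-level HTTPS guard.
// Put this at the top of the front controller, before any output is sent.

/**
 * Returns true when the request arrived over TLS.
 * $_SERVER['HTTPS'] is populated by the web server SAPI. The X-Forwarded-Proto
 * header is only honoured when $trustProxy is true: any client can send that
 * header, so trust it only when a TLS-terminating proxy you control sits in
 * front of PHP and overwrites it.
 */
function requestIsHttps(array $server, bool $trustProxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if ($trustProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

/**
 * Builds the https:// URL to redirect to. $canonicalHost is a configured
 * hostname (assumed here); using a fixed value instead of $_SERVER['HTTP_HOST']
 * keeps an attacker-supplied Host header out of the redirect target.
 */
function httpsUrlFor(array $server, string $canonicalHost): string
{
    return 'https://' . $canonicalHost . ($server['REQUEST_URI'] ?? '/');
}

if (PHP_SAPI !== 'cli') {
    $canonicalHost = 'www.example.com'; // placeholder: your real hostname

    if (!requestIsHttps($_SERVER)) {
        header('Location: ' . httpsUrlFor($_SERVER, $canonicalHost), true, 301);
        exit;
    }

    // HSTS: browsers remember to use HTTPS for one year. Only add
    // includeSubDomains once every subdomain really serves HTTPS, otherwise
    // you lock those subdomains out for the whole max-age.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

    // Session cookie: sent only over TLS and invisible to JavaScript.
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();
}
```

The two settings that are easiest to forget are the `Secure` flag on the session cookie (without it, one HTTP request leaks the session id in clear text) and the HSTS header (without it, the very first request of every visit still goes over HTTP and can be intercepted before the redirect).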
Don’t be these guys.
Follow best practices in password protection, generation, encryption and authentication. Read books and use packages like those suggested on the SecuringPHP site.
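As an added illustration of the password-storage part of that advice (example code, not from the SitePoint post or the SecuringPHP site): PHP ships a native password API since 5.5 that salts, stretches and later upgrades hashes for you, so there is no reason to roll your own with `md5()` or `sha1()`. The function names `hashPassword`, `verifyPassword` and `upgradedHashIfNeeded` are chosen here; the cost of 12 is an assumed value you should tune to your hardware, and the nullable return type needs PHP 7.1 or later.

```php
<?php
// Added example (not from the SitePoint post): password storage with PHP's
// built-in password_* functions. The salt and cost are embedded in the hash
// string, so only the hash needs to be stored (a VARCHAR(255) column is safe).

const PASSWORD_COST = 12; // assumed value; raise it as hardware gets faster

/** Hash a new password for storage. */
function hashPassword(string $plain): string
{
    // PASSWORD_DEFAULT lets PHP choose the currently recommended algorithm
    // (bcrypt at the time of writing) so hashes stay upgradable across versions.
    // Note that bcrypt only looks at the first 72 bytes of the password.
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST]);
}

/** Check a login attempt; password_verify compares in constant time. */
function verifyPassword(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

/**
 * After a successful login, return a fresh hash when the stored one was made
 * with a weaker cost or algorithm than we use today, otherwise null.
 * Call this only after verifyPassword() succeeded, since the plaintext is
 * available only at login time.
 */
function upgradedHashIfNeeded(string $plain, string $storedHash): ?string
{
    $needsRehash = password_needs_rehash(
        $storedHash,
        PASSWORD_DEFAULT,
        ['cost' => PASSWORD_COST]
    );

    return $needsRehash ? hashPassword($plain) : null;
}

// Usage with a constructed sample password (in a real app the hash comes from
// the user record and the plaintext from the login form).
$stored = hashPassword('correct horse battery staple');

if (verifyPassword('correct horse battery staple', $stored)) {
    $newHash = upgradedHashIfNeeded('correct horse battery staple', $stored);
    if ($newHash !== null) {
        // persist $newHash to the user record; old hashes migrate transparently
    }
}
```

The rehash step is what lets you raise the cost later without forcing a password reset: every user is migrated silently the next time they log in, and nobody is ever locked out.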
PHP The Right Way is responsible for improving the life of many a PHP project out there. In book form or digital, PTRW is an indispensable resource for making sure you’re fit to handle the challenges of modern app development. If you feel like it’s missing something or just want to contribute with typo corrections or alternative resources and guides, feel free to do so via Github.
Almost two years ago, Fabien Potencier of Symfony fame announced the creation of a list of vulnerable packages for PHP. A year and a half later, this became a standard part of Symfony and was released as open source into the public domain. You could now post your composer.lock file to their API or the web interface, or even the CLI tool, and it would check your project for vulnerabilities. However, this still required one step from the end users, and we’re lazy, lazy people.
Enter the Roave team, the laziest of us. They made a security-advisories package which uses this database of known vulnerabilities. As Marco Pivetta explains in his blog post, you require it in your project like any other package, but it downloads nothing: it serves as a meta-package whose only job is to check whether any of the bad versions are required in your project. It will warn you and prevent even the attempt to download those packages, saving you not only the checking step but also the step of deleting them afterwards.
I urge everyone doing PHP development to include this in their projects. By jointly attacking the common vectors of insecurity, we’ll be one step closer to eradicating security holes on a large scale.
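What that looks like in practice, as an added example (a constructed `composer.json`, not one from the SitePoint post or from the Roave project): the package is pulled in as a development dependency at `dev-master`, the constraint its README uses, because the list of conflicting versions changes continuously. `vendor/some-package` is a placeholder for whatever your project actually depends on.

```json
{
    "require": {
        "vendor/some-package": "^1.0"
    },
    "require-dev": {
        "roave/security-advisories": "dev-master"
    }
}
```

Because the constraint names an explicit `dev-` branch for one package, Composer accepts it without lowering the project's minimum stability. Run `composer update roave/security-advisories` from time to time to refresh the conflict list; when an update then fails with a version conflict, that is the advisory package doing its job, so upgrade the offending dependency rather than removing the advisory package.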
We’ve compiled lists of common mistakes before. Read the following posts to learn what to avoid:
TopTal’s list of 10 Most Common Mistakes PHP Programmers make
7 More Mistakes Commonly Made by PHP Developers
18 Critical Oversights in Web Development
By keeping these in mind, you’ll save yourself a world of trouble and major headaches down the road.
Use Vagrant! Even PTRW says so.
Vagrant helps you run cloned environments in small, headless virtual machines that forward requests to ports inside the machine, letting you use your host’s browser and your host’s IDE without interference. Want to nest a virtual machine inside a virtual machine? You can do that too, and it’s all completely safe! We’ve got a bunch of Vagrant tutorials and explanations under the Vagrant tag, so if you’re confused about the technology, read up.
Here at SitePoint, we have an officially endorsed fork of the Homestead Vagrant box (prepared by Laravel’s Taylor Otwell, but compatible with any framework and PHP application) called Homestead Improved. It’s runnable in under five minutes and you’ll have a completely encapsulated PHP environment to play in – with no fear of messing up your host OS or other projects. Made a mistake? Just destroy, rebuild, and you’re back where you started (with zero code lost) in a minute!
Note that we’re using this box in all our tutorials, so getting familiar with it now will both save you some time in the long run, and help you follow along with everything we do with great ease, not to mention the effect it’ll have on your local development environment.
Blackfire.io is a service from SensioLabs, the guys in charge of the Symfony framework and all its related technologies. It’s a transparent and low-overhead profiler able to analyze your code and alert you to issues with everything from application logic flow to interactions with the DB engines and even the cache layer. Blackfire is already installed in the Homestead Improved box mentioned above, so if you use our box or the original Homestead, you’re all set!
Catch problems before they throw a wrench into production! More detailed tutorials regarding Blackfire are coming soon!
We looked at some important links and resources for starting off your 2015 PHP projects properly, with performance and safety in mind. If you’re already using all these approaches, good for you – you can help us spread the word. Tell your friends and developer circles about it, direct them here, point the newbies who ask you how to get started our way and refer to the specific links in the post whenever someone tells you that legacy code should be supported and old PHP versions are fine. Send them here, and we’ll rough ’em up!
Disagree with any of these? Would you add some critical resources that the resources we’ve linked to don’t already mention? Let us know – I’ll make sure the list gets updated!
Translated from: https://www.sitepoint.com/php-tips-resources-best-practices-2015/