I have read a tweet about PHP programming today that made me furious.

“Handling complex logic in PHP is like doing the LSATs after shock therapy”

What is wrong with this statement? It moves responsibility from coder to the coding language and that is completely wrong in this case.

Firstly, PHP has syntax similar to C, which is used to code programs much more complex than most of websites. Almost all control statements are similar or same.  Although there are differences, I doubt anyone would argue that there is a significant lack of logic control statements in PHP than in C. Although PHP lacks specific PC programming libraries, it has very little to do with implementing logic of application.

So, what might cause such statements?

The top reason for problems handling logic is bad quality of the code (software quality measures how well software is designed (quality of design), and how well the software conforms to that design (quality of conformance)). PHP, similarly to C, is a very flexible language. And you need to and think work to produce good, quality code.

Thus, what is code quality characteristics related to implementing logic in PHP?

1. Separation of concerns. You should not handle logic, input, output, database, exceptions in single big file. Implement these as functions, or use libraries and frameworks. There is no excuse to not use a PHP framework nowadays, except when modifying old application source. And yes, I made such mistakes myself in the past.
2. Avoid logic shortcuts, like die(), exit() and break (in cycles, not in switch) statements if you can. They make code much harder to comprehend in the long run. Perfect function or method has a single return statement as well.
3. Use right model of computation to process information gathered. Logic will look nasty in all the languages as long as you have no foundation how to handle it. And the worst is, these programming models are already here for decades, like FSMs. Simply, they are used in software programming, but not so in web programming.
4. Comments, documentation, sane names of variables and no hacking. One of the reasons for bad code is “quick fixes”, when quick, undocumented fixes are applied to program code that no one understands later on. Even worse, they are applied to the system/framework core without any documenting sometimes. That might leave you stuck with un-updated version of some framework for long time.
5. It is better to comply with framework programming model than implement couple different models in single system. If you are using hook and plugin based framework as wordpress, stick to it, and know its features, internal logic and limitations.

If you will know these 5 things, all you will have to curse is your code or framework/cms you are using. But not the PHP.

I had read a post at sitepoints about 16 php 5 frameworks. I will not argue the fact that frameworks are good and you should use one. What saddens me is that the key points of comparison are omitted in the post.

So, how to compare different php 5 frameworks? Let us see.

1. Paradigms used. Although MVC is mainstream now, it is not a single paradigm in php development. There are frameworks that are event based only. Additionally, there are different paradigms for different application layers, for example CRUD for database (model) layer, pretty well supported in php cake. Zend does not have module layer at all, you need to use your own database access, as example.

2. Modularity and reusability of framework. Although MVC provides modularity on controller- basis, additional modularity is required to re-use code between applications. This is important for developing bigger project that share modules.

3. Php version support. Some frameworks require specific versions of php5. This means that you have limited options for hosting.

4. Shared hosting support. You might need that before project kicks in. Some frameworks behave weirdly on shared hosting, as they need specific setup.

5. Proof of concept and maturity. Have you seen applications developed with the framework? Is framework developer community active or dormant? I would shun a framework without some real-world example sites.

Have something to add? Comment bellow!

Voting is quite basic element of any site that claims to be social. This is a basic tool to get opinion of visitors on topics and works as viral marketing too. However, sooner or later your visitors will question if your script is secure enough to avoid fake voting bots. So let’s cover couple ways how to avoid bots voting for your topics. 

Unwanted votes fall into 2 main categories: intentional and unintentional. Unintentional ones might be search engines that try visiting your pages and similar. Intentional ones are made by people that want to screw voting statistics. Unintentional voters can be avoided using robots.txt exclusion, though one should not rely on it. You will not avoid intentional voters that way.

First, the vote should be a form element or javascript link. The reason is quite simple – a regular link is likely to be visited by search engines and it will screw up your voting results. Also, it is quite easy to add a link to any command line browser script. Although basic checking of browsers is a good thing, it will not work – the browser variable can be set freely in many of these scripts and it will protect from search engines and not malicious voting. Still, blocking most of the popular site grabbers in your .htaccess file might be a good idea.

Putting a limit on votes from the same IP has problems on its own as well. Although this makes voting more secure, it is quite unsuitable for local sites. There are cases when there are many users behind common firewall and share same IP address. This would make your site unusable for them. Also, it is quite easy to change one’s IP address with proxy while writing script. 

Checking cookies is the most popular way of handling votes, though writing script handling them is quite easy as well. The most interesting variation of such voting script was implanting voting cookie from an image in the voting page and later checking for the value in the voting script. This prevented most basic form of voters that handle single page only. 

Also, it is a good idea to check referrer of the vote (aka page the user came from). If the referrer is blank, you can be very sure that the user is either bot, or came to vote directly. 

Captcha is quite good at preventing false votes as well, though it does not protect from manual multi-voting. The problem is that it ads complexity to the voting process so less people are ready to express their opinion. 

An alternative for captcha is using serials in the voting forms. These serials are checked with the value stored either in cookie or db upon voting. Sadly, this will not protect from better voting script. 

So, how to choose right method for you?

Here some suggestions: 

1. Decide how much secure your form has to be. What will force people wanting particular result ? In some cases you do not have to use protection against intentional voters.
2. Do not use captchas for simple votes – you will get less input on topic
3. Upon vote, log everything into db: Time, referer, browser, ip, cookie value. Later you can use that data to see if some of the data repeats too often.
4. It will not hurt to check server logs. Typical voting script will not bother to load CSS/images/JS. Look for queries from IP that does not load any images or scripts and just votes.
5. Look for spikes in the data gathered. 

I have to admit that Komodo Edit 4.4 is the editor I use the most for editing and developing. What I like is code collapsing/expanding, quite nice syntax help, also SSH2 support, which is a must for any editor. Additionally, it is free (there is a paid Komodo IDE version too). Overall, quite nice tool.

However, there are couple of points where it could improve as well.

First, Komodo edit’s project management is far from satisfactory. It automatically adds files in the same directory as project file to project, which is not desirable behavior sometimes. Quite often project files are used for keeping shortcuts to important files in remote server only, so the “projects” are quite messed up. The more project you got, the more messy it looks

What’s even worse, the files in project are handled by their name, and not by name and location like it should be. So, you can not add 2 files with same name to same project, even if locations are completely different. One co-worker even lost content of one file due to this “nice” Komodo edit’s feature.

The remote access to files needs a fine-tune too. In previous versions, reloading a project would change active remote dir to the one of last file loaded. Nowadays it does not change it, and it feels like a downgrade in capabilities – I have to browse more till I can edit the files required.

Overall veto: Komodo Edit is more geared towards local project development with some ocasional edits on remote server. Quite good tool if you are cheap