Functions to avoid for PHP and WordPress Developers


PHP, the language powering WordPress, has evolved significantly in recent years. The language is now on version 7 and performs better and more securely than ever before.

As PHP and the web have matured, many of PHP's functions have been improved upon or replaced. However, functions long past their glory days, together with misinformation about their proper usage, still linger.

Updating to the latest version of PHP avoids many of the problems this code causes, since the offending functions are deprecated and lose their support.

It is not always possible to update, so some developers may find themselves with access to code that they can use but shouldn't.

In this article, I will look at some of the functions that PHP and WordPress developers should treat with caution, or avoid altogether, when building a secure website. These are functions that developers should know to avoid.

By now it is widely known that magic quotes and register globals are no-nos in PHP security, and thankfully newer versions of the language do not support them. You will also be hard-pressed to find a host that allows them on its servers.

Beyond these obvious security flaws, there are common misconceptions about when to be alert to outdated functions, and about frequently used functions that get pushed beyond their otherwise safe purpose.

Below are my never-use PHP functions.

Passwords

The worst-offending outdated code, a problem I come across, is password hashing.

A common misconception is that MD5 and SHA-1 should be used for this purpose. This is absolutely wrong and completely outdated. Unfortunately, this is a real problem, as some educational institutions still teach outdated PHP password hashing.

With MD5 and SHA-1, the same password always produces the same hash, so every hash can ultimately be linked back to its source.

PHP now comes with its own built-in password hashing functions, and these are the most advisable method to use for your password hashing needs, for now at least. They use bcrypt with a built-in random salt, meaning it is impossible to get two identical hashes from the same source password. This is unlike password hashing with MD5 and SHA-1, where the hash for a given word is always the same.

Hashing a password is a one-way operation that cannot be reversed to its original state. This is distinct from encryption, which can be decrypted back to the original.

Websites now exist with the dedicated purpose of breaking MD5 and SHA-1 hashes, and they can do so in seconds using billions of known hashes stored in databases known as rainbow tables. Previously these hashing functions would have taken years to break, but that was with the most sophisticated technology of the time, and technology has moved on.

Several arguments are made in support of MD5 and SHA-1. Despite the misinformation around, it is not the case that nesting one of these hash functions inside the other creates a stronger password hash. Nor is it the case that the websites dedicated to breaking hashes have only a small pool of possible passwords from which to serve up a password matching the hash provided.

Ultimately, users will create insecure passwords for themselves, but good security should never rely on user input.
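The contrast above, as an added example that is not part of the original article: an unsalted MD5 hash produces the same output every time, while PHP's built-in `password_hash()` / `password_verify()` pair (bcrypt, random salt per call) never does, and `password_needs_rehash()` lets you raise the work factor later. The sample password and the cost values are constructed for the demonstration.

```php
<?php
// Added example: legacy MD5 hashing beside PHP's built-in password API.
declare(strict_types=1);

// Outdated approach: identical passwords always give identical hashes,
// so a leaked table can be matched directly against precomputed lookups.
function legacy_md5_hash(string $password): string
{
    return md5($password);
}

// Recommended approach: bcrypt via password_hash(). A random salt is
// generated on every call and embedded in the returned string.
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Constant-time comparison of a candidate password against a stored hash.
function verify_password(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// After a successful login, re-hash if the stored hash was made with an
// older algorithm or a lower cost than the one currently configured.
function upgrade_hash_if_needed(string $password, string $storedHash): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12])) {
        return hash_password($password);
    }
    return null;
}

$password = 'correct horse battery staple'; // constructed sample password

// Same input, same MD5 output every time.
var_dump(legacy_md5_hash($password) === legacy_md5_hash($password));

// Same input, different bcrypt output every time, yet both verify.
$h1 = hash_password($password);
$h2 = hash_password($password);
var_dump($h1 === $h2);
var_dump(verify_password($password, $h1));
var_dump(verify_password('wrong password', $h1));

// A hash created with a lower cost is flagged for upgrade at next login.
$old = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(upgrade_hash_if_needed($password, $old) !== null);
```

The first `var_dump` is true and the `$h1 === $h2` comparison is false, which is exactly the point: two bcrypt hashes of the same password differ, but both still verify. Store the full string returned by `password_hash()` (it contains the algorithm, cost and salt) and never compare hashes with `==`.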

eval

The original purpose of this function was to evaluate a string as PHP code.

This purpose has been found to be open to manipulation and injection: eval() does not escape anything, so a raw request can pass straight through to be executed on the server, potentially carrying malicious user input. In the worst case, an attacker could wipe out an entire server.

Rasmus Lerdorf, the founder of PHP, himself disapproves of the use of the eval function. He once said: "If `eval()` is the answer, you're almost certainly asking the wrong question."
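What to do instead of eval() on request data, as an added example rather than code from the article: the usual reason people reach for eval() is to pick an operation by name, and a fixed dispatch table of closures does that without ever treating input as code. The operation names, the sample request and the validation rules are constructed for this example.

```php
<?php
// Added example: a dispatch table in place of eval() on request data.
declare(strict_types=1);

// The pattern the article warns about, shown only for contrast:
//   eval('$result = ' . $_GET['op'] . '($values);');
// Whatever arrives in "op" is executed as PHP.

// Safe pattern: the only things that can run are the closures listed here.
function allowed_ops(): array
{
    return [
        'sum'  => fn(array $xs): float => array_sum($xs),
        'max'  => fn(array $xs): float => (float) max($xs),
        'mean' => fn(array $xs): float => array_sum($xs) / count($xs),
    ];
}

function run_operation(string $op, array $values): float
{
    $ops = allowed_ops();
    // Reject anything that is not an exact key in the table.
    if (!array_key_exists($op, $ops)) {
        throw new InvalidArgumentException("Unknown operation: $op");
    }
    // Validate and coerce every value before it reaches the closure.
    $numbers = [];
    foreach ($values as $v) {
        if (!is_numeric($v)) {
            throw new InvalidArgumentException('All values must be numeric');
        }
        $numbers[] = (float) $v;
    }
    if ($numbers === []) {
        throw new InvalidArgumentException('At least one value is required');
    }
    return $ops[$op]($numbers);
}

// Constructed stand-in for $_GET.
$request = ['op' => 'mean', 'values' => ['2', '4', '9']];
echo run_operation($request['op'], $request['values']), PHP_EOL;

// Anything that is not a listed operation name is rejected outright.
try {
    run_operation('not_an_op', ['1']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same idea covers the other common eval() use, parsing data: use `json_decode()` for JSON and `unserialize()` only on trusted input with `allowed_classes` restricted, rather than evaluating a string as PHP.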

globals

The global keyword changes a variable's scope. A variable inside a function or closure is local, but prefix it with global and it refers to global state instead.

This is bad because a variable that should only exist inside that function can then be accessed outside it.
If you need the variable's value, the function should return it instead.

Another problem with global is the potential to interfere with an existing variable without realizing it, or without knowing where that variable came from.
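The side effect described above, as an added example that is not from the article: a function that uses `global` silently rewrites a variable the rest of the script relies on, while the return-value version leaves the caller in control. The `$total` variable and the discount arithmetic are constructed for the example.

```php
<?php
// Added example: `global` side effect versus returning a value.
declare(strict_types=1);

$total = 100; // a value some other part of the script depends on

// Reaches into the global scope and overwrites $total as a hidden side effect.
function apply_discount_global(int $percent): void
{
    global $total;
    $total = (int) round($total * (100 - $percent) / 100);
}

// Pure alternative: takes its input explicitly and returns the result.
// Nothing outside the function changes unless the caller chooses to assign it.
function apply_discount(int $amount, int $percent): int
{
    return (int) round($amount * (100 - $percent) / 100);
}

apply_discount_global(10);
echo 'After global version: total is now ', $total, PHP_EOL;

$total = 100;                       // reset for the comparison
$discounted = apply_discount($total, 10);
echo 'After return version: total is still ', $total,
     ', discounted value is ', $discounted, PHP_EOL;
```

The first call changes `$total` from 100 to 90 without the caller asking for it; the second leaves `$total` untouched and hands back 90. If two different functions both `global $total`, each can silently undo the other's work, which is the interference the section warns about.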

Risky PHP

These PHP functions have good, wholesome real-world intentions but do come with certain risks attached. For this reason, they have fallen out of favor among developers.

file_get_contents

This function has the potential to expose you to man-in-the-middle attacks.

Using file_get_contents() to call an external URL is common practice. The danger is that when remote pages are fetched, the integrity of the HTTPS connection is not always checked. This leaves the file_get_contents() result open to containing anything an attacker places there.
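How to make that HTTPS fetch verify the remote end, as an added example rather than the article's code: a stream context with `verify_peer` and `verify_peer_name` enabled (and a CA bundle path) is passed to `file_get_contents()`, and a failed verification is treated as a fatal error instead of silently producing `false`. The CA bundle path and the fetched URL are assumptions for the example; adjust them to your system.

```php
<?php
// Added example: file_get_contents() with TLS verification enforced.
declare(strict_types=1);

// Weak context, shown for contrast only: turning these off is what opens
// the door to a man in the middle substituting the response.
function insecure_context()
{
    return stream_context_create([
        'ssl' => ['verify_peer' => false, 'verify_peer_name' => false],
    ]);
}

// Hardened context: check the certificate chain against a CA bundle, check
// that the certificate matches the hostname, and require TLS 1.2 or newer.
function secure_context(string $caBundlePath)
{
    return stream_context_create([
        'ssl' => [
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
            'cafile'            => $caBundlePath,
            'crypto_method'     => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
        ],
        'http' => ['timeout' => 10],
    ]);
}

function fetch_https(string $url, string $caBundlePath): string
{
    // Refuse plain http:// (and other schemes) up front.
    if (strpos($url, 'https://') !== 0) {
        throw new InvalidArgumentException('Only https:// URLs are allowed');
    }
    $body = file_get_contents($url, false, secure_context($caBundlePath));
    if ($body === false) {
        // A certificate or hostname mismatch surfaces as a warning plus false;
        // never fall back to using whatever partial data came back.
        throw new RuntimeException('Fetch failed or TLS verification failed for ' . $url);
    }
    return $body;
}

// Assumed CA bundle location (Debian/Ubuntu layout); change for your host.
$caBundle = '/etc/ssl/certs/ca-certificates.crt';
try {
    $page = fetch_https('https://example.com/', $caBundle);
    echo strlen($page), ' bytes fetched', PHP_EOL;
} catch (RuntimeException | InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Since PHP 5.6 the defaults for `verify_peer` and `verify_peer_name` are already true, so the real-world failure mode is code that explicitly sets them to false (often copied from a snippet that "fixed" a certificate error) or that ignores the `false` return and carries on. Check the `allow_url_fopen` setting as well; if it is off, `file_get_contents()` cannot fetch URLs at all and the curl extension with `CURLOPT_SSL_VERIFYPEER` is the equivalent route.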

extract

The extract function has lost popularity. This useful little function was once used by developers who just wanted to create live variables out of the key => value pairs in their arrays.

Developers should watch out, because extracting $_GET and $_POST exposes vulnerabilities. The danger with extract is that you don't know what you are extracting, so you may find you are extracting malicious input data from the user.

If this is unavoidable, then the developer should be sure to sanitize the data resulting from the extract before it is used.
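The overwrite problem in concrete form, as an added example that is not part of the article: a request that happens to carry a key named `is_admin` replaces an application flag when `extract()` is called on it, while `EXTR_SKIP` preserves existing variables and reading named keys explicitly avoids the problem altogether. The request array and the handler functions are constructed for the demonstration.

```php
<?php
// Added example: extract() on request data, and two safer alternatives.
declare(strict_types=1);

// Constructed request: a query string that includes a key colliding with a
// variable the handler relies on.
$request = ['q' => 'shoes', 'is_admin' => '1'];

// Unsafe: extract() overwrites $is_admin with the request value.
function search_handler_unsafe(array $request): string
{
    $is_admin = false;      // application-controlled flag
    extract($request);      // $is_admin now comes from the request
    return $is_admin ? 'ADMIN view' : 'public view';
}

// Safer: EXTR_SKIP refuses to overwrite variables that already exist.
// (EXTR_PREFIX_ALL with a prefix is the other option if you must extract.)
function search_handler_skip(array $request): string
{
    $is_admin = false;
    extract($request, EXTR_SKIP);   // existing $is_admin is kept
    return $is_admin ? 'ADMIN view' : 'public view';
}

// Preferred: read only the keys you expect, validate them, and never derive
// authorization state from the request at all.
function search_handler_explicit(array $request): string
{
    $q = isset($request['q']) ? (string) $request['q'] : '';
    if (!preg_match('/^[\w\s-]{1,64}$/u', $q)) {
        throw new InvalidArgumentException('Invalid search term');
    }
    $is_admin = false;   // set by the application, not by the request
    $label = $is_admin ? 'ADMIN view' : 'public view';
    return $label . ' for "' . htmlspecialchars($q, ENT_QUOTES, 'UTF-8') . '"';
}

echo search_handler_unsafe($request), PHP_EOL;
echo search_handler_skip($request), PHP_EOL;
echo search_handler_explicit($request), PHP_EOL;
```

The first handler reports the admin view because the request supplied `is_admin=1`; the other two report the public view. Note that `EXTR_SKIP` only protects variables that are already defined before the call, so it does nothing for a variable that is first assigned later in the function.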

WordPress dangers

WordPress is built on PHP and provides a library of its own useful functions to use when developing plugins and functionality for the popular CMS. Here are some common mistakes made with some of these functions.

add_query_arg

Not so long ago, WordPress developers mistakenly believed that this WordPress function sanitized their URLs. This was caused by misleading information in the documentation. Some websites continue to use it as though it were safe, meaning their owners are not as protected from XSS attacks as they thought they were.

is_admin

The problem with this function lies in its name. It looks like it will tell you whether the user is an admin. What it actually does is indicate that the code is running on the administration side of the site, as opposed to the front end seen by the average visitor.
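Both WordPress points above in one added example (not from the article and not WordPress core code): `add_query_arg()` output is escaped with `esc_url()` at the point it is printed, and `is_admin()` is used only as a context check while `current_user_can()` does the actual authorization. The fragment assumes it runs inside WordPress, where `add_query_arg()`, `admin_url()`, `wp_nonce_url()`, `esc_url()`, `esc_html()`, `is_admin()`, `current_user_can()`, `check_admin_referer()`, `sanitize_key()`, `wp_die()` and `add_action()` are available; the action name `example_export` and the `manage_options` capability choice are assumptions for the example.

```php
<?php
// Added example: escaping add_query_arg() output and separating the
// is_admin() context check from a real capability check.

// add_query_arg() does not sanitize. It builds a URL from its arguments and,
// when no base URL is given, from the current request URI, which an attacker
// controls. Escape the result wherever it is output.
function example_build_export_link(string $format): string
{
    $url = add_query_arg(
        ['action' => 'example_export', 'format' => $format],
        admin_url('admin-post.php')
    );
    // Bind the link to the current user's session so it cannot be forged.
    $url = wp_nonce_url($url, 'example_export');

    return '<a href="' . esc_url($url) . '">' . esc_html("Export as $format") . '</a>';
}

// is_admin() only says "this request is on the admin side"; a logged-in
// subscriber hitting admin-post.php satisfies it. Permission comes from
// current_user_can(), and the nonce check stops cross-site request forgery.
function example_handle_export(): void
{
    if (!is_admin()) {
        return;                                   // context check only
    }
    if (!current_user_can('manage_options')) {    // the actual permission check
        wp_die('You do not have permission to export.', '', ['response' => 403]);
    }
    check_admin_referer('example_export');        // verifies the nonce from wp_nonce_url()

    $format = isset($_GET['format']) ? sanitize_key($_GET['format']) : 'csv';
    if (!in_array($format, ['csv', 'json'], true)) {
        wp_die('Unsupported export format.', '', ['response' => 400]);
    }
    // ... perform the export for $format ...
}
add_action('admin_post_example_export', 'example_handle_export');
```

The rule of thumb for the first function is to escape late: keep the URL unescaped while you build it and apply `esc_url()` (or `esc_url_raw()` when it goes into a redirect or a database, not HTML) exactly once at output. For the second, treat `is_admin()` as answering "which side of the site am I on?" and never as "is this user allowed to do this?".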

Read more

Speed your development workflow with these Chrome extensions

A very popular browser choice among developers is Google Chrome. And a great but often underused feature of Chrome is its Extension Store. As a developer, you can use this resource to access a multitude of free tools that will help you cut down on some of the most tedious tasks in development.

After all, as rewarding and interesting that development may be, it’s still true that tasks such as browser testing and link testing can be very dull ways to spend huge chunks of time.

Development Extensions

These Chrome extensions will help you speed up your development workflow right from your browser.


Web Developer
Get the extension

If I could only install one extension, then this would be my choice. With this extension, a developer will be able to gain a lot of information on their project.

I find the most useful features of this extension are the ability to disable things like JavaScript, cookies, CSS styles and images. I also find it very useful to outline elements based on their type, such as floated elements, absolutely positioned elements and headings.

I also really like how I can work with forms; this is really useful when testing that the forms I have built are working correctly. With the Web Developer extension, I can quickly complete mundane tasks like clearing form fields and checking and unchecking form fields.

Web Developer Checklist
Get the extension

I like my websites to be the best they can be, and for this reason, I keep the Web Developer Checklist as part of my toolkit.

The Checklist extension will test your website to make sure it is mobile worthy and passes SEO, accessibility and security essentials.

It is even possible to check the quality of code. However, I have my IDE also checking this for me as I write code, based on Laravel Artisan standards.

Pesticide
Get the extension

I think the name of this handy, simple extension is perfect; sometimes when working on front-end development, code issues can feel like a real bug hunt.

The purpose of this extension is to outline all CSS elements to see the placement on a page better and help to identify a problem which could otherwise feel like hunting down a pest in your code.

Browser testing – Browserling and IETab
Get Browserling
Get IETab

Testing in multiple browsers is definitely one of those tedious tasks mentioned earlier. The bad news is there is no getting away from browser testing; however, it’s definitely not as painful as it used to be and there are now extensions that mean you can do it all in one tab.

One such extension is Browserling. This is a live interactive cross-browser testing service for web developers and web designers, and it provides quick access to all the most popular browsers on the most popular operating systems.

Link Checker
Get the extension

Much like browser checking, link checking is an essential but highly tedious task. The Chrome extension Link Checker has one simple but powerful purpose: to make this tedious task a thing of the past.

Extensions for designers


Here are some of the best extensions for front-end designers to speed up real-world, everyday tasks.

WhatFont
Get the extension

The WhatFont extension is invaluable when it comes to identifying a font. Sometimes when browsing the web I come across a website that uses terrific typography, but determining what makes it so great is not always intuitive to developers, and this extension makes that process so much easier.

Information can be found on the type family and font size and, what's more, it can help you find out whether the font you found is available on the Google API or even Typekit if you prefer.

ColorZilla
Get the extension

If you find you frequently need to design a website around a specific color palette, then this extension will be a great asset.

Often clients know they want their color scheme to match their logo, some other design work, or even their existing website. ColorZilla uses a color picker to select any shade in the browser and gives you the HEX or RGB code of that color.

Spectrum
Get the extension

Color deficiencies are common but not widely accounted for by web designers. A color blind person may have a needlessly terrible time on a website you designed, but this can all be solved with a few adjustments to your design.

Spectrum is an extension that lets you see your website as a color blind person would, addressing the problem of wanting to help but not knowing how to.

Read more

Staying relevant in the 2018 web dev job market


Web development stays still for no one; anyone in the industry longer than 12 months can tell a newbie this from first-hand experience.

In 2018 it feels like this is the year the industry starts to feel the impact of recent disruptions, and many web designers are already beginning to feel the effects of AI tools taking over tasks that were once a staple of their skill set.

Read more

Build on Bootstrap for fast and quality web design


Bootstrap is the most popular HTML, CSS, and JS framework for developing responsive, mobile projects on the web.

You have probably come across Bootstrap as a web designer, along with other technologies such as Sass, LESS, Grunt, Gulp, npm etc., and felt like you need to absorb an avalanche of knowledge before you can get started on your website. This can feel like overkill for smaller sites too.

Read more

Find a coding course that suits your learning style


If you want to learn to code, then following an online course is a good step in that direction. However, it's an investment that can be costly, not just in money but in time too.

There are numerous courses online. I have experience with many of them, and with this knowledge I have put together a review of some of the most popular providers.

Read more

When to start using a framework for web development beginners

Many web development beginners ask the same questions about using frameworks.

Developers will frequently ask me:

Should I be using a Framework?

Which framework should I be using?

Which framework will earn me the most money?

Which framework gives me the best chance of employment?

In this article, I will attempt to answer these questions from the perspective of a PHP developer. Many of the answers also apply to developers interested in JavaScript.

Read more

Zero to WordPress hero, your guide to becoming a WordPress professional


So you have decided you would like to learn or level up your WordPress skills. Anyone can take this journey. Maybe you're already a WordPress hobbyist, dabbling in your spare time, or maybe you're crossing over from another related field like front-end web development.

WordPress is a wise choice. It's easy to learn, and easier than a lot of people think to lift your skills above the average. And when you get there, you will find there is plenty of demand for skilled developers to work on the CMS that runs a good-sized portion of the web.

So let’s get started!

Read more

Get familiar with browser developer tools for speedy debugging

Browser developer tools have been around for a long time and, for web designers, they have a defined place in the workflow. I use developer tools in my own projects so frequently that I probably take them for granted. But every so often I hear a new announcement or discover a trick that reminds me how useful they are and how I really could not live without them.

Read more