PHP – multi-language system and security with PHP

Tags: php, security, stored-procedures

I'm coding a new site. It's like StackExchange, a social site and a blog. I'm trying to create a multi-language site, however I can't decide how to do it.

I have to use modules, so I must use OOP, while having a multi-language interface. How can I do that?

There are two language options (Turkish and English), with strings used continuously (example: home page etc.) or not (some errors; example: "please enter your mail" etc.)

  1. I can use a class and an array (for those used continuously),

  2. I can use a class and an XML page (for errors),

or I can have a class and three language pages: Turkish, English and errors.

Which one gives the best performance?


The other problem is PHP-MySQL security.

I'm using mysqli. I use mysqli_real_escape_string to block HTML characters, but it is not enough. So I additionally use stored procedures.

What else can I do? What is your advice?

Best Answer

From what I understand, you have two questions:

What to use to store language strings: XML or PHP arrays? Which one has better performance?

Arrays are read directly from source code. XML must first be parsed, then transformed (in your case) into an array. This means that the array approach is way faster. Also, serialization is another approach which will give you better performance than XML.

But does this matter? In all cases you have to cache those things. In other words, you'll spend for example 800 ms. instead of 45 ms. loading the first page when the server starts, but then, every other page will spend 40 ms., no matter where and how language strings are stored.

What matters, on the other hand, is whether you can easily change those strings. Personally, I prefer changing XML by hand, rather than changing PHP source code. There are also security considerations to take into account. Also, what if one day you would like to make an interactive tool enabling you to add and remove languages on the fly through a web interface? With XML, it's quite easy. But not so easy if you use arrays directly.

I'm using mysqli. Of course I block HTML characters and I use mysqli_real_escape_string. But they are not enough. So, I use stored procedures.

Learn how to use parameterized queries. Seriously, it is the only way to avoid SQL injection, and in all cases it must be mandatory to know that before starting to code any website.

PDO is also your friend, and avoids being dependent forever on your choice of SQL server.
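A concrete illustration of the advice above, added here as an example and not part of the original post: the escaped-string query the question describes, beside the same lookup as a mysqli prepared statement and as a PDO prepared statement. The `users` table with `id` and `email` columns, and the connection handles passed in, are assumptions.

```php
<?php
// Added example (not from the original answer). Assumes a hypothetical MySQL
// table `users` with columns `id` and `email`, and an open $db handle.

// 1) Escaping alone: the value is still spliced into the SQL text, so safety
//    depends on the quotes around it, on the connection charset, and on every
//    caller remembering to escape. One unquoted or forgotten place is enough.
function findUserEscaped(mysqli $db, string $email): ?array {
    $db->set_charset('utf8mb4');                 // escaping is charset-aware
    $safe = $db->real_escape_string($email);
    $sql  = "SELECT id, email FROM users WHERE email = '$safe'";
    $result = $db->query($sql);
    $row = $result ? $result->fetch_assoc() : null;
    return $row ?: null;
}

// 2) mysqli prepared statement: the query structure is sent first and the
//    value is bound separately, so user input can never alter the SQL itself.
function findUserMysqli(mysqli $db, string $email): ?array {
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);              // 's' = bind as string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// 3) PDO equivalent. Emulated prepares are disabled so the server, not the
//    client library, handles the parameters; exceptions are enabled so a
//    failed query cannot be silently ignored.
function pdoConnect(string $dsn, string $user, string $pass): PDO {
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function findUserPdo(PDO $db, string $email): ?array {
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);        // bound, never concatenated
    $row = $stmt->fetch();
    return $row ?: null;
}
```

Only the column names and the `:email` placeholder differ between the PDO and mysqli versions, so switching drivers later is mostly a change of DSN.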
