What are namespaces and why are they convenient?

‘Namespaces’ are default in almost every other (OOP) language, such as C++ and C#. They separate classes and other objects (such as methods) in logical units, mostly to avoid name collisions. A program (or web site, as is probably the case in php) may use several frameworks and libraries. These may hold methods and/or classes that are named the same, for example a class named Date. Prior to php 5.3, this would lead to the well known error “Could not redeclare class Date in file/name.php on line no“. This, of course, could be a problem when you want to use multiple frameworks and/or third-party libraries.

The problem of name colissions was dealt with before by using something called ‘poor man’s namespacing’, which has been used in, for example, the Zend Framework. This looks something like this:

< ?php
class Zend_Search_Lucene_Analysis_Analyzer_Common_TextNum_CaseInsensitive extends Zend_Search_Lucene_Analysis_Analyzer_Common_TextNum
{
	public function __construct()
	{
		$this->addFilter(new Zend_Search_Lucene_Analysis_TokenFilter_LowerCase());
	}
}

This of course is not very handy all the time. So, how do namespaces solve this problem?

Namespaces in php 5.3

A namespace in php can be thought of as an extra layer around (part of) your code. Every class en method name within it is unique and does not conflict with classes or methods with the same name in other namespaces.

To declare a namespace in php, use the keyword ‘namespace’ on the first line of your file. Your classes and methods you define below it. All code within that file will be in that namespace. Let’s look at an example on how to use namespaces:

< ?php
namespace MichielvdVelde\Core;
 
class Database
{
	public function __construct()
	{
	}
}

The class Database will now reside in the namespace MichielvdVelde\Core. If you were to make another namespace, which also holds a class named Database, this would be fine.

So, how do you use classes within a namespace? This is really kind of simple. There are two method.

Method one

Add the namespace to the declaration of the class. Like this:

< ?php
require_once 'MichielvdVelde/Core.php';
 
$db = new MichielvdVelde\Core\Database();

But this method is not really an improvement over poor man's namespacing. Therefore, there is a second method.

Method two

By using the 'use' keyward, you cam import namespaces in your code. This more closely resembles namespacing as implemented in other languages such as C++ and C#.

< ?php
require_once 'MichielvdVelde/Core.php';
 
use MichielvdVelde\Core as CORE;
 
$db= new CORE\Database();

As you can see, this is more aliasing than really importing. But still, this method is very useful.

Gotcha's

Functions are also part of namespaces

When defining functions in files with the 'namespace' keyword at the top, thsey are also part of that namespace.

< ?php
namespace MichielvdVelde\Core;
 
function getDatabase()
{
}

< ?php
require_once 'MichielvdVelde/Core.php';
 
getDatabase(); // Geeft E_FATAL error: Undefined function getDatabase()
 
use MichielvdVelde\Core as CORE;
 
CORE\getDatabase(); // This does work

Autoload changes

Autoload on Windows does not use the \ very well. You may need to change your autoload function for this:

< ?php
function __autoload($className)
{
	$className = str_replace('\\', DIRECTORY_SEPARATOR, $className) . '.php';
	require $className;
}
 
$db = new MichielveVelde\Core\Database();

Also note that you need to define __autoload within the global scope. If you define it within a namespace, php won't find it. If you do want to use the autolaod function from within a namespace, use the spl_autoload_register function:

spl_autoload_register('MichielvdVelde\\Core\\Autoloader');

Conclusion

PHP 5.3 introduces support for namespaces which will be very handy in organizing and cleaning up your code. Although it may take some time for web hosters to support php 5.3, you can experiment with it by installing the latest version of XAMPP on your omputer, which has php 5.3 included.

On many web sites, visitors can register themselves, for example to be able to post on the forums or place comments. These users have to fill in a password, that allows only them to log in with that specific name on that specific user account.
But, how is this password stored? There are basically three methods, ranging from dumbest to smartest:

1. Clear text, the password directly into the database or other storage medium;
2. Encrypted, the password encrypted with an algorithm (e.g. AES), with a key;
3. Hashed; a one-way hash (e.g. MD5, SHA1).

As you might suspect, storing the password as clear text is the most idiotic thing you can do! Imagine a hacker breaks into your database; he instantly has all passwords for all users on your web site. Is that what you want? I think not.

Option two is storing the password as encrypted text. This requires an encryption algorithm, such as Advanced Encryption Standard, and a key. This requires the key to be stored as well, and no matter how good you put it away. On the other hand, it allows you to decrypt the password and use it for verification. And you can give them their original password when they’ve lost it. But this still isn’t the best solution. See option three.

Option three: hashes
The third option is in my opinion, and that of a lot of people who know, hashing. A hash is, according to Wikipedia:

A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value. The data to be encoded is often called the “message”, and the hash value is sometimes called the message digest or simply digest.

So, a hash is a string that is based 0n the original text. This is handy, as it is almost impossible to reverse the hash, so the password is safe. And when you need to check a password, you simply hash the inputted password too and compare.

What kind of hash functions are there? Basicly, the following two are the most used:

1. MD5
2. SHA(1)

MD5
MD5 stands for Message Digest 5, and has been developed by Ron Rivest in 1991 to replace MD4. How can you use it in php?

// Method one
$hash = md5("password");
// Method two
$hash = hash('MD5', "password");

This results in a 32-digits hexadecimal string, for example 5f4dcc3b5aa765d61d8327deb882cf99. This is always the same for the same string. This provides a great method for password saving, because the password can never (or, with extreme difficulty) be reverse-engineered. When you need to check a password, you simply hash that too, and compare the strings.

SHA1
SHA1 is another cryptographic hash function. According to Wikipedia:

The SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard. SHA stands for Secure Hash Algorithm.

SHA1 generates a hexadecimal string of 40 characters, instead of the 32 of MD5. SHA1 is considered more secure. Using this in php is not more difficult:

// Method one
$hash = sha1("password");
// Method two
$hash = hash('SHA1', "password");

This generates the has, for example 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8.

This is it for now. I’ll write an article about cracking hash ciphers in the furure, which is mainly brute-forcing. Bye-bye.

$connection = new mysqli('localhost','username','password');

Or, even worse:

mysql_connect('localhost','username','password');

This of course is hopelessly outdated, and with PHP version 6 on the way, will soon be removed from the standard installed libraries. But there is a better, more Object Oriented way to connect to your database, and that is PHP Data Objects.

What is PDO?
According to php.net:

The PHP Data Objects (PDO) extension defines a lightweight, consistent interface for accessing databases in PHP. Each database driver that implements the PDO interface can expose database-specific features as regular extension functions. Note that you cannot perform any database functions using the PDO extension by itself; you must use a database-specific PDO driver to access a database server.

PDO provides a data-access abstraction layer, which means that, regardless of which database you’re using, you use the same functions to issue queries and fetch data. PDO does not provide a database abstraction; it doesn’t rewrite SQL or emulate missing features. You should use a full-blown abstraction layer if you need that facility.

PDO ships with PHP 5.1, and is available as a PECL extension for PHP 5.0; PDO requires the new OO features in the core of PHP 5, and so will not run with earlier versions of PHP.

Connecting to your MySQL database
So, how does one use it? Below is an example for MySQL (other databases might require a slightly different approach):

$connectionString = "mysql:host=localhost;dbname=database";
$pdo = new PDO($connectionString, 'username', 'password');

Now you can use the $pdo variable to do things, e.g.:

Retrieve information from tables

$results = $pdo->query("SELECT * FROM table");
foreach($results as $result)
{
	echo $result['field'] . "<br />\r\n";
}

This is how you can read data from your database tables. Note that you don’t use the while loop and the fetch_num or fetch_assoc (or similar) in this case, but a foreach loop. You can access the field values as you would in an ordinary array.

Queries that don’t return anything: the wrong way to do it
For queries that don’t return anything, for example INSERT and UPDATE queries, PDO provides the exec method. This method returns the amount of rows affected (if any) by the query. Using it is simple:

$pdo->exec("INSERT INTO 'table' (id, value) VALUES ('1','this is the value')");

But this method is susceptible to SQL injections. Therefore, the PDO class gives us another method to insert or alter information in/from the database: prepared statements. A prepared statement is SQL injection safe and the right way to do things, especially if you need to insert or alter user submitted information. Here an example of how to use prepared statements:

$stmt = $pdo->prepare("INSERT INTO table (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
 
// insert a row
$name = 'one';
$value = 1;
$stmt->execute();

This is a safe way to insert or update data in your database. Of course you can use prepared statements with SELECT queries as well.

The Basics
This provides you with the basics to select, insert and update data from.to your MySQL database. Later I will expand on this subject, and dive into the more complex possibilities of PDO, as wel as how to access other databases than MySQL.

Related Links

• PDO on php.net
• SQL Injection on Wikipedia