//Example from http://guzzlephp.org/
$client = new Client($url);
$request = $client->get('/user')->setAuth('user', 'pass');
$response = $request->send();

jQuery also operates in a similar manner, using the same principle. The technique is called method chaining, and is quite useful in cases where a class has many public methods that could be called upon with each others’ output.

If you wanted, the above example could conceivably be rewritten like this:

$client = new Client($url);
$path = $client->get('/user');
$request = $path->setAuth('user', 'pass');
$response = $request->send();

This works because of the way chainable methods are set up. The secret to making it work is that every method must return the entire object. What you’re doing when you chain Method A with Method B ($object->methodA()->methodB) is calling Method B from the object returned by Method A, which it returned from the object that called it to begin with.

Here’s an example class that permits chaining, since there’s no way that code could be more syntactically awkward than that sentence:

class MyClass {

	function __construct() {
		$this->thing = "a";
	}

	function addB() {
		$this->thing .= "b";
		return $this;
	}

	function addC() {
		$this->thing .= "c";
		return $this;
	}

	function __tostring() {
		return $this->thing;
	}

}

$obj = new MyClass();
echo $obj->addB()->addC(); //outputs "abc"
echo $obj->addB(); //outputs "ab"
echo $obj->addC(); //outputs "ac"
echo $obj; //outputs "a"

When you initialize the object, the constructor sets the thing property to be a. Each one of the methods returns $this, which of course is the entire object. So if you call addB(), it adds b to the string and then returns $this. So you can chain the addC() method, which is basically calling it on the $this that addB() returned.

I hope this helps you understand method chaining. It took me a little while to figure it out, and explaining it clearly is about as easy as reading this probably is.

It’s fairly easy to write such a function. The basic idea is to loop around four times—once for each segment—and have a nested loop that runs five times, picking a random character each time. Here’s what I came up with:

function generate_key_string() {

	$tokens = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
	$segment_chars = 5;
	$num_segments = 4;
	$key_string = '';

	for ($i = 0; $i < $num_segments; $i++) {

		$segment = '';

		for ($j = 0; $j < $segment_chars; $j++) {
    			$segment .= $tokens[rand(0, 35)];
		}

		$key_string .= $segment;

		if ($i < ($num_segments - 1)) {
    			$key_string .= '-';
		}

	}

	return $key_string;

}

The $tokens string contains the characters that are valid in the key, so the loop can pick from it. The $segment_chars and $num_segments variables are the number of characters in a segment and the number of segments in the key, respectively. $key_string is an empty string that the loop will add the characters into.

The first for loop runs four times, assuming the desired result is four segments in the key. The inner loop picks a character out of $tokens at random each time it goes around. (PHP strings are also arrays, with the each character having its own numerical offset.) The characters are tacked onto the $segment string.

Then the segment is joined with the $key_string, and a dash character is applied if the loop isn’t on the final segment yet. End result: something like H8OV7-HNTB5-JLLOH-W8FG2.

Now how can you make sure the key is unique when it’s generated?

do {
	$key_string = generate_key_string();
	$result = $db->query("SELECT license_key FROM my_license_key_table WHERE license_key = '$key_string'");
	//$db is a PDO object. If you're not familiar with PDO, check out http://www.webmaster-source.com/2011/08/05/getting-your-feet-wet-with-pdo-and-migrating-old-mysql-code/
} while ($result != false);

You generate a new key string with the function, check to see if it exists in your database, and lather/rinse/repeat until that is no longer the case. Usually you won’t have collisions too often, so it will only need to run once. I’m too lazy to figure out the probability, but considering there are 52,521,875 possible combinations for one 5-character segment…you’re probably not going to run into performance issues anytime soon. And if you do, just add another segment onto your key strings.

The process required to add the new uploader is a bit different, but not too much more difficult. I was able to adapt the old tutorial a little, so it shouldn’t be too hard to replace some code in an existing project and get the new uploader instead of the old.

For the sake of simplicity, let’s start with the same HTML snippet as in the old tutorial. This goes along with the rest of the HTML for your admin page, or wherever in the admin you’re trying to add an upload field.

<label for="upload_image">
	<input id="upload_image" type="text" size="36" name="ad_image" value="http://" /> 
	<input id="upload_image_button" class="button" type="button" value="Upload Image" />
	<br />Enter a URL or upload an image
</label>

Now we need to load up the necessary JavaScript files.

add_action('admin_enqueue_scripts', 'my_admin_scripts');

function my_admin_scripts() {
	if (isset($_GET['page']) && $_GET['page'] == 'my_plugin_page') {
		wp_enqueue_media();
		wp_register_script('my-admin-js', WP_PLUGIN_URL.'/my-plugin/my-admin.js', array('jquery'));
		wp_enqueue_script('my-admin-js');
	}
}

We bind the my_admin_scripts() function to the admin_enqueue_scripts hook, and enqueue both the media scripts and our own JavaScript file. Also, the scripts will only be loaded if the current page is equal to “my_plugin_page,” which you would of course replace with the slug your admin menu has.

Now for the complicated part: the script that hooks into the uploader. Continuing with the above example, it would be named my-admin.js.

jQuery(document).ready(function($){


	var custom_uploader;


	$('#upload_image_button').click(function(e) {

		e.preventDefault();

		//If the uploader object has already been created, reopen the dialog
		if (custom_uploader) {
			custom_uploader.open();
			return;
		}

		//Extend the wp.media object
		custom_uploader = wp.media.frames.file_frame = wp.media({
			title: 'Choose Image',
			button: {
				text: 'Choose Image'
			},
			multiple: false
		});

		//When a file is selected, grab the URL and set it as the text field's value
		custom_uploader.on('select', function() {
			attachment = custom_uploader.state().get('selection').first().toJSON();
			$('#upload_image').val(attachment.url);
		});

		//Open the uploader dialog
		custom_uploader.open();

	});


});

When the button is clicked, it creates a new instance of the wp.media object and configures it to only accept a single file, since the text field can only hold one file URL. Then it binds a function to the selection action, which gets the file attributes when an image is chosen and sets the #upload_image text field value to the file’s URL.

Providing everything went as expected, you should have a form field that will accept an arbitrary URL, or allow the user to upload one.

There’s a lot of outdated information on the Web that leads new PHP users astray, propagating bad practices and bad code. This must stop. PHP: The Right Way is an easy-to-read, quick reference for PHP best practices, accepted coding standards, and links to authoritative tutorials around the Web.

PHP: The Right Way is a useful guide to how to write PHP that won’t make other developers cringe in horror. It starts off with some tips on how to manage your development environment and then gets to the good part: what not to do. Advice is featured on matters such as database access, password hashing, and other security issues.

The site is an excellent central resource that gives a good overview of things that every beginning PHP developer should be aware of.

It makes it super easy to do something like this:

using phpColors\Color;
$color = new Color("#eeeeee");

if ( $color->isLight() ) {
	$gradient = $color->makeGradient();
	// array( "light" => "the_light_color_hex", "dark" => "the_dark_color_hex" )
}

phpColors [GitHub]

The PHP contributors want to help combat this problem—at least among companies using PHP, obviously the issue is by no means limited to PHP developers—with the new API. A couple of simple functions that even the most novice of developers can use will automatically take care of the hashing using bcrypt with a reasonable work factor.

The proposed syntax is something like this:

//hashing a new password
$hash = password_hash($password_entered);

//Checking a password
if (password_verify($password_entered, $hash_from_database)) {
    //password is valid if password_verify() returns true
}

For compatibility with versions of PHP prior to 5.5, you can even download a PHP implementation that will automatically be disabled in a PHP 5.5 environment.

The new Secure Password Hashing API in PHP 5.5 [GitHub]

Setup was a little bit of a hassle at first, due to some dependency issues with the development version I was trying to install. I would definitely recommend downloading the stable version from GitList.org. The installation instructions are simple enough, though the script seems to prefer having its own domain or subdomain. (GitList doesn’t use absolute URLs, and there is no documented configuration option to set a base directory other than the domain root.)

Once you get it up and running, it’s a convenient way to view commits. I’d probably be using it regularly if I wasn’t already hosting my private repositories on BitBucket.

If not, here’s a brief history lesson. In order to help newbies write functioning MySQL queries, they thought it would be a great idea to automatically escape input data with slashes, overwriting the $_POST, $_GET and $_REQUEST globals. So if someone submitted hello, I'm Steve through a form, it would be immediately converted to hello, I\'m Steve so the apostrophe wouldn’t cause issue if a naive user tried inserting it into a database.

But what if you weren’t going to dump the data into a MySQL database? Too bad, it’s now full of slashes and you have to use stripslashes() on the variable. Also, you could conceivably end up with something like hello, I\\\'m Steve if you try escaping the data yourself before inserting the data into a database. It was a massive headache, and the normal practice ended up being “check to see if magic quotes are enabled at the top of your script, and strip the slashes out if the feature is activated. Then handle database queries with prepared statements or by properly escaping the data.”

Fortunately, the PHP project eventually came to their senses and deprecated magic quotes, finally removing the feature entirely with the new PHP 5.4.

Now…back to WordPress.

I was investigating an issue with a plugin where extraneous slashes were appearing in strings processed by $wpdb->insert() when I found this gem in wp-includes/load.php:

/**
 * Add magic quotes to $_GET, $_POST, $_COOKIE, and $_SERVER.
 *
 * Also forces $_REQUEST to be $_GET + $_POST. If $_SERVER, $_COOKIE,
 * or $_ENV are needed, use those superglobals directly.
 *
 * @access private
 * @since 3.0.0
 */
function wp_magic_quotes() {
	// If already slashed, strip.
	if ( get_magic_quotes_gpc() ) {
	        $_GET    = stripslashes_deep( $_GET    );
	        $_POST   = stripslashes_deep( $_POST   );
	        $_COOKIE = stripslashes_deep( $_COOKIE );
	}

	// Escape with wpdb.
	$_GET    = add_magic_quotes( $_GET    );
	$_POST   = add_magic_quotes( $_POST   );
	$_COOKIE = add_magic_quotes( $_COOKIE );
	$_SERVER = add_magic_quotes( $_SERVER );

	// Force REQUEST to be GET + POST.
	$_REQUEST = array_merge( $_GET, $_POST );
}

It checks to see if the server has Magic Quotes enabled. But instead of stripping the slashes when the feature is active, which is the standard practice, it adds slashes when it’s disabled. If I were working at a desk when I saw that, I would have hit my head on it.

Purportedly, it’s for backwards-compatibility with older, poorly-coded themes and plugins. While I understand the predicament, it’s a backwards solution. It encourages poor development practices, and creates obstacles for those trying to do things properly.

I hope they end up phasing this out sometime, but for now, we’ll just have to make do with this solution:

$post = array_map('stripslashes_deep', $_POST);
$get = array_map('stripslashes_deep', $_GET);
$request = array_map('stripslashes_deep', $_REQUEST);

Let’s start with the basics of setting up the form, and handling the uploaded file. Then we can tackle some of the security issues.

For the upload to work, you must add enctype="multipart/form-data" to your form tag. This signals that the POST request will contain upload data as well as the form field values.

Among fields you’ll need are a hidden field named MAX_FILE_SIZE, which tells the client not to accept a file over a certain number of bytes (300000, or 300 kilobytes, in this example) as well as the file upload field itself.

<form method="post" enctype="multipart/form-data">
	<input type="hidden" name="MAX_FILE_SIZE" value="300000" />
	<input type="file" id="myupload" name="myupload" />
	<input type="submit" name="submit" value="Submit" />
</form>

This form is going to submit to itself (that is, the PHP file that outputs the form is also the script that processes the data) so it is unnecessary to specify an action value for the form.

The code that processes the upload is actually just a couple lines. The rest is error-checking.

if ($_POST['submit']) { //If the form was submitted, commence doing stuff

	if ($_FILES['myupload']['error'] != 0) {
		//The upload failed for some reason, so output a human-friendly error message for the corresponding error number.
		$errcode = array(
			"No errors",
			"File exceeded the PHP INI upload_max_filesize value.",
			"File exceeded the maximum allowed size.",
			"Partial upload.",
			"No file uploaded.",
			"UPLOAD_ERR_NO_TMP_DIR",
			"UPLOAD_ERR_CANT_WRITE",
			"UPLOAD_ERR_EXTENSION",
			"UPLOAD_ERR_EMPTY"
		);
		$error = $errcode[$_FILES['myupload']['error']];
		echo "Error: " . $error;
	}
	else {
		//No errors, so we can move the uploaded file to our uploads directory
		move_uploaded_file($_FILES['myupload']['tmp_name'], "./uploads/".$_FILES['myupload']['name']);
		unset($_FILES);
	}

}

The most important part here is the move_uploaded_file() function, which does what it says on the box. The first argument is the temporary path of the uploaded file (which $_FILES[‘myupload’][‘tmp_name’] contains) and the second is the destination. In the example, I set it to use the name of the uploaded file (you may want to rename it) and put it in ./uploads.

That should be enough for a basic file uploader, but it does absolutely nothing to check that the uploaded data is what you’re expecting. It could be exploited terribly easily.

To combat abuse, you should add some checks. A couple of good things to look for are:

• The MIME type. Inspect the uploaded file and make sure it’s an image file (or whatever kind of document you’re wanting).
• The existence of “.php” in the filename.

It’s also a good idea for you to set the permissions of your uploads folder to disallow execution of shell scripts.

Checking the MIME type of an image is surprisingly easy, since there’s a handy function built-in to retrieve that information from a valid image file.

$imgdata = getimagesize($_FILES['myupload']['tmp_name']);
if (!in_array($imgdata['mime'], array( 'image/gif', 'image/png', 'image/jpeg', 'image/pjpeg' ))) {
	//This isn't an image file. Better display an error and NOT move the image to its permanent spot. The temp file will be deleted automatically.
}

Preventing PHP files from being uploaded, fortunately, doesn’t require a scary Regular Expression. You can just use strpos() to check for the presence of a substring.

if (strpos(strtolower($_FILES['ad_img']['name']), '.php') !== false) {
	//Stop right there. Why does an image file have '.php' in it?
}

That’s enough to discourage your average script kiddie, though someone with real skill might be able to find a way to get around such checks. If anybody has something to add, I’d like to hear it.

The getimagesize() function returns an array containing the width and height and the content type.

//Basic usage
$info = getimagesize($filename);
$width = $info[0];
$height = $info[1];
$format = $info['mime'];

//Alternate one-liner suggested by the manual
list($width, $height, $type, $attr) = getimagesize($filename);

This function is really useful for handling image uploads, since you can’t necessarily trust the MIME type that $_FILES reports. The function actually inspects the file to ascertain the type, rather than relying on what the client reports. Also, you may want to make sure that the uploaded images match the dimensions you have in mind.

Here’s how I like to handle it:

$imgdata = getimagesize($_FILES['image_upload']['tmp_name']);

if ($imgdata[0] > 640 || $imgdata[1] > 480) {
	$errors[] = "Your image is too big!";
}

if (!in_array($imgdata['mime'], array( 'image/gif', 'image/png', 'image/jpeg', 'image/pjpeg' ))) {
	$errors[] = "Your file should be a PNG, JPG or GIF!";
}