PHP's Header function can come in quite handy when you're building your next great web application. It's powerful, but as a result, it's tempting to misuse it to do even the simplest things, like permanent redirects. Usually, it's done like this:
Hmm, why does this poll look so familiar? Oh yeah, the options to vote on are word for word the same as my post on Avoiding Frustration with PHP Sessions.
HT: phpdeveloper.org
PHP's support for sessions makes adding "state" to your web application super easy. But because the illusion of state is maintained by storing a Session ID via a user's cookies, you might find yourself losing potentially productive hours chasing down bizarre client-side bugs or opening up a potential security hole. Here are 4 tips to help you avoid wasting your time and secure your site.
Poking around, like you do on your server, I noticed that PHP session files weren't being deleted, even after a few days. Turns out, PHP's automatic garbage collection is disabled on Debian. Instead, it's replaced by a cron script that cleans out the /var/lib/php5 directory, which is where sessions are saved by default. If you're a security-conscious PHP developer, you give each PHP application its own session save path. If you do that on a Debian box, make sure you re-enable garbage collection by setting session.gc_divisor to a positive integer.
So, if you're a leet PHP coder, you must have installed Smarty since it gives you a three-tier web application and separates your display logic from your business logic. Right? Maybe not. Just using a template system doesn't guarantee any of this, so don't let yourself be deceived in this way.
As much fun as maintaining my own pseudo framework is, and hacking away on our own framework/CMS at work, I've decided it's time to try out CakePHP, one of the many PHP frameworks out there, to update a website I built three-plus years ago for my dad.
A good overview of the mod_security module for Apache can be found at pathfinder. Mod_security is a good application firewall that can help protect an Apache server from common application-level attacks (SQL injection, email header injection, cross-site scripting) by inspecting the payload of requests coming to the server. It's very useful in quickly putting up a security measure without having to inspect all the applications running on your server (which can be time consuming).
The Drupal site has a page on tuning server performance. While a few of the tips are specific to Drupal, the majority of them apply to anyone who's using a LAMP server.