I primarily write JS for a living but because I freelance I often have to work with wordpress. After spending a few weeks digging into the internals I soon realized that every single wordpress project I've inherited–paid themes included–were horrendous and failed to utilize the most basic facilities provided by core.
In most of these projects a quick turnaround was more important than clean code (probably the cause of the aforementioned horrendous codebases), so I always just hacked away at the templates without every trying to gain a deep understanding of PHP, its recommended best practices, and security gotchas.
My question is, can you point me towards something like "PHP, the good parts"? I would like to know how to write well architected, performant, and secure PHP on the occasions I need to use it professionally. I know that PHP has a reputation as being dangerous by default, so knowing what not to do would be reassuring. So far all of the PHP books I've found have been fairly disappointing; covering all of the features without really detailing any best practices or opinions.
I don't use OO when I write PHP but it seems the real vulnerability there is the use of eval(). There is almost never a legitimate use for that function. I would definitely draw in to question the wisdom of OWASP deciding to classify this as a separate vulnerability. You should use the disable_functions directive in php.ini to hard-disable eval() (and other iffy functions) on production servers. One tutorial @ http://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpi...
This tutorial disables curl_exec. Good luck getting any popular API client to work, they all use cURL... or if you're lucky, a modern-enough version of Guzzle that can use socket connections, but LOL that's opening another can of worms...
HTTP parsing is notoriously difficult and I'd rather trust cURL (which is battle-tested in a load of environments) than a PHP userspace library.
${parameter:-word}
Use Default Values. If parameter is unset or null, the expansion of word is substituted. Otherwise, the value of parameter is substituted.
Curious - exactly what man page do you find that in? I've always seen that construction but given that it just uses random punctuation it's impossible to Google it. I don't even know what those are called!!