[OWASP_PHPSEC] use of require_once

Abbas Naderi abiusx at owasp.org
Tue Jul 30 20:16:17 UTC 2013


Hello,
I'm not forcing my opinion. Here are the reasons:

1. Your first link is 404
2. I asked for a deep namespace project WITHOUT FACADES. All of those that you have mentioned have a lot of facades just to provide access to all those layers of namespaces, conveniently.
3. PSR-0 is set by 20 frameworks, out of which 17 do not comply with it (I bet you didn't know that ;) )
4. It's not the question of autocomplete working, maybe you haven't read the convention page. It's the matter of finding stuff with autocomplete, e.g. when you are trying to do a SQL function which is safe, you probably look for phpsec\SQL() function, not phpsec\Database\Adapters\Default\SQL(), you see the point?
5. require_once performance:

- The time difference between require_once() vs. require() is so tiny, it's almost always insignificant in terms of performance.  The one exception is if you have a very large application that has hundreds of require*() calls.

From PHP official website comments (at conclusion of a benchmark code).

Also you can try your own benchmark. BUT EVEN IF IT WAS, we are a security library. Robustness outperforms performance.

6. We are introducing replacement functions for time, randomness, and a lot of other PHP functions under the phpsec namespace, so the USE keyword cannot actually be used.

Thanks
-A
______________________________________________________________
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body.  Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On Mordad 8, 1392, at 10:29 PM, Chris White <cwhite at remarinc.com> wrote:

> Abbas,
>  
> I think we have a fundamental disconnect on this and won’t budge, so I will keep this short.
>  
> Class loading without require_once: https://gist.github.com/jwage/221634
> Project that uses deep namespaces: https://github.com/symfony/symfony and pretty much every other major framework / project. (PSR-0 - https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-0.md - has more examples)
>  
> Does autocomplete work no matter the namespace depth? Yes
> Does require_once / include_once come with marginal performance degradation? Yes – a Google search away from a wealth of information.
>  
> \phpsec\Logging\{class} is hardly cumbersome and remedies any ambiguity.
> Don’t want to type it all the time? “use phpsec\Logging\{class}”
>  
> Thanks,
>  
> Chris White
> Network Administrator
> Remar, Inc.
> Work: 615-449-0231
> Cell: 615-948-1388
>  
> From: Abbas Naderi [mailto:abiusx at owasp.org] 
> Sent: Tuesday, July 30, 2013 12:25 PM
> To: Chris White
> Cc: owasp_php_security_project at lists.owasp.org
> Subject: Re: [OWASP_PHPSEC] use of require_once
>  
> Hello Chris,
> Namespaces are good, in PHP they are nasty and hard to work with (not like C#). They significantly reduce the rapid development process, and require introduction of facades. If you know a project big enough that uses namespaces, is successful and has no facades, let me know.
>  
> PHP developers (and not everybody coding in PHP, professional ones only) use PHP because it's rapid. They certainly can use Java, but they are more professional and intend to create more features in an hour than Java developers. The fact that there are many PHP newbies has nothing to do with this, only because PHP does not force a steep learning curve on you.
>  
> Without facades, one has to search the API index to find the features they need. With one namespace and proper tools inside it, one does not. Autocomplete will take care of it. 
>  
> Now as I understand, namespaces are for packages, i.e. each package has one namespace, that's why I don't understand why a simple PHP library or framework should have a couple dozen namespaces introduced, each having a couple classes, each having a few methods. This is against object oriented design (lots of talk about this from bobmartin and martinfowler).
>  
> As for the require and require_once, it's exactly like you said. Defining a class twice causes errors which are REALLY hard to fix by someone who does not know the library, so robustness speaks for itself here. We have the same concept even in C. 
>  
> It's actually very fast in terms of performance, as it keeps a hash list. As for memory consumption, each PHP file consumes much more memory than a record in a hash table for it. So performance-wise, it almost adds no overhead. You don't believe me? Profile a sample PHP code.
>  
> I actually like Java, but Java is for conservatives without creativity. It controls your hands and everything you get to do. C, Python and Ruby are exactly the other way around, but make it too messy. PHP is the proper amount of dung.
>  
> -Abbas
>  
> On Mordad 8, 1392, at 8:17 PM, Chris White <cwhite at remarinc.com> wrote:
> 
> 
> Abbas,
>  
> Namespaces are a feature of object oriented programming – not just Java (C++, .NET, Python, Ruby, etc). Its use lies in the ability to logically compartmentalize similar classes, which makes them more meaningful and tightly coupled to a developer. A shallow system can obfuscate related classes fairly quickly. I don’t like Java, either. That doesn’t mean that it doesn’t have any good concepts. In fact, I believe the developers using Java on average are much more skilled than the average PHP developer and better implement sound programming practices.
>  
> Don’t let your dislike for Java make you avoid good ideas. There is a reason so many object oriented languages take advantage of these features.
>  
> As for require vs require_once: your assumption that one is for classes and another for non-object oriented PHP files is a fallacy. Require_once is used in cases where there is potential to load a file twice. This is beneficial when loading a file twice can overwrite assigned variables, properties (static objects), or run a procedure multiple times in the case of a non-object oriented file. When loading a file twice is not harmful to code or there is no potential to load it twice, then require is the preferred method.
>  
> Thanks,
>  
> Chris White
> Network Administrator
> Remar, Inc.
> Work: 615-449-0231
> Cell: 615-948-1388
>  
> From: Abbas Naderi [mailto:abiusx at owasp.org] 
> Sent: Tuesday, July 30, 2013 10:26 AM
> To: Chris White
> Cc: owasp_php_security_project at lists.owasp.org
> Subject: Re: [OWASP_PHPSEC] use of require_once
>  
> We have had this discussion, going deeper is Java-like. Even one namespace is not a good thing, but we're dealing with facade functions, so that's not an issue for now.
>  
> require_once is needed for loading classes and definitions. require is used for running a PHP file, usually those that produce output, not define things. There is not much overhead. PHP is an interpreted language, and performance is not really an issue here.
> -A
>  
> On Mordad 8, 1392, at 3:55 PM, Chris White <cwhite at remarinc.com> wrote:
> 
> 
> 
> Finally! It is not as lonely in the PSR-x boat anymore. No need to recreate the wheel here, guys. Just utilize one of their sample loaders. You won’t even have to change namespaces or classnames. Although, I am in favor of going deeper than just \phpsec\. ;)
>  
> Chris White
> Network Administrator
> Remar, Inc.
> Work: 615-449-0231
> Cell: 615-948-1388
>  
> From: owasp_php_security_project-bounces at lists.owasp.org [mailto:owasp_php_security_project-bounces at lists.owasp.org] On Behalf Of Sven Rautenberg
> Sent: Tuesday, July 30, 2013 5:48 AM
> To: Minhaz A V; owasp_php_security_project at lists.owasp.org
> Subject: Re: [OWASP_PHPSEC] use of require_once
>  
> Yes. Just have a look at how "PSR-0" autoloading is done.
> 
> 
> 
> Minhaz A V <minhazav at gmail.com> wrote:
> will it be changed to require after autoloading is done?
>  
> 
> On Tue, Jul 30, 2013 at 3:30 PM, Minhaz A V <minhazav at gmail.com> wrote:
> Can I know how will autoloading be accomplished and what it exactly means?
>  
> 
> On Tue, Jul 30, 2013 at 3:26 PM, Sven Rautenberg <sven at rtbg.de> wrote:
> It's probably because of the current lack of autoloading, but I think this will be addressed.
> 
> 
> 
> Minhaz A V <minhazav at gmail.com> wrote:
> while going through the codes I found the use of require_once at many places
> why isn't require being used, when require_once has computational overheads, it consumes more memory and is slower
>  
> reference: http://stackoverflow.com/questions/186338/why-is-require-once-so-bad-to-use
>  
>  
>  
> 
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
> 
> Regards,
> 
> Sven
>  
>  
> 
> Kind regards
> 
> Sven Rautenberg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_php_security_project/attachments/20130731/e3df4091/attachment-0001.html>
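
The PSR-0 autoloading this thread refers to, as an added example that is not part of the original messages or the phpsec project's code: a loader restricted to the `phpsec\` namespace that validates the class name before mapping it to a file, and uses plain `require` because PHP invokes an autoloader only for classes that are not yet defined. The `libs` directory and the function name `phpsec_psr0_path` are assumptions for illustration.

```php
<?php
// Added example: PSR-0 style autoloader limited to one vendor namespace.
// The function name and the "libs" base directory are hypothetical.

function phpsec_psr0_path($class, $baseDir)
{
    $class = ltrim($class, '\\');

    // Only serve our own namespace; other registered loaders handle the rest.
    if (strpos($class, 'phpsec\\') !== 0) {
        return null;
    }

    // Accept only identifier segments separated by backslashes, so a class
    // name derived from untrusted input cannot carry "../", a null byte or a
    // stream wrapper prefix into the file path.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*\z/', $class)) {
        return null;
    }

    $path = '';
    $pos = strrpos($class, '\\');
    if ($pos !== false) {
        // Namespace separators become directory separators.
        $path = str_replace('\\', DIRECTORY_SEPARATOR, substr($class, 0, $pos))
              . DIRECTORY_SEPARATOR;
        $class = substr($class, $pos + 1);
    }

    // PSR-0: underscores in the class name (not the namespace) also map to
    // directory separators.
    $path .= str_replace('_', DIRECTORY_SEPARATOR, $class) . '.php';

    return rtrim($baseDir, '/\\') . DIRECTORY_SEPARATOR . $path;
}

spl_autoload_register(function ($class) {
    $file = phpsec_psr0_path($class, __DIR__ . '/libs');
    // is_file() avoids a fatal error on a miss and lets the next loader try.
    if ($file !== null && is_file($file)) {
        // The autoloader runs only when the class is undefined, so the file
        // is not pulled in a second time through this path.
        require $file;
    }
});
```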

