Seriously though, I hope this book will help me tweak my current team practices. Guess I'll find out after it arrives.

From my point of view, the discussion centered around what is the best 'default' visibility to use for methods. Another thing touched upon is the Open/Closed principle, which I think I subscribe to or may subscribe to(this depends on my ability to determine what half of the words in the entry mean).

Out of the whole discussion, here is the points I got (aka understood) out of it. Please correct me in the comments if I'm off base in any way.

Methods should only be public when necessary. This is to help reduce the amount of side-effects that can occur because of method overrides.

K, I can accept that and in thinking about my past code, I use to use protected more than private. I used public very sparingly.
Now I find, since I started unit testing, that I have a large amount of public functions than I've had in the past. That is because I can't figure out how to test private methods. One way that I can think of is to create public methods that allow you to test the private ones. Unfortunately, this makes me wonder why the method isn't public to begin with since it seems redundant and wasteful to have these public methods to access private methods.
Please note the key word methods, property accessors are a different story.
The best solution (I can think of) to testing private methods is Mock Objects. Unfortunately, even though I've started to use mocks/doubles more, I'm unsure if my implementation is correct. Until I'm confident in my understanding of mocks/doubles, I worry about having false positives in test results.

Another assertion that was made in the discussion was that private methods allow you to preserve the class' core functionality.
Unfortunately, no matter what the visibility of the method is, you're able to override it (and potentially mess with the core functionality you were trying to preserve).
Example:

class foo{
    private function foobar() {
        echo "foo\n";
        return "foo foo\n";
    }

    public function bar() {
        echo "w00t ";
        return $this->foobar();
    }
}

class bar extends foo{
    private function foobar() {
        return "bar\n";
    }

    public function baz() {
        echo $this->bar();
    }

    public function wut() {
        echo $this->foobar();
    }
}

$f=new bar();
$f->baz();
$f->wut();

By running the above code, you get:

w00t foo
foo foo
bar

If preservation of core functionality is your main concern, then you're better off using final.

So after all that rambling, you're probably wondering what I'm trying to get to. It still comes down to visibility's effect on inheritance. The way I see it, unless you declare the method as final, you can't lock down the parent functionality because private methods can still be overridden. Trying to figure out what level of visibility for a method is a situational call. There is no correct 'default' visibility. Sure private is safer because of least privilege but it makes testing a bear (or at least a bear at my current skill level in testing). Public potentially opens you up for abuse or misuse.

What I would still like to know is, how do you do class method visibility? How does that affect your testing methodology? Can someone give me an example (that isn't a singleton) where private is a better choice over protected? I like protected because it seems less limiting to me and my current coding style appreciates that degree of flexibility.

Short version: when creating your FK column, it helps to have the column definition of the FK match the column definition. In retrospec, this seems like a no-brainer but was the heart of my problem.

So, you want create a FK to an existing table. Lets start by creating our table.

CREATE TABLE IF NOT EXISTS Role(
Id INT(11) UNSIGNED NOT NULL AUTO_INCREMENT,
Name VARCHAR(255) NOT NULL UNIQUE,
Description TEXT DEFAULT NULL,
PRIMARY KEY(Id)
);

Pretend we pooped data into it and now it's a big pain in the ass to do a drop/create with how we want things.

First we add our column that will be the Foreign Key.

ALTER TABLE Role ADD COLUMN Parent int(11) UNSIGNED DEFAULT NULL;

Next we add an index. Why? because mysql says so and FKs rely on indexes

ALTER TABLE Role ADD INDEX Parent (Parent);

Now we add our constraint.

ALTER TABLE `Role` ADD CONSTRAINT `Parent` FOREIGN KEY(`Parent`) REFERENCES `Role`(`Id`) ON DELETE SET NULL ON UPDATE SET NULL;

For fun, do

ALTER TABLE Role ADD COLUMN Parent int(11) DEFAULT NULL;

for the first step. Everything will look awesome until you get to the the last step. You'll get a wonderful "Errno 150" error and spend a bunch of time googling various key words trying to figure out what went wrong. Well, at least I did.

exception 'Zend_Session_Exception' with message 'Session must be started before any output has been sent to the browser; output started...'

The problem was, of course, that the feedback from previous tests was already outputted to the screen. I could've solved this by playing with my test suite and just starting sessions at that level but that wouldn't have been the best solution. In fact, I'd qualify that solution under bandaids (solutions that mask a problem instead of fixing them). If you can't see why it is a bandaid, I'm happy to discuss it but for once, I"m going to try to stay on topic and not digress any further than I have.

So, here's the scenario:

• not enough time to refactor the class so that sessions are only called/created when necessary
• sessions are being called because we're testing some auth stuff which relies on session information, we might not be able to do DI (see above)
• we want to minimize contributing factors to test failure so session has to be called/destroyed for the tests that need it, all other tests should never have session existing

The solution? A little 'undocumented' static variable:

Zend_Session::$_unitTestEnabled = true;

Ok, undocumented is a bit misleading. You won't find out about it by looking at the Manual but will find it when you're digging through the API. So it is documented, just not well. I'm guessing because it is rare to encounter the exception. I'm not surprised that I encountered it since my projects always seem to have some degree of weirdness, which makes for an interesting learning curve thats compounded with Zend's curve.

public function setFoo($foo=null) {
	if (is_string($foo)||is_numeric($foo)) {
		$this->foo=$foo;
		return $this;
	}
	throw new Custom_Example_Exception("Please provide a proper string or numeric",Custom_Example_Exception::INVALID_TYPE);
}

public function setBar($bar=null) {
	if (is_string($bar)||is_numeric($bar)) {
		$this->bar=$bar;
		return $this;
	}
	throw new Custom_Example_Exception("Please provide a proper string or numeric",Custom_Example_Exception::INVALID_TYPE);
}

Notice a pattern there? Me too. If all my setters were like this, I could do

public function setProperty($property=null) {
	if (is_string($property)||is_numeric($property)) {
		$this->{$property}=$property;
		return $this;
	}
	throw new Custom_Example_Exception("Please provide a proper string or numeric",Custom_Example_Exception::INVALID_TYPE);
}

with appropriate traps in the __call() and maybe even __set() methods.

However, my situation is that not all the setters for my class follow this pattern so that solution means that I have to make __call() look for specific setters.

public function __call($method,$args) {
	$trapThese=array("Foo","Bar","Baz");
	preg_match('/set(*.?)/im',$method,$matches);
	if (!empty($matches)&&in_array($matches[1],$trapThese)) {
		if(is_string($args[0])||is_numeric($args[0])) {
		$propertyName=strtolower($matches[1]);
			$this->{$propertyName}=$args[0];
		}
		throw new Custom_Example_Exception("Please provide a proper string or numeric.\nException trapped in call to $method",Custom_Example_Exception::INVALID_TYPE);
	} else {
		$this->{$method}($args);
	}
}

And I'm pretty sure that this code snippet ($this->{$method}($args);) is the Wrong Way of Doing It. So I'll just have to settle for the redundant setFoo(),setBar,etc even though a part of me knows that there has to be a Better Way. Or maybe there is just No Way of Doing It Well.

I think it is probably only a matter of preference but in terms of testability, elegance, maintainability, whatever...what do you prefer, doing a magic __call() or making setFoo(),setBar(),setBaz,etc.

Take the following for example:

// assume taht $log is a valid instance of Zend_Log
$log->addEventItem('foo','bar');

It looks like it should work, right? It won't because the correct method call would be

$log->setEventItem('foo','bar');

As I explained in the introduction, the 'bad log priority' exception will be thrown for this sort of error. This error will occur because Zend_Log overloads the __call function so that you can do

$log->priorityName('message');
// instead of logging with the log method
$log->log('message',Zend_Log::PRIORITY_NAME);

So if you're like me and get this exception but only see a method where this error is being thrown, you now know why and hopefully be less confused and aggrevated.

I wish I could provide a solution to this issue but I see no way that Zend_Log can contextually tell if you're wanting to use the priorityName shortcut or not. This only leaves the option of removing the the priorityName shortcut entirely, which will break somebody's code. The shortcut is nice because of its flexibility but definitely a case where flexibility can increase complexity or rather, flexibility leading into complications that require complex understanding. I haven't had time to read all the arguments in the comments on the flexibility/complexity issue that Federico Cargnelutti brought up recently to have an overall opinion on the matter but in regards to Zend_Log, the flexibility should've been left out. I would've preferred that Zend kept it simple and just made log the only method of logging. Or maybe I'm an edge case that logs more information than the initial event items give me.

cavaet: i'm not an expert on anything and a n00b at a lot of things

liked the article, however I want to disagree that it isn't a csrf attack since "The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have authenticated" (according to wikipedia [oh no, i'm that guy. *sigh*]). @ramsey said it didn't affect him because he wasn't logged in on the website.

It seems to me that it used clickjack ui redressing to carry out the authentication exploit.

Want to know the funny thing? The only reason I logged into the website was to follow @shiflett.

Joining the wordle meme late in the game because I just got ff java plugin to work.

In the article, Stefan shows how strpos or stripos to locate a desired string or block of text.

The example he gives is as follows:

if ( stripos($sentence, 'string') ) {
   // yes it does
} else {
   // no it doesn't
}

The problem with this example is that it will yield a false positive. This is a common mistake made by a lot of people. If we examine the php manual entry further we see, "Returns the numeric position of the first occurrence of needle in the haystack string." The key word being numeric. This means if the string position is 0, then the expression ( stripos($sentence, 'string') ) will evaluate to false.

EDIT: Expanded explaination on why this can yield a false positive. If the string your searching for is at the beginning of the sentence, then the position returned is 0. When php reaches the statement if ( stripos($sentence, 'string') ) it interprets the return value (0) as false.

Here is a more expanded example:

$eval=(stripos('The quick brown fox jumped over the lazy dog','The'));

echo '($eval) : ';
echo ($eval) ? "pass\n" : "fail whale\n";
echo '($eval==0) : ';
echo ($eval==0) ? "pass\n" : "fail whale\n";
echo '($eval===false)';
echo ($eval===false) ? "pass\n" : "fail whale\n";
echo 'eval is '.$eval."\n";

/**
output is:

($eval) : fail whale
($eval==0) : pass
($eval===false)fail whale
eval is 0

*/

As you can see, if you want to properly search for a string using stripos or strpos, you must test for the boolean value of false ($eval===false). Alternately, you can use regex, if you're comfortable with it. I'm of the opinion that learning some basic regex doesn't ever hurt you.

I want to re-iterate that I wanted to leave this whole post as a comment but that doesn't seem possible right now since that email has yet to arrive and the article requires login for commenting.