Well I’m tired of reinventing the wheel. Since it’s fifth installment, PHP provides an API easing access to all types of databases called PDO functions. All the features you need are in there, coded in C by NASA engineers and is likely better than anything I could come up with.

You really should read up on the PDO if you currently maintain a custom database access object — or none at all. Also, as the documentation points out, this is not a full-blown database abstraction layer (to run MySQL, Oracle or others transparently) it’s a data-access abstraction layer (so make sure your queries are properly formed for the database you want to use).

Learning what not to do

On TMT, I used to handle sessions manually by storing the encrypted value of the user’s id in a cookie. That’s is highly unrecommended for security reasons as its fairly easy to hack your way around using an id that isn’t yours (and which might be the administrator’s!).

I experimented by storing so-called ‘unique’ values I generated and stored in MySQL to have better validation when decrypting the cookie, but since you can spoof most $_SERVER values (which provides the user’s IP), it really wasn’t good enough.

Hardcore PHP-ing

You can override the whole session object using PHP’s session_set_save_handler() function. Basically, you re-program what the object does when it reads and writes session values or when it destroys itself.

Instead of writing the session values to a file on the server like the default behavior is set to do, you can redirect the data handling to an insert or update query in your favorite database.

Advantages

The most obvious advantage is that you can keep the sessions alive as long as your server is live, more or less. You can also change the condition of how session expiration are done. For instance, through a simple MySQL query, TMT sessions can be kept for one week before being destroyed if no activity is logged.

I’ve read it’s safer to store session values that way too, as a possible hacker would need the database’s password to access it. While I’m not sure how harder this method actually makes it for hackers in reality, I really feel safer to use PHP’s native object rather than a shaky class I would have written.

Fully using PHP’s native session object allows more flexibility as you are very close to Apache. You can therefore validate with confidence (not blind confidence though) that the user is indeed human and not a spam bot, save the user’s preferred language or do whatever else your website offers as possible features without fear. In my previous horrible system, it wasn’t even a possibility.

Examples

Apart from stalker at ruun dot de’s very good comment on PHP.net’s documentation page, I found Tony Marston’s version of the object. The latter is harder to grasp as he uses his own object-oriented system to get database data — that’s good practice, but a bit harder to learn from. You can also see TMT’s class in our SVN repository.

The important thing is just to understand what you’re trying to do rather than copy pasting each of our codes. TMT’s only started working once I grasped the concept.

What made it nebulous was that instead of having a message from PHP describing a known error like ” ‘)’ expected on line 64 “, I was triggering an Internal Server Error on Apache when loading the website and the parser was outputting unicode garbage when I tried to load the class directly from the browser (instead of nothing at all because I don’t print data right from the class).

I have to admit I could have been a bit keener on the issue just by looking a the garbage the file was making. It turns out that my code editor, TextWrangler, had changed the encoding type of the file from UTF-8 to the Macintosh charset when I inserted the © character straight in the document without using it’s HTML counterpart &copy.

The change of charset and/or the use of special characters in the source code stopped the PHP parser. I can’t explain why as I don’t have much access to the configuration files to my server’s PHP version nor do I know how PHP reads the .php files, but I think it was due to the use of multiple charsets in the same rendering call. For instance the main class was using the Mac charset while the subclasses it was importing used UTF-8 encoding.

The frustrating part is really how this whole deal was created out of laziness. Apple offers a wide selection of special characters by doing a [alt + most keys] combination. I thought I’d save some time by using their copyright sign instead of sticking with &copy.

At least, this episode forced me into cleaning the quote quite a lot by splitting my pages into modules which reflect the content’s architecture. The Tank should show a light performance boost now. Very light though, hehehe.