Switch to the new GitHub style.

Because Dropbox can play in traffic.

Author: Phil Sturgeon

convert.php

@@ -1,16 +1,15 @@
 <?php
 
 $dirName = './web/_posts';
-// $outputDirName = '/Users/phil/Dropbox/phptherightway/manuscript';
-$outputDirName = './output';
+$outputDirName = './manuscript';
 
 $dir = new DirectoryIterator($dirName);
 
 $contentArray = [];
 
 foreach ($dir as $fileinfo) {
     if (!$fileinfo->getExtension() == 'md') {
-        continue;   
+        continue;
     }
 
     // Split the 00-00-00-Some-Content.md name into useful info
@@ -55,7 +54,7 @@
 // Now output all that info to new markdown files
 foreach ($contentArray as $chapterNum => $chapterContent) {
     file_put_contents("{$outputDirName}/converted/chapter{$chapterNum}.txt", $chapterContent);
-    
+
     $bookTxtContent .= "converted/chapter{$chapterNum}.txt\n";
 }
 

output/.gitkeep renamed to manuscript/.gitkeep

@@ -0,0 +1,17 @@
+converted/chapter1.txt
+converted/chapter2.txt
+converted/chapter3.txt
+converted/chapter4.txt
+converted/chapter5.txt
+converted/chapter6.txt
+converted/chapter7.txt
+converted/chapter8.txt
+converted/chapter9.txt
+converted/chapter10.txt
+converted/chapter11.txt
+converted/chapter12.txt
+converted/chapter13.txt
+converted/chapter14.txt
+converted/chapter15.txt
+converted/chapter16.txt
+converted/chapter17.txt

manuscript/Book.txt

@@ -0,0 +1,102 @@
+
+
+# Getting Started {#getting_started_title}
+
+
+
+## Use the Current Stable Version (5.6) {#use_the_current_stable_version_title}
+
+If you are getting started with PHP, start with the current stable release of [PHP 5.6][php-release]. PHP has added 
+powerful [new features](#language_highlights) over the last few years. Though the incremental version number difference 
+between 5.2 and 5.6 is small, it represents _major_ improvements. If you are looking for a function or its usage, the 
+documentation on the [php.net][php-docs] website will have the answer.
+
+[php-release]: http://php.net/downloads.php
+[php-docs]: http://php.net/manual/
+
+
+## Built-in web server {#builtin_web_server_title}
+
+With PHP 5.4 or newer, you can start learning PHP without installing and configuring a full-fledged web server.
+To start the server, run the following command from your terminal in your project's web root:
+
+
+{lang="console"}
+~~~~~~~~
+> php -S localhost:8000
+~~~~~~~~
+
+* [Learn about the built-in, command line web server][cli-server]
+
+
+[cli-server]: http://php.net/features.commandline.webserver
+
+
+## Mac Setup {#mac_setup_title}
+
+OS X comes prepackaged with PHP but it is normally a little behind the latest stable. Mountain Lion has 5.3.10,
+Mavericks has 5.4.17 and Yosemite has 5.5.9, but with PHP 5.6 out that is often not good enough.
+
+There are multiple ways to install PHP on OS X.
+
+### Install PHP via Homebrew
+
+[Homebrew] is a powerful package manager for OS X, which can help you install PHP and various extensions easily.
+[Homebrew PHP] is a repository that contains PHP-related "formulae" for Homebrew, and will let you install PHP.
+
+At this point, you can install `php53`, `php54`, `php55` or `php56` using the `brew install` command, and switch
+between them by modifying your `PATH` variable.
+
+### Install PHP via phpbrew
+
+[phpbrew] is a tool for installing and managing multiple PHP versions. This can be really useful if two different
+applications/projects require different versions of PHP, and you are not using virtual machines.
+
+### Compile from Source
+
+Another option that gives you control over the version of PHP you install, is to [compile it yourself][mac-compile].
+In that case be sure to have installed either [Xcode][xcode-gcc-substitution] or Apple's substitute
+["Command Line Tools for XCode"] downloadable from Apple's Mac Developer Center.
+
+### All-in-One Installers
+
+The solutions listed above mainly handle PHP itself, and do not supply things like Apache, Nginx or a SQL server.
+"All-in-one" solutions such as [MAMP][mamp-downloads] and [XAMPP][xampp] will install these other bits of software for
+you and tie them all together, but ease of setup comes with a trade-off of flexibility.
+
+
+[Homebrew]: http://brew.sh/
+[Homebrew PHP]: https://github.com/Homebrew/homebrew-php#installation
+[phpbrew]: https://github.com/phpbrew/phpbrew
+[mac-compile]: http://php.net/install.macosx.compile
+[xcode-gcc-substitution]: https://github.com/kennethreitz/osx-gcc-installer
+["Command Line Tools for XCode"]: https://developer.apple.com/downloads
+[mamp-downloads]: http://www.mamp.info/en/downloads/
+[xampp]: http://www.apachefriends.org/en/xampp.html
+
+
+## Windows Setup {#windows_setup_title}
+
+PHP is available in several ways for Windows. You can [download the binaries][php-downloads] and until recently you
+could use a '.msi' installer. The installer is no longer supported and stops at PHP 5.3.0.
+
+For learning and local development you can use the built in webserver with PHP 5.4+ so you don't need to worry about
+configuring it. If you would like an "all-in-one" which includes a full-blown webserver and MySQL too then tools such
+as the [Web Platform Installer][wpi], [Zend Server CE][zsce], [XAMPP][xampp], [EasyPHP][easyphp] and [WAMP][wamp] will
+help get a Windows development environment up and running fast. That said, these tools will be a little different from
+production so be careful of environment differences if you are working on Windows and deploying to Linux.
+
+If you need to run your production system on Windows then IIS7 will give you the most stable and best performance. You
+can use [phpmanager][phpmanager] (a GUI plugin for IIS7) to make configuring and managing PHP simple. IIS7 comes with
+FastCGI built in and ready to go, you just need to configure PHP as a handler. For support and additional resources
+there is a [dedicated area on iis.net][php-iis] for PHP.
+
+
+[php-downloads]: http://windows.php.net
+[wpi]: http://www.microsoft.com/web/downloads/platform.aspx
+[zsce]: http://www.zend.com/en/products/server-ce/
+[xampp]: http://www.apachefriends.org/en/xampp.html
+[easyphp]: http://www.easyphp.org/
+[wamp]: http://www.wampserver.com/en/
+[phpmanager]: http://phpmanager.codeplex.com/
+[php-iis]: http://php.iis.net/

manuscript/converted/.gitkeep

@@ -0,0 +1,211 @@
+
+
+# Security {#security_title}
+
+
+## Web Application Security {#web_application_security_title}
+
+There are bad people ready and willing to exploit your web application. It is important that you take necessary
+precautions to harden your web application's security. Luckily, the fine folks at
+[The Open Web Application Security Project][1] (OWASP) have compiled a comprehensive list of known security issues and
+methods to protect yourself against them. This is a must read for the security-conscious developer.
+
+* [Read the OWASP Security Guide][2]
+
+
+[1]: https://www.owasp.org/
+[2]: https://www.owasp.org/index.php/Guide_Table_of_Contents
+
+
+## Password Hashing {#password_hashing_title}
+
+Eventually everyone builds a PHP application that relies on user login. Usernames and passwords are stored in a
+database and later used to authenticate users upon login.
+
+It is important that you properly [_hash_][3] passwords before storing them. Password hashing is an irreversible, one
+way function performed against the user's password. This produces a fixed-length string that cannot be feasibly
+reversed. This means you can compare a hash against another to determine if they both came from the same source string,
+but you cannot determine the original string. If passwords are not hashed and your database is accessed by an
+unauthorized third-party, all user accounts are now compromised. Some users may (unfortunately) use the same password
+for other services. Therefore, it is important to take security seriously.
+
+**Hashing passwords with `password_hash`**
+
+In PHP 5.5 `password_hash()` was introduced. At this time it is using BCrypt, the strongest algorithm currently
+supported by PHP. It will be updated in the future to support more algorithms as needed though. The `password_compat`
+library was created to provide forward compatibility for PHP >= 5.3.7.
+
+Below we hash a string, and then check the hash against a new string. Because our two source strings are different
+('secret-password' vs. 'bad-password') this login will fail.
+
+
+{lang="php"}
+~~~~~~~~
+<?php
+require 'password.php';
+
+$passwordHash = password_hash('secret-password', PASSWORD_DEFAULT);
+
+if (password_verify('bad-password', $passwordHash)) {
+    // Correct Password
+} else {
+    // Wrong password
+}
+~~~~~~~~  
+
+
+* [Learn about `password_hash()`] [1]
+* [`password_compat` for PHP >= 5.3.7 && < 5.5] [2]
+* [Learn about hashing in regards to cryptography] [3]
+* [PHP `password_hash()` RFC] [4]
+
+
+[1]: http://php.net/function.password-hash
+[2]: https://github.com/ircmaxell/password_compat
+[3]: http://en.wikipedia.org/wiki/Cryptographic_hash_function
+[4]: https://wiki.php.net/rfc/password_hash
+
+
+## Data Filtering {#data_filtering_title}
+
+Never ever (ever) trust foreign input introduced to your PHP code. Always sanitize and validate foreign input before
+using it in code. The `filter_var()` and `filter_input()` functions can sanitize text and validate text formats (e.g.
+email addresses).
+
+Foreign input can be anything: `$_GET` and `$_POST` form input data, some values in the `$_SERVER` superglobal, and the
+HTTP request body via `fopen('php://input', 'r')`. Remember, foreign input is not limited to form data submitted by the
+user. Uploaded and downloaded files, session values, cookie data, and data from third-party web services are foreign
+input, too.
+
+While foreign data can be stored, combined, and accessed later, it is still foreign input. Every time you process,
+output, concatenate, or include data in your code, ask yourself if the data is filtered properly and can it be trusted.
+
+Data may be _filtered_ differently based on its purpose. For example, when unfiltered foreign input is passed into HTML
+page output, it can execute HTML and JavaScript on your site! This is known as Cross-Site Scripting (XSS) and can be a
+very dangerous attack. One way to avoid XSS is to sanitize all user-generated data before outputting it to your page by
+removing HTML tags with the `strip_tags()` function or escaping characters with special meaning into their respective
+HTML entities with the `htmlentities()` or `htmlspecialchars()` functions.
+
+Another example is passing options to be executed on the command line. This can be extremely dangerous (and is usually
+a bad idea), but you can use the built-in `escapeshellarg()` function to sanitize the executed command's arguments.
+
+One last example is accepting foreign input to determine a file to load from the filesystem. This can be exploited by
+changing the filename to a file path. You need to remove `"/"`, `"../"`, [null bytes][6], or other characters from the
+file path so it can't load hidden, non-public, or sensitive files.
+
+* [Learn about data filtering][1]
+* [Learn about `filter_var`][4]
+* [Learn about `filter_input`][5]
+* [Learn about handling null bytes][6]
+
+### Sanitization
+
+Sanitization removes (or escapes) illegal or unsafe characters from foreign input.
+
+For example, you should sanitize foreign input before including the input in HTML or inserting it into a raw SQL query.
+When you use bound parameters with [PDO](#databases), it will sanitize the input for you.
+
+Sometimes it is required to allow some safe HTML tags in the input when including it in the HTML page. This is very
+hard to do and many avoid it by using other more restricted formatting like Markdown or BBCode, although whitelisting
+libraries like [HTML Purifier][html-purifier] exists for this reason.
+
+[See Sanitization Filters][2]
+
+### Validation
+
+Validation ensures that foreign input is what you expect. For example, you may want to validate an email address, a
+phone number, or age when processing a registration submission.
+
+[See Validation Filters][3]
+
+
+[1]: http://php.net/book.filter
+[2]: http://php.net/filter.filters.sanitize
+[3]: http://php.net/filter.filters.validate
+[4]: http://php.net/function.filter-var
+[5]: http://php.net/function.filter-input
+[6]: http://php.net/security.filesystem.nullbytes
+[html-purifier]: http://htmlpurifier.org/
+
+
+## Configuration Files {#configuration_files_title}
+
+When creating configuration files for your applications, best practices recommend that one of the following methods be
+followed:
+
+- It is recommended that you store your configuration information where it cannot be accessed directly and pulled in
+via the file system.
+- If you must store your configuration files in the document root, name the files with a `.php` extension. This ensures
+that, even if the script is accessed directly, it will not be output as plain text.
+- Information in configuration files should be protected accordingly, either through encryption or group/user file
+system permissions
+
+## Register Globals {#register_globals_title}
+
+**NOTE:** As of PHP 5.4.0 the `register_globals` setting has been removed and can no longer be used. This is only
+included as a warning for anyone in the process of upgrading a legacy application.
+
+When enabled, the `register_globals` configuration setting that makes several types of variables (including ones from
+`$_POST`, `$_GET` and `$_REQUEST`) available in the global scope of your application. This can easily lead to security
+issues as your application cannot effectively tell where the data is coming from.
+
+For example: `$_GET['foo']` would be available via `$foo`, which can override variables that have not been declared.
+If you are using PHP < 5.4.0 __make sure__ that `register_globals` is __off__.
+
+* [Register_globals in the PHP manual](http://php.net/security.globals)
+
+
+## Error Reporting {#error_reporting_title}
+
+Error logging can be useful in finding the problem spots in your application, but it can also expose information about
+the structure of your application to the outside world. To effectively protect your application from issues that could
+be caused by the output of these messages, you need to configure your server differently in development versus
+production (live).
+
+### Development
+
+To show every possible error during <strong>development</strong>, configure the following settings in your `php.ini`:
+
+
+{lang="ini"}
+~~~~~~~~
+display_errors = On
+display_startup_errors = On
+error_reporting = -1
+log_errors = On
+~~~~~~~~
+
+> Passing in the value `-1` will show every possible error, even when new levels and constants are added in future PHP
+> versions. The `E_ALL` constant also behaves this way as of PHP 5.4. -
+> [php.net](http://php.net/function.error-reporting)
+
+The `E_STRICT` error level constant was introduced in 5.3.0 and is not part of `E_ALL`, however it became part of
+`E_ALL` in 5.4.0. What does this mean? In terms of reporting every possible error in version 5.3 it means you must
+use either `-1` or `E_ALL | E_STRICT`.
+
+**Reporting every possible error by PHP version**
+
+* &lt; 5.3 `-1` or `E_ALL`
+* &nbsp; 5.3 `-1` or `E_ALL | E_STRICT`
+* &gt; 5.3 `-1` or `E_ALL`
+
+### Production
+
+To hide errors on your <strong>production</strong> environment, configure your `php.ini` as:
+
+
+{lang="ini"}
+~~~~~~~~
+display_errors = Off
+display_startup_errors = Off
+error_reporting = E_ALL
+log_errors = On
+~~~~~~~~
+
+With these settings in production, errors will still be logged to the error logs for the web server, but will not be
+shown to the user. For more information on these settings, see the PHP manual:
+
+* [error_reporting](http://php.net/errorfunc.configuration#ini.error-reporting)
+* [display_errors](http://php.net/errorfunc.configuration#ini.display-errors)
+* [display_startup_errors](http://php.net/errorfunc.configuration#ini.display-startup-errors)
+* [log_errors](http://php.net/errorfunc.configuration#ini.log-errors)