Activity 1.1: Indexed Arrays in PHP

Transcription

1 Name: StudentID: Note: Please fill the online CES feedback for this course if you have not done so. We value your feedback and it helps us to improve the course. Note: All of you should be familiar with indexed and associative arrays (ie objects) from the javascript course content. If you aren't, make yourself known to teaching staff as soon as possible: there will be a very steep learning curve ahead in Activity 1 (multiple parts) if you are not up to speed! Activity 1.1: Indexed Arrays in PHP An array is a sequential list. The simplest is a numerically indexed array, indexed by integers starting at 0 : Compare the following Javascript and PHP code samples and explain what they do: Sample 1 <script> let numbers = [ 'zero', 'one', 'two', 'three', 'four' ]; document.write( numbers[2] ); /* OR */ alert( numbers[2] ); console.log( numbers ); // print out structure AND data </script> <?php $numbers = array( 'zero', 'one', 'two', 'three', 'four' ); // OR $numbers = [ 'zero', 'one', 'two', 'three', 'four' ]; // (PHP v5.4 onwards) echo $numbers[2]; /* OR */ print ($numbers[2]); print_r($numbers); // print out structure AND data /* OR */ $details = print_r($numbers, true ); // store structure AND data in a string echo $details; // print out structure AND data?>

2 Sample 2 <script> for (let i=0; i<numbers.length; i++) { document.write( numbers[i] + "<br>\n" ); </script> <?php for ($i=0; $i<count($numbers); $i++) { echo $numbers[$i]. "<br>\n";?> COSC2413/2426/ Web Programming Page 2 of 11

3 Activity 1.2: Associative Arrays in PHP As discussed in the last javascript tute and lab, associative arrays free us from having to use keys of sequential integers starting at 0. Compare the following Javascript and PHP code samples and explain how they work: Sample 1 <script> let letters = { zero: 'A', one: 'B', two: 'C', three: 'D', four: 'E' ; document.write( letters['two'] ); /* OR */ document.write( letters.two ); </script> <?php $letters = array( 'zero'=> 'A', 'one'=> 'B', 'two'=> 'C', 'three'=> 'D', 'four'=> 'E' ); echo $letters['two'];?> COSC2413/2426/ Web Programming Page 3 of 11

4 Sample 2 <script> for ( let key in letters ) { document.write( key + ': ' + letters [ key ] + "<br>" ); </script> <?php foreach ( $letters as $key => $letter ) { echo " $key : $letter <br>" ;?> COSC2413/2426/ Web Programming Page 4 of 11

5 Activity 1.3: Associative Arrays in PHP The real world is far more interesting than simple indexed lists can describe and it makes sense to use keys that have more meaning. Compare the $stupidpizza with the $smartpizza variable. What advantages do associative arrays offer? <?php // Indexed array $stupidpizza = [ 'large', // element 0 is large 'thin', // element 1 is thin 'capricciosa', // element 2 is capricciosa 15.5 // element 3 is 15.5 ]; // Associative array $smartpizza = [ 'size' => 'large', // ah... the size is large 'base' => 'thin', // ah... the base is thin 'type' => 'capricciosa', // ah... the type is capricciosa 'price' => 15.5 // ah... the price is $15.50 ];?> NB: You will find the terms keys and names interchangable when reading about key/value or name/value pairs. What is printed by the following PHP code samples? echo $mypizza[' size ']; echo $mypizza[' price ']; COSC2413/2426/ Web Programming Page 5 of 11

6 Activity 1.4: Example of a Real World Data Structure in PHP We can also put arrays inside arrays to create a data structure. This gives the data both shape and meaning: $mypizza = [ ' size ' => 'large', ' base ' => 'thin', ' type ' => 'capricciosa', ' extras ' => [ ' cheese ' => 'triple', ' anchovies ' => true, ' pineapple ' => true ], ' price ' => ]; /* Pizza data has both structure and meaning: mypizza object : size is large base is thin type is capricciosa list of extra toppings : cheese is triple add anchovies add pineapple price is $22.50 */ The "pizza" data in the associative array above looks more like a tree structure. This makes more sense than storing the data in a flat 1D data structure. COSC2413/2426/ Web Programming Page 6 of 11

7 What is printed by the following PHP code samples? echo $mypizza[' base ']; echo $mypizza[' extras '][' cheese ']; How can we check if the customer wants anchovies on their pizza? if ( $mypizza[' '][' '] == true ) { addanchovies(); Have another look at what is submitted from your cart page to the processing script. Is the POST data sent as an indexed array or as an associative array? (hint: look at the keys: are they numeric or useful strings?) COSC2413/2426/ Web Programming Page 7 of 11

8 Activity 2: Receiving & Processing $_GET and $_POST data Previously we looked at the form methods get (request data is visible in the url, much like a postcard) and post (request data is hidden inside the packets, much like a letter / envelope). In the lecture you were shown that data submitted by a form to the form-tester processing script can be accessed via the $_GET and $_POST variables. 1. How would you access something that has been submitted? eg from name="firstname", via post $firstname = $_POST[' ']; Unfortunately, a processing script cannot rely on a customer to submit reliable request data, even if the data has been validated using javascript. We should check, using internal / inbuilt php functions, to see if submitted data is set, empty, and in the format we expect (eg text, numeric etc) before assigning the value to variables. 2. How would you check to see if something has been submitted? eg from name="lastname"? if ( ($_POST[ ])) { $lastname = $_POST[ ];... COSC2413/2426/ Web Programming Page 8 of 11

9 3. How would you check to see if an isn t empty and is a valid address? eg from name=" "? if (! ($_POST[ ]) &&... ($_POST[ ], FILTER_VALIDATE_ ) { 4. How would you check to see if something is numeric? eg from name="age"? if ( ($_POST[ ]) ) { $age = $_POST[ ]; The more generalised checks should happen first. What is the best order to complete these checks? if ( && && ) { Is there anything else that could be done to clean up text input from users? COSC2413/2426/ Web Programming Page 9 of 11

10 Activity 3: Using Filters and Sanitizers Accepting user input, especially when storing input into a text file or database, is always a weak point of any computer system. Instead of writing ad-hoc regular expressions or convoluted string checking functions to check and sanitize (clean up) user input, a new function has been introduced to PHP to both check and help sanitize user input string. This function is also designed to evolve and operate at a "best practice" level with time. $ = $_POST[' ']; if (filter_var($ , FILTER_VALIDATE_ )) { echo "Valid "; else { echo "Did you mean to type '". filter_var($ , FILTER_SANITIZE_ )."'?"; // Will display: Did you mean to type 'alice.carroll@wonderland.com?' Each sanitize filter only removes, escapes or encodes particular characters according to its setting, so don't rely on it to fix up anything very broken. It is not an alternative to a human proof-reader or editor. It can also be used to check a range. Some might find the syntax cumbersome, but it can be used in place of a more complex if then else block: $age = $_POST['age']; $minage = 18; $maxage=150; if (filter_var($age, FILTER_VALIDATE_INT, array(" options " => array(" min_range "=>$minage, " max_range "=>$maxage))) === false) { echo("you are either too young, too old, or too "floaty" for this."); else { echo("welcome! Don't say you weren't warned..."); Honest users won't hack the form client side, but hackers will! Always double check data server side. COSC2413/2426/ Web Programming Page 10 of 11

11 Activity 4: Preventing Cross Site Scripting Attacks What can happen if a user enters javascript code into a blog's text field? eg <script>... /* some malicious code here */... </script> Here is an example from RMIT's previous LMS Blackboard: Cross Site Scripting Attack (XXS) How do the htmlspecialchars() and htmlentities() functions protect stored data from this security vulnerability? COSC2413/2426/ Web Programming Page 11 of 11