PHP Hypertext Preprocessor: Tools for Webpage Management
Michael Watson
ICTN 4040-001
4/17/2006
In today's use of the Internet, webpage design is an interest for both businesses and the home user. Managing the way information is viewed and obtained through a website has become an essential part of web culture. Many advantages have arisen out of the near-instant access the world now has to information. There are also many risks to that data. To make the transition to the ease of use we enjoy today, many different ideas and programs have been created to aid in the formation and modification of websites. Many web programmers have enjoyed using PHP for corporate sites and home pages. Like all things created for mass use, flaws have been identified and ways to extract information without authorization have been discovered. This paper will identify the need for coding of web page language, its ease of use and security, and show some of the pioneer companies and programs stemming from PHP. Through the explanation of the strengths and weaknesses, one can determine their need for using the code for their own benefit.

Personal Home Page tools, or PHP, originated out of the desire for tools to track the passage of information from a website to the users who accessed it. Rasmus Lerdorf pioneered the code for PHP out of a small set of Perl scripts for his personal use. As his language gained acceptance, others began to research and revise it to enable many more to enjoy its simplicity and technical advantages. PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly (What is PHP?, Achour, 2006).

While created for use in a home system, the project soon gained acceptance as a solid language for managing web page details. Contributed information from Wikipedia
has stated that Lerdorf implemented the code to display his résumé and to collect certain data, such as how much traffic his page was receiving (PHP, 2006). As with any of the convenient features enjoyed today on the Internet, someone used a simple need to create an easier way to enjoy the passage of information. And from this created language, more and more features were added.

To define what PHP has become known as today would be to tell the story of many coded programs and languages, edited and debugged many times over in order to achieve a higher level of user satisfaction. The creators and editors of the language made every effort to keep the code an open-source, fully scalable entity. They believe that the information they compiled should be used and enjoyed freely by anyone who wants to improve the performance of their website's activities. The official PHP website stated that the code is especially suited for Web development and can be embedded into HTML (Achour, 2006). By using special identifiers in the text, PHP will allow you to jump into and out of "PHP mode" (Achour, 2006). These tags allow the compiled code to work in a mode that takes advantage of the properties of both HTML and PHP. To be exact, the coded preprocessor resides in the HTML document itself.

Users of the code can be found across the Internet, varying from the basic home user interested in testing the code to large corporations that use its server-side distributions to handle the data of clients and employees. Having been upgraded to include more current technology, it is easy to see why a scripting language can grow in popularity at an exponential rate. A user's ability to obtain and edit the code is not only permitted, it is encouraged. This creates an endless amount of opportunity to create
solutions to problems that have been found with current technology, and the ability to edit the software for future dilemmas. PHP also supports the Open Database Connectivity (ODBC) standard for database interconnectivity.

PHP uses many of today's more common web applications to exchange data. APIA is a growing peer-to-peer network that allows the transmission of large data files over connections held by the PHP in the network layer. PHPBB is the open source bulletin board system that allows forums, an email-like messaging system, and an extensive list of options for you to control while using the forums on your system (PHPBB, 2006). By using the forum, users can post unlimited questions for response, exchange new ideas, and link to downloadable files through FTP. PHP also has the ability to reproduce images and file attachments, along with complex streamed videos and flash movie sequences.

With C as its native language, users who are familiar with the C language will find adaptation to PHP rather seamless. Anyone who has experience with a C-style language will soon understand PHP. In C-style languages we can also include JavaScript and Java. In fact, much of PHP's functionality is provided by wrappers around the underlying system calls (Pushman, 2000). A command line interface allows a more complex and intricate way to code the page, giving the editor the ability to observe any errors in a line-by-line output. A more common method for the less advanced user is the GUI that has been created and circulated for download and use. Many of the powerful commands that can be found in the CLI are available for the GUI user.

So why would one use PHP? An article in the Web Developer's Journal gives reasons including, but not limited to:
- Running on most of today's platforms seamlessly
- Extendible code that can be rewritten and compiled into the dynamic loading mechanism
- Running on several HTTP interfaces such as Apache, AOLserver, and Roxen
- A long list of database interoperability, including MS SQL, Oracle, Informix and others
- Speed. Due to a small footprint, the coding usually runs as a module and loads very quickly
- Open sourced code. The problems encountered by the system can be quickly countered with a change to the coding, which can be done by anyone with the expertise.
(Pushman, 2000)

In the further production and development of the PHP software kit, the Zend Corporation has become known as the leader in the industry for allowing distribution and acquisition of new products. Andi Gutmans and Zeev Suraski created PHP3, which is now the distribution currently offered by Zend. They have declared on their website that the company delivers the next generation products and services necessary for developing, deploying and managing enterprise-class PHP applications (2006). Zend has found a way to manage and deliver the multiple products and contributions to the toolkit in a very concise and accessible way. They offer several advancements such as the Zend core, a tested bundle of the PHP software that is supported by the professionals working at Zend. There is an optimizer which uses compression technology to run the files up to forty percent faster. Other improvements include the Studio product for editing, and the Zend Guard, which improves on security by finding known flaws in the
written code. Maybe the most important characteristic of the company is the offering of certification in the field of PHP. Zend offers courses, books and certifications, and is renowned as the leading corporation in the field of PHP web page management. Current products under development at Zend include the new version PHP4 and a debugging system for most current applications.

Security issues plague the Internet today. With the ever-expanding data coverage that has been enabled by broadband connections and easier-to-find ISPs, more and more people have information on the web. As with any version of software, someone who spends long enough can normally find a flaw and then exploit it to gain information. Who will be at risk from the flaws of PHP? With over 20 million pages being done in PHP, there are risks out there. Flaws range from mild identification failure to critical mistakes that allow some users to bypass the verification portions of the software and access files without receiving permission. Some of the cited incidents include a negative reference problem, and Stefan Esser discovered that the pack() and unpack() functions are subject to integer overflows that can lead to a heap buffer overflow and a heap information leak (Esser, 2004).

Some of the technical problems can be solved by installing a new version that addresses the lack of security. An article posted by Internet Security Systems states that PHP version 4.3.0 fails to properly restrict access to the CGI SAPI module. If a Web server has this module enabled, a remote attacker could access the CGI binary and use it to read any file readable by the owner of the Web server process, and possibly execute arbitrary PHP code on the Web server by injecting PHP code into a file readable by the CGI binary (ISS, 2003).
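The integer-overflow bug class cited above for pack() and unpack(), shown as an added illustration that is not part of the original paper and is not PHP's source code. The helper names (size_unchecked, size_checked, pack_repeat), the 4-byte element and the max_bytes limit are assumptions made for the example; it contrasts a size calculation that wraps with one that rejects the input before allocating.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical pack-style helper, NOT PHP's source code: it emits `count`
 * copies of a 4-byte value, so the buffer size is count * 4. */

/* Bug class: the size is computed in 32 bits and silently wraps. */
static uint32_t size_unchecked(uint32_t count, uint32_t elem_size) {
    return (uint32_t)(count * elem_size);      /* result is modulo 2^32 */
}

/* Fix: refuse any count whose product cannot be represented. */
static int size_checked(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;                             /* would overflow */
    *out = count * elem_size;
    return 0;
}

/* Hardened encoder: checked size plus an explicit upper bound (max_bytes). */
static unsigned char *pack_repeat(uint32_t value, size_t count,
                                  size_t max_bytes, size_t *out_len) {
    size_t need;
    if (size_checked(count, sizeof value, &need) != 0 || need > max_bytes)
        return NULL;
    unsigned char *buf = malloc(need ? need : 1);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < count; i++)
        memcpy(buf + i * sizeof value, &value, sizeof value);
    *out_len = need;
    return buf;
}

int main(void) {
    /* Constructed input: 0x40000001 elements of 4 bytes "need" only 4 bytes
     * after the wrap, so a copy loop over `count` would overrun the heap. */
    printf("unchecked size: %u\n", (unsigned)size_unchecked(0x40000001u, 4));
    size_t len = 0;
    unsigned char *ok = pack_repeat(0x41424344u, 3, 1024, &len);
    printf("3 elements -> %zu bytes\n", ok ? len : (size_t)0);
    free(ok);
    printf("huge count rejected: %s\n",
           pack_repeat(1, SIZE_MAX / 4 + 1, 1024, &len) ? "no" : "yes");
    return 0;
}
```

The same check applies to any length or repeat count taken from untrusted input before it reaches an allocator.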
With these and other breaches of security, some users have set out to become a tiger team of sorts and find any holes that make the system insecure. These teams are the ones who will add to the security of future versions. As with all software, PHP will be continually updated with beta test versions and fully operable final versions that will be released according to need.

The Personal Home Page tools were created to add ease to the production of web page functions. As PHP gained acceptance for its ease of use, scalability and open-source form, other teams and companies joined in the effort to improve the toolkit. By embedding the code into existing HTML, PHP can combine the best features of existing code and add benefits of its own. With growing companies like Zend leading the way in advertising and promoting the software, the popularity will only continue to grow in the future. With that growth, more and more users will expand on the ideas and contribute their ideas to the improvement of the toolkit.

As with any coded software, PHP Hypertext Preprocessor has holes in the security of its execution. Again, with the code being distributed as open source, many teams and experts are purposely exploiting the faults and then finding ways to counter them. These actions will lead to the development teams' ability to make better versions of the code. PHP has become popular within the last decade and continues to gain wide acceptance. Many companies will be seeking web designers who have been trained to use and understand the advantages and disadvantages available to them.
References and Works Cited:
1. Achour, Mehdi; Betz, Friedhelm et al. (2006) What is PHP? http://us3.php.net/manual/en/introduction.php#intro-whatis March 27, 2006
2. Wikipedia. PHP (2006). http://en.wikipedia.org/wiki/php April 15, 2006
3. PHP Creating Communities (2006). http://www.phpbb.com/ April 11, 2006
4. Pushman, Jalal (2000). Why PHP? http://www.webdevelopersjournal.com/articles/why_php.html April 12, 2006
5. Zend Inc. Driving PHP to the Enterprise. (2006) http://www.zend.com/company April 13, 2006
6. Esser, Stefan. PHP: Multiple Vulnerabilities. (2006) http://www.gentoo.org/security/en/glsa/glsa-200412-14.xml April 15, 2006 *
7. Internet Security Systems. PHP could allow access to the CGI SAPI. (2003) http://xforce.iss.net/xforce/xfdb/11343 April 13, 2006

* Asterisk refers to a reputable proceeding or article.