Some things to watch out for when using PHP and Javascript when building websites

Similar documents
Web Programming TL 9. Tutorial. Exercise 1: String Manipulation

How To Upload Your Newsletter

A QUICK GUIDE TO PROGRAMMING FOR THE WEB. ssh (then type your UBIT password when prompted)

Chapter 7:- PHP. Compiled By:- Sanjay Patel Assistant Professor, SVBIT.

Webshop Plus! v Pablo Software Solutions DB Technosystems

Lecture 8. Conditionals & Control Flow

Lecture 3: Web Servers / PHP and Apache. CS 383 Web Development II Monday, January 29, 2018

HTML 5 Form Processing

Lab 4: Basic PHP Tutorial, Part 2

Zend Studio 3.0. Quick Start Guide

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

If you re the administrator on any network,

Table of Contents. 1. Introduction 1. 1 Overview Business Context Glossary...3

Using WS_FTP. Step 1 - Open WS_FTP LE and create a Session Profile.

Web Application Development (WAD) V th Sem BBAITM(Unit-1) By: Binit Patel

Architecture. Steven M. Bellovin October 31,

Controlled Assessment Task. Question 1 - Describe how this HTML code produces the form displayed in the browser.

User Scripting April 14, 2018

We aren t getting enough orders on our Web site, storms the CEO.

PHP. MIT 6.470, IAP 2010 Yafim Landa

Lecture 4. Wednesday, January 27, 2016

GDB Tutorial. A Walkthrough with Examples. CMSC Spring Last modified March 22, GDB Tutorial

ITEC447 Web Projects CHAPTER 9 FORMS 1

PHP INTERVIEW QUESTION-ANSWERS

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Developing Online Databases and Serving Biological Research Data

Web Servers and Security

Lesson 17 Transcript: Troubleshooting

Lecture 12. PHP. cp476 PHP

This Tutorial is for Word 2007 but 2003 instructions are included in [brackets] after of each step.

GET /index.php HTTP/1.1 Host: User- agent: Mozilla/4.0

Writing Perl Programs using Control Structures Worked Examples

Extend EBS Using Applications Express

Session 3: JavaScript - Structured Programming

L.A.M.P. Stack Part I

3 The Building Blocks: Data Types, Literals, and Variables

PHP and MySQL for Dynamic Web Sites. Intro Ed Crowley

PHP. Introduction. PHP stands for PHP: Hypertext Preprocessor PHP is a server-side scripting language, like ASP PHP scripts are executed on the server

Senior Technical Specialist, IBM. Charles Price (Primary) Advisory Software Engineer, IBM. Matthias Falkenberg DX Development Team Lead, IBM

Welcome to the Bash Workshop!

c122mar413.notebook March 06, 2013

Web Servers and Security

National College of Ireland BSc in Computing 2017/2018. Deividas Sevcenko X Multi-calendar.

WORKING IN TEAMS WITH CASECOMPLETE AND SUBVERSION. Contents

Lab 4: create a Facebook Messenger bot and connect it to the Watson Conversation service

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Exercise 1 Using Boolean variables, incorporating JavaScript code into your HTML webpage and using the document object

cis20.2-spring2010-sklar-lecii.4 1

Mobile Computing Professor Pushpedra Singh Indraprasth Institute of Information Technology Delhi Activity Logging Lecture 16

TABLE OF CONTENTS. Fish Data Submission FAQs and Trouble-shooting Guide January 2013

Client Side Scripting. The Bookshop

Café Soylent Green Chapter 12

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith

COMP519 Practical 5 JavaScript (1)

PHP for PL/SQL Developers. Lewis Cunningham JP Morgan Chase

But before understanding the Selenium WebDriver concept, we need to know about the Selenium first.

Embedding Google Docs in Blackboard Interactive Table of Contents

CTG Basic Troubleshooting

Agenda. 1. Brief History of PHP. 2. Getting started. 3. Examples

Architecture. Steven M. Bellovin October 27,

(Frequently Asked Questions)

CGI Programming. What is "CGI"?

Intro. Scheme Basics. scm> 5 5. scm>

Moodle Plugin for CopySafe Web -- Installation for Moodle 3.5 and later --

BUSINESS CARDS. WHEN ORDERING, REFERENCE BID # on your requisition. Example: Qty of Business Cards for John Runnels

Some Facts Web 2.0/Ajax Security

Stanko Tadić

Multimedia im Netz Online Multimedia Winter semester 2015/16. Tutorial 03 Minor Subject

SPMS Security Issues. JACoW Team Meeting 2011 SINAP. Ivan Andrian JACoW

Jackson State University Department of Computer Science CSC / Advanced Information Security Spring 2013 Lab Project # 3

Things to note: Each week Xampp will need to be installed. Xampp is Windows software, similar software is available for Mac, called Mamp.

Sucuri Webinar Q&A HOW TO IDENTIFY AND FIX A HACKED WORDPRESS WEBSITE. Ben Martin - Remediation Team Lead

Case study on PhoneGap / Apache Cordova

COMP284 Scripting Languages Lecture 11: PHP (Part 3) Handouts

Web Server Setup Guide

How to Create a NetBeans PHP Project

If you re serious about Cookie Stuffing, take a look at Cookie Stuffing Script.

Electronic Examinations e-exams Using Open Source Software

Welcome to the Bash Workshop!

Phpmyadmin Error In Processing Request Error Code 200

Microsoft Expression Web Basics of Creating a Web Site

Installing Dolphin on Your PC

What is PHP? [1] Figure 1 [1]

File Handling with PHP

cwhois Manual Copyright Vibralogix. All rights reserved.

ParaChat v9.12 Hosted Documentation - PDF

Creating a Website Using Weebly.com (June 26, 2017 Update)

Here are the steps in downloading the HTML code for signatures:

Table of contents. Pure ASP Upload 3 Manual DMXzone

TUTORIAL FOR IMPORTING OTTAWA FIRE HYDRANT PARKING VIOLATION DATA INTO MYSQL

Electric Paoge. Browser Scripting with imacros in Illuminate

Web Hosting. Important features to consider

H E R ALD LE AD E R P H OTO.COM

Xerte. Guide to making responsive webpages with Bootstrap

Hello everyone! Page 1. Your folder should look like this. To start with Run your XAMPP app and start your Apache and MySQL.

$this->dbtype = "mysql"; // Change this if you are not running a mysql database server. Note, the publishing solution has only been tested on MySQL.

Web Programming with PHP

Lecture 7: Dates/Times & Sessions. CS 383 Web Development II Wednesday, February 14, 2018

Quick Start Manual for Mechanical TA

Embedding SoftChalk In Blackboard. SoftChalk Create 9

Transcription:

Some things to watch out for when using PHP and Javascript when building websites Les Hatton 10 Sep 2003 1 PHP PHP is a C-like language which evolved from Perl scripts originally produced by Rasmus Lerdorf and intended to make the construction of Web sites with dynamic content in general and access to SQL databases in particular easier to accomplish. It accomplishes this task remarkably well. It has gone through three major revisions under the care of many other developers and represents today a formidably good example of just how effective Open Source development can be. There remain a few gotchas in practice which have got me at least once so I thought I would document them as a service to other users. 1.1 Linguistic problems 1.1.1 $$ in a variable name All PHP variables use $ to precede them. If you inadvertently put $$ in front of them, PHP says nothing and you do not access the object contents, (my guess is you access the object address). Its typographically hard to see and it fails silently. Beware - this has caught me at least three times. 1.1.2 General and local names If you use session management in PHP (and you should as it makes handling variables with a wider scope than a single web page much easier), watch out for the following. Arrays in PHP are indexed by naming the element, for example. Consider the following statement:- $hello = $HTTP_SESSION_VARS[ hello ]; On the face of it, this initialises a local variable called $hello from the contents of the array element called hello. However, PHP has an initialisation option, (they are usually set in /etc/php.ini or something similar). which will globalise these for convenience making $hello synonymous with the array element. In other words, if globalisation is on:- $hello = 0; 1

is actually synonymous with:- $HTTP_SESSION_VARS[ hello ] = 0; However, if globalisation is not on, it only initialises a local copy. The rub is that if you use PHP on your ISP, you have no control over this and in general don t know whether its on or off, so you may find yourself initialising variables you did not intend to. I have done this on several occasions. Always choose your local variables to have a different name from the array index. 1.1.3 Correct way of using session start() I didn t read the documentation but got no warning. The correct way of using session start() and session id() is as follows. If you want to start a session for the first time but need the session ID:- session_start(); $SESSID = session_id(); If you want to restart a session for which you already have the session id. session_id($sessid); session_start(); But don t do what I did:- session_start($sessid); (Yes, I know I didn t RTFM, but a warning would have been nice.) 1.2 File permissions If you use PHP to open, read, write and close files using its fopen(), functions, be very careful about permissions. On the server at your ISP, you don t have any control over the username adopted by PHP when it runs and creates files on behalf of your web-site visitors. Watch out for the following:- Put any directories into which your PHP scripts create and use files above your web-site directory, (normally public html and linked to www). If the server has been set up correctly, for example, Apache, it will stop anybody accessing these files directly although they will be able to access them through your scripts as you intend. Make these directories 777 access so everybody can get at them, (through your web scripts of course). The fact that they are 777 doesn t mean to say that people can access them directly - the server should prevent this as described above. Be careful not to inadvertently edit the files created and accessed through your PHP scripts directly when as webmaster you log onto your web-site. If you do, your PHP scripts will no longer be able to access them as the file permissions will have been changed to reflect your direct access as webmaster. 2

2 Javascript Javascript is a bit of an abomination in comparison with some wondrous bugs. For example, you can embed in front of your forms in html a nice little Javascript checking function, something like: Script to check for blanks. function isblank(s) Check string has no blanks. for( var i = 0; i < s.length; ++i ) var c = s.charat(i); if ( (c!= ) (c!= \n ) (c!= \t ) ) return false; return true; Verifying function. function verify_form(f) var msg; var errors = ""; Loop through each field in the form. for( var i = 0; i < f.length; ++i ) var e = f.elements[i]; Check fields. if ( (e.value == "") isblank(e.value) ) errors += "\n- The field " + e.description + " must not be null and" + " must not contain blanks, tabs or newlines."; if (errors) 3

msg = "There are errors in this filename specification:-\n\n" + errors; </script> else alert(msg); return false; return true; <FORM METHOD="POST" NAME=array_length onsubmit= "this.form_value.description = Array length ; this_form_value.numeric = true; this_form_value.min = 0.0; return verify_form(this);" ACTION="<?php echo "$GDFSPATH/gdfs_accessarray.php";?>"> <TABLE WIDTH=100%> The idea here is that Javascript checks for non-numeric values or values less than zero when the client fills submits the form. Unfortunately, it only checks the first character, so Javascript not only thinks that 6.0 is a numeric value, which is comforting, but it also thinks that 6.;rm * is also numeric, which is not. Sigh. Always make sure that you check all values on the server using PHP. Don t just rely on Javascript checking running in the client s browser. Its not very reliable unfortunately. 2.1 Debugging tip You can use error log() in PHP when testing your scripts on your own machine. However, when you upload them, you may not be able to use error log() and you may have debugging problems for some of the reasons above even if everything appears fine on your test machine. Its a bit roundabout, but you can use mail() in PHP to e-mail you variable values to help with a tricky problem. Just make sure you restrict access to your shop while you are doing this. One nice way of doing this is to use a variable which indicates whether the site is open and a test variable, say $TEST MODE which restricts access to your top-level page unless it is set to the correct value. If you pass this as a GET variable, i.e. embedded in the URL, then you can pass this test value to enter your site knowing that external users cannot reach it, (because they will normally access the site through a link which passes a non-test mode). In PHP something like the following works well:- 4

if ( ($SITE_STATE == "CLOSED") && ($TEST_MODE!= "TEST") ) /* * Skip to "Site is closed, sorry." page */ I will add to this document as my experience grows. So far apart from the usual logic errors, the above is all I have found and PHP is an attractive way of developing web-sites for dynamic content such as shops. 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback