Lecture 4 Wednesday, January 27, 2016
PHP through Apache
Last week, we talked about building command line scripts.
This week, we will transition to building scripts that will run through the web server, Apache, and that will be viewable in a browser.
Differences in Input
As mentioned last week, the biggest difference between the two interfaces for programming is how we receive input and provide output.
While both differ, providing output will (mostly) be different due to the fact that we need to wrap everything in HTML code to properly display it in a browser window.
For input, think about our command line applications and how we received input.
Differences in Input

    Command Line Input Method        Equivalent in Web Browser
    Command line arguments ($argv)   Query strings ($_GET)
    Standard input (STDIN)           Forms ($_POST)
Note about Forms with $_GET and $_POST
Note that we can send forms over $_GET instead of $_POST.
However, it is not ideal because all data in $_GET is sent through the URL:
  o Generally has a limit of about 2048 characters in a URL, limiting how much data can be sent over a form
  o Sensitive data (such as a password) would be captured in the URL, and thus appear in the user's browser history
$_GET and Query Strings
The syntax of a URL is:
    http://host.domain/file.php?querystring
The query string consists of data in the form variable=value.
Multiple pieces of data can be strung together with &.
$_GET and Query Strings
Suppose you had the URL:
    http://cs383.mathcs.wilkes.edu/myfile.php?newsid=18&theme=2
Our variables are newsid (18) and theme (2).
If we were to add print_r($_GET); the output would be:
    Array
    (
        [newsid] => 18
        [theme] => 2
    )
We can access these with $_GET["newsid"] and $_GET["theme"].
Register Globals
You may see a solution on the Internet to a problem that suggests you turn on register globals in the INI settings of PHP.
Register globals means that, if you had the URL http://cs383.mathcs.wilkes.edu/script.php?userid=10, then you could access the variable in the query string directly with $userid rather than $_GET["userid"].
DON'T TURN IT ON.
Register Globals
This creates a HUGE security risk.
Suppose your script had a variable $userid in it, which kept track of who was logged in.
Somebody could add ?userid=3 to the end of a URL, and if your script is not explicitly checking for somebody adding their own query strings, it could allow them to take over the account of whoever had the userid 3.
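The scenario above as an added example (not code from the lecture): register_globals was removed in PHP 5.4, so extract() is used here only to imitate what it did, and the unsafe pattern is shown beside the safe one. The request, the session contents and the list of expected parameters are all constructed for the example.

```php
<?php
// Added example, not code from the lecture. register_globals was removed
// in PHP 5.4; extract() is used here only to imitate what it did (every
// query-string key became a PHP variable before the script ran), so the
// hazard can be shown next to the safe pattern. All inputs are constructed.

// Constructed request, the lecture's scenario: script.php?userid=3
$get = ['userid' => '3'];
// Constructed server-side session: nobody has logged in, so the script
// itself never assigns a userid.
$session = [];

// Pattern that register_globals broke: $userid is only assigned when a
// login exists, and the script assumes an unset $userid means "anonymous".
function currentUserUnsafe(array $get, array $session): ?string
{
    extract($get);            // stands in for register_globals = On
    if (isset($session['userid'])) {
        $userid = $session['userid'];
    }
    // $userid was never initialised by this code, so whatever the request
    // named "userid" is now treated as the logged-in user.
    return isset($userid) ? (string)$userid : null;
}

// Safe pattern: initialise every variable yourself, take identity only from
// server-side state, and read request data only through $_GET/$_POST where
// you expect it (never copy the whole array into variables).
function currentUserSafe(array $get, array $session): ?string
{
    $userid = null;
    if (isset($session['userid'])) {
        $userid = (string)$session['userid'];
    }
    // The explicit check the lecture asks for: parameters this script does
    // not expect are logged rather than silently accepted (constructed list).
    $expected = ['newsid' => true, 'theme' => true];
    foreach (array_diff_key($get, $expected) as $name => $value) {
        error_log("unexpected query parameter '$name' ignored");
    }
    return $userid;
}

var_dump(currentUserUnsafe($get, $session));   // the request chose the user
var_dump(currentUserSafe($get, $session));     // nobody is logged in
```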
Validating Input
Because PHP is flexible in that explicit variable type declarations are neither necessary nor allowed, checking input is somewhat complicated.
Suppose we had the URL http://cs383.mathcs.wilkes.edu/script.php?x= (some value for x).
We want to make sure the value supplied for x in the query string is an integer.
How do we do this?
Validating Input
First, note that, even if this value came from a form or a link we put on the page, we cannot assume that the input is valid.
Why not?
Even if we use Javascript on a form to validate that the input is good, somebody can create their own form that submits to submit.php anyway, bypassing the Javascript validation.
Validating Input
First, we need to verify that a value for x was actually supplied in the query string.
We can do this with the function isset($var), which verifies that the variable provided was initialized somewhere.
Example:
    isset($_GET["x"])
Validating Input
Now, we need to verify that the value is an integer.
If you look in the PHP documentation, it looks like we have a few functions that can do this...
But we actually don't. These functions will not do what we really want them to.
Validating Input
One function you will find is is_int($var).
However, this checks whether the type, as it is stored, is an int, not whether the actual value is an int.
Note that the part of the URL we are extracting these variables from is called a query string, not a query integer: every value in it arrives as a string.
Examples:
  o is_int(4) => true
  o is_int("4") => false
Since the latter is how the variable would appear from a query string, this function will not work.
Validating Input
Next, you may come across the function intval($var).
This converts strings into integers.
However, it essentially takes a string and strips out everything that is not a numeric character.
Examples:
  o intval("4") => 4
  o intval("4.6") => 46
Since the latter would simply take a floating point and remove the decimal, completely changing our input, this function will not work.
Validating Input
We have the function is_numeric($var), which will tell us if something is a numeric value.
Examples:
  o is_numeric(4) => true
  o is_numeric("4") => true
  o is_numeric("4.6") => true
This gets us almost there, but it will still return true for floating points.
Validating Input
Workaround: cast the variable as an integer and compare it to the original; if they're equal, it must be an integer:
    is_numeric($var) && $var == (int)$var
So, putting this all together, to verify that a variable x is provided in a query string, and that it is an integer, our code would be:
    if(isset($_GET["x"]) && is_numeric($_GET["x"]) && $_GET["x"] == (int)$_GET["x"]) {
        // is an int
    } else {
        // is not an int
    }
Validating Input
Why does this work?
Unlike other languages, the following WILL evaluate to true:
    0.2 == "0.2"
Although the previous functions would have found a distinction between 0.2 and "0.2", PHP otherwise does not.
Validating Input
It may be tempting, to avoid typing $_GET["x"] so many times, to put in your code first:
    $x = $_GET["x"];
However, the code will no longer work.
You have now set $x
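The integer check built up over the preceding slides, as an added example (not code from the lecture): the isset/is_numeric/(int) test is wrapped in a function and run over constructed query-string values, with PHP's own filter_var(FILTER_VALIDATE_INT) beside it for comparison. It assumes PHP 7.1 or later; the inputs stand in for $_GET.

```php
<?php
// Added example, not code from the lecture. Wraps the lecture's
// isset/is_numeric/(int) check in a function, runs it over constructed
// query-string values (stand-ins for $_GET), and shows PHP's own
// filter_var(FILTER_VALIDATE_INT) beside it. Assumes PHP 7.1 or later.

// The lecture's check: present, numeric, and unchanged by an (int) cast.
function isIntegerParam(array $params, string $name): bool
{
    return isset($params[$name])
        && is_numeric($params[$name])
        && $params[$name] == (int)$params[$name];
}

// Stricter alternative: PHP's integer filter accepts only an optional sign
// followed by digits, so "4.0" and "1e3" are rejected. It returns the
// integer on success and false on failure, hence !== false (a valid "0"
// would otherwise be mistaken for failure).
function isStrictIntegerParam(array $params, string $name): bool
{
    return isset($params[$name])
        && filter_var($params[$name], FILTER_VALIDATE_INT) !== false;
}

// Constructed inputs. Everything from a query string arrives as a string.
$requests = [
    ['x' => '18'],    // plain integer: both checks accept it
    ['x' => '-5'],    // a sign is fine for both
    ['x' => '0'],     // the case that makes !== false necessary above
    ['x' => '4.6'],   // (int) truncates to 4, and "4.6" == 4 is false
    ['x' => '4.0'],   // "4.0" == 4 is true, so the lecture's check accepts it
    ['x' => '1e3'],   // numeric; on PHP 7.1+ (int)"1e3" is 1000, so == holds
    ['x' => 'abc'],   // is_numeric() stops it; intval() would silently give 0
    ['x' => ''],      // isset() is true for "", is_numeric() is false
    [],               // missing entirely: isset() is false
];

foreach ($requests as $get) {
    $shown = isset($get['x']) ? var_export($get['x'], true) : '(missing)';
    printf("%-10s lecture check: %-3s  FILTER_VALIDATE_INT: %s\n",
        $shown,
        isIntegerParam($get, 'x') ? 'yes' : 'no',
        isStrictIntegerParam($get, 'x') ? 'yes' : 'no');
}
```

The "4.0" and "1e3" rows are where the two checks disagree: the lecture's test asks only whether the value survives an (int) cast unchanged under PHP's loose comparison, while the filter asks whether the string is spelled as an integer.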
Newlines
If you ran the following code in a command line script called print.php:
    <?php
    print "Hello";
    print "World";
    ?>
The output would be:
    dilbert > php print.php
    HelloWorlddilbert >
Newlines
If you ran the following code in a command line script called print.php:
    <?php
    print "Hello\n";
    print "World\n";
    ?>
The output would be:
    dilbert > php print.php
    Hello
    World
    dilbert >
Newlines
If you ran the following code in a web script called print.php:
    <?php
    print "Hello";
    print "World";
    ?>
The output would be:
    HelloWorld
And the HTML source code would look like:
    HelloWorld
Newlines
If you ran the following code in a web script called print.php:
    <?php
    print "<p>Hello</p>";
    print "<p>World</p>";
    ?>
The output would be:
    Hello
    World
And the HTML source code would look like:
    <p>Hello</p><p>World</p>
Newlines
If you ran the following code in a web script called print.php:
    <?php
    print "Hello\n";
    print "World\n";
    ?>
The output would be:
    HelloWorld
And the HTML source code would look like:
    Hello
    World
Newlines
If you ran the following code in a web script called print.php:
    <?php
    print "<p>Hello</p>\n";
    print "<p>World</p>\n";
    ?>
The output would be:
    Hello
    World
And the HTML source code would look like:
    <p>Hello</p>
    <p>World</p>
Newlines
In command line scripts, \n is needed to add newlines, while <p></p> tags are needed in web scripts.
\n is still needed in web scripts to clean up the source code of our scripts and make it readable.
Otherwise, if something in one of our PHP scripts is not working properly for the design, it would be difficult to debug the HTML because it would all appear on one giant line.