Lecture 3: Web Servers / PHP and Apache CS 383 Web Development II Monday, January 29, 2018
Server Configuration

One of the most common configurations of servers meant for web development is called a LAMP server:
  o Linux
  o Apache
  o MySQL
  o PHP
Some servers explicitly have a LAMP option. Others do not, but have all of the components in their repositories.

Linux

We are familiar with Linux through the other courses and labs. The key to the Linux component is the file ownership/permissions that we've learned.

Apache

We'll come back to this in a second.

MySQL

MySQL runs as a process in the background that we connect to. We can either connect from the command line with the mysql command, or use libraries to connect from programming languages with our account logins.

PHP

PHP scripts are stored in regular files on a filesystem. Thus, any user on the system who wants to run a PHP script must be able to read that file on the system.
Back to Apache

Apache runs as a process on the server. All processes on a system must be run as somebody.
  o Run ps aux on dilbert: these are the processes running, with the user who is running each process listed in the first column.
We need somebody who can run the Apache web server, and also access our files.

Apache

By default, root is the only user who can access anybody's files. But this is a horrible idea: people connecting to webpages would theoretically be executing code as the admin of the system. Solution: we need to use another user, and set the permissions on the file so that this new user can access it.

Apache

If we run ps aux | grep apache on dilbert, we will see the running processes for the web server. On our system (Ubuntu), they are run by www-data, as configured automatically by aptitude, the package manager. Thus, we need to configure our scripts so that they can be read by www-data.

Apache

If you manually set up Apache on a server, the admin must create a new user (named whatever they want) and configure the server to run as that user. If you use repositories supplied by the Linux distribution (yum for Fedora), they generally choose the name in the configuration scripts that come through the repository. Also note that on some systems the web server is simply known as httpd, rather than apache.
File Permissions

File permissions are critical when making a web application available to a web server. File permissions are usually written as octals. Each octal digit can represent 8 different values, using the numbers 0 through 7.

File Permissions

There are three different digits in the octal form of a file permission:
  o The first digit is for the user that owns the file
  o The second digit is for the group that owns the file
  o The third digit is for all other users on the system

File Permissions

To assign permissions to one of these three, you add up the permissions:
  o 4 means read permission
  o 2 means write permission
  o 1 means execute permission
If we want the group owner of the file to have read and execute access, the value of that digit would be 5 (4 for read + 1 for execute).

File Permissions

Because these values are distinct powers of two (binary place values), two different combinations of permissions can never add up to the same value. We will see this again later in the course when we talk about configuration options for PHP.

File Permissions

To assign an octal file permission to a file, we use the chmod command (short for change mode):
  chmod octal filename
Example: suppose we had the file foo.php and wanted to assign the permissions 755:
  chmod 755 foo.php
If you have a directory with subdirectories and files, you can use the -R option to apply the permission to all of them recursively:
  chmod -R 755 foo/

File Permissions

So, suppose we want the owner of the file index.php to be able to read, write, and execute the file; the group owner of the file to be able to read and execute the file; and all other users to be able to execute the file only.
  o First digit: 4 (read) + 2 (write) + 1 (execute) = 7
  o Second digit: 4 (read) + 1 (execute) = 5
  o Third digit: 1 (execute) = 1
  o Octal permission: 751
  o Command: chmod 751 index.php

File Permissions

Thus, for our scripts to be able to be run as www-data, we need to set the permissions of our files to 644, and our directories to 755.
  o Group and other are set to 4, which is read
  o Owner is set to 6, which is read + write (obviously, we need to be able to add code to our file, so we must be able to write to it)
  o Directories need execute access as well, hence 755 rather than 644
But...

We've created another problem by solving this one. Now the www-data user can access our files, and so can every other user on our system.
  o This exposes your source code, passwords, etc.
  o This means that if you have a script that uploads or generates any files, those files are owned by the www-data user, not you, and thus you can't access them.

AssignUserID

AssignUserID allows you to run PHP as another user on a system. Thus, we will run our own apache processes as ourselves. This will allow us to set permissions on the scripts so that only we have access to them.

AssignUserID

Your web directories have been set up to use AssignUserID if accessed at an alternate URL called a virtual host:
  o http://mathcs.wilkes.edu/~username/ will run the files as www-data
  o http://username.mathcs.wilkes.edu/ will run the files as you
We will talk about the configuration of virtual hosts later this semester.

AssignUserID

To ensure everything is working as expected:
  o Make a directory inside your webdocs called cs383 (where all of your work this semester will be stored)
  o Give this directory the permission 700
  o Create a file inside your cs383 directory called hello.php that contains the patented Hello World program to ensure everything is working
  o Give this file the permission 600
  o Visit this at http://username.mathcs.wilkes.edu/hello.php to ensure that it does work
  o Visit http://mathcs.wilkes.edu/~username/hello.php to ensure that it does not work
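The following is an added PHP example, not code from the lecture. It carries the octal arithmetic from the File Permissions slides through in code (building a digit from 4/2/1, converting between ls-style "rwxr-x--x" strings and octal modes, and asking whether an "other" user such as www-data can read a given mode), and then repeats the cs383/hello.php checklist (directory 700, file 600) against a temporary directory rather than a real webdocs directory. The temporary path and the function names are assumptions made for the example.

```php
<?php
// Added example (not from the lecture): octal permission arithmetic from the
// slides, plus the 700/600 setup from the AssignUserID checklist, run against a
// temporary directory instead of a real webdocs directory.

// Build one octal digit from read/write/execute flags (4 + 2 + 1).
function permDigit(bool $read, bool $write, bool $execute): int
{
    return ($read ? 4 : 0) + ($write ? 2 : 0) + ($execute ? 1 : 0);
}

// Turn a symbolic "rwxr-x--x" string (as shown by ls -l) into its octal mode.
function symbolicToOctal(string $symbolic): int
{
    if (!preg_match('/^[r-][w-][x-][r-][w-][x-][r-][w-][x-]$/', $symbolic)) {
        throw new InvalidArgumentException("bad mode string: $symbolic");
    }
    $mode = 0;
    for ($i = 0; $i < 3; $i++) {
        $t = substr($symbolic, $i * 3, 3);
        $mode = ($mode << 3) | permDigit($t[0] === 'r', $t[1] === 'w', $t[2] === 'x');
    }
    return $mode;
}

// Inverse: 0751 -> "rwxr-x--x".
function octalToSymbolic(int $mode): string
{
    $out = '';
    foreach ([6, 3, 0] as $shift) {
        $d = ($mode >> $shift) & 7;
        $out .= ($d & 4 ? 'r' : '-') . ($d & 2 ? 'w' : '-') . ($d & 1 ? 'x' : '-');
    }
    return $out;
}

// Pick the digit that applies to a user (owner, group member, or everybody
// else) and test its read bit. www-data is an "other" user for your files.
function canRead(int $mode, bool $isOwner, bool $inGroup): bool
{
    $digit = $isOwner ? ($mode >> 6) & 7 : ($inGroup ? ($mode >> 3) & 7 : $mode & 7);
    return (bool)($digit & 4);
}

// Recreate the cs383/hello.php checklist under $base (a constructed temp dir).
function setupPrivateScriptDir(string $base): array
{
    $dir = $base . '/cs383';
    if (!is_dir($dir) && !mkdir($dir, 0700)) {
        throw new RuntimeException("cannot create $dir");
    }
    chmod($dir, 0700);                 // 700: only the owner may enter/list it
    $file = $dir . '/hello.php';
    file_put_contents($file, "<?php echo 'Hello World';\n");
    chmod($file, 0600);                // 600: only the owner may read/write it
    clearstatcache();
    return [
        'dir'  => fileperms($dir) & 0777,
        'file' => fileperms($file) & 0777,
    ];
}

printf("751 as symbolic: %s\n", octalToSymbolic(0751));
printf("rw-r--r-- as octal: %o\n", symbolicToOctal('rw-r--r--'));
foreach ([0644, 0600] as $mode) {
    printf("mode %o: can www-data (other) read it? %s\n",
        $mode, canRead($mode, false, false) ? 'yes' : 'no');
}

$tmp = sys_get_temp_dir() . '/permdemo_' . getmypid();
mkdir($tmp, 0700);
$perms = setupPrivateScriptDir($tmp);
printf("cs383 dir mode: %o, hello.php mode: %o\n", $perms['dir'], $perms['file']);

// Clean up the constructed directory.
unlink($tmp . '/cs383/hello.php');
rmdir($tmp . '/cs383');
rmdir($tmp);
```

Run it with php on the command line. The canRead() loop is the whole point of the "But..." slide in two lines: with 644 the www-data process can read the script, but so can every other account on the machine; with 600 only the owner can, which is why the script must then run as you (AssignUserID) rather than as www-data.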
Warning #1

If you put files in your webdocs directory and make them publicly readable so that www-data (and anybody else) can read them, this means anybody can log on to dilbert and read your source code. If somebody else in the class goes into your webdocs and copies your code because you made a file publicly readable, you will be considered equally responsible for cheating as they are and will face the same consequences. All files should be readable only by you and executed through AssignUserID.

phpinfo()

phpinfo() is a function that takes no arguments and does just what its name implies: it dumps out information about PHP. It can be used on the command line or in a web script. Information includes:
  o Version numbers
  o Modules installed
  o Configuration settings
  o Environment/server variables
Create a file called info.php that contains the following:
  <?php phpinfo(); ?>

PHP Configuration

The settings for PHP on a web server are stored in a file called php.ini. There is a separate file for each version of PHP, and for each way PHP is run:
  o /etc/php5/cli/php.ini for scripts run on the command line
  o /etc/php5/apache2/php.ini for scripts run through the web server
You can change the PHP configuration by:
  o Editing the php.ini file (if you have admin access)
  o Creating your own php.ini file and setting your virtual host to use it (if you have admin access)
  o Using the ini_set() function to override a setting from within a script
  o Putting settings in an .htaccess file
  o Using a function specific to a particular option to override its setting

Warning #2

If you Google issues you are having with code, it may direct you to change values that come from php.ini. DO NOT CHANGE ANY OF THESE VALUES IN YOUR ASSIGNMENTS UNLESS YOU ARE DIRECTED TO DO SO. Often, people post solutions without fully understanding the scope of their suggestions. Some PHP settings change crucial security settings and may open up holes that were previously closed. Example: register_globals (now removed from PHP).

Warning #2

Often, php.ini is configured for this class to ensure no shortcuts are taken. All assignments I give can be completed using the php.ini settings that are listed on dilbert. If one cannot, I will supply you with the necessary changes to the php.ini settings.
PHP through Apache

Last week, we talked about building command line scripts. This week, we will transition to building scripts that run through the web server, Apache, and are viewable in a browser.

Differences in Input

As mentioned last week, the biggest difference between the two interfaces for programming is how we receive input and provide output. Providing output will (mostly) differ because we need to wrap everything in HTML code to properly display it in a browser window. For input, think about our command line applications and how we received input.

Differences in Input

  Command Line Input Method          Equivalent in Web Browser
  Command line arguments ($argv)     Query strings ($_GET)
  Standard input (STDIN)             Forms ($_POST)

Note about Forms with $_GET and $_POST

Note that we can send forms over $_GET instead of $_POST. However, it is not ideal, because all data in $_GET is sent through the URL:
  o A URL generally has a limit of about 2048 characters, limiting how much data can be sent over a form
  o Sensitive data (such as a password) would be captured in the URL, and thus appear in the user's browser history
$_GET and Query Strings

The syntax of a URL is:
  http://host.domain/file.php?querystring
The query string consists of data in the form variable=value. Multiple pieces of data can be strung together with &.

$_GET and Query Strings

Suppose you had the URL:
  http://cs383.mathcs.wilkes.edu/myfile.php?newsid=18&theme=2
Our variables are newsid (18) and theme (2). If we were to add print_r($_GET); the output would be:
  Array
  (
      [newsid] => 18
      [theme] => 2
  )
We can access these with $_GET["newsid"] and $_GET["theme"].

Register Globals

You may see a solution on the Internet to a problem that suggests you turn on register_globals in the INI settings of PHP. Register globals means that if you had the URL http://cs383.mathcs.wilkes.edu/script.php?userid=10, then you could access the variable in the query string directly as $userid rather than $_GET["userid"]. DON'T TURN IT ON.

Register Globals

This creates a HUGE security risk. Suppose your script had a variable $userid in it, which kept track of who was logged in. Somebody could add ?userid=3 to the end of a URL, and if your script is not explicitly checking for somebody adding their own query strings, it could allow them to take over the account of whoever has userid 3.
Validating Input

Because PHP is flexible in that explicit variable type declarations are neither necessary nor allowed, checking input is somewhat complicated. Suppose we had the URL http://cs383.mathcs.wilkes.edu/script.php?x=(some value for x). We want to make sure the value supplied for x in the query string is an integer. How do we do this?

Validating Input

First, note that even if this value came from a form or a link we put on the page, we cannot assume that the input is valid. Why not? Even if we use JavaScript on a form to validate that the input is good, somebody can create their own form that submits to submit.php anyway, bypassing the JavaScript validation.

Validating Input

First, we need to verify that a value for x was actually supplied in the query string. We can do this with the function isset($var), which verifies that the variable provided was initialized somewhere. Example:
  isset($_GET["x"])

Validating Input

Now, we need to verify that the value is an integer. If you look in the PHP documentation, it looks like we have a few functions that can do this... but we actually don't. These functions will not do what we really want them to.

Validating Input

One function you will find is is_int($var). However, this checks whether the type, as it is stored, is an int, not whether the actual value is an int. Note that we don't call the part of the URL we are extracting these variables from a query integer; it is in fact a query string. Examples:
  o is_int(4) => true
  o is_int("4") => false
Since the latter is how the variable would appear from a query string, this function will not work.

Validating Input

Next, you may come across the function intval($var). This converts strings into integers. However, it essentially takes a string and strips out all non-numeric characters. Examples:
  o intval("4") => 4
  o intval("4.6") => 46
Since the latter simply takes a floating point number and removes the decimal point, completely changing our input, this function will not work.

Validating Input

We have the function is_numeric($var), which will tell us if something is a numeric value. Examples:
  o is_numeric(4) => true
  o is_numeric("4") => true
  o is_numeric("4.6") => true
This gets us almost there, but it will still return true for floating point values.

Validating Input

Workaround: cast the variable as an integer and compare it to the original; if they're equal, it must be an integer:
  is_numeric($var) && $var == (int)$var
So, putting this all together, to verify that a variable x is provided in the query string and is an integer, our code would be:
  if (isset($_GET["x"]) && is_numeric($_GET["x"]) && $_GET["x"] == (int)$_GET["x"]) {
      // is an int
  } else {
      // is not an int
  }

Validating Input: Why does this work?

Unlike in other languages, the following WILL evaluate to true in PHP:
  0.2 == "0.2"
Although the previous functions would have found a distinction between 0.2 and "0.2", PHP's == comparison otherwise does not.
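The following is an added PHP example, not code from the lecture. It ties the query-string slides to the validation slides: a constructed query string is parsed into a $_GET-shaped array with parse_str() (which is how PHP fills $_GET), the lecture's isset/is_numeric/cast-and-compare check is run over a set of constructed values, and, for comparison, the same values are passed through filter_var() with FILTER_VALIDATE_INT, a real PHP function that the slides do not use. The comparison matters because == is the loose comparison the last slide describes: "4.0" == 4 is true in PHP, so the lecture's check accepts "4.0" as an integer, whereas FILTER_VALIDATE_INT accepts only an optional sign followed by decimal digits. Function names and the sample values are assumptions made for the example.

```php
<?php
// Added example (not from the lecture): parse a query string the way PHP fills
// $_GET, then apply the lecture's integer check to a few constructed values.
// filter_var()/FILTER_VALIDATE_INT is included for comparison; the slides
// themselves do not use it.

// What PHP does with "?newsid=18&theme=2" to fill $_GET.
function queryToArray(string $query): array
{
    $params = [];
    parse_str($query, $params);
    return $params;
}

// The lecture's check: present, numeric, and unchanged by an int cast.
function isQueryInt(array $get, string $key): bool
{
    return isset($get[$key])
        && is_numeric($get[$key])
        && $get[$key] == (int)$get[$key];
}

// Stricter alternative: only an optional sign followed by decimal digits passes,
// and the validated value comes back as a real int (or null when rejected).
function queryIntOrNull(array $get, string $key): ?int
{
    if (!isset($get[$key]) || !is_string($get[$key])) {
        return null;
    }
    $value = filter_var($get[$key], FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

// Constructed query strings, one per case worth checking.
$samples = [
    'x=18',     // plain integer
    'x=4.6',    // float: the (int) cast changes it, so == fails
    'x=4.0',    // float spelled with .0: loose == treats it as equal to 4
    'x=1e3',    // exponent notation: is_numeric() accepts it
    'x=abc',    // not numeric
    'x=',       // present but empty (isset() is true for an empty string)
    'y=18',     // x missing entirely
    'x[]=18',   // PHP turns x[] into an array, not a scalar
];

foreach ($samples as $query) {
    $get    = queryToArray($query);
    $strict = queryIntOrNull($get, 'x');
    printf("%-8s  lecture check: %-4s  filter_var: %s\n",
        $query,
        isQueryInt($get, 'x') ? 'int' : 'no',
        $strict === null ? 'null' : (string)$strict);
}

// The comparison the last slide points out: == compares numerically when one
// side is a numeric string, which is why 0.2 == "0.2" holds in PHP.
var_dump(0.2 == "0.2");
```

Run it with php on the command line and compare the two columns. The rows that differ are the ones where loose == quietly widens what "is an integer" means; when the value is going to be used as a database key or an array index, the filter_var() form gives you an actual int to work with and rejects everything else.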