Lecture 3: Web Servers / PHP and Apache. CS 383 Web Development II Monday, January 29, 2018


Server Configuration
One of the most common configurations of servers meant for web development is called a LAMP server:
o Linux
o Apache
o MySQL
o PHP
Some servers explicitly have a LAMP option; others do not, but have all of the components in their repositories.

Linux
We are familiar with Linux through the other courses and labs. The key to the Linux component is the file ownership and permissions model we've learned.

Apache
We'll come back to this in a second.

MySQL
MySQL runs as a process in the background that we connect to. We can either connect from the command line with the mysql command, or use libraries to connect from programming languages with our account logins.

PHP
PHP scripts are stored in regular files on a filesystem. Thus, any user on the system who wants to run a PHP script must be able to read the file on the system.

Back to Apache
Apache runs as a process on the server. All processes on a system must be run as somebody.
o Run ps aux on dilbert: these are the processes running, with the user who is running each process listed in the first column.
We need somebody who can run the Apache web server and also access our files.

Apache
By default, root is the only user who can access anybody's files. But this is a horrible idea: people connecting to web pages would theoretically be executing code as the admin of the system.
Solution: use another user, and set the permissions on the file so that the new user can access it.

Apache
If we run ps aux | grep apache on dilbert, we will see the running processes for the web server. On our system (Ubuntu), they are run by www-data, as configured automatically by aptitude, the package manager. Thus, we need to configure our scripts to be readable by www-data.

Apache
If you manually set up Apache on a server, the admin must create a new user (named whatever they want) and configure the server to run as that user. If you use the repositories supplied by the Linux distribution (yum for Fedora), they generally choose the name in the configuration scripts that come through the repository. Also note that on some systems the web server is simply known as httpd, rather than apache.

File Permissions
File permissions are critical when making a web application available to a web server. File permissions are usually stored as octals. An octal digit can represent 8 different values, using the numbers 0 through 7.

File Permissions
There are three digits in the octal form of a file permission:
o The first digit is for the user that owns the file
o The second digit is for the group that owns the file
o The third digit is for all other users on the system

File Permissions
To assign permissions to one of these three, you add up the permissions:
o 4 means read permission
o 2 means write permission
o 1 means execute permission
If we want the group owner of the file to have read and execute access, the value of that digit would be 5 (4 for read + 1 for execute).

File Permissions
Because these are powers of two, two different combinations of permissions cannot add up to the same value. We will see this again later in the course when we talk about configuration options for PHP.

File Permissions
To assign an octal file permission to a file, we use the chmod command (short for change mode):
chmod octal filename
Example: suppose we had the file foo.php and wanted to assign the permissions 755:
chmod 755 foo.php
If you have a directory with subdirectories and files, you can use the -R option to apply the permission to all of them:
chmod -R 755 foo/

File Permissions
So, suppose we want the owner of the file index.php to be able to read, write, and execute the file; the group owner of the file to be able to read and execute the file; and all other users to be able to execute the file:
o First digit: 4 (read) + 2 (write) + 1 (execute) = 7
o Second digit: 4 (read) + 1 (execute) = 5
o Third digit: 1 (execute) = 1
o Octal permission: 751
o Command: chmod 751 index.php

File Permissions
Thus, for our scripts to be able to be run as www-data, we need to set the permissions of our files to 644 and our directories to 755:
o group and other are set to 4, which is read
o owner is set to 6, which is read + write (obviously, we need to be able to add code to our file, so we must be able to write to it)
o Directories need execute access

But...
We've created another problem by solving this one. Now the www-data user can access our files, and so can every other user on our system:
o This exposes your source code, passwords, etc.
o This means that if you have a script that uploads or generates any files, those files are owned by the www-data user, not you, and thus you can't access them.

AssignUserID
AssignUserID allows you to run PHP as another user on a system. Thus, we will run our own Apache processes as ourselves. This will allow us to set permissions on the scripts so that only we have access to them.

AssignUserID
Your web directories have been set up to use AssignUserID if accessed at an alternate URL called a virtual host:
o http://mathcs.wilkes.edu/~username/ will run the files as www-data
o http://username.mathcs.wilkes.edu/ will run the files as you
We will talk about the configuration of virtual hosts later this semester.

AssignUserID
To ensure everything is working as expected:
o Make a directory inside your webdocs called cs383 (where all of your work this semester will be stored)
o Give this directory the permission 700
o Create a file inside your cs383 directory called hello.php that contains the patented Hello World program to ensure everything is working
o Give this file the permission 600
o Visit http://username.mathcs.wilkes.edu/hello.php to ensure that it does work
o Visit http://mathcs.wilkes.edu/~username/hello.php to ensure that it does not work

Warning #1
If you put files in your webdocs directory and make them publicly readable so that www-data (and anybody else) can read them, this means anybody can log on to dilbert and read your source code. If somebody else in the class goes into your webdocs and copies your code because you made a file publicly readable, you will be considered equally responsible for cheating and will face the same consequences. All files should be readable only by you and executed through AssignUserID.
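The permission rules from the File Permissions, AssignUserID and Warning #1 slides can be checked mechanically. The following is an added example, not part of the lecture: a small PHP command-line script that walks a directory tree, reads each entry's mode bits with fileperms(), and reports anything that is readable by the group or by everyone, i.e. anything other than the 700 (directory) / 600 (file) layout the lecture asks for under AssignUserID. The path argument and the script name audit_perms.php are assumptions.

```php
<?php
// Added example (not from the lecture): audit a web directory for files or
// directories that are readable by group or other, which Warning #1 forbids.
// Usage (path is an assumption, adjust to your own webdocs):
//   php audit_perms.php ~/webdocs/cs383

function octalPerms(string $path): string {
    // fileperms() also carries file-type bits; mask down to the 9 rwx bits
    return sprintf('%03o', fileperms($path) & 0777);
}

function isExposed(string $path): bool {
    // 040 = group read, 004 = other read. Either bit means www-data and every
    // other account on the server can read the source (or the data file).
    return (fileperms($path) & 0044) !== 0;
}

function expectedMode(string $path): string {
    // What the lecture asks for under AssignUserID: only the owner can use it,
    // and directories additionally need the execute (search) bit.
    return is_dir($path) ? '700' : '600';
}

function auditTree(string $root): array {
    // Returns [path => actual octal mode] for every exposed entry, root included
    $findings = [];
    if (isExposed($root)) {
        $findings[$root] = octalPerms($root);
    }
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        if (isExposed($path)) {
            $findings[$path] = octalPerms($path);
        }
    }
    return $findings;
}

$root = $argv[1] ?? '.';
if (!is_dir($root)) {
    fwrite(STDERR, "not a directory: $root\n");
    exit(2);
}

$findings = auditTree($root);
if ($findings === []) {
    echo "OK: nothing under $root is group- or world-readable\n";
    exit(0);
}
foreach ($findings as $path => $mode) {
    // Print the fix alongside the finding so it can be pasted into chmod
    printf("EXPOSED %s %s (expected %s)\n", $mode, $path, expectedMode($path));
}
exit(1);
```

The script exits non-zero when it finds anything, so it can be run before submitting an assignment; the fix for each reported entry is the chmod command from the File Permissions slides with the expected mode shown in the output (chmod 700 for a directory, chmod 600 for a file).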

phpinfo()
phpinfo() is a function that takes no arguments and does just what its name implies: it dumps out information about PHP. It can be used on the command line or in a web script. The information includes:
o Version numbers
o Modules installed
o Configuration settings
o Environment/server variables
Create a file called info.php that contains the following:
<?php phpinfo(); ?>

PHP Configuration
The settings for PHP on a web server are stored in a file called php.ini. There is a separate file for each way PHP is run:
o /etc/php5/cli/php.ini for scripts run on the command line
o /etc/php5/apache2/php.ini for scripts run through the web server
You can change the PHP configuration by:
o Editing the php.ini file (if you have admin access)
o Creating your own php.ini file and setting your virtual host to use it (if you have admin access)
o Using the ini_set() function to override a setting
o Putting settings in an .htaccess file
o Using a function for a specific option to override its setting

Warning #2
If you Google issues you are having with code, it may direct you to change values that come from php.ini. DO NOT CHANGE ANY OF THESE VALUES IN YOUR ASSIGNMENTS UNLESS YOU ARE DIRECTED TO DO SO. Often, people post solutions without fully understanding the scope of their suggestions. Some PHP settings change crucial security settings and may open up holes that were previously closed. Example: Register Globals (now removed from PHP).

Warning #2
php.ini is configured for this class to ensure no shortcuts are taken. All assignments I give can be completed using the php.ini settings that are listed on dilbert. If one cannot, I will supply you with the necessary changes to the php.ini settings.

PHP through Apache
Last week, we talked about building command line scripts. This week, we will transition to building scripts that run through the web server, Apache, and are viewable in a browser.

Differences in Input
As mentioned last week, the biggest difference between the two interfaces for programming is how we receive input and provide output. Providing output will (mostly) be different only because we need to wrap everything in HTML code to properly display it in a browser window. For input, think about our command line applications and how we received input.

Differences in Input
Command line input method           Equivalent in web browser
Command line arguments ($argv)      Query strings ($_GET)
Standard input (STDIN)              Forms ($_POST)

Note about Forms with $_GET and $_POST
Note that we can send forms over $_GET instead of $_POST. However, it is not ideal because all data in $_GET is sent through the URL:
o A URL generally has a limit of about 2048 characters, limiting how much data can be sent over a form
o Sensitive data (such as a password) would be captured in the URL, and thus appear in the user's browser history

$_GET and Query Strings
The syntax of a URL is:
http://host.domain/file.php?querystring
The query string consists of data in the form variable=value. Multiple pieces of data can be strung together with &.

$_GET and Query Strings
Suppose you had the URL:
http://cs383.mathcs.wilkes.edu/myfile.php?newsid=18&theme=2
Our variables are newsid (18) and theme (2). If we were to add print_r($_GET); the output would be:
Array ( [newsid] => 18 [theme] => 2 )
We can access these with $_GET["newsid"] and $_GET["theme"].

Register Globals
You may see a solution on the Internet to a problem that suggests you turn on register globals in the INI settings of PHP. Register globals means that if you had the URL http://cs383.mathcs.wilkes.edu/script.php?userid=10, then you could access the variable in the query string directly with $userid rather than $_GET["userid"]. DON'T TURN IT ON.

Register Globals
This creates a HUGE security risk. Suppose your script had a variable $userid in it, which kept track of who was logged in. Somebody could add ?userid=3 to the end of a URL, and if your script is not explicitly checking for somebody adding their own query strings, it could allow them to take over the account of whoever has the userid 3.

Validating Input
Because PHP is flexible, in that explicit variable type declarations are neither necessary nor allowed, checking input is somewhat complicated. Suppose we had the URL http://cs383.mathcs.wilkes.edu/script.php?x= (some value for x). We want to make sure the value supplied for x in the query string is an integer. How do we do this?

Validating Input
First, note that even if this value came from a form or a link we put on the page, we cannot assume that the input is valid. Why not? Even if we use JavaScript on a form to validate that the input is good, somebody can create their own form that submits to submit.php anyway, bypassing the JavaScript validation.

Validating Input
First, we need to verify that a value for x was actually supplied in the query string. We can do this with the function isset($var), which verifies that the variable provided was initialized somewhere.
Example: isset($_GET["x"])

Validating Input
Now, we need to verify that the value is an integer. If you look in the PHP documentation, it looks like we have a few functions that can do this... but we actually don't. These functions will not do what we really want them to.

Validating Input
One function you will find is is_int($var). However, this checks if the type, as it is stored, is an int, not if the actual value is an int. Note that we don't call the part of the URL we are extracting these variables from a query integer; it is in fact a query string.
Examples:
o is_int(4) => true
o is_int("4") => false
Since the latter is how the variable would appear from a query string, this function will not work.

Validating Input
Next, you may come across the function intval($var). This converts strings into integers. However, it essentially takes the leading numeric part of a string and discards the rest.
Examples:
o intval("4") => 4
o intval("4.6") => 4
Since the latter would simply take a floating point value and drop the decimal part, completely changing our input, this function will not work.

Validating Input
We have the function is_numeric($var), which will tell us if something is a numeric value.
Examples:
o is_numeric(4) => true
o is_numeric("4") => true
o is_numeric("4.6") => true
This gets us almost there, but it will still return true for floating point values.

Validating Input
Workaround: cast the variable as an integer, and compare it to the original. If they're equal, it must be an integer:
is_numeric($var) && $var == (int)$var
So, putting this all together, to verify that a variable x is provided in a query string and that it is an integer, our code would be:
if (isset($_GET["x"]) && is_numeric($_GET["x"]) && $_GET["x"] == (int)$_GET["x"]) {
    // is an int
} else {
    // is not an int
}

Validating Input: Why does this work?
Unlike in other languages, the following WILL evaluate to true in PHP:
0.2 == "0.2"
Although the previous functions would have found a distinction between 0.2 and "0.2", PHP otherwise does not.
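The query-string slides and the Validating Input slides describe one pipeline: the URL is split into the $_GET array, and each parameter is then checked with isset(), is_numeric() and the (int) cast comparison. The following is an added example, not code from the lecture, that runs that pipeline from the command line on the lecture's sample URL and then shows, on a few constructed query-string values, why is_int() and intval() alone are not enough. The function names queryToArray(), getIntParam() and getIntParamStrict() are assumptions; getIntParamStrict() uses PHP's built-in filter_var() with FILTER_VALIDATE_INT, which is an alternative the lecture does not cover.

```php
<?php
// Added example (not from the lecture). Run with: php validate.php

function queryToArray(string $url): array {
    // parse_url() isolates the text after '?'; parse_str() splits it on '&'
    // and '=' the same way PHP does when it builds $_GET for a web request.
    $query = parse_url($url, PHP_URL_QUERY) ?? '';
    parse_str($query, $params);
    return $params;
}

function getIntParam(array $get, string $name): ?int {
    // The lecture's check: supplied at all, numeric, and unchanged by an
    // integer cast. Returns null when the parameter is absent or not an int.
    if (isset($get[$name]) && is_numeric($get[$name]) && $get[$name] == (int)$get[$name]) {
        return (int)$get[$name];
    }
    return null;
}

function getIntParamStrict(array $get, string $name): ?int {
    // Alternative using PHP's filter extension (not from the lecture): accepts
    // only decimal integer syntax, so "4.6" and "1e3" are both rejected.
    if (!isset($get[$name])) {
        return null;
    }
    $value = filter_var($get[$name], FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

// The sample URL from the $_GET and Query Strings slide
$url = 'http://cs383.mathcs.wilkes.edu/myfile.php?newsid=18&theme=2';
$get = queryToArray($url);
print_r($get);                           // Array ( [newsid] => 18 [theme] => 2 )
var_dump(getIntParam($get, 'newsid'));   // int(18)
var_dump(getIntParam($get, 'missing'));  // NULL, parameter not supplied

// Constructed query-string values (they always arrive as strings), showing
// what each function from the lecture says about them
$samples = ['4', '4.6', 'abc', '1e3'];
printf("%-5s %-8s %-7s %-11s %-9s %s\n",
    'raw', 'is_int', 'intval', 'is_numeric', 'lecture', 'strict');
foreach ($samples as $raw) {
    printf("%-5s %-8s %-7s %-11s %-9s %s\n",
        $raw,
        var_export(is_int($raw), true),                           // always false for strings
        var_export(intval($raw), true),                           // "4.6" -> 4, "abc" -> 0
        var_export(is_numeric($raw), true),                       // true for "4.6" and "1e3"
        var_export(getIntParam(['x' => $raw], 'x'), true),        // rejects "4.6" and "abc"
        var_export(getIntParamStrict(['x' => $raw], 'x'), true)); // also rejects "1e3"
}
```

The last row is the caveat worth knowing about the lecture's workaround: "1e3" is numeric, and (int)"1e3" is 1000, which compares equal to "1e3", so the is_numeric()/(int) check accepts it as the integer 1000. That is harmless for a news id but is exactly the kind of loose comparison the final slide describes, which is why the stricter filter_var() variant is shown alongside it.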