Developing Web Applications with PHP - PowerPoint PPT Presentation

About This Presentation
Title: Developing Web Applications with PHP
Description: Developing Web Applications with PHP – PowerPoint PPT presentation
Slides: 82
Provided by: JeffJ97

Transcript and Presenter's Notes
1
Developing Web Applications with PHP
  • RAD for the World Wide Web

2
Introduction
  • Netcraft Statistics
  • 20,917,850 domains, 1,224,183 IP addresses

3
Programming Language Popularity
4
Introduction
  • What is PHP?
  • PHP stands for "PHP: Hypertext Preprocessor" (a
    recursive acronym)
  • A scripting language embedded in HTML, like ASP
    or JSP
  • A language that combines elements of Perl, C, and
    Java

5
Introduction
  • History of PHP
  • Created by Rasmus Lerdorf in 1995 for tracking
    access to his resume
  • Originally a set of Perl scripts known as the
    Personal Home Page tools
  • Rewritten in C with database functionality
  • Rewritten again and released as version 2.0 in
    November 1997

6
Introduction
  • History of PHP (cont.)
  • Rewritten again in 1997 by Andi Gutmans and Zeev
    Suraski, adding OOP features (released as PHP 3.0
    in 1998)
  • More functionality added, database support,
    protocols and APIs
  • The core is rewritten in 1998 by Zeev and Andi
    and dubbed the Zend Engine
  • Version 4.0 released in 2000

7
Introduction
  • History of PHP (cont.)
  • Version 5.0 includes version 2.0 of the Zend
    Engine
  • New object model is more powerful and intuitive
  • Objects are no longer copied on assignment; a
    variable holds an object handle, so objects behave
    as if they were passed by reference
  • Increases performance and makes OOP more
    attractive

8
Introduction
  • Performance
  • ZDNet statistics
  • PHP: about 47 pages/second
  • Microsoft ASP: about 43 pages/second
  • Allaire ColdFusion: about 29 pages/second
  • Sun Java JSP: about 13 pages/second
  • (From PHP HOWTO, July 2001)

9
PHP Language Basics
  • The Script Tags
  • All PHP code is contained in one of several
    script tags
  • <? // Some code ?>  (short open tag; only works
    when short_open_tag is enabled, so avoid it)
  • <?php // Some code here ?>  (this is the preferred
    method and is always available)

10
PHP Language Basics
  • The Script Tags (cont.)
  • <script language="PHP"> // Some code here
    </script>
  • ASP-style tags
  • Introduced in 3.0; both the ASP-style tags and the
    <script> form were removed in PHP 7.0
  • <% // Some code here %>

11
PHP Language Basics
  • The Script Tags (cont.)
  • Echo tags: <?= expr ?> is shorthand for
    <?php echo expr ?>
  • <table><tr><td>Name</td><td><?= $name ?></td></tr>
    <tr><td>Address</td><td><?= $address ?></td></tr>
    </table>

12
PHP Language Basics
  • Hello World! An Example
  • Like Perl, there is more than one way
  • <?php echo "Hello World!"; ?>
  • <?php $greeting = "Hello World!";
    printf("%s", $greeting); ?>
  • <script language="PHP"> $hello = "Hello";
    $world = "World!"; print $hello . " " .
    $world; </script>

13
PHP Language Elements
  • Variables
  • start with $ followed by a name
  • name must start with _ or an alphabetic character
  • name can contain _ or alphanumeric characters
  • Operators
  • Arithmetic + - * / %
  • Assignment = += -= *= /= .=
  • Bitwise & | ^ ~ << >>
  • Comparison == != < > <= >=
  • Logical and or xor ! && ||

14
PHP Language Basics
  • Constants, Data Types and Variables
  • Constants define a string or numeric value
  • Constants do not begin with a dollar sign
  • Examples
  • define("COMPANY", "Acme Enterprises");
  • define("YELLOW", "#FFFF00");
  • define("PI", 3.14);
  • define("NL", "<br>\n");
  • Using a constant
  • print("Company name: " . COMPANY . NL);

15
PHP Language Basics
  • Constants, Data Types and Variables
  • Data types
  • Booleans, integers, doubles and strings
  • $isValid = true;   // Boolean
  • 25                 // Integer
  • 3.14               // Double
  • "Four"             // String
  • "Total $value"     // Another string ($value is interpolated)

16
PHP Language Basics
  • Constants, Data Types and Variables
  • Data types
  • Strings and type conversion
  • $street = 123;
  • $street = $street . " Main Street";
  • $city = "Naperville"; $state = "IL";
  • $address = $street;
  • $address = $address . NL . "$city, $state";
  • $number = $address + 1; // $number equals 124: PHP
    converts the leading digits of the string (newer
    PHP versions emit a warning for such strings)

17
PHP Language Basics
  • Constants, Data Types and Variables
  • Data types
  • Arrays
  • Perl-like syntax for hashes
  • $arr = array("foo" => "bar", 12 => true);
  • same as
  • $arr["foo"] = "bar";
  • $arr[12] = true;

18
PHP Language Basics
  • Constants, Data Types and Variables
  • Arrays (cont.)
  • <?php
    $arr = array("somearray" => array(6 => 5, 13 => 9,
                                      "a" => 42));
    echo $arr["somearray"][6];    // 5
    echo $arr["somearray"][13];   // 9
    echo $arr["somearray"]["a"];  // 42
    ?>

19
PHP Language Elements
  • Statements
  • terminated by a semicolon (;) or the closing PHP
    tag.
  • compound statements enclosed in braces { }
  • Comments
  • C /* ... */, C++ // ... and shell style # ...
  • Types
  • array, boolean, floating-point, integer, string,
    object
  • arrays behave as hash tables
  • $var[1] = 36.7; $var["my name"] = "Marianne Brown";
  • key needs to be either an integer or string
  • value can be anything

20
PHP Control Structures
  • if-then-else
  • if (expr) {
  •     stmt;
  • } elseif (expr) {
  •     stmt;
  • } else {
  •     stmt;
  • }

21
PHP Control Structures
  • while loop
  • while (expr) {
  •     stmt;
  • }
  • do-while loop
  • do {
  •     stmt;
  • } while (expr);

22
PHP Control Structures
  • for loop
  • for (expr1; expr2; expr3) {
  •     stmt;
  • }
  • switch statement
  • switch (expr) {
  •     case 0: stmt;
  •         break;
  •     case 1:
  •     case 2: stmt;
  •         break;
  •     default: stmt;
  • }

23
PHP Functions
  • The function keyword declares a function.
  • function square($num) {
  •     return $num * $num;
  • }
  • echo square(4); // outputs 16

24
Functions
function add($a, $b) { return $a + $b; }

// parameters are passed by value unless declared with &,
// so swap() needs reference parameters to have any effect
function swap(&$a, &$b) { $c = $a; $a = $b; $b = $c; }

$count = 0;
function inc() { global $count; $count++; }
25
PHP Functions
  • header(): send an HTTP header to the client
  • setcookie(): send a cookie to the client
  • mail(): send email from PHP
  • dns_get_mx(): check mail exchange records
  • connection_status(): check connection status,
    e.g. abort, timeout
  • gethostbyname(): get the IP address of a host
  • FTP functions: ftp_connect(), ftp_login(),
    ftp_fget(), ftp_fput(), ...

26
PHP Classes
  • class Cart {
  •     var $todays_date;
  •     var $name;
  •     var $owner;
  •     // PHP 4-style constructor (same name as the class);
  •     // PHP 5+ code should use __construct(), and PHP 8
  •     // no longer treats this form as a constructor
  •     function Cart() {
  •         $this->todays_date = date("Y-m-d");
  •     }
  •     function addItem($code, $descript, $qty) {
  •         /* stuff */
  •     }
  • }
  • $cart = new Cart;
  • $cart->addItem("002564", "1kg Tin Beans", 10);

27
FORM Handling
  • GET
  • $_GET['name']
  • POST
  • $_POST['name']
  • or the more general $_REQUEST['name'], which merges
    GET, POST and COOKIE data (in the order given by
    request_order). A value the code expects from a
    POST form can then be supplied in the URL or in a
    cookie instead, so read from the specific array
    you mean.

28
FORM Example
<form action="test.php" method="post">
<table>
<tr> <th>Name</th> <td><input type="text" name="name"></td> </tr>
<tr> <th>Age</th>  <td><input type="text" name="age"></td> </tr>
</table>
</form>
<!-- test.php: the submitted values are user input, so they are
     escaped before being placed in the page (see the XSS slides) -->
<p>Hello <?= htmlspecialchars($_POST['name'] ?? '', ENT_QUOTES, 'UTF-8') ?>. You are
<?= htmlspecialchars($_POST['age'] ?? '', ENT_QUOTES, 'UTF-8') ?> years old.</p>
29
Session
  • Start session - session_start()
  • Must be called before any output is sent (it sets
    the session cookie header)
  • If a session has started already, load the
    registered session variables. Otherwise, create a
    new session.
  • Uses a cookie to identify the session (PHPSESSID)
  • Session variables are stored on the server
  • $_SESSION['name'] = $value;
  • isset($_SESSION['name'])
  • session_destroy()

30
PHP Include
  • Universal header and footer
  • Create a file called header.php. This file will
    have all of theheader HTML code. You can use
    FrontPage/Dreamweaver to create the header, but
    remember to remove the closing </BODY> and
    </HTML> tags.

31
PHP Include
  • Universal header and footer
  • Next, create a file called footer.php. This file
    will have all of the footer HTML code.

32
PHP Include
  • Universal header and footer
  • This is the basic template that you will use on
    all of the pages. Make sure you name the files
    with a .php extension so that the server will
    process the PHP code. In this example, we assume
    the header and footer files are located in the
    same directory.

33
Built-in Functions
  • What comes In the box?
  • Array Manipulator Functions
  • sort, merge, push, pop, slice, splice, keys,
    count
  • $keysarray = array_keys($somearray);
  • asort($somearray); // sorts, preserves key
    associations
  • String Manipulation Functions
  • strlen, trim, substr, ucfirst, ucwords,
    strtolower, strtoupper, strstr, strcasecmp,
    strtok, str_replace, ...
  • explode, implode, join - array/string
    transformations
  • Date and Time Functions
  • getdate, mktime, date, gettimeofday, localtime,
    strtotime, time

34
Built-in Functions
  • What comes In the box?
  • Directory Functions
  • Platform independent
  • Error Handling Functions
  • Recover from warnings and errors
  • Filesystem Functions
  • Access flat files
  • Check directory, link, and file status
    information
  • Copy, delete, and rename files

35
Built-in Functions
  • Regular Expressions
  • Regular expression syntax is Perl-compatible (PCRE)
  • Functions
  • preg_match($pattern, $string, $matches)
  • preg_match_all($pattern, $string, $matches)
  • preg_replace($pattern, $replacement, $string)
  • $array = preg_split($pattern, $string)

36
Regex Example
<html>
<head><title>Regex in PHP</title></head>
<body>
<h1>Using Regex in PHP</h1>
<?php
$test = "cookiesmultipackchocolatebrownies";
// an empty pattern matches between every character, so this
// splits the string into single characters (plus an empty
// leading and trailing element)
$parts = preg_split("//", $test);
echo "<ul>";
// each() was removed in PHP 8; iterate with foreach instead
foreach ($parts as $key => $val) {
    echo "<li>$key $val</li>";
}
echo "</ul>";
?>
</body>
</html>
37
Built-in Functions
  • What comes In the box?
  • IMAP Functions
  • Manipulate mail boxes via the IMAP protocol
  • LDAP Functions
  • Works with most LDAP servers
  • Mail Functions
  • mail($recipient, $subject, $message)
  • CCVS: interface to Red Hat's credit card
    verification system

38
Built-in Functions
  • What comes In the box?
  • Database Functions
  • dba dbm-style abstraction layer
  • dBase
  • Frontbase
  • Informix
  • Ingres II
  • Interbase
  • mSQL

39
Built-in Functions
  • What comes In the box?
  • Database Functions (cont.)
  • MySQL
  • Oracle
  • PostgreSQL
  • SQL Server
  • Ming
  • Create Macromedia Flash (SWF) files
  • PDF
  • Create/manipulate PDF files dynamically

40
<?php
// Uses the legacy ext/mysql API (mysql_* functions), which was
// deprecated in PHP 5.5 and removed in PHP 7.0; new code should
// use mysqli or PDO instead.
class DAO {
    private $link;
    private $db;

    public function __construct($host, $dbname) {
        $this->link = mysql_connect($host);
        $this->db = mysql_select_db($dbname, $this->link);
        if (!$this->db) {
            die("Unable to connect to database\n");
        }
    }

    public function getPeople() {
        $query = "select * from QuinnsTable";
        if ($result = mysql_query($query)) {
            $i = 0;
            $people = array();
            while ($data = mysql_fetch_object($result)) {
                $people[$i] = $data;
                $i++;
            }
            return $people;
        } else {
            // Check result. This shows the actual query sent to
            // MySQL, and the error. Useful for debugging, but it
            // discloses table and column names to users, so in
            // production log the message instead of printing it.
            $message = 'Invalid query: ' . mysql_error() . "\n" .
                       'Whole query: ' . $query;
            die($message);
        }
    }
}
?>
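The same data-access object written against PDO with prepared statements, added here as an example (it is not the presentation's code). A lookup by a user-supplied key is bound as a parameter rather than concatenated into the SQL, and failures surface as exceptions that are logged instead of being printed with die(). The table name QuinnsTable is kept from the slide; the `id` column, the DSN and the credentials are placeholders, and the typed property requires PHP 7.4 or later.

```php
<?php
// Added example: PDO data-access object with prepared statements.
// Assumes a table QuinnsTable with an integer column `id`; the DSN,
// credentials and column name are placeholders, not from the slides.
class PeopleDAO
{
    private PDO $pdo;

    public function __construct(string $dsn, string $user, string $password)
    {
        $this->pdo = new PDO($dsn, $user, $password, [
            // throw on errors instead of returning false silently
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            // real server-side prepared statements, not client-side emulation
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_OBJ,
        ]);
    }

    /** @return object[] every row of the table */
    public function getPeople(): array
    {
        // no user data in this statement, so a plain query is fine
        return $this->pdo->query('SELECT * FROM QuinnsTable')->fetchAll();
    }

    /** Look up one row by primary key; returns null when absent. */
    public function getPerson(int $id): ?object
    {
        // the value travels as a bound parameter, never as SQL text, so
        // input such as "1 OR 1=1" or a quote cannot alter the statement
        $stmt = $this->pdo->prepare('SELECT * FROM QuinnsTable WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch();
        return $row === false ? null : $row;
    }
}

// Usage (DSN and credentials are placeholders):
try {
    $dao = new PeopleDAO('mysql:host=localhost;dbname=test;charset=utf8mb4',
                         'app_user', 'app_password');
    // strict validation of the id belongs in the caller (see the validation slides)
    $person = $dao->getPerson((int) ($_GET['id'] ?? 0));
} catch (PDOException $e) {
    // log the driver message server-side; tell the user nothing specific
    error_log('database error: ' . $e->getMessage());
    http_response_code(500);
    echo 'A database error occurred.';
}
```

With ATTR_EMULATE_PREPARES disabled the statement text and the parameter reach the server separately, so whatever arrives in `id` is either an integer or a rejected value, never part of the SQL.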
41
Built-in Functions
  • What comes In the box?
  • POSIX Functions
  • Manipulate process information
  • Semaphore and Socket Functions
  • Semaphores (System V IPC) are available only on
    Unix; the socket functions also work on Windows
  • Session Management Functions

42
Numeric Value Validation
  • All data passed to PHP (GET/POST/COOKIE) ends up
    being a string. Using strings where integers are
    needed is not only inefficient but also dangerous.
  • // integer validation
  • if (!empty($_GET['id'])) {
  •     $id = (int) $_GET['id'];
  • } else {
  •     $id = 0;
  • }
  • // floating point number validation
  • if (!empty($_GET['price'])) {
  •     $price = (float) $_GET['price'];
  • } else {
  •     $price = 0;
  • }
  • Casting is a simple and very efficient way to
    ensure variables do in fact contain numeric
    values. Note that a cast never fails: "12abc"
    becomes 12 and "abc" becomes 0, so use
    filter_var() with FILTER_VALIDATE_INT when bad
    input must be rejected rather than coerced.

43
Validating Strings
  • PHP comes with the ctype extension, which offers
    a very quick mechanism for validating string
    content.
  • if (!ctype_alnum($_GET['login']))
  •     echo "Only A-Za-z0-9 are allowed.";
  • if (!ctype_alpha($_GET['captcha']))
  •     echo "Only A-Za-z are allowed.";
  • if (!ctype_xdigit($_GET['color']))
  •     echo "Only hexadecimal values are
    allowed";
  • The ctype functions expect a string and return
    false for an empty string, so check isset() and a
    length limit as well.
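The cast and ctype checks on the two slides above coerce or only partially check their input; the following added example (not from the presentation) validates the same parameters strictly and returns a typed value or null. The field names and limits are assumptions, and the sample rows stand in for $_GET.

```php
<?php
// Added example (not from the slides): strict validation of the
// id/price/login/color parameters from the two previous slides.
// Returns the validated, typed value or null, instead of silently
// coercing bad input the way a bare (int)/(float) cast does.

function validate_id($raw): ?int
{
    // FILTER_VALIDATE_INT rejects "12abc", "1e3", "0x1A", " 12" and
    // values outside the range; a cast would turn "12abc" into 12
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $v === false ? null : $v;
}

function validate_price($raw): ?float
{
    $v = filter_var($raw, FILTER_VALIDATE_FLOAT);
    // reject overflow to INF and negative prices as well as non-numbers
    return ($v === false || !is_finite($v) || $v < 0) ? null : $v;
}

function validate_login($raw): ?string
{
    // ctype_* needs a string; is_string() also rejects an array such as
    // ?login[]=x, which would otherwise cause an error inside ctype_alnum()
    if (!is_string($raw) || $raw === '' || strlen($raw) > 32) {
        return null;
    }
    return ctype_alnum($raw) ? $raw : null;
}

function validate_color($raw): ?string
{
    // exactly six hex digits ("RRGGBB"); ctype_xdigit alone would also
    // accept "fff" or a 40-digit string
    if (!is_string($raw) || strlen($raw) !== 6 || !ctype_xdigit($raw)) {
        return null;
    }
    return strtolower($raw);
}

// Constructed sample input standing in for $_GET:
$samples = [
    ['id' => '42',    'price' => '9.99',  'login' => 'alice1', 'color' => 'FF00aa'],
    ['id' => '12abc', 'price' => '1e400', 'login' => "bob'--", 'color' => 'zzzzzz'],
    ['id' => '-1',    'price' => '-5',    'login' => ['x'],    'color' => 'fff'],
];

foreach ($samples as $n => $get) {
    printf("sample %d: id=%s price=%s login=%s color=%s\n", $n,
        var_export(validate_id($get['id']), true),
        var_export(validate_price($get['price']), true),
        var_export(validate_login($get['login']), true),
        var_export(validate_color($get['color']), true));
}
```

Run from the command line it prints one line per sample: the first row passes every check (id 42, price 9.99, login alice1, colour ff00aa); in the other two rows every field comes back NULL, including `12abc`, which a plain (int) cast would have silently turned into 12, and the array submitted as `login[]`, which would have raised an error inside ctype_alnum().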

44
Path Validation
  • Values passed to PHP applications are often used
    to specify what file to open. This too needs to
    be validated to prevent arbitrary file access.
  • http://example.com/script.php?path=../../etc/passwd
  • <?php
  • $fp = fopen("/home/dir/" . $_GET['path'], "r");
  • ?>

45
Path Validation
  • PHP includes a basename() function that will
    process a path and remove everything other than
    the last component of the path, usually a file
    name.
  • <?php
  • $_GET['path'] = basename($_GET['path']);
  • // only open a file if it exists.
  • if (file_exists("/home/dir/" . $_GET['path']))
  •     $fp = fopen("/home/dir/" . $_GET['path'], "r");
  • ?>
  • basename() confines access to that one directory,
    but every file in it (including dot-files such as
    .htpasswd) is still reachable; where the set of
    files is known, an allow-list of names is stricter.
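A containment check based on realpath(), added here as an example and not part of the presentation: it allows a sub-directory in the path, which basename() cannot, but still rejects `../` escapes, symlinks leading outside the base, dot-files and embedded NUL bytes. The base directory, the file names and the temporary sandbox it builds are all constructed for the demonstration.

```php
<?php
// Added example (not from the slides): open a file under a fixed base
// directory only if the resolved path stays inside it. The base directory
// and sample files are constructed in a temp dir so the check runs offline.

function open_under_base(string $base, string $userPath)
{
    // reject embedded NUL bytes before they reach the filesystem layer
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                 // base directory must exist
    }
    // realpath() resolves ../, ./ and symlinks; false if the file is missing
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return null;
    }
    // containment: the resolved path must start with "<base>/" (the
    // separator stops /home/dir2 from passing a check for /home/dir)
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                 // escaped the base (e.g. ../../etc/passwd)
    }
    // no hidden files or hidden directories in the relative part
    $rel = substr($target, strlen($prefix));
    foreach (explode(DIRECTORY_SEPARATOR, $rel) as $component) {
        if ($component !== '' && $component[0] === '.') {
            return null;
        }
    }
    if (!is_file($target)) {
        return null;                 // directories, devices etc. are not served
    }
    return fopen($target, 'r');
}

// Constructed sandbox so the check can be exercised offline:
$base = sys_get_temp_dir() . '/pathdemo_' . getmypid();
mkdir("$base/docs", 0700, true);
file_put_contents("$base/docs/readme.txt", "public document\n");
file_put_contents("$base/.secret", "hidden\n");

$attempts = ['docs/readme.txt', '../../etc/passwd', 'docs/../.secret', "docs/readme.txt\0.jpg"];
foreach ($attempts as $p) {
    $fp = open_under_base($base, $p);
    printf("%-28s -> %s\n", addcslashes($p, "\0"), $fp ? 'opened' : 'rejected');
    if ($fp) {
        fclose($fp);
    }
}
```

Of the four constructed requests only docs/readme.txt is opened; the traversal, the dot-file reached through a legitimate directory, and the NUL-byte trick are all rejected before fopen() is called.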

46
XSS
  • Cross Site Scripting (XSS) is a situation where
    an attacker injects HTML or JavaScript, which is
    then displayed on the page without being encoded
    or validated.
  • Can lead to embarrassment.
  • Session take-over (the injected script can read or
    use the session cookie).
  • Password theft.
  • User tracking by 3rd parties.

47
Preventing XSS
  • Prevention of XSS can be as simple as encoding the
    data at the point where it is written into the
    page, via one of the following
  • htmlspecialchars()
  • Encodes &, ", <, > (and ' when ENT_QUOTES is given)
  • htmlentities()
  • Converts anything that there is an HTML entity for.
  • strip_tags()
  • Strips anything that resembles an HTML tag.

48
Preventing XSS
  • $str = strip_tags($_POST['message']);
  • // encode any foreign special chars
  • $str = htmlentities($str);
  • // maintain new lines, by converting them to <br />
  • echo nl2br($str);
  • // strip_tags can be told to "keep" certain tags
  • $str = strip_tags($_POST['message'],
    '<b><p><i><u>');
  • $str = htmlentities($str);
  • echo nl2br($str);
  • Tag allowances in strip_tags() are dangerous,
    because attributes of those tags are not being
    validated in any way. (As written above, the
    htmlentities() call also encodes the kept tags, so
    they show as text; dropping it to let them render
    is what exposes the attribute problem.)

49
Tag Allowance Problems
  • <b style="font-size: 500px">
  • TAKE UP ENTIRE SCREEN
  • </b>
  • <u onmouseover="alert('JavaScript is allowed')">
  • <b style="font-size: 500px">Lot's of text</b>
  • </u>
  • <p style="background: url(http://tracker.com/image.gif)">
  • Let's track users
  • </p>
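Output escaping done properly, as an added example (not the presentation's code): every character that has meaning in HTML is encoded at output time, and the only tags that reach the page are generated by the code itself from a small [b]/[i]/[u] notation. The notation and the function names are assumptions made for the demo; the first three inputs are the payloads from the previous slide.

```php
<?php
// Added example (not from the slides): render user-supplied text safely.
// Everything is escaped for the HTML body with htmlspecialchars(); the
// only tags that reach the page are produced by this code from a tiny
// [b]/[i]/[u] markup, so no user-supplied attribute can ever survive.
// The markup syntax is an assumption chosen for the demo.

function escape_html(string $s): string
{
    // ENT_QUOTES also encodes ', so the result is safe inside quoted
    // attribute values as well as in text; ENT_SUBSTITUTE avoids the
    // empty-string result on invalid UTF-8 that would swallow output
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_message(string $raw): string
{
    $escaped = escape_html($raw);
    // turn the (already escaped) markers into real tags: the pattern only
    // matches the literal markers, so the tags are ours, never the user's,
    // and they carry no attributes
    $html = preg_replace('~\[(b|i|u)\](.*?)\[/\1\]~s', '<$1>$2</$1>', $escaped);
    return nl2br($html);
}

// Constructed inputs: the three payloads from the previous slide plus a
// legitimate message that uses the markup.
$messages = [
    '<b style="font-size: 500px">TAKE UP ENTIRE SCREEN</b>',
    '<u onmouseover="alert(\'JavaScript is allowed\')">Lot\'s of text</u>',
    '<p style="background: url(http://tracker.com/image.gif)">Let\'s track users</p>',
    "Totally [b]legit[/b] text with a \"quote\" & a newline\nhere",
];

foreach ($messages as $m) {
    echo render_message($m), "\n---\n";
}
```

The three payloads render as literal text (the `<u onmouseover=...>` reaches the browser as `&lt;u onmouseover=...`), while the fourth becomes `Totally <b>legit</b> text ...` with the quote and ampersand encoded and the newline turned into `<br />`. Generating the tags yourself, rather than letting strip_tags() pass user-written ones through, is what makes the attribute problem on the previous slide impossible.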

50
Error Reporting
  • By default PHP will print all errors to screen,
    startling your users and in some cases disclosing
    privileged information.
  • File paths.
  • Un-initialized variables.
  • Sensitive function arguments such as passwords.
  • At the same time, disabling error reporting would
    make bug tracking near impossible.

51
Solution?
  • This problem can be solved by disabling
    displaying of error messages to screen
  • ini_set('display_errors', '0');
  • And enabling logging of errors
  • ini_set('log_errors', '1');
  • to a file
  • ini_set('error_log', '/var/log/php.log');
  • or to the system's central error tracking facility
  • ini_set('error_log', 'syslog');
  • A runtime ini_set() cannot cover errors raised
    before the script runs (parse and startup errors),
    so set the same options in php.ini as well.
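An added example (not from the presentation) of the arrangement the slide recommends: errors go to the log with full detail, while the user sees a generic page carrying a random reference that support can search for in the log. The log path and the DSN used in the demonstration are placeholders.

```php
<?php
// Added example (not from the slides): keep the details for the log and
// show the user only a generic message tied to a reference id. The log
// path is a placeholder; set display_errors/log_errors in php.ini as well.

ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php.log');   // placeholder path
error_reporting(E_ALL);                      // log everything, show nothing

// Convert warnings and notices into exceptions so one handler sees them all
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    if (!(error_reporting() & $no)) {
        return false;                        // suppressed with @, let PHP handle it
    }
    throw new ErrorException($str, 0, $no, $file, $line);
});

set_exception_handler(function (Throwable $e): void {
    // random reference the user can quote; the log line carries the detail
    $ref = bin2hex(random_bytes(6));
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        http_response_code(500);
    }
    // nothing from the exception (paths, SQL, arguments) reaches the client
    echo 'Something went wrong. Reference: ', $ref;
});

// Demonstration: a connection string is exactly the kind of detail a
// default error page would print; here it only goes to the log.
function connect_to_db(string $dsn): void
{
    throw new RuntimeException("could not connect using $dsn");
}
connect_to_db('mysql:host=db.internal;user=app;password=placeholder');
```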

52
Session Security
  • Sessions are a common tool for user tracking
    across a web site.
  • For the duration of a visit, the session is
    effectively the user's identity.
  • If an active session can be obtained by a 3rd
    party, it can assume the identity of the user
    whose session was compromised.

53
Securing Session ID
  • To prevent session id theft, the id can be
    altered on every request, invalidating old values.
  • <?php
  • session_start();
  • if (!empty($_SESSION)) { // not a new session
  •     session_regenerate_id(TRUE); // make a new session
    id and delete the old session data
  • }
  • ?>
  • Because the session changes on every request, the
    back button in a browser will no longer work, as
    it will make a request with the old session id;
    concurrent requests (AJAX, parallel tabs) can lose
    the session the same way. Regenerating the id on
    login and on every privilege change gives most of
    the benefit without these side effects.

54
Session Validation
  • Another session security technique is to compare
    the browser signature headers.
  • session_start();
  • $chk = @md5(
  •     $_SERVER['HTTP_ACCEPT_CHARSET'] .
  •     $_SERVER['HTTP_ACCEPT_ENCODING'] .
  •     $_SERVER['HTTP_ACCEPT_LANGUAGE'] .
  •     $_SERVER['HTTP_USER_AGENT']);
  • if (empty($_SESSION)) {
  •     $_SESSION['key'] = $chk;
  • } else if ($_SESSION['key'] != $chk) {
  •     session_destroy();
  • }
  • These headers are not secret: an attacker who
    captured the session id usually captured the
    headers too, so this only raises the bar slightly.
    Note also that session_destroy() does not clear
    $_SESSION for the current request.
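A login flow that applies the session advice of the preceding slides (and of the Session slide earlier in the deck), added here as an example and not part of the presentation. It sets the cookie flags, enables strict session ids, and regenerates the id on login and on logout rather than on every request; the User-Agent binding is kept as the weak extra check it is. The user store, the names and the lifetime limit are assumptions, and session_set_cookie_params() with an array requires PHP 7.3 or later.

```php
<?php
// Added example (not from the slides): session hardening around a login.
// Assumes PHP 7.3+ for the array form of session_set_cookie_params().
// User store, names and the 8-hour lifetime are placeholders.

function start_secure_session(): void
{
    // Cookie flags: HttpOnly keeps the id away from injected script,
    // Secure restricts it to HTTPS (derived from the request so the demo
    // also runs over plain HTTP), SameSite=Lax keeps it off cross-site POSTs.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued (fixation)
    ini_set('session.use_only_cookies', '1');  // never accept PHPSESSID from the URL
    session_start();
}

function login(string $user, string $password, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    // fresh id after authentication: whatever id the client had before
    // login (possibly planted by an attacker) is discarded
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    $_SESSION['ua_hash']    = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return true;
}

function current_user(): ?string
{
    if (empty($_SESSION['user'])) {
        return null;
    }
    // the User-Agent is not secret, so this is only a speed bump; the
    // absolute lifetime is the check that actually limits a stolen id
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua_hash'] ?? '', $ua)
        || time() - ($_SESSION['login_time'] ?? 0) > 8 * 3600) {
        logout();
        return null;
    }
    return $_SESSION['user'];
}

function logout(): void
{
    $_SESSION = [];   // session_destroy() alone leaves this array populated
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 86400, $p['path'], $p['domain'],
                  $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Constructed user store; the hash is computed at startup for the demo.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

start_secure_session();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST'
    && isset($_POST['user'], $_POST['password'])) {
    login((string) $_POST['user'], (string) $_POST['password'], $users);
}
$who = current_user();
echo $who === null ? 'anonymous' : 'logged in as ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

use_strict_mode is the setting that defeats session fixation directly: an id the attacker chose and planted in the victim's browser is never accepted, so the regenerate-on-login step only has to cover ids the server itself handed out before authentication.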

55
PHP MVC
  • PHP doesn't quite provide all that we really want
    to implement MVC
  • You would like to forward the request to a
    particular view, but there is no forward mechanism
  • We can include a particular view as needed

56
PHP MVC
57
index.php
<?php
// All interaction goes through the index and is forwarded
// directly to the controller
include_once("controller/Controller.php");
$controller = new Controller();
$controller->invoke();
?>
58
model/Book.php
<?php
class Book {
    public $title;
    public $author;
    public $description;
    public function __construct($title, $author, $description) {
        $this->title = $title;
        $this->author = $author;
        $this->description = $description;
    }
}
?>
59
model/Model.php
<?php
include_once("model/Book.php");
class Model {
    public function getBookList() {
        // here goes some hardcoded values to
        // simulate the database
        return array(
            "Jungle Book" => new Book("Jungle Book", "R. Kipling", "A classic book."),
            "Moonwalker" => new Book("Moonwalker", "J. Walker", ""),
            "PHP for Dummies" => new Book("PHP for Dummies", "Some Smart Guy", "")
        );
    }
    public function getBook($title) {
        // we use the previous function to get all the books
        // and then we return the requested one.
        // in a real life scenario this will be done through
        // a database select command
        $allBooks = $this->getBookList();
        // null (rather than an undefined-index notice) for an unknown title
        return isset($allBooks[$title]) ? $allBooks[$title] : null;
    }
}
?>
60
view/viewbook.php
<html>
<head></head>
<body>
<?php
if ($book === null) {
    echo 'Unknown book<br/>';
} else {
    // the fields come from the model, but escape them anyway so a
    // title containing markup cannot inject into the page
    echo 'Title: ' . htmlspecialchars($book->title) . '<br/>';
    echo 'Author: ' . htmlspecialchars($book->author) . '<br/>';
    echo 'Description: ' . htmlspecialchars($book->description) . '<br/>';
}
?>
</body>
</html>
61
view/booklist.php
<html>
<head></head>
<body>
<table>
<tbody>
<tr><td>Title</td><td>Author</td><td>Description</td></tr>
<?php
foreach ($books as $book) {
    // urlencode() for the query string, htmlspecialchars() for the markup
    echo '<tr><td><a href="index.php?book=' . urlencode($book->title) . '">' .
         htmlspecialchars($book->title) . '</a></td><td>' .
         htmlspecialchars($book->author) . '</td><td>' .
         htmlspecialchars($book->description) . '</td></tr>';
}
?>
</tbody>
</table>
</body>
</html>
62
controller/Controller.php
<?php
include_once("model/Model.php");
class Controller {
    public $model;
    public function __construct() {
        $this->model = new Model();
    }
63
controller/Controller.php
    public function invoke() {
        if (!isset($_GET['book'])) {
            // no special book is requested, we'll show a
            // list of all available books
            $books = $this->model->getBookList();
            include 'view/booklist.php';
        } else {
            // show the requested book
            $book = $this->model->getBook($_GET['book']);
            include 'view/viewbook.php';
        }
    }
}
?>
64
PHP MVC
65
Another Example
  • Forward information from one page to the next as
    a user fills out a multi-part form.
  • Model
  • Lives in $_SESSION
  • Views
  • Contain the forms
  • Controller
  • Adds data to the model as it comes in and
    includes the appropriate view

66
<?php
// Note that there is no html in this and no printing
class Controller {
    public function invoke() {
        session_start();
        // !empty() avoids notices on the first request, when
        // neither field has been submitted yet
        if (!empty($_REQUEST['name'])) {
            $_SESSION['name'] = $_REQUEST['name'];
        }
        if (!empty($_REQUEST['address'])) {
            $_SESSION['address'] = $_REQUEST['address'];
        }
        switch ($_SESSION['lastpage'] ?? '') {
            case '1': include('View2.php'); break;
            case '2': include('View3.php'); break;
            default:  include('View1.php');
        }
    }
}
?>
67
<?php
// the controller has normally started the session already;
// calling session_start() twice only produces a notice
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
$_SESSION['lastpage'] = '1';
include("header.php");
?>
<h1>View 1</h1>
<form action="index.php" method="POST">
Please enter your name: <input type="text" name="name">
<input type="submit" value="Submit">
</form>
<?php include("footer.php"); ?>
68
Tricks and Tips
  • Coding
  • Prototype your web pages first
  • Separate the design of the site from the coding
  • Turn repetitive code into functions
  • Makes for more maintainable and reusable code
  • Turn grunt code into functions
  • Database access, configuration file access

69
Tricks and Tips
  • Debugging
  • Feature: PHP is not a strongly typed language
  • Variables can be created anywhere in your code
  • Undocumented Feature: PHP is not a strongly typed
    language
  • Typos in variable names silently create new
    variables, so things happen that you did not
    intend (report E_NOTICE/E_WARNING in development
    to catch them)

70
Tricks and Tips
  • Debugging
  • Use scripts to dump form and session variables
  • Write scripts to dump data to discover bad or
    missing data

71
PHP 5
  • Features
  • Complete objects
  • Objects with constructors (__construct())
  • Abstract classes
  • Private, protected and abstract methods
  • Private and protected properties, class constants
  • Namespaces (from PHP 5.3)
  • Exception handling with try/catch blocks

72
Additional Information
  • Some of the new functions added in version 5
  • Arrays
  • array_combine() - Creates an array by using one
    array for keys and another for its values
  • array_walk_recursive() - Apply a user function
    recursively to every member of an array
  • Date and Time Related
  • idate() - Format a local time/date as integer
  • date_sunset() - Time of sunset for a given day
    and location
  • date_sunrise() - Time of sunrise for a given day
    and location
  • time_nanosleep() - Delay for a number of seconds
    and nano seconds
  • Strings
  • str_split() - Convert a string to an array
  • strpbrk() - Search a string for any of a set of
    characters
  • substr_compare() - Binary safe optionally case
    insensitive comparison of two strings from an
    offset, up to length characters
  • Other
  • php_check_syntax() - Check the syntax of the
    specified file
  • php_strip_whitespace() - Return source with
    stripped comments and whitespace

73
Additional Resources
  • PHP Manual: http://docs.php.net/
  • PHP Tutorial: http://academ.hvcc.edu/kantopet/php/index.php
  • PHP Coder: http://www.phpide.de/
  • JEdit: http://www.jedit.org/
  • PHP's creator offers his thoughts on the PHP
    phenomenon, what has shaped and motivated the
    language, and where the PHP movement is heading:
    http://www.oracle.com/technology/pub/articles/php_experts/rasmus_php.html
  • Hotscripts: a large number of PHP scripts can be
    found at http://hotscripts.com/PHP/Scripts_and_Programs/index.html

74
Resources
  • PHP Downloads and Online Documentation
  • www.php.net
  • Community
  • www.phpbuilder.com articles on PHP, discussion
    forums
  • www.phpresourceindex.com over 1,000 PHP scripts
  • www.phpvolcano.com PHP 5 information
  • Newsgroups
  • comp.lang.php

75
Questions?
  • Any Questions
  • www.php.net
  • Community
  • www.phpbuilder.com articles on PHP, discussion
    forums
  • Newsgroups
  • comp.lang.php

76
Exercise
77
STEP1 Install PHP
78
STEP2 Check the Installation
  • Create a test PHP page.
  • test.php

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
  "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>PHP Page</title>
</head>
<body>
<?php
echo "<h1>The First PHP Page</h1>";
echo "<p>Hello World</p>";
?>
</body>
</html>
79
STEP3 Check Options
  • Create a page which shows PHP options.

.... <?php phpinfo(); ?> ....
  • phpinfo() reveals paths, loaded modules and
    configuration values to anyone who can reach the
    page; delete it once the installation has been
    checked.
80
STEP4 Test FORM
  • Create an HTML page with FORM
  • input name, age
  • create submit button
  • Create a PHP page
  • show name and age

[Diagram: an HTML page with a FORM (fields name and age, plus a submit
button) posting to a PHP page that prints "name XXXX age XX"]
81
STEP5 Test Session
.... <?php
// session_start() must have been called earlier, before any output
if (!isset($_SESSION['count'])) {
    $_SESSION['count'] = 0;
} else {
    $_SESSION['count']++;
}
?>
<p>count = <?= $_SESSION['count'] ?></p>
<p><a href="count.php">again</a></p> ....