Tuesday, August 18, 2009

Read post array data

When working with forms we need, at some point, to get all of the form field names and their values. In PHP the submitted form values arrive as an array, and we want to retrieve them as (name, value) pairs.
This is useful when a single form has hundreds of variables and it is hard to tell which field name a given value belongs to.

There are two ways to find the solutions:

1st method:

if ($_POST) {
    // print_r() with its second argument set to true returns the array as a
    // string; htmlspecialchars() escapes it so submitted values cannot inject
    // markup into the page that displays them
    echo htmlspecialchars(print_r($_POST, true));
}

2nd method:

foreach (array_keys($_POST) as $key) {
    // variable variable: creates $<fieldname> from the submitted field name,
    // so a field name chosen by the client can overwrite any variable in scope
    $$key = $_POST[$key];
    print "$key is ${$key}\n";
}
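The listing below is an added example, not code from the original post. It produces the same name/value listing as the second method without creating a variable per field (the $$key trick behaves like register_globals: a field named like a local variable overwrites it), expands nested fields such as items[0], and escapes every name and value before it is echoed. The $sample array is constructed stand-in input; a real page would pass $_POST.

```php
<?php
// Added example (not the original post's code): list every submitted field
// as a name/value pair without copying it into a PHP variable.

/**
 * Flatten a request array into "name => value" lines. Nested arrays
 * (fields named items[0], items[1], ...) are expanded with their full
 * bracketed name so nothing is silently skipped.
 */
function listRequestFields(array $fields, string $prefix = ''): array
{
    $lines = [];
    foreach ($fields as $name => $value) {
        $fullName = $prefix === '' ? (string) $name : $prefix . '[' . $name . ']';
        if (is_array($value)) {
            $lines = array_merge($lines, listRequestFields($value, $fullName));
        } else {
            $lines[] = $fullName . ' => ' . $value;
        }
    }
    return $lines;
}

/** Render the listing for an HTML page, escaping both names and values. */
function renderRequestFields(array $fields): string
{
    $html = '';
    foreach (listRequestFields($fields) as $line) {
        $html .= htmlspecialchars($line, ENT_QUOTES, 'UTF-8') . "<br>\n";
    }
    return $html;
}

// Constructed sample standing in for $_POST
$sample = [
    'username' => 'alice',
    'items'    => ['apple', 'pear'],
    'comment'  => '<script>alert(1)</script>',
];
echo renderRequestFields($sample);
// In a real handler:  if ($_POST) { echo renderRequestFields($_POST); }
```

The comment field shows why the escaping matters: it is printed as literal text rather than executed by the browser that views the listing.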


Monday, August 10, 2009

Php hacking techniques part 1

This series covers techniques for securing user input, extends those techniques to applications that read from and write to a database (looking at some SQL security issues), and then deals with file operations and file uploads, looking specifically at the security issues involved in accessing files based on a user-supplied filename and in handling user-supplied (uploaded) files.


What Are Sessions?
Sessions are a PHP construct allowing persistent data to be retained across HTTP connections. In English, sessions allow you to store the values of certain variables across page visits. This is achieved by serializing the data (converting it to some binary representation) and writing it out to a file (or a database, or wherever you tell it), when a page is finished processing in PHP. When the next page (or that same page some time later) is processed, and PHP is told to start a session, it will check if the user already has a session, and read their data back in, unserializing it and assigning the variables. This allows you to keep track of a user across multiple visits, or while browsing multiple pages on your site.

For example, you can create a shopping cart using sessions, storing an array of items added to the cart in a session variable, and loading it on every page. When the user clicks 'Add to cart' you can add the item to the array, and it will be saved for the next page the user goes to. The whole array can be fetched on your checkout page and appropriate processing will take place.

How Do Sessions Work?
As many probably know, HTTP is a stateless protocol. By stateless, I mean that any HTTP connection is unaware of previous connections made by the same client, to the same server (persistent connections excepting). There are two useful ways in which PHP can pass identification information between pages in order to uniquely associate a user with a session.

PHP can use cookies to store a session ID. The cookie value is sent on every request, so PHP can match that up to its session data and retrieve the correct set of variables for that user. Another way is to pass the session ID in URLs. In order to do this, URL rewriting must be enabled.

Passing session data in URLs is not recommended since it is possible to pass your session onto another user if you give them a link which contains your session ID, and the session ID data is more easily attackable than in a cookie. URL-based session tracking should be used only where cookies cannot.

Using $_SESSION
PHP provides a super-global variable named $_SESSION. By super-global I mean it is a global variable which you may access without going via $GLOBALS or stating global $_SESSION within a function. In this way, it behaves like $_GET and $_POST.

$_SESSION is, in fact, an associative array. The keys are variable names, and the values are the stored session data for that variable name.

Using $_SESSION is preferred over the use of session_register() to register ordinary global variables as session variables, especially when register_globals is enabled, since global variables may be more easily changed inadvertently than the contents of $_SESSION. It is still possible to alias ordinary global variables to their equivalents within $_SESSION:

$username = &$_SESSION["username"];

Here, the & indicates a reference, or alias. It is then possible to use $username instead of $_SESSION["username"], but note that $username is an ordinary variable, and you will have to access it as $GLOBALS["username"] or declare global $username from within a function.

Trusting Session Data
Since a session ID can be spoofed, it is always wise to perform some extra validation where possible. The simplest mechanism is to store the IP address of the client to whom the session ID was issued, and compare the client IP against that stored IP on every request. This will prevent the basic security problems associated with passing links between computers (though not if the computers are on a private network and share a single public IP address).
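The following is an added example, not code from the original post, of the check just described: the session records the address it was issued to, and a request from a different address discards the session and gets a fresh ID. It also turns off URL-based session IDs, since the post recommends cookies. The same caveat from the paragraph applies: clients behind one NAT share an address, and mobile clients may change address mid-session.

```php
<?php
// Added example, not from the original post: bind a session to the client
// address it was first seen from and discard it on a mismatch.

/**
 * Returns true if the session is new (and binds it now) or was issued to
 * the same address; false if another client is presenting this session ID.
 */
function sessionMatchesClient(array &$session, string $clientIp): bool
{
    if (!isset($session['bound_ip'])) {
        $session['bound_ip'] = $clientIp;      // first request: record the issuer
        return true;
    }
    return $session['bound_ip'] === $clientIp; // strict comparison, no type juggling
}

function startTrustedSession(): void
{
    // Cookie-only session tracking: an ID passed in the URL is never accepted.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
    session_start();

    $clientIp = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!sessionMatchesClient($_SESSION, $clientIp)) {
        // Someone else is presenting this ID: drop the data and issue a new ID
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['bound_ip'] = $clientIp;
    }
}

startTrustedSession();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
echo 'visits this session: ', $_SESSION['visits'], "\n";
```

Call session_regenerate_id(true) again at the moment a user logs in, so that an ID obtained before authentication is worthless afterwards.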

Session data is also stored in files on the server. The default location is /tmp on UNIX, or the system temporary file directory on Windows. If /tmp is world-writable (or, in some cases, world-readable), or there are multiple websites hosted on a single server, storing session data in a public location is not secure. PHP provides a way to change the way session data is stored.

Changing The Session File Path
The location in which PHP saves session data can be set using the php.ini directive session.save_path, or the string below in httpd.conf or a virtual host configuration.

php_value session.save_path "/home/test/sessions/"

It is important to ensure that your session data path is included in the paths allowed by open_basedir, if you have open_basedir settings or PHP Safe Mode enabled.

The data representation used for saving session data to files can be controlled with the session.serialize_handler directive in php.ini. By default, PHP uses its own built-in format, but the WDDX ( http://www.wddx.org ) format can be used also. Set the type using one of the lines below.

(in php.ini ...)

session.serialize_handler = wddx

or

session.serialize_handler = php

(or in httpd.conf ...)

php_value session.serialize_handler wddx

or

php_value session.serialize_handler php

Storing Session Data In A Database
When you use on-disk files to store session data, those files must be readable and writeable by PHP. On a multi-user hosting system, it is possible for other users to access your session data through the PHP process (but see the commentary on open_basedir in part 5 of this series). The best way to secure your session data is to store it in a database.

Unfortunately, there is no direct way to store session data in a database using the php.ini directives, but luckily PHP provides a mechanism for customised session storage handlers. The function session_set_save_handler() allows you to register handler functions for session management. These functions must be written in PHP (or made available as a PHP extension).

session_set_save_handler(open_fn, close_fn, read_fn, write_fn, destroy_fn, gc_fn)

To use these user-supplied session storage handlers, you must set session.save_handler to the value user, and the value of session.save_path should be the name of the database into which you're saving session data (so that the session save handler functions you define can locate and use that database). The value of session.name can be used as the name of the table within the database.

(httpd.conf)

php_value session.save_handler user
php_value session.save_path dbname
php_value session.name session_data



Next, a table for storing session data must exist in the database. At the minimum, your session handler should keep track of the session ID, the expiration time, and the serialized session data. The SQL below creates a simple table for storing this data.

CREATE TABLE session_data (
    sessionid   text not null PRIMARY KEY,
    expiration  timestamp,
    sessiondata text not null
);

The final task is to create the functions which manage this session store, and register them with session_set_save_handler(). The open_fn must open the database connection, the close_fn must close it and perform any associated cleanup tasks, and the read_fn and write_fn functions must read and write session data respectively. destroy_fn is called when a session ends and is destroyed, and gc_fn is called when session data is garbage collected. These operations must be mapped into database queries by your PHP code. The prototypes for the functions are given below, and parameters passed are explained.

function open_fn($save_path, $session_name)

$save_path is the value of session.save_path, $session_name is the value of session.name. Returns true on success.

function close_fn()

Takes no arguments. Returns true on success.

function read_fn($session_id)

$session_id is the session ID for which PHP requests the associated session data to be returned. The function returns the serialized data as a string (an empty string if there is none).

function write_fn($session_id, $data)

$session_id is the session ID with which PHP requests that $data (the serialized session data) be associated in the session store (database).

function destroy_fn($session_id)

$session_id is the ID of a session which may be removed from the store.

function gc_fn($max_time)

$max_time is the oldest last modified time to retain in the session store. Sessions with an older modified time than this are to be removed from the store.
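Below is an added example, not the original post's code, that implements all six callbacks against the session_data table above and registers them. It uses the object form of session_set_save_handler() (SessionHandlerInterface, whose methods take the same parameters as the six functions) and PDO prepared statements, so the session ID and data never reach the query as raw text. It assumes PHP 8, MySQL, and a sessionid column declared as VARCHAR(128) rather than text (MySQL does not accept a text primary key without a length); the DSN, database name, user and password are placeholders.

```php
<?php
// Added example, not the original post's code: database-backed session
// storage registered through session_set_save_handler().
// Assumes table: session_data(sessionid VARCHAR(128) PRIMARY KEY,
//                             expiration DATETIME, sessiondata TEXT)

class PdoSessionHandler implements SessionHandlerInterface
{
    private ?PDO $db = null;
    private string $table = 'session_data';
    private int $lifetime;

    public function __construct(?int $lifetime = null)
    {
        // default to the configured gc lifetime so read() and gc() agree
        $this->lifetime = $lifetime ?? (int) ini_get('session.gc_maxlifetime');
    }

    // open_fn: $savePath is session.save_path (the database name),
    // $name is session.name, used as the table name as the post suggests
    public function open(string $savePath, string $name): bool
    {
        // identifiers are interpolated into SQL, so allow only plain names
        if (!preg_match('/^[A-Za-z0-9_]+$/', $name)
            || !preg_match('/^[A-Za-z0-9_]+$/', $savePath)) {
            return false;
        }
        $this->table = $name;
        $this->db = new PDO(
            'mysql:host=localhost;dbname=' . $savePath,      // placeholder DSN
            'PLACEHOLDER_USER', 'PLACEHOLDER_PASSWORD',       // low-privilege account
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
        );
        return true;
    }

    public function close(): bool
    {
        $this->db = null;
        return true;
    }

    // read_fn: serialized data for $id, or '' if unknown or already expired
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare(
            "SELECT sessiondata FROM {$this->table} WHERE sessionid = ? AND expiration > ?"
        );
        $stmt->execute([$id, date('Y-m-d H:i:s')]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['sessiondata'];
    }

    // write_fn: store $data for $id and push the expiration forward
    public function write(string $id, string $data): bool
    {
        $expires = date('Y-m-d H:i:s', time() + $this->lifetime);
        $stmt = $this->db->prepare(
            "INSERT INTO {$this->table} (sessionid, expiration, sessiondata) VALUES (?, ?, ?)
             ON DUPLICATE KEY UPDATE expiration = VALUES(expiration),
                                     sessiondata = VALUES(sessiondata)"
        );
        return $stmt->execute([$id, $expires, $data]);
    }

    // destroy_fn: called by session_destroy() and session_regenerate_id(true)
    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare("DELETE FROM {$this->table} WHERE sessionid = ?");
        return $stmt->execute([$id]);
    }

    // gc_fn: remove every session whose expiration has passed
    public function gc(int $maxLifetime): int|false
    {
        $stmt = $this->db->prepare("DELETE FROM {$this->table} WHERE expiration < ?");
        $stmt->execute([date('Y-m-d H:i:s')]);
        return $stmt->rowCount();
    }
}

// Registration, equivalent to the php_value lines shown earlier
ini_set('session.save_path', 'dbname');        // placeholder database name
ini_set('session.name', 'session_data');       // also the table name
session_set_save_handler(new PdoSessionHandler(), true);
session_start();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
```

read() filters on the expiration column, so a row that garbage collection has not yet removed is still treated as absent once its time is up; gc() then only reclaims space.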
-- Continued in the next part


Friday, August 7, 2009

Php check File exists

When we are working with a directory structure we often need to check whether a file exists in a particular directory. In PHP we have the predefined function file_exists(), which checks the path and returns a Boolean. We can also check the extension of the selected file.
Here we may want only certain types of files to be listed, for example files whose name starts with "testing".

Below is an example which demonstrates the file_exists() function; if the file exists, it then checks the file extension condition.


<?php
//==========
// Configuration
//==========
$directory  = '/var/www/';  // folder path, with trailing slash
$lookingfor = 'testing';    // base name to look for

$flag = false;
$name = '';
$ext  = array( '.jpg', '.gif', '.png' );
foreach ( $ext as $extension )
{
    // test each candidate path in turn; the last match wins
    if ( file_exists( $directory . $lookingfor . $extension ) )
    {
        $flag = true;
        $name = $lookingfor . $extension;
    }
}

if ( $flag == true )
{
    echo 'found file!';
    //echo $name;
}
?>
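As an added example (not the original post's code), the function below generalises the lookup above to the case the series introduction mentions, where the name being looked for comes from the user: it strips directory components from the name, tries the allowed extensions, and confirms with realpath() that the matching file still lies inside the configured directory, so a name like ../../etc/passwd cannot escape it. It returns the first match rather than the last. The temporary directory and testing.png file are constructed so the script runs anywhere.

```php
<?php
// Added example, not from the original post: file lookup confined to one
// directory, with an extension whitelist.

/**
 * Return the real path of $name.$ext for the first allowed extension that
 * exists under $directory, or null. Nothing outside $directory is ever returned.
 */
function findAllowedFile(string $directory, string $name, array $extensions): ?string
{
    $base = realpath($directory);
    if ($base === false) {
        return null;                           // directory itself does not exist
    }
    // Drop any directory components: "../../etc/passwd" becomes "passwd"
    $name = basename($name);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    foreach ($extensions as $ext) {
        $candidate = $base . DIRECTORY_SEPARATOR . $name . $ext;
        if (!file_exists($candidate)) {
            continue;
        }
        // realpath() resolves symlinks; confirm the target is still under $base
        $real = realpath($candidate);
        if ($real !== false && strpos($real, $base . DIRECTORY_SEPARATOR) === 0) {
            return $real;
        }
    }
    return null;
}

// Demo on a constructed temporary directory
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lookup_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'testing.png', 'constructed sample');

var_dump(findAllowedFile($dir, 'testing', ['.jpg', '.gif', '.png']));   // path to testing.png
var_dump(findAllowedFile($dir, '../testing', ['.png']));                // same file: traversal stripped
var_dump(findAllowedFile($dir, 'missing', ['.jpg', '.gif', '.png']));   // NULL: no such file

unlink($dir . DIRECTORY_SEPARATOR . 'testing.png');
rmdir($dir);
```

The prefix check after realpath() is what catches a symlink inside the directory that points elsewhere; basename() alone only handles the textual ../ case.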


Saturday, July 18, 2009

php explode and implode

Explode
Returns an array of strings, each of which is a substring of string formed by splitting it on boundaries formed by the string delimiter.

Note: If delimiter is an empty string (""), explode() will return FALSE. If delimiter contains a value that is not contained in string and a negative limit is used, then an empty array will be returned. For any other limit, an array containing string will be returned.

Example:
<?php
// Example 1
$example = "test1 test2 test3 test4 test5 test6";
$pieces = explode(" ", $example);
echo $pieces[0]; // test1
echo $pieces[1]; // test2

// Example 2: a passwd-style line split into its seven fields
$data = "foo:*:1023:1000::/home/foo:/bin/sh";
list($user, $pass, $uid, $gid, $gecos, $home, $shell) = explode(":", $data);
echo $user; // foo
echo $pass; // *

?>

limit parameter examples

<?php
$str = 'one|two|three|four';

// positive limit: at most 2 elements, the last holding the rest of the string
print_r(explode('|', $str, 2));

// negative limit (since PHP 5.1): all elements except the last 1
print_r(explode('|', $str, -1));
?>

Output is
Array
(
[0] => one
[1] => two|three|four
)
Array
(
[0] => one
[1] => two
[2] => three
)


Implode
Returns a string containing a string representation of all the array elements in the same order, with the glue string between each element.

Note: implode() can, for historical reasons, accept its parameters in either order. For consistency with explode(), however, it may be less confusing to use the documented order of arguments.

Syntax:
string implode ( string $glue , array $pieces )
string implode ( array $pieces )

Example:

<?php
$array = array('lastname', 'email', 'phone');
$comma_separated = implode(",", $array);

echo $comma_separated; // lastname,email,phone

?>
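Here is an added example, not from the original post, that puts the limit parameter of explode() and the glue of implode() to practical use: it parses a block of "Name: value" header lines and rebuilds it. A limit of 2 splits each line on the first colon only, so values that themselves contain colons (a URL, a time) survive intact. The header block is constructed sample input.

```php
<?php
// Added example, not from the original post: explode() with a limit and
// implode() as a round trip over "name: value" lines.

/** Parse "Name: value" lines into a lowercase-keyed array. */
function parseHeaderBlock(string $block): array
{
    $headers = [];
    foreach (explode("\r\n", trim($block)) as $line) {
        if ($line === '' || strpos($line, ':') === false) {
            continue;                          // skip blank or malformed lines
        }
        // limit 2: everything after the first ':' is the value, colons included
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    return $headers;
}

/** Rebuild the block; implode() places the glue between elements only. */
function buildHeaderBlock(array $headers): string
{
    $lines = [];
    foreach ($headers as $name => $value) {
        $lines[] = $name . ': ' . $value;
    }
    return implode("\r\n", $lines) . "\r\n";
}

// Constructed sample input
$raw = "Host: example.com\r\n"
     . "Location: https://example.com/login?next=/a:b\r\n"
     . "Date: Tue, 18 Aug 2009 10:15:00 GMT\r\n";

$parsed = parseHeaderBlock($raw);
echo $parsed['location'], "\n";   // https://example.com/login?next=/a:b
echo buildHeaderBlock($parsed);
```

Without the limit, the Location line would be cut into three pieces and the list() assignment in Example 2 above would fail in the same way whenever a field contains the delimiter.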


Thursday, July 2, 2009

Advantages and disadvantages of PHP

What is PHP?
You will find the .php or .php3 file extension on some popular sites too. Let us see what this file extension is, which language it refers to, and what the main highlights of that language are.

Hypertext Preprocessor is the exact expansion of PHP, though it does not fit the letters exactly; the name has been adjusted by word of mouth and it is simply called PHP. PHP is a web scripting language. Let us look at some of the basic questions that come up about PHP.

Who Wrote PHP?
Rasmus wrote PHP. PHP started off accidentally: Rasmus was designing his web site and had planned to put a hit counter on it, so he decided to write one using a combination of Perl.

There were many enquiries about the script he used. From there it slowly improved and won the hearts of many programmers.

What type of scripting is PHP client or a server side?
PHP is a server-side scripting language. A server-side scripting language is one that executes the script on the server and serves the output as an HTML file; its main advantage is that it can interact with databases and perform all kinds of server manipulation directly. A server-side scripting language is responsible for handling the data filled into web forms anywhere on the net.

This is not the case for a client-side script. Some client-side scripting languages are JavaScript and VBScript, although there are exceptions where a client-side script can also be used for server-side scripting, to a limited extent.

Can I use PHP with HTML?
Sure, you can very well use HTML with PHP, just as with the other scripting languages. It is not compulsory to use PHP with HTML; you can very well produce output with PHP alone. But the output produced by PHP alone is not that attractive for display. By attractive, I mean the formatting.

Let us take an example. You have a server-side interaction with a database, which is used to manipulate and fetch a certain type of data based on a given query. If you display that data using PHP alone, the quality of the output, the font face, font colouring and display areas, is disturbed, and it is painful to locate and place the data. If HTML is used to present the data, the result looks gorgeous.

Can I Run PHP on the Windows Operating System?
You can very well run PHP on a Windows machine. PHP is a cross-platform language, which means PHP can run on various platforms such as Linux, Windows, etc. Your web server (PWS, IIS, Apache) can be configured to work with PHP.

Is it easy migrating from any other server side scripting languages to PHP?
If you are aware of programming concepts and how to apply logic, then you will find it fine to code in any programming language once you understand the syntax. At the same time, other scripting languages and PHP have virtually the same function methodology. The only thing that matters is your requirement: how you are going to apply the logic and code PHP to it.

The main hurdle while migrating is understanding the syntax. PHP's syntax is similar to the C language, so people with basic knowledge of C will find migrating, as well as the other aspects, an easy task.

I am new to programming, is it easy to learn PHP?
If you are completely new to programming then it is difficult to learn PHP, because you first need to learn programming concepts: an understanding of logic, and the ability to troubleshoot a program. If you happen to know at least one programming language, then it is very easy to learn PHP. PHP is pretty easy compared to other scripting languages.

What are the databases that support PHP?
PHP is very compatible with the MySQL and PostgreSQL databases. PHP can also be programmed to interact with any database, from a simple text file to DB2. It is believed that PHP interacting with a database has the highest performance, unlike the other scripting languages.

How fast is PHP compared with other scripting languages?
PHP is believed to be fast when compared with other programming languages because of its execution speed. In the case of large interactions with a database PHP really performs the interaction well. Today's major web sites have been migrating to PHP because of this performance.

PHP is open source. Will this work properly?
PHP is the only scripting language that has won the hearts of so many web servers, and it has been moving on enormously day by day. The main advantage of open source is that if there is a problem, that problem is shared by millions of programmers across the world. In the case of a licensed scripting language, it is limited to a small community.

As innovative ideas are studied by programmers across the world, new ideas are implemented then and there, making the language strong.

There is no problem in using PHP, which is open source.

I shall conclude by saying that all scripting languages have their own merits and demerits. So it is up to you to decide on a partial migration or a full migration.

What are the main Advantages of PHP?
Let us see some of the important advantages of PHP. There are a lot of advantages; compared with other scripting languages, some of the important highlights are as follows.

Speed

PHP is considered to be the fastest, as stated previously, when compared with other programming languages. You can really feel the speed when you implement it live over the web.

Normally when you try to connect to a database and fetch certain data, it takes time to connect to the database, execute the statement, and get the data across. When these operations are performed by PHP they are really faster when compared with other types of scripting languages, and not only when connecting to the database but also in other important applications.

Because of its high speed, PHP is being used for some important administrative tasks such as server administration over the web and mail functionality.

Open Source

PHP is open source. Open source means the user is given a free licence to remodel or recode PHP as they wish. You might wonder whether you can do these things without the source code. The answer is yes: the source code is shipped with PHP. It is open source, remember.

Multi Platform

PHP supports various platforms, which means PHP can be installed on almost every operating system, such as Windows, Linux, etc. You may choose the appropriate version and follow the instructions given in the manual.

Easy Syntax

PHP syntax is quite easy to code; all of the syntax is similar to C syntax. If you are very new to the programming environment then it will be a bit difficult for you to code PHP.

What are the main disadvantages of PHP?
Every language or scripting language has its own advantages and disadvantages. Likewise, PHP has some disadvantages of its own.

But these disadvantages can be overcome using workarounds.

Some people say a given one is a direct disadvantage, while others say it is an indirect disadvantage.

An indirect disadvantage means some aspects and functionalities in PHP cannot be completed using a direct function. This kind of disadvantage can be overcome using a workaround.

Let us take a simple example, say redirection. Writing a piece of code for the client side or the server side - in some scripting languages there is a single task to achieve this, a single function will do so. But in the case of PHP it is done indirectly.

One more disadvantage is error handling. It is believed that PHP has very poor error-handling qualities. Even this disadvantage can be overcome using a feasible workaround.

These are some of the disadvantages. Note again that these disadvantages can be overcome by using a workaround.

It is up to you to decide whether to migrate to or learn PHP.

PHP is great in terms of speed, which is the main factor people expect these days.
