Diving into php

Course lecture for Fast, Easy, Complicated, and Powerful Web
http://fecpw.phiffer.org/

Published in: Education, Technology
Transcript of "Diving into php"

1. Diving into PHP
   Fast, Easy, Complicated, and Powerful Web
   ITP, Spring 2011, section 1, session 1
   Dan Phiffer, dan@phiffer.org

2. Diving into PHP

3. A simple content management system
   1. Build a form for user input
   2. Store submissions in a database
   3. Retrieve submission data

4. Basic form

       <form action="basic-form.php">
         <input type="text" name="query" />
         <input type="submit" name="button" value="Kablooey" />
       </form>

5. Feedback

       <?php
       echo $_REQUEST["query"];
       ?>
       <form action="basic-form.php">
         <input type="text" name="query" />
         <input type="submit" name="button" value="Kablooey" />
       </form>

6. Feedback (same code as slide 5)

7. What's that 'notice' about?
   Same code as slide 5. On the first visit, before the form has been submitted, there is no "query" key in $_REQUEST, so echo $_REQUEST["query"] raises "Notice: Undefined index: query" (PHP 8 reports it as "Warning: Undefined array key").

8. Solution: check if it's set

       <?php
       if (isset($_REQUEST["query"])) {
         echo $_REQUEST["query"];
       }
       ?>
       <form action="basic-form.php">
         <input type="text" name="query" />
         <input type="submit" name="button" value="Kablooey" />
       </form>

9. Dynamic strings
   (The slide wrote $_REQUEST[query] without quotes around the key; PHP reads an unquoted key as a constant named query, which is undefined. The key must be quoted.)

       <?php
       if (isset($_REQUEST["query"])) {
         echo "<h1>You wrote: {$_REQUEST["query"]}</h1>";
       }
       ?>
       <form action="basic-form.php">
         <input type="text" name="query" />
         <input type="submit" name="button" value="Kablooey" />
       </form>

10. Try it out

11. Defining a new variable

       <?php
       $query = "";
       if (isset($_REQUEST["query"])) {
         $query = $_REQUEST["query"];
         echo "<h1>You wrote: $query</h1>";
       }
       ?>
       <form action="basic-form.php">
         <input type="text" name="query" value="<?php echo $query; ?>" />
         <input type="submit" name="button" value="Kablooey" />
       </form>

12. Step 1 complete!
13. Wait, this is bad

14. User types input...

15. Clicks away... arbitrary JavaScript execution!

16. We've been tricked into adding an 'onblur' attribute!
   The typed value contains a double quote, which closes the value="..." attribute in the form on slide 11; the rest of the value is then read by the browser as a new onblur="..." attribute, and that JavaScript runs as soon as the field loses focus.

17. Cross-site scripting (XSS)
   • A common security vulnerability
   • When content is unintentionally executed as code
   • We must handle user-submitted content very carefully

18. Dangers of XSS
   • Users' sessions could be hijacked
   • Passwords could be stolen
   • Your site could get spammed up
   • Puppies murdered, etc.

19. Escaping user input

       <?php
       $query = "";
       if (isset($_REQUEST["query"])) {
         // htmlentities() turns " into &quot; and < into &lt;, so the value
         // can neither close the attribute nor open a tag
         $query = htmlentities($_REQUEST["query"]);
         echo "<h1>You wrote: $query</h1>";
       }
       ?>
       <form action="basic-form.php">
         <input type="text" name="query" value="<?php echo $query; ?>" />
         <input type="submit" name="button" value="Kablooey" />
       </form>

   Escape at the point of output, for the context you are writing into: here that is HTML text (the h1) and a double-quoted HTML attribute, and the same escaping covers both.

20. Before & after escaping

21. Now we're really finished with step 1
   1. Build a form for user input
   2. Store submissions in a database
   3. Retrieve submission data
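The attribute breakout from slides 14-16 and the escaping from slide 19, as an added example that is not part of the original lecture. It renders the slide 11 form with a constructed attacker string, once raw and once escaped, and checks whether a new on* attribute appeared in the markup. The payload strings, the h() helper and the has_event_handler() check are this example's own. It also covers a caveat the slides do not: before PHP 8.1, htmlentities() defaulted to ENT_COMPAT, which escapes double quotes but leaves single quotes alone, so a single-quoted attribute stays injectable unless you pass ENT_QUOTES.

```php
<?php
// Added example; not code from the original slides. All inputs are constructed.

// The slide 14-16 trick for a double-quoted attribute: the leading " closes
// value="...", the remainder becomes a new onblur="..." attribute.
const PAYLOAD_DQ = '" onblur="alert(document.cookie)';

// The same trick aimed at a single-quoted attribute.
const PAYLOAD_SQ = "' onblur='alert(document.cookie)";

/** Escape for HTML text or attribute context; ENT_QUOTES handles both quote styles. */
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * The slide 11 form. $value is dropped in exactly as given, so the caller
 * decides whether and how it was escaped; $quote is the attribute's quote character.
 */
function render_form(string $value, string $quote = '"'): string {
    return '<form action="basic-form.php">' . "\n"
         . "  <input type=\"text\" name=\"query\" value={$quote}{$value}{$quote} />\n"
         . '  <input type="submit" name="button" value="Kablooey" />' . "\n"
         . '</form>' . "\n";
}

/** Did an on* event-handler attribute make it into the markup? */
function has_event_handler(string $html): bool {
    return (bool) preg_match('/\son[a-z]+\s*=\s*["\']/i', $html);
}

/** The same two payloads rendered four ways; only unescaped or under-escaped output leaks. */
function breakout_results(): array {
    return [
        'raw, double-quoted attribute'        => has_event_handler(render_form(PAYLOAD_DQ)),
        'ENT_QUOTES, double-quoted attribute' => has_event_handler(render_form(h(PAYLOAD_DQ))),
        // ENT_COMPAT is what htmlentities() used by default before PHP 8.1: " escaped, ' not
        'ENT_COMPAT, single-quoted attribute' => has_event_handler(
            render_form(htmlentities(PAYLOAD_SQ, ENT_COMPAT, 'UTF-8'), "'")),
        'ENT_QUOTES, single-quoted attribute' => has_event_handler(render_form(h(PAYLOAD_SQ), "'")),
    ];
}

foreach (breakout_results() as $case => $injected) {
    printf("%-38s %s\n", $case, $injected ? 'INJECTED' : 'safe');
}
```

Run with `php` on the command line: the raw case and the ENT_COMPAT case come back INJECTED, the two ENT_QUOTES cases come back safe. The same h() call is what you want for the h1 text context on slide 11 as well, since it also turns < into &lt; and so neutralises a pasted <script> tag.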
22. Adding a database

23. Relational databases
   • Tables with columns and rows of individual data cells
   • SQL is the language for working with relational databases
   • MySQL is the database platform used by WordPress

24. The four operations
   • Create new rows with INSERT
   • Read rows with SELECT
   • Update rows with UPDATE
   • Delete rows with DELETE
   • MySQL documentation

25. MySQL clients
   • Sequel Pro (Mac OS X)
   • SQLWave, SQLMaestro (Windows)
   • phpMyAdmin (web-based)
   • Or from the command-line: 'mysql'

26-37. Creating the table from the mysql command line. (The string literal on slide 36 was written without quotes; MySQL rejects it with a syntax error, so it is quoted here.)

       $ mysql -u root
       mysql> CREATE DATABASE
           -> tinydb CHARACTER SET utf8;
       mysql> USE tinydb;
       mysql> CREATE TABLE tinytable
           -> (id INTEGER PRIMARY KEY AUTO_INCREMENT);
       mysql> ALTER TABLE tinytable ADD COLUMN
           -> content TEXT;
       mysql> INSERT INTO tinytable
           -> (id, content)
           -> VALUES (1, 'Hello, world!');
       mysql> SELECT * FROM tinytable;

38. Let's build a tiny wiki!
39. A simple content management system (the three-step outline again)

40. A simple content management system (the three-step outline again)

41. Basic form

       <!DOCTYPE html>
       <html>
         <head>
           <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
           <title>Tiny wiki</title>
         </head>
         <body>
           <?php
           $content = ""; // We need to load the content!
           ?>
           <form action="tiny-wiki.php" method="post">
             <input type="text" name="content" value="<?php echo $content; ?>" />
             <input type="submit" value="Update" />
           </form>
         </body>
       </html>

42. Add a load function

       <?php
       $content = load_content();
       function load_content() {
         // Load content from the database
         return "";
       }
       ?>

43. Add a database function

       <?php
       $db = connect_to_database();
       $content = load_content($db);
       function load_content($db) {
         // Load content from the database
         return "";
       }
       function connect_to_database() {
         // Connect to the database
       }
       ?>

44. Connecting to the database

       function connect_to_database() {
         $host = "127.0.0.1";
         $port = 8889;    // MAMP's default MySQL port; a stock install uses 3306
         $user = "root";  // development-only credentials: a deployed app connects as
         $pass = "root";  // its own user with only the privileges it needs, never root
         $name = "tinydb";
         $dsn = "mysql:host=$host;port=$port;dbname=$name";
         return new PDO($dsn, $user, $pass);
       }

45. Querying the database

       function load_content($db) {
         $sql = "SELECT * FROM tinytable ORDER BY id DESC";
         $query = $db->query($sql);
         $results = $query->fetchAll();
         if (empty($results)) {
           return "";  // nothing saved yet, so $results[0] would not exist
         }
         $row = $results[0];
         return $row["content"];
       }

46. tiny-wiki.php
   (The slide's $row[content] is the same unquoted-key mistake as on slide 9; the key is quoted here.)

       <?php
       $db = connect_to_database();
       $content = load_content($db);

       function load_content($db) {
         $sql = "SELECT * FROM tinytable ORDER BY id DESC";
         $query = $db->query($sql);
         $results = $query->fetchAll();
         if (empty($results)) {
           return "";
         }
         $row = $results[0];
         return $row["content"];
       }

       function connect_to_database() {
         $host = "127.0.0.1";
         $port = 8889;
         $user = "root";
         $pass = "root";
         $name = "tinydb";
         $dsn = "mysql:host=$host;port=$port;dbname=$name";
         return new PDO($dsn, $user, $pass);
       }
       ?>
       <form action="tiny-wiki.php" method="post">
         <input type="text" name="content" value="<?php echo $content; ?>" />
         <input type="submit" value="Update" />
       </form>

47. Result

48. A simple content management system (the three-step outline again)
49. Core logic

       <?php
       $db = connect_to_database();
       $content = load_content($db);
       if (!empty($_REQUEST["content"])) {
         save_content($db, $_REQUEST["content"]);
         $content = htmlentities($_REQUEST["content"]);
       }
       ?>

50. Saving the content
   (Slide 49 calls save_content($db, ...), but the slide declared it with a single parameter and used $db without it being in scope; the signature is corrected here. The string building is left exactly as the lecture wrote it, because it is the bug the next slides explain.)

       function save_content($db, $content) {
         // $content is pasted straight into the SQL text: this is the problem
         $sql = "INSERT INTO tinytable (content)
                 VALUES ($content)";
         $db->query($sql);
       }

51. Save the content

52. A simple content management system (the three-step outline again)

53. Wait, this is bad

54-55. How does it work?

       $content = "); drop table tinytable; --";
       $sql = "INSERT INTO tinytable (content)
               VALUES ($content)";
       // Result (-- starts a comment in SQL):
       // "INSERT INTO tinytable (content)
       // VALUES (); drop table tinytable; --)"

   Whether a given payload actually gets a second statement executed depends on the driver and on whether it allows several statements per call; the point is that the user now writes part of your SQL.

56. SQL injection
   • Another security vulnerability, similar to cross site scripting
   • When user data is unintentionally executed as SQL
   • Escaping works here also (also, prepared statements)

57. Escape the user input

       function save_content($db, $content) {
         // PDO::quote() escapes the value and wraps it in single quotes,
         // so the database can only ever read it as one string literal
         $content = $db->quote($content);
         $sql = "INSERT INTO tinytable (content)
                 VALUES ($content)";
         $db->exec($sql);
       }

   Two corrections to the slide: it passed array($content) as a second argument to $db->query(), but PDO::query() takes no parameter array (that is what prepare()/execute() are for), and its comment "no more single quotes" is backwards, since quote() adds the surrounding single quotes and escapes any inside the value. One gap remains: the content that load_content() reads back is still echoed unescaped into the form on slide 46, so a stored payload runs when the page is reloaded. Escape it on output with htmlentities() exactly as on slide 49.
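The prepared-statement route that slide 56 mentions in passing, as an added example; this is not the lecture's own tiny-wiki.php. It assumes a dedicated MySQL user named tinywiki whose password arrives in the TINYWIKI_DB_PASS environment variable (both names chosen for this example); host, port, database and table names and the form follow the slides. Beyond slide 57 it also escapes the content read back from the database before putting it into the form, accepts the form only by POST, turns PDO errors into exceptions instead of silent false returns, and copes with an empty table.

```php
<?php
// Added example, not the original slides' code. Assumed: MySQL user "tinywiki"
// exists and its password is in the TINYWIKI_DB_PASS environment variable.

function connect_to_database(): PDO {
    $host = "127.0.0.1";
    $port = 8889;                       // MAMP's default; 3306 for a stock install
    $name = "tinydb";
    $user = "tinywiki";                 // assumed least-privilege user, not root
    $pass = getenv("TINYWIKI_DB_PASS") ?: "";
    // charset=utf8 matches the CHARACTER SET chosen on slide 28
    $dsn  = "mysql:host=$host;port=$port;dbname=$name;charset=utf8";
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly
        PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/** Newest row's content, or "" when the table is empty (slide 45 indexed $results[0] blindly). */
function load_content(PDO $db): string {
    $stmt = $db->query("SELECT content FROM tinytable ORDER BY id DESC LIMIT 1");
    $content = $stmt->fetchColumn();    // false when there are no rows
    return $content === false ? "" : (string) $content;
}

/** Parameterised insert: $content travels to the server as data, never as SQL text. */
function save_content(PDO $db, string $content): void {
    $stmt = $db->prepare("INSERT INTO tinytable (content) VALUES (:content)");
    $stmt->execute([":content" => $content]);
}

/** HTML-escape for both text and attribute context. */
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
}

$db = connect_to_database();

// Only accept the form's own method; $_REQUEST would also honour a ?content=... link.
$method = $_SERVER["REQUEST_METHOD"] ?? "GET";
if ($method === "POST" && isset($_POST["content"]) && $_POST["content"] !== "") {
    save_content($db, $_POST["content"]);
}
// Always read back from the database and escape whatever came out of it:
// the slide 55 payload is stored as plain text and shown as plain text.
$content = load_content($db);
?>
<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8" />
    <title>Tiny wiki</title>
  </head>
  <body>
    <form action="tiny-wiki.php" method="post">
      <input type="text" name="content" value="<?php echo h($content); ?>" />
      <input type="submit" value="Update" />
    </form>
  </body>
</html>
```

Create the assumed user with only what the page needs, for example `CREATE USER 'tinywiki'@'localhost' IDENTIFIED BY '...';` followed by `GRANT SELECT, INSERT ON tinydb.tinytable TO 'tinywiki'@'localhost';`, so that even a successful injection elsewhere cannot DROP TABLE. A bound parameter is preferable to slide 57's quote() because it never enters the SQL text at all, so nothing depends on the escaping and the connection charset agreeing with each other.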
58. Done!
   • Download the files
   • Try running the tiny wiki on your own local Apache/MySQL/PHP
   • Get familiar with the PHP manual