Diving into PHP
Course lecture for Fast, Easy, Complicated, and Powerful Web
http://fecpw.phiffer.org/

Published in: Education, Technology

Transcript

  • 1. Diving into PHP. Fast, Easy, Complicated, and Powerful Web. ITP, Spring 2011, section 1, session 1. Dan Phiffer, dan@phiffer.org
  • 2. Diving into PHP
  • 3. A simple content management system
    1. Build a form for user input
    2. Store submissions in a database
    3. Retrieve submission data
  • 4. Basic form
    <form action="basic-form.php">
      <input type="text" name="query" />
      <input type="submit" name="button" value="Kablooey" />
    </form>
  • 5. Feedback
    <?php
    echo $_REQUEST["query"];
    ?>
    <form action="basic-form.php">
      <input type="text" name="query" />
      <input type="submit" name="button" value="Kablooey" />
    </form>
  • 6. Feedback (same code as slide 5)
  • 7. What’s that ‘notice’ about? (same code as slide 5)
  • 8. Solution: check if it’s set
    <?php
    if (isset($_REQUEST["query"])) {
      echo $_REQUEST["query"];
    }
    ?>
    <form action="basic-form.php">
      <input type="text" name="query" />
      <input type="submit" name="button" value="Kablooey" />
    </form>
  • 9. Dynamic strings
    <?php
    // The array key must be a quoted string: $_REQUEST[query] is an undefined constant
    if (isset($_REQUEST["query"])) {
      echo "<h1>You wrote: {$_REQUEST["query"]}</h1>";
    }
    ?>
    <form action="basic-form.php">
      <input type="text" name="query" />
      <input type="submit" name="button" value="Kablooey" />
    </form>
  • 10. Try it out
  • 11. Defining a new variable
    <?php
    $query = "";
    if (isset($_REQUEST["query"])) {
      $query = $_REQUEST["query"];
      echo "<h1>You wrote: $query</h1>";
    }
    ?>
    <form action="basic-form.php">
      <input type="text" name="query" value="<?php echo $query; ?>" />
      <input type="submit" name="button" value="Kablooey" />
    </form>
  • 12. Step 1 complete!
  • 13. Wait, this is bad
  • 14. User types input...
  • 15. Clicks away... arbitrary JavaScript execution!
  • 16. We’ve been tricked into adding an ‘onblur’ attribute!
  • 17. Cross-site scripting (XSS)
    • A common security vulnerability
    • When content is unintentionally executed as code
    • We must handle user-submitted content very carefully
  • 18. Dangers of XSS
    • Users’ sessions could be hijacked
    • Passwords could be stolen
    • Your site could get spammed up
    • Puppies murdered, etc.
  • 19. Escaping user input
    <?php
    $query = "";
    if (isset($_REQUEST["query"])) {
      // htmlentities() turns " into &quot;
      $query = htmlentities($_REQUEST["query"]);
      echo "<h1>You wrote: $query</h1>";
    }
    ?>
    <form action="basic-form.php">
      <input type="text" name="query" value="<?php echo $query; ?>" />
      <input type="submit" name="button" value="Kablooey" />
    </form>
  • 20. Before & after escaping
  • 21. Now we’re really finished with step 1
    1. Build a form for user input
    2. Store submissions in a database
    3. Retrieve submission data
  • 22. Adding a database
  • 23. Relational databases
    • Tables with columns and rows of individual data cells
    • SQL is the language for working with relational databases
    • MySQL is the database platform used by WordPress
  • 24. The four operations
    • Create new rows with INSERT
    • Read rows with SELECT
    • Update rows with UPDATE
    • Delete rows with DELETE
    • MySQL documentation
  • 25. MySQL clients
    • Sequel Pro (Mac OS X)
    • SQLWave, SQLMaestro (Windows)
    • phpMyAdmin (web-based)
    • Or from the command-line: ‘mysql’
  • 26. $ mysql -u root
  • 27. mysql> CREATE DATABASE
  • 28. -> tinydb CHARACTER SET utf8;
  • 29. mysql> USE tinydb;
  • 30. mysql> CREATE TABLE tinytable
  • 31. -> (id INTEGER PRIMARY KEY AUTO_INCREMENT);
  • 32. mysql> ALTER TABLE tinytable ADD COLUMN
  • 33. -> content TEXT;
  • 34. mysql> INSERT INTO tinytable
  • 35. -> (id, content)
  • 36. -> VALUES (1, 'Hello, world!');
  • 37. mysql> SELECT * FROM tinytable;
  • 38. Let’s build a tiny wiki!
  • 39. A simple content management system
    1. Build a form for user input
    2. Store submissions in a database
    3. Retrieve submission data
  • 40. A simple content management system (same list as slide 39)
  • 41. Basic form
    <!DOCTYPE html>
    <html>
      <head>
        <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
        <title>Tiny wiki</title>
      </head>
      <body>
        <?php
        $content = ""; // We need to load the content!
        ?>
        <form action="tiny-wiki.php" method="post">
          <input type="text" name="content" value="<?php echo $content; ?>" />
          <input type="submit" value="Update" />
        </form>
      </body>
    </html>
  • 42. Add a load function
    <?php
    $content = load_content();
    function load_content() {
      // Load content from the database
      return "";
    }
    ?>
  • 43. Add a database function
    <?php
    $db = connect_to_database();
    $content = load_content($db);
    function load_content($db) {
      // Load content from the database
      return "";
    }
    function connect_to_database() {
      // Connect to the database
    }
    ?>
  • 44. Connecting to the database
    function connect_to_database() {
      $host = "127.0.0.1";
      $port = 8889;
      $user = "root";
      $pass = "root";
      $name = "tinydb";
      $dsn = "mysql:host=$host;port=$port;dbname=$name";
      return new PDO($dsn, $user, $pass);
    }
  • 45. Querying the database
    function load_content($db) {
      $sql = "SELECT * FROM tinytable ORDER BY id DESC";
      $query = $db->query($sql);
      $results = $query->fetchAll();
      if (empty($results)) {
        return ""; // nothing saved yet
      }
      $row = $results[0]; // newest row
      return $row["content"];
    }
  • 46. tiny-wiki.php
    <?php
    $db = connect_to_database();
    $content = load_content($db);
    function load_content($db) {
      $sql = "SELECT * FROM tinytable ORDER BY id DESC";
      $query = $db->query($sql);
      $results = $query->fetchAll();
      if (empty($results)) {
        return ""; // nothing saved yet
      }
      $row = $results[0]; // newest row
      return $row["content"];
    }
    function connect_to_database() {
      $host = "127.0.0.1";
      $port = 8889;
      $user = "root";
      $pass = "root";
      $name = "tinydb";
      $dsn = "mysql:host=$host;port=$port;dbname=$name";
      return new PDO($dsn, $user, $pass);
    }
    ?>
    <form action="tiny-wiki.php" method="post">
      <input type="text" name="content" value="<?php echo $content; ?>" />
      <input type="submit" value="Update" />
    </form>
  • 47. Result
  • 48. A simple content management system
    1. Build a form for user input
    2. Store submissions in a database
    3. Retrieve submission data
  • 49. Core logic
    <?php
    $db = connect_to_database();
    $content = load_content($db);
    if (!empty($_REQUEST["content"])) {
      save_content($db, $_REQUEST["content"]);
      $content = htmlentities($_REQUEST["content"]);
    }
    ?>
  • 50. Saving the content
    function save_content($db, $content) {
      // $content is pasted straight into the SQL text (this is the problem shown on slide 54)
      $sql = "INSERT INTO tinytable (content) VALUES ($content)";
      $db->query($sql);
    }
  • 51. Save the content
  • 52. A simple content management system
    1. Build a form for user input
    2. Store submissions in a database
    3. Retrieve submission data
  • 53. Wait, this is bad
  • 54. How does it work?
    $content = "); drop table tinytable; --";
    $sql = "INSERT INTO tinytable (content) VALUES ($content)";
  • 55. How does it work?
    $content = "); drop table tinytable; --";
    $sql = "INSERT INTO tinytable (content) VALUES ($content)";
    // Result: (-- is a comment in SQL)
    // "INSERT INTO tinytable (content)
    //  VALUES (); drop table tinytable; --)
  • 56. SQL injection
    • Another security vulnerability, similar to cross-site scripting
    • When user data is unintentionally executed as SQL
    • Escaping works here also (also, prepared statements)
  • 57. Escape the user input
    function save_content($db, $content) {
      // PDO::quote() escapes the value and wraps it in single quotes,
      // so the SQL no longer needs its own quotes around $content
      $content = $db->quote($content);
      $sql = "INSERT INTO tinytable (content) VALUES ($content)";
      $db->query($sql);
    }
  • 58. Done!
    • Download the files
    • Try running the tiny wiki on your own local Apache/MySQL/PHP
    • Get familiar with the PHP manual
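Added example, not from the slides or the course files: the tiny wiki's save and load path from slides 49, 50 and 57 rewritten with the prepared statements slide 56 mentions, plus the output escaping of slide 19 with ENT_QUOTES. It assumes an in-memory SQLite database in place of MySQL so it runs without a server, and feeds in the payload from slide 54 together with a constructed attribute-breaking input to show both stay inert.

```php
<?php
// Added example (not the slides' code). Assumption: SQLite in memory stands in
// for the MySQL tinydb so the script runs stand-alone.
declare(strict_types=1);

function connect_to_database(): PDO {
    $db = new PDO("sqlite::memory:");
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same table shape as slides 30-33 (AUTOINCREMENT is SQLite's spelling).
    $db->exec("CREATE TABLE tinytable (id INTEGER PRIMARY KEY AUTOINCREMENT, content TEXT)");
    return $db;
}

// Step 2: the value travels as a bound parameter, never as part of the SQL text,
// so "); drop table tinytable; --" is just a string the database stores.
function save_content(PDO $db, string $content): void {
    $stmt = $db->prepare("INSERT INTO tinytable (content) VALUES (:content)");
    $stmt->execute([":content" => $content]);
}

// Step 3: newest row wins; an empty table yields "" instead of a notice.
function load_content(PDO $db): string {
    $stmt = $db->query("SELECT content FROM tinytable ORDER BY id DESC LIMIT 1");
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? "" : $row["content"];
}

// Step 1 output: ENT_QUOTES escapes both quote styles, so the value cannot
// close the value="..." attribute and smuggle in an onblur handler.
function escape_html(string $text): string {
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
}

$db = connect_to_database();
assert(load_content($db) === "");

// Constructed inputs: the slide 54 payload and an attribute-breaking one.
$sqlPayload = "); drop table tinytable; --";
save_content($db, $sqlPayload);
assert(load_content($db) === $sqlPayload);                                  // stored literally
assert((int) $db->query("SELECT COUNT(*) FROM tinytable")->fetchColumn() === 1); // table survived

$xssPayload = '" onblur="alert(1)';
save_content($db, $xssPayload);
$attr = escape_html(load_content($db));
assert(strpos($attr, 'onblur="') === false);        // the quote became &quot;
echo '<input type="text" name="content" value="' . $attr . '" />', "\n";
```

Run it with `php -d zend.assertions=1 tiny-wiki-safe.php` (a file name chosen here) so the assertions are evaluated; the printed input tag shows the escaped value sitting harmlessly inside the attribute.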