Basic web development in php


A presentation with an accompanying example app to help beginners start building basic web applications. The example does not need a web or database server but can be used to display a web page and save data. Basic tenets for protecting a PHP web application from HTML injection, cross-site scripting, and SQL injection are covered in the slides and the example. The accompanying example application is heavily commented to help with understanding why certain actions are taken.


  1. Build better code

  2. Who Am I?
     Adam Englander @adam_englander
     • DirectEdge Brands Director of Software Development
     • Coupla CTO
     • Founder/Organizer of Las Vegas PHP Users Group
     • Co-Organizer of Las Vegas Developers Users Group
     • #VegasTech Enthusiast

  3. Overview
     In this presentation you will learn how to build a web page that does the following:
     • Interacts with the user via HTML forms
     • Stores data in a database
     • Displays data stored in a database
     • Handles errors properly
     • Prevents injection attacks
     • Runs without installing a web server

  4. Interacting with Users via Forms
     • Use the "post" method in your forms
     • Post data is accessible via the $_POST superglobal variable
     • Validate submitted data
     • Use htmlentities() when echoing form data back into the page to prevent HTML injection and cross-site scripting (XSS)
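The points on slide 4 put together in one page, as an added example that is not the presentation's own code: a form submitted with the "post" method, validation of $_POST, and htmlentities() applied to every value written back into the HTML. The field names (name, email) and the 64-character limit are assumptions.

```php
<?php
// Added example (not from the presentation): a "post" form with validation
// and htmlentities() escaping. Field names and limits are assumptions.
declare(strict_types=1);

/**
 * Validate the submitted fields. Returns error messages keyed by field name;
 * an empty array means the input is acceptable.
 */
function validateRegistration(array $post): array
{
    $errors = [];
    $name  = trim((string)($post['name'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));

    if ($name === '' || mb_strlen($name) > 64) {
        $errors['name'] = 'Name is required and must be at most 64 characters.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid email address is required.';
    }
    return $errors;
}

/** Escape a value for safe placement inside HTML text or a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES also encodes single quotes, so the value is safe inside
    // attributes delimited by either quote character.
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$errors = [];
$name   = '';
$email  = '';

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $errors = validateRegistration($_POST);
    $name   = trim((string)($_POST['name'] ?? ''));
    $email  = trim((string)($_POST['email'] ?? ''));
    if ($errors === []) {
        // The storage layer would receive $name and $email here; redirecting
        // after a successful post prevents a refresh from re-submitting it.
        header('Location: ' . $_SERVER['PHP_SELF'] . '?saved=1');
        exit;
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Register</title></head>
<body>
<?php foreach ($errors as $message): ?>
  <p class="error"><?= e($message) ?></p>
<?php endforeach; ?>
<form method="post" action="">
  <!-- The submitted values are echoed back through e(), so a value containing
       quotes or angle brackets is displayed as text, not interpreted as markup. -->
  <label>Name <input type="text" name="name" value="<?= e($name) ?>"></label>
  <label>Email <input type="email" name="email" value="<?= e($email) ?>"></label>
  <button type="submit">Register</button>
</form>
</body>
</html>
```

Note that validation and escaping are separate defenses: validation limits what is accepted and stored, while e() protects the page at the point where the data is written into HTML, which is the context htmlentities() is designed for.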
  5. Storing Data in a Database
     • Use PDO when possible
       – Plenty of tutorials and examples
       – Allows for prepared statements to prevent SQL injection
       – Saves memory with result cursors
       – Allows use of multiple back-ends
     • Use prepared statements to prevent SQL injection attacks
     • Use exception error mode for ease of error handling

  6. Displaying Data Stored in a Database
     • Use PDO – see last slide
     • Loop with fetch() instead of fetchAll() to save on memory
     • If you are filtering data, use prepared statements and bind the filter value to prevent SQL injection attacks
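Slides 5 and 6 together, as an added example that is not the presentation's own code: PDO in exception error mode, an insert through a prepared statement with bound values, and a filtered select that binds the user-supplied filter and iterates with fetch() instead of fetchAll(). It uses an in-memory SQLite database so it runs without a database server; this assumes the pdo_sqlite extension is present, and the guests table is an assumption.

```php
<?php
// Added example (not from the presentation): PDO with exception mode,
// prepared statements, and a fetch() loop. Assumes the pdo_sqlite extension.
declare(strict_types=1);

function openDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Exception mode: every failure throws a PDOException instead of silently
    // returning false, so one try/catch covers all database calls.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE guests (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');
    return $pdo;
}

/** Insert one guest. The values are bound; they are never concatenated into the SQL. */
function addGuest(PDO $pdo, string $name, string $email): int
{
    $stmt = $pdo->prepare('INSERT INTO guests (name, email) VALUES (:name, :email)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return (int)$pdo->lastInsertId();
}

/**
 * Yield guests whose name contains the filter. The filter is bound as a
 * parameter, and rows are returned one at a time via fetch() so the whole
 * result set is never held in memory at once.
 */
function findGuests(PDO $pdo, string $nameFilter): Generator
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM guests WHERE name LIKE :pattern ORDER BY id');
    $stmt->bindValue(':pattern', '%' . $nameFilter . '%', PDO::PARAM_STR);
    $stmt->execute();
    while (($row = $stmt->fetch(PDO::FETCH_ASSOC)) !== false) {
        yield $row;
    }
}

$pdo = openDatabase();
addGuest($pdo, 'Ada Lovelace', 'ada@example.com');
addGuest($pdo, "O'Brien", 'obrien@example.com');   // the quote is stored as data

// A filter containing a quote is matched literally, because it travels to the
// database as a bound parameter rather than as part of the SQL text.
foreach (findGuests($pdo, "O'") as $guest) {
    printf("%d: %s <%s>\n", $guest['id'], $guest['name'], $guest['email']);
}
```

Binding protects the structure of the query, not its semantics: the % and _ characters in a LIKE filter are still wildcards, so if an exact match is intended they should be escaped or a plain equality comparison used instead.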
  7. Handle Errors Properly
     • Turn off error display to the user
     • Use try/catch exception handling to reduce complexity
     • Show the user a generic error message that can be traced back to the error logs
     • Place as much data as possible in the error logs without risking exposing secret or private data
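The four points on slide 7 in code, as an added example that is not the presentation's own: error display is switched off, a single try/catch wraps the action, the full detail goes to the error log under a random reference id, and the user sees only a generic message carrying that id. The runSafely() helper and the simulated failure are assumptions.

```php
<?php
// Added example (not from the presentation): hide errors from the user, log
// the detail, and show a generic message with a reference id.
declare(strict_types=1);

// Never render raw errors to the browser; route them to the log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

/**
 * Run an application action. On failure, log class, message, location and
 * stack trace under a random reference id and return a generic message that
 * carries only that id, so support can find the log entry without the user
 * ever seeing internal detail.
 */
function runSafely(callable $action): string
{
    try {
        return $action();
    } catch (Throwable $e) {
        $ref = bin2hex(random_bytes(8));
        // Keep secrets (passwords, connection strings, session tokens) out of
        // the log line; the exception's own message and trace are usually enough.
        error_log(sprintf(
            "[ref %s] %s: %s in %s:%d\n%s",
            $ref,
            get_class($e),
            $e->getMessage(),
            $e->getFile(),
            $e->getLine(),
            $e->getTraceAsString()
        ));
        return "Something went wrong. Please contact support and quote reference $ref.";
    }
}

echo runSafely(function (): string {
    // Simulated failure standing in for, e.g., a PDOException from a database call.
    throw new RuntimeException('simulated database failure');
}), PHP_EOL;
```

One caveat on the last bullet: the message of an exception thrown by the PDO constructor can include the host and user name from the DSN, so the log it lands in must itself be treated as private.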
  8. Prevent Injection Attacks
     • Use prepared statements with binding to prevent SQL injection
     • Validate input data to prevent malicious data being stored or shown to the user
     • Use htmlentities() to encode HTML and prevent HTML injection and cross-site scripting (XSS)

  9. Run a PHP Web App Without Installing a Separate Web Server
     • As of PHP 5.4, PHP has a built-in web server
     • Provides a simple way of building, testing, and debugging a web application without installing a lot of infrastructure
     • The built-in web server SHOULD NOT be used for a live application

  10. Let's See an Example in Action
     A sample application that provides a registration book of sorts is available to download/checkout on my Github account: Download the zip or clone the repository to see a heavily commented example of how to accomplish the items in these slides.