MakeWebGames

Basic/Moderate PHP


oxidati0n


Here are some things many of you developers should generally keep in mind when developing PHP.

1. Never ever allow an unprotected {$_POST} to interfere with your database; it's just the common exploit for MySQL/PHP.

Two PHP functions you should look into to secure your PHP are addslashes() and mysql_real_escape_string(). Well, that would personally keep you safe as a starter.

2. SEO links within a PHP file

Example: http://www.yourwebsite.com/index.php/Your_Account

Note: you could possibly include .html at the end to make it even more SEO'd :)

 

<?php
/* oxi */
// PHP_SELF carries everything after the script name (e.g. /index.php/Your_Account),
// so the last segment that is not the script itself is taken as the page name.
$s = $_SERVER['PHP_SELF'];
$p = explode('/', $s);
$page_name = '';
foreach ($p as $str) {
    // eregi() was removed in PHP 7; a case-insensitive substring check does the same job here.
    if ($str !== '' && stripos($str, '.php') === false) {
        $page_name = $str;
    }
}

if ($page_name == "Your_Account")
{
    print "Hey";
}
?>

 

3. Having standalone links

Example: http://www.yourwebsite.com/index.php?Your_Account

 

<?php
if(isset($_GET['Your_Account']))
{
print "Hey.";
}
?>

 

4. Setting cookies

<?php
if (isset($_POST['username']) && $_POST['username'] !== '')
{
    // The expiry must be in the future; time() - 60*60*24 is in the past and deletes the cookie.
    // The last argument marks the cookie HttpOnly so client-side script cannot read it.
    setcookie("username", $_POST['username'], time() + 60*60*24, "/", "", false, true);
}

if (isset($_COOKIE['username']))
{
    // The cookie value comes from the client, so escape it before printing it back.
    print "Yay - We grabbed your cookie (No, we didn't rob your house) - " . htmlspecialchars($_COOKIE['username'], ENT_QUOTES, 'UTF-8');
}
?>

 

Misc.

htmlentities() - Changes HTML tags into an html-incompatible format, e.g. < into &lt;

html_entity_decode() - Reverse of the above.

mysql_ping() - Notifies you if there is a MySQL connection.

mysql_fetch_assoc() - Basically mysql_fetch_array($result, MYSQL_ASSOC);

mysql_pconnect() - Runs a concurrent connection (cannot be stopped .. it's persistent - Not even mysql_close() can stop the connection).

Some risky functions:

eval() - Allows PHP coding to be executed.

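As an added example (not code from the thread or from oxidati0n), here is the path-style routing from item 2 and the bare query flag from item 3 done against a whitelist, so that the client-controlled $_SERVER values only ever select a known page name and are escaped before being echoed. The route table, the page names and the requests at the bottom are made up for the demonstration.

```php
<?php
// Added example (not from the thread). A whitelist router for the two URL styles
// discussed above: /index.php/Your_Account[.html] (PATH_INFO) and /index.php?Your_Account
// (bare query flag). The route table and page names are hypothetical.

declare(strict_types=1);

/** Pages this script is willing to serve. Anything else becomes a 404. */
const ROUTES = [
    'Home'         => 'Welcome home',
    'Your_Account' => 'Hey',
    'Inbox'        => 'Your inbox',
];

/**
 * Resolve the requested page name, or null for "not found".
 *
 * $pathInfo is $_SERVER['PATH_INFO'] (the part after index.php, e.g. "/Your_Account.html";
 * null when absent) and $queryString is $_SERVER['QUERY_STRING'] (e.g. "Your_Account").
 * Both are client input, so the only thing returned is a key of $routes, never the raw text.
 */
function resolve_page(?string $pathInfo, string $queryString, array $routes): ?string
{
    if ($pathInfo !== null && $pathInfo !== '') {
        // Only the first segment names the page; strip an optional .html suffix.
        $segments  = explode('/', trim($pathInfo, '/'));
        $candidate = preg_replace('/\.html$/', '', $segments[0]);
    } else {
        // "?Your_Account" arrives as $_GET['Your_Account'] === '' (isset() true, empty()
        // also true), so take the first key from the raw query string instead.
        parse_str($queryString, $params);
        $keys      = array_keys($params);
        $candidate = isset($keys[0]) ? (string) $keys[0] : null;
    }

    if ($candidate === null) {
        return null;
    }
    // Syntax check before the lookup: letters, digits and underscore only, bounded length.
    // This rejects "..", slashes, quotes and anything that could be reflected as markup.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $candidate)) {
        return null;
    }
    return array_key_exists($candidate, $routes) ? $candidate : null;
}

// Constructed requests in the shape the web server hands them to PHP.
$requests = [
    ['/Your_Account',                 ''],
    ['/Your_Account.html',            ''],
    [null,                            'Your_Account'],
    [null,                            'Admin'],        // not in the whitelist
    ['/../../etc/passwd',             ''],             // traversal attempt
    ['/"><script>alert(1)</script>',  ''],             // would be reflected via PHP_SELF
];

foreach ($requests as [$pathInfo, $queryString]) {
    $page  = resolve_page($pathInfo, $queryString, ROUTES);
    $shown = $pathInfo ?? '?' . $queryString;
    // Anything derived from PHP_SELF / PATH_INFO / QUERY_STRING is escaped before output.
    printf("%-36s -> %s\n",
        htmlspecialchars($shown, ENT_QUOTES, 'UTF-8'),
        $page === null ? '404' : ROUTES[$page]);
}
```

The first three requests resolve to a whitelist entry; the other three come back as 404 without any of their text reaching the page. The reason for the strict check is that $_SERVER['PHP_SELF'] includes the PATH_INFO part, so a request like /index.php/"><script>... lands inside anything that echoes PHP_SELF unescaped (a form action, for instance). Apache passes the trailing path segment to PHP as PATH_INFO without mod_rewrite; other servers need their own equivalent configured.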

Guest Anonymous

Re: Basic/Moderate PHP

I think you mean stripslashes btw.

and using persistent connections is fine, but you will run out of file handles very quickly unless you really understand how pconnect works.


Re: Basic/Moderate PHP

I'd hate to argue with you, but some of the content posted above is invalid.

Method one: addslashes() is almost the same as magic_quotes; magic_quotes is just automatically executed on the superglobal variables.

Since PHP6 this has been removed, for the obvious reason that not everyone wants obfuscated strings by default.

With method two, the SEO, that is technically speaking incorrect; faking static pages will give you a better PageRank.

This does require mod_rewrite on an apache system, unless you want to use something else.

Method three: the $_GET variable needs a parameter and value to return true in your if statement.

<?php

// sample page: http://www.example.com/page.php?sub_page
if (empty($_GET['sub_page'])) { // since sub_page doesn't have any value...
   echo 'Invalid'; // it fails
}

// whereas
// sample page: http://www.example.com/page.php?sub_page=value
if (!empty($_GET['sub_page'])) { // since the array key holds a value...
   echo 'You have successfully requested value'; // this is reached
}

?>

 

To make this work correctly and as expected, you need to utilize the QUERY_STRING key located within the $_SERVER array.

<?php

// sample page: http://www.example.com/page.php?sub_page
if (!empty($_SERVER['QUERY_STRING'])) {
   echo 'This is the correct way.';
}

?>

Re: Basic/Moderate PHP

 

I'd hate to argue with you, but some of the contents posted above is invalid.

You're not arguing, you're just talking. lol.

I am quite familiar with the Google Algorithm and how it works, and I know one thing of many: a large majority of the pages Google picks up do not collect URLs which have ?.

Though they still do, it does really depend on how long your webpage is. Non-static pages have higher chances of either not being indexed or having an incomplete URL, which leads to a page that loads as an invalid page for many. If you don't use anything relative to $_GET then you're OK, but there's more of a chance you would. The URL is also more friendly.

What's more memorable?

http://www.yourmyspace.com/profile.php?username=oxi

http://www.yourmyspace.com/profile.php/oxi.html

It might "just" be a little URL, but the easier you make it for your visitors, the more familiar your visitors will be with how the URL/URI works - like Myspace. They use http://www.myspace.com/yournamehere, not http://www.myspace.com/profile.php?name=yournamehere. Simple - because it's memorable. Whereas Facebook does, which is why they suck at SEO. They can't change it, as Google has indexed it all and it would screw up all of the search engine traffic - thanks to Mark Zuckerberg. But they don't care; they're still big, even without Google.

Folder based is also compatible but .html seems to be more of a brand on MIME types right now.

mod_rewrite just rewrites the URLs, but the fact is not everyone uses cPanel, therefore they won't have Apache, as cPanel/WHM has built-in compliance with Apache. So you have to make alternatives rather than limiting yourself to what your script has compatibility with.

If you wish to use $_GET with empty values (e.g. /page.php?index) you're better off using isset() as it does the same thing. empty() just shows if the value is empty or not whereas isset() is if the key of the $_GET is valid rather than the value.

Many websites do use that technique as it's more popular and does the same thing: the file name would be marked by Google bots as a folder and the .html page would be marked as a static page, therefore indexing the page without causing any errors, as you might if you used the question mark and appropriate variables. If you have a better page format you have a better chance of having more indexed pages and increasing your chance of a good PageRank. Google can only give you a valid PageRank if you're actually on Google, right?

Nyna - For method one, it's definitely not stripslashes(), because let's take this for example.

Let's say in the $_POST['value'] I posted I'm going to quote "What's your name?"

$string_value = $_POST['value'];

$string_value = stripslashes($string_value);

mysql_query("INSERT INTO comments VALUES ('$string_value');");

That means it would output INSERT INTO comments VALUES ('I'm going to quote "What's your name?"'); which will definitely output a MySQL error. Stripslashes is for when you collect the data from the database and then print it to your visitors.


Guest Anonymous

Re: Basic/Moderate PHP

 

Nyna - For method one, it's definitely not stripslashes(), because let's take this for example.

Let's say in the $_POST['value'] I posted I'm going to quote "What's your name?"

$string_value = $_POST['value'];

$string_value = stripslashes($string_value);

mysql_query("INSERT INTO comments VALUES ('$string_value');");

That means it would output INSERT INTO comments VALUES ('I'm going to quote "What's your name?"'); which will definitely output a MySQL error. Stripslashes is for when you collect the data from the database and then print it to your visitors.

Depends on how you write your database backend. Personally I find stored procedures or prepared queries are perfectly safe with stripslashes. Even using mysql_real_escape_string is sufficient, but then I'd never use such a construct:

mysql_query("INSERT INTO comments VALUES ('$string_value');");

it's non-portable, messy, difficult to read, and may cause problems if you altered the table definition. 6 years of commercial PHP dev work with a number of SQL engines have taught me that stripslashes is probably the fastest and simplest mechanism -- I may be wrong, but it works for me.

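As an added example that is not part of the thread, here is the comment insert the last three posts argue about, run four ways against an in-memory SQLite database through PDO so it works offline. SQLite stands in for MySQL (the mysql_* functions used in the thread were removed in PHP 7), the pdo_sqlite extension bundled with most PHP builds is assumed, and the table, column and the attack value are constructed for the demonstration. The quoted sentence is the one from the thread.

```php
<?php
// Added example, not from the thread. Runs the thread's comment insert against an
// in-memory SQLite database via PDO (SQLite stands in for MySQL). Assumes pdo_sqlite.
// Table, column and payloads are constructed for the demonstration.

declare(strict_types=1);

/** A fresh database holding one existing comment. */
function fresh_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (body TEXT NOT NULL)');
    $db->exec("INSERT INTO comments (body) VALUES ('existing comment')");
    return $db;
}

function count_rows(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM comments')->fetchColumn();
}

/** 1. The thread's construct: the value is spliced straight into the SQL text. */
function insert_concat(PDO $db, string $value): void
{
    $db->exec("INSERT INTO comments (body) VALUES ('$value')");
}

/** 2. addslashes(): MySQL-style backslash escaping applied blindly, whatever the dialect. */
function insert_addslashes(PDO $db, string $value): void
{
    $escaped = addslashes($value);
    $db->exec("INSERT INTO comments (body) VALUES ('$escaped')");
}

/** 3. PDO::quote(): escaping done by the driver for its own dialect
 *     (the role mysql_real_escape_string() played for MySQL). */
function insert_quoted(PDO $db, string $value): void
{
    $db->exec('INSERT INTO comments (body) VALUES (' . $db->quote($value) . ')');
}

/** 4. Prepared statement: the value is bound as data and is never parsed as SQL. */
function insert_prepared(PDO $db, string $value): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->execute([$value]);
}

/** Run one strategy against the two inputs, each on a fresh database, and report. */
function run(callable $insert): array
{
    $quoted    = 'I\'m going to quote "What\'s your name?"';   // the thread's example
    $injection = "x'); DELETE FROM comments; --";            // constructed attack value
    $out = [];
    foreach (['quote' => $quoted, 'injection' => $injection] as $label => $value) {
        $db = fresh_db();
        try {
            $insert($db, $value);
            $out[$label] = 'ok, rows now ' . count_rows($db);
        } catch (PDOException $e) {
            $out[$label] = 'SQL error, rows now ' . count_rows($db);
        }
    }
    return $out;
}

foreach (['insert_concat', 'insert_addslashes', 'insert_quoted', 'insert_prepared'] as $fn) {
    printf("%-18s %s\n", $fn, json_encode(run($fn)));
}
```

What it shows: splicing the quoted sentence in raw gives the syntax error oxidati0n describes, and the constructed value runs its second statement (PDO::exec hands the whole string to sqlite3_exec, which executes every statement in it) and empties the table. addslashes() fares no better on this engine, because SQLite does not treat a backslash as an escape character: the quoted sentence is still a syntax error, and the attack value's `\'` closes the literal early so the DELETE runs anyway. Only PDO::quote(), which escapes for the dialect actually in use, and the prepared statement store both values intact, leaving two rows. stripslashes() plays no part in any of this; it only undoes backslashes added earlier by addslashes() or magic_quotes, and the protection in the last case comes entirely from binding the value rather than interpolating it.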
