Archive for the ‘Web Development’ Category

Out of boredom I decided to create a very simple wrapper class for mysql database management. This class, as I mentioned, is extremely simple. However, for those wishing to learn more about Object Oriented programming, and how to implement a class that is useful, this is a good place to start. Anyone wishing to learn more about OOP could take this basic class, and make it into something that is much more useful.

Note: This class is untested. I haven’t actually ran the code, but I reviwed it to make sure any simple syntax/conceptual errors were removed.

If there is a syntax error or anything you see, leave a comment below so I can fix it!

Functionality

The class has very limited functionality. It basically provides normal mysql functionality (like querying, fetching rows, and fetching all the rows of a result set) and has a built in sanitizing function.

Improvements

This class is by no means complete or even useful. However, there are many improvements that someone could add to this that would not only make this class fairly useful, but is also great practice. Some obvious improvements could be as follows:

  • function to build and execute a query based on function parameters (like table, what to select, and where/order by statements(s)
  • an insert function that builds and executes a query based on parameters (table to insert, array of columns, and an array of corresponding values
  • stronger validation/sanitization

There are many many more things you could add to this class. A little competition for the readers: Submit your version of the class below with added features. The best/coolest class will get a free page with links/advertisement to their website (or a website of their choice)


<?php
class DB_manager {
 private $database;//database you wish to connect to
 private $username;//mysql username
 private $password;//myysql password
 private $server;//mysql server to connect to
 private $link;//variable to hold mysql connection link
 private $currentResult = false;

 private $query;

 //simple error reporting function.
 private function reportError($error){
 echo $error;
 }

 //constructor
 public function __construct($username, $password, $server="localhost"){
 $this->server = $server;
 $this->username = $username;
 $this->password = $password;
 }

 //connect
 public function connect($database){
 $this->link=mysql_connect($this->server,$this->user,$this->pass);
 //make sure we connected correctly
 if (!$this->link) {//open failed
 $this->reportError("Could not connect to server: <b>$this->server</b>.");
 }
 $this->database = $database
 if(!@mysql_select_db($this->database, $this->link)) {//no database
 $this->reportError("Could not open database: <b>$this->database</b>.");
 }
 }

 //run query q
 public function query($q){
 $this->query = $this->string_escape($q);
 $this->currentResult = mysql_query($q);
 if (!$this->currentResult){
 $this->reportError("There was an error with your query: " . mysql_error();
 $this->currentResult = false;
 return false;
 }
 return $this->currentResult;
 }
 //returns row from the result a query returned
 public function fetch_row($assoc = true){
 if (!$this->currentResult){
 $this->reportError("There is no valid result set to return data from.");
 return false;
 }

 if ($assoc)
 return mysql_fetch_assoc($this->currentResult);
 else
 return mysql_fetch_array($this->currentResult);

 }

 public function string_escape($s){
 return mysql_real_escape_string($s);
 }

 public function fetch_all($assoc = true){
 if (!$this->currentResult)
 $this->reportError("There is no valid result set to return data from.");
 return false;
 }

 $array = [];
 if ($assoc)
 while ($row = mysql_fetch_assoc($this->currentResult)){
 $array[] = $row;
 }
 }
 else {
 while ($row = mysql_fetch_array($this->currentResult)){
 $array[] = $row;
 }
 }

 return $array;
 }
}

//usage
$db = new DB_Manager('username', 'password', 'server (usually localhost');
$db->connect("databse_name");

$db->query("SELECT * FROM sometable");

$rows = $db->fetch_all();

foreach($rows as $r){
 print_r($r);
}

&nbsp;

&nbsp;

?>

If you have any questions, leave a comment!

As a frequent forum poster in a few programming help boards, I have noticed a lot of well meaning people simply don’t know how to ask a question right, and this leads to incomplete, or inadequate answers, or simply getting told off. The poster will ask follow up questions usually, in a strained struggle to get their question/homework/project completed, and usually these end up annoying those who do want to help (as they are of the same bad format as the original question) or get shuffled off to some distant tutorial on the other side of the internet.

The problem is that they simply don’t know how to ask their question correctly, or more commonly are so fed up with the problem that they can’t be bothered to do any research and formulate an intelligent question that will get an intelligent answer. For example, I often see posts like this.

Hi I have a problem. I want my code to print my birthday from the database, but it won’t. Help

Code here Code here

This may seem like a perfectly reasonable question to a novice because they simply don’t realize how vague of a question this is. The reason that the above code may not work could be one of multitudes of different things, from simple syntax errors to very complex server problems. No forum poster wants to have to prod the user for more information to fix the problem (unless its super obvious) so questions like these can go unanswered, or answered in the form of a question requesting more information.

 

So How do I ask?

Well, this depends entirely on the question. But a general formula for asking good questions, and seeming like you actually care about the Why of the answer, rather than just the answer is as follows:

  • First research the problem. For very simple problems, this can save a lot of time debugging, since someone else is bound to have run into the same problem. Generally, if I have some sort of error I will start by Googling the actual error text. Remember, Google is your friend, and should always be the first resort!
  • Try to debug yourself. Debugging is a practice learned through experience, but some helpful tips are as follows (Note these are rather specific to PHP, but the concept can be applied to anything):
  1. Output all the variables in question. Do they have values you think they have? If not trace where these values are set.
  2. If its a MySQL problem, make sure you are checking if there was a MySQL error. If there was, make sure you note it in any posts you make.
  3. Turn error reporting on. Generally, when people have simple syntax errors and don’t see them, its because error reporting is turned off.
  4. Comment out everything in your script until  you pinpoint the problem line.
  • Once you have tried debugging without success, you can make your post. Make sure you list all the steps you took to debug, and post the relevant code. DO NOT POST ALL THE CODE. You don’t know how many posts I skip over because someone just posted their whole page, HTML and all on the page. Not only does this make it seem like you simply don’t care about the other posters, but it is incredibly irritating to see a whole HTML page slathered on a forum post. Posting the relevant code makes it seem like you actually care not only about the problem, but about the posters who want to help you. It is also a good way to test yourself. Its easy to post the whole page, but its a little harder to figure out what exactly is relevant to the problem.
  • Make sure that if you are posting code, you post it in code BBCode tags if the forums supports them (and most coding forums do)

 

Why?

Why should you follow the above directions? Well, it’s not just about getting a good answer (which following the above advice will really help). Debugging and figuring out problems is half of the battle in coding. Many times, when people who post questions like my example above get their answers, its generally in the form of code you can copy paste and move on. This may make fixing things quicker and easier, but what happens when you are on your own? Being able to debug is a very important part of programming, and while asking for help is never a bad thing, when you go through the steps of trying to solve the problem yourself, you understand the problem better. After doing a little research, you may not find the answer, but you may find some tid bits of information that you didn’t know before. Above all, learning how to program efficiently is the most important part!

Also, when you put forth the effort to research your problem, it shows on the post. Its obvious when you clearly haven’t even tried to solve this problem, opting instead to just post generic SOS messages on various forums  until someone solves your problem. Its also obvious when you put forth the effort to try to solve the problem, and are generally interested in not only fixing the problem, but not repeating the mistake you made. When someone has clearly put some effort, I will put forth equal effort into not only solving the problem, but also explaining it. I usually end up posting a few paragraphs of explanation along with annotated code (that I may have even tested on my local server!) For those who simply want the answer, and don’t care about the underlying problem, I simply put a few words of explanation and  a code snippet, and I almost never test the code. Think about it. Why should I put forth effort into fixing your problem that you aren’t willing to put effort into fixing.

 

Hopefully this gives the question poster good perspective on what a help poster thinks, and the internet will see better questions!

In my previous post (which you can reach here: http://blackscorner.me/2011/09/29/strings-and-interpolation-a-love-story-part-1/) I discussed interpolation in PHP.  Apart from professing my love for PHP’s implementation of interpolation (+1 poet points to me!), I showed some examples of its uses, and compared that to the equivalent statements using concatenation. However, besides novice PHP coders, intermediate coders and above usually know about interpolation (whether or not they know it goes by that name). However, many intermediate coders (and some advanced!) don’t know the full capabilities of PHP’s interpolation implementation. The examples I showed in the previous post only show one part of the story! There are actually two different syntax’s for interpolation in PHP, simple (which was shown in the previous example) and complex (which I will discuss in this article).

Lets take a look at an example of simple syntax just to refresh our memory (coders are notoriously forgetful!):

$var = "variable";

echo "I am a $var";

A lot of coders wrongly assume that this is the only form of interpolation available in PHP, and thus conclude that if you want to use, say, an element in an array, or an attribute of an object, you have to use concatenation. When given a scenario in which you want to use an array element in a string, many would write the following:


$arr = array("element1", "element2", "element3");
echo "the value at index 1 is: " . $arr[1];

However, PHP can interpolate the element $arr[1] using simple syntax! The above echo statement is equivalent to the following:

echo "The value at index 1 is: $arr[1]";

The same goes for associative arrays! So the following is also valid:


$assoc = array("key1" => "value1", "key2" => "value2");
echo "The value of the array at the key 'key1' is: $assoc[key1]";

Notice the lack of single quotes around the associative array’s key. As I said earlier, you can also use simple syntax to interpolate an objects attributes (or properties). Obviously the property in question has to be public. The following illustrates what I mean:

class foo {
public $var;
function __construct(){
$var = "World!";
     }
}
$foo = new foo();
//the following statements are equivalent
echo "Hello " . $foo->var;
echo "Hello $foo->var";
Here are some more examples for clarification (taken from the PHP manual)
<?php
$juices = array("apple", "orange", "koolaid1" => "purple");

echo "He drank some $juices[0] juice.".PHP_EOL;
echo "He drank some $juices[1] juice.".PHP_EOL;
echo "He drank some juice made of $juice[0]s.".PHP_EOL; // Won't work
echo "He drank some $juices[koolaid1] juice.".PHP_EOL;

class people {
public $john = "John Smith";
public $jane = "Jane Smith";
public $robert = "Robert Paulsen";

public $smith = "Smith";
}

$people = new people();

echo "$people->john drank some $juices[0] juice.".PHP_EOL;
echo "$people->john then said hello to $people->jane.".PHP_EOL;
echo "$people->john's wife greeted $people->robert.".PHP_EOL;
echo "$people->robert greeted the two $people->smiths."; // Won't work
?>
Awesome right! But thats not all! Not even close. PHP also has complex syntax (which I mentioned above). Despite what you may think, its not called complex syntax because it is in itself complex, but rather because it allows you to interpolate complex expressions. To use complex notation, you must use curly brackets ({ and }) to surround your expression you want interpolated. The PHP manual describes complex notations functionality as follows:
Any scalar variable, array element or object property with a string representation can be included via this syntax. Simply write the expression the same way as it would appear outside the string, and then wrap it in { and }. Since { can not be escaped, this syntax will only be recognized when the $ immediately follows the {. Use {\$ to get a literal {$.
Lets look at an example shall we! This will show improper use of complex syntax, then 2 examples of correct use. I will use a simple variable here.
<?php
$great = 'fantastic';

// Won't work, outputs: This is { fantastic}
echo "This is { $great}";
// Works, outputs: This is fantastic
echo "This is {$great}";
echo "This is ${great}";
?>
Of course you can also use complex notation with object properties and array elements as I did above with simple syntax
<?php
echo "This square is {$square->width} centimeters broad.";
echo "This works: {$arr['key']}";</div>
?>
Notice that I used single quotes in the array element example. Complex syntax is the only place you can use single quoted array keys, as opposed to simple syntax which, as shown above, can’t have the single quotes (if you are curious why this is, leave a comment and ill try to get back to you).  Where complex syntax really shines though, is its ability to interpolate more complex expressions than simple object propertys or array elements. For example, say you are taking advantage of PHP’s variable variables (link will be below). Assume you have a function called getName() which returns the name of the variable you want to access. You can do
<?php
function getName(){ return 'var'; }
//note single quotes and thus lack of interpolation
$var = 'value of $var';

echo "This is the value of the var named by
the return value of getName(): {${getName()}}";
//output: This is the value of the var named by the return value of getName(): value of $var
//of course, if the function is a method of some class, you can also do this:
$object = new Some_Class_With_getName_Method();
echo "This is the value of the var named by the return value of \$object->getName(): {${$object->getName()}}";
?>
Unfortunately, you can’t interpolate just the return value from a function. So the following won’t work:
<?php
// Won't work, outputs: This is the return value of getName(): {getName()}
echo "This is the return value of getName(): {getName()}";
?>
Unfortunately, since PHP depends on the variable sigil ($) to proceed the opening curly bracket to use complex syntax, interpolating functions is impossible. But PHP’s ability to interpolate many things really makes it an amazing language. What is truly unfortunate is that many programmers are unaware of how far PHP’s capabilities go! Most know about simple syntax, but many are unaware of the power of complex syntax.
Here are a bunch more examples (from the PHP manual) of things that will and won’t work with complex syntax so you can get an idea of its use.
<?php
// Show all errors
error_reporting(E_ALL);

$great = 'fantastic';

// Won't work, outputs: This is { fantastic}
echo "This is { $great}";

// Works, outputs: This is fantastic
echo "This is {$great}";
echo "This is ${great}";

// Works
echo "This square is {$square->width}00 centimeters broad.";

// Works, quoted keys only work using the curly brace syntax
echo "This works: {$arr['key']}";

// Works
echo "This works: {$arr[4][3]}";

// This is wrong for the same reason as $foo[bar] is wrong  outside a string.
// In other words, it will still work, but only because PHP first looks for a
// constant named foo; an error of level E_NOTICE (undefined constant) will be
// thrown.
echo "This is wrong: {$arr[foo][3]}";

// Works. When using multi-dimensional arrays, always use braces around arrays
// when inside of strings
echo "This works: {$arr['foo'][3]}";

// Works.
echo "This works: " . $arr['foo'][3];

echo "This works too: {$obj->values[3]->name}";

echo "This is the value of the var named $name: {${$name}}";

echo "This is the value of the var named by the return value of getName(): {${getName()}}";

echo "This is the value of the var named by the return value of \$object->getName(): {${$object->getName()}}";

// Won't work, outputs: This is the return value of getName(): {getName()}
echo "This is the return value of getName(): {getName()}";
?>
<?php
class foo {
var $bar = 'I am bar.';
}

$foo = new foo();
$bar = 'bar';
$baz = array('foo', 'bar', 'baz', 'quux');
echo "{$foo->$bar}\n";
echo "{$foo->$baz[1]}\n";
?>
<?php
 class foo {
 var $bar = 'I am bar.';
 }$foo = new foo();
 $bar = 'bar';
 $baz = array('foo', 'bar', 'baz', 'quux');
 echo "{$foo->$bar}\n";
 echo "{$foo->$baz[1]}\n";
 ?>
<?php
// Show all errors.
error_reporting(E_ALL);

class beers {
const softdrink = 'rootbeer';
public static $ale = 'ipa';
}

$rootbeer = 'A & W';
$ipa = 'Alexander Keith\'s';

// This works; outputs: I'd like an A & W
echo "I'd like an {${beers::softdrink}}\n";

// This works too; outputs: I'd like an Alexander Keith's
echo "I'd like an {${beers::$ale}}\n";
?>
Well I hope you enjoyed reading about string interpolation as much as I enjoyed writing about it. PHP really is an amazing language, and touches like this are what really set it apart from other languages, and is what’s key to PHP’s wide success.
Links of Interest
Part 1:
String Parsing (Go here for a full explanation of the examples I posted, as well as comments and discussion about it):
Simple Syntax:
Variable Variables:

I am a frequent forum goer to the website http://www.phpfreaks.com/ (My username is Mikesta707), and one thing I see a lot from PHP novices is a question like

Hey, I am trying to echo a string, but it doesn’t look right. I’m using a variable and but instead of its value all I see is the php code! my code looks like

$str = "Poop";

echo 'I have to take a $str';

please halp!

Now, anyone who has uses PHP at an intermediate level or higher will tell this hypothetical novice to either use double quotes, or concatenate. The solutions would be as follows


$str = "Poop";

echo "I have to take a $str";//double quotes

echo 'I have to take a ' . $str;//concatenation

And of course, their error will be fixed, and they can go on their merry way, or post about another problem they have. In addition to the above solutions, one could also use heredoc syntax, but that is generally reserved for multi-line strings and can be a little complex for a new programmer. Many forum posters wouldn’t bother even mentioning it.

Anyways, what many posters fail to do in these cases, is explain why what they wrote failed. As a result of this, even people who know to use double quotes or concatenate will often not really know why you have to do that, beyond “uh.. just because man.”  In my experience as a forum poster for phpfreaks, I see a solution that concatenates rather than using double quotes more frequently, and this produces a very interesting effect.

Concatenation is simple enough, and easy to rationalize the use of without wondering why you were wrong. Without knowing about the use of double quotes (or simply not realizing), one may naturally assume, after having the above problem and being told to concatenate, that they can’t put variables inside strings.

This is half correct, as it is true with single quotes, but incorrect in terms of double quotes. This can lead an overall assumption that if you want to create a string that is composed partly of one or more variables, then you must always concatenate. Over the years I have worked with quite a few developers who have been looking over my shoulder while I am writing some code, and told me, “Hey, you gotta concatenate there!” or something along those lines when using double quotes. Usually this will come with the look of quiet satisfaction at having corrected (or thinking they corrected) a fellow coder’s mistake.

Unfortunately, because of this assumption many people miss out on one of my favorite features of PHP called Interpolation,  as well as having a somewhat faulty understanding of how strings work in PHP. For those who don’t know, interpolation is defined by Wikipedia as the following:

The process of evaluating an expression or string literal containing one or more variables, yielding a result in which the variables are replaced with their corresponding values in memory. It is a specialized instance of concatenation.

Now this basically means that when you put a variable inside of a string, PHP does a sort of replace, where the name of the variable (say, $str) is replaced with its value (say, “Poop”). PHP supports interpolation, but only when using double quotes or the heredoc string syntax. To take a simple example:

//The following are all equivalent
$n = "Mike";
echo "Hi i'm $n";//interpolation
echo 'Hi i\'m ' . $n;//concatenation
echo <<<EOT
Hi i'm $n
EOT;//heredoc syntax

As I said earlier, Interpolation is one of my favorite attributes of PHP. Interpolation isn’t supported in many languages (Perl, Tcl, Ruby and most unix shells are the others). PHP uses a sigil, or a symbol attached to a variable to show its a variable (and not a global constant), unlike many languages (including C, C++, C#, java, javascript, etc.) so interpolation is possible. Interpolation really makes creating strings that would be complex or look ugly in other languages easy and clean. Lets compare two strings, one in PHP and one in C++/C#/Java/ect…


//assume we have created 3 variables, $a $b and $c in PHP, and a b and c in C++

//PHP string
$str = "The first 3 letters of the alphabet are $a $b and $c";

//equivalent string in C++/C#/java/etc...
//assume we have the proper header includes
string str = "The first 3 letters of the alphabet are " + a + " " + b + " and " + c;

As you can see, the PHP version is much easier on the eyes, and much nicer to write! Of course, most languages that don’t support interpolation have a specialized form of interpolation in function form using string formatting (for example, printf() from C/Lisp).

To sum things up, I absolutely love interpolation, and think its one of the most amazing features of PHP. Its a very simple feature, but elegant at the same time, and extremely useful. Out of all of PHP’s amazing features, I know that I use this one the most. I love interpolation so much actually, that I plan on writing a part 2 to this post very soon. It will probably be a tad bit shorter, but will have some good information.

Part 2: [Click me]

Links of Interest:

String parsing (Interpolation):
http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing

Single quotes:
http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.single

Double quotes:
http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.double

Heredoc:
http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.heredoc

Interpolation (Wikipedia):
http://en.wikipedia.org/wiki/Variable_(computer_science)#Interpolation

I few weeks ago I wrote a tutorial on how to validate your PHP variables. That is the precursor to this post (You can read it here: http://blackscorner.me/2011/07/28/when-and-how-to-validate-your-php-variables/) in which I explain the basics of validating your PHP variables that you get for use with MySQL (or other SQLs) queries.

In order to get the most out of this tutorial, you will need to be familiar with the following

  • The subjects discussed in the precursor post
  • basic SQL queries
  • using MySQL or other SQLs and PHP together
  • Escape characters (for example how is ‘ different from \’)

Whats The Point?

You may wonder why we need to go through all of this sanitation nonsense in the first place. Well when using SQLs, like MySQL along with user input (Like say storing some information that they gave the website via a form), your site could be vulnerable to what is called a SQL injection. SQL injections, and how they work is a pretty broad topic (one beyond the scope of this post), but they basically consist of a user injecting bad SQL into your query to make it do something you don’t want. Lets take a very basic example:

Lets say that we have a user login system, and the query we use to make sure the login details is correct is:

SELECT * FROM user_table WHERE username=’$username’ AND password=’$password’

Assume that $username and $password are defined earlier in the script. Now if we don’t validate the script, a malicious user can enter something like:

‘ OR 1=1 —

Now, that may seem like a useless string, but now lets look at what our query looks like

SELECT * FROM user_table WHERE username=” OR 1=1 — 

Now the rest after — doesn’t matter because the — operator basically tells SQL to ignore everything after it. It is kind of like commenting out a line of code in PHP. Now what will happen is that 1=1 is always true, so the query will be true, and return a row from your table. The first row specifically in our case with the query above. This would allow a user to access someones account without the proper username and password. If you are unlucky, the admin account (if there is one) may be the first account (since its usually the first account created), and now the malicious user has access to administrative powers. Bad news

So How do we Stop them?

Well, removing all vulnerabilities from your site is almost impossible (as cyber security is an ever changing field) but protecting from SQL injections is pretty straight forward. PHP has a function made just for stopping the kind of attack you see above, but before we start using it on anything and everything we have to be aware of a few things. First, the magic quotes setting for PHP. Nowadays it is usually turned off, and it is recommended that it be turned off. What this setting does is when turned off, it automatically escapes all strings. This is a dangerous action because it is sort of like a 1 size fits all glove for sanitation that has terrible effects depending on the data. You want to sanitize SQL versus HTML vs. bbcode differently. However, if it is on in your system, you can do the following.

if (get_magic_quotes_gpc()==1){
 //its on, lets undo what happened
 //do this for all variables
 $_POST['username'] = stripslashes($_POST['username']);
 $_POST['password'] = stripslashes($_POST['password']);
 //the rest of the post variables you are gonna use.

Now of course it would just be easier to turn this setting off in your php.ini. Consult the manual for details on turning this setting off. The stripslashes() function basically does is remove all the slashes that PHP adds in order to escape the data. PHP adds backslashes before single and double quotes. As you should know, escaping slashes lets you add them to strings that are delimited by them!

 

Now the second thing I need to mention is that we need to consider what type of data we are using. If we are using string data (like usernames, passwords, etc.) then we should escape the string to prevent our basic SQL injection from happening. If it is number data, we should just convert whatever they entered into a number so we don’t have to worry about escaping it. (Entering a string where a number should be in a query will break the script, and may even show an error message that gives the attacker more information about your system. So lets go over each different scenario.

Strings:

For strings, PHP provides a very useful function called mysql_real_escape_string(). It accepts a string as a parameter and and returns the string escaped in such a way to make it safe from basic SQL injections like the one above. So lets give a code example and see what would happen if the attacker tried the simple SQL injection.


//assume we have turned off magic quotes.

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

$query = "SELECT * FROM user_table WHERE username='$username' AND password='$password'";
//rest of login stuff below

Now lets see what our injected query would look like

SELECT * FROM user_table WHERE username=’\’ or 1=1 –‘ AND password=”

Here we see that our escape string function made the ‘ that originally broke our query harmless, and this will not let them login as you would expect. Awesome right!

Numbers

Now  if you are expecting the user to enter in a number into the query, we should whatever they enter into a number. So that even if they enter some malicious text, it will be converted to a harmless number. Now assuming we want an integer number, we can easily do something like


$area_code = intval($_POST['area_code']);

//rest of code

Now, if you need a float number, you can use the floatval function instead of intval()!

 

Now What?

Well, we have sanitized some stuff, but not everthing! What if we are getting some information that we will show on our users profile page (like a description or a bio). In fields like these, the user can enter any HTML they want, and could even enter malicious HTML/Javascript or include malicious HTML/Javascript from another site. This is known as Cross Site Scripting (XSS) and is a very real threat to many websites. Now, the most basic way to stop this is to turn all html into html entities. That way, even if they enter HTML, it becomes harmless. HTML entities are special characters that represent HTML characters that you don’t won’t to be interpreted as HTML. For example, the less than sign (<) This can be used to show a mathematical inequality, but in HTML it denotes the beginning of an HTML tag (like <a for example). When you want to show the less than sign without the browser trying to interpret it as HTML, you use HTML entities.

PHP provides a function that converts all HTML special characters into their respective entities called, you guessed it! htmlentities(). Now lets show an example


$bio = htmlentities($_POST['bio']);

Now if the user enters some HTML, it will instead be harmless html entities.

Now, if we want to remove the HTML outright, there is also a function for that. We can use the strip_tags() function which will remove all tags. We can also specify tags to exclude from removal, which would allow you to allow users to enter links, or text formatting tags, but not other tags. For example


$bio = strip_tags($_POST['bio']);//remove all html tags
//or
$Bio = strip_tags($_POST['bio'], "<p><a>");//allow links and paragraph tags

 

And thats it for basic validation! After reading this and the previous article, you should be able to add some basic security to your website! Now there is much more to the website security field than just this, but following these simple steps should allow you to protect your site against most basic attacks. Here are some links to the functions used

 

mysql_real_escape_string(): http://php.net/manual/en/function.mysql-real-escape-string.php

htmlentities(): http://php.net/manual/en/function.htmlentities.php

intval()/floatval(): http://php.net/manual/en/function.intval.php  http://www.php.net/manual/en/function.floatval.php

string_tags(): http://php.net/manual/en/function.strip-tags.php

 

 

 

Sanitizing and validating user data to make it safe for processing is a very hot topic today, and not at all an exact science. It is very important, as many websites out there are susceptible to many different types of attacks since they don’t try to sanitize or verify any of the data they get from a user.

Now, this is a huge topic, and truly beyond the scope of a single blog post, but I am going to go through the simplest cases which should help most amateur or new web developers protect their site. To make sense out of this tutorial, you should have a basic understanding of:

  • basic PHP syntax
  • how to get input into the $_GET and $_POST super globals
  • basic string manipulation
Validation is important, because it can avoid any type of input that doesn’t even make any sense. This can make sanitizing much simpler, because you have a rough idea of what to expect at that point. Since validation usually comes first in PHP scripts, I will go over that first.
Note: I will be going over the PHP side of things, and won’t really be paying attention to or talking about creating the forms on the front end. That is simple enough and you should know how to do this before reading any further. I will also only be going over validation. I will make my next post about sanitation to complete the tutorial.

We don’t need no.. Validation!

So what is validation exactly? Well consider this: Lets say we have a simple user signup form. This form excepts an email address. We can validate this particular part of the form by making sure that its an actual email address and not some garbage. If it isn’t a valid email address, we can stop the script from inserting stuff into our database, and let the user know through some error message that the email is invalid!

Now, validating an email address may seem like a no-brainer and most secure sites on the internet already do this. Now the question becomes how? Well for emails, doing simple string checks (Like checking for the position of the @ character, or making sure there are no random characters that don’t belong in an email address) can work, the best way is to use what is called regular expressions or regex. Regex itself is a very broad topic, and so I won’t really be going over it beyond a simple explanation. So what is Regex? Well at its base its a mathematical concept that tries to match strings based on a pattern. It uses patterns to do this. You can look at a tutorial for it here: http://www.regular-expressions.info/tutorial.html

So, what kind of pattern do we need for an email address? Well luckily for us and most new web developers, the pattern to match an email address is a commonly used on, and so a quick google search will find us the answer! Consider the following


$pattern = "/^[a-zA-Z0-9._-]+@[a-zA-Z0-9-]+\.[a-zA-Z.]{2,5}$/";//this is the pattern we will use to determine if its an email

//it may look scary, but don't worry, you don't have to change it or understand it to use it!?
//its a good idea to read through a tutorial for regex so it atleast makes a little bit of sense though

$email = $_POST['email'];//the input from our form

if (!preg_match($pattern, $email)){
echo "Your email was invalid! Please press the back button and enter a valid email address";
exit();
}

So in this code we created our pattern that would match the email address. Then we extracted the input email address from the $_POST super global array, and tried to match them. If they did match, no error would pop up, but if they didn’t then the user would be given an error message and told to re-enter the email address. This is validation folks! A very simple implementation, but validation nonetheless. The pattern may seem scary, but don’t worry about it. We won’t ever really need to change it, and I will go over a simpler regex pattern with a more comprehensive description farther down.

Ok so we know how to validate email addresses. What about other information? Well, besides email addresses, validating other data depends on what you expect, and what rules you have given your users for that specific field. So for example, on one site, a username may have to be at least 6 characters while on another it may have to be at least 4. Some except only numbers and letters, while others allow dots and such. Lets go over some of the most common ways to validate other fields to give you an idea of what to do, and then you can adapt what you have learned to your specific site.

Username/Password minimum length

This is a very common and very easy type of validation. For this, we will use the strlen function. Consider the following


$min_uname_len = 5;//usernames must be 5 characters long at least
$min_pword_len = 4;//passwords must be at least 4 characters long

$username = $_POST['username'];
$password = $_POST['password'];

if (strlen($username) < $min_uname_len){
//error!
echo "Username's must be at least 5 characters. Please go back and try again!";
exit();
}
if (strlen($password) < $min_pword_len){
//error!
echo "Passwords must be at least 4 characters long. Please go back and try again!";
exit();
}

In the code above, we simply use the strlen function to make sure that the password and username are at least the minimum required lengths in order to continue. If they aren’t, like with the email validation, we show the user an error, and stop the execution of the script.

Restricted Characters

This is another very common type of validation that consists of not letting the user use certain characters in their input, or restricting all characters but alpha numeric characters. This, like the above, can be different from site to site, but I will go over a simple case, and you can try to figure out how to adapt it to your specific site.

Here I will use regex again, but it will be a much simpler pattern than the one we used with email. I will try to explain it so that you can alter it to fit your needs. Consider the following:


$pattern = "/[a-zA-Z0-9_-]/";
$username = $_POST['username'];//we want to restrict all characters but numbers, letters, and underscores in the username

if (!preg_match($pattern, $username)){
echo "You can only use numbers, letters and underscores in your username!";
exit();
}

So what does that regex mean? Well the / characters is simply a delimiter which is required in PHP. / is the most commonly used delimiter but you can use any delimiter you want (but if you use a delimiter that may appear in your pattern, you have to escape it in the pattern. Since / doesn’t appear at all in our pattern, we don’t have to escape anything, and our regex looks cleaner!). The [ and ] characters signify that we are using a character class. What this means is that any of the characters specified in that class will match the string. If the string contains characters that aren’t in that class, than the string will not match. The inside of the character class is pretty straight forward. We use whats called a range of characters (the first one being lowercase a to lowercase z, or a-z as we have written. The second is uppercase letters, and the last is numbers). After the three ranges, we also stick an underscore at the end so we can allow underscores to be used in the username. Not too scary right!

And link the rest of the validation code blocks, we show the user an error and exit the script if the username isn’t valid. Regular expressions are an extremely valuable tool, and can be made to match many different types of strings. Here we show how to match based on what characters you will allow, but you could easily alter it to show what character we shouldn’t allow. This I will let you do some research on to try and find out (doing your own research and experimentation is important and a great learning exercise!) If you are having a hard time figuring it out, then shoot me a comment or email and I will try to help out!

The second part of this article can be read here: http://blackscorner.me/2011/08/04/when-and-how-to-sanitize-your-php-variables/

If you have any questions/comments, please don’t be afraid to share! Hope you enjoyed reading this tutorial and learned from it!

In this tutorial I will be giving a basic introduction into PHP’s arrays. I will discuss how PHP implements them, how they differ and are similar to other languages, and basic use and functionality. Before you start learning, you should be familiar with the following

  • Basic PHP syntax
  • Variable use
  • Basic programming concepts (if statements, looping, etc.)

Basics

PHP arrays behave much like Vectors from C++, Lists from C#, Hash tables, associative arrays, etc. the syntax for creating one is very simple. There is a PHP function called array() which will return the array you would like based on what you specify in the argument list. Consider the following

 

$array1 = array();//this will create an empty array.

$array2 = array("item1", "item2", "item3");//this will create a numeric zero based array
echo $array2[1];//Output: item1

//the array function also supports setting up your own kay value pairs.
$array3 = array("key1" => "value1",  "key2", "value2");//this is an example if an associative array
echo $array3['key1'];//Output: value1

Pretty easy right? The key difference between the first 2 arrays and the last array is the keys you use to extract the values in the array. The first two are known as numeric arrays, since they use numeric keys (or in PHP terms, offsets). The last array used string keys, and is known as an associative array. Now you may be wondering when you would want to use one type versus the other. Well obviously this depends entirely on the context of your program, but I will give some examples of when one may be more useful than the other.

Lets say we have an array of all 50 states, and their capitals. Now we could use a numeric array, but then we, as the programmer, would have to remember which position each individual capitol is when we needed to use it. However, with an associative array, we can use the keys as the state name, and the values as the capitol. This makes it much easier to get a specific states capitol because we won’t have to remember or look back to see where, say, Connecticut’s capitol is located in the array. Consider the following

//numeric array
$capitols = array("Hartford", "Albany", ...etc);//this would be a numeric array

echo "The capitol of North Dakota is: " . $capitols[??];// hmm which offset is it? There are so many I don't quite remember and have to look it up in the arrays definition

//or we could do this
$capitols = array("Connecticut" => "Hartford", "New York" => "Albany", ... etc.);//

echo "The capitol of Tennessee is: " . $capitols['Tennessee'];//Now there is no doubt as to where the capitol of Tennessee is located in the array

Adding/Updating our array

Adding things to a PHP array is even simpler than making one. There are a few different ways of doing this. The most basic way is tothe use the square bracker ([]) operator with a new key and some value. Consider the following


$numeric_array = array("value0", "value1");
$numeric_array[2] = "value2";
//we dont actually need to add them in order. The following is valid and will execute
$numeric_array[17] = "value3";

$associative_array = array("key0" => "value0", "key1"=> "value1");
$associative_array['key2'] = "value2";

Easy peasy! Now there is also a third way to add things to an array. The syntax is to use empty square brackets along with the assignment operator. This syntax is mostly used with numeric arrays, because it adds the value to the next available numeric offset. Consider the following

$numeric_array = array("value0", "value1");
$numeric_array[] = "value2";//value2 is set to the value of $numeric_array[2] since 2 is the next available offset.

You can use the above with an associative array, but it would add the value at the key 0 (assuming it is a pure associative array). This is perfectly valid code, but now instead of having an associative array, you have a hybrid array. There isn’t anything inherently wrong with this, and hybrid arrays certainly have their place, but in general it makes the most sense to use this syntax with numeric arrays.

 

Now what?

Well now that we have an array, what can we do with it. Besides the obvious use of arrays, PHP comes with a bunch of different functions and constructs that make using arrays awesome and very worthwhile. You should already know about for loops, but PHP also provides a foreach loop (like what Java or C# has) which can iterate through an array. The syntax is fairly simple. There are two types. The simplest type is as follows:

foreach($array as $value)

What this does is inside the for loops code block, $value takes on each different value in the array as the loop iterates though. So if our array had the values: value1, value2, value3, value4 then $value would contain value1 in the first iteration, then value2 in the second, and so on. The second type is the same and is as follows:

foreach($array as $key => $value)

As I said, this iterates through each value in the array in the order they were added, but also sets $key to each key at that specific value. For numeric arrays, $key would be 0, 1, 2, etc.. in order (assuming you have an ordered numeric array). This type is especially useful with associative arrays since you may not know the exact order of the array, but you need to do a different line of code depending on the key.

Now, I mentioned functions earlier, and you can look at the whole list of array functions that PHP provides here: http://php.net/manual/en/ref.array.php

 

The ones I find myself using the most I will discuss below. Make sure you read the manual entry for each function (Link provided) as there are quite a few code examples and notes about the usage of these functions

count($array): This function returns the size of the array provided in the argument list. Very useful for determining the size of an array that is build dynamically.

sort($array): This sorts an array from lowest to highest. If you have string values, they are sorted lexicograhically by default, but provides certain flags as an optional parameter which allows you to specifiy how it should sort the array (numerically, strings, etc.).

shuffle($array): This function randomizes the order of the array provided in the argument list. This function is very useful when you want to print or otherwise use the array you created in a random order.

in_array($needle, $haystack): This function looks through the array ($haystack) and returns whether or not the value specified ($needle) in inside of the array. This function is extremely useful, and I find myself using it all the time. An example of usage would be when you are trying to see if one variable is equal to one of any number of different values. Instead of using the equality operator (==) many times chained together with ors (||), you can put all the values you are testing in an array, and use the in_array function.

 

Now, this guide is a very simplistic introduction to PHP arrays, and there are many many more functions and uses for arrays. Perhaps I will write a more advanced tutorial on array usage at a later date.

Some useful links you may want to check out:

The list of PHP’s array functions: http://php.net/manual/en/ref.array.php
The PHP manual entry for arrays: http://php.net/manual/en/language.types.array.php
A Tizag.com tutorial on PHP arrays: http://www.tizag.com/phpT/arrays.php
A website for all things PHP. They have some of the best PHP help forms, and I am a staff member here:  http://www.phpfreaks.com