NMD202 Web Scripting Week3

Upload: esther-goodman

Post on 13-Jan-2016


Page 1: NMD202 Web Scripting Week3. What we will cover today Includes Exercises PHP Forms Exercises Server side validation Exercises

NMD202 Web Scripting

Week3

Page 2:

What we will cover today

- Includes
- Exercises
- PHP Forms
- Exercises
- Server side validation
- Exercises

Page 3:

Includes

The include($filename) statement includes and evaluates the specified file.

require($filename) does the same thing, except that it halts execution if $filename is not found.

include_once($filename) and require_once($filename) include the file only once, even if they are called several times.

Page 4:

Includes

Security Considerations:

PHP Injection – a technique that exploits vulnerabilities allowing an attacker to include files with malicious code (typically an include() whose filename is taken from user input)

Page 5:

Exercises

Redo the last exercise (student table) but split your file into logical sections (templating), i.e. include the head of your document, the body, the footer, etc. Place the stud array (model) in an external file and include it in the main script.
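One way to lay out the templated version of the exercise, written here as an added example rather than code from the slides. It assumes hypothetical files model/students.php (which defines the $stud array) and views/head.php, views/table.php, views/cards.php, views/footer.php; the point of the $views allow-list is that the include target is never the raw value of a request parameter, which is how the PHP injection problem on the previous slide arises.

```php
<?php
// Added example (not from the slides): the student-table page split into
// templates with include/require, plus a safe way to pick a view.
// Assumed layout (hypothetical file names):
//   model/students.php   -> defines $stud (array of students)
//   views/head.php, views/table.php, views/cards.php, views/footer.php

// require: halt if the model is missing; the page is useless without it.
require __DIR__ . '/model/students.php';

// Only ever include files from a fixed allow-list. Passing user input
// (e.g. $_GET['view']) straight into include() is the file-inclusion
// vulnerability the slides warn about.
$views = [
    'table' => __DIR__ . '/views/table.php',
    'cards' => __DIR__ . '/views/cards.php',
];
$requested = $_GET['view'] ?? 'table';
// Unknown key -> default view; the client-supplied string itself is never used as a path.
$view = $views[$requested] ?? $views['table'];

include __DIR__ . '/views/head.php';    // <html><head>...<body>
include $view;                          // the view uses $stud
include __DIR__ . '/views/footer.php';  // </body></html>
```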

Page 6:

PHP forms

When using forms, some sort of server-side scripting is needed to handle the submitted data.

Basically, all form elements and the data submitted through them are available on the server to be manipulated.

Page 7:

PHP forms

Two different methods to submit data:

GET: uses the querystring to submit the data

POST: uses the POST method of the HTTP protocol to submit the data in the request body

Page 8:

PHP forms

GET: should be used when the page after form submission needs to be bookmarked

POST: should be used when the information to submit is large or sensitive

Page 9:

PHP forms

All info submitted in the form is available in either the $_GET or the $_POST superglobal, depending on the method used.

Entries in the superglobal array match the “name” attribute of the form elements.

Page 10:

Exercises

Redo the student exercise using a form to input the filter instead of the querystring; use the POST method. After applying the filter (form submission), make sure the form retains the entry for usability purposes.

Tip: check whether $_POST contains data; if it is empty, display the whole table, otherwise apply the filter.
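A worked version of this exercise, added here as an example and not taken from the slides. The $stud array is a constructed sample standing in for the model file; note that the retained filter value and every table cell are escaped with htmlspecialchars() before being echoed, since anything in $_POST came from the client. Arrow functions (fn) assume PHP 7.4 or later.

```php
<?php
// Added example (not from the slides): student table filtered through a
// POST form that keeps the submitted filter in the input box.
// Constructed sample data standing in for the model file of the exercise.
$stud = [
    ['name' => 'Ada Lovelace', 'course' => 'NMD202'],
    ['name' => 'Grace Hopper', 'course' => 'NMD101'],
    ['name' => 'Alan Turing',  'course' => 'NMD202'],
];

// Read the filter from $_POST only; a missing or empty value means "show all".
$raw    = $_POST['filter'] ?? '';
$filter = is_string($raw) ? trim($raw) : '';   // ignore non-string (array) input

$rows = $filter === ''
    ? $stud
    : array_filter($stud, fn($s) => stripos($s['name'], $filter) !== false);

// Escape everything that came from the client (or could) before echoing it,
// both in the retained form value and in the table cells, to prevent XSS.
$e = fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <label>Filter by name:
    <input type="text" name="filter" value="<?= $e($filter) ?>">
  </label>
  <button type="submit">Apply</button>
</form>

<table>
  <tr><th>Name</th><th>Course</th></tr>
<?php foreach ($rows as $s): ?>
  <tr><td><?= $e($s['name']) ?></td><td><?= $e($s['course']) ?></td></tr>
<?php endforeach; ?>
</table>
```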

Page 11:

Includes

Security Considerations:

Register Globals – all entries in $_GET and $_POST are automatically extracted into variables.

Relying on this feature is highly discouraged.

Page 12:

PHP forms

Security Considerations: (bypass authentication by making bad use of register globals)

```php
<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}

// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>
```

Page 13:

PHP forms Validation

Data validation should always be used with submitted data:

- Security reasons
- Data quality

The system should never rely just on client-side validation (usability enhancer)

Page 14:

PHP forms Validation

Data validation should always be used with submitted data:

- Security reasons
- Data quality

The system should never rely just on client-side validation (client-side validation is to be used just as a usability enhancer)

Page 15:

PHP forms Validation

Validation procedure to check data validity:

Data is valid – proceed (insert into database, perform some action) and display feedback

Data is not valid – do not proceed; present the form again (entries pre-filled with the submitted data, except password fields) together with feedback saying which fields failed validation

Page 16:

PHP forms Validation

```php
<?php
function dataValidates() {
    // validation logic here;
    // return true/false;
}

$valid = false;

// "form has been submitted": the request carrying the form data was a POST
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $valid = dataValidates();
}

if ($valid) {
    // Do some background action here (submit data to the database, send email, etc.)
}
?>

<html>

.....

<?php
if ($valid) {
    // display html for valid data submitted (Feedback)
} else {
    // display html for invalid data submitted (Warning messages)
}
?>
```

Page 17:

Exercises

Build a form to submit data about a user registration: First Name, Last Name, Email, Password, Confirm password.

Make all fields required, the email must be a valid email (check for the @ symbol) and the passwords must match.

If the info is valid, display a table with all the details and hide the form. If not, display the form again with error messages next to the appropriate elements.
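A complete solution to the registration exercise, added here as an example (not code from the slides), following the dataValidates() pattern of the validation skeleton. Field names (first_name, last_name, email, password, confirm) are assumptions; the table deliberately leaves the password out and the password inputs are never pre-filled, as the validation slide requires, and every echoed value is escaped. Arrow functions (fn) assume PHP 7.4 or later.

```php
<?php
// Added example (not from the slides): server-side validation for the registration
// exercise. Returns field => error message; an empty array means the data is valid.
function dataValidates(array $in): array
{
    $errors = [];
    foreach (['first_name', 'last_name', 'email', 'password', 'confirm'] as $f) {
        // missing, non-string (e.g. array) or blank input all count as "not provided"
        if (!is_string($in[$f] ?? null) || trim($in[$f]) === '') {
            $errors[$f] = 'This field is required';
        }
    }
    // The exercise only asks for an "@" check; filter_var(..., FILTER_VALIDATE_EMAIL) is stricter.
    if (empty($errors['email']) && strpos($in['email'], '@') === false) {
        $errors['email'] = 'Please enter a valid email address';
    }
    if (empty($errors['password']) && empty($errors['confirm']) && $in['password'] !== $in['confirm']) {
        $errors['confirm'] = 'Passwords do not match';
    }
    return $errors;
}

$submitted = ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST';
$errors    = $submitted ? dataValidates($_POST) : [];
$valid     = $submitted && $errors === [];

// Escape client data before echoing it back (XSS); never pre-fill password fields.
$e   = fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
$old = fn($f) => $e(is_string($_POST[$f] ?? null) ? $_POST[$f] : '');
$err = fn($f) => isset($errors[$f]) ? ' <span class="error">' . $e($errors[$f]) . '</span>' : '';
?>
<?php if ($valid): ?>
<table>
  <tr><th>First name</th><td><?= $old('first_name') ?></td></tr>
  <tr><th>Last name</th><td><?= $old('last_name') ?></td></tr>
  <tr><th>Email</th><td><?= $old('email') ?></td></tr>
</table>
<?php else: ?>
<form method="post" action="">
  First name: <input name="first_name" value="<?= $old('first_name') ?>"><?= $err('first_name') ?><br>
  Last name: <input name="last_name" value="<?= $old('last_name') ?>"><?= $err('last_name') ?><br>
  Email: <input name="email" value="<?= $old('email') ?>"><?= $err('email') ?><br>
  Password: <input type="password" name="password"><?= $err('password') ?><br>
  Confirm: <input type="password" name="confirm"><?= $err('confirm') ?><br>
  <button type="submit">Register</button>
</form>
<?php endif; ?>
```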