NMD202 Web Scripting
Week3
What we will cover today
Includes
Exercises
PHP Forms
Exercises
Server side validation
Exercises
Includes
The include($filename) statement includes and evaluates the specified file.
require($filename) does the same thing, except that it halts execution if $filename is not found.
include_once($filename) and require_once($filename) include the file only once, even if called several times.
Includes
Security Considerations:
PHP Injection – a technique that exploits vulnerabilities which allow an attacker to include files containing malicious code (for example, an include() whose file name is built from unchecked user input).
Exercises
Redo the last exercise (student table) but split your file into logical sections (templating), i.e. include the head of your document, the body, the footer, etc. Place the stud array (model) in an external file and include it in the main script.
PHP forms
When using forms, some sort of server side scripting is needed to handle the submitted data.
All form elements, and the data submitted through them, are available on the server to be manipulated.
PHP forms
Two different methods to submit data:
Get: uses the querystring to submit the data
Post: uses the POST method of the HTTP protocol to submit the data
PHP forms
Get: should be used when the page after form submission needs to be bookmarked
Post: should be used when the information to submit is large or sensitive
PHP forms
All info submitted in the form is available in either the $_GET or the $_POST superglobal, depending on the method used.
Entries in the superglobal array match the "name" attribute of the form elements.
Exercises
Redo the student exercise using a form to input the filter instead of the querystring; use the post method. After applying the filter (form submission), make sure the form retains the entry for usability purposes.
Tip: check whether $_POST contains data; if it is empty display the whole table, if not apply the filter.
Includes
Security Considerations:
Register Globals – with register_globals enabled, all entries in $_GET and $_POST are automatically extracted into variables.
Relying on this feature is highly discouraged.
PHP forms
Security Considerations: (bypass authentication by making bad use of register globals)
<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}

// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>
PHP forms Validation
Data validation should always be used with submitted data:
- Security reasons
- Data quality
The system should never rely just on client side validation (client side validation is to be used only as a usability enhancer).
PHP forms Validation
Validation procedure to check the validity of the data:
Data is valid – proceed (insert into the database, perform some action) and display feedback.
Data is not valid – do not proceed; present the form again (entries pre-filled with the submitted data, except password fields) together with feedback telling the user which fields failed validation.
PHP forms Validation
<?php
function dataValidates() {
    // validation logic here: check each submitted field in $_POST
    // return true/false
    return false; // placeholder until the real checks are written
}

$valid = false;
if ($_SERVER['REQUEST_METHOD'] === 'POST') { // form has been submitted
    $valid = dataValidates();
}
if ($valid) {
    // Do some background action here (submit data to the database, send email, etc.)
}
?>
<html>
.....
<?php
if ($valid) {
    // display HTML for valid data submitted (feedback)
} else {
    // display HTML for invalid data submitted (warning messages)
}
?>
Exercises
Build a form to submit data about a user registration: First Name, Last Name, Email, Password, Confirm password.
Make all fields required; the email must be a valid email (check for the @ symbol) and the passwords must match.
If the info is valid, display a table with all the details and hide the form. If not, display the form with error messages next to the appropriate elements.
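A worked version of the validation procedure described above, applied to the registration fields of this exercise. This is an added example, not part of the original slides; the input names fname, lname, email, password and confirm are assumed, and all submitted values are escaped before being echoed back into the page.

```php
<?php
// Added example (not from the slides): server-side validation of the
// registration form. Input names are assumed: fname, lname, email, password, confirm.
$fields = ['fname' => 'First Name', 'lname' => 'Last Name', 'email' => 'Email',
           'password' => 'Password', 'confirm' => 'Confirm password'];

// Returns error messages keyed by field name; an empty array means the data is valid.
function validateRegistration(array $in, array $fields): array {
    $errors = [];
    foreach ($fields as $name => $label) {           // every field is required
        if (!isset($in[$name]) || trim($in[$name]) === '') {
            $errors[$name] = "$label is required";
        }
    }
    if (!isset($errors['email']) && strpos($in['email'], '@') === false) {
        $errors['email'] = 'Email must contain an @ symbol';
    }
    if (!isset($errors['password']) && !isset($errors['confirm'])
        && $in['password'] !== $in['confirm']) {
        $errors['confirm'] = 'Passwords do not match';
    }
    return $errors;
}

$submitted = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST';
$errors = $submitted ? validateRegistration($_POST, $fields) : [];
$valid = $submitted && $errors === [];
// Escape everything that goes back into the page: submitted data is never trusted
$e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<html><body>
<?php if ($valid): ?>
  <table>
  <?php foreach ($fields as $name => $label): if ($name === 'password' || $name === 'confirm') continue; ?>
    <tr><td><?= $e($label) ?></td><td><?= $e($_POST[$name]) ?></td></tr>
  <?php endforeach; ?>
  </table>
<?php else: ?>
  <form method="post">
  <?php foreach ($fields as $name => $label):
    $type = ($name === 'password' || $name === 'confirm') ? 'password' : 'text';
    // pre-fill text fields with the submitted value; never pre-fill password fields
    $value = ($type === 'text' && isset($_POST[$name])) ? $e($_POST[$name]) : ''; ?>
    <label><?= $e($label) ?> <input type="<?= $type ?>" name="<?= $name ?>" value="<?= $value ?>"></label>
    <?php if (isset($errors[$name])): ?><span class="error"><?= $e($errors[$name]) ?></span><?php endif; ?><br>
  <?php endforeach; ?>
  <input type="submit" value="Register">
  </form>
<?php endif; ?>
</body></html>
```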