Transcript the Powerpoint presentation

NMD202 Web Scripting
Week3
What we will cover today
 Includes
 Exercises
 PHP Forms
 Exercises
 Server side validation
 Exercises
Includes
The include($filename) statement includes
and evaluates the specified file.
require($filename), does the same thing
except it halt execution if $filename is not found
include_once($filename),
require_once($filename), file is included only
once if called several times
Includes
Security Considerations:
PHP Injection – Technique that exploits
Vulnerabilities that allows attacker to include
files with malicious code
Exercises
Redo last exercise (student table) but split your file
into logical sections (templating), ie:Include the head
of your document, the body, the footer, etc. Place the
stud array (model) in an external file and include it in
the main script.
PHP forms
When using forms, some sort of server side
scripting is needed to handle the submitted
data.
Basically All form elements and data submitted
through them will be available on the server to
be manipulated
PHP forms
2 Different Methods to submit data:
Get: Uses the querystring to submit the data
Post: Uses the post method of the HTTP
protocol to submit data
PHP forms
Get: should be used when page after form
submission needs to be bookmarked
Post: Should be used when information to
submit is huge or sensitive
PHP forms
All info submitted in the form is either available
in the $_GET or $_Post Superglobals
depending on the method used.
Entries in the superglobal array will match the
attribute “name” in the form elements
Exercises
Redo the student exercise using a form to input
the filter instead of the querystring, use the post
method. After applying filter (form
submission)make sure form retains the entry
for usability purposes.
Tip: Check the $_POST if it contains data, if
empty display all table, if not apply the filter.
Includes
Security Considerations:
Register Globals – All entries in $_GET and
$_POST are automatically extracted into
variables.
Relying on this feature is highly discouraged.
PHP forms
Security Considerations: (bypass authentication by making
bad use of register globals)
<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
$authorized = true;
}
// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
include "/highly/sensitive/data.php";
}
?>
PHP forms Validation
Data validation should always be used with
submitted data:
-Security reasons
-Data quality
System should never rely just on client side
validation (usability enhancer)
PHP forms Validation
Data validation should always be used with
submitted data:
-Security reasons
-Data quality
System should never rely just on client side
validation (Client side to be used just as a
usability enhancer)
PHP forms Validation
Validation procedure to check validity Data
Data is valid – Proceed (Insert database,
perform some action) and display feedback
Data is not valid – Do not proceed, Present the
form (entries pre-filled with submitted data,
except password fields) and feedback providing
info on which fields validation failed
PHP forms Validation
<?php
function dataValidates(){
//logic validation here;
//return true/false;
}
$valid = false;
if (form has been submitted)
{
$valid = dataValidates();
}
if ($valid)
{
//Do some background action here (submit data Database, send email, etc)
}
?>
<html>
.....
<?php
if ($valid){
//display html for valid data submitted (Feedback)
}
else{
//display html for invalid data submitted (Warning messages)
}
?>
Exercises
Build a form to submit data about a user registration:
First Name, Last Name, Email, password, Confirm
password.
Make all fields required, email must be a valid email
(check for the @ symbol) and passwords must match.
If info is valid display a table with all the details and
hide the form field. If not display the form field with error
messages next to the appropriate elements