Chapter 2: Understanding and Avoiding Security Risks
Identifying the Sources of Risk
Minimizing User-Input Risks
Not Revealing Sensitive Information
Summary
Chapter 3: PHP Best Practices
Best Practices for Naming Variables and Functions
Best Practices for Function/Method
Best Practices for Database
Best Practices for User Interface
Best Practices for Documentation
Best Practices for Web Security
Best Practices for Source Configuration Management
Summary
Part II
Chapter 4: Architecture of an Intranet Application
Understanding Intranet Requirements
Building an Intranet Application Framework
Creating a Database Abstraction Class
Creating an Error Handler Class
Creating a Built-In Debugger Class
Creating an Abstract Application Class
Creating a Sample Application
Summary
Chapter 5: Central Authentication System
How the System Works
Creating an Authentication Class
Creating the Central Login Application
Creating the Central Logout Application
Creating the Central Authentication Database
Testing Central Login and Logout
Making Persistent Logins in Web Server Farms
Summary
Chapter 6: Central User Management System
Identifying the Functionality Requirements
Creating a User Class
User Interface Templates
Creating a User Administration Application
Creating a User Password Application
Creating a Forgotten-Password Recovery Application
Summary
Chapter 7: Intranet System
Identifying Functionality Requirements
Designing the Database
Designing and Implementing the Intranet Classes
Setting Up Application Configuration Files
Setting Up the Application Templates
Intranet Home Application
Installing Intranet Applications from the CD- ROM
Testing the Intranet Home Application
Summary
Chapter 8: Intranet Simple Document Publisher
Identifying the Functionality Requirements
The Prerequisites
Designing the Database
The Intranet Document Application Classes
Setting up Application Configuration Files
Setting Up the Application Templates
The Document Publisher Application
Installing Intranet Document Application
Testing Intranet Document Application
Summary
Chapter 9: Intranet Contact Manager
Functionality Requirements
Understanding Prerequisites
The Database
The Intranet Contact Manager Application Classes
The Application Configuration Files
The Application Templates
The Contact Category Manager Application
The Contact Manager Application
Installing Intranet Contract Manager
Testing Contract Manager
Summary
Chapter 10: Intranet Calendar Manager
Identifying Functionality Requirements
Understanding Prerequisites
Designing the Database
The Intranet Calendar Application Event Class
The Application Configuration Files
The Application Templates
The Calendar Manager Application
The Calendar Event Manager Application
Installing the Event Calendar on Your Intranet
Testing the Event Calendar
Summary
Chapter 11: Internet Resource Manager
Functionality Requirements
Understanding the Prerequisites
Designing the Database
Designing and Implementing the Internet Resource Manager Application Classes
Creating Application Configuration Files
Creating Application Templates
Creating a Category Manager Application
Creating a Resource Manager Application
Creating a Resource Tracking Application
Creating a Search Manager Application
Installing an IRM on Your Intranet
Testing IRM
Security Concerns
Summary
Chapter 12: Online Help System
Functionality Requirements
Understanding the Prerequisites
Designing and Implementing the Help Application Classes
Creating Application Configuration Files
Creating Application Templates
Creating the Help Indexing Application
Creating the Help Application
Installing Help Applications
Testing the Help System
Security Considerations
Summary
Part III
Chapter 13: Tell-a-Friend System
Functionality Requirements
Understanding Prerequisites
Designing the Database
Designing and Implementing the Tell- a- Friend Application Classes
Creating Application Configuration Files
Creating Application Templates
Creating the Tell-a-Friend Main Menu Manager Application
Creating a Tell-a-Friend Form Manager Application
Creating a Tell-a-Friend Message Manager Application
Creating a Tell-a-Friend Form Processor Application
Creating a Tell-a-Friend Subscriber Application
Creating a Tell-a-Friend Reporter Application
Installing a Tell-a-Friend System
Testing the Tell-a-Friend System
Security Considerations
Summary
Chapter 14: E-mail Survey System
Functionality Requirements
Architecture of the Survey System
Designing the Database
Designing and Implementing the Survey Classes
Designing and Implementing the Survey Applications
Developing Survey Execution Manager
Setting Up the Central Survey Configuration File
Setting Up the Interface Template Files
Testing the Survey System
Security Considerations
Summary
Chapter 15: E-campaign System
Features of an E-campaign System
Architecting an E-campaign System
Designing an E-campaign Database
Understanding Customer Database Requirements
Designing E-campaign Classes
Creating Common Configuration and Resource Files
Creating Interface Template Files
Creating an E-campaign User Interface Application
Creating a List Manager Application
Creating a URL Manager Application
Creating a Message Manager Application
Creating a Campaign Manager Application
Creating a Campaign Execution Application
Creating a URL Tracking and Redirection Application
Creating an Unsubscription Tracking Application
Creating a Campaign Reporting Application
Testing the E-Campaign System
Security Considerations
Summary
Part IV
Chapter 16: Command-Line PHP Utilities
Working with the Command-Line Interpreter
Building a Simple Reminder Tool
Building a Geo Location Finder Tool for IP
Building a Hard Disk Usage Monitoring Utility
Building a CPU Load Monitoring Utility
Summary
Chapter 17: Apache Virtual Host Maker
Understanding an Apache Virtual Host
Defining Configuration Tasks
Creating a Configuration Script
Developing makesite
Installing makesite on Your System
Testing makesite
Summary
Chapter 18: BIND Domain Manager
Features of makezone
Creating the Configuration File
Understanding makezone
Installing makezone
Testing makezone
Summary
Part V
Chapter 19: Web Forms Manager
Functionality Requirements
Understanding Prerequisites
Designing the Database
Designing and Implementing the Web Forms Manager Application Classes
Creating the Application Configuration Files
Creating Application Templates
Creating the Web Forms Submission Manager Application
Creating the Web Forms Reporter Application
Creating the CSV Data Exporter Application
Installing the Web Forms Manager
Testing the Web Forms Manager
Security Considerations
Summary
Chapter 20: Web Site Tools
Functionality Requirements
Understanding Prerequisites
Designing the Database
Designing and Implementing the Voting Tool Application Class
Creating the Application Configuration Files
Creating the Application Templates
Creating the Vote Application
Installing the Voting Tool
Testing the Voting Tool
Summary
Part VI
Chapter 21: Speeding Up PHP Applications
Benchmarking Your PHP Application
Buffering Your PHP Application Output
Compressing Your PHP Application Output
Caching Your PHP Applications
Summary
Chapter 22: Securing PHP Applications
Controlling Access to Your PHP Applications
Securely Uploading Files
Using Safe Database Access
Recommended php.ini Settings for a Production Environment
Limiting File System Access for PHP Scripts
Running PHP Applications in Safe Mode
Summary
Part VII
Appendix A: What's on the CD-ROM
System Requirements
What's on the CD
Troubleshooting
Appendix B: PHP Primer
Object-Oriented PHP
Appendix C: MySQL Primer
Using MySQL from the Command- Line
Using phpMyAdmin to Manage MySQL Database
Appendix D: Linux Primer
Installing and Configuring Apache 2.0
Installing and Configuring MySQL Server
Installing and Configuring PHP for Apache 2.0
Common File/Directory Commands
Index
Wiley Publishing, Inc. End-User License Agreement
Nội dung
while(list($cmdID, $cmdName) = each($cmdArray)) { $cmdOptions .= “<option value=$cmdID>$cmdName</option>”; } $template = new Template($TEMPLATE_DIR); $template->set_file(‘fh’, $MY_TEMPLATE); $template->set_block (‘fh’, ‘mainBlock’, ‘main’); $template->set_var(‘USERNAME’, $user); $template->set_var(‘CMD_OPTIONS’, $cmdOptions); $template->parse(‘main’,’mainBlock’, FALSE); $template->pparse(‘output’, ‘fh’); This example uses bad_screen.ihtml, shown in Listing 3-2, as the HTML interface file. A while loop is used to create $cmdOptions. Notice that some HTML tags are embedded in the following line: $cmdOptions .= “<option value=$cmdID>$cmdName</option>”; This violates the principle of keeping all HTML out of the code. There are situations in which it isn’t possible to keep the HTML out, but in creating combo boxes you can. Listing 3-2: bad_screen.ihtml <html> <head><title>My Document</title></head> <! BEGIN mainBlock > <body bgcolor=”#ffffff”> <h1>Hello {USERNAME} </h1> <form> <select name=”cmd”> {CMD_OPTIONS} </select> <input type=submit> </form> </body> <! END mainBlock > </html> Listing 3-3 shows a modified version of Listing 3-2. Here the combo box (select list) is shown as an embedded block called optionBlock within the mainBlock in the template. The <option value=”{CMD_ID}”>{CMD_NAME}</option> line is looped when the block is populated. 56 Part I: Designing PHP Applications 05 549669 ch03.qxd 4/4/03 9:24 AM Page 56 Listing 3-3: good_screen.ihtml <html> <head><title>My Document</title></head> <! BEGIN mainBlock > <body bgcolor=”#ffffff”> <h1>Hello {USERNAME} </h1> <form> <select name=”cmd”> <! BEGIN optionBlock > <option value=”{CMD_ID}”>{CMD_NAME}</option> <! BEGIN optionBlock > </select> <input type=submit> </form> </body> <! END mainBlock > </html> To generate the combo box without having any HTML code inside the PHP application, we modify the last code segment as follows: $TEMPLATE_DIR = ‘/some/path’; $MY_TEMPLATE = ‘bad_screen.ihtml’; $cmdArray = array( ‘1’ => ‘Add’, ‘2’ => ‘Modify’, ‘3’ => ‘Delete’ ); $template = new Template($TEMPLATE_DIR); $template->set_file(‘fh’, $MY_TEMPLATE); $template->set_block (‘fh’, ‘mainBlock’, ‘main’); $template->set_block (‘mainBlock’, ‘optionBlock’, ‘options’); while(list($cmdID, $cmdName) = each($cmdArray)) { $template->set_var(‘CMD_ID’, $cmdID); $template->set_var(‘CMD_NAME’, $cmdName); $template->parse(‘options’,’optionBlock’, TRUE); } Chapter 3: PHP Best Practices 57 05 549669 ch03.qxd 4/4/03 9:24 AM Page 57 $template->set_var(‘USERNAME’, $user); $template->parse(‘main’,’mainBlock’, FALSE); $template->pparse(‘output’, ‘fh’); The embedded block optionBlock is populated using the while loop, which replaced the CMD_ID, and CMD_NAME inside the loop. The parse() method that is called to parse the optionBlock has the append flag set to TRUE. In other words, when the block is parsed, the output of the last parsed block is appended to the cur- rent one to make the list of options. Finally, the mainBlock is parsed as usual and the combo box is generated com- pletely from the interface template, without needing HTML tags in the PHP code. Reducing template code When using the Template object to display a user interface, you may think that many calls to the set_var() method are needed to replace template tags. For example: // OK - could be better $TEMPLATE_DIR = ‘/some/path’; $MY_TEMPLATE = ‘screen.ihtml’; $template = new Template($TEMPLATE_DIR); $template->set_file(‘fh’, $MY_TEMPLATE); $template->set_block (‘fh’, ‘mainBlock’, ‘main’); $template->set_var(‘FIRST’, $first); $template->set_var(‘LAST’, $last); $template->set_var(‘EMAIL’, $email); $template->set_var(‘AGE’, $age); $template->set_var(‘GENDER’, $gender); $template->parse(‘main’,’mainBlock’, false); $template->pparse(‘output’, ‘fh’); If you are assigning a lot of template variables to values like in the previous code segment, you can reduce the number of set_var() calls by combining all of the calls into a single call. This will speed up the application since a single call is faster than many calls to a method. An improved version of this script is shown below. // BETTER $TEMPLATE_DIR = ‘/some/path’; $MY_TEMPLATE = ‘screen.ihtml’; 58 Part I: Designing PHP Applications 05 549669 ch03.qxd 4/4/03 9:24 AM Page 58 $template = new Template($TEMPLATE_DIR); $template->set_file(‘fh’, $MY_TEMPLATE); $template->set_block (‘fh’, ‘mainBlock’, ‘main’); $template->set_var( array( ‘FIRST’ => $first, ‘LAST’ => $last, ‘EMAIL’ => $email, ‘AGE’ => $age, ‘GENDER’ => $gender ) ); $template->parse(‘main’,’mainBlock’, false); $template->pparse(‘output’, ‘fh’); In this example, a single instance of set_var() method is used to pass an unnamed associative array with template tags as keys and appropriate data as values. Best Practices for Documentation When you decide to develop software, you should create design and implementa- tion documentations. Design documentations include block diagrams that describe the system, flow charts that describe a specific process, class diagrams that show the class hierarchy, and so on. Implementation documentation also has flow charts to describe specific imple- mentation processes. Most importantly, though, you use inline code comments to describe what your code does. You can use single-line or multiple comments such as: <?php // This is a single-line comment $myName = ‘Joe Gunchy’; /* This is a multi-line comment that can span over multiple lines. */ $mySchool = ‘CSUS’; ?> Chapter 3: PHP Best Practices 59 05 549669 ch03.qxd 4/4/03 9:24 AM Page 59 All the code for this book is commented, although the inline code com- ments have been stripped out of the code listings printed in the book to reduce the number of lines and because the book covers each method in detail. However, you can get the commented version of the code on the accompanying CD-ROM and/or on the Web site for the book at www.evoknow.com/phpbook.php. Best Practices for Web Security In this section I will discuss a set of best practices that if practiced will result in bet- ter security for your Web applications. Keep authentication information away from prying eyes Many Web applications use authentication information to allow restricted access to the application using username/password or IP addresses. Similarly, all applica- tions using databases use database access information (host name, username/pass- word, port, etc.) that should never be revealed to any Web visitors. You should keep these authentication data away from prying eyes by using one of these methods: ◆ Store authentication data way from the Web document tree. Make your applications read authentication related files from outside the Web docu- ment tree so that these files are not browseable via Web. This will require that your Web server has read access to these files. No other user (other than the root) should have access to these files. ◆ If you cannot store authentication files outside your Web document tree for some reason, you need to make sure the authentication files are not browseable via the Web. This can be done by using file extensions and restricting these extensions from being served by the Web server. When using databases with applications always create a limited privilege user by following your database administration guide. This user should be allowed to only access the specific database that your application needs access to. You should never use a privileged database user account to access database from Web applications. Consult your database documentation for details on how to create limited privilege database users. 60 Part I: Designing PHP Applications 05 549669 ch03.qxd 4/4/03 9:24 AM Page 60 . such as: < ?php // This is a single-line comment $myName = ‘Joe Gunchy’; /* This is a multi-line comment that can span over multiple lines. */ $mySchool = ‘CSUS’; ?> Chapter 3: PHP Best Practices. the code on the accompanying CD-ROM and/or on the Web site for the book at www.evoknow.com/phpbook .php. Best Practices for Web Security In this section I will discuss a set of best practices. $template->set_var(‘CMD_NAME’, $cmdName); $template->parse(‘options’,’optionBlock’, TRUE); } Chapter 3: PHP Best Practices 57 05 549669 ch03.qxd 4/4/03 9:24 AM Page 57 $template->set_var(‘USERNAME’,