Chapter 2: Understanding and Avoiding Security Risks
Identifying the Sources of Risk
Minimizing User-Input Risks
Not Revealing Sensitive Information
Summary
Chapter 3: PHP Best Practices
Best Practices for Naming Variables and Functions
Best Practices for Function/Method
Best Practices for Database
Best Practices for User Interface
Best Practices for Documentation
Best Practices for Web Security
Best Practices for Source Configuration Management
Summary
Part II
Chapter 4: Architecture of an Intranet Application
Understanding Intranet Requirements
Building an Intranet Application Framework
Creating a Database Abstraction Class
Creating an Error Handler Class
Creating a Built-In Debugger Class
Creating an Abstract Application Class
Creating a Sample Application
Summary
Chapter 5: Central Authentication System
How the System Works
Creating an Authentication Class
Creating the Central Login Application
Creating the Central Logout Application
Creating the Central Authentication Database
Testing Central Login and Logout
Making Persistent Logins in Web Server Farms
Summary
Chapter 6: Central User Management System
Identifying the Functionality Requirements
Creating a User Class
User Interface Templates
Creating a User Administration Application
Creating a User Password Application
Creating a Forgotten-Password Recovery Application
Summary
Chapter 7: Intranet System
Identifying Functionality Requirements
Designing the Database
Designing and Implementing the Intranet Classes
Setting Up Application Configuration Files
Setting Up the Application Templates
Intranet Home Application
Installing Intranet Applications from the CD-ROM
Testing the Intranet Home Application
Summary
Chapter 8: Intranet Simple Document Publisher
Identifying the Functionality Requirements
The Prerequisites
Designing the Database
The Intranet Document Application Classes
Setting up Application Configuration Files
Setting Up the Application Templates
The Document Publisher Application
Installing Intranet Document Application
Testing Intranet Document Application
Summary
Chapter 9: Intranet Contact Manager
Functionality Requirements
Understanding Prerequisites
The Database
The Intranet Contact Manager Application Classes
The Application Configuration Files
The Application Templates
The Contact Category Manager Application
The Contact Manager Application
Installing Intranet Contact Manager
Testing Contact Manager
Summary
Chapter 10: Intranet Calendar Manager
Identifying Functionality Requirements
Understanding Prerequisites
Designing the Database
The Intranet Calendar Application Event Class
The Application Configuration Files
The Application Templates
The Calendar Manager Application
The Calendar Event Manager Application
Installing the Event Calendar on Your Intranet
Testing the Event Calendar
Summary
Chapter 11: Internet Resource Manager
Functionality Requirements
Understanding the Prerequisites
Designing the Database
Designing and Implementing the Internet Resource Manager Application Classes
Creating Application Configuration Files
Creating Application Templates
Creating a Category Manager Application
Creating a Resource Manager Application
Creating a Resource Tracking Application
Creating a Search Manager Application
Installing an IRM on Your Intranet
Testing IRM
Security Concerns
Summary
Chapter 12: Online Help System
Functionality Requirements
Understanding the Prerequisites
Designing and Implementing the Help Application Classes
Creating Application Configuration Files
Creating Application Templates
Creating the Help Indexing Application
Creating the Help Application
Installing Help Applications
Testing the Help System
Security Considerations
Summary
Part III
Chapter 13: Tell-a-Friend System
Functionality Requirements
Understanding Prerequisites
Designing the Database
Designing and Implementing the Tell-a-Friend Application Classes
Creating Application Configuration Files
Creating Application Templates
Creating the Tell-a-Friend Main Menu Manager Application
Creating a Tell-a-Friend Form Manager Application
Creating a Tell-a-Friend Message Manager Application
Creating a Tell-a-Friend Form Processor Application
Creating a Tell-a-Friend Subscriber Application
Creating a Tell-a-Friend Reporter Application
Installing a Tell-a-Friend System
Testing the Tell-a-Friend System
Security Considerations
Summary
Chapter 14: E-mail Survey System
Functionality Requirements
Architecture of the Survey System
Designing the Database
Designing and Implementing the Survey Classes
Designing and Implementing the Survey Applications
Developing Survey Execution Manager
Setting Up the Central Survey Configuration File
Setting Up the Interface Template Files
Testing the Survey System
Security Considerations
Summary
Chapter 15: E-campaign System
Features of an E-campaign System
Architecting an E-campaign System
Designing an E-campaign Database
Understanding Customer Database Requirements
Designing E-campaign Classes
Creating Common Configuration and Resource Files
Creating Interface Template Files
Creating an E-campaign User Interface Application
Creating a List Manager Application
Creating a URL Manager Application
Creating a Message Manager Application
Creating a Campaign Manager Application
Creating a Campaign Execution Application
Creating a URL Tracking and Redirection Application
Creating an Unsubscription Tracking Application
Creating a Campaign Reporting Application
Testing the E-Campaign System
Security Considerations
Summary
Part IV
Chapter 16: Command-Line PHP Utilities
Working with the Command-Line Interpreter
Building a Simple Reminder Tool
Building a Geo Location Finder Tool for IP
Building a Hard Disk Usage Monitoring Utility
Building a CPU Load Monitoring Utility
Summary
Chapter 17: Apache Virtual Host Maker
Understanding an Apache Virtual Host
Defining Configuration Tasks
Creating a Configuration Script
Developing makesite
Installing makesite on Your System
Testing makesite
Summary
Chapter 18: BIND Domain Manager
Features of makezone
Creating the Configuration File
Understanding makezone
Installing makezone
Testing makezone
Summary
Part V
Chapter 19: Web Forms Manager
Functionality Requirements
Understanding Prerequisites
Designing the Database
Designing and Implementing the Web Forms Manager Application Classes
Creating the Application Configuration Files
Creating Application Templates
Creating the Web Forms Submission Manager Application
Creating the Web Forms Reporter Application
Creating the CSV Data Exporter Application
Installing the Web Forms Manager
Testing the Web Forms Manager
Security Considerations
Summary
Chapter 20: Web Site Tools
Functionality Requirements
Understanding Prerequisites
Designing the Database
Designing and Implementing the Voting Tool Application Class
Creating the Application Configuration Files
Creating the Application Templates
Creating the Vote Application
Installing the Voting Tool
Testing the Voting Tool
Summary
Part VI
Chapter 21: Speeding Up PHP Applications
Benchmarking Your PHP Application
Buffering Your PHP Application Output
Compressing Your PHP Application Output
Caching Your PHP Applications
Summary
Chapter 22: Securing PHP Applications
Controlling Access to Your PHP Applications
Securely Uploading Files
Using Safe Database Access
Recommended php.ini Settings for a Production Environment
Limiting File System Access for PHP Scripts
Running PHP Applications in Safe Mode
Summary
Part VII
Appendix A: What's on the CD-ROM
System Requirements
What's on the CD
Troubleshooting
Appendix B: PHP Primer
Object-Oriented PHP
Appendix C: MySQL Primer
Using MySQL from the Command Line
Using phpMyAdmin to Manage MySQL Database
Appendix D: Linux Primer
Installing and Configuring Apache 2.0
Installing and Configuring MySQL Server
Installing and Configuring PHP for Apache 2.0
Common File/Directory Commands
Index
Wiley Publishing, Inc. End-User License Agreement
Contents
  ■ ... returned with a value of 3 from the user interface shown by confirmMessage(). This indicates that the user has confirmed the new message, which is then written to the database by addMessage().
  ■ Similarly, when the user decides to modify an existing message and run() is called with cmd set to modify, the step parameter value can be 1, 2, or 3 (calling displayMsgAddModMenu(), confirmMessage(), and modifyMessage(), respectively) or null.
  ■ If the user decides to delete an existing message and run() is called with cmd set to delete, deleteMessage() is called.
  ■ If the user does not specify any message operation (add, modify, delete), the user is shown the main message interface using displayMsgMngrMenu().
  ■ In summary, run() decides which functionality the user has requested and calls the appropriate message method to perform the desired operation.
◆ deleteMessage(): This method finds the ID of the message to be deleted and deletes that message from the database. If it is called without a proper message ID, it shows an error message. It works as follows:
  ■ If it is called without a message ID ($mid) as a query parameter, it shows an alert message and returns null.
  ■ Otherwise, a message object called $msgObj is created and its deleteMessage() method is called with the $mid value to delete the message. The status of this operation is stored in the $status variable.
  ■ A theme template object called $themeTemplate is created and set up in the usual way to load the user-selected theme template file.
  ■ A status message template ($STATUS_TEMPLATE) is loaded in a template object called $template as usual. If $status is true, a status message indicating that the message has been deleted is inserted into the $template content block. Also, deleteViewers() is called to remove all users from the message's viewer table. This ensures that, once a message is deleted, the system does not attempt to show viewers a nonexistent message.
  ■ If the message could not be deleted, $status is false, and a message indicating the failure is inserted into the $template object's content block.
  ■ Finally, the contents of the $template object are inserted into the $themeTemplate object's content block, and the result is printed on the user's browser screen.
◆ confirmMessage(): This method shows a preview of the message after the user has added or modified one and gets the user's confirmation. It also checks that the message is a valid one, or shows the appropriate error messages. If the user chooses to cancel from this screen, the user is taken back to the add/modify menu to edit the message and continue. This method works as follows:
  ■ When the method is called, the user has either created a new message or modified an existing one. So the method receives the message title ($title), publication date ($msgDate), body ($msg), current timestamp ($currentTS), operation mode ($mode), message ID ($mid) (only when editing an existing message), and viewer list ($viewers).
  ■ A local variable $date is created using the month ($m), day ($d), and year ($y) of the given publication date.
  ■ If the given date is invalid or earlier than the current date, the method shows an alert message indicating a bad publication date and returns null.
  ■ The method checks whether the title, body, or viewer list is empty. If the user left any of them undefined in the previous step, an alert message is shown and the method returns null.
  ■ Using a current timestamp from the mktime() function, a new timestamp containing the current hour, minute, and second, along with the user-given month, day, and year, is created in the $realDate variable.
  ■ A theme template object called $themeTemplate is created and set up in the usual way to load the user-selected theme template file.
  ■ Similarly, a message preview template ($MSG_PREVIEW_TEMPLATE) is loaded in a template object called $template as usual. All user-supplied data are embedded into the preview template.
  ■ Finally, the contents of the $template object are inserted into the $themeTemplate object's content block, and the result is printed on the user's browser screen.
◆ modifyMessage(): This method gets the modified message information, such as message ID, message title, publish date, message contents, and viewer IDs, and updates the database. It shows the appropriate confirmation message if no error is found; otherwise, it shows the appropriate error message. Here's how it works:
  ■ If the method is called without a viewer list, it shows an alert message and returns.
  ■ A message object called $msgObj is created with the current message ID ($mid), which is supplied to the method as a query parameter.
  ■ The isRead() method of $msgObj is called to determine whether the chosen message has already been read. A message cannot be modified once other users have acknowledged reading it: silently changing it would misrepresent what those users acknowledged. The better approach is to add a new message containing the modified content so that the users see it again. Therefore, if the message has already been read, addMessage() is called to add the modification as a new message.
◆ addMessage(): This method gets new message information, such as message title, publish date, message contents, and viewer IDs, and inserts the message data into the database. It shows the appropriate confirmation message if no error is found; otherwise, it shows the appropriate error message. Here's how it works:
  ■ If the method is called without a viewer list, it shows an alert message and returns.
  ■ A message object called $msgObj is created.
  ■ The new message is added using the addMessage() method of $msgObj. The status of this operation is stored in the $status variable.
  ■ If $status is true, a status message indicating that the message has been added is inserted into the $template content block, and addViewers() is called to add the viewers of this message. If the message could not be added, $status is false, and a message indicating the failure is inserted into the $template object's content block.
  ■ The contents of the $template object are inserted into the $themeTemplate object's content block, and the result is printed on the user's browser screen.
◆ displayMsgMngrMenu(): This method displays the initial message manager options menu, which is available only to administrators, because only administrators can modify or delete messages. This is how it works:
  ■ A message manager template ($MSG_MNGR_TEMPLATE) is loaded in a template object called $template.
  ■ A new message object called $msgObj is created.
  ■ The template includes buttons to add, modify, and delete messages and a list of messages from which the user can choose messages to modify or delete.
  ■ The list is loaded using the getAllMessages() method of the $msgObj object.
  ■ The contents of the $template object are inserted into the $themeTemplate object's content block, and the result is printed on the user's browser screen.
◆ displayMsgAddModMenu(): This method displays the add/modify message interface. This is how it works:
  ■ When the method is called with the 'modify' parameter, it checks whether the message ID has been supplied. If it has not, the method shows the appropriate error message and returns the user to the previous page. Otherwise, it creates a new message object, $msgObj, and stores the message contents, publish date, and title attributes of the message in variables for later use.
  ■ A message add/modify template ($MSG_ADD_TEMPLATE) is loaded in a template object called $template.
  ■ The template includes a Web form for entering the message title, message contents, publish date, and view rights. If this method is called with the 'modify' parameter, it loads the specified message information into the Web form.
  ■ The contents of the $template object are inserted into the $themeTemplate object's content block, and the result is printed on the user's browser screen.
◆ unhtmlentities(): This method is the exact reverse of the htmlentities() function in the PHP API. Data decoded with it is raw HTML again, so it must go back through htmlentities() before it is placed in a page; otherwise the output encoding that htmlentities() provided is lost.
◆ authorize(): This method authorizes access to this application. It works as follows:
  ■ It uses getUID() to obtain the current user ID and checks that it is positive (all valid user IDs are positive numbers). If it is, it creates a DBI object called $user_dbi that points to the central user-authentication database (USER_DB_URL).
  ■ A user object called $userObj is created using $user_dbi and the current user ID.
  ■ The current user type is tested using getType() to determine whether it is administrator (ADMIN_TYPE). If the current user is an administrator, the $isAdmin variable is set to TRUE and the method returns TRUE. For nonadministrative users, the method returns TRUE only if cmd = add; otherwise, it returns FALSE.

Access reporter application

The access reporter application, access_reporter.php, shows the access report of the current user. It is included on the CD-ROM in the ch07/apps directory. It has the following methods:
◆ run(): When the application is run, this method is called. It decides which functionality the user has requested and calls the appropriate method to perform the desired operation. It does the following:
  ■ Creates a theme object, $this->themeObj.
  ■ Stores the current user's theme choice in $this->theme by calling the getUserTheme() method of the theme object just created.
  ■ If the application is called with cmd = "Force Login", logUserIn() is called. Similarly, cmd = "Force Logout" calls logUserOut(). These two operations are used when an administrator wants to manually log a user in or out.
  ■ Calls the reportDriver() method to show the access report.
◆ logUserOut(): This method logs out the specified user. It works as follows:
  ■ Checks whether the date and time supplied by the administrator are valid. If they aren't, it shows the appropriate error message to the user and returns to the previous page.
  ■ Checks whether the given date and time lie in the future. If they do, it shows the appropriate error message to the user and returns to the previous page.
  ■ Creates a new ActivityAnalyzer object called $analyzer.
  ■ Uses the logUserOut() method of the $analyzer object to log out the user.
  ■ Calls the reportDriver() method to render the updated access report.
◆ logUserIn(): This method logs in the specified user. It works as follows:
  ■ Checks whether the given date and time are valid. If they aren't, it shows the appropriate error message to the user and returns to the previous page.
  ■ Checks whether the given date and time lie in the future. If they do, it shows the appropriate error message to the user and returns to the previous page.
  ■ Creates a new ActivityAnalyzer object called $analyzer.
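The checks described above for authorize(), confirmMessage(), modifyMessage(), and the access reporter's logUserIn() and logUserOut() are collected below in one stand-alone PHP example. This is added illustration, not code from the book or its CD-ROM: the MessageGuard class and its method names, the 'user' type string, and the value given to ADMIN_TYPE are assumptions made for the example, and the request values at the bottom are constructed.

```php
<?php
// Added example (not from the book): default-deny authorization and input
// validation in the style of the message manager and access reporter
// applications. Class name, method names and the ADMIN_TYPE value are
// assumptions made for this example.

declare(strict_types=1);

const ADMIN_TYPE = 'admin'; // assumed value; the book only names the constant

final class MessageGuard
{
    /**
     * Mirrors authorize(): administrators may do anything; any other valid
     * user may only add a message. Everything else is denied, including a
     * request that carries no positive user ID.
     */
    public static function authorize(int $uid, ?string $userType, ?string $cmd): bool
    {
        if ($uid <= 0) {
            return false;            // not logged in / invalid UID: deny
        }
        if ($userType === ADMIN_TYPE) {
            return true;             // admins: add, modify, delete, menu
        }
        return $cmd === 'add';       // non-admins: add only
    }

    /**
     * Mirrors the date handling in confirmMessage(): month/day/year must be
     * a real calendar date that is not before today. Returns the publication
     * timestamp built from the user's m/d/y plus the current h:m:s, or null
     * so the caller can show an alert instead of proceeding.
     */
    public static function publicationTimestamp(int $m, int $d, int $y, int $now): ?int
    {
        if (!checkdate($m, $d, $y)) {
            return null;             // e.g. 2/30/2003 is not a date
        }
        $realDate = mktime((int) date('H', $now), (int) date('i', $now), (int) date('s', $now), $m, $d, $y);
        // Compare at day granularity: a publication date of "today" is allowed.
        $today = mktime(0, 0, 0, (int) date('n', $now), (int) date('j', $now), (int) date('Y', $now));
        if ($realDate === false || $today === false || $realDate < $today) {
            return null;             // publication date lies in the past
        }
        return $realDate;
    }

    /**
     * Mirrors logUserIn()/logUserOut(): the administrator-supplied date and
     * time must be real and must not lie in the future.
     */
    public static function manualLogTimestamp(int $m, int $d, int $y, int $h, int $i, int $s, int $now): ?int
    {
        if (!checkdate($m, $d, $y) || $h < 0 || $h > 23 || $i < 0 || $i > 59 || $s < 0 || $s > 59) {
            return null;
        }
        $ts = mktime($h, $i, $s, $m, $d, $y);
        return ($ts === false || $ts > $now) ? null : $ts;
    }

    /**
     * Mirrors the required-field check in confirmMessage(): title, body and
     * viewer list must all be non-empty.
     */
    public static function hasRequiredFields(string $title, string $msg, array $viewers): bool
    {
        return trim($title) !== '' && trim($msg) !== '' && count($viewers) > 0;
    }

    /**
     * Mirrors modifyMessage(): a message any viewer has already acknowledged
     * is never edited in place; the edited content becomes a new message.
     */
    public static function modifyAction(bool $alreadyRead): string
    {
        return $alreadyRead ? 'addMessage' : 'modifyMessage';
    }
}

// Constructed input, not a real request; a fixed "now" keeps the run reproducible.
$now = mktime(9, 25, 0, 4, 4, 2003);
var_dump(MessageGuard::authorize(7, 'user', 'delete'));            // non-admin, not add
var_dump(MessageGuard::authorize(7, 'user', 'add'));               // non-admin, add
var_dump(MessageGuard::authorize(0, ADMIN_TYPE, 'delete'));        // no valid UID
var_dump(MessageGuard::publicationTimestamp(4, 3, 2003, $now));    // yesterday
var_dump(MessageGuard::publicationTimestamp(2, 30, 2003, $now));   // not a date
var_dump(MessageGuard::manualLogTimestamp(4, 5, 2003, 8, 0, 0, $now)); // future
var_dump(MessageGuard::modifyAction(true));
```

Run it with the php command-line interpreter. The property worth keeping when adapting this is that authorize() denies by default: a missing or non-positive user ID, an unknown user type, or any command other than add from a non-administrator all fall through to FALSE. The date helpers return null rather than a guessed timestamp, so the caller shows the alert the chapter describes instead of writing a bad publication or login time to the database.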