Chapter 2: Understanding and Avoiding Security Risks
Identifying the Sources of Risk
Minimizing User-Input Risks
Not Revealing Sensitive Information
Summary
Chapter 3: PHP Best Practices
Best Practices for Naming Variables and Functions
Best Practices for Function/Method
Best Practices for Database
Best Practices for User Interface
Best Practices for Documentation
Best Practices for Web Security
Best Practices for Source Configuration Management
Summary
Part II
Chapter 4: Architecture of an Intranet Application
Understanding Intranet Requirements
Building an Intranet Application Framework
Creating a Database Abstraction Class
Creating an Error Handler Class
Creating a Built-In Debugger Class
Creating an Abstract Application Class
Creating a Sample Application
Summary
Chapter 5: Central Authentication System
How the System Works
Creating an Authentication Class
Creating the Central Login Application
Creating the Central Logout Application
Creating the Central Authentication Database
Testing Central Login and Logout
Making Persistent Logins in Web Server Farms
Summary
Chapter 6: Central User Management System
Identifying the Functionality Requirements
Creating a User Class
User Interface Templates
Creating a User Administration Application
Creating a User Password Application
Creating a Forgotten-Password Recovery Application
Summary
Chapter 7: Intranet System
Identifying Functionality Requirements
Designing the Database
Designing and Implementing the Intranet Classes
Setting Up Application Configuration Files
Setting Up the Application Templates
Intranet Home Application
Installing Intranet Applications from the CD- ROM
Testing the Intranet Home Application
Summary
Chapter 8: Intranet Simple Document Publisher
Identifying the Functionality Requirements
The Prerequisites
Designing the Database
The Intranet Document Application Classes
Setting up Application Configuration Files
Setting Up the Application Templates
The Document Publisher Application
Installing Intranet Document Application
Testing Intranet Document Application
Summary
Chapter 9: Intranet Contact Manager
Functionality Requirements
Understanding Prerequisites
The Database
The Intranet Contact Manager Application Classes
The Application Configuration Files
The Application Templates
The Contact Category Manager Application
The Contact Manager Application
Installing Intranet Contract Manager
Testing Contract Manager
Summary
Chapter 10: Intranet Calendar Manager
Identifying Functionality Requirements
Understanding Prerequisites
Designing the Database
The Intranet Calendar Application Event Class
The Application Configuration Files
The Application Templates
The Calendar Manager Application
The Calendar Event Manager Application
Installing the Event Calendar on Your Intranet
Testing the Event Calendar
Summary
Chapter 11: Internet Resource Manager
Functionality Requirements
Understanding the Prerequisites
Designing the Database
Designing and Implementing the Internet Resource Manager Application Classes
Creating Application Configuration Files
Creating Application Templates
Creating a Category Manager Application
Creating a Resource Manager Application
Creating a Resource Tracking Application
Creating a Search Manager Application
Installing an IRM on Your Intranet
Testing IRM
Security Concerns
Summary
Chapter 12: Online Help System
Functionality Requirements
Understanding the Prerequisites
Designing and Implementing the Help Application Classes
Creating Application Configuration Files
Creating Application Templates
Creating the Help Indexing Application
Creating the Help Application
Installing Help Applications
Testing the Help System
Security Considerations
Summary
Part III
Chapter 13: Tell-a-Friend System
Functionality Requirements
Understanding Prerequisites
Designing the Database
Designing and Implementing the Tell- a- Friend Application Classes
Creating Application Configuration Files
Creating Application Templates
Creating the Tell-a-Friend Main Menu Manager Application
Creating a Tell-a-Friend Form Manager Application
Creating a Tell-a-Friend Message Manager Application
Creating a Tell-a-Friend Form Processor Application
Creating a Tell-a-Friend Subscriber Application
Creating a Tell-a-Friend Reporter Application
Installing a Tell-a-Friend System
Testing the Tell-a-Friend System
Security Considerations
Summary
Chapter 14: E-mail Survey System
Functionality Requirements
Architecture of the Survey System
Designing the Database
Designing and Implementing the Survey Classes
Designing and Implementing the Survey Applications
Developing Survey Execution Manager
Setting Up the Central Survey Configuration File
Setting Up the Interface Template Files
Testing the Survey System
Security Considerations
Summary
Chapter 15: E-campaign System
Features of an E-campaign System
Architecting an E-campaign System
Designing an E-campaign Database
Understanding Customer Database Requirements
Designing E-campaign Classes
Creating Common Configuration and Resource Files
Creating Interface Template Files
Creating an E-campaign User Interface Application
Creating a List Manager Application
Creating a URL Manager Application
Creating a Message Manager Application
Creating a Campaign Manager Application
Creating a Campaign Execution Application
Creating a URL Tracking and Redirection Application
Creating an Unsubscription Tracking Application
Creating a Campaign Reporting Application
Testing the E-Campaign System
Security Considerations
Summary
Part IV
Chapter 16: Command-Line PHP Utilities
Working with the Command-Line Interpreter
Building a Simple Reminder Tool
Building a Geo Location Finder Tool for IP
Building a Hard Disk Usage Monitoring Utility
Building a CPU Load Monitoring Utility
Summary
Chapter 17: Apache Virtual Host Maker
Understanding an Apache Virtual Host
Defining Configuration Tasks
Creating a Configuration Script
Developing makesite
Installing makesite on Your System
Testing makesite
Summary
Chapter 18: BIND Domain Manager
Features of makezone
Creating the Configuration File
Understanding makezone
Installing makezone
Testing makezone
Summary
Part V
Chapter 19: Web Forms Manager
Functionality Requirements
Understanding Prerequisites
Designing the Database
Designing and Implementing the Web Forms Manager Application Classes
Creating the Application Configuration Files
Creating Application Templates
Creating the Web Forms Submission Manager Application
Creating the Web Forms Reporter Application
Creating the CSV Data Exporter Application
Installing the Web Forms Manager
Testing the Web Forms Manager
Security Considerations
Summary
Chapter 20: Web Site Tools
Functionality Requirements
Understanding Prerequisites
Designing the Database
Designing and Implementing the Voting Tool Application Class
Creating the Application Configuration Files
Creating the Application Templates
Creating the Vote Application
Installing the Voting Tool
Testing the Voting Tool
Summary
Part VI
Chapter 21: Speeding Up PHP Applications
Benchmarking Your PHP Application
Buffering Your PHP Application Output
Compressing Your PHP Application Output
Caching Your PHP Applications
Summary
Chapter 22: Securing PHP Applications
Controlling Access to Your PHP Applications
Securely Uploading Files
Using Safe Database Access
Recommended php.ini Settings for a Production Environment
Limiting File System Access for PHP Scripts
Running PHP Applications in Safe Mode
Summary
Part VII
Appendix A: What's on the CD-ROM
System Requirements
What's on the CD
Troubleshooting
Appendix B: PHP Primer
Object-Oriented PHP
Appendix C: MySQL Primer
Using MySQL from the Command- Line
Using phpMyAdmin to Manage MySQL Database
Appendix D: Linux Primer
Installing and Configuring Apache 2.0
Installing and Configuring MySQL Server
Installing and Configuring PHP for Apache 2.0
Common File/Directory Commands
Index
Wiley Publishing, Inc. End-User License Agreement
Nội dung
isNodeOf() This method determines whether the current IP is a part of the given network. This is how it works: ◆ It first takes the octets of both IPs (the current IP and the network IP) into two arrays named $currentOctets and $networkOctets. ◆ It removes the fourth octet of the network IP (if it exists) and the current IP. ◆ Each octet (three in total) of the current IP is matched with the octets of the network IP. The match counter $matchCount is incremented with each successful match. ◆ The method returns TRUE if the match counter is exactly equal to the number of octets of the network; otherwise, it returns FALSE. isNetworkAddr() This method determines whether the given IP is a network address. It first takes the octets of the IP in an array. Then it determines whether the given IP is a network address by matching it with any of the following three conditions: whether the length of the array is less than four; whether the second to last element of the octet array is a zero; and whether the second to last element of the octet array is an “x”. Designing and implementing the DataCleanup class The DataCleanup class is used to clean up form data collected from the user. The ch19/apps/class/class.DataCleanup.php file on the CD-ROM implements this class, which implements the methods described in the following sections. DataCleanup() This is the constructor method. Basically, it is used by the caller application to instantiate the class. cleanup_none() This is the basic cleanup method, which does the simple job of returning the string passed to the method as a parameter without any formatting. cleanup_ucwords() This method takes a string as a parameter and returns it after formatting the first character of each word into an uppercase character. 666 Part V: Internet Applications 25 549669 ch19.qxd 4/4/03 9:27 AM Page 666 cleanup_ltrim() This method returns the given string after removing all whitespace from the left of it. cleanup_rtrim() This method returns the given string after removing all whitespace from the right of it. cleanup_trim() This method returns the given string after removing all whitespace around it. cleanup_lower() This method takes a string as a parameter and returns it after converting all the characters to lowercase characters. Designing and implementing the DataValidator class The DataValidator class is used to validate form data collected from the user. The ch19/apps/class/class.DataValidator.php file on the CD-ROM implements this class, which implements the methods described in the following sections. DataValidator() This is the constructor method. Basically, it is used by the caller application to instantiate the class. validate_size() This method validates the size of the input. This is how it works: ◆ It takes as parameters the data to be validated ($str), the size permitted ($size), and the type of the data ($type). ◆ The $size parameter is provided as a string that has “size=” at the beginning. Therefore, the method first gets the actual permitted size by removing the string “size=” from the given $size. ◆ The method directly returns TRUE if it finds that the permitted size is “any”. ◆ Otherwise, $size is passed into the get_size() method to find the mini- mum and maximum allowed size. ◆ Depending on the type (text/number) of the data, the validate_string_ size() method or the validate_number_range() method is called to validate the size of the data. Chapter 19: Web Forms Manager 667 25 549669 ch19.qxd 4/4/03 9:27 AM Page 667 get_size() This method takes the permitted size as a string and returns an array with informa- tion about the minimum and maximum allowed size. This is how it works: ◆ It first checks whether there is a ‘-’ in the given size string, which means that two sizes are provided on either side of the ‘-’, indicating both a minimum and a maximum. Otherwise, the method assumes that the given size is the only size allowed, and hence it returns the given size as both minimum and maximum size. ◆ If there is a ‘-’ in the given parameter, the method explodes the string and determines the minimum and maximum allowed size. ◆ It then looks for a ‘KB’ or ‘MB’ in the string that identifies the maximum size. If it finds such a string, this method converts the sizes accordingly (it multiplies by 1024 in the case of ‘KB’) and keeps them in the associative array. ◆ Finally, the array indicating the minimum and maximum allowed size is returned. validate_number_range() This method takes three numbers as input (the number to be validated, the upper bound, and the lower bound) and determines whether the first number falls within the other two numbers. validate_string_size() This method validates the length of the string. It takes the string and the two bounds (minimum and maximum length) and determines whether the string length is within the boundary allowed. validate_name() This method determines whether the given string is a valid name by checking it for numbers and unusual characters (anything other than the alphabets). validate_org_name() This method determines whether the given string is a valid organization name by checking it for unusual characters (anything other than the alphabet, numeric char- acters, or the comma, period, and hyphen). validate_number() This method determines whether the given string is a valid number by allowing only numeric characters and the period (“.”). 668 Part V: Internet Applications 25 549669 ch19.qxd 4/4/03 9:27 AM Page 668 validate_any_string() This method takes a string as input and always returns TRUE. validate_email() This method takes a string as input and determines whether it is a valid e-mail address by using a complex regular expression taken from http://www.php.net/ manual/en/function.preg-match.php . validate_url() This method validates the given string by checking it for valid schemes (http, https, or ftp). validate_file_size() This method determines whether the given file size falls within the specified allowed size. This method uses the get_size() method to determine the allowed maximum and minimum size. Designing and implementing the FormSubmission class The FormSubmission class is used to process the submission of the form. The ch19/ apps/class/class.FormSubmission.php file on the CD-ROM implements this class, which implements the methods described in the following sections. FormSubmission() This is the constructor method. It sets member variables $DBI (to hold the DBI object), $ID (to hold the form ID), $KNOWN_FORMS (to hold the array of known forms), and $ERRORS (to hold the array of errors). hasError() This method determines whether the array for holding the errors is empty, returning either TRUE or FALSE. getErrors() This method returns the member variable $ERROR, which is an array of the errors. getErrorMessage() This method is used to retrieve the form-specific error messages. This is how it works: ◆ This method takes two parameters: $lang (for the language of the error message) and $err (for the error/array of errors). ◆ If $err is not supplied, this method takes $ERROR, the member variable of the class. Chapter 19: Web Forms Manager 669 25 549669 ch19.qxd 4/4/03 9:27 AM Page 669 ◆ If $err is given as a string and not an array, this method gets the single error message from the member variable $FORM_ERRORS, which is set in the loadConfigFile() method. ◆ If $err is an array, each of the error messages is retrieved from $FORM_ERRORS and returned as one string (by imploding a line break among them). setupForm() This method is used for the form setup. This is how it works: ◆ It uses the member variable $FORM_FIELDS, which is set in the loadConfigFile() method. ◆ $FORM_FIELDS is an associative array that holds all the field names of the form and their configurations. This method breaks down each of the field’s configurations and sets them as member variables to be used later. isKnownForm() This method determines whether the current form is one of the known and config- ured forms by matching its ID with IDs of the $KNOWN_FORMS array. loadConfigFile() This method is responsible for loading the configuration file specific to the form. Every form to be managed has its own configuration file. Therefore, this method identifies the configuration file for the current form and includes it for later usage. It sets member variables $FORM_FIELDS, $FORM_ERRORS, and $FILE_LOAD_FIELDS from that configuration file. processForm() This method takes care of the entire processing of the form submission. This is how it works: ◆ It first calls the haveRequiredData() method to determine whether all of the form’s required data has been submitted. If not, it returns with the proper error signal. ◆ It then calls the validateData() method to validate the given data. If it fails, it returns with the proper failure signal. ◆ The cleanupData() method is called to clean up the given data. ◆ After that, submitData() is invoked to insert the data into the database. ◆ The uploadFile() method is called to manage any file uploads. ◆ The method then sends outbound (to user) and/or inbound (to admin) e-mails, if specified in the form configuration. 670 Part V: Internet Applications 25 549669 ch19.qxd 4/4/03 9:27 AM Page 670 . valid e-mail address by using a complex regular expression taken from http://www .php. net/ manual/en/function.preg-match .php . validate_url() This method validates the given string by checking it for. is used to validate form data collected from the user. The ch19/apps/class/class.DataValidator .php file on the CD-ROM implements this class, which implements the methods described in the following. class is used to clean up form data collected from the user. The ch19/apps/class/class.DataCleanup .php file on the CD-ROM implements this class, which implements the methods described in the following