Digital's Quick and Dirty Guide to PHP

[Order]

Ok, since this section needs a little help, this should help, and agian, m0g you are more then welcome to convert these little tutorials into tutorials, it is up to you.

Every week, I will try to post one tutorial pertaining to PHP, in the end hopefully I will cover most of the issues relating to PHP.

If you forget your functions, or want to continue learning PHP, go to the The PHP Manual!

[Order]

This Weeks Guide: January 19th, 2004

I will cover the basics of handling variables, perhaps the most important bit of information to use in PHP. Variables are like cups, that contain water, or in the case of PHP, they hold data. Unlike in C/C++ or a lot of other languages, PHP does not seperate data types (i.e One Vaiable can contain numbers, words, letters, decimals, etc).

Here is a small sample of how to create a variable called hello:

PHP Code:

<?php

  $hello = "Hello World!";
  echo $hello;
?>

If that were to be ran in a *.php page on a server, it would output to the screen the words "Hello World!". The echo function displays the information stored in $hello. All Variables start with $. Now we will do a little math with variables, of course, you cannot add words, so we will use numbers, which are called integers.

PHP Code:

<?php
  $a = 1;
  $b = 3;
  $c = $a * $b - 3;

  echo $c;
?>

This is an interesting peice of code, you can manipulate PHP in such a way as to be able to handle almost any type of math. I chose a simple example here which cancels itself out. First, I assigned a the integer 1, b the integer 3, and then I gave c the value of a * b - 3. PHP will process the math before assigning anything to c, so 1 * 3 - 3 would by 0, hense c would be 0, and that would be what is sent to the screen with echo.

Now, say you have two or three strings that you want to put into one variable, how can you add them together without using math, it is simple, you can combine several variables or strings together using '.', a period! Here is an example.

PHP Code:

<?php
  $name = "Digital";
  $hello = "Hello, ";
  $end = "!";

  // Will make those three vars into one.
  $complete = $hello . $name . $end;

  echo $complete;
?>

That simple, you will get "Hello, Digital!" if you were to run it in a php file. As you can see, PHP makes it real easy to handle variables. Next week, we will cover another form of variable, arrays, which bring variables into a new light.

Why do you use double quotes when not outputting anything? Every time the parser sees double quotes it expects output, and when output does not happen it slows the script down.

[ConceptualMind]

Hey Peyton, glad your posting.

Digital, Peyton has a VAST knowledge of PHP and other coding languages. He's a coding GURU. He knows his stuff.

[Order]

Quote:

Originally posted by Peyton
Why do you use double quotes when not outputting anything? Every time the parser sees double quotes it expects output, and when output does not happen it slows the script down.

I only do that for strings, I know that you can use ' and ' to achieve the same, but I learned with " and ", so it is what I use. I have noticed no slowdown between " and '

Regardless of the way you learned it, using a double quote is incorrect.

Of course you don't notice any difference between the two, but in a larger script it can make a difference.

[Order]

Quote:

Originally posted by Peyton
Regardless of the way you learned it, using a double quote is incorrect.

Of course you don't notice any difference between the two, but in a larger script it can make a difference.

For what I am teaching, small scripts, it works, however thanks for letting it be known that you can use ' instead of ", however both work.

Sort of like CSS and the <font> tag. Both work, but one is incorrect.

Though, I promise you there are speed differences.

[ConceptualMind]

Hehe... Digtal looks like you have a bit of competition. I told you Peyton knows his stuff, he just needs to post a bit more. We could all learn from him.

[Order]

Quote:

Originally posted by Subject2Failure
Hehe... Digtal looks like you have a bit of competition. I told you Peyton knows his stuff, he just needs to post a bit more. We could all learn from him.

Yes, however programmers do compete.. so I have a feeling that there will be a few heated discussions in the future..

[Evdawg]

Quote:

Originally posted by Digital
Yes, however programmers do compete.. so I have a feeling that there will be a few heated discussions in the future..

heated discussions are good! That means I learn from both of you!

[ConceptualMind]

Peyton is more active on other forums though. He stops by to check his PM's ... or if I tell him to. Oh, if you didn't notice he's the one I'm working with for our design company.

[Hornet]

Because I am me, I've been learning about web application security holes for some time. However, I have now started to learn PHP in earnest, and I'm now trying to defend my scripts against the usual attacks. After tearing out several patches of hair trying to make a half-decent variable checker, I finally decided to consult the PHP manual, deciding that someone else must have already done something similar. It turns out that they had - '^[^./][^/]*$' - was mentioned as an ereg parameter, and the code was about twenty lines shorter than what I was churning out, although it seems to be based on the same principles (even though I was using preg_match). But this now begs the question, What The Hell Does It Mean? I don't speak PHP parser (yet), so could someone tell me what that clump of ASCII is up to?

And what's more, looking at the code in question, surely the attacker could just close and exit the if statement and then carry on as he was before? The solution almost seems more dangerous than the cure. In case you wondered, I'm currently creating a download manager, and I'm trying to stop people traversing around by fiddling with the URL and then downloading password files and the like (I'd previously forced it to show me the entire downloads folder, for example).

I've already forced the script to append a .zip extension to the requested file, but that might not be enough. Your thoughts on that one? The PHP executable will be running with root access rights, so yes it could dish out the password files on a nix system (where it's headed when I'm done with it).
Hang on... Wouldn't it be easier (and safer) to catch and refuse any requests that contain non-alphanumeric characters, instead of trying to scan for any funny business? *Ponders*

I have never actually run a website (I just build them for friends), and so the answer to this next one may be painfully obvious to most of you. I keep getting one of two errors when my counter tries to write to a log file: one error is that the file or directory does not exist, and the other is that it isn't writable. I'm assuming that the first error is another manifestation of the second, but how can I solve it? The development server (aka my laptop with its professional hat on) is an XP machine running Apache 1.3 and PHP 4.2 if that helps. I presume I need to do a bit of chmodding? If so, how does one go about it?

I'm also having trouble making the script allow localhost as a referrer. Unlike the previous problem, this one's probably down to my coding. The bare-bones of the code in question goes _something_ like:

PHP Code:

$ref = $http_referrer;
if (preg_match ("/local/i", "$ref")) { 
header ("location /zips/afile.zip");
} else {
echo "Cheese"; } 


And please don't complain about my using preg_match - it's only until I get the blasted thing working, then I'll use something more refined. There isn't much that could go wrong, but Something's Up Somewhere. As a test I made a PHP file that outputs the referrer to the screen, and it shows the page I came from, so that's got me rightly flummoxed. Just what is going wrong?

Finally, I'm also playing around with overlaying one PNG image onto another. I'm not trying to make it output an image, but create a seperate one somewhere else, and I've tried six or seven different ways of doing it, but none seem to work as they should. What libraries/extensions do I need to do so? Phpinfo says that I have gd 2.0 or higher, yet many examples in the PHP manual don't work either. I doubt anyone here has tried to use PHP to create PNGs, but if you have some assistance would be muchly appreciated.

And if you actually took the time to read all of this post, then I admire your stamina!

[Hornet]

I've now solved the referrer and the log file problems, but the ASCII and PNG issues still need to be sorted, so some input would most useful.

I doubt this'll get a reply for ages, if at all, the Biorust forums being the paradox that they are, but I'm trying to amalgamate a collection of counter files into one large file. I'm using |> as a seperator, and I've got such a headache I can scarcely think to type let alone dig out PHP snippets for you, but this should be the right bit:

PHP Code:

$test="fish";
$wfile = file("count.db");
$i = 0;
echo ("$test");
echo ("$file");
echo ("$count");
echo ("<br><br>");
foreach($wfile as $value)
{
IF($value)
{
list($file,$count) = explode("|>", $value);
echo ("$file");
echo ("$count");
if ($file == $test) { print "I am $test";  } else { print "asd "; }
echo ("<br><br>");
$i++;
}
} 


Actually, it looks looks like one of my test files, but it'll do to give you an idea of how the thing's structured. Basically, how can I only change one line in the database? There are about 100 entries in all, so I'd prefer not to loop through everything and 'if' it to death scanning for the right line, then write the entire file back to itself with the exception of that one line. There must be an easier way...

[Order]

not working with files, you should look into mysql for storage of data. or better yet, look at php's dbm(?) support for file based database.