MCIS/UA PHP Training 2003 Chapter 9 Web Techniques, Security, - - PowerPoint PPT Presentation



SLIDE 1

PHP Training 2003 Chapter 9 Web Techniques, Security, & Design

MCIS/UA

SLIDE 2

Introduction

  • This chapter will cover several miscellaneous topics concerning web application design in PHP and in general that were not covered elsewhere.

  • Persistence
  • Error handling
  • Maintenance
  • Security
  • Design
  • PHP5 preview

SLIDE 3

Persistence

SLIDE 5

Persistence

  • Persistence (sometimes referred to as state) refers to the ability to retain information between web requests and across servers
  • In PHP, this is primarily done in any of the following ways:

  • Hidden form variables
  • Session data
  • Cookies

SLIDE 6

Hidden Form Variables

  • Hidden form variables can be used to pass information from one web request to the next

  • Persistent only for the next web request
  • Not necessarily secure (can be spoofed)
  • use the 'form_hidden' form element
  • See modify.php for an example

$form->add_element('form_hidden', array('name' => 'shortname'), $shortname);

SLIDE 7

Session Data

  • Data stored in the $_SESSION array will automatically be retained across web requests

  • Persistent across the entire "session"

$_SESSION['uniqueid'] = 'covertka';

  • Session data can extend to multi-dimensions

$_SESSION['names']['covertka'] = 'Kent Covert';
$_SESSION['names']['tepeds'] = 'Dirk Tepe';

  • More secure than form data or cookies

SLIDE 8

Cookies

  • Cookies are name/value pairs of data that are stored within the user's browser
  • Can also be arrays - but stored as individual items
  • Persistence can be current session or longer (basically indefinite)

  • Not necessarily secure (can be spoofed)
  • Cookies are tied to browser (not user)
  • Cookies are set using the setcookie() function

setcookie(name [,value [,expire [,path [,domain [,secure]]]]]);

SLIDE 9

Cookies

  • Can contain the following attributes:
  • name - the name for the cookie - no whitespace or semicolons - must be unique for this domain
  • value - the value for the cookie - should be less than 3.5 KB
  • expire - when the cookie should expire - specified as number of seconds since 1/1/1970 GMT - if not specified, then cookie expires at end of session
  • path - the URL path this cookie should apply to - if not specified, applies to the current directory only
  • domain - the IP domain that the cookie should apply to - if not specified, applies to the current host only
  • secure - if set, will only apply the cookie to https connections

SLIDE 10

Cookies

setcookie('uniqueId', 'covertka');

setcookie('uniqueId',                       # name
          'covertka',                       # value
          mktime(0, 0, 0, 1, 1, 2030),      # expire
          '/',                              # path
          '.muohio.edu',                    # domain
          0);                               # secure

setcookie('names[covertka]', 'Kent Covert');

SLIDE 11

Cookies

  • Cookies are returned in the $_COOKIE array

$uniqueId = $_COOKIE['uniqueId'];   # cookie names are case-sensitive: same spelling as in setcookie()
$name = $_COOKIE['names']['covertka'];

SLIDE 12

Persistence Summary

                                      Hidden Form Data   Session Data    Cookies
  Secure                              no                 relatively      no
  Lifetime                            session            session         session or any other time
  Can be used by other applications   yes                no              yes
  Tied to                             session/user       session/user    browser
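The three mechanisms side by side, as an added example that is not part of the slides: the verified identity is kept in $_SESSION, a display preference goes in a cookie with the setcookie() attributes from the cookie slides, and whatever comes back in $_COOKIE or in a hidden field is validated before use. The cookie name, the theme list and the domain are assumptions.

```php
<?php
// Added example (not from the slides): the trusted identity lives in
// $_SESSION; cookies and hidden fields are client-controlled, so whatever
// comes back in $_COOKIE or $_POST is validated before it is used.
session_start();

// Called once the login form has been checked; $uid is the verified id.
function record_login($uid) {
    session_regenerate_id();          // do not keep the pre-login session id
    $_SESSION['uniqueid'] = $uid;     // server side: the browser cannot edit it
}

// A display preference is harmless in a cookie (the cookie name and the
// domain are assumptions).
function set_theme_cookie($theme) {
    setcookie('theme',                         // name
              $theme,                          // value
              mktime(0, 0, 0, 1, 1, 2030),     // expire
              '/',                             // path
              '.muohio.edu',                   // domain
              true);                           // secure: https only
}

// Anything in $_COOKIE can be spoofed, so accept only known values.
function current_theme() {
    $allowed = array('light', 'dark');         // assumed theme names
    if (isset($_COOKIE['theme']) && in_array($_COOKIE['theme'], $allowed, true)) {
        return $_COOKIE['theme'];
    }
    return 'light';
}

// Authorization decisions use the session only. A hidden 'shortname' field
// may be checked against it but never replaces it.
function current_user() {
    if (!isset($_SESSION['uniqueid'])) {
        return false;                          // not logged in
    }
    if (isset($_POST['shortname']) && $_POST['shortname'] !== $_SESSION['uniqueid']) {
        return false;                          // hidden field was tampered with
    }
    return $_SESSION['uniqueid'];
}
?>
```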

SLIDE 13

Error Handling

  • We will discuss the following items:
  • Normal error handling
  • Changing default error handling
  • Error report suppression
  • Triggering errors
  • Custom error handling
  • PHP5 error handling

SLIDE 14

Normal Error Handling

  • Under normal conditions, any statement that produces a warning or error will cause a message to be displayed.

  • warnings - execution continues
  • errors - execution stops

Warning: fopen("nonexistentfile.txt", "r") - No such file or directory in /usr/local/www/share/htdocs/phpdev/covertka/test2.php on line 3

  • Most functions return an error value (false, NULL, etc)
  • Textual error messages are generally stored in the $php_errormsg global variable following an error

SLIDE 15

Changing default error handling

  • Which conditions are reported can be controlled with the error_reporting() function.
  • Parameter is a bitfield of the conditions to report.
  • By default, error_reporting is set to the following:

error_reporting(E_ALL & ~E_NOTICE)

  • A list of error constants can be found in the PHP documentation

SLIDE 16

Error Report Suppression

  • Error reporting can be suppressed for any statement by preceding it with an @.

$fh = @fopen("nonexistentfile.txt","r");

  • Only suppresses the reporting of the error
  • $fh will still contain FALSE

SLIDE 17

Triggering errors

  • An application can trigger an error with the trigger_error() function

trigger_error(message[, type]);

  • message is the textual error message to display (and put in $php_errormsg)

  • type is the error level to generate:
  • E_USER_ERROR
  • E_USER_WARNING
  • E_USER_NOTICE

SLIDE 18

Custom Error Handling

  • An application can replace PHP's global error handler with its own custom global error handler with the set_error_handler() function.

$oeh = set_error_handler('myErrorHandler');

  • Returns the old error handler
  • All runtime warnings and notices will be sent to the custom error handler
  • Does not include fatal errors, parse errors, internal PHP errors, etc.

SLIDE 19

Custom Error Handling

  • Custom error handlers should be defined with the following parameters:
  • error - error code
  • error string - textual error message
  • filename - name of file the error occurred in, optional
  • line number - line number where error occurred, optional
  • symbols - copy of the active symbol table, optional

SLIDE 20

Custom Error Handling

function myerrorhandler($error, $error_string, $filename, $line, $symbols = null) {
    die("Got to myerrorhandler: $error_string");
}

set_error_handler('myerrorhandler');
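A custom handler that ties the last few slides together (error_reporting(), the @ operator, trigger_error() and set_error_handler()), added here as an example that is not from the course: details go to the server log and the browser sees only a generic message, so file paths and line numbers are not revealed. The level names and the log wording are choices made for this example.

```php
<?php
// Added example (not from the slides): log the detail, show the user a
// generic message, and respect error_reporting() like PHP's own handler.
function myErrorHandler($errno, $errstr, $errfile, $errline) {
    // Honour error_reporting() and the @ operator (which lowers it):
    // returning false hands the error back to PHP's standard handler.
    if (!(error_reporting() & $errno)) {
        return false;
    }
    $names = array(
        E_WARNING      => 'WARNING',
        E_NOTICE       => 'NOTICE',
        E_USER_ERROR   => 'USER_ERROR',
        E_USER_WARNING => 'USER_WARNING',
        E_USER_NOTICE  => 'USER_NOTICE',
    );
    $level = isset($names[$errno]) ? $names[$errno] : "E$errno";

    // Full detail goes to the web server's error log, not to the browser.
    error_log("[$level] $errstr in $errfile on line $errline");

    if ($errno == E_USER_ERROR) {
        // Fatal for the application: stop with a message that leaks nothing.
        die('An internal error occurred. Please try again later.');
    }
    return true;   // handled: PHP will not print its own message
}

$oldHandler = set_error_handler('myErrorHandler');

// The warning from a failed fopen() is routed to the handler and logged...
$fh = fopen('nonexistentfile.txt', 'r');
if ($fh === false) {
    // ...and the application raises its own error with trigger_error().
    trigger_error('required data file is missing', E_USER_ERROR);
}
?>
```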

SLIDE 21

PHP5 Error Handling

  • PHP5 will introduce the try...catch methodology that's used in C++, Java, etc.

try {
    $fh = fopen($filename, "r");
    $content = fgets($fh, 1024);
    fclose($fh);
} catch (Exception $e) {
    $emsg = $e->getMessage();
    die("An error occurred reading the file: $emsg");
}

  • PHP5 is in beta now.

SLIDE 22

Maintenance

  • Several items can help with long-term maintenance
  • File/URL paths
  • Published URLs
  • Class/Objects/Libraries

SLIDE 23

File/URL paths

  • File/URL paths change over the life of an application
  • Development -> Staging -> Production
  • Future maintenance/modifications
  • Pain for Technical Services and Data Admin

SLIDE 24

File/URL paths

  • Use relative URLs whenever possible

$navmenu = array("Search" => "search.php");

  • When full URLs or paths are needed, use pre-defined constants if possible

  • MU_WEB_HOST - https://webdev.admin.muohio.edu
  • MU_WEB_APP_DIR - /phpdev
  • MU_WEB_STATIC_DIR - /static
  • MU_FS_APP_DIR - /usr/local/www/share/htdocs/phpdev
  • MU_FS_STATIC_DIR - /usr/local/www/share/htdocs/static

SLIDE 25

Published URLs

https://admsol02.mcs.muohio.edu:11180/phpapps/finance/raises.php

X https protocol required
X Specific machine
X Port
X Specific file
X No webcache
X Long URL
X Not flexible/maintainable

SLIDE 26

Published URLs

http://www.admin.muohio.edu/phpapps/finance/raises/

https protocol optional
No specific machine
No ports
No specific files
Uses webcache
More flexible

X Specific path
X Long URL

SLIDE 27

Published URLs

http://www.muohio.edu/raises/

https protocol optional (currently not allowed)
No specific machine
No ports
No specific files
Uses webcache
Short URL
Most flexible (bookmarks still a problem...today)

SLIDE 28

Classes/Objects/Libraries

  • Begin thinking of code reuse.

SLIDE 29

Security

  • Some security concerns have already been dealt with
  • r disabled
  • register_globals is disabled
SLIDE 30

Security

  • Be wary of any user-controllable data: form data, cookies, etc.
  • Don't use in filenames (e.g. '/etc/passwd' or '../../../index.php')

  • Don't use in system() function

system("grep somefile.txt $username");
print $username;   # if the user supplied: covertka; rm -r / 2> /dev/null

  • Don't use in eval() function
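The two calls from this slide beside hardened forms, as an added example that is not from the course: the shell argument is restricted to the characters a username may contain and then quoted with escapeshellarg(), and a user-supplied filename is confined to one directory with basename() and realpath(). The reports subdirectory is an assumption; MU_FS_APP_DIR is the constant from the File/URL paths slide.

```php
<?php
// Added example (not from the slides): vulnerable call beside its safer form.
if (!defined('MU_FS_APP_DIR')) {
    define('MU_FS_APP_DIR', '/usr/local/www/share/htdocs/phpdev');  // value from the slides
}

// VULNERABLE: the shell parses $username, so a value like the one on the
// slide ("covertka; rm -r / 2> /dev/null") runs a second command.
function grep_user_unsafe($username) {
    system("grep somefile.txt $username");
}

// SAFER: accept only the characters a username may contain, then quote the
// argument so the shell treats it as one word whatever it holds.
function grep_user_safe($username) {
    if (!preg_match('/^[a-z][a-z0-9]{0,15}$/', $username)) {
        return false;                       // reject; do not try to "clean" it
    }
    system('grep somefile.txt ' . escapeshellarg($username));
    return true;
}

// VULNERABLE: "../../../etc/passwd" walks out of the reports directory.
function read_report_unsafe($report) {
    return file_get_contents(MU_FS_APP_DIR . "/reports/$report");
}

// SAFER: drop any directory part, then confirm the resolved path is still
// inside the intended directory before opening it.
function read_report_safe($report) {
    $dir  = realpath(MU_FS_APP_DIR . '/reports');   // assumed subdirectory
    $path = ($dir === false) ? false : realpath($dir . '/' . basename($report));
    if ($path === false || strpos($path, $dir . '/') !== 0) {
        return false;                       // missing, or outside $dir
    }
    return file_get_contents($path);
}
?>
```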
SLIDE 31

Security

  • Use SQL placeholders
  • $_REQUEST variable is populated in the following order:
  • Get variables
  • Post variables
  • Cookies
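An added example (not from the course) for the two points on this slide: the field is read from the array it is expected in rather than from $_REQUEST, where a cookie of the same name would win under the order shown above, and it is bound with a placeholder instead of being pasted into the SQL. PDO is used as the placeholder mechanism (the course predates it); the table, column and sample row are constructed for the demo.

```php
<?php
// Added example (not from the slides): read the field from $_POST and bind
// it with a placeholder. The in-memory database and its one row are
// constructed for this demo.

// In $_REQUEST a cookie called 'uniqueid' silently replaces the posted value,
// because cookies are merged last. Reading $_POST removes that ambiguity.
function posted_uniqueid() {
    if (!isset($_POST['uniqueid'])
        || !preg_match('/^[a-z][a-z0-9]{0,15}$/', $_POST['uniqueid'])) {
        return false;
    }
    return $_POST['uniqueid'];
}

// VULNERABLE: a quote inside $uid becomes part of the SQL statement.
function find_user_unsafe(PDO $db, $uid) {
    return $db->query("SELECT name FROM users WHERE uniqueid = '$uid'")->fetchAll();
}

// SAFER: the statement is parsed first; the bound value is only ever data.
function find_user_safe(PDO $db, $uid) {
    $stmt = $db->prepare('SELECT name FROM users WHERE uniqueid = :uid');
    $stmt->execute(array(':uid' => $uid));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');             // constructed in-memory database
$db->exec('CREATE TABLE users (uniqueid TEXT, name TEXT)');
$db->exec("INSERT INTO users VALUES ('covertka', 'Kent Covert')");   // sample row

$uid = posted_uniqueid();
if ($uid !== false) {
    foreach (find_user_safe($db, $uid) as $row) {
        print htmlspecialchars($row['name']) . "\n";
    }
}
?>
```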
SLIDE 32

Security

  • Don't trust that your form processing PHP program was actually called from the form you wrote
  • Easily spoofed
  • Use session variables rather than cookies or hidden form elements if in doubt

SLIDE 33

Security

  • PHP (and most other Web App Development environments) trusts everyone with development access to the system
  • If your application has information that must be secured from others on the system, use Zend Encoder

SLIDE 34

Design

SLIDE 35

Design

  • People don't read web pages.
  • Data driven, not function driven
  • Think of MS Word
SLIDE 36

Questions?