book

PHP Cookbook, 2nd Edition

by Adam Trachtenberg, David Sklar

August 2006

Intermediate to advanced

810 pages

19h 15m

English

O'Reilly Media, Inc.

Read now

Unlock full access

A Note Regarding Supplemental Files
Preface
Who This Book Is ForWhat Is in This BookOther ResourcesConventions Used in This BookComments and QuestionsAcknowledgments
1. Strings
1.0. Introduction1.1. Accessing Substrings1.2. Extracting Substrings1.3. Replacing Substrings1.4. Processing a String One Byte at a Time1.5. Reversing a String by Word or Byte1.6. Expanding and Compressing Tabs1.7. Controlling Case1.8. Interpolating Functions and Expressions Within Strings1.9. Trimming Blanks from a String1.10. Generating Comma-Separated Data1.11. Parsing Comma-Separated Data1.12. Generating Fixed-Width Field Data Records1.13. Parsing Fixed-Width Field Data Records1.14. Taking Strings Apart1.15. Wrapping Text at a Certain Line Length1.16. Storing Binary Data in Strings1.17. Program: Downloadable CSV File
2. Numbers
2.0. Introduction2.1. Checking Whether a Variable Contains a Valid Number2.2. Comparing Floating-Point Numbers2.3. Rounding Floating-Point Numbers2.4. Operating on a Series of Integers2.5. Generating Random Numbers Within a Range2.6. Generating Biased Random Numbers2.7. Taking Logarithms2.8. Calculating Exponents2.9. Formatting Numbers2.10. Formatting Monetary Values2.11. Printing Correct Plurals2.12. Calculating Trigonometric Functions2.13. Doing Trigonometry in Degrees, Not Radians2.14. Handling Very Large or Very Small Numbers2.15. Converting Between Bases2.16. Calculating Using Numbers in Bases Other Than Decimal2.17. Finding the Distance Between Two Places
3. Dates and Times
3.0. Introduction3.1. Finding the Current Date and Time3.2. Converting Time and Date Parts to an Epoch Timestamp3.3. Converting an Epoch Timestamp to Time and Date Parts3.4. Printing a Date or Time in a Specified Format3.5. Finding the Difference of Two Dates3.6. Finding the Difference of Two Dates with Julian Days3.7. Finding the Day in a Week, Month, or Year3.8. Validating a Date3.9. Parsing Dates and Times from Strings3.10. Adding to or Subtracting from a Date3.11. Calculating Time with Time Zones3.12. Accounting for Daylight Savings Time3.13. Generating a High-Precision Time3.14. Generating Time Ranges3.15. Using Non-Gregorian Calendars3.16. Using Dates Outside the Range of an Epoch Timestamp3.17. Program: Calendar
4. Arrays
4.0. Introduction4.1. Specifying an Array Not Beginning at Element 04.2. Storing Multiple Elements Per Key in an Array4.3. Initializing an Array to a Range of Integers4.4. Iterating Through an Array4.5. Deleting Elements from an Array4.6. Changing Array Size4.7. Appending One Array to Another4.8. Turning an Array into a String4.9. Printing an Array with Commas4.10. Checking if a Key Is in an Array4.11. Checking if an Element Is in an Array4.12. Finding the Position of a Value in an Array4.13. Finding Elements That Pass a Certain Test4.14. Finding the Largest or Smallest Valued Element in an Array4.15. Reversing an Array4.16. Sorting an Array4.17. Sorting an Array by a Computable Field4.18. Sorting Multiple Arrays4.19. Sorting an Array Using a Method Instead of a Function4.20. Randomizing an Array4.21. Removing Duplicate Elements from an Array4.22. Applying a Function to Each Element in an Array4.23. Finding the Union, Intersection, or Difference of Two Arrays4.24. Making an Object Act like an Array4.25. Program: Printing a Horizontally Columned HTML Table
5. Variables
5.0. Introduction5.1. Avoiding == Versus = Confusion5.2. Establishing a Default Value5.3. Exchanging Values Without Using Temporary Variables5.4. Creating a Dynamic Variable Name5.5. Using Static Variables5.6. Sharing Variables Between Processes5.7. Encapsulating Complex Data Types in a String5.8. Dumping Variable Contents as Strings
6. Functions
6.0. Introduction6.1. Accessing Function Parameters6.2. Setting Default Values for Function Parameters6.3. Passing Values by Reference6.4. Using Named Parameters6.5. Creating Functions That Take a Variable Number of Arguments6.6. Returning Values by Reference6.7. Returning More Than One Value6.8. Skipping Selected Return Values6.9. Returning Failure6.10. Calling Variable Functions6.11. Accessing a Global Variable Inside a Function6.12. Creating Dynamic Functions
7. Classes and Objects
7.0. Introduction7.1. Instantiating Objects7.2. Defining Object Constructors7.3. Defining Object Destructors7.4. Implementing Access Control7.5. Preventing Changes to Classes and Methods7.6. Defining Object Stringification7.7. Specifying Interfaces7.8. Creating Abstract Base Classes7.9. Assigning Object References7.10. Cloning Objects7.11. Overriding Property Accesses7.12. Calling Methods on an Object Returned by Another Method7.13. Aggregating Objects7.14. Accessing Overridden Methods7.15. Using Method Polymorphism7.16. Defining Class Constants7.17. Defining Static Properties and Methods7.18. Controlling Object Serialization7.19. Introspecting Objects7.20. Checking if an Object Is an Instance of a Specific Class7.21. Autoloading Class Files upon Object Instantiation7.22. Instantiating an Object Dynamically7.23. Program: whereis
8. Web Basics
8.0. Introduction8.1. Setting Cookies8.2. Reading Cookie Values8.3. Deleting Cookies8.4. Redirecting to a Different Location8.5. Detecting Different Browsers8.6. Building a Query String8.7. Reading the Post Request Body8.8. Generating HTML Tables with Alternating Row Styles8.9. Using HTTP Basic or Digest Authentication8.10. Using Cookie Authentication8.11. Flushing Output to the Browser8.12. Buffering Output to the Browser8.13. Compressing Web Output8.14. Reading Environment Variables8.15. Setting Environment Variables8.16. Communicating Within Apache8.17. Program: Web Site Account (De)activator8.18. Program: Tiny Wiki

9. Form
9.0. Introduction9.1. Processing Form Input9.2. Validating Form Input: Required Fields9.3. Validating Form Input: Numbers9.4. Validating Form Input: Email Addresses9.5. Validating Form Input: Drop-Down Menus9.6. Validating Form Input: Radio Buttons9.7. Validating Form Input: Checkboxes9.8. Validating Form Input: Dates and Times9.9. Validating Form Input: Credit Cards9.10. Preventing Cross-Site Scripting9.11. Working with Multipage Forms9.12. Redisplaying Forms with Inline Error Messages9.13. Guarding Against Multiple Submission of the Same Form9.14. Processing Uploaded Files9.15. Preventing Global Variable Injection9.16. Handling Remote Variables with Periods in Their Names9.17. Using Form Elements with Multiple Options9.18. Creating Drop-Down Menus Based on the Current Date
10. Database Access
10.0. Introduction10.1. Using DBM Databases10.2. Using an SQLite Database10.3. Connecting to an SQL Database10.4. Querying an SQL Database10.5. Retrieving Rows Without a Loop10.6. Modifying Data in an SQL Database10.7. Repeating Queries Efficiently10.8. Finding the Number of Rows Returned by a Query10.9. Escaping Quotes10.10. Logging Debugging Information and Errors10.11. Creating Unique Identifiers10.12. Building Queries Programmatically10.13. Making Paginated Links for a Series of Records10.14. Caching Queries and Results10.15. Accessing a Database Connection Anywhere in Your Program10.16. Program: Storing a Threaded Message Board
11. Sessions and Data Persistence
11.0. Introduction11.1. Using Session Tracking11.2. Preventing Session Hijacking11.3. Preventing Session Fixation11.4. Storing Sessions in a Database11.5. Storing Sessions in Shared Memory11.6. Storing Arbitrary Data in Shared Memory11.7. Caching Calculated Results in Summary Tables
12. XML
12.0. Introduction12.1. Generating XML as a String12.2. Generating XML with the DOM12.3. Parsing Basic XML Documents12.4. Parsing Complex XML Documents12.5. Parsing Large XML Documents12.6. Extracting Information Using XPath12.7. Transforming XML with XSLT12.8. Setting XSLT Parameters from PHP12.9. Calling PHP Functions from XSLT Stylesheets12.10. Validating XML Documents12.11. Handling Content Encoding12.12. Reading RSS and Atom Feeds12.13. Writing RSS Feeds12.14. Writing Atom Feeds
13. Web Automation
13.0. Introduction13.1. Fetching a URL with the Get Method13.2. Fetching a URL with the Post Method13.3. Fetching a URL with Cookies13.4. Fetching a URL with Arbitrary Headers13.5. Fetching a URL with an Arbitrary Method13.6. Fetching a URL with a Timeout13.7. Fetching an HTTPS URL13.8. Debugging the Raw HTTP Exchange13.9. Marking Up a Web Page13.10. Cleaning Up Broken or Nonstandard HTML13.11. Extracting Links from an HTML File13.12. Converting Plain Text to HTML13.13. Converting HTML to Plain Text13.14. Removing HTML and PHP Tags13.15. Responding to an Ajax Request13.16. Integrating with JavaScript13.17. Program: Finding Stale Links13.18. Program: Finding Fresh Links
14. Consuming Web Services
14.0. Introduction14.1. Calling a REST Method14.2. Calling a SOAP Method with WSDL14.3. Calling a SOAP Method Without WSDL14.4. Debugging SOAP Requests14.5. Using Complex SOAP Types14.6. Setting SOAP Types14.7. Using SOAP Headers14.8. Using Authentication with SOAP14.9. Redefining an Endpoint14.10. Catching SOAP Faults14.11. Mapping XML Schema Data Types to PHP Classes14.12. Calling an XML-RPC Method14.13. Using Authentication with XML-RPC
15. Building Web Services
15.0. Introduction15.1. Serving a REST Method15.2. Serving a SOAP Method15.3. Accepting Arguments in a SOAP Method15.4. Generating WSDL Automatically15.5. Throwing SOAP Faults15.6. Processing a SOAP Header15.7. Generating a SOAP Header15.8. Using Authentication with SOAP15.9. Serving an XML-RPC Method
16. Internet Services
16.0. Introduction16.1. Sending Mail16.2. Sending MIME Mail16.3. Reading Mail with IMAP or POP316.4. Posting Messages to Usenet Newsgroups16.5. Reading Usenet News Messages16.6. Getting and Putting Files with FTP16.7. Looking Up Addresses with LDAP16.8. Using LDAP for User Authentication16.9. Performing DNS Lookups16.10. Checking if a Host Is Alive16.11. Getting Information About a Domain Name
17. Graphics
17.0. Introduction17.1. Drawing Lines, Rectangles, and Polygons17.2. Drawing Arcs, Ellipses, and Circles17.3. Drawing with Patterned Lines17.4. Drawing Text17.5. Drawing Centered Text17.6. Building Dynamic Images17.7. Getting and Setting a Transparent Color17.8. Reading EXIF Data17.9. Serving Images Securely17.10. Program: Generating Bar Charts from Poll Results
18. Security and Encryption
18.0. Introduction18.1. Preventing Session Fixation18.2. Protecting Against Form Spoofing18.3. Ensuring Input Is Filtered18.4. Avoiding Cross-Site Scripting18.5. Eliminating SQL Injection18.6. Keeping Passwords Out of Your Site Files18.7. Storing Passwords18.8. Dealing with Lost Passwords18.9. Verifying Data with Hashes18.10. Encrypting and Decrypting Data18.11. Storing Encrypted Data in a File or Database18.12. Sharing Encrypted Data with Another Web Site18.13. Detecting SSL18.14. Encrypting Email with GPG
19. Internationalization and Localization
19.0. Introduction19.1. Listing Available Locales19.2. Using a Particular Locale19.3. Setting the Default Locale19.4. Localizing Text Messages19.5. Localizing Dates and Times19.6. Localizing Currency Values19.7. Localizing Images19.8. Localizing Included Files19.9. Managing Localization Resources19.10. Using gettext19.11. Setting the Character Encoding of Outgoing Data19.12. Setting the Character Encoding of Incoming Data19.13. Manipulating UTF-8 Text
20. Error Handling, Debugging, andTesting
20.0. Introduction20.1. Finding and Fixing Parse Errors20.2. Creating Your Own Exception Classes20.3. Printing a Stack Trace20.4. Reading Configuration Variables20.5. Setting Configuration Variables20.6. Hiding Error Messages from Users20.7. Tuning Error Handling20.8. Using a Custom Error Handler20.9. Logging Errors20.10. Eliminating “headers already sent” Errors20.11. Logging Debugging Information20.12. Using a Debugger Extension20.13. Writing a Unit Test20.14. Writing a Unit Test Suite20.15. Applying a Unit Test to a Web Page20.16. Setting Up a Test Environment
21. Performance Tuning and Load Testing
21.0. Introduction21.1. Timing Function Execution21.2. Timing Program Execution21.3. Profiling with a Debugger Extension21.4. Stress Testing Your Web Site21.5. Avoiding Regular Expressions21.6. Using an Accelerator
22. Regular Expressions
22.0. Introduction22.1. Switching from ereg to preg22.2. Matching Words22.3. Finding the nth Occurrence of a Match22.4. Choosing Greedy or Nongreedy Matches22.5. Finding All Lines in a File That Match a Pattern22.6. Capturing Text Inside HTML Tags22.7. Preventing Parentheses from Capturing Text22.8. Escaping Special Characters in a Regular Expression22.9. Reading Records with a Pattern Separator22.10. Using a PHP Function in a Regular Expression
23. Files
23.0. Introduction23.1. Creating or Opening a Local File23.2. Creating a Temporary File23.3. Opening a Remote File23.4. Reading from Standard Input23.5. Reading a File into a String23.6. Counting Lines, Paragraphs, or Records in a File23.7. Processing Every Word in a File23.8. Picking a Random Line from a File23.9. Randomizing All Lines in a File23.10. Processing Variable-Length Text Fields23.11. Reading Configuration Files23.12. Modifying a File in Place Without a Temporary File23.13. Flushing Output to a File23.14. Writing to Standard Output23.15. Writing to Many Filehandles Simultaneously23.16. Escaping Shell Metacharacters23.17. Passing Input to a Program23.18. Reading Standard Output from a Program23.19. Reading Standard Error from a Program23.20. Locking a File23.21. Reading and Writing Custom File Types23.22. Reading and Writing Compressed Files
24. Directories
24.0. Introduction24.1. Getting and Setting File Timestamps24.2. Getting File Information24.3. Changing File Permissions or Ownership24.4. Splitting a Filename into Its Component Parts24.5. Deleting a File24.6. Copying or Moving a File24.7. Processing All Files in a Directory24.8. Getting a List of Filenames Matching a Pattern24.9. Processing All Files in a Directory Recursively24.10. Making New Directories24.11. Removing a Directory and Its Contents24.12. Program: Web Server Directory Listing24.13. Program: Site Search
25. Command-Line PHP
25.0. Introduction25.1. Parsing Program Arguments25.2. Parsing Program Arguments with getopt25.3. Reading from the Keyboard25.4. Running PHP Code on Every Line of an Input File25.5. Reading Passwords25.6. Program: Command Shell
26. PEAR and PECL
26.0. Introduction26.1. Using the PEAR Installer26.2. Finding PEAR Packages26.3. Finding Information About a Package26.4. Installing PEAR Packages26.5. Upgrading PEAR Packages26.6. Uninstalling PEAR Packages26.7. Installing PECL Packages
Index
About the Authors
Colophon
Copyright

Content preview from PHP Cookbook, 2nd Edition

Chapter 18. Security and Encryption

Introduction

Web application security is an important topic that’s gaining more attention from both the developers who create web applications, and the attackers who try to exploit them. As a PHP developer, your applications are sure to be the target of many attacks, and you need to be prepared.

A large number of web application vulnerabilities are due to a misplaced trust in data provided by third parties. Such data is known as input, and it should be considered tainted until proven otherwise. If you display tainted data to your users, you create cross-site scripting (XSS) vulnerabilities. Recipe 18.4 explains how to avoid these by escaping your output. If you use tainted data in your SQL queries, you can create SQL injection vulnerabilities. Recipe 18.5 shows you how to eliminate these.

When using data provided by third parties, including the data provided by your users, it is important to first verify that it is valid. This process is known as filtering, and Recipe 18.3 shows you how to guarantee that all input is filtered.

Not all security problems can be solved by filtering input and escaping output. Session fixation, an attack discussed in Recipe 18.1, causes a victim to use a session identifier chosen by an attacker. Cross-site request forgeries, a type of attack discussed in Recipe 18.2, cause a victim to send a request of an attacker’s choosing.

Closely related to security is encryption, a powerful tool that can help boost your application’s ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 0596101015Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

PHP Cookbook, 2nd Edition

by Adam Trachtenberg, David Sklar

Chapter 18. Security and Encryption

Introduction

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.