PHP Code
With the eval() function, PHP allows a script to execute arbitrary PHP code. Although it can be useful in a few limited cases, allowing any user-supplied data to go into an eval() call is just begging to be hacked. For instance, the following code is a security nightmare:
<html><head><title>Here are the keys...</title></head>
<body>
<?php
if ($_REQUEST['code']) {
    echo "Executing code...";
    eval(stripslashes($_REQUEST['code']));   // BAD!
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <input type="text" name="code" />
    <input type="submit" name="Execute Code" />
</form>
</body></html>
This page takes some arbitrary PHP code from a form and runs it as part of the script. The running code has access to all of the global variables for the script and runs with the same privileges as the script running the code. It’s not hard to see why this is a problem—type this into the form:
include("/etc/passwd");
Never do this. There is no practical way to ensure such a script can ever be secure.
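As an added example (not from the book), a small audit script that uses PHP's own tokenizer to flag eval() calls whose argument directly references a request superglobal, which is the pattern in the form handler above. It is a heuristic rather than real taint analysis: input copied into another variable first will not be flagged. The sample source it scans is constructed for this illustration.

```php
<?php
// Request superglobals whose appearance inside an eval() argument we flag.
const REQUEST_SUPERGLOBALS = ['$_REQUEST', '$_GET', '$_POST', '$_COOKIE'];

// Returns a list of [line, snippet] for every eval() whose argument
// mentions one of the request superglobals.
function find_tainted_eval(string $source): array {
    $tokens   = token_get_all($source);
    $count    = count($tokens);
    $findings = [];
    for ($i = 0; $i < $count; $i++) {
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_EVAL) {
            continue;
        }
        $line    = $tokens[$i][2];
        $depth   = 0;
        $snippet = '';
        $tainted = false;
        // Walk forward to the parenthesis that closes the eval() argument.
        for ($j = $i + 1; $j < $count; $j++) {
            $t    = $tokens[$j];
            $text = is_array($t) ? $t[1] : $t;
            $snippet .= $text;
            if ($text === '(') {
                $depth++;
            } elseif ($text === ')') {
                if (--$depth === 0) {
                    break;
                }
            } elseif (is_array($t) && $t[0] === T_VARIABLE
                      && in_array($t[1], REQUEST_SUPERGLOBALS, true)) {
                $tainted = true;   // request data flows straight into eval()
            }
        }
        if ($tainted) {
            $findings[] = [$line, 'eval' . trim($snippet)];
        }
    }
    return $findings;
}

// Constructed sample: the same pattern as the form handler, plus a
// constant-argument eval() that should not be reported.
$sample = '<?php
if ($_REQUEST[\'code\']) {
    eval(stripslashes($_REQUEST[\'code\']));
}
eval(\'return 1 + 1;\');
';

foreach (find_tainted_eval($sample) as [$line, $snippet]) {
    echo "line $line: $snippet\n";
}
```

Run against the sample it reports only the third line, `eval(stripslashes($_REQUEST['code']))`; pointing it at a real code base is a quick way to inventory eval() sites that deserve a manual review.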
You can globally disable particular function calls by listing them, separated by commas, in the disable_functions configuration option in php.ini. For example, you may never have need for the system() function, so you can disable it entirely with:
disable_functions = system
This doesn’t make eval() any safer, though, as there’s no way to prevent important variables from being changed or built-in constructs such as echo() being called.
Note that the preg_replace() function with the /e option ...