Tilted Forum Project Discussion Community - View Single Post

trache · 08-18-2004, 06:21 AM

Dav:

My apologies for assuming. How much do you know about PHP, and Apache (which PHP is best with IMO). What about SQL servers?

First, I would definitely get what's called a shell account on a UNIX server, or boot up one of your own UNIX/Linux servers at home. You'll learn a great deal about what systems websites are most often run on. Get some experience with IIS (Microsoft's webserver platform), but I wouldn't dive right into it. A lot of the same concepts fit both pieces of software.

Second, install all of the packages yourself (direct from source code if you can help it) if you can. It will help ease you into learning UNIX/Linux/BSD which is a Good Thing(tm).l

Configure the packages to run together in what's more commonly referred to as LAMP (if you're running on Linux that is) - "Linux Apache MySQL PHP".

Two good sites that I have run into in my travels (neither of which I've really used, since I already knew a lot of what they teach) are www.phpbuilder.net and www.evolt.org

Both are written from the perspective of a web-coder type geek and with newbies in mind.

I realize this sounds like a lot, but trust me it's all worth it even if you are not going to persue web design as a career.

Dav, I'm not sure if you're familiar with regular expressions, but they come into very handy and are *very* powerful at checking input. At its heart is a short syntax for text type (be it string, digit, character etc) and you use it to make sure a certain variable you have fits criteria you've set. PERL uses the concept heavily for all of its string matching and processing. PHP has a family of functions for this as well.

Sailor, to answer your question you can easily use is_string, is_integer etc etc to check for certain variable types, as well as ereg* to check for regular expressions.

Use the PHP $_* family of variables ($_GET, $_POST, $_SERVER) instead of registered globals (for example, the "id" field in my reply above would be $_GET['id']) which would normally let you use $id (hackers can write a script that will attack your server manually using the HTTP headers and they can perform a POST request and change the url with a ?id= on the end and your script could use the GET url?id= and have that variable changed quite easily). Hopefully that last sentence wasn't too confusing!

I'm not sure if PHP will allow any attacks get by that easily anymore since 4.0 came out, but it's worth the extra line or two of code and it will definitely be a lot more secure.

Oh, and php.net has very good documentation (although a lot of the user comments mention a lot of conflicts to the contrary) for its language. At the beginning of the documentation is a short tutorial on the language itself.

08-18-2004, 06:21 AM	#8 (permalink)
trache Insane	Dav: My apologies for assuming. How much do you know about PHP, and Apache (which PHP is best with IMO). What about SQL servers? First, I would definitely get what's called a shell account on a UNIX server, or boot up one of your own UNIX/Linux servers at home. You'll learn a great deal about what systems websites are most often run on. Get some experience with IIS (Microsoft's webserver platform), but I wouldn't dive right into it. A lot of the same concepts fit both pieces of software. Second, install all of the packages yourself (direct from source code if you can help it) if you can. It will help ease you into learning UNIX/Linux/BSD which is a Good Thing(tm).l Configure the packages to run together in what's more commonly referred to as LAMP (if you're running on Linux that is) - "Linux Apache MySQL PHP". Two good sites that I have run into in my travels (neither of which I've really used, since I already knew a lot of what they teach) are www.phpbuilder.net and www.evolt.org Both are written from the perspective of a web-coder type geek and with newbies in mind. I realize this sounds like a lot, but trust me it's all worth it even if you are not going to persue web design as a career. Dav, I'm not sure if you're familiar with regular expressions, but they come into very handy and are very powerful at checking input. At its heart is a short syntax for text type (be it string, digit, character etc) and you use it to make sure a certain variable you have fits criteria you've set. PERL uses the concept heavily for all of its string matching and processing. PHP has a family of functions for this as well. Sailor, to answer your question you can easily use is_string, is_integer etc etc to check for certain variable types, as well as ereg* to check for regular expressions. Use the PHP $_* family of variables ($_GET, $_POST, $_SERVER) instead of registered globals (for example, the "id" field in my reply above would be $_GET['id']) which would normally let you use $id (hackers can write a script that will attack your server manually using the HTTP headers and they can perform a POST request and change the url with a ?id= on the end and your script could use the GET url?id= and have that variable changed quite easily). Hopefully that last sentence wasn't too confusing! I'm not sure if PHP will allow any attacks get by that easily anymore since 4.0 came out, but it's worth the extra line or two of code and it will definitely be a lot more secure. Oh, and php.net has very good documentation (although a lot of the user comments mention a lot of conflicts to the contrary) for its language. At the beginning of the documentation is a short tutorial on the language itself. __________________ "You looked at me as if I was eating runny eggs in slow motion." - Gord Downie of The Tragically Hip