Dav

Hi,

I am a budding web designer (I've learnt to hard-code HTML from scratch) and desire to move on to create dynamic content/update driven websites possibly in PHP? I have heard that PHP is much like C, but I have no experience in either.

I would like:

1. to be able to add pages with content based on a template.
2. to be able to add news content to the front page.
3. to be able to login as admin to change these settings (is this a neccessity, as I could just have a hidden page?)

Thanks, and if you have any tips, they would be much appreciated.

trache

1. It is probably better for you to code a routine that will read a template and parse certain variables when you output the templates contents. You could have a template editor (a basic TEXTAREA HTML code with some PHP File I/O) if you wanted to edit the template over the Internet (and not locally on a shell or something). Use arrays and str_replace (fastest), ereg_replace (slower than former, but not noticeably so) for substitution.

2 & 3: User and Admin pages can be separate or coded together (you just output certain other fields if a session cookie is set for an administrative user) to make it easier, or code two separate pages one for viewing (user) and one for editing (administrative). It's really up to you. Don't let the user input passwords on a GET query, since they will show up unencrypted (if you didn't encrypt them first) in your browser URL.

One thing I would like to stress: Don't trust any user input. I mean that. And for those of you reading this, watch what I do:

$query = "SELECT * FROM news WHERE item =" . $id;

and in the browser, one could go like this:

http://yourhost/page.php?id=;DROP DATABASE mydb;

Can you guess what happens next? The query now turns into this:

$query = "SELECT * FROM news WHERE item =;DROP DATABSE mydb;";

The first query will error, but the second one will go through nice and dandy - along with your database!

Of course, with PHP register_globals can help with this.. but don't do it anyway because you can never be sure what version of PHP you're using or the state of register_globals (where both can be sought after programatically).

I've just demonstrated an SQL injection. DON'T LET IT HAPPEN, or I will find you and slap you upside your head so fast you'll choke on the recoil.

Check input with regexes, variable type checking (making sure a string is a string and an integer is an integer) or just plain switch cases.. but don't let anyone muck with it.

__________________
"You looked at me as if I was eating runny eggs in slow motion." - Gord Downie of The Tragically Hip

Dav

When I said "budding" I really meant clueless, and I didn't understand a word you said. Damn. Sorry.

Fallon

He meant that if you use a SQL backend to your page, be VERY careful as people can and probably will delete stuff. Generally it's a huge security issue with a database. Speaking of which, I need to try that at home on my pages.
If you use a PHP/SQL combo, you'll need to write a function that'll scan the users input into the page so that it doesn't contain any important things like ', ", ;, DROP, DELETE and a bunch of others.

Dav

So has anyone got any idea where I can source some scripts? I can play around at home with Apache, but like I said Ive got no idea about PHP or anything, I know what it can do, I just want to experiment so it'll make managing websites easier. Any decent tutorials?

sailor

Sorry to jack the thread a bit here, but Trache and Fallon, Id really appreciate some more input like that I code all my PHP assuming registered globals is off, but my hosts dont always have it so. Any other good tips? How would you recommend I prevent SQL injection? Any tutorial sites?

If you dont wanna jack the thread too much, feel free to shoot me a PM.

__________________
"Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws."
--Plato

Fallon

Right off the top of my head, I'd make an array with all the banned keywords/items and have a function that'd go thru anything that may go to the dbto check that there isn't any bad stuff in there. I believe phpbuilder.com or some such site had some anti-SQL Injection snippets that you can use. But ya, I'm creating a relatively good sized site and I have had to do all this fun stuff.

edit: fixed the link

trache

Dav:

My apologies for assuming. How much do you know about PHP, and Apache (which PHP is best with IMO). What about SQL servers?

First, I would definitely get what's called a shell account on a UNIX server, or boot up one of your own UNIX/Linux servers at home. You'll learn a great deal about what systems websites are most often run on. Get some experience with IIS (Microsoft's webserver platform), but I wouldn't dive right into it. A lot of the same concepts fit both pieces of software.

Second, install all of the packages yourself (direct from source code if you can help it) if you can. It will help ease you into learning UNIX/Linux/BSD which is a Good Thing(tm).l

Configure the packages to run together in what's more commonly referred to as LAMP (if you're running on Linux that is) - "Linux Apache MySQL PHP".

Two good sites that I have run into in my travels (neither of which I've really used, since I already knew a lot of what they teach) are www.phpbuilder.net and www.evolt.org

Both are written from the perspective of a web-coder type geek and with newbies in mind.

I realize this sounds like a lot, but trust me it's all worth it even if you are not going to persue web design as a career.

Dav, I'm not sure if you're familiar with regular expressions, but they come into very handy and are *very* powerful at checking input. At its heart is a short syntax for text type (be it string, digit, character etc) and you use it to make sure a certain variable you have fits criteria you've set. PERL uses the concept heavily for all of its string matching and processing. PHP has a family of functions for this as well.

Sailor, to answer your question you can easily use is_string, is_integer etc etc to check for certain variable types, as well as ereg* to check for regular expressions.

Use the PHP $_* family of variables ($_GET, $_POST, $_SERVER) instead of registered globals (for example, the "id" field in my reply above would be $_GET['id']) which would normally let you use $id (hackers can write a script that will attack your server manually using the HTTP headers and they can perform a POST request and change the url with a ?id= on the end and your script could use the GET url?id= and have that variable changed quite easily). Hopefully that last sentence wasn't too confusing!

I'm not sure if PHP will allow any attacks get by that easily anymore since 4.0 came out, but it's worth the extra line or two of code and it will definitely be a lot more secure.

Oh, and php.net has very good documentation (although a lot of the user comments mention a lot of conflicts to the contrary) for its language. At the beginning of the documentation is a short tutorial on the language itself.

__________________
"You looked at me as if I was eating runny eggs in slow motion." - Gord Downie of The Tragically Hip

Fallon

Heh, I'm at a moderate point of coding in PHP and I barely grasped that
What he's saying here is that in a webpage address, now this is for the new programmers out there, that you can form a url that contains data that will be used in the next webpage.
So I could create a link onto a page that was like www.mypage.com/index.php?name=Fallon&site=TFP
It has two variables in it, name and site
Now, on index.php, you could have a variable that checks the URL of the page, and it sees the ? so it says, Hey, there's some good shit in this url, and it's shit I can use. To get the two variables, you'd do $_GET['name'] which would return Fallon and $_['site'] would return TFP. Now you could enter those into your index.php page anywhere you'd like and use accordingly. Now a hacker could be like, "well well well... I can be a evil hacker and break stuff and whatnot" So they could manually type into their browser http://www.mypage.com/index.php?name...te=I_love_porn
That's a bit simplistic but you can see where things may go wrong in that example.

blurri

i've been coding for a while, but i just started web programming relatively recently. i'd heard of SQL injection, i just didnt realize it was so stupidly simple as that. thanks for pointing this out.

trache

Fallon - thanks for taking my geekspeak and turning it into English.

I have a tough time trying to explain things to people whom don't understand my way of explanaining. That goes to show you I'm a grunt and will probably never be a teacher.

__________________
"You looked at me as if I was eating runny eggs in slow motion." - Gord Downie of The Tragically Hip

Dav

Thanks for that Trache, I have used IIS before, I did as a part of a Network Admin Course, so I am taking quite a leap from Networking to proper programming. I would like to use a windows based system, as I dont have enough partition space for a second OS, and I cant be arsed downloading Linux, although I understand what your saying about understanding unix\linux. I know no PHP, but thanks for pointing out that list.

In terms of career, I am a Networker, but I do write webpages now and again, there are very basic, but now that ive gotten The GIMP Im looking forward to writing some schmick looking pages

sailor

Dav, the good thing about PHP is that it is crazy easy. You can install Apache, mySQL, and PHP in about 30 minutes and figure your way around PHP pretty quickly. I am by no means an excellent programmer, but I managed to figure it out enough to crank out a basic Content Management System in a couple days.

__________________
"Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws."
--Plato

Fallon

I think out of the three, MySQL is probably the hardest to install and that's because you need to get the config file in the right place. I believe PHP and Apache have an Install Program so you don't need to do anything at all really.

sailor

On a windows box? All you do is unzip the binaries. Ive had more problems getting PHP to play nice than mySQL. All of them are pretty easy, though.

Linux is a bit more complex. Unless you run Debian, of course--apt-get install mysql-server and you're done

__________________
"Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws."
--Plato