NMD202 Web Scripting
Week 3

What we will cover today
- Includes
- Exercises
- PHP Forms
- Exercises
- Server side validation
- Exercises

Includes
- The include($filename) statement includes and evaluates the specified file.
- require($filename) does the same thing, except it halts execution if $filename is not found.
- include_once($filename), require_once($filename): the file is included only once, even if called several times.

Includes
Security Considerations:
- PHP Injection: a technique that exploits vulnerabilities that allow an attacker to include files with malicious code.

Exercises
- Redo last exercise (student table) but split your file into logical sections (templating), i.e. include the head of your document, the body, the footer, etc.
- Place the stud array (model) in an external file and include it in the main script.

PHP forms
When using forms, some sort of server side scripting is needed to handle the submitted data.
Basically, all form elements and the data submitted through them will be available on the server to be manipulated.

PHP forms
2 different methods to submit data:
- Get: uses the querystring to submit the data
- Post: uses the POST method of the HTTP protocol to submit data

PHP forms
- Get: should be used when the page after form submission needs to be bookmarked
- Post: should be used when the information to submit is huge or sensitive

PHP forms
All info submitted in the form is available in either the $_GET or the $_POST superglobal, depending on the method used.
Entries in the superglobal array will match the "name" attribute of the form elements.

Exercises
Redo the student exercise using a form to input the filter instead of the querystring; use the post method.
After applying the filter (form submission), make sure the form retains the entry for usability purposes.
Tip: Check whether $_POST contains data; if empty, display the whole table; if not, apply the filter.

Includes
Security Considerations:
- Register Globals: all entries in $_GET and $_POST are automatically extracted into variables.
Relying on this feature is highly discouraged.

PHP forms
Security Considerations: (bypass authentication by making bad use of register globals)

<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}

// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>

PHP forms
Validation
Data validation should always be used with submitted data:
- Security reasons
- Data quality
The system should never rely on client side validation alone (client side validation is to be used just as a usability enhancer).

PHP forms
Validation
Validation procedure to check the validity of the data:
- Data is valid: proceed (insert into the database, perform some action) and display feedback
- Data is not valid: do not proceed; present the form (entries pre-filled with the submitted data, except password fields) with feedback on which fields failed validation

PHP forms
Validation

<?php
function dataValidates() {
    // validation logic here
    // return true/false
    return false; // placeholder until the checks are written
}

$valid = false;

// the form has been submitted
if (!empty($_POST)) {
    $valid = dataValidates();
}

if ($valid) {
    // Do some background action here (submit data to database, send email, etc.)
}
?>
<html>
.....
<?php
if ($valid) {
    // display html for valid data submitted (Feedback)
} else {
    // display html for invalid data submitted (Warning messages)
}
?>

Exercises
Build a form to submit data about a user registration: First Name, Last Name, Email, Password, Confirm Password.
Make all fields required; email must be a valid email (check for the @ symbol) and passwords must match.
If the info is valid, display a table with all the details and hide the form field.
If not, display the form field with error messages next to the appropriate elements.
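
The validation procedure from the slides, applied to the registration exercise, as an added example that is not part of the original slides. The field names and the sample submission are assumptions constructed for illustration, and the example goes beyond the slide's @ check by using filter_var() and by HTML-escaping the values that are echoed back into the form.

```php
<?php
// Field names (first_name, last_name, email, password, confirm) are assumptions.
// Returns field => error message; an empty array means the data is valid.
function validateRegistration(array $in): array
{
    $errors = [];
    foreach (['first_name', 'last_name', 'email', 'password', 'confirm'] as $field) {
        // Every field is required; arrays (e.g. email[]=x) and blank strings are rejected.
        if (!isset($in[$field]) || !is_string($in[$field]) || trim($in[$field]) === '') {
            $errors[$field] = 'This field is required.';
        }
    }
    // The exercise only asks for an @ check; filter_var() is the stricter built-in test.
    if (!isset($errors['email']) && filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Enter a valid email address.';
    }
    if (!isset($errors['password']) && !isset($errors['confirm'])
        && $in['password'] !== $in['confirm']) {
        $errors['confirm'] = 'Passwords do not match.';
    }
    return $errors;
}

// Values to echo back into the form: HTML-escaped, password fields never pre-filled.
function prefill(array $in): array
{
    $out = [];
    foreach (['first_name', 'last_name', 'email'] as $field) {
        $value = (isset($in[$field]) && is_string($in[$field])) ? $in[$field] : '';
        $out[$field] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return $out;
}

// Constructed sample submission standing in for $_POST.
$post = [
    'first_name' => 'Ana',
    'last_name'  => '',
    'email'      => 'ana"><b>@example',
    'password'   => 'secret1',
    'confirm'    => 'secret2',
];
$errors = validateRegistration($post);
if ($errors === []) {
    echo "Valid: show the details table and hide the form\n";
} else {
    print_r($errors);          // one message per failed field
    print_r(prefill($post));   // escaped values for re-displaying the form
}
```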