Download presentation
Presentation is loading. Please wait.
1
Web Programming Week 6 Old Dominion University Department of Computer Science CS 418/518 Fall 2010 Martin Klein 10/05/10
2
Server-Side Input Validation (Chapter 8 in book, 7 in sample code) Client-side input validation is nice but not a replacement for server-side validation –client-side security == no security malicious or broken clients –client-side (Javascript) examples: http://www.codeave.com/javascript/category.asp?u_category=Forms http://www.codeave.com/javascript/category.asp?u_category=Forms Server-side can be built using: –empty(), is_numeric(), is_string(), is_bool(), is_array(), is_object(), etc. –http://us2.php.net/manual/en/ref.var.phphttp://us2.php.net/manual/en/ref.var.php
3
Separate URI to Handle Errors … if (empty($var1)) { $errors.= "$var1 should not be empty"; } if (!is_numeric($var2)) { $errors.= "$var2 should be a number"; } // check all anticipated error conditions … if (empty($errors)) { // do interesting work } else { $errors = urlencode($errors); header("Location: http://foo.edu/error.php?error=$errors");http://foo.edu/error.php?error=$errors }
4
Same URI to Handle Errors … if (empty($var1)) { $errors.= "$var1 should not be empty"; } if (!is_numeric($var2)) { $errors.= "$var2 should be a number"; } // check all anticipated error conditions … if (empty($errors)) { // do interesting work } else { internal_error_function($errors); } function internal_error_function ($errors) { // generate pretty HTML response // provide link to start over }
5
Same URI with Error Argument … if (empty($var1)) { $errors.= "$var1 should not be empty"; } if (!is_numeric($var2)) { $errors.= "$var2 should be a number"; } // check all anticipated error conditions … if (empty($errors)) { // do interesting work } else { $errors = urlencode($errors); header("Location:".$_SERVER["REQUEST_URI"]."?errors=$errrors"; }
![Same URI with Error Argument … if (empty($var1)) { $errors.= $var1 should not be empty ; } if (!is_numeric($var2)) { $errors.= $var2 should be a number ; } // check all anticipated error conditions … if (empty($errors)) { // do interesting work } else { $errors = urlencode($errors); header( Location: .$_SERVER[ REQUEST_URI ]. errors=$errrors ; }](http://images.slideplayer.com./15/4517903/slides/slide_5.jpg "Same URI with Error Argument … if (empty($var1)) { $errors.= $var1 should not be empty ; } if (!is_numeric($var2)) { $errors.= $var2 should be a number ; } // check all anticipated error conditions … if (empty($errors)) { // do interesting work } else { $errors = urlencode($errors); header( Location: .$_SERVER[ REQUEST_URI ]. errors=$errrors ; }")
6
Encoding/Decoding URLs RFC-1738 requires “unsafe” and “reserved” characters to be encoded in URIs: –http://www.rfc-editor.org/rfc/rfc1738.txthttp://www.rfc-editor.org/rfc/rfc1738.txt –Reserved examples “/”, “:”, “?”… –Unsafe examples [space], “%”, “#”… PHP urlencode(), urldecode() –http://us2.php.net/manual/en/function.urlencode.phphttp://us2.php.net/manual/en/function.urlencode.php –http://us2.php.net/manual/en/function.urldecode.phphttp://us2.php.net/manual/en/function.urldecode.php More info: –http://www.blooberry.com/indexdot/html/topics/urlencoding.htmhttp://www.blooberry.com/indexdot/html/topics/urlencoding.htm
![Encoding/Decoding URLs RFC-1738 requires unsafe and reserved characters to be encoded in URIs: – –Reserved examples / , : , … –Unsafe examples [space], % , # … PHP urlencode(), urldecode() – – More info: –](http://images.slideplayer.com./15/4517903/slides/slide_6.jpg "Encoding/Decoding URLs RFC-1738 requires unsafe and reserved characters to be encoded in URIs: – –Reserved examples / , : , … –Unsafe examples [space], % , # … PHP urlencode(), urldecode() – – More info: –")
7
Escaping HTML <?php $orig = "I'll \"walk\" the dog now"; $a = htmlentities($orig); $b = html_entity_decode($a); echo $a; // I'll "walk" the <b>dog</b> now echo $b; // I'll "walk" the dog now ?> See: http://www.w3schools.com/PHP/func_string_htmlentities.asp http://php.net/manual/en/function.htmlentities.php http://us2.php.net/manual/en/function.html-entity-decode.php http://www.w3schools.com/PHP/func_string_html_entity_decode.asp Also: http://en.wikipedia.org/wiki/Lightweight_markup_languagehttp://en.wikipedia.org/wiki/Lightweight_markup_language
8
Regular Expressions More Info: http://us2.php.net/regex http://oreilly.com/catalog/9780596528126/http://us2.php.net/regex http://oreilly.com/catalog/9780596528126/ if ( !preg_match("/([0-9]{2})-([0-9]{2})-([0-9]{4})/", $_POST['movie_release'], $reldatepart) ) { $error.= "Please+enter+a+date+with+the+dd-mm-yyyy+format"; } Attention: "ereg" has been deprecated as of PHP 5.3 and hence will cause a warning! if $_POST['movie_release'] == 31-05-1969 then: $reldatepart[0] = 31-05-1969 $reldatepart[1] = 31 $reldatepart[2] = 05 $reldatepart[3] = 1969
![Regular Expressions More Info: if ( !preg_match( /([0-9]{2})-([0-9]{2})-([0-9]{4})/ , $_POST[ movie_release ], $reldatepart) ) { $error.= Please+enter+a+date+with+the+dd-mm-yyyy+format ; } Attention: ereg has been deprecated as of PHP 5.3 and hence will cause a warning.](http://images.slideplayer.com./15/4517903/slides/slide_8.jpg "if $_POST[ movie_release ] == then: $reldatepart[0] = $reldatepart[1] = 31 $reldatepart[2] = 05 $reldatepart[3] =")
9
Date/Time More info: http://us2.php.net/manual/en/ref.datetime.php http://us2.php.net/manual/en/ref.datetime.php $movie_release = mktime ( 0, 0, 0, $reldatepart['2'], $reldatepart['1'], $reldatepart['3']); // $seconds_since_Jan1st1970 = mktime(hour,min,sec,month,day,year)
![Date/Time More info: $movie_release = mktime ( 0, 0, 0, $reldatepart[ 2 ], $reldatepart[ 1 ], $reldatepart[ 3 ]); // $seconds_since_Jan1st1970 = mktime(hour,min,sec,month,day,year)](http://images.slideplayer.com./15/4517903/slides/slide_9.jpg "Date/Time More info: $movie_release = mktime ( 0, 0, 0, $reldatepart[ 2 ], $reldatepart[ 1 ], $reldatepart[ 3 ]); // $seconds_since_Jan1st1970 = mktime(hour,min,sec,month,day,year)")
10
Apache httpd.conf % less /etc/apache2/httpd.conf … # # Customizable error responses come in three flavors: # 1) plain text 2) local redirects 3) external redirects # # Some examples: #ErrorDocument 500 "The server made a boo boo." #ErrorDocument 404 /missing.html ErrorDocument 404 /error.php?404 #ErrorDocument 404 "/cgi-bin/missing_handler.pl" #ErrorDocument 402 http://www.example.com/subscription_info.html # …
11
SMTP Mesg Return-Path: Received: from exchange.cs.odu.edu (darkisland.csnet.cs.odu.edu [128.82.4.212]) by unixmail.cs.odu.edu (8.14.2/8.14.2) with ESMTP id o94LPccJ021124 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT) for ; Mon, 4 Oct 2010 17:25:38 -0400 (EDT) Resent-Date: Mon, 4 Oct 2010 17:25:38 -0400 (EDT) Resent-Message-Id: Resent-From: Received: from unixmail.cs.odu.edu (128.82.4.9) by darkisland.csnet.cs.odu.edu (128.82.4.212) with Microsoft SMTP Server id 8.2.176.0; Mon, 4 Oct 2010 17:25:38 -0400 Received: from mln-web (mln-web.cs.odu.edu [128.82.4.82]) by unixmail.cs.odu.edu (8.14.2/8.14.2) with SMTP id o94LPblD021121 for ; Mon, 4 Oct 2010 17:25:38 -0400 (EDT) Message-ID: Received: by mln-web (sSMTP sendmail emulation); Mon, 4 Oct 2010 17:17:12 -0400 From: added by portage for apache Date: Mon, 4 Oct 2010 17:17:12 -0400 To: Subject: Error Page MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Error occurred on Monday, October 4, 2010 at 17:17:12:2010 Error received was a 404 error. The page that generated the error was: /~mklein/code/code/ch08/error.php.02.php?404 The generated error message was: "Page Not Found" Error Page - (Error Code 404) The page you are looking for cannot be found <a href="mailto:sysadmin@localhost.com">Contact the system administrator if you feel this to be in error PHP syntax: mail($to,$subject,$body,$headers)
![SMTP Mesg Return-Path: Received: from exchange.cs.odu.edu (darkisland.csnet.cs.odu.edu [ ]) by unixmail.cs.odu.edu (8.14.2/8.14.2) with ESMTP id o94LPccJ (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT) for ; Mon, 4 Oct :25: (EDT) Resent-Date: Mon, 4 Oct :25: (EDT) Resent-Message-Id: Resent-From: Received: from unixmail.cs.odu.edu ( ) by darkisland.csnet.cs.odu.edu ( ) with Microsoft SMTP Server id ; Mon, 4 Oct :25: Received: from mln-web (mln-web.cs.odu.edu [ ]) by unixmail.cs.odu.edu (8.14.2/8.14.2) with SMTP id o94LPblD for ; Mon, 4 Oct :25: (EDT) Message-ID: Received: by mln-web (sSMTP sendmail emulation); Mon, 4 Oct :17: From: added by portage for apache Date: Mon, 4 Oct :17: To: Subject: Error Page MIME-Version: 1.0 Content-Type: text/html; charset= iso Error occurred on Monday, October 4, 2010 at 17:17:12:2010 Error received was a 404 error.](http://images.slideplayer.com./15/4517903/slides/slide_11.jpg "The page that generated the error was: /~mklein/code/code/ch08/error.php.02.php 404 The generated error message was: Page Not Found Error Page - (Error Code 404) The page you are looking for cannot be found <a href= >Contact the system administrator if you feel this to be in error PHP syntax: mail($to,$subject,$body,$headers).")
Similar presentations
