Stupid Browser Tricks with PHP and JavaScript By Chris Winikka.

Presentation on theme: "Stupid Browser Tricks with PHP and JavaScript By Chris Winikka."— Presentation transcript:

1 Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

2  Isn't JavaScript Validation Enough?
  Some people turn off JavaScript
  Some people have bad intentions, and they do not need your form at all: a request can be built by hand and sent straight to the PHP processor
  PHP is the only way to ensure that the information from a form is...
  ▪ not empty
  ▪ in the correct format
  ▪ not filled with nasty, evil code (with sharp pointy teeth)
  Why even use JavaScript?
  ▪ convenience: the user finds out something is missing before sending it off (before leaving the form page), and it might catch a mistake in an email address
  ▪ less processor time: if the PHP file catches an error, it has two main options: send the user back to the form page, or give a warning and force the user to use the back button. If JavaScript catches the problem before the processor runs, the PHP file may only have to run once

3  PHP, like all high-level languages, has functions
  built-in functions
  ▪ handy functions that the makers of PHP thought you might find useful
  user-defined functions
  ▪ you get to create your own
  What is a function?
  ▪ a function is reusable code
  ▪ if there's anything you want to do more than once, you should write a function for it
  You already used the date() function
  ▪ you provided some format codes
  ▪ the function used those codes to format the date and time

4  According to OWASP, there are 10 main security flaws (the OWASP Top 10; the ordering below is from the 2007 edition of the list)
  The top 2 flaws to prepare for are:
  1. Cross-site Scripting Flaws (XSS):
  ▪ occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content
  ▪ XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, possibly introduce worms, etc.
  2. Injection Flaws:
  ▪ injection occurs when user-supplied data is sent to an interpreter as part of a command or query
  ▪ the attacker's hostile data tricks the interpreter into executing unintended commands or changing data
  There are other flaws to be concerned with, but we won't cover those because...
  ▪ we are not learning how to do passwords & password encryption
  ▪ we are not learning how to do file uploads
  ▪ for the most part our simple applications are not big targets (automated scanners do not care how big a target you are, though, which is why the two flaws above still need handling)
  For more information on security, visit the Open Web Application Security Project (OWASP) website

5  Validate
  Make sure the data
  ▪ is in the correct format: a number is an integer, a name is in the form of a string, an email is in the format of an email
  ▪ is not empty
  ▪ does not have any code you don't want it to have

6  The first step in validation is making sure variables aren't empty
  Unfortunately, a field filled with spaces is not technically empty
  That's why you need the trim() function
  How it works:
  ▪ pass it a string
  ▪ it removes whitespace (spaces, tabs, newlines) from the beginning and end of the string
  Do it like so...
  $name = trim($name);

7  empty() – checks to see if a variable is empty or not
  Pass it a variable
  ▪ if the variable has no value (it's empty), it returns true: "Yes, it is empty"
  ▪ if the variable does have a value (not empty), it returns false: "No, it's not empty"
  ▪ caveat: empty() also returns true for the string "0", so a field whose legitimate answer is 0 looks empty; comparing trim($var) === '' avoids that
  The empty() function in its natural habitat
  ▪ typically, you use the empty() function to check that a variable is not empty
  ▪ for this, you use the NOT operator, "!", placed in front of the function
  ▪ example:
  if (!empty($variable)) {
      echo "It's not empty";
  } else {
      echo "It is empty";
  }
  ▪ in plain English, if (!empty($variable)) means "If variable is NOT empty, ..."
  ▪ the keyword "else" is like saying "otherwise..."

8  Render command codes useless with the addslashes() function
  addslashes() will add a backslash in front of the following characters:
  ▪ single quote (')
  ▪ double quote (")
  ▪ backslash (\)
  ▪ NUL byte
  Why is this important?
  ▪ Look at the following:
  SELECT * FROM users WHERE name='$username' AND pass='$password';
  ▪ If a user enters the following for his/her password...
  ' OR '1'='1
  ▪ To the database, the query now looks like this...
  SELECT * FROM users WHERE name='known_user' AND pass='' OR '1'='1';
  ▪ My question to you is: Is 1 equal to 1?
  ▪ The answer is "yes", so the WHERE clause is true for every row
  ▪ The user is now logged in without ever knowing the password
  Adding slashes defeats this particular payload on MySQL: the quote becomes \' and stays inside the string literal
  ▪ but addslashes() is not a general defence against SQL injection: it does nothing for values used without quotes (WHERE id=$id), its escaping rules are MySQL-specific (SQLite and standard SQL double the quote instead), and it has been bypassed in some multibyte character sets
  ▪ the reliable fix is prepared statements with bound parameters (PDO or mysqli), so user data is never part of the query text
  Note: You can also remove the slashes with...
  ▪ the stripslashes() function
  Note also: this is not necessary as much with an email processor, but is critical for use with a database
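The query from this slide, run against a real database, as an added example (mine, not from the presentation). It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database; the users table, its single row and the two attack strings are constructed for the demo. It shows the slide's payload succeeding against string-built SQL, addslashes() leaving a quote-free numeric injection untouched, and prepared statements stopping both.

```php
<?php
// Added example, not from the original slides. Assumes PHP with pdo_sqlite;
// the table, the user row and the attack strings below are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)");
// Plain-text password only to mirror the slide; real code stores password_hash() output.
$db->exec("INSERT INTO users (name, pass) VALUES ('known_user', 'correct-horse')");

// The slide's query, built by string interpolation: the user's input is SQL.
function loginUnsafe(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT * FROM users WHERE name='$username' AND pass='$password'";
    return $db->query($sql)->fetch() !== false;
}

// A numeric lookup "protected" with addslashes(). With no quote in the
// input there is nothing to escape, so the payload reaches the database as-is.
function countByIdWithAddslashes(PDO $db, string $id): int
{
    $id  = addslashes($id);
    $sql = "SELECT COUNT(*) FROM users WHERE id=$id";
    return (int) $db->query($sql)->fetchColumn();
}

// The fix: a prepared statement with bound parameters. The SQL text is fixed
// and the values travel separately, so a quote in $password is just a quote.
function loginSafe(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare("SELECT * FROM users WHERE name = :name AND pass = :pass");
    $stmt->execute([':name' => $username, ':pass' => $password]);
    return $stmt->fetch() !== false;
}

// Same for the numeric case: validate the type, then bind it as an integer.
function countByIdSafe(PDO $db, string $id): int
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return 0;                      // "0 OR 1=1" is rejected before any SQL runs
    }
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

$attackPassword = "' OR '1'='1";   // the payload from the slide
$attackId       = "0 OR 1=1";      // no quotes, so addslashes() changes nothing

// Unsafe: the login succeeds with the wrong password, and the count covers every row.
var_dump(loginUnsafe($db, 'known_user', $attackPassword));
var_dump(countByIdWithAddslashes($db, $attackId));

// Safe: the same inputs fail, and the real password still works.
var_dump(loginSafe($db, 'known_user', $attackPassword));
var_dump(countByIdSafe($db, $attackId));
var_dump(loginSafe($db, 'known_user', 'correct-horse'));
```

Run it with `php injection.php`. The unsafe login returns true for the slide's payload and the addslashes()-guarded count returns the whole table for `0 OR 1=1`, while both safe variants reject the payloads and the real password still logs in. addslashes() is deliberately kept away from the string query here: SQLite does not interpret backslash escapes, so on this database it would turn a legitimate O'Brien into a syntax error, which is one more reason the escaping approach does not travel well between databases.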

9  Use the preg_match() function
  No, it is not a paternity test
  It performs a regular expression match (the preg_ prefix refers to PCRE, the Perl-compatible regular expression engine)
  How it works:
  int preg_match ( string $pattern, string $subject [, array &$matches [, int $flags [, int $offset ]]] )
  ▪ You put in a pattern (called a regular expression): a regular expression, or regex for short, is a pattern describing a certain amount of text
  ▪ Put in a subject (the variable you want to check)
  ▪ Optional: $matches – an array that receives the matched text (index 0 is the whole match, then one entry per capturing group)
  ▪ Optional: flags – PREG_OFFSET_CAPTURE changes the output: each entry in $matches becomes a pair of the matched text and its byte offset (you're welcome to research it further, but you're on your own for that; good luck!)
  ▪ Optional: offset – a number that lets you start the search from a different spot in the subject
  What it does (in plain English):
  ▪ it stops after the first match and returns 1 if the pattern matched, 0 if it did not (preg_match_all() is the one that counts every match)
  ▪ if there are any errors, it returns false (so compare the result with === 1 rather than trusting a truthy value)

10  Check to see if "php" is in a phrase
  ▪ Note the slashes surrounding the word (they are the pattern delimiters)
  ▪ The i after php indicates it's a case-insensitive search
  if (preg_match("/php/i", "PHP is the web scripting language of choice.")) {
      echo "A match was found.";
  } else {
      echo "A match was not found.";
  }
  Check for a whole word
  ▪ The \b stands for a word boundary
  ▪ It's placed on both sides of the word, so it will only match "web" as a whole word: "web" matches, "website" and "cobweb" do not
  if (preg_match("/\bweb\b/i", "PHP is the web scripting language of choice.")) {
      echo "A match was found.";
  } else {
      echo "A match was not found.";
  }

11  Examine the pattern and see if you can figure out the regular expression
  For reference, read the Regular Expressions Quick Start Guide
  $email_pattern = '/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
  if (preg_match($email_pattern, $_POST['email'])) {
      $email = $_POST['email'];
  } else {
      echo 'There was a problem with your email address';
  }
  Reading it left to right:
  ▪ ^[^@\s]+ one or more characters that are neither @ nor whitespace, from the start of the string
  ▪ @ the literal at sign
  ▪ ([-a-z0-9]+\.)+ one or more domain labels (letters, digits, hyphens), each followed by a dot
  ▪ [a-z]{2,}$ a top-level domain of at least two letters, then the end of the string
  ▪ the i modifier makes the letter classes case-insensitive
  Two caveats: in PCRE, $ also matches just before a trailing newline, so use \z (or the D modifier) if the value must end exactly there; and PHP has a built-in alternative, filter_var($email, FILTER_VALIDATE_EMAIL), which returns the address or false

12  The htmlspecialchars() function converts certain characters to their HTML entities
  Example: $name = htmlspecialchars($name);
  ▪ & becomes &amp;
  ▪ < becomes &lt;
  ▪ > becomes &gt;
  Quote style: you can add the quote style as the second argument
  ▪ for example: htmlspecialchars($name, ENT_QUOTES)
  ▪ ENT_QUOTES: single quotes ' become &#039; and double quotes " become &quot;
  ▪ ENT_COMPAT: only translates double quotes (not single quotes); this was the default before PHP 8.1
  ▪ ENT_NOQUOTES: neither single nor double quotes are translated
  ▪ since PHP 8.1 the default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401; ENT_QUOTES is the safe choice whenever the value may land inside an attribute, so pass it explicitly rather than relying on the version's default
  A third argument names the character set of the input (UTF-8 by default since PHP 5.4)

13  The htmlentities() function works just like htmlspecialchars(), but every character that has a named HTML entity gets translated
  In addition to the special characters above, all characters with an entity in the chosen character set get translated
  ▪ © becomes &copy;
  ▪ é becomes &eacute;
  ▪ etc.
  Either function makes the browser display the text instead of interpreting it, so injected tags, links, nasty JavaScript and other meanies can't run (this covers HTML body and attribute contexts; a value placed inside a <script> block or a URL needs context-specific encoding instead)
  The quote style option is exactly the same as for htmlspecialchars()
  You can also pass a character set that tells the function how to interpret the input bytes
  The default (UTF-8 since PHP 5.4) will work just fine, as long as your page really is served as UTF-8
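Output encoding in practice, as an added example (mine, not from the presentation). It assumes nothing beyond standard PHP; the two payloads are constructed. It renders the confirmation page a processor might print, with and without htmlspecialchars(), and shows why ENT_QUOTES matters for a value that lands inside an attribute.

```php
<?php
// Added example, not from the original slides; the payloads are constructed.

// One encoder for every value that goes into HTML text or a quoted attribute.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of turning the whole result into an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The confirmation page a form processor might print: the name appears in a
// text node and again as the value of an <input>, so it must survive both.
function renderConfirmation(string $name, bool $encode = true): string
{
    $shown = $encode ? escapeHtml($name) : $name;
    return "<p>Thanks, $shown!</p>\n"
         . "<input type=\"text\" name=\"name\" value=\"$shown\">\n";
}

$scriptPayload    = '<script>alert(document.cookie)</script>';
$attributePayload = '" onfocus="alert(1)" autofocus="';   // closes value="..." early

// Without encoding the browser interprets the markup: the first payload runs a
// script, the second adds an onfocus handler to the input.
echo renderConfirmation($scriptPayload, false);
echo renderConfirmation($attributePayload, false);

// With encoding the characters arrive as &lt; &gt; &quot; and are displayed as text.
echo renderConfirmation($scriptPayload);
echo renderConfirmation($attributePayload);

// The quote-style flags from the slide, side by side. ENT_COMPAT leaves the
// single quote alone, which is fatal if a template writes value='...'.
echo htmlspecialchars("it's", ENT_COMPAT), "\n";
echo htmlspecialchars("it's", ENT_QUOTES), "\n";

// htmlentities() goes further and also encodes characters that merely have a
// named entity, such as the copyright sign.
echo htmlentities('© 2009 <b>Chris</b>', ENT_QUOTES, 'UTF-8'), "\n";
```

Save the file as UTF-8 and run `php encode.php`; view the first two rendered fragments in a browser to see the script and the injected handler fire, then the encoded versions to see them printed as plain text. With ENT_QUOTES the apostrophe comes out as &#039; (the default HTML 4.01 doctype), with ENT_COMPAT it passes through untouched.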

14  Your form processor should make use of a variety of validation checks
  Make sure no fields are empty
  ▪ trim each variable with the trim() function
  ▪ check that they are not empty, using the empty() function
  Check the email format
  ▪ use the preg_match() function (see previous slide)
  Check to make sure integers are indeed integers (if you are asking for a number)
  ▪ this isn't necessary for the Feedback page
  Sanitize your variables
  ▪ use the htmlentities() (or htmlspecialchars()) function on every value you print into the HTML page
  ▪ with databases, don't rely on addslashes(): use prepared statements with bound parameters
  Note: don't HTML-encode the email variable or the other values you pass to mail(); entity encoding is for HTML output, and the preg_match() check has already made sure the address contains nothing that can break a mail header

15  If there's any problem with the form (it's invalid)...
  ▪ notify the user which fields, if any, are empty
  ▪ notify the user if the email is not in the correct format
  ▪ send the user back to the form
  If there are no errors...
  ▪ notify the user that the form was submitted properly
  ▪ send the results using the mail() function
  ▪ send a confirmation email

16  In order to write our form processor, we are going to create our own function to keep track of errors
  Let's call it errorCheck()
  Goal: we want this function to...
  ▪ check to see if a field is empty
  ▪ check to see if the email field is in the incorrect format
  ▪ if either is the case, add the field name to the list of errors
  ▪ return the list of errors

17  When writing our own functions, we need to...
  decide what it's going to do
  come up with a name
  ▪ errorCheck()
  decide what information the function needs (these are its parameters)
  ▪ we need a list ($errors)
  ▪ we need a form field ($var)
  ▪ we need the name of the variable ($name): if a field is empty, how else could we add it to the errors?
  decide what information the function will produce
  ▪ return the list of errors, using the return statement
  write our code
  capture the results through a function call
  ▪ create a variable that will receive the results of the function
  ▪ formula: $variable = function($parameter1, $parameter2, etc.)
  ▪ $errors = errorCheck($errors, $_POST['name'], 'name');

18  First of all, write your function definition before you call it (PHP will find an unconditionally defined function anywhere in the file, but defining it first keeps the script readable)
  Before you call it, you need to have values to send to the function (called "arguments")
  ▪ errors: we need to create this variable first: $errors = array();
  ▪ each field: these come from the form when you click the submit button: $_POST['name']
  ▪ field name: you provide these in the form of a written-out string: 'name'

19  Goal: use preg_match() to check the email format
  Plan the function:
  ▪ receives: $email
  ▪ performs: a regular expression check
  ▪ returns: false if it fails the test, true if it passes
  Call the function:
  ▪ where is the best, most logical place to call the function?

20  Goal: render all special characters that could run a command harmless
  Plan the function:
  ▪ receives: a variable ($var)
  ▪ performs: create a list ($pattern) of potentially harmful characters, create a list ($replacement) of HTML character entities, and run the preg_replace() function (http://us2.php.net/preg_replace); this is the same job htmlspecialchars() does, so in practice call that instead of maintaining your own table
  ▪ returns: the cleaned-up variable
  Call the function
  ▪ only call it if there are no empty variables AND the email format is correct
  ▪ call it on each value as you print it into the HTML results page; the plain-text mail body gets the raw trimmed values, not the HTML-encoded ones

21  Make sure nothing is empty
  Make sure the email works
  If there are empty fields OR the email is incorrect:
  ▪ notify the user there was a problem with the form
  ▪ if there are errors, display all empty fields
  ▪ if the email is incorrect, notify the user that it's incorrect
  ▪ include a link back to the form page
  Else (no problems):
  ▪ notify the user it was a success
  ▪ sanitize every variable you print
  ▪ run the mail() function (http://us3.php.net/mail)
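The processor planned in slides 16 to 21, written out as an added example (mine, not from the presentation). It assumes standard PHP; $_POST is filled with a constructed submission so the script runs from the command line, and FORM_URL, the sender and the recipient addresses are placeholders. The email pattern is the one from slide 11 with \z in place of $, and mail() is called in dry-run mode because a development machine usually has no mail transfer agent.

```php
<?php
// Added example, not from the original slides: errorCheck(), checkEmail(),
// sanitize() and the mail() step from the plan. $_POST is constructed below;
// FORM_URL, SENDER and RECIPIENT are placeholders.

const FORM_URL  = 'feedback.html';
const SENDER    = 'noreply@example.com';
const RECIPIENT = 'webmaster@example.com';

// Slide 17: trim, test for empty, and append the field name to the list.
// empty() is avoided because empty("0") is true, and "0" is a legitimate answer.
function errorCheck(array $errors, string $var, string $name): array
{
    if (trim($var) === '') {
        $errors[] = $name;
    }
    return $errors;
}

// Slide 19: the email pattern from slide 11. [^@\s] rejects whitespace, which
// includes CR and LF, so a validated address cannot smuggle extra mail headers.
// \z replaces $ because $ would still accept a trailing newline.
function checkEmail(string $email): bool
{
    return preg_match('/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}\z/i', $email) === 1;
}

// Slide 20: the job of the planned preg_replace() table is htmlspecialchars().
function sanitize(string $var): string
{
    return htmlspecialchars($var, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// $_POST values may be arrays (name[]=x), so only accept strings, trimmed.
function postString(string $field): string
{
    $value = $_POST[$field] ?? '';
    return is_string($value) ? trim($value) : '';
}

// Slide 21: the raw (trimmed, validated) values go to mail(); only the checked
// address touches a header, and the subject has line breaks stripped.
function sendFeedback(string $name, string $email, string $comments, bool $dryRun): bool
{
    $subject = 'Feedback from ' . str_replace(["\r", "\n"], ' ', $name);
    $body    = "Name: $name\nEmail: $email\n\n$comments\n";
    $headers = 'From: ' . SENDER . "\r\nReply-To: $email\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    if ($dryRun) {          // no MTA on a development box: print what would be sent
        echo "--- would send ---\nTo: " . RECIPIENT . "\nSubject: $subject\n$headers\n$body";
        return true;
    }
    return mail(RECIPIENT, $subject, $body, $headers);
}

// Constructed submission: a missing comment and a header-injection attempt.
$_POST = [
    'name'     => '  Chris  ',
    'email'    => "chris@example.com\r\nBcc: everyone@example.com",
    'comments' => '',
];

$errors = [];
foreach (['name', 'email', 'comments'] as $field) {
    $errors = errorCheck($errors, postString($field), $field);
}
$emailOk = checkEmail(postString('email'));

if ($errors !== [] || !$emailOk) {
    echo "<p>There was a problem with the form.</p>\n";
    foreach ($errors as $field) {
        echo '<p>The ' . sanitize($field) . " field is empty.</p>\n";
    }
    if (!$emailOk) {
        echo "<p>The email address is not in the correct format.</p>\n";
    }
    echo '<a href="' . sanitize(FORM_URL) . "\">Back to the form</a>\n";
} else {
    $name = postString('name');
    echo '<p>Thanks, ' . sanitize($name) . ", your feedback was sent.</p>\n";
    sendFeedback($name, postString('email'), postString('comments'), true);
}
```

With the constructed submission the script reports the empty comments field and rejects the address, because the embedded CRLF fails the regex; change the email to a plain address and fill in a comment to see the success branch print the dry-run message. Nothing the user typed is echoed back without sanitize(), and nothing the user typed reaches a mail header except the regex-checked address.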

22 GENERAL CONCEPTS
  Validation concepts: why validate, what validation includes, PHP vs. JavaScript validation
  PHP functions: built-in functions, user-defined functions
PHP BUILT-IN FUNCTIONS
  trim()
  empty()
  preg_match()
  preg_replace()
  htmlentities()
  htmlspecialchars()
  addslashes()
  stripslashes()
  mail()

