PHP 5 Power Programming

5.10. Summary

PHP is easily embedded in HTML files to display forms that collect data typed by users and files that users upload. Collecting information from users creates security issues, both for the web site itself and for any user information it stores. For security, PHP should run with register_globals set to Off, so that request parameters do not silently become script variables. To attack your site or steal your data, attackers use techniques such as cross-site scripting (injecting client-side script into pages your site serves, so that it runs in other users' browsers) and SQL injection (smuggling SQL syntax into the queries your application runs against its database). To protect against these attacks, distrust all data that originates from users: validate every value you receive before using it, and escape or parameterize it for the context in which it is used, whether that is HTML output or a SQL query. You can protect your site against malicious uploads by checking the size and type of each uploaded file, keeping in mind that the type reported by the browser is itself user-supplied and should be verified from the file's contents. Information that is visible in the browser's address window, that is, data passed in the URL, can be protected against tampering by signing it with a keyed hash (an HMAC), for example with the PEAR class Crypt_HMAC, which was written for this purpose. Hashing is also the right way to protect passwords stored for authenticating users: store a salted hash rather than the password itself. A further measure that protects your site from user mistakes and from attacks is to write your own error handler, which recognizes when something is not as it should be and handles the problem rather than revealing details to the visitor.
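The two protections named above that are easiest to get wrong in practice are signing URL parameters and checking uploads. The following is an added example, not code from the book: it uses PHP's built-in hash_hmac() and hash_equals() (PHP 5.6 or later) in place of the PEAR Crypt_HMAC class, and the sample parameters, the placeholder key and the function names are this example's own.

```php
<?php
// Added example (not from the book). Signs the parameters that travel in a URL
// with an HMAC so that a user who edits the address bar cannot alter them
// unnoticed, and checks an upload by size and by the MIME type sniffed from its
// contents rather than by the type the browser claims. Uses PHP's built-in
// hash_hmac() and hash_equals() (PHP >= 5.6) instead of PEAR Crypt_HMAC.
// $SECRET_KEY is a placeholder: load it from configuration, never from source.

$SECRET_KEY = 'replace-with-a-long-random-secret-from-config';

// Build a query string whose parameters are covered by an HMAC tag.
function sign_query(array $params, $key) {
    ksort($params);                       // canonical order so signing and verifying agree
    $query = http_build_query($params);
    $tag = hash_hmac('sha256', $query, $key);
    return $query . '&sig=' . $tag;
}

// Verify the tag on incoming parameters. Returns the parameters without 'sig'
// on success, or null if anything was added, removed or changed.
function verify_query(array $input, $key) {
    if (!isset($input['sig']) || !is_string($input['sig'])) {
        return null;
    }
    $tag = $input['sig'];
    unset($input['sig']);
    ksort($input);
    $expected = hash_hmac('sha256', http_build_query($input), $key);
    // hash_equals() compares in constant time, so the tag cannot be recovered
    // byte by byte by measuring how long the comparison takes.
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    return $input;
}

// Check one entry of $_FILES. $_FILES[...]['type'] is sent by the browser and
// is attacker-controlled, so the MIME type is read from the file's bytes.
function upload_is_acceptable(array $file, $maxBytes, array $allowedTypes) {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    if ($file['size'] > $maxBytes) {
        return false;
    }
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    return in_array($mime, $allowedTypes, true);
}

// Demonstration with constructed input; no web server is needed.
$url = 'show.php?' . sign_query(array('doc' => 42, 'user' => 'alice'), $SECRET_KEY);
parse_str(parse_url($url, PHP_URL_QUERY), $incoming);
echo "untouched URL: ", verify_query($incoming, $SECRET_KEY) !== null ? "accepted" : "rejected", "\n";

$incoming['doc'] = 43;                    // edited in the address bar
echo "tampered URL:  ", verify_query($incoming, $SECRET_KEY) !== null ? "accepted" : "rejected", "\n";
```

The signature covers the whole canonical query string, so reordering, adding or dropping a parameter invalidates it just as changing a value does. For uploads, upload_is_acceptable() is applied before move_uploaded_file(); a file that passes the size check but whose sniffed type is not in the allow-list is discarded.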

For a web application to be useful, its data must be available to all the pages in the application for the duration of a user's session. One way to pass data from one page to the next is with cookies. When the user first requests a page, a login form is displayed, and the account and password entered into the form are checked against the account and password stored for that user. If the user is authenticated, a cookie is set, and the browser sends the cookie automatically with every subsequent request. Because the user can read and edit cookie values, a cookie used this way should carry either a random identifier that the server maps to the account or a value protected by a keyed hash, never the bare account name. A second method of making data persist across pages is PHP's session support. Once you start a session, variables you store in it are available to every other script that runs within that session.
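The session-based variant of the login flow described above, as an added example that is not code from the book. It assumes PHP 5.5 or later for password_hash() and password_verify(), a site served over HTTPS (the session cookie is marked secure), and a hypothetical lookup function find_user_hash(), which is backed here by a constructed in-memory user table instead of a database.

```php
<?php
// Added example (not from the book): login that keeps the authenticated account
// in a PHP session rather than in a cookie the user can edit. Assumes PHP >= 5.5
// for password_hash()/password_verify() and a site served over HTTPS.
// find_user_hash() is a hypothetical lookup backed by a constructed table.

// Constructed user table: account => password hash (never the password itself).
$USERS = array(
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
);

function find_user_hash($account) {
    global $USERS;
    return isset($USERS[$account]) ? $USERS[$account] : null;
}

// Harden the session cookie before the session starts: it is sent only over
// HTTPS, is not readable from JavaScript, and the session id is never taken
// from the URL (accepting it there would allow session fixation).
ini_set('session.use_only_cookies', '1');
session_set_cookie_params(0, '/', '', true, true);
session_start();

// Returns true after recording the login in the session, false otherwise.
function login($account, $password) {
    $hash = find_user_hash($account);
    if ($hash === null) {
        // Run the same expensive verify against a throwaway hash so that an
        // unknown account takes as long to reject as a wrong password.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    if (!password_verify($password, $hash)) {
        return false;
    }
    // A fresh session id after login stops an attacker who planted a session
    // id before authentication from sharing the authenticated session.
    session_regenerate_id(true);
    $_SESSION['account']  = $account;
    $_SESSION['login_at'] = time();
    return true;
}

// Call at the top of every protected page; returns the account name.
function require_login() {
    if (empty($_SESSION['account'])) {
        header('Location: login.php');
        exit;
    }
    return $_SESSION['account'];
}

// Demonstration with constructed input. Results are collected first and
// printed afterwards so that no output precedes the session id change.
$results = array(
    'wrong password'  => login('alice', 'wrong password'),
    'unknown account' => login('mallory', 'anything'),
    'correct login'   => login('alice', 'correct horse battery staple'),
);
foreach ($results as $case => $ok) {
    echo $case, ': ', $ok ? 'accepted' : 'rejected', "\n";
}
```

Only the session id travels in the cookie; the account name and anything else the application stores live server-side in $_SESSION, which is why this approach avoids the forgery problem of putting the account name directly in a cookie.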

Once you know all the pieces you need for your web application, you have to organize them into a useful whole. One common organization is "one script serves all", in which index.php handles the requests for every page and dispatches each one to the right code. Another is "one script per function", with a separate script for each page or action. Whichever you choose, a general principle is to separate layout from logic. After you organize the pieces into a complete application, you're off to the races.
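An index.php in the "one script serves all" style, with layout kept apart from logic, as an added example that is not code from the book. The routing table, the page functions (page_home, page_account) and the render() layout function are this example's own; the security point it illustrates is that the page name from the URL is only ever a key into a fixed table, never part of a file name handed to include().

```php
<?php
// Added example (not from the book): an index.php written in the "one script
// serves all" style. The page name from the URL is used only as a key into a
// fixed routing table, never as part of a file name passed to include(), so a
// request such as ?page=../../etc/passwd or ?page=http://attacker.example/x
// cannot pull in files the application did not intend to serve. The page
// functions and render() are hypothetical names chosen for this example.

// Routing table: URL page name -> function that produces the page content.
$routes = array(
    'home'    => 'page_home',
    'account' => 'page_account',
);

// Logic: each page function returns data only and emits no HTML of its own.
function page_home() {
    return array('title' => 'Home', 'body' => 'Welcome to the site.');
}

function page_account() {
    // Reads the logged-in account from the session; on a live site this is
    // preceded by session_start() and a login check.
    $account = isset($_SESSION['account']) ? $_SESSION['account'] : '(not logged in)';
    return array('title' => 'Account', 'body' => 'Logged in as ' . $account);
}

// Map a requested page name to a handler. Unknown or malformed names fall
// back to the home page instead of producing an error or an include attempt.
function resolve_route(array $routes, $requested) {
    if (!is_string($requested) || !isset($routes[$requested])) {
        return $routes['home'];
    }
    return $routes[$requested];
}

// Layout: the one place that emits HTML. Every value is escaped here, so a
// page function cannot accidentally introduce cross-site scripting.
function render(array $page) {
    $title = htmlspecialchars($page['title'], ENT_QUOTES, 'UTF-8');
    $body  = htmlspecialchars($page['body'],  ENT_QUOTES, 'UTF-8');
    return "<!DOCTYPE html>\n<html><head><title>$title</title></head>\n"
         . "<body><h1>$title</h1><p>$body</p></body></html>\n";
}

$requested = isset($_GET['page']) ? $_GET['page'] : 'home';
$handler   = resolve_route($routes, $requested);
echo render($handler());
```

Adding a page means adding one entry to $routes and one function; nothing a visitor sends can reach code outside that table.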
