Dynamic Website Security
When the page lots, you won't see the PHP code but in lieu see the contents of the included file. In the case above, you would see your navigation links etc where they ought to be.
At a most basic level, PHP can be used to simplify the navigation of a web-site by using the include function. This, added to each page of the web-site can be used to include a html file that contains the sites navigation links. The main advantage of this is that the webmaster can basically adjust that file, in lieu of every single page on the site. Obviously if your site has thousands of pages, this is going to save you some time! The include() function fundamentally tells the server your web-site is hosted on, to take what is in the included file & put it in to the code of your page. Typical use of the include function is as follows:
There's lots of things a typical user can do which may cause you irritation, or in the case of a purchase form, cause you to never receive the order, e.g. mistyping their e-mail address! This is why form validation is important. When a user makes a mistake regarding form field input, they ought to be notified by your form processing script, & instructed to correct the error & resubmit. This is usually a simple thing to do by using regular expressions to validate e-mail address & using a random anti-spam number generator to cease spam bots. Do not use CAPTCHAs! They are over rated & frustrating to most users. A simple digit number that is randomly generated & rendered out as a picture will suffice to cease automated form filling bots.
The next step up in using PHP to enhance your site is for a contact form. This is where the first security concerns come up. A contact form will permit someone to enter information in to the fields which is sent to your PHP file that processes that information. User entered information must never be trusted!
The largest threat is a MySQL injection assault. This is where a user types in some PHP & SQL code in to a field in your form. That information is then sent to the form, & your processing script interprets that as commands & functions, not as raw text. So if someone where to send an SQL string that looked something like "DELETE * from myblog", every record in "myblog" would be deleted & that would be the finish of your weblog, posts & comments to boot! Other sneaky things people may try to do include sending a set of commands to your script that lead to them being able to place a link somewhere on your site. This is often completed by using the fwrite function to append code to of your html files.
So, some simple validation techniques as well as a random number picture generator will suffice for 90% of the site owners & weblog owners out there. In the event you plan on using MySQL with some aspect of your web-site, such as letting users upload information for things like profiles etc, then you will need to go a step further.
$name = strip_tags($_GET['namefieldfromform'];
These are no little issues, they must be addressed or people could wreck your designs for web domination! The solution is simple. There's functions that can be used to help secure your forms & scripts. The first is to make use of a function known as strip_tags($myvar), where "$myvar" is the variable that contains the input from the form. A working example would look something like this:
$query = "INSERT INTO picture (sourceurl, thumburl, ratings, dateadded, description, submitedby, section, keywords) VALUES ('$efilename', '$thumbname', '0', '$date', '$desc', '$name', '$cat', '$tags')";
You would then escape those variables that are in the query thusly:
mysql_real_escape_string($efilename);
This strips any tags that the user may have entered in to your form. It is useful for stopping people from adding in their own links to sites in things like comments.
The other & more important function is mysql_real_escape_string(). It is a tiny trickier to make use of but still simple to implement. First you must construct the query you are going to send to your database:
mysql_real_escape_string($thumbname);
mysql_real_escape_string($date);
mysql_real_escape_string($desc);
mysql_real_escape_string($name);
mysql_real_escape_string($tags);
mysql_real_escape_string($cat);
This will make positive that those variables have no harmful text or code inside them, & so are safe to make use of with the database.
Keep in mind to never trust information that is entered by users, as you never know who might be trying to cause trouble!
At a most basic level, PHP can be used to simplify the navigation of a web-site by using the include function. This, added to each page of the web-site can be used to include a html file that contains the sites navigation links. The main advantage of this is that the webmaster can basically adjust that file, in lieu of every single page on the site. Obviously if your site has thousands of pages, this is going to save you some time! The include() function fundamentally tells the server your web-site is hosted on, to take what is in the included file & put it in to the code of your page. Typical use of the include function is as follows:
There's lots of things a typical user can do which may cause you irritation, or in the case of a purchase form, cause you to never receive the order, e.g. mistyping their e-mail address! This is why form validation is important. When a user makes a mistake regarding form field input, they ought to be notified by your form processing script, & instructed to correct the error & resubmit. This is usually a simple thing to do by using regular expressions to validate e-mail address & using a random anti-spam number generator to cease spam bots. Do not use CAPTCHAs! They are over rated & frustrating to most users. A simple digit number that is randomly generated & rendered out as a picture will suffice to cease automated form filling bots.
The next step up in using PHP to enhance your site is for a contact form. This is where the first security concerns come up. A contact form will permit someone to enter information in to the fields which is sent to your PHP file that processes that information. User entered information must never be trusted!
The largest threat is a MySQL injection assault. This is where a user types in some PHP & SQL code in to a field in your form. That information is then sent to the form, & your processing script interprets that as commands & functions, not as raw text. So if someone where to send an SQL string that looked something like "DELETE * from myblog", every record in "myblog" would be deleted & that would be the finish of your weblog, posts & comments to boot! Other sneaky things people may try to do include sending a set of commands to your script that lead to them being able to place a link somewhere on your site. This is often completed by using the fwrite function to append code to of your html files.
So, some simple validation techniques as well as a random number picture generator will suffice for 90% of the site owners & weblog owners out there. In the event you plan on using MySQL with some aspect of your web-site, such as letting users upload information for things like profiles etc, then you will need to go a step further.
$name = strip_tags($_GET['namefieldfromform'];
These are no little issues, they must be addressed or people could wreck your designs for web domination! The solution is simple. There's functions that can be used to help secure your forms & scripts. The first is to make use of a function known as strip_tags($myvar), where "$myvar" is the variable that contains the input from the form. A working example would look something like this:
$query = "INSERT INTO picture (sourceurl, thumburl, ratings, dateadded, description, submitedby, section, keywords) VALUES ('$efilename', '$thumbname', '0', '$date', '$desc', '$name', '$cat', '$tags')";
You would then escape those variables that are in the query thusly:
mysql_real_escape_string($efilename);
This strips any tags that the user may have entered in to your form. It is useful for stopping people from adding in their own links to sites in things like comments.
The other & more important function is mysql_real_escape_string(). It is a tiny trickier to make use of but still simple to implement. First you must construct the query you are going to send to your database:
mysql_real_escape_string($thumbname);
mysql_real_escape_string($date);
mysql_real_escape_string($desc);
mysql_real_escape_string($name);
mysql_real_escape_string($tags);
mysql_real_escape_string($cat);
This will make positive that those variables have no harmful text or code inside them, & so are safe to make use of with the database.
Keep in mind to never trust information that is entered by users, as you never know who might be trying to cause trouble!
