Questions about this topic? Sign up to ask in the talk tab.

PHP

From NetSec
Revision as of 23:30, 27 May 2012 by LashawnSeccombe (Talk | contribs) (code)

Jump to: navigation, search

PHP Hypertext Preprocessor Language is a server side interpreted language written in C that runs primarily on Linux environments. PHP scripts can be run directly or served as webpages.

RPU0j.png This article needs immediate attention, and is in desperate need of content.

Development Environment

PHP CLI

Xochipilli says
Many Linux distributions package the PHP CLI separately
  • php -l check syntax
  • php -v version
  • php -e oneliner

Pear/Pecl

Your first application

Variables and data types

PHP is a dynamically-typed language, consisting of integers, arrays, associative arrays, strings, and classes.

Boolean Logic

Ternary Conditionals

Loops

User Input

User-Defined Functions

Defining functions in PHP is accomplished using the function keyword, followed by the function name and comma delimited arguments, surrounded by parenthesis:

 
function myFunction(arg1, arg2) {
...
}
 

If the function is encapsulated in an object, you may specify the visibility of the function, public, protected or private.

 
class MyClass
{
    public function myFunction(arg1, arg2) {
    ...
    }
...
}
 

Unlike some programming languages, like Perl or Python, PHP member functions implicitly extract their parent into the $this variable.

Security

code

Dangerous functions

  • include()
  • eval()
  • mysql_query()
  • pgsql_query()
  • phpinfo()
  • system()

Dangerous practices

  • include()
  • echo(), print(), sprintf()
  • string sanitizing using non-recursive string replacement
  • improper type handling

Best practices

  • File inclusion
  • Type Handling
 
$clean_int = (int)$dangerous_int;
 
  • XSS
  • SQL Injection

Preventing SQL injection in PHP applications is relatively simple, so long as you are thorough. String input, surrounded by single quotes can be sanitized with mysql_real_escape_string(), which will escape dangerous characters such as single quotes (as well as \, so that you cannot escape the escapes!). Sanitizing integer input can be done simply by casting the input to integer.

php.ini

See Also : PHP Patching

PHP is part of a series on programming.
<center>
</center>