Secure PHP Development- P10
Number of pages: 5
File type: pdf
Size: 96.24 KB
Document information:
Secure PHP Development - P10: Welcome to Secure PHP Development: Building 50 Practical Applications. PHP has come a long way since its first incarnation as a Perl script. Now PHP is a powerful Web scripting language with object-oriented programming support. Slowly but steadily it has entered the non-Web scripting arena often reserved for Perl and other shell scripting languages. Arguably, PHP is one of the most popular Web platforms.
Content extracted from the document:
Part I: Designing PHP Applications
Chapter 1: Features of Practical PHP Applications

Listing 1-6 (Continued)

    // Setup the template block
    $t->set_block("page", "mainBlock", "main");

    // Set the template variable = value
    $t->set_var("ERRORS", $errors);
    $t->set_var("NUM1", $num1);
    $t->set_var("NUM2", $num2);
    $t->set_var("OPERATOR", $operator);
    $t->set_var("RESULT", $result);

    // Parse the template block with all
    // predefined key=values
    $t->parse("main", "mainBlock", false);

    // Parse the entire template and
    // print the output
    $t->pparse("OUT", "page");
    ?>

The script can be called using a URL such as the following:

    http://yourserver/ch1/calc.php?num1=123&operator=%2B&num2=0

(The plus sign is sent as %2B because a literal + in a query string is decoded as a space.)

The calc.php script produces an output screen, as shown in Figure 1-1, using the calc.html template stored in ch1/templates.

Figure 1-1: Output of the calc.php script.

If the script is called without one or more inputs, it shows error messages. For example, if the user forgot to enter the operator, the output looks as shown in Figure 1-2.

Figure 1-2: Output of the calc.php script (called without an operator).

Similarly, if the operator is division (/) and the second number is 0, the divide-by-zero error message is shown, as in Figure 1-3.

Figure 1-3: Output of the calc.php script (divide-by-zero error message).

So this script is able to catch input errors and even a run-time error caused by bad user input (divide by zero). But, sadly, this script violates a design principle of a practical PHP application. Notice the following lines in the script:

    $errors .= "You did not enter number 1.";
    // lines skipped
    $errors .= "You did not enter number 2.";
    // lines skipped
    $errors .= "You did not enter the operator.";
    // lines skipped
    $errors .= "Divide by zero is not allowed.";

These error messages are in English and have HTML tags in them. This means that if the end user wasn't fond of the way the messages were shown, he or she would have to change them in the code, and any modification of the code risks introducing bugs. Also, what if the end user spoke, say, Spanish instead of English? The end user would again have to change the code. A better solution is shown in Listing 1-7 and Listing 1-8.

Listing 1-7: calc2.php (partial; the beginning of the script is not reproduced in this excerpt)

    // If operation is + do addition: num1 + num2
    if (!strcmp($operator, '+')) {
        $result = $num1 + $num2;

    // If operation is - do subtraction: num1 - num2
    } else if (!strcmp($operator, '-')) {
        $result = $num1 - $num2;

    // If operation is * do multiplication: num1 * num2
    } else if (!strcmp($operator, '*')) {
        $result = $num1 * $num2;

    // If operation is / do division: num1 / num2
    } else if (!strcmp($operator, '/')) {

        // If second number is 0, show divide by zero exception
        if (!$num2) {
            $errors .= $ERRORS[LANGUAGE]['DIVIDE_BY_ZERO'];
        } else {
            $result = sprintf("%.2f", $num1 / $num2);
        }
    }

    // Create a new template object
    $t = new Template($TEMPLATE_DIR);

    // Set the template file for this object to application's template
    $t->set_file("page", $OUT_TEMPLATE);

    // Setup the template block
    $t->set_block("page", "mainBlock", "main");

    // Set the template variable = value
    $t->set_var("ERRORS", $errors);
    $t->set_var("NUM1", $num1);
    $t->set_var("NUM2", $num2);
    $t->set_var("OPERATOR", $operator);
    $t->set_var("RESULT", $result);

    // Parse the template block with all predefined key=values
    $t->parse("main", "mainBlock", false);

    // Parse the entire template and print the output
    $t->pparse("OUT", "page");
    ?>

The difference between calc.php and calc2.php is that calc2.php doesn't have any error messages hard-coded in the script. The calc.php error messages have been replaced with the following (the message keys are quoted strings; bare-word keys such as NUM1_MISSING are treated as undefined constants and are an error in current PHP versions):

    $errors .= $ERRORS[LANGUAGE]['NUM1_MISSING'];
    $errors .= $ERRORS[LANGUAGE]['NUM2_MISSING'];
    $errors .= $ERRORS[LANGUAGE]['OPERATOR_MISSING'];
    $errors .= $ERRORS[LANGUAGE]['DIVIDE_BY_ZERO'];

The calc2.php script loads error messages from the calc2.errors file using the following line:

    require_once('calc2.errors');

Note that require_once executes the file as PHP whatever its extension, but a web server is normally configured to hand only .php files to the PHP interpreter. If calc2.errors sits in a web-served directory such as ch1/, a direct request for it would return the file's source as plain text, so keep such include files outside the document root or deny direct access to them in the web server configuration.

The calc2.errors file is shown in Listing 1-8.

Listing 1-8: calc2.errors ...
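The following is an added example and is not code from the book. It shows the same idea as calc2.php, user-facing messages kept in a per-language table and selected by key at run time, as a complete script that runs from the PHP CLI without the Template class. The message table stands in for the book's calc2.errors file, whose contents this excerpt does not show; its key names, the Spanish strings and the function names are assumptions. It goes beyond the book's listing in two ways a practitioner would want: the operator is checked against a whitelist and both numbers are checked with is_numeric before any arithmetic, and every value that came from the request is HTML-encoded before it is echoed back.

```php
<?php
// Added example, not code from the book: a stand-alone calculator in the
// style of calc2.php. MESSAGES stands in for the book's calc2.errors file
// (its contents are not shown in the excerpt; keys and Spanish text are
// assumed). Inputs are validated before any arithmetic, and request values
// are HTML-encoded before they are reflected into the output.
declare(strict_types=1);

const MESSAGES = [
    'EN' => [
        'NUM1_MISSING'     => 'You did not enter number 1.',
        'NUM2_MISSING'     => 'You did not enter number 2.',
        'OPERATOR_MISSING' => 'You did not enter the operator.',
        'OPERATOR_INVALID' => 'The operator must be one of + - * /.',
        'NOT_A_NUMBER'     => 'Both numbers must be numeric.',
        'DIVIDE_BY_ZERO'   => 'Divide by zero is not allowed.',
    ],
    'ES' => [
        'NUM1_MISSING'     => 'No ha introducido el número 1.',
        'NUM2_MISSING'     => 'No ha introducido el número 2.',
        'OPERATOR_MISSING' => 'No ha introducido el operador.',
        'OPERATOR_INVALID' => 'El operador debe ser uno de + - * /.',
        'NOT_A_NUMBER'     => 'Ambos números deben ser numéricos.',
        'DIVIDE_BY_ZERO'   => 'No se permite dividir entre cero.',
    ],
];

// Only these operators are accepted; anything else is rejected before it
// reaches the arithmetic.
const OPERATORS = ['+', '-', '*', '/'];

// Returns ['errors' => [message keys], 'result' => ?string]. Keys, not text,
// are returned so the caller decides the language at render time.
function calculate(array $input): array
{
    $errors   = [];
    $num1     = $input['num1'] ?? '';
    $num2     = $input['num2'] ?? '';
    $operator = $input['operator'] ?? '';

    if ($num1 === '')     { $errors[] = 'NUM1_MISSING'; }
    if ($num2 === '')     { $errors[] = 'NUM2_MISSING'; }
    if ($operator === '') {
        $errors[] = 'OPERATOR_MISSING';
    } elseif (!in_array($operator, OPERATORS, true)) {
        $errors[] = 'OPERATOR_INVALID';
    }
    if ($num1 !== '' && $num2 !== '' && !(is_numeric($num1) && is_numeric($num2))) {
        $errors[] = 'NOT_A_NUMBER';
    }
    if ($errors) {
        return ['errors' => $errors, 'result' => null];
    }

    $a = (float) $num1;
    $b = (float) $num2;
    switch ($operator) {
        case '+': $result = $a + $b; break;
        case '-': $result = $a - $b; break;
        case '*': $result = $a * $b; break;
        default:
            if ($b == 0.0) {
                return ['errors' => ['DIVIDE_BY_ZERO'], 'result' => null];
            }
            $result = $a / $b;
    }
    return ['errors' => [], 'result' => sprintf('%.2f', $result)];
}

// Render the outcome as an HTML fragment in the requested language.
function render(array $input, array $outcome, string $language): string
{
    $messages = MESSAGES[$language] ?? MESSAGES['EN'];
    // Everything that came from the request is reflected into HTML, so encode it.
    $h = fn (?string $s): string => htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    $html = '';
    foreach ($outcome['errors'] as $key) {
        $html .= '<p class="error">' . $h($messages[$key]) . "</p>\n";
    }
    if ($outcome['result'] !== null) {
        $html .= sprintf("<p>%s %s %s = %s</p>\n",
            $h($input['num1'] ?? ''), $h($input['operator'] ?? ''),
            $h($input['num2'] ?? ''), $h($outcome['result']));
    }
    return $html;
}

// Usage: php calc_i18n.php 'num1=123&operator=%2B&num2=0' [EN|ES]
// parse_str decodes the query string the way the web server would.
if (PHP_SAPI === 'cli') {
    parse_str($argv[1] ?? 'num1=1&operator=%2F&num2=0', $input);
    echo render($input, calculate($input), strtoupper($argv[2] ?? 'EN'));
}
```

Running it with 'num1=123&operator=%2B&num2=0' prints the sum, with 'num1=1&operator=%2F&num2=0' and ES prints the Spanish divide-by-zero message, and with 'num1=%3Cb%3E1&operator=%2B&num2=2' the angle brackets come back encoded rather than as markup. The book's Template class passes set_var values through to the page as-is, so the same encoding step belongs before each set_var call whenever the value originated in the request.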