1 Environment Variables
<html><head><title> Environment Variables </title>
</head><body>
<h3>Environment variables script</h3>
<p> Here are the CGI environment variables (plus the request headers, as HTTP_*) that
this PHP script has been called with</p>
<hr>
<?php
// Several $_SERVER entries (QUERY_STRING, PATH_INFO, HTTP_USER_AGENT, ...)
// are copied straight from the request, so escape them before echoing into HTML.
foreach ($_SERVER as $key => $value) {
    if (!is_scalar($value)) {      // e.g. argv on the command line
        $value = json_encode($value);
    }
    echo htmlspecialchars($key . "=" . $value, ENT_QUOTES, 'UTF-8') . "<br>";
}
?>
<h4>How to use just one environment variable:</h4>
<?php
echo "\$_SERVER['REMOTE_ADDR'] = " . htmlspecialchars($_SERVER['REMOTE_ADDR'], ENT_QUOTES, 'UTF-8');
?>
</body></html>
1.1 Exercises
1) Try the script.
2) Take one of the PHP scripts that you have created earlier this
semester and that responds to a form. Add a print statement to the PHP script that
prints the environment variables REQUEST_METHOD, QUERY_STRING
and CONTENT_LENGTH. Note that QUERY_STRING carries the form data only if the
method for sending the form is "get", while CONTENT_LENGTH is only set when the
request has a body, i.e. if the method is "post". (Check the
<form action=... method=... > tag in your form.)
REQUEST_METHOD and CONTENT_LENGTH can be used to make your script more robust:
reject requests that do not use the method your form specifies, and reject
requests whose CONTENT_LENGTH is larger than a predefined maximum. Keep in mind
that CONTENT_LENGTH is sent by the client, so it is a sanity check on the request
as a whole, not a substitute for checking the length of each field; PHP's
post_max_size setting is what actually caps the request body.
2 Customize Pages with PHP
PHP can show different pages to different users depending on user preferences.
2.1 Exercises
3) Ask a user to input their name into a text field and
to choose a color from a popup menu. Then display a page with
a short message (e.g. "Thank you {$_REQUEST['name']} for your request") in that color.
3 Security on PHP Pages
There are several security problems and error sources for PHP scripts
such as the one above.
Here are some security tips:
- If the script prints user input or HTML code that was retrieved from the
web, escape it before printing it. The hand-written version is
$text = preg_replace('/</', '&lt;', $text);
$text = preg_replace('/>/', '&gt;', $text);
Better and simpler: use htmlspecialchars(), which also escapes &, " and '.
strip_tags() removes markup but is not an escaping function, so do not rely on
it to make output safe.
- For input from radio buttons, menu selections and check boxes, compare the
value against the list of all possible values (an if statement or in_array()).
On an unexpected value, print an error message and stop the script.
- Don't ask the user for a filename and then write to that file. Map a fixed
set of choices to fixed paths instead.
- Files that are written to should not be in a directory
that allows server-side includes, active server pages, PHP
pages, or other HTML template systems; ideally keep them outside the document
root altogether.
- Don't install PHP code from untrusted sources on your server.
- If you use sendmail to email back to a user, validate the address
(filter_var($addr, FILTER_VALIDATE_EMAIL)) and reject anything containing a
newline, which would let the user inject extra mail headers; call
"sendmail -t -oi" so the recipients are read from the message headers rather
than from the command line.
- Never allow user input into a system call. If a program must be invoked with
a user value, pass that value through escapeshellarg() first.
- When calling programs (such as a MySQL database) from PHP,
never paste user input into the statement; use a prepared statement with
bound parameters.
- If your script writes to a file, lock the file (flock() with LOCK_EX) so that two
scripts cannot write to it at the same time.
- Be careful with PATH_INFO. Validate its contents: it is taken from the URL
and may contain "../" or other characters you do not expect.
- Check the REQUEST_METHOD variable to verify that the data
was sent by POST (or GET, or whichever method your form uses).
- Check the CONTENT_LENGTH variable to restrict the amount of
input text. It is supplied by the client, so treat it as a coarse limit and
still check the length of each field.
- Once you are finished writing the script, stop showing errors to users:
set display_errors off (ini_set('display_errors', '0');) and keep log_errors on.
Turning reporting off entirely with error_reporting(0) also silences the log,
so you would never find out about failures.
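Three of the tips above (no user-chosen filenames, locking a file before writing, keeping user input out of SQL statements and shell commands) as working PHP. This is an added example, not code from the handout; it assumes PHP's PDO SQLite driver is available, uses the system temp directory for the log files, and the log names "feedback" and "signup" and the two users are made up for the demo.

```php
<?php
// Added example (not part of the original handout). Assumptions: PDO with the
// sqlite driver is available; log files live in the system temp directory;
// the only user-controlled values are the strings passed into the functions.
declare(strict_types=1);

// Tip: never write to a file whose name the user supplied. Map a small set of
// allowed choices to fixed paths and reject everything else.
function logPathFor(string $choice): string
{
    $allowed = [                                   // constructed names
        'feedback' => sys_get_temp_dir() . '/feedback.log',
        'signup'   => sys_get_temp_dir() . '/signup.log',
    ];
    if (!array_key_exists($choice, $allowed)) {
        throw new InvalidArgumentException('unknown log: ' . $choice);
    }
    return $allowed[$choice];
}

// Tip: lock the file so two concurrent requests cannot interleave their writes.
// Newlines are stripped so one request cannot forge a second log record.
function appendLocked(string $path, string $line): void
{
    $line = str_replace(["\r", "\n"], ' ', $line);
    $fh = fopen($path, 'ab');
    if ($fh === false) {
        throw new RuntimeException('cannot open ' . $path);
    }
    try {
        if (!flock($fh, LOCK_EX)) {
            throw new RuntimeException('cannot lock ' . $path);
        }
        fwrite($fh, $line . "\n");
        fflush($fh);
        flock($fh, LOCK_UN);
    } finally {
        fclose($fh);
    }
}

// Tip: user input must not be spliced into SQL text. With a prepared statement
// the value is bound separately, so quotes inside it are plain data.
function findUser(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Tip: never put user input into a system call. If a program must be run,
// escapeshellarg() turns the value into one literal shell word.
function safeEchoCommand(string $user): string
{
    return 'echo ' . escapeshellarg($user);
}

// Constructed demo data: an in-memory SQLite database with two users.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$injected = "alice' OR '1'='1";            // classic injection attempt
var_dump(findUser($db, 'alice'));          // the honest lookup finds the row
var_dump(findUser($db, $injected));        // the quoted value matches no name
appendLocked(logPathFor('feedback'), 'visit from ' . $injected);
echo safeEchoCommand("bob; rm -rf /"), "\n";   // the ";" stays inside the quoted argument
```

Run it from the command line with php. The second findUser() call returns null because the bound value is compared as a whole string; had the name been concatenated into the query, the same input would have turned the WHERE clause into a tautology. The filename mapping and escapeshellarg() follow the same principle: user data selects from, or is wrapped by, something the script controls, and never becomes part of the command or path itself.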
More information is available on the security of PHP and on general WWW security.
3.1 Exercises
4) In the previous script check whether the input is
reasonable and not empty:
- check whether the name and color contain only word characters
or "-".
(Hint: preg_match("/[^\w-]/i", $string) returns 1 if $string contains
a character which isn't a word character or "-".)
- check that neither name nor color is longer than 100 characters (use the
strlen() function).
If the criteria are not fulfilled, do not
display the results page but instead show an error message.
5) For the $_REQUEST['name'] variable replace the HTML characters "<" and ">"
with "&lt;" and "&gt;" before printing the name.
Hint: use the htmlentities() or the htmlspecialchars() function.
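The name/color form of exercises 3 to 5 with the checks from section 3 and exercise 2 applied (method and CONTENT_LENGTH checks, whitelist validation with preg_match() and strlen(), a fixed list of allowed colors, htmlspecialchars() on output). This is an added example, not a solution from the handout; it assumes the form posts the fields "name" and "color", the 100-character limit from exercise 4, and the four colors and the 1024-byte request limit are arbitrary choices for the demo.

```php
<?php
// Added example (not part of the original handout). Assumptions: the form
// posts "name" and "color"; MAX_CONTENT_LENGTH and ALLOWED_COLORS are made up.
declare(strict_types=1);

const MAX_FIELD_LEN = 100;                       // exercise 4
const MAX_CONTENT_LENGTH = 1024;                 // far more than two short fields need
const ALLOWED_COLORS = ['red', 'green', 'blue', 'black'];

// Reject an empty value, an over-long value, or any character that is not a
// word character or "-" (exercise 4). Without the /u modifier \w is ASCII-only,
// so accented names are rejected too. Returns null on success, else the error.
function checkField(string $label, string $value): ?string
{
    if ($value === '') {
        return "$label must not be empty";
    }
    if (strlen($value) > MAX_FIELD_LEN) {
        return "$label is longer than " . MAX_FIELD_LEN . " characters";
    }
    if (preg_match('/[^\w-]/', $value) === 1) {
        return "$label contains characters other than letters, digits, _ and -";
    }
    return null;
}

// Checks on the request itself (section 3): method and declared body size.
// CONTENT_LENGTH comes from the client, so it is a cheap sanity limit, not a
// substitute for checking each field; PHP's post_max_size is the real cap.
function checkRequest(array $server): ?string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'form must be submitted with POST';
    }
    $len = (string) ($server['CONTENT_LENGTH'] ?? '0');
    if (!ctype_digit($len) || (int) $len > MAX_CONTENT_LENGTH) {
        return 'request body too large';
    }
    return null;
}

// Validate, then build the page. The name is escaped with htmlspecialchars()
// (exercise 5) even though validation already excludes "<" and ">", and the
// color must be one of the fixed list, so neither value can inject markup or CSS.
function renderPage(array $server, array $form): string
{
    $name  = (string) ($form['name'] ?? '');
    $color = (string) ($form['color'] ?? '');
    $error = checkRequest($server)
        ?? checkField('name', $name)
        ?? checkField('color', $color);
    if ($error === null && !in_array($color, ALLOWED_COLORS, true)) {
        $error = 'unexpected color value';          // menu value outside the whitelist
    }
    if ($error !== null) {
        return '<p>Error: ' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    $safeName = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return "<p style=\"color: $color\">Thank you $safeName for your request</p>";
}

// Constructed requests: an honest one, one carrying a script tag, one sent by GET.
$post = ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => '21'];
$get  = ['REQUEST_METHOD' => 'GET'];
echo renderPage($post, ['name' => 'Ann-Marie', 'color' => 'blue']), "\n";
echo renderPage($post, ['name' => '<script>alert(1)</script>', 'color' => 'blue']), "\n";
echo renderPage($post, ['name' => 'Ann', 'color' => 'red; background: url(x)']), "\n";
echo renderPage($get,  ['name' => 'Ann', 'color' => 'red']), "\n";
```

In a real script the two arrays are $_SERVER and $_POST; keeping them as parameters makes the checks testable without a web server. Only the first request reaches the thank-you page: the script tag fails the character whitelist, the doctored color fails both the whitelist and the fixed color list, and the GET request is refused before any field is looked at.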