1 Environment Variables

<html><head><title> Environment Variables </title> </head><body>
<h3>Environment variables script</h3>
<p> Here are the CGI environment variables that this PHP script has been called with </p>
<hr>
<?php
// Several of these values (QUERY_STRING, HTTP_USER_AGENT, ...) are supplied by the
// client, so escape them before echoing them into the page.
foreach ($_SERVER as $key => $value) {
    $value = is_array($value) ? implode(' ', $value) : (string) $value;
    echo htmlspecialchars($key) . "=" . htmlspecialchars($value) . "<br>";
}
?>
<h4>How to use just one environment variable:</h4>
<?php
echo "\$_SERVER['REMOTE_ADDR'] = " . htmlspecialchars($_SERVER['REMOTE_ADDR']);
?>
</body></html>

1.1 Exercises

1) Try the script.

2) Use one of the PHP scripts that you have created earlier this semester and that responds to a form. Add a print statement to the PHP script that prints the environment variables REQUEST_METHOD, QUERY_STRING and CONTENT_LENGTH. Note that some of these are only available if the method for sending the form is "get", others only if the method is "post". (Check the <form action=... method=... > tag in your form.) REQUEST_METHOD and CONTENT_LENGTH can be used to increase the security of your script: reject requests that do not use the method your form uses, and make sure CONTENT_LENGTH does not exceed a predefined maximum length.
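The following form handler is an added example, not part of the original handout or of any script you wrote earlier. It prints the three request variables (escaped, since QUERY_STRING is client-controlled) and then applies the two checks from the exercise: the method must be the one the form uses, and CONTENT_LENGTH must stay below a maximum. The limit MAX_BODY_BYTES and the assumption that the form is sent with method="post" are our own choices.

```php
<?php
// Added example: form handler that shows REQUEST_METHOD, QUERY_STRING and
// CONTENT_LENGTH and refuses requests with the wrong method or an oversize body.
// Assumption: the calling form uses method="post"; MAX_BODY_BYTES is our own limit.

const MAX_BODY_BYTES = 4096;   // assumption: plenty for a small text form

// All three are set by the web server from the HTTP request.
// QUERY_STRING is only filled for method="get" (the data travels in the URL);
// CONTENT_LENGTH is only set when a body was sent, i.e. for method="post".
$method = $_SERVER['REQUEST_METHOD'] ?? '';
$query  = $_SERVER['QUERY_STRING'] ?? '';
$length = (int) ($_SERVER['CONTENT_LENGTH'] ?? 0);

header('Content-Type: text/html; charset=UTF-8');
echo "<h4>Request variables</h4>\n";

// Print the variables; escape them first because QUERY_STRING would otherwise be
// reflected into the page exactly as the client sent it.
$vars = ['REQUEST_METHOD' => $method, 'QUERY_STRING' => $query, 'CONTENT_LENGTH' => $length];
foreach ($vars as $key => $value) {
    echo htmlspecialchars($key, ENT_QUOTES, 'UTF-8') . " = "
       . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . "<br>\n";
}

// Check 1: only accept the method the form actually uses.
if ($method !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('<p>Only POST is accepted by this script.</p>');
}

// Check 2: refuse bodies above the predefined maximum before using $_POST at all.
// (post_max_size in php.ini is a second, server-wide limit; this one is per script.)
if ($length > MAX_BODY_BYTES) {
    http_response_code(413);
    exit('<p>Request body too large.</p>');
}

// Both checks passed: the form data in $_POST can now be processed.
echo '<p>Accepted a ' . $length . '-byte body with ' . count($_POST) . " form field(s).</p>\n";
?>
```

Submitting the form with method="get" shows a filled QUERY_STRING and a CONTENT_LENGTH of 0 and is then rejected with status 405; a POST shows an empty QUERY_STRING and the body size, and is rejected with 413 if that size exceeds the limit.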

2 Customize Pages with PHP

PHP can show different pages to different users depending on user preferences.

2.1 Exercises

3) Ask a user to input their name into a text field and to choose a color from a popup menu. Then display a page with a short message (e.g. "Thank you $_REQUEST['name'] for your request") in that color.

3 Security on PHP Pages

There are several security problems and error sources for PHP scripts such as the one above.

Here are some security tips:

More information is available on PHP security and on general WWW security.

3.1 Exercises

4) In the previous script, check that the input is reasonable and not empty:
- check that the name and the color contain only word characters or -.
(Hint: preg_match("/[^\w-]/i", $string) returns 1 if $string contains a character which is neither a word character nor -.)
- check that neither the name nor the color is longer than 100 characters (use the strlen() function).
If these criteria are not met, do not display the results page; show an error message instead.

5) For the $_REQUEST['name'] variable replace HTML characters "<" and ">" with &#60; and &#62; before printing the name.
Hint: use the htmlentities() or the htmlspecialchars() function.
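The script below is an added example, not the handout's own solution, that carries exercises 3, 4 and 5 through in a single file: it shows the form, validates the name and color with preg_match() and strlen(), and escapes the name with htmlspecialchars() before printing it. The file name greet.php, the list of colors offered by the menu, and the helper names h() and is_reasonable() are our assumptions; the 100-character limit and the character rule are the exercise's.

```php
<?php
// Added example: exercises 3-5 in one script (assumed file name: greet.php).
// It both shows the form and handles the submission.
// Assumptions: the COLORS list is what the popup menu offers; h() and
// is_reasonable() are our own helpers.

const MAX_LEN = 100;                                   // exercise 4: length limit
const COLORS  = ['black', 'red', 'green', 'blue'];     // assumption: menu entries

// Escape helper: < and > (and quotes/&) become entities, so input renders as text.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Exercise 4: a value is acceptable only if it is non-empty, at most MAX_LEN
// characters and made of word characters or '-'. preg_match() looks for a
// *forbidden* character and returns 0 when it finds none.
function is_reasonable(string $s): bool {
    return $s !== ''
        && strlen($s) <= MAX_LEN
        && preg_match('/[^\w-]/', $s) === 0;
}

header('Content-Type: text/html; charset=UTF-8');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name  = $_POST['name']  ?? '';
    $color = $_POST['color'] ?? '';

    // Validation failed: show an error instead of the results page.
    if (!is_reasonable($name) || !is_reasonable($color)) {
        http_response_code(400);
        exit('<p>Error: name and color must be 1-' . MAX_LEN
           . ' characters and use only letters, digits, _ or -.</p>');
    }
    // The color lands in a style attribute, so additionally pin it to the values
    // the menu offers instead of relying on the character rule alone.
    if (!in_array($color, COLORS, true)) {
        http_response_code(400);
        exit('<p>Error: unknown color.</p>');
    }

    // Exercise 5: escape before printing, so a name such as <b>x</b> is shown literally.
    echo '<p style="color:' . h($color) . '">Thank you ' . h($name) . ' for your request</p>';
    exit;
}

// Exercise 3: the input form (method="post", so the data travels in the request body).
echo '<form action="greet.php" method="post">';
echo 'Name: <input type="text" name="name" maxlength="' . MAX_LEN . '"> ';
echo 'Color: <select name="color">';
foreach (COLORS as $c) {
    echo '<option value="' . h($c) . '">' . h($c) . '</option>';
}
echo '</select> <input type="submit" value="Send"></form>';
?>
```

The maxlength attribute on the text field is only a convenience for the user; the browser-side limit can be bypassed, which is why the script repeats the length and character checks on the server before anything is echoed.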