Friday, April 22, 2011

Loop the Loop

Every programming language has a number of methods for creating loops, and PHP is no exception. Try this program, for example, either by uploading it the server and seeing what happens, or just by reading the code and trying to work it out:
<?php
echo "<HTML>";
echo "<body>";
echo "A web server that knows its 7 times table!<br><br>";
for ($x = 1; $x <= 10; $x++)
{
echo $x . " times 7 is " . $x * 7 . "<br>";
}
echo "</body>";
echo "</HTML>";
?>
Run the program, and you'll see the following in your web browser:





One line of PHP that you'll not have seen before is:
for ($x = 1; $x <= 10; $x++)
This is one of PHP's methods of creating a loop. In this case, it's a "for" loop. If you ever learnt to program in Basic many years ago, it's just the same as a FOR…NEXT loop in that language.

Translating the line of PHP into English, the line of code means: set variable $x to 1, and execute everything within the curly brackets that follow. If $x is less than, or equal, to 10, exit the loop and jump to the first line of code after the section in curly brackets. Otherwise, add 1 to $x and go round again.
The $x++ is a PHP shorthand way of saying "add 1 to $x". Another way, which works just as well and which is more familiar to Basic programmers, is $x = $x + 1.

By changing the starting value (1) and the finishing value (10), you can adapt this code to run as many times as you like. Try it.
As for generating our 7 times table, the line that does all the work is:
echo $x . " times 7 is " . $x * 7 . "<br>";

Here, we’ve used a single echo statement to produce the entire line of our table. Each part of the line is separated by a dot. Literal text such as times 7 is gets enclosed in quote marks, whereas we leave the quote marks out if we want PHP to echo the value of a variable such as $x, or make a calculation such as $x * 7.

Don't forget that, whenever you write a PHP program, you're creating a program that will generate a web page. This needs to be a valid web page, complete with <HTML> and <body> tags. Otherwise, the visitor's web browser may get confused.
Another type of loop that's used extensively in PHP, especially when accessing MySQL databases, is the "while" loop. Here's the 7 times table again, this time using a "while" loop:

<HTML>
<body>
My web server still knows its 7 times table
<br><br>
<?php
$i=1;
while($i <= 10)
{
echo $i;
echo " times 7 is ";
$product = $i * 7;
echo $product . "<br>";
$i = $i + 1;
}
?>
</body>
</HTML>

Just to be different, I've mixed HTML and PHP modes this time.
Notice how a "while" loop works. First, we set $i to 1. Then we create the loop, which says "do the block of code within the curly brackets, but only while $i is less than, or equal to, 10".
Because there's a line within the block which adds 1 to $i, there will come a point at which $i is not less than or equal to 10, so the program will fall through to the next line after the closing curly bracket.

Passing Information to PHP

There are various ways of passing information to a PHP program, and we’ll cover many of them in the database-related chapters that follow, and when we come to talk about HTML forms later on. But here’s a fun example for now, which illustrates a couple of important points about PHP.
Open PSPad, delete the contents of demo.php and replace it with the following:
<?php
$person = $_GET["name"];
echo "<HTML>";
echo "Hello ";
echo $person;
echo ", how are you today?";
echo "</HTML>";
?>
Surf to the demo.php page and you’ll see a message that says "Hello , how are you today".

Here, we’re passing 2 variables called firstname and surname. Note how only the first variable is preceded by a question mark. Any subsequent variables must be preceded by an ampersand.
Back to our demo.php program. Assuming you entered a name of Robert on the URL, you’ll see the following in your web browser:


To understand how this works, take another look at the PHP program code. The only line that will be unfamiliar to you is $person = $_GET["name"];

The $_GET[" "] syntax is how you retrieve variables (known as parameters in this context) that were added to the end of the URL. In this case, because we referred to the parameter as name in the URL, $_GET["name"] retrieves it for us. I’m retrieving it into a variable called $person rather than $name, but that’s entirely up to you.
Note that the URL variable in the square brackets doesn’t have a dollar sign at the start, so $_GET["$name"] wouldn’t work. And note that GET is in upper case – this is important too.

If you’ve got a few minutes spare, here’s something that you can try. Enhance the program so that, if no name is entered on the URL, the program displays an error message. To do this, you’ll need to know that the strlen() function returns the length, in characters, of a string. So having retrieved the name from the URL, code such as:
if (strlen($person) == 0)
will allow you to find out whether any name was supplied.
Alternatively, adapt the program to display not just the name that was entered, but also the number of characters in the name.

Never Forget to Sanitize
Being able to pass information to a PHP program so easily is a good one, and you’ll find that you use it a lot. Mostly, it’s used in forms. For example, your visitor fills in a web-based form with his name and address, which gets retrieved by a PHP program and displayed on screen or added to a database. But the ease with which PHP can accept information from visitors to your site hides a very serious security flaw. You can’t trust that information, because the visitor is free to enter anything he or she likes.
Here’s a very simple example. Surf to demo.php again by using the following URL:

http://www.websitename.com/demo.php?name=<b>Robert</b>

This is what you’ll see in your Web browser:









See how my name is now displayed in bold? That’s because I added the relevant HTML tags to the URL. The PHP program uses the echo statement to insert, into the dynamically generated web page, whatever was specified on the URL. In this case it’s not just some text, but some actual HTML code too. You can see it if you use the View Source option in your web browser.
But why is this bad? Because, at a trivial level, someone can mess up the look of your web page by forcing it to display lots of stray HTML tags. At the other end of the scale, consider what would happen if someone entered a "name" of <script> followed by a load of Javascript code. Would the web browser then execute that code? Yes, it would.

All of which leads to one of the most fundamental rules of security when it comes to PHP programming: filter or sanitize information whose source you can’t be sure of. Quite how you do this will depend on circumstances, and on the precise nature of the data.

In our current example, where we’re expecting the visitor to enter a name, it’s obvious that the only characters we need to allow are the letters a to z (and A to Z). Any other character can be removed. This will include the pointy brackets which would allow someone to enter HTML code, and also many other unnecessary punctuation symbols. You’ll see later, when we talk about SQL Injection attacks, that some of those other punctuation symbols are just as dangerous.

One way to filter or sanitize data is to use the PHP str_replace function. This stands for "string replace". It can quickly and easily replace any characters in a string (ie, in a variable that corresponds to some text) with another character. Or, if you prefer, it can replace them with nothing and thus delete them.
For example, having retrieved the name from the URL into the $person variable, we could then add a line which says:
$person = str_replace("<","",$person);

As you can see, str_replace requires 3 parameters. What to search for, what to replace it with, and the variable within which to do it. This line would have the effect of replacing all < symbols in $person with nothing, ie deleting them.
Although this would work, you’d need lots of str_replace lines to deal with every unwanted character that you need to filter out. But thankfully there’s a neater way, using a function called ereg_replace. Take a look at this:
$person = ereg_replace("[^A-Za-z0-9 .,';:?]", "", $person);
This is similar to str_replace, in that you specify what you want to look for, what you want to replace it with, and the string to operate on. But take a closer look at what we’re searching for. No longer are we specifying a single character, but:
[^A-Za-z0-9 .,';:?]
Although this might look like gobbledygook, it’s actually just shorthand for the entire list of characters to search for. Let’s go through it in detail. First, the whole thing goes in square brackets, because that’s the rule for ereg_replace. A-Z means every character from A to Z.

Equally, a-z means all the lower-case letters. Then, in addition to those 52 characters, we list a few others. Namely the space, full stop, comma, apostrophe, semicolon, colon, and question mark.
The most important character in this whole collection, though, is the ^ at the start. This is ereg_replace shorthand for "everything except". So what the whole command actually does, is to replace every character in $person with a blank (ie, to delete that character), EXCEPT where the character is a letter, a space, a comma, an apostrophe, and so on.
You don’t really have to understand it. Just add this line to your PHP code, after the line which retrieves $person from the URL. Now surf to demo.php again and try entering "forbidden" characters. You’ll notice that they don’t appear in the generated web page.

Sanitizing strings is fiddly but, thankfully, it only normally takes just line or two of extra code. And it is vital that you do sanitize every string that comes from a visitor to your site, because you have no idea what the visitor has typed. Get into the habit now. Every time you use $_GET to retrieve information from a URL, sanitise it before using it. Failure to do this will mean that your site WILL get hacked.


Tuesday, April 19, 2011

Sending Email with PHP

With server-side programming you can do just about anything, and that includes sending email. Try this little PHP program, by changing the contents of demo.php to the following and then surfing to the demo.php page:
<?php
$to = "robert@the-web-book.com";
$subject = "Hello";
$message = "This is my Web server, sending me email on ";
$message .= date("D");
$message .= " at ";
$message .= date("H:i");
$m = mail($to,$subject,$message);
echo "Return code from mail was " . $m;
exit();
?>
You should see a message which says "Return code from mail was 1". To understand why, and what this program does, let’s examine it in detail.
The first line of code creates a new variable called $to, which is set to the "to" address of the email we’re going to be sending. In this case, I’m sending the message to myself. If you want to try this example, please use your own email address rather than mine!
The next line sets the subject of the message in a similar way, and then we create $message, which is the text of the actual message we’ll be sending.

But what about $message .= date("D");? Are we setting $message to something else entirely? No. Take a closer look and you’ll see we’re using .= rather than = on its own. The .= symbol means that PHP should add the new text to the end of what’s in that variable already. But what text to add? In this case we’re using the date() function and specifying "D" as what’s known as the argument. The date() function returns lots of time- and daterelated information, such as the current day, date, hour, minute, second, year, and so on.
There are dozens of possible things that it can return, each symbolized by their own letter (and these are case-sensitive, by the way, so d is not the same as D).
In this case, D returns the current day of the week as a 3-letter abbreviation. So, this line is adding a 3-letter version of today’s day onto the end of the $message string which we created in the line above. Thus, if today happens to be Friday, $message will now be "This is my Web server, sending me email on Fri".

The next line adds " at " to the $message string. So now it contains "This is my Web server, sending me email on Fri at ".
Finally we add the current time to the end of the message that we’ll be emailing. We use the date() function again, with H and i. H returns the current hour in 24-hour clock format, and i returns the number of minutes. Anything that isn’t a letter, within the bracketed part of the date() function, gets returned as-is. So if the time happened to be 9pm, date("H:i") would return 21:00.
PHP is particularly good at processing and manipulating strings and dates. Whatever you need to do with a string (count the number of characters, convert it to upper or lower case, remove the last 4 characters, etc etc), PHP has a function to do it. As for dates, there are even functions which will, if you supply a date and a latitude/longitude location, tell you the time of the sunrise or sunset.

Right, back to our program. Next, we use the mail() command to send the message. It’s as simple as specifying, in the correct order, the "to" address, the "from" address, and the text of the message to be sent. But note the $m = bit at the start, though. The mail() function returns a value to indicate whether the message was successfully sent to the mail server for delivery. We capture this into the $m variable, and display it in the next line.
Finally, the exit() statement ends the PHP program. You don’t need to use this if it’s unambiguous, as it is here. The program is clearly going to end, as there’s no more PHP code left to run.


Random numbers in PHP

Do you think that I log in every day to update those figures and dates? Nope. Everything is done automatically. There’s a PHP function which returns the date that a file was last changed. So all I have to do is upload a new PDF file each time I make changes to the book.
A couple of lines of PHP code then produces the “Last updated…” section of the web page, automatically looking up and formatting the file’s date. Even the “NEW” marker is automatic. If the date of the PDF file is within 7 days of today’s date, the marker gets displayed. Otherwise, it doesn’t. So I never have to remember to remove the marker, because the web site does it for me.
As you can hopefully see, PHP isn’t just for creating databases. It’s great for managing and automating all aspects of a web site.

Random Numbers
Let’s imagine that, on a particular web page, we want to include a message on our home page which thanks visitors for looking at our site. However, to avoid bombarding people with the message, we only want to show it approximately one time in ten. So, every ten times that the web server sends out the page to a visitor, it will include the message.
One simple way to do this is with PHP’s random number generator. There’s a PHP function which returns a random integer between 1 and any number we specify. So we'll ask it to generate a number between 1 and 10, and only display the message if the number happens to be, say, 7. This will result in the message only being shown approximately 10% of the time.
That is to say, if 100 people visit the home page during one specific time period, roughly 10 of them will see the message.
Open PSPad and navigate to your demo.php file. Open it, delete everything that’s in it, and replace it with the following:
<HTML>
<body>
Welcome to our site.<br><br>
<?php
$r = rand(1,10);
if ($r == 7)
{
echo "Thank you for visiting<br>";
}
?>
</body>
</HTML>

Save the file (choose Save from the File menu), then open your web browser and surf to your demo.php file again. Keep pressing the Refresh button in your browser to reload the page. Most of the time you’ll see:



But if you keep refreshing the page (pressing F5 is usually the same as clicking the Refresh button, if you prefer), sometimes you’ll see this instead:



This is why PHP is so useful for generating dynamic HTML pages. It can generate different pages each time (or just some of the time). Take a look at the source code of those 2 HTML pages (use the View Source option in your browser). Note how there’s no PHP code in there, just the HTML that our code dynamically generated. The browser knows nothing about where the HTML code came from. It merely sent a "please send me the contents of demo.php" request to the server, and the server ran your program and sent some HTML back. The fact that the HTML was generated by a program, rather than being retrieved from a ready-made .html file on the server, is unknown to the browser.
Again, we’ve introduced a couple of new PHP concepts so let’s take another look at the code we just typed and uploaded. Here it is again, with line numbers to aid explanation:
 <HTML>
 <body>Welcome to our site.<br><br>
<?php
 $r = rand(1,10);
 if ($r == 7)
 {
 echo "Thank you for visiting<br>";
 }
 ?>
 </body>
 </HTML>

This time, I’ve chosen to mix HTML and PHP mode, and only to use PHP mode when necessary. So, to create our dynamically-generated HTML page, we start by outputting the necessary HTML and BODY tags. Remember that a PHP file always starts off in HTML mode, ie it’s just a standard HTML file as far as the web server is concerned. Just because it has a .php extension doesn’t change this. The only reason for the php extension is to tell the server that, if there is any PHP code in the file, it’s safe to run it. Some servers will also run PHP code that’s contained within a .HTM file, but many won’t.

And even if yours does, it’s a good habit to be able to identify, from its extension, whether a file is plain HTML or PHP. Line 3 generates the first line of text on the page, and I’ve added a couple of line break tags
too, for clarity. Once again, for clarity, I haven't created a css style sheet, or a doctype, or used <p> tags. The program will still work just fine, as browsers are generally pretty forgiving. When you're doing this for real, you'll need to do it properly.
Lines 11 and 12 close the HTML page neatly, by creating the closing body and HTML tags.

Line 4 flips the server into PHP mode. Line 5 creates a variable (we’ve called it $r) which uses the rand function. In this particular instance, the $r variable will be set to a value between 1 and 10. Note that every variable name in PHP has to be preceded with a dollar sign. Variables don’t have to be given single-letter names. I could just as easily have called it $my_random_value, but shorter is always best as there’s less chance of making a typing mistake when you refer to the same variable later on.

Line 6 checks to see whether $r is equal to 7. If it is, everything between the 2 curly brackets gets executed. If it’s not, everything between the curly brackets gets ignored.

Note two important points about the code in line 6. First, the if command is almost unique in PHP, in that it doesn’t (indeed, mustn’t) end with a semicolon. Second, when you’re comparing something, you use 2 "equals" signs rather than just one. So, $x = 99 will set the variable $x to 99. But to check whether $x is equal to 99 we say if ($x == 99). Note, too, how the value to check for has to go inside rounded brackets.
Incidentally, if you leave PHP mode and then re-enter it within the same file, no information is lost. So, for example, the following:
<html>
<?php
$name = "Fred";
?>
Your name is
<?php echo $name; ?>
</html>

Will display the message Your name is Fred.

 
Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | Grants For Single Moms