SitePoint Sponsor

User Tag List

Results 1 to 5 of 5

Thread: Php Faq

Threaded View

  1. #1
    SitePoint Wizard chris_fuel's Avatar
    Join Date
    May 2006
    Location
    Ventura, CA
    Posts
    2,750
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Php Faq

    Some material I'm working on for some common questions asked:

    1) What are here docs?

    Here docs are a to create long strings where you can insert function results,class methods, and variables. This avoids long concat procedures and prevents awkward quoting issues. Here is what heredocs help avoid:

    PHP Code:
    $string "
    <a href=\"test.html\" class=\"test\">
    <img src=\"
    $image\" alt=\"$alternate\"/>
    </a>"

    instead, you can use a heredoc like so:

    PHP Code:
    $string = <<<HTML
    <a href="test.html" class="test">
    <img src="
    $image" alt="$alternate"/>
    </a>
    HTML; 
    To insert arrays, class members, and function results, you must enclose them in braces:

    PHP Code:
    $string = <<<HTML
    <a href="{getDocument()}" class="{class_list['test']}>
    <img src="
    {$this->image}" alt="$alternate"/>
    </a>
    HTML; 
    Please note that HTML can be anything you want (BLAH ETC). Also note that the finishing line (HTML MUST be on a line by itself with NO identation or spacing. Failure to do so will cause nasty syntax errors.

    2) I can't access session variables!

    Verify that you've done:

    PHP Code:
    session_start() 
    at the top of your page.

    3) What are magic quotes?

    Magic quotes were a system created to escape certain characters for datyasanitation. However, they backfired in the end because a user could enable/disable them in their php.ini file. This made it extremely difficult for programmers, as they had to tailor to both situations. Often code is seen that does strip_slashes to undo the action to be used in real sanitation functions such as mysql_real_escape_string(). In the future magic quotes support will be removed, so use the appropriate character escaping functionality for your particular db.

    4) What is SQL injection, and what can I do about it?

    SQL injection is the process by where a user inserts malicious SQL, even so far as to delete a db. For example:

    Code:
    SELECT * FROM users WHERE id='$id'
    a user sets a malicious id entry:

    Code:
    SELECT * FROM users WHERE id='(user value: 0'; DELETE FROM users WHERE '0'=='0)';
    there goes your users table. This can be prevented by using escape functions:

    PHP Code:
    $var mysql_real_escape_string($var);
    $sql "SELECT * FROM foo where bar='$var'"
    or you can use the bind_param functionality of mysqli as well. If you're not using mysql, consult your db functions list for the appropriate function.

    5) What is register_globals and why is it bad?

    register_globals was a function to allow things such as:

    url: http://www.mysite.com/script.php?id=11
    Code:
    echo $id;
    which would produce 11. This is obviously shorter than:

    Code:
    echo $_GET['id']
    however, the problem is that if you have another variable not dependant upon being in the query string, the user could set an arbitrary value which could overwrite other variables and allow you access. $_GET[] is recommended instead. See:

    http://www.php.net/register_globals

    for more information.

    6) Why doesn't include('/includes/script.php') work?

    include requires the actual pathname on your server. A generic way to do that is:

    PHP Code:
    include ($_SERVER['DOCUMENT_ROOT'] . '/includes/script.php'); 
    However, as the PHP manual notes:

    If "URL fopen wrappers" are enabled in PHP (which they are in the default configuration), you can specify the file to be included using a URL (via HTTP or other supported wrapper - see Appendix M for a list of protocols) instead of a local pathname. If the target server interprets the target file as PHP code, variables may be passed to the included file using a URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope; the script is actually being run on the remote server and the result is then being included into the local script.
    7) Why isn't $variable replaced in echo 'The variable is: $variable';?

    single quotes will not expand variables, this also includes \n, \t,etc. To exand variables within a string, use double quotes:

    PHP Code:
    echo "The variable is: $variable
    8) I see lots of @'s in code, what does that do?

    @ is used to supress warnings. Usually PHP will dump information to your webserver on files not working , etc. Sometimes this contains the path to your document root on the webserver. Using @ will prevent that information from being displayed, and replacing it with something less leakish.

    9) Can I do regex and other string operations on multibyte characters?

    Yes, these require the multibyte string operations. See this PHP page for more information:

    http://www.php.net/mbstring

    10) I have some inline code to display dynamic php code, but it's not showing!

    Often what's happened is that:

    PHP Code:
    <a href=<?php $test '.html'?>>
    remember you need to echo out for that to appear. There is also a shorthand:

    PHP Code:
    <a href=<?php$test '.html'?>>
    which echos the information.

    11) Can I include php files remotely?

    That depends on if allow_url_fopen is set to true in php.ini. This can not be set like other variables in a .htaccess file. If it is set to true, then the following will work:

    PHP Code:
    include('http://www.othersite.com/include.php'); 
    That's it for now, let me know if there's anything else that could be added.

    12) How do I know what extensions/features are avaliable to my php install?

    create a blank php file with the following code:

    PHP Code:
    <?php
    phpinfo
    ();
    ?>
    13) If a function returns an array with multiple values, can I just get one item?

    Yes, you can use the list function to get the specific element like so:

    PHP Code:
    function Test()
    {
      return array(
    'a','b','c');
    }

    list(
    $a,$b,$c) = Test();

    // You can also get a single element:
    list(null,$b2,null) = Test(); 
    and view it in your browser
    Last edited by chris_fuel; Jun 23, 2006 at 14:57. Reason: added note on using phpinfo() to get basic information


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •