OmegaExtern Posted July 20, 2014

Hi. I'd like to ask a few questions about PHP, as I think they are related to it. I've come across some webpages, and what I've spotted is that a webpage displays content but each "page" has a different argument and there is no filename. For example: "http://www.website.com/?home" is a home-like webpage, and changing "/?home" to "/?anotherpage" lands me on some other webpage on their website, and so on. My question is how is it done? Is it done from PHP? Another question I wanted to ask is.. I went on an InvisionPower.Board forum (such as this PHP Freaks one). How to force "folders" to be displayed as "files"? For example: "http://forums.phpfreaks.com/topic/217301-php-freaks-on-facebook/" which links to a thread. Thanks in advance
Ch0cu3r Posted July 20, 2014

> "http://www.website.com/?home" is a home-like webpage, and changing "/?home" to "/?anotherpage" lands me on some other webpage on their website, and so on. My question is how is it done? Is it done from PHP?

Most likely. Yes. When you see URLs like this you know the page is being dynamically generated. Here is a simple demo app, index.php:

```php
<?php
// Pick the page from the query string, defaulting to the homepage.
$page = isset($_GET['page']) ? $_GET['page'] : 'home';

// The switch acts as a whitelist: only the named cases are ever served.
switch ($page) {
    case 'home':
        // serve the homepage
        echo '<h1>Home Page</h1>';
        break;
    case 'portfolio':
        // serve the portfolio page
        echo '<h1>Portfolio Page</h1>';
        break;
    case 'contact':
        // serve the contact page
        echo '<h1>Contact Page</h1>';
        break;
    default:
        header('HTTP/1.0 404 Not Found');
        // $page comes from the request, so escape it before echoing it back
        echo '404 ' . htmlspecialchars($page, ENT_QUOTES, 'UTF-8') . ' Not Found';
}
?>
<hr />
<ul>
    <li><a href="/?page=home">Home</a></li>
    <li><a href="/?page=portfolio">Portfolio</a></li>
    <li><a href="/?page=contact">Contact Me</a></li>
</ul>
```

> Another question I wanted to ask is.. I went on an InvisionPower.Board forum (such as this PHP Freaks one). How to force "folders" to be displayed as "files"? For example: "http://forums.phpfre...ks-on-facebook/" which links to a thread.

Nope, they are not mapping folders to files. This is something called mod_rewrite. What this means is that this URL, phpfreaks.com/topic/290016-my-php-questions/, is most likely being mapped to a URL like phpfreaks.com/topic.php?topicid=290016

To demonstrate this with the demo app above, create a .htaccess file in the same folder as the demo app's index.php and add the following code to it:

```apache
RewriteEngine On
# Only rewrite requests that do not match a real directory or file
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
# /portfolio  ->  index.php?page=portfolio
RewriteRule ^([a-z0-9]+)/?$ index.php?page=$1 [NC,L]
```

Now change the links in index.php:

```html
<ul>
    <li><a href="/home">Home</a></li>
    <li><a href="/portfolio">Portfolio</a></li>
    <li><a href="/contact">Contact Me</a></li>
</ul>
```
bsmither Posted July 20, 2014

PHP could parse the URL, but that would require the web server to be configured to run the PHP script on almost anything. The most likely scenario is that the .htaccess file (Apache, or the equivalent file for other web servers) has some rewrite rules that basically say: start with the ?, then take whatever follows (like 'home') and reformat that to be index.php?page=home. The PHP script index.php runs and the variable $_GET['page'] holds the page to render.
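Editor's added example, not code from the thread or from PHP Freaks: a small front controller that ties the two answers above together. It accepts both the query-string form (/?page=portfolio) and the rewritten path form (/portfolio, when the .htaccess above is in place), looks the name up in a fixed route table (the same whitelist idea as the switch in Ch0cu3r's demo, so the request never picks a file or function name on its own), and escapes the unknown name in the 404 body. The route names, handler functions and the 64-character limit are assumptions made for the example.

```php
<?php
// Added example (not from the thread): a front controller for ?page=name
// and rewritten /name URLs, with a whitelist route table.
declare(strict_types=1);

// Route name -> handler function. Names and handlers are assumptions.
const ROUTES = [
    'home'      => 'render_home',
    'portfolio' => 'render_portfolio',
    'contact'   => 'render_contact',
];

function render_home(): string      { return '<h1>Home Page</h1>'; }
function render_portfolio(): string { return '<h1>Portfolio Page</h1>'; }
function render_contact(): string   { return '<h1>Contact Page</h1>'; }

// Escape anything from the request before it is written into HTML.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Work out which page was asked for: ?page=name if present, otherwise the
// request path (/name). Only lowercase letters, digits and dashes are
// accepted, so the name can never carry "../", a NUL byte or markup.
function resolve_page(array $get, string $requestUri): string
{
    if (isset($get['page']) && is_string($get['page'])) {
        $name = $get['page'];
    } else {
        $path = parse_url($requestUri, PHP_URL_PATH);
        $name = is_string($path) ? trim($path, '/') : '';
    }
    if ($name === '') {
        return 'home';
    }
    return preg_match('/\A[a-z0-9-]{1,64}\z/', $name) === 1 ? $name : '';
}

// Returns [HTTP status, body]. Unknown names fall through to a 404 whose
// body escapes the requested name, so it cannot be used for reflected XSS.
function dispatch(string $name): array
{
    if ($name !== '' && isset(ROUTES[$name])) {
        $handler = ROUTES[$name];
        return [200, $handler()];
    }
    return [404, '<h1>404 ' . e($name) . ' Not Found</h1>'];
}

// Only handle a request when run under a web server, not from the CLI.
if (PHP_SAPI !== 'cli') {
    list($status, $body) = dispatch(resolve_page($_GET, $_SERVER['REQUEST_URI'] ?? '/'));
    http_response_code($status);
    header('Content-Type: text/html; charset=utf-8');
    echo $body, '<hr /><ul>';
    foreach (array_keys(ROUTES) as $route) {
        // Links use the rewritten form; they also work as /?page=name.
        echo '<li><a href="/', e($route), '">', e($route), '</a></li>';
    }
    echo '</ul>';
}
```

Because the request only ever selects a key in ROUTES, a request for /../config or /?page=../../etc/passwd is rejected by the pattern check and then answered with a 404; the requested name is never used to build a filename or an include path.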
OmegaExtern Posted July 20, 2014

Thanks to both of you for your quick replies! I'm looking into them now.
OmegaExtern Posted July 27, 2014

Does anybody know if I have to call htmlentities() on each row from the table before displaying it to the user? Like:

```php
echo htmlentities($data_from_table) . "<br>" . htmlentities($another_data) . "<br>" . htmlentities($moore_data);
```

Or can I put it all together like:

```php
echo htmlentities($data_from_table . "<br>" . $another_data . "<br>" . $moore_data);
```

?
Barand Posted July 27, 2014

Try it and see.
Jacques1 Posted July 27, 2014

You do not call htmlentities() at all. What this function does is convert all characters for which there's a named HTML entity. This is absolutely useless. It is particularly useless for HTML-escaping, because only the five characters <, >, ", ' and & have a special meaning in HTML. Converting harmless characters like umlauts is entirely unnecessary and only wastes energy.

What you want is htmlspecialchars(). However, you still can't call this function like you did above, where you only specified the input string. How is PHP supposed to know the encoding of the string? In other words, how is it supposed to recognize the characters from the raw bytes? If you don't tell it, then it will use a default encoding which differs across PHP versions and may or may not be correct. You always have to specify the character encoding.

There's also a pitfall: By default, htmlspecialchars() does not convert single quotes, so you're likely to run into problems or even security vulnerabilities. Always specify the ENT_COMPAT flag to make sure both single and double quotes are converted. As an example:

```php
<?php
// the character encoding of the document is UTF-8
header('Content-Type: text/html;charset=utf-8');

$input = 'Those should all be converted: <>"\'&';
echo htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
```

Note the ENT_QUOTES flag and the explicit declaration of the encoding. The ENT_SUBSTITUTE flag can only be used in conjunction with Unicode strings and replaces invalid characters with an error symbol. Without this, any invalid character will make the entire return value empty, which is usually not what you want.

Since it's very cumbersome to repeat this piece of code all the time, it's a good idea to make a custom html_escape() function:

```php
// HTML-escape $input for a document in the given encoding, converting both
// kinds of quotes and substituting a replacement character for invalid bytes.
function html_escape($input, $encoding)
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}
```

Now you simply call this function whenever you need to HTML-escape a string.
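Editor's added example, not code from the thread: it answers OmegaExtern's "each value or the whole string?" question and shows the three points in Jacques1's reply in running code. One caveat on the prose above: ENT_COMPAT is the flag that leaves single quotes alone (and was the default before PHP 8.1); the flag that converts both kinds of quotes is ENT_QUOTES, which is what Jacques1's own code uses. Since PHP 8.1 the defaults are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, but passing the flags and the encoding explicitly is still correct on every version. The sample rows and the attribute snippet are constructed for the example.

```php
<?php
// Added example (not from the thread): escaping each value separately,
// the effect of ENT_QUOTES and ENT_SUBSTITUTE, and what goes wrong without them.
declare(strict_types=1);

function html_escape(string $input, string $encoding = 'UTF-8'): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}

// Render rows from a table: each value is escaped on its own, then joined
// with markup that the code (not the data) supplies.
function render_rows(array $rows): string
{
    return implode('<br>', array_map('html_escape', $rows));
}

function demo(): array
{
    // Constructed sample rows, standing in for values read from a database.
    $rows = [
        'Alice',
        '<script>alert(1)</script>',   // stored XSS attempt
        "O'Brien",                     // single quote
        "bad \xC3\x28 bytes",          // invalid UTF-8 sequence
    ];
    $out = [];

    // 1. Escape each value, then join: the <br> tags survive, the data does not.
    $out['each'] = render_rows($rows);
    // 2. Escaping the already joined string also escapes your own <br> tags,
    //    so the layout breaks (it is at least not exploitable).
    $out['whole'] = html_escape(implode('<br>', $rows));

    // 3. ENT_COMPAT leaves ' untouched, which is enough to break out of a
    //    single-quoted attribute; ENT_QUOTES converts it to &#039;.
    $name = "x' onmouseover='alert(1)";
    $out['attr_compat'] = "<a title='" . htmlspecialchars($name, ENT_COMPAT, 'UTF-8') . "'>link</a>";
    $out['attr_quotes'] = "<a title='" . html_escape($name) . "'>link</a>";

    // 4. Without ENT_SUBSTITUTE an invalid byte sequence makes the whole
    //    result '' and the row silently vanishes; with it, U+FFFD is inserted.
    $out['invalid_dropped'] = htmlspecialchars($rows[3], ENT_QUOTES, 'UTF-8');
    $out['invalid_kept']    = html_escape($rows[3]);

    return $out;
}

foreach (demo() as $label => $html) {
    echo $label, ': ', $html, "\n";
}
```

Run from the command line, 'attr_compat' prints `<a title='x' onmouseover='alert(1)'>link</a>` (the attacker's attribute is live), 'attr_quotes' prints the same name as `x&#039; onmouseover=&#039;alert(1)`, 'invalid_dropped' is empty, and 'whole' shows `&lt;br&gt;` where the line breaks should be. Escape each value as it goes into the page, and keep the markup in your own code.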
OmegaExtern Posted July 29, 2014

@Barand: Guru sir, your post is not helpful.

@Jacques1: Thanks for your answer. I'm trying to avoid cross-site scripting attacks.

Regards, Omega
mogosselin Posted July 29, 2014

The best way to display data to the user and prevent XSS is using a template engine that works this way by default. All the ways that need something to be done to be secure must be considered insecure (like using htmlspecialchars). If you forget just one place, you are vulnerable to XSS. My bookmark for these questions is this one: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet#XSS_Cheat_Sheet