Jump to content

Recommended Posts

Hi. I'll like to ask few questions about PHP, as I think they are related to it.

 

I've came across some webpages, what I've spotted is that a webpage displays content but each "page" has different argument and there is no filename.

For example:

"http://www.website.com/?home" is home-like webpage, by changing "/?home" to "/?anotherpage" land me on some other webpage on their website and so on. My question is how is it done? Is it done from PHP?

Another question I wanted to ask is.. I went on InvisionPower.Board forum (such as this PHP Freaks  :P). How to force "folders" to be displayed as "files"?

For example:

"http://forums.phpfreaks.com/topic/217301-php-freaks-on-facebook/" which links to a thread.

 

Thanks in advance  :)

Link to comment
https://forums.phpfreaks.com/topic/290016-my-php-questions/
Share on other sites

 

 

"http://www.website.com/?home" is home-like webpage, by changing "/?home" to "/?anotherpage" land me on some other webpage on their website and so on. My question is how is it done? Is it done from PHP?

Most likely. Yes. When you see urls like this you know the page is being dynamically generated. Here is a simple demo app

 

index.php

<?php

$page = isset($_GET['page']) ? $_GET['page'] : 'home';

switch($page)
{
    case 'home':
       // serve the homepage
       echo '<h1>Home Page</h1>';
    break;

    case 'portfolio':
       // serve the portfolio page
       echo '<h1>Portfolio Page</h1>';
    break;

    case 'contact':
       // serve the contact page
       echo '<h1>Contact Page</h1>';
    break;

   default: 
      header('HTTP/1.0 404 Not Found');
      echo "404 $page Not Found";
}

?>
<hr />
<ul>
    <li><a href="site.com/?page=home">Home</a></li>
    <li><a href="site.com/?page=portfolio">Portfolio</a></li>
    <li><a href="site.com/?page=contact">Contact Me</a></li>
</ul>

 

Another question I wanted to ask is.. I went on InvisionPower.Board forum (such as this PHP Freaks   :P). How to force "folders" to be displayed as "files"?

For example:

"http://forums.phpfre...ks-on-facebook/" which links to a thread.

Nope they are not mapping folders to files. This is something called mod_rewrite, what this means is that this url phpfreaks.com/topic/290016-my-php-questions/ is most likely being mapped to a url like phpfreaks.com/topic.php?topicid=290016

 

To demonstrate this with the demo app above. Create a .htaccess file in the same folder as the demo App index.php and add the following code to it


RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ([a-z0-9]+) index.php?page=$1 [NC,L]

Now change the links in index.hpp

<ul>
    <li><a href="site.com/home">Home</a></li>
    <li><a href="site.com/portfolio">Portfolio</a></li>
    <li><a href="site.com/contact">Contact Me</a></li>
</ul>
Link to comment
https://forums.phpfreaks.com/topic/290016-my-php-questions/#findComment-1485747
Share on other sites

PHP could parse the URL, but that would require the web server to be configured to run the PHP script on most anything.

 

The most likely scenario is that the .htaccess file (Apache, or equivalent file for other web servers) has some rewrite rules that basically say:

start with the ?, then use whatever follows (like, 'home') and reformat that to be index.php?page=home

The PHP script index.php runs and the variable $_GET['page'] holds the page to render.

Link to comment
https://forums.phpfreaks.com/topic/290016-my-php-questions/#findComment-1485748
Share on other sites

Does anybody know if I have to call htmlentities() on each row from table before displaying it to the user? Like: echo htmlentities($data_from_table) . "<br>" . htmlentities($another_data) . "<br>" . htmlentities($moore_data)

Or I can put it all together like: echo htmlentities($data_from_table . "<br>" . $another_data . "<br>" . $moore_data) ?

Link to comment
https://forums.phpfreaks.com/topic/290016-my-php-questions/#findComment-1486224
Share on other sites

You do not call htmlentities() at all.

 

What this function does is convert all characters for which there's a named HTML entity. This is absolutely useless. It is particularly useless for HTML-escaping, because only the five characters <, >, ", ' and & have a special meaning in HTML. Converting harmless characters like umlauts is entirely unnecesary and only wastes energy.

 

What you want is htmlspecialchars(). However, you still can't call this function like you did above where you only specified the input string. How is PHP supposed to know the encoding of the string? In other words, how is it supposed to recognize the characters from the raw bytes? If you don't tell it, then it will use a default encoding which differs accross PHP versions may or may not be correct.

 

You always have to specify the character encoding. There's also a pitfall: By default, htmlspecialchars() does not convert single quotes, so you're likely to run into problems of even security vulnerabilities. Always specify the ENT_COMPAT flag to make sure both single and double quotes are converted.

 

As an example:

<?php

// the character encoding of the document is UTF-8
header('Content-Type: text/html;charset=utf-8');

$input = 'Those should all be converted: <>"\'&';

echo htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

Note the ENT_QUOTES flag and the explicit declaration of the encoding. The ENT_SUBSTITUTE flag can only be used in conjunction with Unicode strings and replaces invalid characters with an error symbol. Without this, any invalid character will make the entire return value empty, which is usually not what you want.

 

Since it's very cumbersome to repeat this piece of code all the time, it's a good idea to make a custom html_escape() function:

function html_escape($input, $encoding)
{
	return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}

Now you simply call this function whenever you need to HTML-escape a string.

Link to comment
https://forums.phpfreaks.com/topic/290016-my-php-questions/#findComment-1486275
Share on other sites

The best way to display data to user and prevent XSS is using a template engine that works this way by default. All the ways that needs something to be done to be secure must be considered insecure (like using htmlspecialchars). If you forget just one place, you are vulnerable to XSS.

 

My bookmark for these questions is this one: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet#XSS_Cheat_Sheet  :)

Link to comment
https://forums.phpfreaks.com/topic/290016-my-php-questions/#findComment-1486416
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.