OmegaExtern Posted July 20, 2014 Share Posted July 20, 2014 Hi. I'll like to ask few questions about PHP, as I think they are related to it. I've came across some webpages, what I've spotted is that a webpage displays content but each "page" has different argument and there is no filename. For example: "http://www.website.com/?home" is home-like webpage, by changing "/?home" to "/?anotherpage" land me on some other webpage on their website and so on. My question is how is it done? Is it done from PHP? Another question I wanted to ask is.. I went on InvisionPower.Board forum (such as this PHP Freaks ). How to force "folders" to be displayed as "files"? For example: "http://forums.phpfreaks.com/topic/217301-php-freaks-on-facebook/" which links to a thread. Thanks in advance Quote Link to comment https://forums.phpfreaks.com/topic/290016-my-php-questions/ Share on other sites More sharing options...
Ch0cu3r Posted July 20, 2014 Share Posted July 20, 2014 "http://www.website.com/?home" is home-like webpage, by changing "/?home" to "/?anotherpage" land me on some other webpage on their website and so on. My question is how is it done? Is it done from PHP? Most likely. Yes. When you see urls like this you know the page is being dynamically generated. Here is a simple demo app index.php <?php $page = isset($_GET['page']) ? $_GET['page'] : 'home'; switch($page) { case 'home': // serve the homepage echo '<h1>Home Page</h1>'; break; case 'portfolio': // serve the portfolio page echo '<h1>Portfolio Page</h1>'; break; case 'contact': // serve the contact page echo '<h1>Contact Page</h1>'; break; default: header('HTTP/1.0 404 Not Found'); echo "404 $page Not Found"; } ?> <hr /> <ul> <li><a href="site.com/?page=home">Home</a></li> <li><a href="site.com/?page=portfolio">Portfolio</a></li> <li><a href="site.com/?page=contact">Contact Me</a></li> </ul> Another question I wanted to ask is.. I went on InvisionPower.Board forum (such as this PHP Freaks ). How to force "folders" to be displayed as "files"? For example: "http://forums.phpfre...ks-on-facebook/" which links to a thread. Nope they are not mapping folders to files. This is something called mod_rewrite, what this means is that this url phpfreaks.com/topic/290016-my-php-questions/ is most likely being mapped to a url like phpfreaks.com/topic.php?topicid=290016 To demonstrate this with the demo app above. Create a .htaccess file in the same folder as the demo App index.php and add the following code to it RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ([a-z0-9]+) index.php?page=$1 [NC,L] Now change the links in index.hpp <ul> <li><a href="site.com/home">Home</a></li> <li><a href="site.com/portfolio">Portfolio</a></li> <li><a href="site.com/contact">Contact Me</a></li> </ul> Quote Link to comment https://forums.phpfreaks.com/topic/290016-my-php-questions/#findComment-1485747 Share on other sites More sharing options...
bsmither Posted July 20, 2014 Share Posted July 20, 2014 PHP could parse the URL, but that would require the web server to be configured to run the PHP script on most anything. The most likely scenario is that the .htaccess file (Apache, or equivalent file for other web servers) has some rewrite rules that basically say: start with the ?, then use whatever follows (like, 'home') and reformat that to be index.php?page=home The PHP script index.php runs and the variable $_GET['page'] holds the page to render. Quote Link to comment https://forums.phpfreaks.com/topic/290016-my-php-questions/#findComment-1485748 Share on other sites More sharing options...
OmegaExtern Posted July 20, 2014 Author Share Posted July 20, 2014 Thanks to both of you for your quick replies! I'm looking into them now. Quote Link to comment https://forums.phpfreaks.com/topic/290016-my-php-questions/#findComment-1485749 Share on other sites More sharing options...
OmegaExtern Posted July 27, 2014 Author Share Posted July 27, 2014 Does anybody know if I have to call htmlentities() on each row from table before displaying it to the user? Like: echo htmlentities($data_from_table) . "<br>" . htmlentities($another_data) . "<br>" . htmlentities($moore_data) Or I can put it all together like: echo htmlentities($data_from_table . "<br>" . $another_data . "<br>" . $moore_data) ? Quote Link to comment https://forums.phpfreaks.com/topic/290016-my-php-questions/#findComment-1486224 Share on other sites More sharing options...
Barand Posted July 27, 2014 Share Posted July 27, 2014 Try it and see. Quote Link to comment https://forums.phpfreaks.com/topic/290016-my-php-questions/#findComment-1486274 Share on other sites More sharing options...
Jacques1 Posted July 27, 2014 Share Posted July 27, 2014 You do not call htmlentities() at all. What this function does is convert all characters for which there's a named HTML entity. This is absolutely useless. It is particularly useless for HTML-escaping, because only the five characters <, >, ", ' and & have a special meaning in HTML. Converting harmless characters like umlauts is entirely unnecesary and only wastes energy. What you want is htmlspecialchars(). However, you still can't call this function like you did above where you only specified the input string. How is PHP supposed to know the encoding of the string? In other words, how is it supposed to recognize the characters from the raw bytes? If you don't tell it, then it will use a default encoding which differs accross PHP versions may or may not be correct. You always have to specify the character encoding. There's also a pitfall: By default, htmlspecialchars() does not convert single quotes, so you're likely to run into problems of even security vulnerabilities. Always specify the ENT_COMPAT flag to make sure both single and double quotes are converted. As an example: <?php // the character encoding of the document is UTF-8 header('Content-Type: text/html;charset=utf-8'); $input = 'Those should all be converted: <>"\'&'; echo htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); Note the ENT_QUOTES flag and the explicit declaration of the encoding. The ENT_SUBSTITUTE flag can only be used in conjunction with Unicode strings and replaces invalid characters with an error symbol. Without this, any invalid character will make the entire return value empty, which is usually not what you want. Since it's very cumbersome to repeat this piece of code all the time, it's a good idea to make a custom html_escape() function: function html_escape($input, $encoding) { return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, $encoding); } Now you simply call this function whenever you need to HTML-escape a string. Quote Link to comment https://forums.phpfreaks.com/topic/290016-my-php-questions/#findComment-1486275 Share on other sites More sharing options...
OmegaExtern Posted July 29, 2014 Author Share Posted July 29, 2014 @Barand: Guru sir, your post is not helpful. @Jacques1: Thanks for your answer. I'm trying to avoid cross-site scripting attack. Regards, Omega Quote Link to comment https://forums.phpfreaks.com/topic/290016-my-php-questions/#findComment-1486400 Share on other sites More sharing options...
mogosselin Posted July 29, 2014 Share Posted July 29, 2014 The best way to display data to user and prevent XSS is using a template engine that works this way by default. All the ways that needs something to be done to be secure must be considered insecure (like using htmlspecialchars). If you forget just one place, you are vulnerable to XSS. My bookmark for these questions is this one: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet#XSS_Cheat_Sheet Quote Link to comment https://forums.phpfreaks.com/topic/290016-my-php-questions/#findComment-1486416 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.