  1. #1

    Some useful tips for PHP'ers

    1- Redirect whenever / wherever you want:
    You cannot do this:
    PHP Code:
    <!doctype ..........>
    <html>
    <head>
    </head>
    <body>
    < put here some header banner >
    <?php
    echo "something";
    // check some POST variable and, if it is not set, go to some page:
    header("Location: http://www.mysite.com/error.php");
    ?>
    This will give a warning: "Cannot modify header information - headers already sent",
    because you must call header() before any output in your code.

    A simple workaround for this (for PHP 4+) is:
    PHP Code:
    <?php
    ob_start();   // from here on, all output is held in a buffer instead of being sent
    ?>
    <!doctype ..........>
    <html>
    <head>
    </head>
    <body>
    < put here some header banner >
    <?php
    echo "something";
    // nothing has reached the client yet, so the header can still be set;
    // note that the buffered HTML is still sent after the redirect unless you
    // ob_end_clean() and exit instead
    header("Location: http://www.mysite.com/error.php");
    ?>
    </body>
    </html>
    <?php
    ob_end_flush();   // send the headers, then release the buffered page
    ?>
    Using output buffering will hold all output until you release it (flush), so you are safe to use header() anywhere in your code.

    2- Keep your database passwords safe
    For this, you have to make some changes in your Apache config file, httpd.conf; if you cannot access it, have your host do this for you.
    BUT BE WARNED: make backups of everything, just in case you screw up.
    First, create a file with your usernames and passwords for databases, registrar APIs, control panel APIs, 3PP APIs etc. in it.
    Say a "secure.inc" file that looks like this:
    Code:
    SetEnv DBASE_USER "username"
    SetEnv DBASE_PW "password"
    SetEnv ENOM_UID "enomuser"
    SetEnv ENOM_PW "enompw"
    And include this file in httpd.conf, *INSIDE YOUR OWN VIRTUAL HOST BLOCK*, or all users on the server can see it.
    Code:
    Include "/path/secure.inc"
    Now restart your Apache, and when you want to use those usernames and passwords you can access them as:
    PHP Code:
    <?php
    // Apache's SetEnv values show up in $_SERVER
    // (the mysql_* functions were removed in PHP 7; use mysqli_connect() or PDO on current PHP)
    $conn_db = mysql_connect("localhost", $_SERVER["DBASE_USER"], $_SERVER["DBASE_PW"]);
    ?>
    So even if someone gets hold of your PHP code in some way, your passwords will not be exposed. But keep in mind that outputting phpinfo() publicly will reveal your passwords.

    3- heredoc usage
    Consider this HTML code (I know it has errors; I randomly deleted some parts. This is just an example):
    HTML Code:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <HTML>
    <HEAD>
    
    <TITLE>Untitled Document</TITLE>
    
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
    </HEAD>
    <BODY CLASS="sub">
    <BR>
    <TABLE WIDTH="90%" BORDER="0" CELLSPACING="2" CELLPADDING="4" STYLE="text-align: center">
      H="90%" NOSHADE SIZE="1">
    <BR>
    
    <TABLE WIDTH="90%" BORDER="0" CELLSPACING="0" CELLPADDING="4" STYLE="text-align: center">
    	<TR>
    		<TD WIDTH="15%" STYLE="white-space: nowrap">
    	 
    <TABLE WIDTH="100%" BORDER="0" CELLSPACING="0" CELLPADDING="2" CLASS="FooterColor">
      <TR>
        <TD>       2001 Lorem Ipsum Dolor <A HREF="#">Sic Amet</A>  <A HREF="#">Consectetur</A>    </TD>
        <TD STYLE="text-align: right">       <A HREF="#">Lorum</A>  <A HREF="#">Ipsum</A>  <A HREF="#">Dolor</A>  <A HREF="#">Sic Amet</A>  <A HREF="#">Consectetur</A>    </TD>
      </TR>
    </TABLE>
    </BODY>
    </HTML>
    Think that you want to put this code into a variable like $html_code.
    You will have to take care of all the quotes and other characters you have to escape, and inserting some dynamic content inside it will be a nightmare.
    Not exactly. We have heredoc.
    Check out this code:
    PHP Code:
    $html_code = <<<CONTENT
                 PUT ANYTHING HERE
       I mean <anything>
         <img src="img.gif">
                     <FORM ACTION = 'mypage.php'>
           <DIV>
       </DIV>

    CONTENT;
    heredoc will take care of everything for you. It starts with "<<<" followed by a heredoc block identifier (CONTENT in this example), and ends with the same block identifier and a semicolon.
    The heredoc closing identifier must be at the leftmost position of the line: no space(s) or tab(s) before it. The identifier must contain only alphanumeric characters and underscores, and must begin with a non-numeric character.
    You want to use some dynamic content inside the block? No problem, use your PHP variables inside curly brackets:
    PHP Code:
    $html_code = <<<CONTENT
                 PUT ANYTHING HERE
       I mean <anything>
          http://www.{$domain}.{$tld}
         <img src="{$img_name}.gif">
                     <FORM ACTION = 'mypage.php'>
           <DIV>
    {$staff->name["barney"]}
       </DIV>

    CONTENT;
    That's it for now; I hope you find these useful. I may come up with something more in the near future.
    Comments and corrections are welcome.
    Closed for winter...
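
Tip 3 ends with PHP variables interpolated straight into a heredoc. The following is an added example, not code from the post above: a heredoc copies each variable's value into the HTML byte for byte, so any value that came from a request has to go through htmlspecialchars() first or it becomes a cross-site scripting hole. The h() helper, the render_unsafe()/render_safe() functions and the attacker-style sample values are this example's own constructions; the template lines echo the post's.

```php
<?php
// Added example (not from the original post). Heredoc interpolation does no
// escaping, so request-controlled values must be escaped before they are
// placed in the template. The sample values below are constructed.

declare(strict_types=1);

// Escape a value for use in HTML text and in double- or single-quoted attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The pattern as written in the post: raw variables inside the heredoc.
function render_unsafe(string $domain, string $img_name, string $staff_name): string
{
    return <<<CONTENT
<p>http://www.{$domain}</p>
<img src="{$img_name}.gif">
<div>{$staff_name}</div>
CONTENT;
}

// Same template; every interpolated value is escaped first, so the template
// body itself stays readable and nothing needs quoting by hand.
function render_safe(string $domain, string $img_name, string $staff_name): string
{
    $domain     = h($domain);
    $img_name   = h($img_name);
    $staff_name = h($staff_name);
    return <<<CONTENT
<p>http://www.{$domain}</p>
<img src="{$img_name}.gif">
<div>{$staff_name}</div>
CONTENT;
}

// Constructed attacker-controlled input, e.g. straight out of $_GET.
// The first breaks out of the src attribute and adds an event handler;
// the second injects a script element.
$img_name   = 'x" onerror="alert(1)';
$staff_name = '<script>alert(document.cookie)</script>';

echo "--- unsafe ---\n", render_unsafe('example.com', $img_name, $staff_name), "\n";
echo "--- safe ---\n",   render_safe('example.com', $img_name, $staff_name), "\n";
```

Run it with `php heredoc_escape.php` and compare the two renderings: in the unsafe one the quote in $img_name closes the src attribute and `onerror=` lands as a live attribute, while in the safe one it is emitted as `&quot;` and the script tag as `&lt;script&gt;`. Escape at the point where a value enters HTML, not where it is read from the request, so the same variable can still be used for logging or database queries unchanged.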

  2. #2

    That might do it

    The above post is correct

  3. #3
    On a semi-related note: it's also a good idea to use lower-case HTML tags and attribute names, especially if you want to translate your pages into XHTML sometime in the future.

    You could store your database info in your .conf file, but sometimes this isn't an option. Putting the configuration PHP file one level below (or above; after all, clients cannot see anything contained within PHP tags) the webroot will also work.

    PHP Code:
    <?php
    // database settings, guarded so the file can safely be included more than once
    if (!defined("_DB_HOST"))
    {
        define("_DB_HOST", "localhost");
        define("_DB_USER", "user");
        define("_DB_PASS", "admin");
    }
    ?>

    and later you can access it as

    PHP Code:
    $dbc = mysql_connect(_DB_HOST, _DB_USER, _DB_PASS);
    The above solution will work as long as you do not let clients download it or read the source of the file. Obviously you will have to manually include the file in any document where you need the settings, whereas Burak's solution will give you universal access to those variables without having to manually include a configuration file.

  4. #4
    It's not a good idea to load your database settings into Apache, as then the variables can be accessed anywhere within the server.

    Why not just use variables? Or add the contents into an array? You could encrypt these and then decrypt them when you need them!?

  5. #5
    I store all my DB passwords in a file with a .php extension. This way, if a user does figure out the path to it, my passwords won't be revealed (any other file extension will result in the file contents being displayed).

    There are a lot of techniques out there to improve your site's security, though each will come with a performance hit. Pick a reliable web host, as someone could still access your database and password files by attacking a less secure site hosted somewhere else on the system (assuming you are on a shared hosting account).

    I recommend doing a Google search and reading up on what other developers suggest you do.

  6. #6
    Quote Originally Posted by NateD
    I store all my DB passwords in a file with a .php extension. This way, if a user does figure out the path to it, my passwords won't be revealed (any other file extension will result in the file contents being displayed).
    This is not always the case. The following will prevent this.
    Code:
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of "Deny from all"
    <FilesMatch "\.inc$">
    Deny from all
    </FilesMatch>
    You can put this in your .htaccess file or, better yet, in your Apache config.
    In httpd.conf, look for
    Code:
    #<Directory /home/*/public_html>
    and add just above:
    Code:
    <Directory  /home/*/public_html>
    <FilesMatch "\.inc$">
    Deny from all
    </FilesMatch>
    </Directory>
    This way, you're protected against this stuff using .inc files.

    There are a couple of other ways to do this, though I forget them at the moment. If I remember them, I'll put the info in here as well.
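
Tip 2 in post #1 puts the credentials into Apache SetEnv variables, post #3 prefers a PHP file outside the webroot, and posts #4 to #6 argue about what other accounts on the same server can read. The following is an added example, not code from any post in this thread, that combines the two approaches the way a practitioner would deploy them: read the SetEnv values (DBASE_USER and DBASE_PW are the names from the post), fall back to a config file only if it lies outside DOCUMENT_ROOT and is not group/world readable, and scrub the secret from $_SERVER once it has been used. The fallback path, the permission check and the scrub step are this example's own assumptions; the thread states none of them.

```php
<?php
// Added example (not from any post in this thread). Credentials come from the
// Apache SetEnv variables described in tip 2; if they are absent, a PHP file
// outside the webroot is used instead, as post #3 suggests. The fallback path
// and the checks on it are this example's own choices.

declare(strict_types=1);

// Apache SetEnv values arrive in $_SERVER (and via getenv()) under mod_php and CGI.
function env_value(string $name): ?string
{
    $v = $_SERVER[$name] ?? getenv($name);
    return ($v === false || $v === '') ? null : (string) $v;
}

// Load a config file that lives outside the document root and returns an array.
function load_credentials_file(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("credentials file not found: $path");
    }
    // Refuse any file that is reachable as a URL, i.e. anything under DOCUMENT_ROOT.
    $docroot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docroot !== false
        && strncmp($real, $docroot . DIRECTORY_SEPARATOR, strlen($docroot) + 1) === 0) {
        throw new RuntimeException("refusing credentials file inside the webroot: $real");
    }
    // Refuse a file other accounts on a shared host could read (group/other read bits).
    if ((fileperms($real) & 0044) !== 0) {
        throw new RuntimeException("credentials file is readable by group/others: $real");
    }
    $cfg = require $real;   // file body: <?php return ['user' => '...', 'pw' => '...'];
    if (!is_array($cfg) || !isset($cfg['user'], $cfg['pw'])) {
        throw new RuntimeException("credentials file must return ['user' => ..., 'pw' => ...]");
    }
    return ['user' => (string) $cfg['user'], 'pw' => (string) $cfg['pw'], 'source' => 'file'];
}

// Prefer the SetEnv values; use the file only when they are not set.
function load_db_credentials(string $fallback_file): array
{
    $user = env_value('DBASE_USER');
    $pw   = env_value('DBASE_PW');
    if ($user !== null && $pw !== null) {
        return ['user' => $user, 'pw' => $pw, 'source' => 'env'];
    }
    return load_credentials_file($fallback_file);
}

// Remove the secret from this request's $_SERVER copy once it has been used, so a
// stray var_dump($_SERVER) or debug page later in the request does not print it.
// This does not make a publicly reachable phpinfo() safe; remove that page instead.
function scrub_credentials(): void
{
    unset($_SERVER['DBASE_USER'], $_SERVER['DBASE_PW']);
}

// Constructed demo: stand in for Apache's SetEnv by populating $_SERVER directly.
$_SERVER['DBASE_USER'] = 'username';
$_SERVER['DBASE_PW']   = 'password';

$creds = load_db_credentials('/etc/myapp/secure.php');   // fallback path is an assumption
printf("credentials loaded from %s for user %s\n", $creds['source'], $creds['user']);
// $db = new mysqli('localhost', $creds['user'], $creds['pw']);   // connect here
scrub_credentials();
var_dump(isset($_SERVER['DBASE_PW']));
```

Run it with `php load_creds.php`; with the two $_SERVER entries set it reports `env` as the source and never touches the file. Comment those two lines out to exercise the file path, which refuses to load unless the file exists, sits outside DOCUMENT_ROOT and is `chmod 600`. Neither branch ever echoes the password, and after scrub_credentials() the superglobal no longer carries it.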

  7. #7
    Quote Originally Posted by BurakUeda
    Think that you want to put this code into a variable like $html_code. You will have to take care of all the quotes and other characters you have to escape, and inserting some dynamic content inside it will be a nightmare. Not exactly. We have heredoc. [...]
    Nice guide, I especially liked this one (above); it will help me a lot.

    Cheers
    Craig.

  8. #8
    Thanks! I was especially wondering about the header one.
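
Post #8 asks about tip 1, the output-buffering redirect. The following is an added example, not code from the original post: ob_start() does let header() be called after HTML has been emitted, but ob_end_flush() still delivers the buffered page body to the client after the 302, and without an exit the rest of the script keeps running for a request that was supposed to be rejected. The script below redirects cleanly by discarding the buffer, refusing to continue if headers have already gone out, and stopping. The redirect_discard() function, the "missing POST field" condition and the page markup are this example's own; the error URL is the one from the post.

```php
<?php
// Added example, not code from the original post. Buffer the page, then either
// discard it and redirect, or flush it on the normal path. The missing-field
// condition and the markup are constructed for the demo.

ob_start();
?>
<!DOCTYPE html>
<html>
<head><title>Form</title></head>
<body>
<p>Site banner, already emitted before the redirect decision is made.</p>
<?php
// Discard all buffered output and redirect. Leaves only by exit or exception.
function redirect_discard(string $url, int $status = 302): void
{
    // Empty every active buffer level so none of the half-rendered page is sent.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    // If output already went out, header() would silently do nothing and the
    // page would be delivered anyway; fail loudly instead.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("cannot redirect: output started at $file:$line");
    }
    // $url must be a fixed, server-chosen target, never a value from the request,
    // or this becomes an open redirect.
    header('Location: ' . $url, true, $status);
    // Without exit the remainder of the script still executes (and may act on
    // or leak data for) a request that has just been rejected.
    exit;
}

if (!isset($_POST['email'])) {
    redirect_discard('http://www.mysite.com/error.php');
}
?>
<p>Only reached when the required field was present.</p>
</body>
</html>
<?php
// Normal path: send the headers, then the complete buffered page.
ob_end_flush();
```

Serve it through a web server and request it with and without an `email` form field: the bare GET yields a 302 with an empty body, while the POST with the field yields the full page. The difference from the workaround in the post is ob_end_clean() plus exit in the redirect branch; ob_end_flush() is reserved for the path that actually renders.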
