Some useful tips for PHP'ers

  #1  
Old 11-02-2005, 04:12 PM
BurakUeda BurakUeda is offline
Retarded Noodleator
 
Join Date: Oct 2004
Location: Shimonoseki
Posts: 2,100

Some useful tips for PHP'ers


1- Redirect whenever / wherever you want:
You cannot do this:
PHP Code:
<!doctype ..........>
<html>
<head>
</head>
<body>
< put here some header banner >
<?php 
echo "something";
//check some POST variable and if it is not set goto some page:
header("Location: http://www.mysite.com/error.php");
?>
This will give a Warning: "Cannot modify header information - headers already sent"
because you must put header() before any output in your code.

A simple workaround for this (for PHP 4+) is:
PHP Code:
<?php
// start buffering so nothing is sent to the browser yet
ob_start();
?>
<!doctype ..........>
<html>
<head>
</head>
<body>
< put here some header banner >
<?php 
echo "something";
header("Location: http://www.mysite.com/error.php");
?>
</body>
</html>
<?php
// send the buffered output to the browser
ob_end_flush();
?>
Using output_buffering will hold any output until you release it (flush), so you will be safe to use header() anywhere in your code.

2- Keep your database passwords safe
For this, you have to make some changes in your Apache config file, httpd.conf. If you cannot access it, have your host do this for you.
BUT BE WARNED: make backups of everything, just in case you screw up.
First, create a file with your usernames and passwords for databases, registrar APIs, control panel APIs, 3PP APIs etc. in it.
Say the "secure.inc" file looks like this:
Code:
SetEnv DBASE_USER "username"
SetEnv DBASE_PW "password"
SetEnv ENOM_UID "enomuser"
SetEnv ENOM_PW "enompw"
And include this file into httpd.conf, *INSIDE YOUR OWN VIRTUAL HOST BLOCK* or all users in the server can see it.
Code:
Include "/path/secure.inc"
Now restart your Apache, and when you want to use those usernames and passwords you can call them as:
PHP Code:
$conn_db = mysql_connect("localhost", $_SERVER["DBASE_USER"], $_SERVER["DBASE_PW"]);
So even if someone gets your PHP code in some way, your passwords will not be exposed. But keep in mind, outputting phpinfo() publicly will reveal your passwords.

3- heredoc usage
Consider this HTML code: (I know it has errors, I randomly deleted some parts. This is just an example)
HTML Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>

<TITLE>Untitled Document</TITLE>

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
</HEAD>
<BODY CLASS="sub">
<BR>
<TABLE WIDTH="90%" BORDER="0" CELLSPACING="2" CELLPADDING="4" STYLE="text-align: center">
  H="90%" NOSHADE SIZE="1">
<BR>

<TABLE WIDTH="90%" BORDER="0" CELLSPACING="0" CELLPADDING="4" STYLE="text-align: center">
	<TR>
		<TD WIDTH="15%" STYLE="white-space: nowrap">
	 
<TABLE WIDTH="100%" BORDER="0" CELLSPACING="0" CELLPADDING="2" CLASS="FooterColor">
  <TR>
    <TD>       2001 Lorem Ipsum Dolor <A HREF="#">Sic Amet</A>  <A HREF="#">Consectetur</A>    </TD>
    <TD STYLE="text-align: right">       <A HREF="#">Lorum</A>  <A HREF="#">Ipsum</A>  <A HREF="#">Dolor</A>  <A HREF="#">Sic Amet</A>  <A HREF="#">Consectetur</A>    </TD>
  </TR>
</TABLE>
</BODY>
</HTML>
Think that you want to put this code into a variable like $html_code.
You will have to take care of all the quotes and other characters you have to escape. And inserting some dynamic content inside it will be a nightmare.
Not exactly. We have heredoc.
Check out this code:
PHP Code:
$html_code = <<< CONTENT
             PUT ANYTHING HERE
   I mean <anything> 
     <img src="img.gif">
                 <FORM ACTION = 'mypage.php'>
       <DIV>
   </DIV>

CONTENT;
Heredoc will take care of everything for you. It starts with "<<<" followed by a heredoc block identifier (CONTENT in this example). It ends with the same block identifier name and a semicolon.
The heredoc ending block identifier must be at the far left of the line, with no space(s) or tab(s) before it. The identifier must include only alphanumeric characters and underscores, and must begin with a non-numeric character.
You want to use some dynamic content inside the block? No problem, use your PHP variables inside curly brackets:
PHP Code:
$html_code = <<< CONTENT
             PUT ANYTHING HERE
   I mean <anything> 
      http://www.{$domain}.{$tld}
     <img src="{$img_name}.gif">
                 <FORM ACTION = 'mypage.php'>
       <DIV>
{$staff->name["barney"]}
   </DIV>

CONTENT;
That's it for now, I hope you find these useful. I may come up with something more in the near future.
Comments and corrections are welcome.

__________________
Closed for winter...
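
Heredoc takes care of quoting the literal HTML, but the variables interpolated into it are inserted unescaped. The following is an added example, not part of the original post: it escapes each dynamic value before placing it in the heredoc. The helper `h()`, the function `render_staff_card()` and the sample values are hypothetical.

```php
<?php
// Added example, not from the original post.
// Hypothetical helper: HTML-escape a value for element content or a
// quoted attribute. htmlspecialchars() is standard PHP.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Hypothetical function building the fragment from tip 3.
function render_staff_card($name, $imgName, $domain, $tld)
{
    // Function calls cannot be interpolated inside a heredoc body, so
    // escape into local variables first and interpolate those.
    $safeName = h($name);
    // URL-encode the file name, then HTML-escape it for the attribute.
    $safeImg  = h(rawurlencode($imgName));
    $safeHost = h($domain . '.' . $tld);

    // The closing identifier stays at the far left, as the post requires.
    return <<<CONTENT
<div class="staff">
  http://www.{$safeHost}
  <img src="{$safeImg}.gif" alt="{$safeName}">
  <div>{$safeName}</div>
</div>

CONTENT;
}

// Constructed sample input: a name field that contains markup.
$name = 'Barney <script>alert(1)</script>';
echo render_staff_card($name, 'barney', 'example', 'com');
// The markup in $name is rendered as text (&lt;script&gt;...), not executed.
```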



  #2  
Old 12-08-2005, 07:44 PM
robmaag robmaag is offline
New Member
 
Join Date: Dec 2005
Posts: 1
That might do it

The above post is correct

  #3  
Old 12-09-2005, 04:30 PM
Korvan Korvan is offline
Web Hosting Guru
 
Join Date: Nov 2005
Posts: 268
On a semi-related note: It's also a good idea to use lower case HTML tags and attribute names, especially if you want to translate your pages into XHTML sometime in the future.

You could store your database info in your .conf file, but sometimes this isn't an option. Putting the configuring PHP file one level below (or above; after all, clients cannot see anything contained within PHP tags) the webroot will also work.

PHP Code:
<?php
// define the settings only once, even if this file is included twice
if(!defined("_DB_HOST"))
{
define("_DB_HOST", "localhost");
define("_DB_USER", "user");
define("_DB_PASS", "admin");
}
?>

and later you can access it as

$dbc = mysql_connect(_DB_HOST, _DB_USER, _DB_PASS);
The above solution will work as long as you do not let clients download it or read the source of the file. Obviously you will have to manually include the file in any document where you need the settings, whereas Burak's solution will give you universal access to those variables without having to manually include a configuration file.

  #4  
Old 12-14-2005, 08:25 PM
adaml adaml is offline
Web Hosting Guru
 
Join Date: Oct 2002
Location: York, United Kingdom
Posts: 260
It's not a good idea to load your database settings into Apache, as then the variables can be accessed anywhere within the server.

Why not just use variables? Or add the contents into an array? You could encrypt these and then decrypt them when you need them!?

__________________
adamlivesley
http://84degrees.com

  #5  
Old 01-02-2006, 09:42 AM
NateD NateD is offline
Junior Guru Wannabe
 
Join Date: Mar 2005
Location: New Zealand
Posts: 59
I store all my db passwords in a file with a .php extension. This way if a user does figure out the path to it my passwords won't be revealed (any other file extension will result in the file contents being displayed).

There are a lot of techniques out there to improve your site's security, though they will each come with a performance hit. Pick a reliable webhoster, as someone could still access your database and password files by attacking a less-secure site hosted somewhere else on the system (assuming you are on a shared hosting account).

I recommend doing a Google search and reading up on what other developers suggest you do.

__________________
Hide website errors from your users plus manage all errors from multiple websites in one place FREE...

Codetrail.com: SSL Secure bug-tracking webservice.

  #6  
Old 01-13-2006, 08:43 AM
twhiting9275 twhiting9275 is offline
Just me
 
Join Date: Sep 2002
Location: Among the corn
Posts: 10,472
Quote:
Originally Posted by NateD
I store all my db passwords in a file with a .php extension. This way if a user does figure out the path to it my passwords won't be revealed (any other file extension will result in the file contents being displayed).
Not always is this the case. The following will prevent this.
Code:
<FilesMatch "\.inc$">
Deny from all
</FilesMatch>
You can put this in your .htaccess file, or better yet, in your Apache configs.
In httpd.conf, look for
Code:
#<Directory /home/*/public_html>
and add just above:
Code:
<Directory  /home/*/public_html>
<FilesMatch "\.inc$">
Deny from all
</FilesMatch>
</Directory>
This way, you're protected against this stuff using .inc files.

There's a couple of other ways to do this, though I forget them at the time. If I remember them, I'll put the info in here as well.
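
The approaches discussed so far in the thread (SetEnv variables in the virtual host, an include file kept out of the web root) can be combined in one loader that fails closed. This is an added example, not code from any of the posts; the function name `load_db_credentials()`, the constant `DB_CONFIG_FILE` and its path are hypothetical, and the include file is assumed to return an array with `user` and `pass` keys.

```php
<?php
// Added example, not from the thread. Hypothetical path outside the web
// root; the file is assumed to `return array('user' => ..., 'pass' => ...)`.
define('DB_CONFIG_FILE', '/home/example/private/db-config.php');

function load_db_credentials()
{
    // 1. Values injected by Apache with SetEnv inside the virtual host.
    if (!empty($_SERVER['DBASE_USER']) && isset($_SERVER['DBASE_PW'])) {
        return array('user' => $_SERVER['DBASE_USER'],
                     'pass' => $_SERVER['DBASE_PW']);
    }

    // 2. Fallback: an include file, accepted only if it lies outside the
    //    document root, so a handler misconfiguration cannot serve it.
    $file = realpath(DB_CONFIG_FILE);
    if ($file === false || !is_readable($file)) {
        throw new RuntimeException('database configuration not found');
    }
    $root = empty($_SERVER['DOCUMENT_ROOT'])
        ? false : realpath($_SERVER['DOCUMENT_ROOT']);
    if ($root !== false
        && strpos($file, rtrim($root, '/\\') . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('database configuration is inside the web root');
    }

    $cfg = require $file;
    if (!is_array($cfg) || !isset($cfg['user'], $cfg['pass'])) {
        throw new RuntimeException('database configuration is malformed');
    }
    return $cfg;
}

try {
    $db = load_db_credentials();
    // Connect here using $db['user'] and $db['pass'].
} catch (RuntimeException $e) {
    // Log the reason server-side; tell visitors nothing about the setup.
    error_log($e->getMessage());
    echo 'Service temporarily unavailable.';
}
```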

  #7  
Old 01-13-2006, 08:52 AM
Xoopiter-Craig Xoopiter-Craig is offline
WHT Addict
 
Join Date: Feb 2005
Location: UK
Posts: 113
Quote:
Originally Posted by BurakUeda
Think that you want to put this code into a variable like $html_code.
You will have to take care of all the quotes and other characters you have to escape. And inserting some dynamic content inside it will be a nightmare.
Not exactly. We have heredoc.
Check out this code:
PHP Code:
$html_code = <<< CONTENT
             PUT ANYTHING HERE
   I mean <anything> 
     <img src="img.gif">
                 <FORM ACTION = 'mypage.php'>
       <DIV>
   </DIV>

CONTENT;
Heredoc will take care of everything for you. It starts with "<<<" followed by a heredoc block identifier (CONTENT in this example). It ends with the same block identifier name and a semicolon.
The heredoc ending block identifier must be at the far left of the line, with no space(s) or tab(s) before it. The identifier must include only alphanumeric characters and underscores, and must begin with a non-numeric character.
You want to use some dynamic content inside the block? No problem, use your PHP variables inside curly brackets:
PHP Code:
$html_code = <<< CONTENT
             PUT ANYTHING HERE
   I mean <anything> 
      http://www.{$domain}.{$tld}
     <img src="{$img_name}.gif">
                 <FORM ACTION = 'mypage.php'>
       <DIV>
{$staff->name["barney"]}
   </DIV>

CONTENT;
That's it for now, I hope you find these useful. I may come up with something more in the near future.
Comments and corrections are welcome.

Nice guide, I especially liked this one (above), will help me a lot.

Cheers
Craig.

  #8  
Old 01-13-2006, 09:27 PM
Minodragon Minodragon is offline
New Member
 
Join Date: Jan 2006
Posts: 4
Thanks! I was especially wondering about the header one.
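
For the header tip in the first post, two details matter once output buffering is in place: the script keeps running after `header()` unless it exits, and anything already in the buffer is sent along with the redirect. The following is an added example, not part of any post in the thread; `redirect_and_stop()` and the `order_id` field are hypothetical.

```php
<?php
// Added example, not from the thread. Buffer output so headers can still
// be changed after markup has been generated.
ob_start();

// Hypothetical helper. $url should be a fixed, site-owned address as in
// the original tip, never a value taken from the request.
function redirect_and_stop($url)
{
    if (headers_sent($file, $line)) {
        // The buffer was flushed (or never started) before this point, so
        // header() would only raise "headers already sent". Log and stop.
        error_log("redirect to $url failed: output started at $file:$line");
        exit(1);
    }
    // Throw away the half-built page instead of sending it with the
    // redirect: a client that ignores Location would otherwise receive it.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    header('Location: ' . $url, true, 302);
    exit; // nothing after the redirect may run
}
?>
<!doctype html>
<html>
<head><title>Order form</title></head>
<body>
<p>header banner</p>
<?php
// Constructed check: the page needs a POSTed "order_id" to continue.
if (!isset($_POST['order_id']) || !is_string($_POST['order_id'])) {
    redirect_and_stop('http://www.mysite.com/error.php');
}
echo 'Order ' . htmlspecialchars($_POST['order_id'], ENT_QUOTES, 'UTF-8');
?>
</body>
</html>
<?php
ob_end_flush(); // release the buffered page to the browser
```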
