Secure PHP Development- P10

Shared by: Cong Thanh | Date: | File type: PDF | Pages: 5

Secure PHP Development- P10: Welcome to Secure PHP Development: Building 50 Practical Applications. PHP has come a long way since its first incarnation as a Perl script. Now PHP is a powerful Web scripting language with object-oriented programming support. Slowly but steadily it has entered the non-Web scripting arena often reserved for Perl and other shell scripting languages. Arguably, PHP is one of the most popular Web platforms.

Part I: Designing PHP Applications, Chapter 1: Features of Practical PHP Applications

Listing 1-6 (Continued)

    // Set up the template block
    $t->set_block("page", "mainBlock", "main");

    // Set the template variable = value
    $t->set_var("ERRORS", $errors);
    $t->set_var("NUM1", $num1);
    $t->set_var("NUM2", $num2);
    $t->set_var("OPERATOR", $operator);
    $t->set_var("RESULT", $result);

    // Parse the template block with all
    // predefined key=values
    $t->parse("main", "mainBlock", false);

    // Parse the entire template and
    // print the output
    $t->pparse("OUT", "page");
    ?>

The script can be called using a URL such as the following:

    http://yourserver/ch1/calc.php?num1=123&operator=%2B&num2=0

The calc.php script produces an output screen, as shown in Figure 1-1, using the calc.html template stored in ch1/templates.

Figure 1-1: Output of the calc.php script.

If the script is called without one or more inputs, it shows error messages. For example, if the user forgot to enter the operator, the output looks as shown in Figure 1-2.

Figure 1-2: Output of the calc.php script (calling without an operator).

Similarly, if the operator is division (/) and the second number is 0, then the divide-by-zero error message is shown, as in Figure 1-3.

Figure 1-3: Output of the calc.php script (divide-by-zero error message).

So this script is able to catch input errors and even a run-time error caused by bad user input (divide by zero). But, sadly, this script violates a design principle of a practical PHP application. Notice the following lines in the script:

    $errors .= "You did not enter number 1.";
    // lines skipped
    $errors .= "You did not enter number 2.";
    // lines skipped
    $errors .= "You did not enter the operator.";
    // lines skipped
    $errors .= "Divide by zero is not allowed.";

These error messages are in English and have HTML tags in them. This means that if the end user wasn't fond of the way the messages were shown, he or she would have to change them in the code, and so risk modifying code in a way that introduces bugs. Also, what if the end user spoke, say, Spanish instead of English? Again, the end user would have to change the code. A better solution is shown in Listing 1-7 and Listing 1-8.

Listing 1-7: calc2.php

    // If operation is + do addition: num1 + num2
    if (!strcmp($operator, '+')) {
        $result = $num1 + $num2;

    // If operation is - do subtraction: num1 - num2
    } else if (!strcmp($operator, '-')) {
        $result = $num1 - $num2;

    // If operation is * do multiplication: num1 * num2
    } else if (!strcmp($operator, '*')) {
        $result = $num1 * $num2;

    // If operation is / do division: num1 / num2
    } else if (!strcmp($operator, '/')) {
        // If second number is 0, show divide by zero exception
        if (!$num2) {
            $errors .= $ERRORS[LANGUAGE]['DIVIDE_BY_ZERO'];
        } else {
            $result = sprintf("%.2f", $num1 / $num2);
        }
    }

    // Create a new template object
    $t = new Template($TEMPLATE_DIR);

    // Set the template file for this object to the application's template
    $t->set_file("page", $OUT_TEMPLATE);

    // Set up the template block
    $t->set_block("page", "mainBlock", "main");

    // Set the template variable = value
    $t->set_var("ERRORS", $errors);
    $t->set_var("NUM1", $num1);
    $t->set_var("NUM2", $num2);
    $t->set_var("OPERATOR", $operator);
    $t->set_var("RESULT", $result);

    // Parse the template block with all predefined key=values
    $t->parse("main", "mainBlock", false);

    // Parse the entire template and print the output
    $t->pparse("OUT", "page");
    ?>

The difference between calc.php and calc2.php is that calc2.php doesn't have any error messages hard-coded in the script. The calc.php error messages have been replaced with the following:

    $errors .= $ERRORS[LANGUAGE]['NUM1_MISSING'];
    $errors .= $ERRORS[LANGUAGE]['NUM2_MISSING'];
    $errors .= $ERRORS[LANGUAGE]['OPERATOR_MISSING'];
    $errors .= $ERRORS[LANGUAGE]['DIVIDE_BY_ZERO'];

The calc2.php script loads the error messages from the calc2.errors file using the following line:

    require_once('calc2.errors');

The calc2.errors file is shown in Listing 1-8.

Listing 1-8: calc2.errors
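As an added example (not the book's Listing 1-7 or 1-8), the following shows what a calc2.errors-style message table and the code that consults it can look like: the script references messages only by key, translators edit the table, and the text is escaped on output so the table holds plain text rather than markup. The LANGUAGE constant, the OPERATOR_UNKNOWN key and the Spanish table are assumptions of this example; the Spanish table deliberately omits the OPERATOR_* keys so the English fallback is exercised.

```php
<?php
// Added example (not from the book): language-indexed error messages in the
// style of calc2.errors. LANGUAGE is assumed to be set by the application;
// 'EN' is the fallback table. Messages hold text only; markup is the template's job.
define('LANGUAGE', 'ES');
$ERRORS = [
    'EN' => [
        'NUM1_MISSING'     => 'You did not enter number 1.',
        'NUM2_MISSING'     => 'You did not enter number 2.',
        'OPERATOR_MISSING' => 'You did not enter the operator.',
        'OPERATOR_UNKNOWN' => 'The operator must be one of + - * /.',
        'DIVIDE_BY_ZERO'   => 'Divide by zero is not allowed.',
    ],
    'ES' => [
        'NUM1_MISSING'     => 'No ha introducido el número 1.',
        'NUM2_MISSING'     => 'No ha introducido el número 2.',
        'DIVIDE_BY_ZERO'   => 'No se permite dividir por cero.',
    ],
];

// Resolve a message key for the current language, falling back to English,
// and escape it so the table itself can never inject markup into the page.
function errorMessage(array $errors, string $key): string
{
    $msg = $errors[LANGUAGE][$key] ?? $errors['EN'][$key] ?? "Error: $key";
    return htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
}

// Validate the request the way calc.php/calc2.php do, but with every message
// looked up by key. Returns the list of messages; an empty list means valid.
function validateCalcInput(array $in, array $errors): array
{
    $found = [];
    foreach (['num1' => 'NUM1_MISSING', 'num2' => 'NUM2_MISSING'] as $field => $key) {
        if (!isset($in[$field]) || !is_numeric($in[$field])) {
            $found[] = errorMessage($errors, $key);
        }
    }
    $op = $in['operator'] ?? '';
    if ($op === '') {
        $found[] = errorMessage($errors, 'OPERATOR_MISSING');
    } elseif (!in_array($op, ['+', '-', '*', '/'], true)) {
        $found[] = errorMessage($errors, 'OPERATOR_UNKNOWN');
    } elseif ($op === '/' && isset($in['num2']) && is_numeric($in['num2']) && (float) $in['num2'] === 0.0) {
        $found[] = errorMessage($errors, 'DIVIDE_BY_ZERO');
    }
    return $found;
}

// Constructed request: Spanish UI, first number absent, division by zero.
print_r(validateCalcInput(['operator' => '/', 'num2' => '0.0'], $ERRORS));
```

Switching LANGUAGE to 'EN', or requesting a key the Spanish table lacks, changes only which text is returned; calc2.php itself never needs editing.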