wicked cool php


www.nostarch.com
THE FINEST IN GEEK ENTERTAINMENT™
SHELVE IN: PROGRAMMING LANGUAGES/PHP
$29.95 ($32.95 CDN)

76 TIME-SAVING, PROBLEM-SOLVING PHP SCRIPTS

“I LAY FLAT.” This book uses RepKover—a durable binding that won’t snap shut. Printed on recycled paper.

PHP is an easy-to-use scripting language perfect for quickly creating the web features you need. Once you know the basics of how the language works, wouldn’t it be great to have a collection of useful scripts that solve those tricky problems and add interesting functionality to your site? We thought so, too.

Instead of starting at “Hello, world!”, Wicked Cool PHP assumes that you’re familiar with the language and jumps right in to the good stuff. After you learn the FAQs of life—the most commonly wished-for PHP scripts—you’ll work your way through smart configuration options and the art of forms, all the way to complex database-backed scripts.

Wicked Cool PHP contains a wide variety of scripts to process credit cards, check the validity of email addresses, template HTML, and serve dynamic images and text. The 76 easily implemented scripts will also teach you how to:

  • Send and receive email notifications

  • Track your visitors’ behavior with cookies and sessions

  • Override PHP’s default settings

  • Manipulate dates, images, and text on the fly

  • Harness SOAP and other web services

  • Create an online poll, e-card delivery system, and blog

But it’s not all fun and games. Security is a big concern when programming any web application, so you’ll learn how to encrypt your confidential data, safeguard your passwords, and prevent common cross-site scripting attacks. And you’ll learn how to customize all of the scripts to fit your own needs.

Dynamic web content doesn’t have to be difficult. Learn the secrets of the craft from two experienced PHP developers with Wicked Cool PHP.
ABOUT THE AUTHORS

William Steinmetz is the author of LAN Party: Hosting the Ultimate Frag Fest (Wiley) and co-author of Paint Shop Pro for Dummies (IDG). He is the webmaster and editor of StarCityGames.com, where traffic has quadrupled as a result of the changes he designed and implemented, all using PHP.

Brian Ward is the author of How Linux Works, The Book of VMware, and The Linux Problem Solver (all from No Starch Press).

WICKED COOL PHP
Real-World Scripts That Solve Difficult Problems
by William Steinmetz with Brian Ward
Covers PHP versions 5 and 6
San Francisco

WICKED COOL PHP. Copyright © 2008 by William Steinmetz with Brian Ward.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

12 11 10 09 08    1 2 3 4 5 6 7 8 9

ISBN-10: 1-59327-173-5
ISBN-13: 978-1-59327-173-2

Publisher: William Pollock
Production Editor: Megan Dunchak
Cover and Interior Design: Octopod Studios
Developmental Editor: Tyler Ortman
Technical Reviewer: Scott Gilbertson
Copyeditor: Linda Recktenwald
Compositor: Riley Hoffman
Proofreader: Jeanne Hansen
Indexer: Karin Arrigoni

For information on book distributors or translations, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
555 De Haro Street, Suite 250, San Francisco, CA 94107
phone: 415.863.9900; fax: 415.863.9950; info@nostarch.com; www.nostarch.com

Library of Congress Cataloging-in-Publication Data

Steinmetz, William.
Wicked cool PHP : real-world scripts that solve difficult problems / William Steinmetz and Brian Ward. 1st ed.
p. cm.
Includes index.
ISBN-13: 978-1-59327-173-2
ISBN-10: 1-59327-173-5
1. PHP (Computer program language) I. Ward, Brian, 1972- II. Title.
QA76.73.P224S74 2008
005.13'3 dc22
2005033702

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

Printed on recycled paper in the United States of America

BRIEF CONTENTS

  • Introduction
  • Chapter 1: The FAQs of Life—The Scripts Every PHP Programmer Wants (or Needs) to Know
  • Chapter 2: Configuring PHP
  • Chapter 3: PHP Security
  • Chapter 4: Working with Forms
  • Chapter 5: Working with Text and HTML
  • Chapter 6: Working with Dates
  • Chapter 7: Working with Files
  • Chapter 8: User and Session Tracking
  • Chapter 9: Working with Email
  • Chapter 10: Working with Images
  • Chapter 11: Using cURL to Interact with Web Services
  • Chapter 12: Intermediate Projects
  • Appendix
  • Index

CONTENTS IN DETAIL

  • INTRODUCTION
  • 1 THE FAQS OF LIFE—THE SCRIPTS EVERY PHP PROGRAMMER WANTS (OR NEEDS) TO KNOW
    • #1: Including Another File as a Part of Your Script
      • What Can Go Wrong?
    • #2: Highlighting Alternate Row Colors in a Table
      • Hacking the Script
    • #3: Creating Previous/Next Links
      • Using the Script
    • #4: Printing the Contents of an Array
    • #5: Turning an Array into a Nonarray Variable That Can Be Restored Later
      • What Can Go Wrong?
    • #6: Sorting Multidimensional Arrays
      • Hacking the Script
    • #7: Templating Your Site with Smarty
      • Installing Smarty
      • A Brief Smarty Tutorial
      • What Can Go Wrong?
      • Hacking the Script
  • 2 CONFIGURING PHP
    • Configuration Settings and the php.ini File
      • Locating Your php.ini File
    • #8: Revealing All of PHP’s Settings
    • #9: Reading an Individual Setting
    • #10: Error Reporting
      • Common Error Messages
    • #11: Suppressing All Error Messages
    • #12: Extending the Run Time of a Script
      • What Can Go Wrong?
    • #13: Preventing Users from Uploading Large Files
    • #14: Turning Off Registered Global Variables
    • #15: Enabling Magic Quotes
      • What Can Go Wrong?
    • #16: Restricting the Files that PHP Can Access
      • What Can Go Wrong?
    • #17: Shutting Down Specific Functions
    • #18: Adding Extensions to PHP
      • Adding PHP Extensions
      • Installing Extensions with a Web-Based Control Panel
      • What Can Go Wrong?
  • 3 PHP SECURITY
    • Recommended Security Configuration Options
    • #19: SQL Injection Attacks
    • #20: Preventing Basic XSS Attacks
    • #21: Using SafeHTML
      • What Can Go Wrong?
    • #22: Protecting Data with a One-Way Hash
      • Hacking the Script
    • #23: Encrypting Data with Mcrypt
      • Hacking the Script
    • #24: Generating Random Passwords
      • Using the Script
  • 4 WORKING WITH FORMS
    • Security Measures: Forms Are Not Trustworthy
    • Verification Strategies
    • Using $_POST, $_GET, $_REQUEST, and $_FILES to Access Form Data
    • #25: Fetching Form Variables Consistently and Safely
    • #26: Trimming Excess Whitespace
    • #27: Importing Form Variables into an Array
    • #28: Making Sure a Response Is One of a Set of Given Values
      • Hacking the Script
    • #29: Using Multiple Submit Buttons
    • #30: Validating a Credit Card
      • Using the Script
      • Hacking the Script
    • #31: Double-Checking a Credit Card’s Expiration Date
      • Using the Script
    • #32: Checking Valid Email Addresses
    • #33: Checking American Phone Numbers
  • 5 WORKING WITH TEXT AND HTML
    • #34: Extracting Part of a String
      • Hacking the Script
    • #35: Making a String Uppercase, Lowercase, or Capitalized
      • What Can Go Wrong?
    • #36: Finding Substrings
      • What Can Go Wrong?
    • #37: Replacing Substrings
      • What Can Go Wrong?
    • #38: Finding and Fixing Misspelled Words with pspell
      • Working with the Default Dictionary
      • Adding a Custom Dictionary to pspell
      • What Can Go Wrong?

[...]

  • ... wherever you installed PHP. On Windows, try C:\php.

  • Call the phpinfo() function in a PHP script (see the following section for more detail). The location appears in the output near the beginning with the label Configuration File (php.ini) Location.

  • On many Unix systems, the locate php.ini command returns all filenames that match php.ini.

NOTE: Many settings aren’t in the default php.ini file; PHP uses defaults...
... how to do it:

    <?php
    require_once("/path/to/file.php");
    ?>

The file that you give to require_once() is now a part of your script, exactly as if you had cut and copied the contents of the file into your script. You can even include HTML files to create a crude templating system. No matter what you name the file, PHP tries to read it as if it were valid PHP. As with any PHP file, you need the <?php and ?> markers...

... upload) a file called smarty_initialize.php, containing the following:

    <?php
    define("SMARTY_DIR", "/path/to/web/root/smarty/");
    require_once(SMARTY_DIR . "Smarty.class.php");
    $smarty = new Smarty;
    $smarty->compile_dir = "/path/to/web/root/templates/compile";
    $smarty->template_dir = "/path/to/web/root/templates/html";
    ?>

Four aspects of the smarty_initialize.php file are very important: The SMARTY_DIR...

2 CONFIGURING PHP

As with any software package, PHP has many configuration options that affect how it runs. Most of those options aren’t significant, but there are a few important ones that every programmer should know. In addition, there are many add-ons for PHP, called libraries, that add new capabilities to PHP. For example, the cURL extension allows your server...

... the settings that programmers frequently use in PHP and when you’d want to use them.

Configuration Settings and the php.ini File

Most novice programmers treat PHP’s default settings as if they were a tenant moving into an apartment complex—afraid to make changes lest it cost them their security deposit. But you should really think of PHP as your house. You’re going to live here for...

... to change a setting permanently, make a backup of your php.ini, edit the original, and restart Apache. If you’d rather change it on a per-script basis, use the ini_set() function.

Locating Your php.ini File

Sometimes it can be a little difficult to track down the location of php.ini on your system, especially if there are multiple instances of a PHP installation. Here are a few ways of finding it: On...

... “The FAQs of Life—The Scripts Every PHP Programmer Wants (or Needs) to Know,” contains quick solutions to everyone’s favorite little tasks and problems. After you calm down, take a look at Chapter 2, “Configuring PHP,” to find out how you should install and configure PHP; quite a large number of problems arise from misconfiguration. Continuing in this vein, Chapter 3, “PHP Security,” deals with keeping...

$current_page: The current page that contains the navigation bar. In this script, we use the $_SERVER["PHP_SELF"] special variable, which is always set to the current page without the hostname and any GET parameters. For example, in a script accessed at http://example.com/navbar.php?start=0, $current_page would be set to /navbar.php.

The starting row number. For example, if the user is looking at rows 100...

... or a session, for instance. MySQL and XML can’t handle the native PHP array type, either. Fortunately, there’s a way to transform PHP arrays into strings that you can store nearly anywhere: the serialize() function. Here’s a script that illustrates how this function works (assume $alacarte is the same as it was in the preceding section):

    <?php
    $menu = array(
        "appetizer" => "fruit",
        "entree" => "roast beef",...

... 24KB worth of XML processing goodness, but you use it only when someone chooses UPS as a shipping option. Why not store it in ups_ship_quotes.php and call it only when necessary? In fact, almost all heavy-duty PHP applications have a file called something like config.php, which declares the critical variables that every page needs to know, such as the MySQL name and password. Those same applications also ...

Date posted: 24/04/2014, 16:25

Table of contents

  • Introduction

  • 1: The FAQs of Life -- The Scripts Every PHP Programmer Wants (or Needs) to Know

    • #1: Including Another File as a Part of Your Script

      • What Can Go Wrong?

    • #2: Highlighting Alternate Row Colors in a Table

      • Hacking the Script

    • #3: Creating Previous/Next Links

      • Using the Script

    • #4: Printing the Contents of an Array

    • #5: Turning an Array into a Nonarray Variable That Can Be Restored Later

      • What Can Go Wrong?

    • #6: Sorting Multidimensional Arrays

      • Hacking the Script

    • #7: Templating Your Site with Smarty

      • Installing Smarty

      • A Brief Smarty Tutorial

      • What Can Go Wrong?

      • Hacking the Script

  • 2: Configuring PHP

    • Configuration Settings and the php.ini File

      • Locating Your php.ini File

    • #8: Revealing All of PHP’s Settings

    • #9: Reading an Individual Setting

    • #10: Error Reporting

      • Common Error Messages

    • #11: Suppressing All Error Messages

    • #12: Extending the Run Time of a Script

      • What Can Go Wrong?

    • #13: Preventing Users from Uploading Large Files

    • #14: Turning Off Registered Global Variables

    • #15: Enabling Magic Quotes

      • What Can Go Wrong?
