Jsp, Tomcat, J2Ee, Hibernate Programming, Http Web Server Blog

BRINGING FORMS TO LIFE if (function_exists(’nukeMagicQuotes’)) { nukeMagicQuotes(); } ?> The file corefuncs.php contains the function nukeMagicQuotes(). To prevent errors if corefuncs.php can t be accessed, the call to nukeMagicQuotes() is wrapped in a conditional statement using function_exists() as described in the last chapter. 5. Save contact.php and click the Reload button in your browser. Confirm that you want to resend the post data. The $_POST array should now be clear of backslashes, as shown in Figure 5-4. You can check your code with contact03.php. Figure 5-4. The nukeMagicQuotes() function cleans up the $_POST array ready for use in an email. Processing and acknowledging the message You can now build the message body with the contents of the $_POST array and email it to your inbox. You also need some way of informing the user that the message has been sent or if there is a problem. Rather than redirect the user to a different page, the following PHP Solution displays the result on the same page. I ve adopted this approach because an improved version later in the chapter redisplays the user s input if any required fields are missing. Once the final version of the form is complete, you can redirect the user to a separate acknowledgment page by adding only two lines of code. PHP Solution 5-2: Sending email from the feedback form Continue using the same files. Alternatively, use contact03.php from the download files. 1. Now that you have finished testing the $_POST array, delete the following three lines of code that were used to display its contents (they re just after the closing

tag):

125
If you are in need for cheap and reliable webhost to host your website, we recommend http web server services.

PHP SOLUTIONS: DYNAMIC WEB DESIGN MADE EASY Removing unwanted backslashes from form input As explained in Unraveling the magic quotes tangle in Chapter 3, many PHP servers automatically insert backslashes in front of quotes when a form is submitted. You need to remove these backslashes. PHP Solution 5-1: Eliminating magic quotes Continue working with the file from the previous exercise. Alternatively, use contact02.php from the download files for this chapter. Copy it to your working site and rename it contact.php. 1. Load contact.php into a browser. Enter some text. It doesn t matter what it is, as long as it contains an apostrophe or some double quotes. Click Send message. 2. Check the contents of the $_POST array at the bottom of the screen. If magic quotes are on, you will see something like Figure 5-3. A backslash has been inserted in front of all single and double quotes (apostrophes are treated the same as single quotes). If magic quotes are off, you will see no change from your original text. Figure 5-3. PHP magic quotes automatically insert a backslash in front of quotes when a form is submitted. 3. It s the setting on your remote server that matters, not what you see locally. Refer to Chapter 3 for instructions on how to check whether your remote server uses magic quotes. If it doesn t, make sure they are turned off in your local testing setup, and move on to PHP Solution 5-2. If in doubt, continue with the remaining steps. You can safely use the nukeMagicQuotes() function even if magic quotes have been disabled. 4. If your remote server uses magic quotes, copy includes/corefuncs.php from the download files for this chapter to the includes folder in your working site, and add the following code shown in bold to the end of the code block at the top of contact.php: Go visit our java server pages services for a reliable, lowcost webhost to satisfy all your needs.

BRINGING FORMS TO LIFE You may come across scripts that use $_REQUEST, which avoids the need to distinguish between $_POST or $_GET. It s less secure. Always use $_POST or $_GET instead. Old scripts may use $HTTP_POST_VARS or $HTTP_GET_VARS, which have exactly the same meaning as $_POST and $_GET. The longer versions have been removed from PHP 6. Use $_POST and $_GET instead. Sending email The PHP mail() function takes up to five arguments, all of them strings, as follows: The address(es) of the recipient(s) The subject line The message body A list of other email headers Additional parameters The first three arguments are required. Email addresses in the first argument can be in either of the following formats: ‘user@example.com’ ‘Some Guy ‘ To send to more than one address, use a comma-separated string like this: ‘user@example.com, another@example.com, Some Guy ‘ The second argument is a string containing the subject line. The third argument is the message body, which must be presented as a single string, regardless of how long it is. I ll explain how the fourth argument works later. Most people are unlikely to need the fifth argument, although some hosting companies now make it a requirement. It ensures that the email is sent by a trusted user, and it normally consists of -f followed (without a space) by your own email address, all enclosed in quotes. Check your hosting company s instructions to see whether this is required and the exact format it should take. It s important to understand that mail() isn t an email program. It passes the address, sub ject line, message, and any additional email headers to the web server s mail transport agent (MTA). PHP s responsibility ends there. It has no way of knowing if the email is deliv ered to its intended destination. Email doesn t always arrive when testing mail() in a local testing environment. Normally, this has nothing to do with your configuration, but with your service provider s security policies. If email fails to arrive, upload the script to your remote server and test it there. 123
Searching for affordable and proven webhost to host and run your servlet applications? Go to Linux Web Hosting services and you will find it.

PHP SOLUTIONS: DYNAMIC WEB DESIGN MADE EASY Because of these advantages, you should normally use the post method with forms. The get method is used mainly in conjunction with database searches, and has the advantage that you can bookmark a search result because all the data is in the URL. We ll return to the get method later in the book, but the rest of this chapter concentrates on the post method and its associated superglobal array, $_POST. Although the post method is more secure than get, you shouldn t assume that it s 100% safe. For secure transmission, you need to use encryption or the Secure Sockets Layer (SSL). Keeping safe with PHP superglobals While I m on the subject of security, it s worth explaining the background to the PHP superglobal arrays, which include $_POST and $_GET. The $_POST array contains data sent using the post method. So it should come as no surprise that data sent by the get method is in the $_GET array. Before the release of PHP 4.2.0 in April 2002, you didn t need to worry about using special arrays to access data submitted from a form. If the name of the form element was email, all that was necessary was to stick a dollar sign on the front, like this: $email. Bingo, you had instant access to the data. It was incredibly convenient. Unfortunately, it also left a gaping security hole. All that an attacker needed to do was view the source of your web page and pass values to your script through a query string. When the loophole was closed, millions of PHP scripts stopped working. Inexperienced web developers were up in arms, and harassed hosting companies changed a setting called register_globals in php.ini to restore a little peace to their lives. You will find lots of advice on the Internet to turn register_globals on in php.ini, because it will make your life easier. This is completely misguided. Turning on register_globals is foolish for the following reasons: It s totally insecure. There is no way to override the setting for individual scripts. If your hosting company turns register_globals off, any scripts that rely on it will break. The register_globals setting has been removed completely from PHP 6. Scripts that rely on register_globals won t work, period. It s very easy to write scripts that don t rely on register_globals, so it s not the major burden that some people imply. It just requires putting the name of the form element in quotes between square brackets after $_POST or $_GET, depending on the form s method attribute. So email becomes $_POST[’email’] if sent by the post method, and $_GET[’email’] if sent by the get method. That s all there is to it.
Searching for affordable and reliable webhost to host and run your web applications? Go to our java web server services and you will be pleased.

BRINGING FORMS TO LIFE 5. Save contact.php, and reload the page in your browser. Type another message, and click Send message. Your message should disappear, but nothing else happens. So where has it gone? It hasn t been lost, but you haven t done anything to process it yet. 6. In contact.php, add the following code immediately below the closing

tag:

This displays the contents of the $_POST superglobal array if any post data has been sent. As explained in Chapter 3, the print_r() function allows you to inspect the contents of arrays; the

 tags simply make the output easier to read.   7. Save the page, and click the Refresh button in your browser. You will probably see  a warning similar to the following. This tells you that the data will be resent, which  is exactly what you want. Click OK or Send depending on your browser.  8. The code from step 6 should now display the contents of your message below the  form as shown in Figure 5-2. Everything has been stored in one of PHP s super- global arrays, $_POST, which contains data sent using the post method. The name  attribute of each form element is used as the array key, making it easy to retrieve  the content.  Figure 5-2. Data from a form is stored as an associative array, with each element identified  by its name attribute.   As you have just seen, the get method sends your data in a very exposed way, making it vulnerable to alteration. Also, some browsers limit the maximum length of a URL, so it can be  used only for small amounts of data. The post method is more secure and can be used for  much larger amounts of data. By default, PHP permits up to 8MB of post data, although  hosting companies may set a smaller limit.   121    
We recommend cheap and reliable webhost to host and run your web applications: Coldfusion Web Hosting services.

				

PHP SOLUTIONS: DYNAMIC WEB DESIGN MADE EASY 1. Locate the opening

BRINGING FORMS TO LIFE First, let s take a look at the XHTML code used to build the form (it s in contact.php in the download files for this chapter):

Name:

Email:

Comments: .

The first thing to notice about this code is that the and tags contain both name and id attributes set to the same value. The reason for this duplication is that XHTML, CSS, and JavaScript all refer to the id attribute. Form processing scripts, however, rely on the name attribute. So, although the id attribute is optional, you must use the name attribute for each element that you want to be processed. The XHTML 1.0 specification (www.w3.org/TR/xhtml1) lists a number of elements, includ- ing<br /> <form>, for which the name attribute has been deprecated. This applies only to the<br /> <form> tag. The name attribute remains valid for <input>,<br /> <select>, and <textarea>. Two other things to notice are the method and action attributes inside the opening<br /> <form> tag. The method attribute determines how the form sends data to the processing script. It can be set to either post or get. The action attribute tells the browser where to send the data for processing when the submit button is clicked. If the value is left empty, as here, the page attempts to process the form itself. Understanding the difference between post and get The best way to demonstrate the difference between the post and get methods is with a real form. The download files for this chapter contain a complete set of files for the Japan Journey site with all the script from the last chapter incorporated in them. Make sure that the includes folder contains footer.inc.php and menu.inc.php. Copy contact01.php to your working site, and rename it contact.php. 119 <br />In case you need quality webspace to host and run your web applications, try our <a href="http://j2ee.b5websitehosting.com">personal web hosting</a> services. </p> </div> <p class="postmetadata">Posted in <a href="http://mysql5.armadillowebhosting.com/category/mysql5/" title="View all posts in MYSQL5" rel="category tag">MYSQL5</a> | <a href="http://mysql5.armadillowebhosting.com/mysql5/bringing-forms-to-life-first-let-s-take-a/#respond" title="Comment on BRINGING FORMS TO LIFE First, let s take a">No Comments »</a></p> </div> <div class="post"> <h3 id="post-337"><a href="http://mysql5.armadillowebhosting.com/mysql5/disney-web-site-php-solutions-dynamic-web-design-made-easy-what/" rel="bookmark" title="Permanent Link to Disney web site - PHP SOLUTIONS: DYNAMIC WEB DESIGN MADE EASY What">Disney web site - PHP SOLUTIONS: DYNAMIC WEB DESIGN MADE EASY What</a></h3> <small>Tuesday, December 4th, 2007</small> <div class="entry"> <p>PHP SOLUTIONS: DYNAMIC WEB DESIGN MADE EASY What this chapter covers: Gathering user input and sending it by email Displaying errors without losing user input Checking user input for security risks Forms lie at the very heart of working with PHP. You use forms for logging in to restricted pages, registering new users, placing orders with online stores, entering and updating information in a database, sending feedback . . . The list goes on. The same principles lie behind all these uses, so the knowledge you gain from this chapter will have practical value in most PHP applications. To demonstrate how to process information from a form, I m going to show you how to gather feedback from visitors to your site and send it to your mailbox. Unfortunately, user input can lay your site open to malicious attacks. The PHP Solutions in this chapter show you how to filter out or block anything suspicious or dangerous. It doesn t take a lot of effort to keep marauders at bay. How PHP gathers information from a form The Japan Journey website contains a feedback form (see Figure 5-1). I ve kept it deliberately simple to start with, but will add other elements such as radio buttons, check boxes, and drop-down menus later. Although XHTML contains all the necessary tags to construct a form, it doesn t provide any means to process the form when submitted. For that, you need a server-side solution, such as PHP. Figure 5-1. Activating a feedback form is one of the most popular uses of PHP. <br />Please visit <a href="http://domain.b5websitehosting.com">Domain Name Hosting</a> services for high quality webhost to host and run your jsp applications. </p> </div> <p class="postmetadata">Posted in <a href="http://mysql5.armadillowebhosting.com/category/mysql5/" title="View all posts in MYSQL5" rel="category tag">MYSQL5</a> | <a href="http://mysql5.armadillowebhosting.com/mysql5/disney-web-site-php-solutions-dynamic-web-design-made-easy-what/#respond" title="Comment on Disney web site - PHP SOLUTIONS: DYNAMIC WEB DESIGN MADE EASY What">No Comments »</a></p> </div> <div class="post"> <h3 id="post-336"><a href="http://mysql5.armadillowebhosting.com/mysql5/web-design-tools-5-bringing-forms-to-life/" rel="bookmark" title="Permanent Link to Web design tools - 5 BRINGING FORMS TO LIFE">Web design tools - 5 BRINGING FORMS TO LIFE</a></h3> <small>Monday, December 3rd, 2007</small> <div class="entry"> <p>5 BRINGING FORMS TO LIFE <br />Note: If you are looking for cheap and reliable webhost to host and run your mysql application check <a href="http://mysql.b5websitehosting.com">mysql web server</a> services. </p> </div> <p class="postmetadata">Posted in <a href="http://mysql5.armadillowebhosting.com/category/mysql5/" title="View all posts in MYSQL5" rel="category tag">MYSQL5</a> | <a href="http://mysql5.armadillowebhosting.com/mysql5/web-design-tools-5-bringing-forms-to-life/#respond" title="Comment on Web design tools - 5 BRINGING FORMS TO LIFE">No Comments »</a></p> </div> <div class="post"> <h3 id="post-335"><a href="http://mysql5.armadillowebhosting.com/mysql5/lightening-your-workload-with-includes-security-considerations-with-web-page-design/" rel="bookmark" title="Permanent Link to LIGHTENING YOUR WORKLOAD WITH INCLUDES Security considerations with (Web page design)">LIGHTENING YOUR WORKLOAD WITH INCLUDES Security considerations with (Web page design)</a></h3> <small>Monday, December 3rd, 2007</small> <div class="entry"> <p>LIGHTENING YOUR WORKLOAD WITH INCLUDES Security considerations with includes Include files are a very powerful feature of PHP. With that power come some serious secu rity risks. As long as the external file is accessible, PHP includes it and incorporates any code into the main script. But, as mentioned in the previous section, include files can be located anywhere even on a different website. Never use includes from a remote server. Even if you control the remote server yourself, it s possible for a malicious attacker to spoof the address. Because of the security risks involved, some hosting companies turn off the ability to include files from other servers. Summary This chapter has plunged you headlong into the world of PHP, using includes, arrays, and multidimensional arrays. It has shown you how to extract the name of the current page and get the dimensions of an image. If it s your first experience with PHP, your head may be reeling. Don t worry. Once you get used to the basic structures, you will find them being used over and over again, and familiarity will help you overcome any initial confusion. 115 <br />Please visit <a href="http://domain.b5websitehosting.com">Domain Name Hosting</a> services for high quality webhost to host and run your jsp applications. </p> </div> <p class="postmetadata">Posted in <a href="http://mysql5.armadillowebhosting.com/category/mysql5/" title="View all posts in MYSQL5" rel="category tag">MYSQL5</a> | <a href="http://mysql5.armadillowebhosting.com/mysql5/lightening-your-workload-with-includes-security-considerations-with-web-page-design/#respond" title="Comment on LIGHTENING YOUR WORKLOAD WITH INCLUDES Security considerations with (Web page design)">No Comments »</a></p> </div> <div class="navigation"> <div class="alignleft"><a href="http://mysql5.armadillowebhosting.com/2007/12/page/5/">« Previous Entries</a></div> <div class="alignright"><a href="http://mysql5.armadillowebhosting.com/2007/12/page/3/">Next Entries »</a></div> </div> </div> <div id="sidebar"> <ul> <li> <form method="get" id="searchform" action="http://mysql5.armadillowebhosting.com/"> <div><input type="text" value="" name="s" id="s" /> <input type="submit" id="searchsubmit" value="Search" /> </div> </form> </li> <!-- Author information is disabled per default. Uncomment and fill in your details if you want to use it. <li><h2>Author</h2> <p>A little something about you, the author. Nothing lengthy, just an overview.</p> </li> --> <li> <p>You are currently browsing the <a href="http://mysql5.armadillowebhosting.com/">Jsp, Tomcat, J2Ee, Hibernate Programming, Http Web Server Blog</a> weblog archives for December, 2007.</p> </li> <li><h2>Archives</h2> <ul> <li><a href='http://mysql5.armadillowebhosting.com/2008/03/' title='March 2008'>March 2008</a></li> <li><a href='http://mysql5.armadillowebhosting.com/2008/02/' title='February 2008'>February 2008</a></li> <li><a href='http://mysql5.armadillowebhosting.com/2008/01/' title='January 2008'>January 2008</a></li> <li><a href='http://mysql5.armadillowebhosting.com/2007/12/' title='December 2007'>December 2007</a></li> <li><a href='http://mysql5.armadillowebhosting.com/2007/11/' title='November 2007'>November 2007</a></li> <li><a href='http://mysql5.armadillowebhosting.com/2007/10/' title='October 2007'>October 2007</a></li> <li><a href='http://mysql5.armadillowebhosting.com/2007/09/' title='September 2007'>September 2007</a></li> <li><a href='http://mysql5.armadillowebhosting.com/2007/08/' title='August 2007'>August 2007</a></li> <li><a href='http://mysql5.armadillowebhosting.com/2007/07/' title='July 2007'>July 2007</a></li> <li><a href='http://mysql5.armadillowebhosting.com/2007/05/' title='May 2007'>May 2007</a></li> <li><a href='http://mysql5.armadillowebhosting.com/2007/04/' title='April 2007'>April 2007</a></li> </ul> </li> <li><h2>Categories</h2> <ul> <li><a href="http://mysql5.armadillowebhosting.com/category/mysql5/" title="View all posts filed under MYSQL5">MYSQL5</a> (496) </li> </ul> </li> </ul> </div> <hr /> <div id="footer"> <!-- If you'd like to support WordPress, having the "powered by" link someone on your blog is the best way, it's our only promotion or advertising. --> <p> Jsp, Tomcat, J2Ee, Hibernate Programming, Http Web Server Blog is proudly powered by <a href="http://www.visionwebhosting.net/">cheap hosting</a> <br /><a href="feed:http://mysql5.armadillowebhosting.com/feed/">Entries (RSS)</a> and <a href="feed:http://mysql5.armadillowebhosting.com/comments/feed/">Comments (RSS)</a>. <!-- 15 queries. 0.296 seconds. --> </p> </div> </div> <!-- Gorgeous design by Michael Heilemann - http://binarybonsai.com/kubrick/ --> </body> </html>