Follow this lesson in Ullman Chapter 5. The scripts are located in the 05 directory.
$greeting = 'Hello, ' . $user;
$greeting = "Hello $user";
$greeting = 'Hello, ';
$greeting .= $user;
View in your browser the pages posting.html and handle_post.php described on Ullman pages 86ff.
“Bait” the pages: try names with spaces, quotes, numbers. What works? What doesn’t?
Take a good, careful look at this page: http://us2.php.net/magic_quotes.
Magic Quotes is a setting in php.ini that does exactly the same thing addslashes() does. All single-quote ('), double-quote ("), backslash (\) and NULL characters are escaped with a backslash.
To find out if it’s set:
echo get_magic_quotes_gpc();
echo get_magic_quotes_runtime();
echo ini_get('magic_quotes_sybase');
Particularly see http://us2.php.net/manual/en/security.magicquotes.disabling.php.
stripslashes() # page 93
# remove slashes from a urlencoded string
addslashes() # page 95
# inserts escape slashes before special characters
ini_get() # page 95
# gets information about ini settings,
# for instance Magic Quotes:

// Adjust for magic quotes.
if (ini_get('magic_quotes_gpc')) {
    $data = stripslashes($_POST['form_input']);
} else {
    $data = $_POST['form_input'];
}
Fill in posting.html and look at script_05_03/handle_post.php in your browser. “Bait” it. How well does it handle unusual input?
htmlspecialchars() # page 96
# turns some HTML tags into HTML entities
htmlentities() # page 96
# turns all HTML tags into HTML entities
nl2br() # page 96
# turns newlines to breaks
strip_tags() # page 96
# removes all HTML and PHP tags
html_entity_decode() # page 99
# returns all HTML entities to HTML tags
wordwrap() # page 99
# wraps a string at the number of characters you specify
Fill in posting.html and look at script_05_04/handle_post.php in your browser. Note the differences in the three different renderings.
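The magic-quotes adjustment above and the three renderings in script_05_04/handle_post.php, as an added command-line example (not code from Ullman or from the lesson scripts): instead of reading $_POST it uses a constructed "baited" posting so it runs offline, and the helper names adjust_for_magic_quotes() and render_all() are my own.

```php
<?php
// Added example, not from Ullman or the lesson scripts. A command-line
// stand-in for handle_post.php that uses a constructed posting instead
// of $_POST so it runs offline.

// Constructed sample input: quotes, a tag, a script element and a newline,
// the kind of "bait" the exercise asks you to try.
$posting = "O'Reilly said \"hi\" <b>bold</b>\n<script>alert(1)</script> & done";

// Adjust for magic quotes the way the lesson does: strip the backslashes
// only if the runtime added them. The function no longer exists in PHP 8,
// so guard the call with function_exists().
function adjust_for_magic_quotes($data) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($data);
    }
    return $data;
}

// The renderings compared in script_05_04/handle_post.php. Only the
// escaped forms are safe to echo into a page: the raw form lets the
// browser run the <script> element.
function render_all($data) {
    return array(
        'raw'              => $data,
        'htmlspecialchars' => htmlspecialchars($data, ENT_QUOTES, 'UTF-8'),
        'htmlentities'     => htmlentities($data, ENT_QUOTES, 'UTF-8'),
        'strip_tags'       => strip_tags($data),
        // escape first, then turn newlines into <br />, never the other way round
        'nl2br_escaped'    => nl2br(htmlspecialchars($data, ENT_QUOTES, 'UTF-8')),
    );
}

$data = adjust_for_magic_quotes($posting);
foreach (render_all($data) as $name => $out) {
    // show the newline literally so each rendering stays on one line
    echo str_pad($name, 18) . ': ' . str_replace("\n", '\n', $out) . "\n";
}
```

Run it with `php` on the command line and compare the lines: htmlspecialchars() turns only <, >, &, and the quotes into entities, while htmlentities() also converts any other character that has an HTML entity.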
urlencode() # page 100
# encodes a string so it can be appended to a URL
urldecode() # page 102
# decodes an encoded string
See the file thanks.php described on Ullman page 103. Why does it need URL encoding?
str_replace(needle, replacement, haystack) # page 105
str_replace(replace_this, with_this, in_this_string)
Note that any of the arguments of str_replace() can be arrays.
Fill in posting.html and look at script_05_07/handle_post.php in your browser. Use the word “badword” in your posting.
strlen(string) # page 106
# returns length of string
str_ireplace(needle, replacement, haystack) # page 106
# performs case-insensitive replacement
# PHP 5 only
str_word_count(string) # page 106
# counts words delimited by spaces
strtok(string) # page 107
# "cuts up" a string based on its separators
substr(string, start_from, length) # page 107
# takes a substring from a string based on index:
$sub = substr($string, 0, 10);
See Ullman p. 107 regarding Tokenizing, Searching and Comparing Strings.
strstr(haystack, needle) # page 107
# returns haystack from the first instance of needle to the end of haystack
stristr()
# case-insensitive
strpos(haystack, needle) # page 107
# returns (numeric) position of needle
stripos()
# case-insensitive
strcmp() # page 107
# compare two strings expressed in binary
strcasecmp()
# case-insensitive
strnatcmp() # page 107
# compare two strings in "natural order"
strnatcasecmp()
# case-insensitive
trim(string) # page 108
# strips spaces from beginning and end of string
ltrim() # page 111
rtrim() # page 111
ucfirst(string) # page 108
# capitalizes first character of string
ucwords(string) # page 108
# capitalizes first character of every word in string
strtoupper(string) # page 108
# capitalizes entire string
strtolower(string) # page 108
# renders string in lower case
crypt() # page 112
# one-way encryption: hashing
encrypt() # page 112
# encryption: requires Mcrypt
decrypt() # page 112
# decryption: requires Mcrypt
Create a page that takes a needle, a replacement and a haystack in text boxes.
Create a result page that displays the result of your transformation.
Optional: Create a page that takes a name and crypts it. Can you encrypt and decrypt on your computer?
Review Chapter 5 of Ullman.