PHP: Further Skills 02

By Trevor Adams
Topics covered

Persistence
 Basic Persistence
  What is it?
  Why do we need it?
  Hidden form fields
  Query strings
  Cookies
  Sessions
Persistence – What is it?

Broadly, it is any mechanism that allows values from one page activity to be available on the next.
Persistence – State Management

So why do we need it?
 HTTP has no way of tracking a user’s visit to a web site
 HTTP simply responds to requests for resources
 Web applications demand more functionality than simple, static web pages can provide
 Data-driven web sites often provide access to relatively sensitive data
Persistence – form fields

Hidden form fields provide a simple way to maintain application state
 Simple to use HTML
 Generated by PHP statements
 <input type="hidden" name="action" value="do" id="action" />
Provides a useful way of processing data differently from one form. E.g.
 Editing and adding a record can use the same form
 The action required can be determined from a hidden field named action
 The script that catches the post can query action and act appropriately
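The edit/add pattern just described, as an added example that is not code from the original slides. One form carries a hidden action field; the script that receives the post switches on it. The function names renderForm() and handlePost(), the in-memory $records array and the product.php target are assumptions made for the illustration, and the code assumes PHP 7.1 or later for the nullable parameter type. Because a hidden field is just another POST value the client can change, the handler accepts only the actions it knows and validates the record id rather than trusting it.

```php
<?php
// Added example (not from the original slides): one form handles both
// "add" and "edit" via a hidden "action" field. The function names,
// the $records array and the product.php target are assumptions.

// Constructed in-memory "database" standing in for a real table.
$records = [1001 => 'Widget', 1002 => 'Gadget'];

function renderForm(string $action, ?int $id = null, string $name = ''): string
{
    // Every value placed back into HTML is escaped first.
    $html  = '<form method="post" action="product.php">';
    $html .= '<input type="hidden" name="action" value="'
           . htmlspecialchars($action, ENT_QUOTES) . '" id="action" />';
    if ($id !== null) {
        // The record being edited travels in a second hidden field.
        $html .= '<input type="hidden" name="id" value="' . (int) $id . '" />';
    }
    $html .= '<input type="text" name="name" value="'
           . htmlspecialchars($name, ENT_QUOTES) . '" />';
    $html .= '<input type="submit" value="Save" /></form>';
    return $html;
}

function handlePost(array $post, array &$records): string
{
    // The hidden field arrives like any other POST value and can be altered
    // by the client, so only a fixed set of actions is accepted and the rest
    // of the input is validated before it is used.
    $action = $post['action'] ?? '';
    $name   = trim($post['name'] ?? '');
    if ($name === '' || strlen($name) > 100) {
        return 'Invalid name';
    }
    switch ($action) {
        case 'add':
            $id = empty($records) ? 1 : max(array_keys($records)) + 1;
            $records[$id] = $name;
            return "Added record $id";
        case 'edit':
            // The id must be an integer that names an existing record.
            $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
            if ($id === false || !isset($records[$id])) {
                return 'Unknown record';
            }
            $records[$id] = $name;
            return "Updated record $id";
        default:
            return 'Unknown action';
    }
}

// Usage: render the edit form for record 1001, then simulate the posts
// the browser would send back (constructed $_POST arrays).
echo renderForm('edit', 1001, $records[1001]), PHP_EOL;
echo handlePost(['action' => 'edit', 'id' => '1001', 'name' => 'Widget v2'], $records), PHP_EOL;
echo handlePost(['action' => 'add', 'name' => 'Gizmo'], $records), PHP_EOL;
echo handlePost(['action' => 'delete', 'name' => 'x'], $records), PHP_EOL;
echo handlePost(['action' => 'edit', 'id' => '9999', 'name' => 'x'], $records), PHP_EOL;
```

The last two calls show the two failure modes worth handling: an action the form never offers, and an id for a record that does not exist. Both are refused instead of silently acting on whatever the client sent.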
Persistence – Form fields

Form fields have their disadvantages
 Have to be managed by the programmer
 Can be laborious on many forms
 Data has to be obfuscated if sensitive
  This is not ideal
  Remember – HTML is plain text
 Have to be sent to the server each round trip
Persistence – Query Strings

Query strings allow the passing of variables through the URL
 Multiple variables are declared using the ampersand (&) character
 E.g. http://example.web/product.php?id=1001
 E.g. /product.php?id=1001&order=asc
Values can be accessed using the $_GET array
 This is used similarly to the $_POST array
 E.g. from the above example
 <?php echo $_GET["id"]; ?>
 // prints 1001
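Reading the id and order values from the example URL above, as an added example rather than code from the original slides. The functions readProductQuery() and productLink() are assumptions for the illustration. Anything in the query string is typed by the user or whoever built the link, so the id is checked to be a positive integer and order is limited to the two values the page understands; the link builder uses http_build_query() so that values are URL-encoded and htmlspecialchars() so that the & between variables is safe inside HTML.

```php
<?php
// Added example (not from the original slides): validating the id and
// order values of /product.php?id=1001&order=asc and building an escaped
// link back with the same values. Function names are assumptions.

function readProductQuery(array $get): ?array
{
    // Query-string values are untrusted text: require a positive integer
    // id and restrict "order" to the two values the page accepts.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $order = $get['order'] ?? 'asc';
    if (!in_array($order, ['asc', 'desc'], true)) {
        return null;
    }
    return ['id' => $id, 'order' => $order];
}

function productLink(int $id, string $order): string
{
    // http_build_query() URL-encodes keys and values; htmlspecialchars()
    // escapes the & so the URL can sit inside an HTML attribute.
    $url = '/product.php?' . http_build_query(['id' => $id, 'order' => $order]);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES) . '">Product '
         . $id . '</a>';
}

// Constructed request: what PHP places in $_GET for
// /product.php?id=1001&order=asc
$params = readProductQuery(['id' => '1001', 'order' => 'asc']);
var_dump($params);
echo productLink($params['id'], $params['order']), PHP_EOL;

// A value that is not a valid id, or an order the page does not offer,
// is rejected as a whole rather than passed on to the rest of the script.
var_dump(readProductQuery(['id' => 'abc', 'order' => 'asc']));
var_dump(readProductQuery(['id' => '1001', 'order' => 'random']));
```

The same approach applies to any value taken from $_GET: decide what shape it must have, reject anything else, and escape it again on the way back out into a URL or HTML.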
Persistence – Query Strings

Query strings are perfect for bookmarks
 They are part of the URL
 Can be given as direct links
Query strings can persist through basic HTML elements
 E.g. Hyperlinks (<a>)
Persistence – Query Strings

Query strings are not ideal in every situation
 All variables are visible in the URL
 Useless for sensitive data
 Some applications specify a 256 character URL limit (including the page)
 Easy target for unscrupulous people
 Useless for large input, such as web mail
Persistence – Basic Summary

We can create persistent applications using skills we have already covered
Hidden form elements
 Work just like other form elements
 They do not render on screen
Query strings
 Append key=value pairs to a URL
 Accessible as the $_GET array
 Visible in the URL
Persistence – Cookie time!

Quick (perhaps dirty) way of persisting data using the client
Can store data between visits to a site
Stored as basic text files on the client machine
Cookie data is sent to the server with each page request (providing the cookie is valid)
Persistence - Cookies

Cookies have a bad reputation
 In general people do not trust cookies
  Over used
  Abused
  Often they do not know they are needed for the cool things they enjoy on a web site
 Possible poor uses of cookies include:
  Tracking and reporting browsing habits
  Reporting products of interest to other web sites
  Many others
Persistence - Cookies

Cookies should be used for the “Bells and Whistles” of a web site
A web site should generally (try to at least) not rely on cookies to be completely functional
For example, storing the user’s visual style preference
 If the cookie is not accepted, the site will still work
Persistence - Cookies

PHP allows the programmer to set cookies
 The setcookie() function
 This function takes up to 6 parameters
  Name – required
  Value – required
  Expire – the time at which the cookie expires, as a Unix timestamp in seconds
  Path – path that the cookie is valid for (e.g. /tja1)
  Domain – domain that the cookie is valid for (e.g. example.web)
  Secure – whether it requires HTTPS or not
 setcookie("cssfile", "style.css", time()+1800);
Persistence – Cookie expiration

The PHP time() function returns the current time measured in the number of seconds since the Unix Epoch (January 1 1970 00:00:00 GMT).
 time() + 1800 will expire the cookie in 30 minutes
 Try <?php echo time(); ?>
 60 seconds * 30 = 1800
We shall cover time and date functions in the lab session
Persistence - Cookies

Cookies are available on the subsequent page request from when they are set
They are accessible via the $_COOKIE array
 The cookie name is the array key
 Adding values directly to the cookie array will not create a cookie
  Must use the setcookie() function for this
Persistence - Cookies

setcookie() must be called before any output is sent to the browser
 Cookies are sent in the HTTP header
 <?php echo "Hello!";
 setcookie("style", "myfile.css", time()+1800); ?>
 Results in an error
 Output includes any data, including plain HTML, that comes before the setcookie() call
Do not store arrays in cookie variables
 They require special manipulation
 Stick to basic types, textual/numeric
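The style-sheet cookie used across the cookie slides, written out as an added example that is not code from the original slides. It covers the setting and the reading side in one script: setStyleCookie() checks headers_sent() so the "output before setcookie()" mistake above fails cleanly, and currentStyle() treats the value that comes back in $_COOKIE as untrusted, because it is stored on the client and can be edited there. The function names, the ALLOWED_STYLES list and the /tja1 path are assumptions for the illustration. The call goes one parameter beyond the six listed on the slide: the seventh, httponly, keeps the cookie out of reach of client-side script and exists in PHP 5.2 and later.

```php
<?php
// Added example (not from the original slides): set the cssfile cookie on
// one request and read it back, validated, on the next. Function names,
// the allowed-file list and the /tja1 path are assumptions.

const ALLOWED_STYLES = ['style.css', 'dark.css', 'large.css'];

function setStyleCookie(string $file): bool
{
    // setcookie() writes an HTTP header, so it must run before any output;
    // checking headers_sent() turns the usual warning into a clean failure.
    if (headers_sent()) {
        return false;
    }
    // name, value, expiry (Unix timestamp 30 minutes from now), path,
    // domain (empty = current host), secure (HTTPS only), httponly
    return setcookie('cssfile', $file, time() + 1800, '/tja1', '', true, true);
}

function currentStyle(array $cookies): string
{
    // The value comes back from the client and may have been changed there,
    // so only a file from the known list is used; anything else falls back
    // to the default and the site keeps working without the cookie.
    $file = $cookies['cssfile'] ?? '';
    return in_array($file, ALLOWED_STYLES, true) ? $file : 'style.css';
}

// Request 1: the user picks a style. The cookie is set before any HTML is
// echoed; $_COOKIE is still empty on this request, so the default applies.
$set = setStyleCookie('dark.css');
echo '<link rel="stylesheet" href="'
   . htmlspecialchars(currentStyle($_COOKIE), ENT_QUOTES) . '" />', PHP_EOL;

// Request 2 (simulated): the browser sends the cookie back, and the chosen
// style is used.
echo currentStyle(['cssfile' => 'dark.css']), PHP_EOL;

// A value the site never issued is ignored rather than placed in the page.
echo currentStyle(['cssfile' => 'notallowed.css']), PHP_EOL;
```

Run from the command line the script simply prints the tags and names; under a web server the first request carries a Set-Cookie header and the second request is where the chosen style first appears, which is the "available on the subsequent page request" behaviour described above.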
Persistence – Cookie Summary

Cookies are great for the ‘nice’ features
Do not rely on them
 Not even in closed environments
They are stored on the client
 Not stored securely
 Sent with each page request
 Can be transmitted securely
Persistence - Sessions

Sessions are stored on the server
Exist from the time a user starts to use your application to the time they finish
 Or you programmatically end the session (logout)
Sessions are very simple to use
 PHP4 has built in functionality for sessions
Sessions – in use

Call the function session_start(); before any output is sent to the browser
The $_SESSION array is used to store session variables
Adding values to $_SESSION will automatically persist those values at the server side
Sessions – in use

<?php
session_start();
$_SESSION["uname"] = "tja1";
?>
Subsequent page access
<?php
session_start();
echo $_SESSION["uname"];
// prints "tja1"
?>
Sessions – Why use them?

Store more complex data, such as arrays, easily
Data is never involved in a round trip
In some ways, more secure
 Although has security issues of a different nature
 Well out of the scope of this module
Sessions - Summary

Persistent data
 Maintained on the server
 Needs to be initialised before output
 Allows the programmer to implement complex application functionality
 Probably the best choice to facilitate logins
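A login built on $_SESSION, as an added example that is not code from the original slides, to show the use the summary recommends. The functions login(), currentUser() and logout(), and the constructed $users table, are assumptions for the illustration; the code assumes PHP 7.1 or later for the return types. Two habits are shown that the slides leave out of scope: the password is compared against a hash with password_verify(), and session_regenerate_id() is called after a successful login so the session id issued before authentication is not the one that identifies the logged-in user.

```php
<?php
// Added example (not from the original slides): a minimal login kept in
// $_SESSION. Function names and the $users table are assumptions; a real
// application would look the user up in a database.

// Constructed user store: the stored value is a hash, never the password.
$users = ['tja1' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function ensureSession(): void
{
    // session_start() must run before any output and only once per request.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

function login(array $users, string $uname, string $password): bool
{
    ensureSession();
    if (!isset($users[$uname]) || !password_verify($password, $users[$uname])) {
        return false;
    }
    // A fresh session id after login: whatever id the browser held before
    // authenticating no longer refers to the logged-in session.
    session_regenerate_id(true);
    $_SESSION['uname']    = $uname;   // persisted on the server automatically
    $_SESSION['login_at'] = time();
    return true;
}

function currentUser(): ?string
{
    ensureSession();
    return $_SESSION['uname'] ?? null;
}

function logout(): void
{
    ensureSession();
    $_SESSION = [];        // drop the server-side data for this session
    session_destroy();     // end the session programmatically
}

// Usage. All session work is done before anything is printed, because
// session_start() and session_regenerate_id() send headers. From the
// command line no cookie travels between calls; under a web server the
// session id would be carried by the browser from request to request.
$wrongPassword = login($users, 'tja1', 'wrong');
$loggedIn      = login($users, 'tja1', 'correct horse battery staple');
$userNow       = currentUser();
logout();
$userAfter     = currentUser();

var_dump($wrongPassword, $loggedIn, $userNow, $userAfter);
```

The sequence exercises the whole lifetime described on the sessions slides: the session is started before output, a value placed in $_SESSION is available on later calls, and the session is ended programmatically by logout(), after which the username is gone.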
Topics covered - summary

Basic Persistence
 Query Strings
 Hidden form elements
Cookies
 Client side storage
 Sent on every page request
 Not secure
 Access using $_COOKIE
Sessions
 Server side variable storage
 Accessed using $_SESSION
 Avoids the client side storage
 Still suffers from server side attacks
Resources

Use the PHP web site
 Search for time
 Search for session_start
 Search for setcookie