This page contains my general comments on your solutions. Also visit Lasse's instructor site for his comments.
If you have any questions please ask in class, try the newsgroup or email me.
You must handle malicious user input such as HTML or JavaScript entered by the user in the web page comments assignment.
There are two main strategies for doing so: either when inserting data (prevent malicious data from being inserted, e.g. by rejecting strings containing < or > characters) or by applying the htmlentities function when displaying the data (it converts any HTML characters to harmless entities that the client does not interpret as HTML).
If you ignore this, an evil-minded user can totally mess up your comments display page, redirect the visitor to his own web page - or do whatever.
All of the above should be considerations when you perform your input validation. Consider all input hostile until proven otherwise and code accordingly.
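Here is an added example (my own illustration, not one of the hand-ins or the course listings) of the two strategies side by side. The $comments and $submitted arrays are constructed sample data standing in for rows from the comments table and for the contents of $_POST after a submit; the function names comment_is_acceptable and h are my own.

```php
<?php
// Added example, not code from the course page: the two strategies from the
// notes for handling HTML or JavaScript typed into the comments form.
// $comments and $submitted are constructed sample data standing in for rows
// from the comments table and for the contents of $_POST after a submit.
error_reporting(E_ALL);

// Strategy 1: reject at insertion time. Returns false if the text contains a
// '<' or '>' character, so no markup ever reaches the table (blunt, but simple).
function comment_is_acceptable($text)
{
    return strpos($text, '<') === false && strpos($text, '>') === false;
}

// Strategy 2: escape at display time. ENT_QUOTES also converts single quotes,
// which matters if a value is ever placed inside an HTML attribute, and the
// charset must match the one the page is served with.
function h($value)
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

$comments = array(
    array('name' => 'Alice', 'text' => 'Nice recipe, thanks!'),
    // A hostile comment: printed raw, the browser would execute the script and
    // render the link; through h() it is shown as literal text instead.
    array('name' => '<script>alert("x")</script>',
          'text' => 'Visit <a href="http://example.com/">my page</a>'),
);

$submitted = array('name' => 'Bob', 'text' => 'Try <b>bold</b>?');
$accepted  = comment_is_acceptable($submitted['text']);   // false: contains '<'
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Comments</title></head>
<body>
<p>New comment from <?php echo h($submitted['name']); ?>
   was <?php echo $accepted ? 'accepted' : 'rejected'; ?> by strategy 1.</p>
<?php foreach ($comments as $comment): ?>
  <p><b><?php echo h($comment['name']); ?></b> wrote:<br>
     <?php echo h($comment['text']); ?></p>
<?php endforeach; ?>
</body>
</html>
```

Note that strategy 1 alone is not enough if you later display data that came from somewhere else (another script, a database import), so escaping on output is the habit worth keeping even when you also reject on input.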
$_SERVER['HTTP_REFERER']
As some of you found out, the PHP pre-defined variable $_SERVER['HTTP_REFERER'] contains the address/URL of the page (if any) which referred the user agent to the current page. This you could have used instead of manually passing the URL as a parameter to the script.
Do note that $_SERVER['HTTP_REFERER'] can be manipulated, but so can the manual approach (and all other HTTP headers, by the way).
PRIMARY KEY
Remember to create a PRIMARY KEY for all of your tables. The PRIMARY KEY uniquely identifies each record in the table. Below I've listed the PRIMARY KEYs for the tables used in problem A:
itu_courses : PRIMARY KEY(course_ID)
itu_persons : PRIMARY KEY(person_ID)
itu_courseresponsibility : PRIMARY KEY(course_ID, person_ID, semester)
Notice in the case of itu_courseresponsibility how a PRIMARY KEY can consist of multiple columns.
The patterns below are sample solutions for problem A (they were shown applied to each of the example strings in problem A, with the return value of ereg in the output).
^[[:alpha:]]+$
^[[:alpha:]][[:alnum:]]*$
^[[:alpha:]][[:alnum:]_]*$
^[[:alnum:][:space:]'-]+$
^(0|[1-9][0-9]*)$
^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$
Often in programming languages you'll find multiple ways of achieving/expressing the same thing. This holds for PHP as well. Here is an example of array creation. All methods below create an array called $my_array using sequential integers as indexes - only the syntax differs. I would prefer method 1 or 3 (they are the shortest of their kind) - but it's all up to you.
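As an added illustration of the problem A patterns above (my own code, not the course's output page), here they are applied to a handful of constructed sample strings. It uses preg_match instead of ereg, since ereg was removed in PHP 7; PCRE accepts the same POSIX bracket classes inside [...], so the patterns only gain delimiters. The D modifier is added because, unlike ereg, PCRE's $ otherwise also matches just before a trailing newline, which would let "42\n" pass the integer check. The labels and sample strings are my assumptions.

```php
<?php
// Added example, not from the course page: the six problem A patterns run with
// preg_match(). The D (dollar-end-only) modifier makes $ match only at the very
// end of the string, as ereg's $ did. Sample strings are constructed.
error_reporting(E_ALL);

$patterns = array(
    'letters only'         => '/^[[:alpha:]]+$/D',
    'identifier, no _'     => '/^[[:alpha:]][[:alnum:]]*$/D',
    'identifier, with _'   => '/^[[:alpha:]][[:alnum:]_]*$/D',
    'name'                 => '/^[[:alnum:][:space:]\'-]+$/D',
    'non-negative integer' => '/^(0|[1-9][0-9]*)$/D',
    'e-mail, rough'        => '/^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$/D',
);

// preg_match() returns 1 on a match, 0 on no match and false on a pattern
// error, so compare against 1 explicitly rather than trusting truthiness.
function matches($pattern, $string)
{
    return preg_match($pattern, $string) === 1;
}

$samples = array('apple', 'x1', 'x_1', "O'Brien Smith", '0', '007', '42',
                 "42\n", 'a@b.c', 'a b@c.d', '');

foreach ($patterns as $label => $pattern) {
    echo str_pad($label, 22), ' ', $pattern, "\n";
    foreach ($samples as $s) {
        // json_encode() shows the newline in "42\n" as an escape instead of a
        // line break, which keeps the table readable.
        printf("    %-18s %s\n", json_encode($s),
               matches($pattern, $s) ? 'match' : 'no match');
    }
}
```

Running it shows, for instance, that '007' fails the integer pattern (leading zeros are not allowed by (0|[1-9][0-9]*)), that "42\n" fails only because of the D modifier, and that 'a b@c.d' fails the e-mail pattern because [:space:] is excluded from every part.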
As written in my comments for set 2, you should really use the PHP isset or empty functions as part of your input validation. Never try to access a variable that you've not first tested with isset or empty.
Below you'll find two examples of when and how to use isset. Notice the first line error_reporting(E_ALL);. This will make PHP complain about you accessing undefined variables. Consider leaving this line in your own scripts (to make up for the very forgiving PHP configuration at ITU).
When you create functions, define them either at the top or at the bottom of the PHP script (or in a separate file that you require). It will make your code more readable and easier to maintain if you only have function calls (and not definitions) in the HTML. In general you should try to separate your PHP logic from the HTML code.
Variables submitted by the user through forms should be accessed via the PHP pre-defined superglobal arrays $_POST, $_GET or $_REQUEST (depending on the method in your form).
There are various reasons why this is a good idea. The most important is to clearly separate variables being sent to the script from variables defined in the script. Another reason for using the superglobal arrays is that in current PHP versions (and out-of-the-box configurations) variables can ONLY be fetched from the arrays. If you don't use them, chances are that your script will not work outside the ITU server.
Example of usage: say you have a form with method get and an input tag with name 'foo'. This is the variable you want to read on your PHP page. It should be accessed via $_GET['foo'] or $_REQUEST['foo'], not just $foo.
Before you use variables sent to the script by the user, they MUST be validated. That is, you must make sure they contain whatever you expect them to contain - before actually using them.
There are numerous ways to validate input, depending on the context. But usually you must first check if the variable has been defined (if the variable exists), and then check whether the content of the variable makes sense. Here is an example of how to validate the number of persons variable (from the user form) in the apple pie recipe example (problem D):
Below is another (much shorter and a little bit more exotic) way to implement it. In this version we simply make sure that the variable is valid (no feedback to the user if the input is not valid; we just convert it to 1 person). Also we use a short-hand if/else structure called the ternary operator.
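The following is an added example of my own (not the set2_1.php/set2_2.php listings or any hand-in) that pulls together the points from the isset, function placement, superglobal and validation comments above: error_reporting(E_ALL) at the top, functions defined before the HTML, the number of persons read from $_GET with isset, validated before use, and both the long form and the ternary short form. The field name 'persons', the 1-100 limit and the ingredient amounts are assumptions for the illustration.

```php
<?php
// Added example, not the course's own listings: the apple pie form with
// validation done before use, functions at the top and only calls in the HTML.
// Field name 'persons', the range limit and the ingredients are assumptions.
error_reporting(E_ALL);

// Long form: returns the validated number of persons as an int, or an error
// message (string) when the value is missing or makes no sense.
function persons_from_request(array $request)
{
    if (!isset($request['persons']) || $request['persons'] === '') {
        return 'Please enter the number of persons.';
    }
    $value = $request['persons'];
    // ctype_digit() accepts only the characters 0-9, so "12abc", "-3", "1.5"
    // and " 4" are all rejected before the value is used for anything.
    if (!ctype_digit($value)) {
        return 'The number of persons must be a whole number.';
    }
    $persons = (int) $value;
    if ($persons < 1 || $persons > 100) {
        return 'Please choose between 1 and 100 persons.';
    }
    return $persons;
}

// Short form with the ternary operator: no feedback, silently uses 1 person.
function persons_or_default(array $request)
{
    return (isset($request['persons']) && ctype_digit($request['persons'])
            && (int) $request['persons'] >= 1) ? (int) $request['persons'] : 1;
}

// One ingredient line, scaled and escaped for output.
function ingredient_line($name, $amount_per_person, $unit, $persons)
{
    $line = sprintf('%s: %s %s', $name, $amount_per_person * $persons, $unit);
    return htmlentities($line, ENT_QUOTES, 'UTF-8');
}

// In the web server $_GET holds the form values; the constructed fallback
// lets the script run from the command line as well.
$request = isset($_GET['persons']) ? $_GET : array('persons' => '4');
$result  = persons_from_request($request);
$persons = is_int($result) ? $result : null;
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Apple pie</title></head>
<body>
<form method="get" action="">
  Persons: <input type="text" name="persons"
           value="<?php echo $persons === null ? '' : $persons; ?>">
  <input type="submit" value="Scale recipe">
</form>
<?php if ($persons === null): ?>
  <p><?php echo htmlentities($result, ENT_QUOTES, 'UTF-8'); ?></p>
<?php else: ?>
  <ul>
    <li><?php echo ingredient_line('Apples', 1.5, 'pcs', $persons); ?></li>
    <li><?php echo ingredient_line('Sugar', 25, 'g', $persons); ?></li>
    <li><?php echo ingredient_line('Flour', 40, 'g', $persons); ?></li>
  </ul>
  <p>(The short form would give <?php echo persons_or_default($request); ?> persons.)</p>
<?php endif; ?>
</body>
</html>
```

With no form value the script falls back to 4 persons; with persons=abc it prints the error message instead of the list, and at no point is $_GET['persons'] used in arithmetic before it has passed isset and ctype_digit.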
If you're getting familiar with HTML now, you should try and make your HTML pages W3C compliant. That is make sure that your pages comply with the HTML standards.
You can use the online W3C service for checking your markup - a free service that checks documents like HTML and XHTML for conformance to W3C Recommendations and other standards.
Write all tags and attributes (href=, class= etc.) using lowercase (small letters). Modern HTML standards like XHTML 1.0 require this.
They are (usually) not capable of generating compliant HTML code.
They will mess up your PHP code.
You need to have a solid understanding of HTML to create PHP applications for the web.
You need to have a solid understanding of HTML to pass this course.
Problem D can be written like: <?php echo "The date is:<br>" . date("j. M. Y"); ?>
Please don't pollute your HTML code with unnecessary presentational tags and attributes.
If you want to style/format your HTML, you should use cascading style sheets (CSS) (from an external .css file that you do not include in your hand-in).
PHP is documented very well. The documentation is available on the Internet in HTML format. You can look up functions in the manual quickly: http://dk.php.net/<name_of_function_goes_here>
No comments on this set.