Reading and printing in Php

Kon-Tiki

Reading and printing in Php

Post by Kon-Tiki »

I'm studying php and got stuck at a thing as simple as a guestbook. I can get the input and store it to a .txt-file, but I don't know how to access the file and show all the inputs. I've looked through w3schools.com, an e-book I have and the php-site itself, but can't find anything that might help :-\
BI lazy

Re:Reading and printing in Php

Post by BI lazy »

That's a simple task, provided you have concatenated the fields of each entry with some special char combo like && or ||. In PHP it is nothing more than:

<?php
// Fields of one entry, joined with a separator that should not occur in the data,
// plus a newline so that one entry is one line of the file.
$entry = $nomen . "||" . $est . "||" . $omen . "||" . $text . "\n";

// Open the file for appending ("a" means append) and write the entry.
$fd = fopen("guestbook", "a");
fwrite($fd, $entry);
fclose($fd);

// Now read the contents back, one line (= one entry) at a time.
$fd = fopen("guestbook", "r");
while (($line = fgets($fd, 1024)) !== false) { // read until EOF, max 1024 chars per line
    // Now comes the interesting part: split the line back into its fields.
    $entries = explode("||", rtrim($line, "\n"));
    // The fields are available by index:
    $nomen = $entries[0];
    $est   = $entries[1];
    $omen  = $entries[2];
    $text  = $entries[3];
    // Here it is up to you to perform some processing ...
}
fclose($fd);

I hope this is of some help; my PHP is a little bit rusty *g*
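The separator approach above breaks as soon as a visitor types "||" or a line break into a field: the next read splits the entry in the wrong place. The following is an added example (not code from the thread) of a guestbook store that survives that, keeping one JSON object per line so the encoder escapes newlines and quotes, and locking the file while appending so two simultaneous posts cannot interleave. The field names and the temporary file path are assumptions for the demo.

```php
<?php
// Added example (not from the thread): a guestbook store whose parsing cannot be
// broken by the text a visitor submits. Each entry is one JSON object per line;
// json_encode() escapes newlines and quotes, so neither a "||" nor a line break
// inside a message can masquerade as a record separator.
// Field names and the file path below are assumptions for the demo.

declare(strict_types=1);

function guestbook_append(string $path, array $fields): void
{
    // Only keep the fields we know about; drop anything else the form might send.
    $record = [
        'name'  => (string)($fields['name'] ?? ''),
        'email' => (string)($fields['email'] ?? ''),
        'text'  => (string)($fields['text'] ?? ''),
        'time'  => gmdate('c'),
    ];
    $line = json_encode($record, JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE) . "\n";
    // FILE_APPEND + LOCK_EX: two visitors posting at once cannot interleave bytes.
    if (file_put_contents($path, $line, FILE_APPEND | LOCK_EX) === false) {
        throw new RuntimeException("cannot write $path");
    }
}

function guestbook_read(string $path): array
{
    if (!is_file($path)) {
        return [];
    }
    $entries = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES) as $n => $line) {
        if ($line === '') {
            continue;
        }
        $record = json_decode($line, true);
        // A corrupt or hand-edited line is reported, not silently misparsed.
        if (!is_array($record)) {
            error_log("guestbook: skipping malformed line " . ($n + 1));
            continue;
        }
        $entries[] = $record;
    }
    return $entries;
}

// Demo on a temporary file with a message that contains both the old "||"
// separator and a line break (constructed input).
$path = tempnam(sys_get_temp_dir(), 'gb');
guestbook_append($path, ['name' => 'Kon-Tiki', 'email' => 'k@example.invalid',
                         'text' => "hello||world\nsecond line"]);
guestbook_append($path, ['name' => 'Eero', 'email' => '', 'text' => 'hi']);

$entries = guestbook_read($path);
if (count($entries) !== 2 || $entries[0]['text'] !== "hello||world\nsecond line") {
    throw new LogicException('round trip failed');
}
foreach ($entries as $e) {
    printf("%s <%s> at %s: %s\n", $e['name'], $e['email'], $e['time'], $e['text']);
}
unlink($path);
```

The values come back out exactly as they went in, including the "||" and the embedded newline, because the record boundary is the JSON line and not a character the visitor can type. Displaying them still needs HTML escaping at output time; that is a separate step from storage.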
BI lazy

Re:Reading and printing in Php

Post by BI lazy »

Before you get lost in tons of websites about how to output the stuff:

echo "xxx".$var; after the retrieval of the line does the trick quite fine. You will want to put this stuff in a table? Have echo output the tags too. Open the table tag before the while loop and close it afterwards: ?><table><?php before the loop, and the corresponding closing tag after it.
Kon-Tiki

Re:Reading and printing in Php

Post by Kon-Tiki »

Wooo! It works! Got a lot of help from Eero on little tidbits I wouldn't have learned about otherwise. My code is here.
AGI1122

Re:Reading and printing in Php

Post by AGI1122 »

With a script like this you need to make sure that you clean up the input to ensure it doesn't have HTML in it. Otherwise people would be able to hack your site.
Kon-Tiki

Re:Reading and printing in Php

Post by Kon-Tiki »

Yeah, Eero told me about it, but we couldn't get the code to work ::) Another thing that's lacking is IP-logging in the .txt-file without showing it online, or showing it as stars, but that's way too advanced for me at the moment.
AGI1122

Re:Reading and printing in Php

Post by AGI1122 »

Use the function htmlspecialchars() to remove the HTML.

An example of its use:
$_POST['user'] = htmlspecialchars($_POST['user']);

It will turn HTML into entities, which makes it safe from JavaScript and HTML being executed.
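What htmlspecialchars() does depends on its flags, and the one-argument call above uses the defaults. Before PHP 8.1 the default was ENT_COMPAT, which leaves single quotes untouched, so a value placed inside a single-quoted attribute could still break out. The following is an added example (not code from the thread) that renders guestbook entries into the table discussed earlier, escaping every user-controlled value at output time with the flags spelled out, and shows the difference the flags make. The entry field names and the hostile inputs are constructed for the demo.

```php
<?php
// Added example (not from the thread): escaping guestbook fields when they are
// written into HTML. Escaping happens at output time, with the flags explicit,
// because htmlspecialchars() with ENT_COMPAT (the default before PHP 8.1)
// leaves single quotes alone, which is not enough inside a single-quoted
// attribute. Entry field names are assumptions for the demo.

declare(strict_types=1);

// Escape for an HTML text node or a quoted attribute value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// One table row per entry; every user-controlled value passes through h().
// nl2br() runs after h(), so the <br> it inserts is the only markup in the cell.
function render_rows(array $entries): string
{
    $out = "<table>\n";
    foreach ($entries as $e) {
        $out .= sprintf(
            "<tr><td title='%s'>%s</td><td>%s</td><td>%s</td></tr>\n",
            h($e['email']), h($e['name']), h($e['time']), nl2br(h($e['text']))
        );
    }
    return $out . "</table>\n";
}

// Constructed hostile input: a script in the message and a quote in the e-mail
// field aimed at the single-quoted title attribute above.
$entries = [[
    'name'  => 'Mallory',
    'email' => "x' onmouseover='alert(1)",
    'time'  => '2006-10-18T09:01:00Z',
    'text'  => "<script>alert(document.cookie)</script>\nnice site",
]];

echo render_rows($entries);

// Why the flags matter: with ENT_COMPAT the quote survives, so the attribute
// value ends early and the rest of the input becomes a new event-handler attribute.
$weak   = htmlspecialchars($entries[0]['email'], ENT_COMPAT, 'UTF-8');
$strong = h($entries[0]['email']);
echo "ENT_COMPAT: title='$weak'\n";
echo "ENT_QUOTES: title='$strong'\n";
```

Run it and compare the last two lines: the ENT_COMPAT version keeps the visitor's quote and so produces a working onmouseover attribute, while the ENT_QUOTES version turns it into the &apos; entity. Escaping at output time, rather than before storing as in the thread, also keeps the stored text usable for other purposes (a plain-text mail, a JSON API) that need different escaping.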
Eero Ränik

Re:Reading and printing in Php

Post by Eero Ränik »

Yeah, we should've added htmlspecialchars(); back after deleting the whole line to fix a bug... :P
Anyway, the most simple way to log IPs is to use a different TXT-file.
Getting an IP-address:

if (getenv("HTTP_X_FORWARDED_FOR")) {
    $ipaddress = getenv("HTTP_X_FORWARDED_FOR");
} else {
    $ipaddress = getenv("REMOTE_ADDR");
}

or a shorter one:

$ipaddress = (getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR"));

Don't forget to log the date and time, otherwise there's no use in logging IPs. You could also add date and time to the main page, since there's no use in hiding them.
Anyway, there are lots of things you could do with your guest book. Like adding special tags (like YABBC tags), smilies, removing strong language from a post, IP-banning and stuff...
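One caveat a practitioner would add to the snippet above: HTTP_X_FORWARDED_FOR is an ordinary request header, so any visitor can set it to whatever they like, and taking it unconditionally lets them choose what ends up in the IP log. It is only meaningful when the request actually arrived through a proxy you run, whose address you know from REMOTE_ADDR. The following is an added example (not code from the thread) that applies that rule, validates the result as an IP address, and builds the timestamped log line the post asks for with line breaks stripped so a visitor cannot forge extra log entries. The trusted proxy address and the request arrays are constructed for the demo.

```php
<?php
// Added example (not from the thread): choosing the client address for the IP
// log. REMOTE_ADDR comes from the TCP connection; X-Forwarded-For is client
// supplied unless it was appended by a proxy we trust. The trusted proxy list
// and the sample requests are assumptions for the demo.

declare(strict_types=1);

/**
 * Return the address to log. $server is $_SERVER (or a copy for testing);
 * $trustedProxies lists the addresses of your own reverse proxies.
 */
function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;   // direct connection: the socket peer is the client
    }
    // Behind our proxy: walk X-Forwarded-For from the right. Each trusted hop
    // appended the address it saw, so the first untrusted address from the
    // right is the client; everything left of it was supplied by the client.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (in_array($hop, $trustedProxies, true)) {
            continue;
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
            return $hop;
        }
        break;   // garbage in the header: fall back to the proxy's address
    }
    return $remote;
}

/** One log line: UTC time, address, then the message with line breaks removed. */
function ip_log_line(string $ip, string $message, string $time): string
{
    $clean = preg_replace('/[\r\n]+/', ' ', $message);
    return sprintf("%s %s %s\n", $time, $ip, $clean);
}

// Constructed requests: a direct visitor who forged the header, and a request
// that came through our proxy at 10.0.0.2 with a client-supplied first entry.
$trusted = ['10.0.0.2'];
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.2',    'HTTP_X_FORWARDED_FOR' => 'fake, 198.51.100.9'];

foreach ([$direct, $proxied] as $req) {
    $ip = client_ip($req, $trusted);
    echo ip_log_line($ip, "guestbook post by Kon-Tiki\r\nforged second line", gmdate('c'));
}
```

For the direct request the forged 127.0.0.1 is ignored and 203.0.113.7 is logged; for the proxied one the rightmost entry 198.51.100.9 is taken and the client-written "fake" never reaches the log. Writing the line should use the same FILE_APPEND | LOCK_EX pattern as any other log file.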
Neo

Re:Reading and printing in Php

Post by Neo »

A related question.....
i was wondering about access rights for PHP scripts.
Do you keep the scripts in a folder with 'execute' only rights?
or does it have to have the 'read' rights enabled too?
How can security be improved when using PHP scripts?
Only Human
AGI1122

Re:Reading and printing in Php

Post by AGI1122 »

Well, for security... make sure to code your scripts so that they work with register_globals turned off in PHP.

If you are working with a database, make sure to escape all data to ensure they can't poison the query.

And never print out any data inputted by a user unless you remove HTML from it.

Make sure to initialize variables before you use them.

As for permissions, you can in most cases leave the chmods the way they are unless you have a host that requires you to chmod them to be executable. And yes, it has to have read and execute rights.
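The register_globals and initialise-your-variables points above are the same bug seen from two sides: a flag that is only assigned on the success path can be pre-set by the request. register_globals was removed in PHP 5.4, but extract() on a request array reproduces the hazard exactly, so the following added example (not code from the thread) uses it to show the failure and the fix. The $isAdmin flag, the user table and the credentials are constructed for the demo.

```php
<?php
// Added example (not from the thread): why uninitialised variables were
// dangerous under register_globals. extract($request) stands in for
// register_globals, which PHP 5.4 removed. The flag name, the user table and
// the credentials are assumptions for the demo.

declare(strict_types=1);

// Vulnerable: $isAdmin is only assigned on the success path, so a request that
// plants it (here via extract(), historically via register_globals) wins.
function check_admin_vulnerable(array $request, array $users): bool
{
    extract($request);                       // ?isAdmin=1 becomes $isAdmin
    $u = $request['user'] ?? '';
    if (isset($users[$u]) && $users[$u] === ($request['pass'] ?? null)) {
        $isAdmin = true;
    }
    return !empty($isAdmin);                 // otherwise: whatever the request planted
}

// Fixed: initialise first, and read input only from the explicit request array.
function check_admin(array $request, array $users): bool
{
    $isAdmin = false;
    $user = (string)($request['user'] ?? '');
    $pass = (string)($request['pass'] ?? '');
    if (isset($users[$user]) && hash_equals($users[$user], $pass)) {
        $isAdmin = true;
    }
    return $isAdmin;
}

$users  = ['admin' => 'correct horse battery staple'];   // constructed credentials
$forged = ['user' => 'nobody', 'pass' => 'wrong', 'isAdmin' => '1'];

var_dump(check_admin_vulnerable($forged, $users));
var_dump(check_admin($forged, $users));
```

With the forged request the first function returns true, because the planted $isAdmin survives the failed check, and the second returns false. The fix is not just the initialisation: reading input only from $_POST / $_GET (here the $request array) means a request can never name one of your local variables.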
Neo

Re:Reading and printing in Php

Post by Neo »

Chris Cromer wrote: If you are working with a database, make sure to escape all data to ensure they can't poison the query.
What does escape all data mean?
Chris Cromer wrote: And never print out any data inputted by a user unless you remove HTML from it.
Do you mean parsing it char by char?

Sorry but i'm a total newbee here. :)
Only Human
AGI1122

Re:Reading and printing in Php

Post by AGI1122 »

Alright, here is an example MySQL query which has a variable inputted by a user:

UPDATE table_name SET username='$_POST[name]' WHERE (username='AGISCI');

This query is to change the username, but unfortunately you can cause something extremely bad to happen because $_POST[name] isn't cleaned up.

Now if I were to put my name as this:

AGISCI',group='Administrator

It would turn my account into an Administrator account!

The solution is to escape the variable to make sure it isn't poisoned, like so.

To remedy this problem I would do this to the variable:

$_POST['name'] = htmlspecialchars($_POST['name']);
$_POST['name'] = addslashes($_POST['name']);

Now, the first line would remove all HTML from the variable and turn it into entities. The second line would escape the variable to ensure it can't be poisoned when put in a MySQL query.

Using addslashes on that input would turn it into this:

AGISCI\',group=\'Administrator

Those slashes are known as escaping. With those slashes there, the ' is not the end of the string.

Also, something I just thought of that you need to be careful of: if you have any code that opens, reads, or writes files based on user input, make sure the user input does not contain a period or a slash. With those they could hijack the file system and open/read/write any file anywhere on the computer.
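Two things worth seeing run from the post above. First, the injection itself: the same UPDATE executed with the value pasted into the SQL text, and then as a prepared statement, where the value travels separately from the SQL and no addslashes() is needed (addslashes is not a reliable defence; it knows nothing about the connection's character set). Second, the file-path point: rather than forbidding periods and slashes, resolve the path and require it to stay inside the directory you intended. The following is an added example (not code from the thread) using PDO with an in-memory SQLite database, which ships with PHP. The column is named role instead of group, because GROUP is an SQL keyword; the table, directory and file names are assumptions for the demo, and the payload is the one from the post with that column renamed.

```php
<?php
// Added example (not from the thread): the post's UPDATE run two ways against
// an in-memory SQLite database via PDO, then a path-confinement helper for the
// file-access point. The column is "role" rather than "group" (GROUP is an SQL
// keyword); table, column, directory and file names are assumptions.

declare(strict_types=1);

function fresh_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users VALUES ('AGISCI', 'Member')");
    return $pdo;
}

// Vulnerable: the value is pasted into the SQL text, exactly as in the post.
function rename_vulnerable(PDO $pdo, string $newName): void
{
    $pdo->exec("UPDATE users SET username='$newName' WHERE (username='AGISCI')");
}

// Fixed: a prepared statement sends the value separately from the SQL text, so
// a quote inside it can never close the string literal.
function rename_safe(PDO $pdo, string $newName): void
{
    $stmt = $pdo->prepare("UPDATE users SET username = :name WHERE username = 'AGISCI'");
    $stmt->execute([':name' => $newName]);
}

function dump_users(PDO $pdo): string
{
    $rows = $pdo->query('SELECT username, role FROM users')->fetchAll(PDO::FETCH_ASSOC);
    return json_encode($rows);
}

$payload = "AGISCI',role='Administrator";   // the post's payload, column renamed

$db = fresh_db();
rename_vulnerable($db, $payload);
echo "vulnerable: ", dump_users($db), "\n";

$db = fresh_db();
rename_safe($db, $payload);
echo "prepared:   ", dump_users($db), "\n";

// File paths: resolve the request and require the result to stay inside the
// guestbook directory. basename() drops any directory part the visitor sent;
// realpath() resolves ".." and symlinks, and returns false for a missing file.
function guestbook_file(string $baseDir, string $requested): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException("no such directory: $baseDir");
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("refusing to open '$requested'");
    }
    return $candidate;
}

$dir = sys_get_temp_dir() . '/gbdemo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/guestbook.txt", "ok\n");
echo guestbook_file($dir, 'guestbook.txt'), "\n";
foreach (['../../etc/passwd', 'missing.txt'] as $bad) {
    try {
        guestbook_file($dir, $bad);
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}
unlink("$dir/guestbook.txt");
rmdir($dir);
```

The first dump shows the role changed to Administrator: the pasted value closed the string and added a second assignment, which is the attack described in the post. The second dump shows the username set to the literal payload text and the role untouched. For the file helper, the traversal attempt and the unknown name are both refused; the only file it will ever return is one that already exists inside the guestbook directory.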
Kon-Tiki

Re:Reading and printing in Php

Post by Kon-Tiki »

Added those safety lines (anti-HTML and anti-slashes) and IP-logging in a different file (along with logging the message, sender and e-mail address in that different file too) and a timestamp on both. I don't really understand the IP-logging code Eero showed (I used the second because it was fewer lines, but as I'm trying to fully understand the code as I use it, I'll have to see how it works or remove it).
Now another security problem has arisen, but it's not PHP-like. That txt-file with the IPs logged is chmodded 777, but as I forgot all about chmod, I forgot how to change it so that the PHP script can write to it and that I myself can write and see it, but nobody else can even see it. It'd defeat the purpose of using a different file for logging the IP if everybody could just open that file :-\

Oh, and the code now: Here-o. Next step: a bar with emoticons that'll add the one you click on (like on boards) ;D
Candy

Re:Reading and printing in Php

Post by Candy »

Kon-Tiki wrote: Now another security problem has arisen, but it's not PHP-like. That txt-file with the IPs logged is chmodded 777, but as I forgot all about chmod, I forgot how to change it so that the PHP script can write to it and that I myself can write and see it, but nobody else can even see it. It'd defeat the purpose of using a different file for logging the IP if everybody could just open that file :-\
Make the owner you, the group the group of the PHP daemon, and chmod it 620 (the first number is you: 4=read, 2=write, 1=execute; the second is the group; the third is the world. This means you read/write, the group writes and the world doesn't touch it).

Note that root can still view it anyway :)
Eero Ränik

Re:Reading and printing in Php

Post by Eero Ränik »

Those IP-logging codes were the same; the second just used a bit more professional way of writing if...else statements.
Basically, it just checks if the environment variable HTTP_X_FORWARDED_FOR has a value (in case the user uses a proxy server or is behind a router). If it doesn't, $ipaddress will have the value of REMOTE_ADDR (which is the IP address of the user; if we don't check for forwarding, it could also be the proxy or the router).
The easiest way of doing smilies:
First, the Javascript part.

<script>
function add(smiley) {
    document.forms['formname'].comment.value += smiley;
    document.forms['formname'].comment.focus();
}
</script>
In your case, the form must have a name attribute.


<form name="formname" action="test.php" method="POST">
Then add a line


$_POST['comment'] = str_replace(":)","<img src='smiley.gif'>",$_POST['comment']);
after the line with htmlspecialchars. Change it according to the smilies you want to add.
Now, to insert a smiley, you can use this:


<a href="javascript:add(':)')"><img src="smiley.gif" border="0"></a>
Words 'Java' and 'Script' should be together, the board separates them...