Tag: PHP Links

Welcome to BrownPHP

Welcome to BrownPHP! If this is your first time visiting the site, please make yourself welcome. I made a quick video to go through some of the features of the site, like the BrownPHP code repository and the book review section. Check the video out and let me know what you think.

This is the first screencast that I did, and it was done in a very short amount of time. I'm just playing with the idea of making more screencasts in the future, possibly to run through code and other things like that.

Like I said, this screencast is the first I tried. I’ll most likely redo this in the future so that it is a little more professional, and possibly without all that uh – um, haha. Let me know if there is anything that you would like to see a screencast about in the future.


Use PHP to Twitter Your Tweets

I recently got an email from a reader asking me if I could help them with a small script to post updates to a Twitter account using PHP. I figured this might be something that a few others might be interested in, so I decided to post about it.

As most of you know, there are a multitude of options when deciding how to Tweet to Twitter. If you would like to add this functionality to your site so that you don't have to download an application to your computer or visit another site, this might be something you would like.

Using the simple script below, you can post updates to Twitter. Please BE ADVISED: this script needs to be altered to run, and it needs some extra code to add your desired functionality.

<?php
$username = 'myUserName';
$password = 'myPassword';
$status = urlencode(stripslashes(urldecode('This is a new Tweet!')));

if ($status) {
    // The username and password travel with this request as HTTP Basic
    // credentials, so the request goes over HTTPS rather than plain HTTP.
    $tweetUrl = 'https://www.twitter.com/statuses/update.xml';

    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $tweetUrl);
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 2);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_POST, 1);
    curl_setopt($curl, CURLOPT_POSTFIELDS, "status=$status");
    curl_setopt($curl, CURLOPT_USERPWD, "$username:$password");

    // curl_exec() returns false on a transport error.
    $result = curl_exec($curl);
    $resultArray = curl_getinfo($curl);

    if ($result !== false && $resultArray['http_code'] == 200) {
        echo 'Tweet Posted';
    } else {
        echo 'Could not post Tweet to Twitter right now. Try again later.';
    }

    curl_close($curl);
}

Needed Alterations:

  • Change $username to YOUR username
  • Change $password to YOUR password
  • Edit $status to the Tweet that you want posted.

Code to Add:

  • Some HTML to Tweet dynamically. For example: use a form like the one below and have $_POST['new_tweet'] update the $status variable.
  • More Filtering: It would probably be a good idea to add some more filtering to the status so that you can't just post a blank status, etc. (I could add that easily, but then where would be your opportunity to learn!)
  • Use OOP Practices: Creating a Twitter Class out of the procedural code above would make it much more modular for you in the future. (Again, better for you to do this yourself. Feel free to contact me with any questions.)
  • Add Some Javascript: Adding some Javascript that counts the number of characters in the Tweet field would be handy to have for your visitors.

Try it out for yourself (Your Twitter Username and Password are NOT being recorded):

Tweet from BrownPHP

Username:

Password:

Tweet:

Tweet from BrownPHP if you would like to test it out for yourself. You can also just copy this code and make the necessary changes. I just wanted to give a small example to give you an idea of what you can do. Let me know what you think about it and if you have any ideas for some code scripts that you would like to see.

If you enjoy using Twitter, you may want to take a look at the Twitter Tag Cloud Service that we provide. You can also download the scripts to run it from your own site.

Addendum (05/12/10):

This code has been added to the BrownPHP Code Repository if you would like to download it. You can go straight to the download by clicking the BrownPHP Twitter Class.


Difference between ASP and PHP

ASP is defined as Active Server Pages. ASP runs inside Internet Information Services (IIS). This IIS is a component of Windows. ASP allows us to edit, change or add any content of a web page. It responds to user queries or data given from HTML forms. Any data or databases are accessed easily and the results are returned to the browser. It is helpful in customizing a web page; this feature makes the page more useful for individual users.

PHP is defined as Pre Hypertext Processor. PHP is a server-side, cross-platform, HTML scripting language. The syntax of PHP is similar to that of C and Java. The goal of PHP is to allow web developers to write dynamically generated pages quickly.

PHP eliminates the need for numerous small CGI programs by allowing us to place simple scripts directly in HTML files. It also makes it easier to manage large web sites by placing all components of a web page in a single HTML file. PHP has a perfect blend of compilation and interpretation. It is used as a general-purpose scripting language that is suited to web development and can be embedded into HTML.

The difference between PHP and ASP is that ASP is a Microsoft product based on Visual Basic syntax, whereas PHP has C and Java based syntax. ASP works better on Microsoft servers.

ASP can run on Linux and BSD (Berkeley Software Distribution, which refers to a particular version of the UNIX operating system). ASP is mostly not recommended for BSD because it relies a lot on external components that often come in the form of a Dynamic Linked Library (DLL), which lists the other pages on the web where one can find additional information, and which needs to be physically registered on the server.

PHP works fine in both environments. A Linux/BSD server will run PHP scripts faster than a Windows server. Both ASP and PHP are popular, but PHP is more popular because of its Open License solutions, which can be implemented free of cost and downloaded easily.

Tools for image manipulation, upload, email, etc. can be easily installed in PHP, which has a very large number of tools, whereas ASP requires the registration of components to do that, and most of these components are not free.

The speed of ASP is very slow, which makes it unsuitable for traffic, whereas PHP is faster when compared to ASP. ASP works better with SQL Server and Access. PHP works very well with SQL. If PHP is used with database systems, the connectivity is slow compared to ASP. If there is a Microsoft server, then ASP/SQL Server is used. If there is a Linux or BSD server, then PHP is used.

From the above differences between PHP and ASP, it can be concluded that PHP is better to use, especially in syntax, connectivity, and toolbox, which can be easily installed. As far as web boards are concerned, there are many awesome products, like PHPBB (Open License), Bulletins (OL), etc.


Quick Methods Used for Solving PHP Errors

There are several methods to solve errors in PHP code. Sometimes, when the user waits to see output, a blank page is shown because there is an error. To show the errors, E_ALL ^ E_STRICT is used for the PHP 5 version. The remaining versions just use E_ALL.

Even with error_reporting set to E_ALL, PHP sometimes still shows a 'blank' page without showing the errors. In that case, the script should be run in a different directory, because the directory may be full; after erasing the file, the errors will be displayed as usual. Turning 'error logging' off may also help.

If the error reporting level used by a script is set in httpd.conf, then in some versions the 'integer' value must be used and not the string. Otherwise, the error message will not be displayed in the program's output.

Error handling is very important because it keeps harmful information about the system away from users while still allowing the developer to access that information. PHP provides certain methods for handling errors.

For example, the setup can be configured so that errors are not displayed in the browser; instead, we can log and review the errors using the log_errors and display_errors directives in the php.ini file. Depending on what is needed during development, the error display can be turned on and off.

error_reporting() may give unexpected results if the @ error suppression operator is used. Depending on the configuration settings, this will throw an E_WARNING level error in relation to the missing file. If the operator is removed, the code works as expected. On the other hand, the same result is accomplished by using ini_set in config.php. From this, we can see that the two instructions are equivalent.

Fatal errors can be caught in another, dynamic way. The principle is simple and can be tested on your system. On working sites, it fails to catch these fatal errors when display errors is turned on, but the system can be tested to see all the fatal errors quickly and without trouble by turning display errors off. The signature of the function used to catch all the fatal errors is:

function catchFatalErrors($p_OnOff='On')

If there is a warning like "Warning: mysql_query()", then the query requires a full table scan. This is not controlled by the error_reporting settings; it is set in php.ini. It can be turned off by writing ini_set("mysql.trace_mode", "Off") in the script.

The quick methods described above, when used in code, help to avoid errors. For example, a blank page appearing instead of output can be avoided by using these methods, and when errors appear, they can be rectified by using the methods above.
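The display_errors/log_errors split and the fatal-error catching described above, as an added example that is not code from the original post: details go to a log file, and the visitor gets a generic message. The name installFatalErrorLogger(), the log path and the failing call at the end are assumptions made for this sketch.

```php
<?php
// Added example: errors are logged, never shown to the visitor.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// Assumed log location; in practice use a path outside the web root.
ini_set('error_log', sys_get_temp_dir() . '/app-php-errors.log');

// Error types that stop the script and never reach set_error_handler().
function isFatal(int $type): bool
{
    $fatal = E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR | E_USER_ERROR;
    return ($type & $fatal) !== 0;
}

// Hypothetical helper: a shutdown function runs even after a fatal error,
// and error_get_last() tells it whether the script died that way.
function installFatalErrorLogger(): void
{
    register_shutdown_function(function (): void {
        $err = error_get_last();
        if ($err === null || !isFatal($err['type'])) {
            return; // normal shutdown, nothing to report
        }
        // File, line and message stay in the log.
        error_log(sprintf(
            'FATAL type=%d %s in %s:%d',
            $err['type'], $err['message'], $err['file'], $err['line']
        ));
        if (!headers_sent()) {
            http_response_code(500);
        }
        // The visitor sees no paths, queries or stack traces.
        echo "Something went wrong. Please try again later.\n";
    });
}

installFatalErrorLogger();

// Constructed failure: calling a function that does not exist is fatal.
thisFunctionDoesNotExist();
```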


Three Important Tips to Write PHP Code Defensively

The phenomenal growth of PHP applications has also led to a mushrooming of malicious activity. It thus becomes imperative that you write secure PHP code to protect your website. Here are some tips for doing so.

The three most vulnerable aspects of PHP that can become easily accessible to anyone are XSS (Cross Site Scripting), Global Variables and SQL code.

XSS

The growth of XSS has followed a steady growth in the use of AJAX. Cross Site Scripting can occur, for instance, when you create a Comment section on your website. If the commenter has to log in to comment, their login information gets stored in a cookie. As the JavaScript code is generally run whenever a person writes the comment, there is a pretty good chance of the contents of the cookie being accessible to a remote server handled by a malicious user.

To counter this, make a habit of including filters whenever you request arbitrary information. Use the die() function to exit from the task whenever the filters detect unqualified input. The details that are typed are first filtered and then sent to the website's database. The information is filtered again before it is output.

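<?php
// A basic output filter: the submitted value is encoded before it is echoed,
// so any markup in it is displayed as text instead of being run (XSS).
$myInfo = (isset($_POST['myInfo']) && is_string($_POST['myInfo']))
    ? $_POST['myInfo'] : '';
echo 'this is what you input: ';
echo htmlentities($myInfo, ENT_QUOTES, 'UTF-8');
?>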
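The filter-on-input, filter-on-output habit described above, applied to the comment-section case, as an added example that is not code from the original post. The function names, the length limit and the sample comments are constructed for illustration.

```php
<?php
// Added example: validate a comment on input, encode it on output.

const MAX_COMMENT_LEN = 500; // assumed limit, in bytes

// Output encoding for HTML text and for quoted attribute values.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input check: reject empty, oversized or non-UTF-8 text instead of
// trying to repair it.
function validateComment(string $raw): ?string
{
    $text = trim($raw);
    if ($text === '' || strlen($text) > MAX_COMMENT_LEN) {
        return null;
    }
    // preg_match() with the /u flag fails on invalid UTF-8.
    return preg_match('//u', $text) === 1 ? $text : null;
}

// Every dynamic value is encoded at the point where it enters the markup,
// including the one that lands inside an attribute.
function renderComment(string $author, string $text): string
{
    return '<div class="comment" title="' . e($author) . '">'
         . '<p>' . nl2br(e($text)) . '</p></div>';
}

// Constructed inputs: a normal comment, one carrying markup in both
// fields, and one that is only whitespace.
$samples = [
    ['alice', "Nice post!\nThanks."],
    ['bob" onmouseover="x', '<script>alert(document.cookie)</script>'],
    ['carol', '   '],
];

foreach ($samples as [$author, $raw]) {
    $text = validateComment($raw);
    echo $text === null ? "rejected\n" : renderComment($author, $text) . "\n";
}
```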

Global Variables

The PHP feature "Register Globals" leads to a palpable lacuna in programming safety. Once this feature is activated in the PHP configuration file, even a single variable that is left uninitialized can lead to a great security flaw. For instance:

<?php
// Vulnerable when register_globals is on: $authorized is never initialized,
// so it can already hold a value that came in with the request.
if (is_admin()) { $authorized = true; }
if ($authorized) { include "/very/sensitive/data.php"; }
?>

When you run the file, because of the non-initialization the user may not be verified, resulting in anyone accessing the administrative control! To counter this, you should disable Register Globals, initialize variables, and use localized variables as far as possible within your programs.

SQL Code

SQL code is vulnerable to malicious users just like the XSS feature. To write secure SQL code you need to remember a couple of things. First, avoid using dynamic code, and second, if dynamic code is inevitable, then do not have direct input into the tables.

For instance, code like this will take care of the SQL security:

if (isset($_POST['submit']) && $_POST['submit'] == 'Save') {
   // Validate the account number before touching the database.
   if (isset($_POST['acct_num']) &&
       isValidAccountNumber($_POST['acct_num'])) {
        // mysql_connect() was removed in PHP 7; mysqli_connect() takes the
        // same host, user and password arguments.
        $link = mysqli_connect('hostname', 'user', 'password')
              or die('Could not connect to DB');
        // ...
   }
}

Preferably have a database to select user name so that any other entry (like “bingo” or ‘blah blah’) can be swiftly detected. A simple way of preventing SQL security lapse is by typecasting the data so that input is effectively monitored. You can also make use of the versatile “mysql_real_escape_string”. This function can successfully filter symbols and contain SQL security flaws.
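The difference between dynamic SQL and validated, typecast input, as an added example that is not code from the original post. It uses PDO with an in-memory SQLite database (an assumption; it needs the pdo_sqlite extension) and bound parameters, which go one step further than the escaping the text mentions. The table, function names and inputs are constructed.

```php
<?php
// Added example: constructed table and inputs, nothing here touches a real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (acct_num INTEGER PRIMARY KEY, owner TEXT)');
$pdo->exec("INSERT INTO accounts VALUES (1001, 'alice'), (1002, 'bob')");

// Dynamic SQL: the input becomes part of the statement text, so whatever
// it contains is parsed as SQL.
function findOwnerUnsafe(PDO $pdo, string $acctNum): array
{
    $sql = "SELECT owner FROM accounts WHERE acct_num = $acctNum";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Validate against an allow-list (digits only, bounded length), typecast,
// then bind the value so it can never change the shape of the query.
function findOwnerSafe(PDO $pdo, string $acctNum): array
{
    if (!ctype_digit($acctNum) || strlen($acctNum) > 9) {
        return []; // not a valid account number: no query is run
    }
    $stmt = $pdo->prepare('SELECT owner FROM accounts WHERE acct_num = :n');
    $stmt->bindValue(':n', (int) $acctNum, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input that is not an account number.
$input = '1001 OR 1=1';

echo "dynamic SQL:\n";
var_dump(findOwnerUnsafe($pdo, $input));

echo "validated and bound:\n";
var_dump(findOwnerSafe($pdo, $input));

echo "validated and bound, well-formed input:\n";
var_dump(findOwnerSafe($pdo, '1002'));
```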

These three are the most significant for creating secure PHP code. Apart from this, you should also ensure that:

  • The system is well protected
  • Files and database are protected.
  • Posts are verified
  • Input is always validated

Input validation is the key to secure programming. Make a habit of allowing only the right input into your system. A systematic approach to PHP, keeping in mind the pitfalls, can guard the program against most flaws and malicious attacks.


Copyright © 1996-2010 Brown PHP. All rights reserved.