Sebastian-sks
PHP SECURITY
I want to get other people's thoughts on what they perceive the security vulnerabilities to be in the PHP Engine and Frameworks. I always hear that as one of the major deterrents to developing with PHP. --Sks01060 08:07, 3 April 2007 (EDT)
Old Stuff::WEB SERVICE PROXIES
http://stweb.ccv.edu/CIS-2430-VO01/sks01060/index.php?ID=01&MID=05
Overview
You might wonder why this page doesn't show anything other than this script; that's because for my first week 5 script I added functionality to the entire site in the form of a comment system. If you look at the bottom of each page you will see two things: first a DIV containing a form which allows you to create a comment for the current page, and second another DIV that shows all of the comments for the current page. I decided to add this functionality after watching Jil Mac's collection of YouTube links regarding Web 2.0.
Architecture
The easiest way to add a comment system would have been to use MySQL and a simple PHP script; however, because CCV doesn't allow or provide MySQL functionality, I had to come up with a different model. To get around the imposed limitations, I created a web service on my privately hosted platform that exposes methods to add comments to, and read comments from, a MySQL database. Next I created a PROXY service in my CCV space that forwards requests to add and read comments to my hosting provider. Then I complete the package by using AJAX to handle submission and display of comments in my main CCV site template. You might ask why I don't call my remotely hosted web service directly from AJAX; the answer is that today's browsers enforce a same-origin policy, limiting an XMLHTTP request to the domain the current page was loaded from, as a defence against cross-site attacks. This is a pain in the butt but makes a lot of sense. Below is a basic diagram of how the proxy service works:
http://stweb.ccv.edu/CIS-2430-VO01/sks01060/images/ass/proxy.png
The following is a listing of code files that produce the comment functionality
- ajax.js - Provides methods to create XMLHTTP Requests
- comments.js - Provides methods to add, validate and retrieve comments
- cProxy.php - creates a class object with methods to provide proxy functionality for external services
- cBase.php - base class providing mysql functionality and other methods that child classes can extend
- cComments.php - class extending cBase which provides methods to validate and serve requests for comment listings - Returns an XML string representing the comments for a specific page.
- cComment.php - class extending cBase which provides methods to validate and add comments - Returns nothing.
- chadler.php - simple page that creates objects of type cComment or cComments depending on the type of request the service is handling.
Step by Step Execution
- The client browser loads a page; using the BODY onLoad() event we call getComments(container, ID) in comments.js.
- getComments then creates an XMLHTTP request using GET to cProxy.php.
- cProxy.php validates that the XMLHTTP request is for a valid web service and that cProxy is able to handle requests for that service.
- If cProxy can handle the request, it creates a cURL session to chadler.php, including the GET or POST variables sent with the XMLHTTP request.
- chadler.php inspects the incoming request, validating it by checking for key variables in the GET or POST array.
- After validation, chadler creates an object of type cComments.
- cComments again validates the request and builds a SQL statement based upon the request variables.
- The SQL statement is executed against the database and a result set is returned.
- The contents of the result set are then formatted into an XML string.
- The XML string is then sent back to cProxy.php.
- After the XML string is returned to cProxy.php, chadler.php deletes the cComments object in order to conserve server memory.
- cProxy.php simply sends the XML back to the AJAX XMLHTTP request.
- Back in getComments we create a document from the XML, then loop through the document's comment nodes and output each node to the page as formatted HTML.
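The cProxy.php step above is the one place on the CCV side that decides what may be forwarded, so it is where the check needs to be strict. The following is an added example, not the author's cProxy.php, of what an allow-list proxy for this flow can look like in PHP with cURL; the service name `comments`, the upstream URL and the parameter names are assumptions.

```php
<?php
// Added example of an allow-list proxy in the style of cProxy.php; not the author's code.
// Assumed request shape: cProxy.php?service=comments&ID=05 (GET lists, POST adds a comment).
// Upstream URLs are fixed here, never taken from the request, so the proxy cannot be
// pointed at another host. The host below is a placeholder.
$services = array('comments' => 'https://example.invalid/chadler.php');
// Parameters each service accepts, each with a validation pattern; all others are dropped.
$allowedParams = array(
    'comments' => array(
        'ID'      => '/^[0-9]{1,4}$/',
        'author'  => '/^[^\r\n]{1,64}$/',
        'comment' => '/^[\s\S]{1,2000}$/',
    ),
);
function pickParams(array $src, array $rules) {
    $out = array();
    foreach ($rules as $name => $pattern) {
        $v = isset($src[$name]) ? $src[$name] : null;
        if (is_string($v) && preg_match($pattern, $v)) {
            $out[$name] = $v;
        }
    }
    return $out;
}

$service = isset($_GET['service']) ? $_GET['service'] : '';
if (!isset($services[$service])) {
    header('HTTP/1.1 400 Bad Request');
    exit('unknown service');
}
$isPost = ($_SERVER['REQUEST_METHOD'] === 'POST');
$params = pickParams($isPost ? $_POST : $_GET, $allowedParams[$service]);
$url    = $services[$service] . ($isPost ? '' : '?' . http_build_query($params));
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); // never follow redirects off the fixed host
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);           // the JavaScript side also times out
if ($isPost) {
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
}
$body   = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($body === false || $status !== 200) {
    header('HTTP/1.1 502 Bad Gateway');
    exit('upstream error');
}
header('Content-Type: text/xml; charset=utf-8'); // getComments() parses responseXML
echo $body;
```

Because the upstream address and the accepted parameter names are fixed in the script, a request can only choose values, never where they go; anything outside the list is silently dropped before the cURL session is opened.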
Code Sources
- Concept for creating a Web Service that serves a REST method
- "PHP Cookbook", O'Reilly 2006 (Example 15.1, pp. 461-463): http://www.oreilly.com/catalog/phpckbk2/
- Concept of creating a Web Service Proxy
- Yahoo's Developer example of a simple web proxy: http://developer.yahoo.com/javascript/samples/proxy/php_proxy_simple.txt
- Yahoo Developer: Use a Web Proxy for Cross-Domain XMLHttpRequest Calls: http://developer.yahoo.com/javascript/howto-proxy.html
- Concept of using AJAX for XML parsing
- "Beginning Ajax with PHP: From Novice to Professional", Babin, Lee (pp. 225-227, Listing 14-3): http://www.apress.com/book/bookDisplay.html?bID=10117
- Concept of enabling JavaScript time-outs
- Professional JavaScript for Web Developers: JavaScript in the Browser, Pt. 2: http://www.webreference.com/programming/prof_java2/2.html
- The above sources compiled in a zip folder: http://stweb.ccv.edu/CIS-2430-VO01/sks01060/assignments/05/SCRIPT0501.zip
Conclusion
I had been working on the idea of creating this functionality for a week, playing out different methods in my head. There are of course simpler methods, but I wanted to achieve several things. First, unlike some of my previous scripts that used AJAX, this script uses XML instead of HTML for the response from the server; this provides increased performance on the client as well as increased flexibility in the use of the Web Service. Secondly, I wanted to create a Web Service of my own and then consume said service. I feel that I have accomplished both in this script. Additionally, because this week's class discussion focuses on Web 2.0, I think that my comment system brings my site one step closer to meeting the loose definition of a Web 2.0 site.
Week 4 Assignments http://stweb.ccv.edu/CIS-2430-VO01/sks01060/index.php?ID=111&MID=109
SCRIPT 04 01 / 04 01 before
A simple form taken from script 4.2 in the class text. The original script uses an html form as the source then a php form handler that spits out the final text. I modified this script by:
- Created a php class that can be used as an html control by making a class declaration anywhere on a php page.
- Used code from script_03_03.php to implement efficient class methods for templating and variable assignment.
- Created a simple validation method to determine if a variable is set.
- Converted the original script calculations into class methods.
SCRIPT 04 02 / 04 02 before
The original code source for this script is Script 04 01, which was derived from script 4.2 of the class text. The difference between script 04 01 and this one is that the form is entirely handled by AJAX!!!!! The inspiration for the AJAX methods came from a book I picked up this weekend: "Beginning Ajax with PHP" by Lee Babin (http://www.apress.com/book/bookDisplay.html?bID=10117), specifically chapters 1-4. Here are my modifications based on changes from Script 04 01:
- Included ajax.js into the sites header
- Changes to templates/shippingform3.html
- Changed the "Calculate" button from sending the whole page, to executing a javascript onClick() method.
- Added a hidden input field "ajax" so that the server would know this is an ajax client
- wrapped the page area where dynamic content lives in a div named "ajaxcontent"
- Changes Made to the backend script
- in the class constructor checked for the ajax input tag submitted by the form and set a class variable named $ajax = 'ajax'
- in my show() method which gets and parses the .html templates, I added logic to check and see if the class variable "ajax" was set, and if it was, load a stripped down template instead of the full template.
- Changes to templates/shippingform3return.html (the response showing the calculation)
- Created a stripped down version of the template for ajax named templates/shippingform3returnajax.html
- In this template I added another form that recalls the user input form via ajax.
SCRIPT 04 03 / 04 03 before
This script was my week 3 script 3. I modified it to incorporate ajax, so that I can make requests for the maps without having to make a complete page refresh. Here are my modifications:
- Template files templates/mapform3.html and templates/mapformajax.html
- Again I changed the form button to execute a javascript function in the mapform3.html template
- For the mapformajax.html template, I removed all html except for an img tag, and a span which will contain errors.
- In the backend script, I added logic to check for the ajax key in the POST array.
- I also modified the form action to go directly to the script as opposed to the regular method which includes the script in the rest of the sites template
- I then added logic in the show function to determine if the request is ajax, so that I return to the browser minimal html output.