Mcloide's resources library

All about PHP, Javascript, concepts and development

Posts Tagged ‘php basic series’

PHP Basic Series – Playing with XML

Posted by mcloide on November 2, 2009

XML – Extensible Markup Language – is one of the most flexible file formats you can use in an application. It lets two different applications communicate, and it can store data, hold configuration information and much more.

PHP has 2 great libraries to work with XML:

  • DOM – Document Object Model: a full-featured library to manipulate XML at every level
  • SimpleXML: a "simple" XML library that makes the common operations easy but stops short of DOM (for instance, it has no delete method; a node is removed by unsetting it, as shown further down).

Even knowing that SimpleXML does not handle everything, it is by far the nicest library to work with. It is very light, the performance is very good, and it covers the minimum necessary: creating, reading, adding and, with a little trick, deleting nodes. The best feature of SimpleXML is its XPath support. XPath is a small path query language (not a regex, although it feels just as compact) that lets you fetch the contents and attributes of a node by describing where it sits in the tree.

[Note:] SimpleXML only accepts well-formed XML files / strings; on anything else the load functions return false and emit libxml warnings, so a load attempt is already a cheap well-formedness check (not a schema validation). Also note that the libxml parser underneath can resolve external entities declared in a DTD: with untrusted input keep external entity loading off (PHP 8.0+ does this by default; earlier versions need libxml_disable_entity_loader(true)) and never pass the LIBXML_NOENT option.
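Putting the note into practice, here is an added example (my own, not code from the original post) of a loader that reports parse errors instead of warnings and keeps external entity loading off. It assumes PHP 7.1 or newer with the simplexml and libxml extensions; the function name loadStatesXml and the two sample documents are made up for the example.

```php
<?php
// Added example (not from the original post): load XML into SimpleXML while
// collecting parser errors and keeping external entity loading switched off.
// Assumes PHP >= 7.1 with ext/simplexml and ext/libxml.

function loadStatesXml(string $xmlText): array
{
    // Collect parser errors instead of letting libxml emit warnings.
    $previous = libxml_use_internal_errors(true);

    // PHP < 8.0 resolves external entities unless told not to; on 8.0+ the
    // loader is off by default and this function is deprecated, so guard it.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    // LIBXML_NONET forbids network access while parsing. Never pass
    // LIBXML_NOENT here: it substitutes entities, external ones included.
    $xml = simplexml_load_string($xmlText, 'SimpleXMLElement', LIBXML_NONET);

    $messages = array();
    foreach (libxml_get_errors() as $error) {
        $messages[] = sprintf('line %d: %s', $error->line, trim($error->message));
    }
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    // Return the tree (or null) together with whatever libxml complained about.
    return array($xml === false ? null : $xml, $messages);
}

// Constructed inputs: a well-formed document and one with an unquoted
// attribute value, which is not well-formed XML.
$good = '<?xml version="1.0" encoding="utf-8"?>'
      . '<states><state abbreviation="AL">Alabama</state></states>';
$bad  = '<states><state abbreviation=AL>Alabama</state></states>';

list($xml, $errors) = loadStatesXml($good);
echo $xml === null ? "rejected\n" : 'loaded ' . count($xml->state) . " state(s)\n";

list($xml, $errors) = loadStatesXml($bad);
echo $xml === null ? 'rejected: ' . implode('; ', $errors) . "\n" : "loaded\n";
```

The same function works for simplexml_load_file(); the point is that the return value is checked and the libxml error list is read, rather than relying on warnings that a production php.ini usually hides.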

First let’s work with a small XML file:

<?xml version="1.0" encoding="utf-8" ?>
<states>
<!--US States and Territories-->
 <state abbreviation="AL">Alabama</state>
 <state abbreviation="AK">Alaska</state>
 <state abbreviation="AZ">Arizona</state>
 <state abbreviation="AR">Arkansas</state>
 <state abbreviation="FL">Florida</state>
 <state abbreviation="IN">Indiana</state>
 <!-- list continues -->

</states>

Copy this code, paste it into a text file and name it as you please (states-provinces.xml / states-provinces.txt / etc). Since SimpleXML can also read XML from a string, both ways of loading are shown in this post.

First let’s load the created file into the SimpleXML object.

<?php
// reading a xml file with simple xml; simplexml_load_file() returns false
// (and emits a warning) when the file is missing or not well-formed
$xml = simplexml_load_file('states-provinces.xml');
if ($xml === false) {
    die('states-provinces.xml could not be parsed');
}
?>

Or, if you want to load it from a string:

<?php
// reading a xml string with simple xml
$xmlString = '
<states>
<!--US States and Territories-->
 <state abbreviation="AL">Alabama</state>
 <state abbreviation="AK">Alaska</state>
 <state abbreviation="AZ">Arizona</state>
 <state abbreviation="AR">Arkansas</state>
 <state abbreviation="FL">Florida</state>
 <state abbreviation="IN">Indiana</state>
 <!-- list continues -->

</states>';
$xml = simplexml_load_string($xmlString);
?>

After this point all the remaining procedures for SimpleXML are the same, and so is the structure.

Once loaded, SimpleXML exposes the whole document as a tree of SimpleXMLElement objects that can be walked with object and array syntax.

As with any other way of handling data, manipulation comes down to:

  • read
  • write
  • delete

SimpleXML does read and write pretty well, but deleting is a bit tricky.

Reading:

Reading attributes and values from a given item is pretty simple, and the library offers 2 ways to reach an element node.

  1. Accessing in array style
  2. Accessing using XPATH

To access it in array style all you need is the position of the element in the array (if you know it), or you call the children method inside a loop.

<?php
foreach ($xml->children() as $node) {
    // to read the state name value all you need is to convert the node to string
    $name = (string) $node;
    // to read the state abbreviation is even simpler, call the attribute using the array feature
    $abbreviation = (string) $node['abbreviation'];
    // just to print
    echo "name: {$name} abbrv: {$abbreviation}\n";
}
?>

Seems simple, but when you are working with XML files that have 3 or 4 levels of child nodes, it becomes more complicated and more expensive to get to the results. In cases like this we use XPath to reach the elements of an XML document directly.

As mentioned before, XPath works as a compact path expression that locates the element and gives access to its value and attributes. Note that xpath() returns an array of matches, not a single node.

<?php
// xpath() returns an array of matching nodes (empty when nothing matches),
// so take the first element rather than using the result directly
$nodes = $xml->xpath('//state[@abbreviation=\'IN\']');
if (!empty($nodes)) {
    $indiana = $nodes[0];
    echo (string) $indiana;
}
?>

As simple as it looks, with XPath you can access the Indiana node value without looping up to it. XPath will also be very useful when it comes to deleting a given node.

Writing:

SimpleXML is a simple, structured XML library, so there are not many methods to write into the file, but the ones that exist are more than enough to perform the operation. The basics are value and attributes, so all that is needed is to add the child and its attributes.

Consider the insertion of the Texas State on our small XML file:

<?php
// adding a new state child
$state = $xml->addChild('state', 'Texas');
// adding the abbreviation attribute on the newly created state
$state->addAttribute('abbreviation', 'TX');
// saving the xml file: asXML() with no argument only returns the XML as a
// string; pass the file name to write it back to disk
$xml->asXML('states-provinces.xml');

foreach ($xml->children() as $node) {
    // to read the state name value all you need is to convert the node to string
    $name = (string) $node;
    // to read the state abbreviation is even simpler, call the attribute using the array feature
    $abbreviation = (string) $node['abbreviation'];
    // just to print
    echo "name: {$name} abbrv: {$abbreviation}\n";
}
?>

Just like reading, if it is necessary to add a child inside a given node, all that is needed is to reach the node and then add the child. To exemplify, consider adding a city child inside the recently created Texas state.

<?php
$state = $xml->addChild('state', 'Texas');
$state->addAttribute('abbreviation', 'TX');

// addChild() called on the state node nests the city inside it
$city = $state->addChild('city', 'Austin');
$city->addAttribute('capital', 'yes');
$xml->asXML('states-provinces.xml');
?>

Because SimpleXML is a simpler take on XML handling, it does not expose explicit DELETE and UPDATE methods; there are, however, ways around it.

Deleting:

SimpleXML does not have a delete method, but since a node list is treated as an array, you can unset a node to delete it, just like in an array.

<?php
$counter = -1;
$itemToUnset = null;
foreach ($xml->children() as $node) {
    ++$counter;
    $attr = $node->attributes();
    if ((string) $attr['abbreviation'] === 'TX') {
        $itemToUnset = $counter;
        break;
    }
}

// only unset when a match was found; unset($xml->state[null]) would not
// target the intended node
if ($itemToUnset !== null) {
    unset($xml->state[$itemToUnset]);
}
$newXmlText = $xml->asXML();
?>

For XML files with several levels, you can use XPath to get to the immediate parent node and then loop inside it to get the index and "delete" the node.

Updating:

Updating is not the most obvious task with SimpleXML, and for heavy restructuring the DOM extension is the better tool, but a value or an attribute can be changed in place: assigning a string to a node (for example $xml->state[0] = 'Alabama') replaces its text, and assigning to $node['abbreviation'] replaces that attribute.

Only when the node's name or position has to change is the roundabout way needed: first get all the information necessary to re-create the node, update the pieces that need updating, delete the node and then re-insert it with the addChild methods.
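As an added example (my own, not code from the original post), here is the XPath way of updating and deleting, including the check that keeps a caller-supplied value from rewriting the XPath expression. It assumes PHP 7.1 or newer with the simplexml extension; findState and the three-state document are constructed for the example.

```php
<?php
// Added example (not from the original post): locate nodes with XPath, then
// update them by assignment and delete them with unset().
// Assumes PHP >= 7.1 with ext/simplexml; the document is constructed inline.

$xmlString = <<<'XML'
<?xml version="1.0" encoding="utf-8"?>
<states>
 <state abbreviation="AL">Alabama</state>
 <state abbreviation="FL">Florida</state>
 <state abbreviation="TX">Texas<city capital="yes">Austin</city></state>
</states>
XML;

$xml = simplexml_load_string($xmlString);

// Returns the <state> whose abbreviation matches, or null when none does.
function findState(SimpleXMLElement $xml, string $abbr): ?SimpleXMLElement
{
    // XPath has no parameter binding, so a quote inside $abbr would change the
    // query (XPath injection). Allow only the two-letter form before using it.
    if (!preg_match('/^[A-Z]{2}$/', $abbr)) {
        return null;
    }
    // xpath() returns an array of matches (empty when nothing matched) or
    // false for an invalid expression; either way, never index it blindly.
    $hits = $xml->xpath("//state[@abbreviation='$abbr']");
    return empty($hits) ? null : $hits[0];
}

// Update: assigning a string to index 0 of an element replaces its text;
// assigning to an attribute name sets that attribute (creating it if needed).
$florida = findState($xml, 'FL');
if ($florida !== null) {
    $florida[0] = 'Florida (Sunshine State)';
    $florida['capital'] = 'Tallahassee';
}

// Delete: unset() on index 0 of an element removes it, children included,
// from its parent. No counter loop is needed once XPath has found the node.
$texas = findState($xml, 'TX');
if ($texas !== null) {
    unset($texas[0]);
}

// A value that would break out of the quoted XPath literal is simply refused.
var_dump(findState($xml, "' or '1'='1") === null);

echo $xml->asXML();
```

The whitelist in findState matters whenever the abbreviation comes from a request: without it, the value is concatenated straight into the query, which is the XPath equivalent of SQL injection.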

Even knowing that SimpleXML does not carry strong support for delete and update, for reading nothing is faster. Most of the time XML manipulation will be used to read values from an AJAX request or a bootstrap config file, or simply to store a new entry in an XML file.

With the support of XPath, SimpleXML becomes a strong library and can handle the basics of XML manipulation with PHP in a structured and easy-to-understand way.

Have fun.

Posted in PHP | 2 Comments »

PHP Basic Series – Session Handling

Posted by mcloide on October 8, 2009

A session, a lasting connection between a user agent (the user's browser) and a server application (web application, site, etc), has a limited lifetime just like a cookie, but it carries all the information the application needs to communicate between its parts.

The lasting connection, a true characteristic of a session, is also the reason why it is important to take a very careful look at how the session works and how to increase its security.

To make sessions easier to understand, consider the session as a cookie that holds an array, stored on the server while the application is being executed (or until the browser closes).

In PHP a session can be stored either in the filesystem or in a database. Each choice of storage has its pros and cons regarding security, but overall both work in the same way. Consider the previous example: the login form. Once the user has correctly logged into the application, it is necessary to keep the username and a logged-in flag (never the password itself) so that all parts of the application understand that the current user logged in at some point, and it stays that way until he decides to log off.

To construct that scenario the first thing to do is to set up the session. With PHP, unless you specify it, a session will not be started. There are 2 ways to start a session:

  1. You open the session on every single script of your application using <?php session_start(); ?>
  2. You open it only once, at the application bootstrap, and include the bootstrap in every step of the application

It might seem that both are the same, but the second option is by far cleaner and more secure.

bootstrap.php

<?php
session_start(); // the session start must be the first thing of every script. If any header or even an echo is done before the session start, it will break
// Adding some security to avoid session fixation attacks
if (!isset($_SESSION['sinit'])) {
    session_regenerate_id(true); // give the session a new identifier, keep the current data and delete the old session file
    $_SESSION['sinit'] = true;
}
// the bootstrap file is also a good place to start libraries such as ob_start and to define your constants that will be shared all over the application
// since it's a full php file, with no HTML coding (or any other coding), there is no need to close the PHP open tag

At the bootstrap the application now has the session instantiated and also a small security check: if the sinit (session initiated) variable has not been set yet, the session identifier is regenerated while the previous data is kept. This blocks the simplest session fixation attempt, where an attacker hands the victim a URL or cookie carrying an identifier the application has never seen. It does not cover an identifier the attacker first obtained from the application himself (that session already has sinit set), so the identifier should be regenerated again at login, when the session gains privileges.

The bootstrap is prepared and the next step is to include it in the login script. The bootstrap adds the initiated session to the login script, and the application can use the session to hold the login information of the user so that it can be used in other parts of the application.

login.php

<?php
include_once('bootstrap.php'); // getting the instantiated session and variables

if (isset($_POST['doIt'])) {

    // initiating the session variables that will hold the logged user information
    $_SESSION['username'] = null;
    $_SESSION['logged'] = false;

    $username = $_POST['username'];
    $password = (int) $_POST['password']; // casting the password so it can be converted to an integer, since everything in a post variable is, at first, a string

    // for now let's use a hardcoded username and a hardcoded password just to exemplify the process;
    // a real application compares against a stored password hash and never casts the password to an integer
    if ((!empty($username) && is_string($username) && $username === 'myUsername')
        && (!empty($password) && is_numeric($password) && $password === 123456789)) {
        // the username and password are correct and the user is logged on. Now it is necessary to tell the remaining parts of the application.

        // the session just gained privileges: issue a fresh identifier so an id fixed before login is useless
        session_regenerate_id(true);
        $_SESSION['username'] = $username;
        $_SESSION['logged'] = true;

        header('Location: userProfile.php');
        exit; // stop here, otherwise the HTML below is still sent
    }
}
?>
<html> ….

With the code snippet above the application now holds the information that the user myUsername is logged in, and there is no more need to ask the user to log in again or force a logout.

This code would not make much sense if we didn't use it in other parts of the system. Let's add 2 more sections to this little application: the user profile and a logout page to clean the session.

userProfile.php

<?php
include_once('bootstrap.php');

if (!isset($_SESSION['username']) || !isset($_SESSION['logged']) || !$_SESSION['logged']) {
    // checking if the user is logged in, otherwise redirect to logout
    header('Location: logout.php');
    exit; // without exit the profile HTML below would still be sent to a user who is not logged in
}
?>
<html>
<head>
<title> User Profile </title>
</head>
<body>
<h3>Welcome to your profile page, <?php echo htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8'); ?></h3>
<fieldset>
<legend>Action Menu </legend>
<dl>
<dt> Edit your profile </dt>
<dt> <a href="logout.php">Logout</a> </dt>
</dl>
</fieldset>
</body>
</html>

At the user profile the application checks the session to see if the user is correctly logged in and otherwise redirects the would-be user to the logout page, which cleans the session and redirects him to the login page. The profile page then uses the information at hand to interact with the user; note that the username came from a POST request, so it is escaped with htmlspecialchars before being printed. When the page is displayed it will show:

Welcome to your profile page, myUsername

Below the message it shows the user some action options for editing his profile information and logging out of the application.

To finish up, let’s clean the session once the user is ready to logout.

logout.php

<?php
include_once('bootstrap.php');
// cleaning the session variables
$_SESSION = array();

if (isset($_COOKIE[session_name()])) {
    // to guarantee that the previous session will not be hijacked, expire the cookie that held the session id
    setcookie(session_name(), '', time() - 42000, '/');
}

// finally destroy the session
session_destroy();

header('Location: index.php');
exit;
This fully cleans up the session and redirects the user to the first page of the application. It seems a simple set of scripts overall, but it fully exemplifies how the session should be handled throughout the application.
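The following is an added example, written for this edit rather than taken from the original post, that gathers the session pieces of the bootstrap, login, profile check and logout into functions and adds the settings a reviewer would ask for: server-generated ids only, cookie flags, a fresh id at login and an exit after each redirect. It assumes PHP 7.1 or newer; the user table, the password and the function names are made up for the example.

```php
<?php
// Added example (not from the original post): the session side of bootstrap,
// login, access check and logout as functions, with the checks a reviewer
// would expect. Assumes PHP >= 7.1; the user table, the password and the
// function names are made up for the example.

function bootstrapSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started by an earlier include
    }
    // Accept only ids the server generated (an attacker-chosen id is ignored
    // instead of adopted), carry them only in a cookie, and keep that cookie
    // away from scripts and plain HTTP.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    if (PHP_VERSION_ID >= 70300) {
        ini_set('session.cookie_samesite', 'Lax');
    }
    session_start();
}

// Constructed user table: only a password hash is stored, never the password.
$users = array('myUsername' => password_hash('correct horse', PASSWORD_DEFAULT));

function login(array $users, string $username, string $password): bool
{
    // Unknown user and wrong password share one answer so neither leaks.
    $hash = isset($users[$username]) ? $users[$username] : null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // The session just gained privileges: issue a new id and delete the old
    // session file, so an id fixed on the victim before login is worthless.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['logged']   = true;
    return true;
}

function requireLogin(string $redirectTo = 'logout.php'): void
{
    if (empty($_SESSION['logged']) || !isset($_SESSION['username'])) {
        header('Location: ' . $redirectTo);
        exit; // without exit the protected page body is still sent
    }
}

function logout(): void
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        // Expire the cookie with the same parameters it was set with,
        // otherwise the browser keeps the old one.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: index.php');
    exit;
}

// Usage (a real request supplies $_POST; the values are inlined here):
bootstrapSession();
if (login($users, 'myUsername', 'correct horse')) {
    requireLogin();
    echo 'logged in as ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8') . "\n";
}
```

session.use_strict_mode is the setting that makes the sinit trick unnecessary: with it on, PHP refuses an id it did not issue, and the regeneration at login covers the case where the attacker obtained a valid id first.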

The basic rule still is: for every session instantiated there must be a session destroy and clean-up part. Managing variables (creating, destroying, adding values and updating) works the same way as with an array, but in this case the array is handled by the system and has its own name, $_SESSION.

The series is getting close to the end and soon enough everything will be put together. Keep learning and playing with the session, and check these 2 articles from Chris Shiflett's blog. They show very well how session handling and security should walk side by side.

  1. Session Fixation
  2. Session Hijacking

Have fun.

Posted in PHP, Security, development, resources | Leave a Comment »

Client Side x Server Side Scripting

Posted by mcloide on August 7, 2009

When developing applications for the web two concepts, Client Side and Server Side Scripting, will come up, and for many beginners mixing up these concepts gets pretty messy.

Client Side Scripting

Client side scripting is when the code is interpreted in the user's web browser. The best-known language to exemplify it is still Javascript.

Whenever working with Javascript, all programmed methods, functions, actions and interactions are downloaded to the user's web browser and then interpreted and executed there.

Creating a little schematic to understand the process, the sequence would be:

  1. user browser requests a page / application part (index.html)
  2. the page / application part is fully downloaded to the browser
  3. the browser (in this case with Javascript enabled) interprets the javascript code and outputs (prints) the result

To better demonstrate this let’s do a small example:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<script type="text/javascript">
// don't mind the code, it is just an example
document.write("<p>Browser: ");
document.write(navigator.appName + "</p>");

document.write("<p>Browser version: ");
document.write(navigator.appVersion + "</p>");

document.write("<p>Code: ");
document.write(navigator.appCodeName + "</p>");

document.write("<p>Platform: ");
document.write(navigator.platform + "</p>");

document.write("<p>Cookies enabled: ");
document.write(navigator.cookieEnabled + "</p>");

document.write("<p>Browser's user agent header: ");
document.write(navigator.userAgent + "</p>");
</script>
</head>
<body>
<h1> Your browser information </h1>
</body>
</html>

In this small example, adapted from W3Schools, the javascript code is downloaded to the user's browser and executed, displaying the result immediately to the user.

Server Side Scripting

Server Side Scripting is when the interpretation and execution of the code happen on the server, and only the result is downloaded to the user's browser. There are many languages fit for server side scripting; some great examples are PHP (of course), C# and Ruby (with Ruby on Rails).

Whenever working with PHP, for example, all PHP code is interpreted and executed on the server and replaced by its result, which is downloaded, together with the page, to the user's browser.

Let's do a small schematic here to follow the process:

  1. User browser request a page / part of the application (index.php)
  2. The server knows that the requested page contains PHP code and hands it to the PHP engine to interpret and execute, returning the results
  3. After all is processed, the request is complete and the result page is returned to the user browser

To better exemplify this, here is some body and code for the index.php application.

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title> A Server Side Application </title>
</head>
<body>
<ul>
<?php
// don't worry about the code for now, it is just an example
$menu = array('item1', 'item2', 'item3');
foreach ($menu as $index => $item) {
?>
<li><?php echo $item; ?></li>
<?php
}
?>
</ul>
</body>
</html>

The PHP engine will interpret the PHP code and output (print) item1, item2 and item3, each inside a list item. The result of this small code will be:

  • item1
  • item2
  • item3

In real-world development, programmers use both kinds of scripting to create complex and interactive applications / pages. Most of the time the client side handles interactions, usability, action requests, etc, and the server side handles the security of the data, output of large data sets, page construction, business logic, etc. Anything checked only on the client can be bypassed by the user, so the server must validate input again on its own.
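To show what "the server side handles the security of the data" means in code, here is an added example (my own, not from the original post) in which the server checks a submitted menu choice against its own list no matter what the browser did, and escapes what it prints. The menuItem field, the two sample requests and the function names are assumptions made for the example.

```php
<?php
// Added example (not from the original post): the server re-checks a form
// value against its own list, whatever the browser's Javascript did, and
// escapes everything it prints. Field name, sample requests and function
// names are assumptions made for the example.

$menu = array('item1', 'item2', 'item3');

// Returns the chosen item only if it is one the server itself offered.
function pickMenuItem(array $allowed, array $post): ?string
{
    $item = isset($post['menuItem']) ? $post['menuItem'] : null;
    if (!is_string($item)) {
        return null; // arrays or missing values never reach the comparison
    }
    // Strict in_array: no type juggling, and anything not in the list is dropped.
    return in_array($item, $allowed, true) ? $item : null;
}

// Builds the list the index.php above printed, marking the selection.
function renderMenu(array $menu, ?string $selected): string
{
    $html = "<ul>\n";
    foreach ($menu as $item) {
        $safe = htmlspecialchars($item, ENT_QUOTES, 'UTF-8');
        $mark = ($item === $selected) ? ' class="selected"' : '';
        $html .= "<li{$mark}>{$safe}</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed requests: one a <select> would produce, one crafted by hand
// after the client-side check was bypassed.
$legit   = array('menuItem' => 'item2');
$crafted = array('menuItem' => '<script>alert(1)</script>');

echo renderMenu($menu, pickMenuItem($menu, $legit));
echo renderMenu($menu, pickMenuItem($menu, $crafted));
```

The crafted request produces a list with nothing selected rather than an error or, worse, the injected markup: the server only ever echoes strings it defined itself, and escapes them anyway.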

To wrap up, take a look at the Google Maps application. While Javascript handles the marker positioning, displaying images and constructing the map, a server side language (PHP, I believe) retrieves the user's position from the IP address to place the marker, calculates routes and gathers the map images (in Google Maps specifically this is done through an API).

Now let’s start learning some PHP scripting [next].

Posted in PHP, development, resources | 1 Comment »