So, you know PHP pretty well, and you think you can start making awesome forum software, or better yet, your own portal? That's great! Except there's one problem: if you're just starting out, the chances are really high that your code is vulnerable to injections, or that you're just not making very good code. Don't worry though, this is a phase almost all PHP programmers go through. I will show you how to make your scripts a bit more secure/more compatible than before.
==Part I: register_globals==
If you've ever worked with forms, or dynamic id retrieval before, then you might be used to retrieving a parameter simply by using a variable with the same name as the parameter. If that wasn't too clear, here's an example of a URL that you would like to get the ID from
You're probably thinking "oh, that's easy as pie! I just need to use the $id variable!". Well, if you think that, you are a BAD CODER (don't worry, it'll get better when you finish reading this long tutorial). You should use $_GET['id'] . Am I not making much sense to you? Good. Here's how all this stuff actually works:
When you go to a page like hello.php?firstname=john&lastname=doe , your browser sends what are called GET variables to your script. GET variables are variables that show up solely in the URL. This is generally used so people can directly access some content just by typing the URL. These should usually be short, because nobody likes really long URLs anyway (and browsers and servers impose a length limit on them).
Now, usually when you submit a longer form such as the post I am writing right now, your browser sends all the data as POST variables. These variables don't show up in the URL, and are handled "in the background" by your browser as part of the request body (I won't go in depth on how they really are sent). POST data is not subject to the URL length limit, so you can send pretty much all the data you want with a POST.
Now, to make it much easier for beginners, the people developing PHP thought it would be a good idea to have PHP automatically handle this data and flawlessly give you nice variables you can immediately work with. This setting is called register_globals, and it is sadly automatically enabled by default on most servers you will find.
But as I said, the variables you get with this setting enabled are not really safe. Imagine you have a script that never initializes a variable called $cheese, and you just take it for granted that $cheese will be empty. Well, if I request yourpage.php?cheese=MALICIOUSDATA, $cheese will contain MALICIOUSDATA and you won't even know what happened! Thankfully, to avoid these types of problems, there is a much safer and more reliable way to access data sent to the script: arrays called superglobals. That is, you can access them at any time in the script, in any function and any class, without worrying about variable scope. Pre-defined superglobals are in ALL CAPS, and prefixed with an underscore ( $_ ). Simple enough.
So, now that you know the difference between GET and POST variables, you can simply access the array elements $_GET['name'] and $_POST['name'] ! This makes sure that none of your regular variables get overwritten by request data. So, an example to access some GET data would be:
echo $_GET['firstname'] . ' ' . $_GET['lastname'];
The same goes for $_POST. Make sure the key you access is between quotes (single quotes are better; this is covered in the next chapter).
There are a few predefined superglobals:
$_GET['name'] : Accesses the value stored in the GET variable 'name'. Ex: $_GET['id'] gets the value '2' from test.php?id=2
$_POST['name'] : Accesses the value stored in the POST variable 'name'. Ex: $_POST['postBody'] gets the value of the form element named 'postBody'
$_COOKIE['name'] : Accesses the value stored in a user cookie 'name'. Ex: $_COOKIE['userId'] gets the value of 'userId' that was in the viewer's cookie.
$_REQUEST['name'] : Combines $_GET, $_POST and $_COOKIE. Please, don't use it at all unless you're sure you want to accept the variable from any of the three sources.
$_FILES['name']['property'] : Accesses the property 'property' of the uploaded file 'name'. Ex: $_FILES['flash']['size'] gets the size (in bytes) of the file uploaded through the form field named 'flash'
$_SERVER['NAME'] : Accesses the server variable 'NAME'. Ex: $_SERVER['REMOTE_ADDR'] gets the IP address of the person viewing the page.
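Here is the register_globals problem from Part I and the superglobal fix side by side, as an added example that is not part of the original post. The file name admin.php, the session key 'user', and the 'id' parameter are all hypothetical; the point is that every variable your logic depends on is set by you, and every piece of request data is read through $_GET and validated.

```php
<?php
// Added example (hypothetical admin.php), not from the original post.
session_start();

// ---- Fragile version: only safe if $is_admin is never set beforehand ----
// With register_globals enabled, a request such as admin.php?is_admin=1
// creates $is_admin before any of this code runs, so the "if" below is
// skipped and the page still shows the admin area.
if (isset($_SESSION['user']) && $_SESSION['user'] === 'admin') {
    $is_admin = true;
}
if (!empty($is_admin)) {
    echo 'Welcome, admin (fragile check).', "\n";
}

// ---- Hardened version ----
// 1. Initialize every variable yourself, so nothing coming from the
//    request can pre-populate it, whether register_globals is on or off.
$is_admin = false;
if (isset($_SESSION['user']) && $_SESSION['user'] === 'admin') {
    $is_admin = true;
}
if ($is_admin) {
    echo 'Welcome, admin (hardened check).', "\n";
}

// 2. Read request data only through the superglobals, and validate it.
//    Here 'id' is expected to be a positive integer (e.g. admin.php?id=2).
$id = 0;
if (isset($_GET['id']) && ctype_digit($_GET['id'])) {
    $id = (int) $_GET['id'];
}
if ($id === 0) {
    echo 'Missing or invalid id.', "\n";
    exit;
}
echo 'Showing item ', $id, "\n";

// 3. A quick check you can drop into any page to see whether the server
//    still has register_globals turned on (the setting was removed in PHP 5.4,
//    so ini_get() returns false there).
if (ini_get('register_globals')) {
    error_log('register_globals is enabled; never rely on uninitialized variables.');
}
```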
==Part II: Strings==
You know how when you want to echo a variable, you do
$bob = 'My name is Bob';
echo "The variable Bob contains this: $bob";
Well, it's again a pretty bad habit. Let me explain:
When you use double quotes ( "lol" ), PHP scans the entire string for variables and escape sequences that it has to replace. Single quotes do not do ANY replacement, so 'Hello, $bob' will output Hello, $bob : $bob is not replaced, and the $ is kept. This is called a literal string. This is why when you want to output a simple variable with some text, you should use the dot ( . ) operator, which concatenates one string onto another. So, taking our example above, you should do
echo 'The variable Bob contains this: ' . $bob;
PHP won't ask itself any questions, and will simply output 'The variable Bob contains this: ', and then will output the $bob variable. Not only is this slightly faster to parse, but it also makes your code look cleaner, and will allow syntax highlighters and code-completion to work fine.
Now, I understand that if you have a giant string full of variables, you should use double quotes and just type it all. This is perfectly normal, and saves some useless typing.
Note: If you want to output a newline and you're using single quotes, do not just put \n in single quotes, it will be displayed literally as \n! You should close the string, and append a \n in double quotes (i.e. echo 'Hello, ' . "\n" . 'world!')