WIXLIB

CONTENTS ” xiChapter 10 — SecurityConcepts and Practices . . . . . . .All Input Is Tainted . . . . . . .Whitelist vs. Blacklist FilteringFilter Input . . . . . . . . . . . .Escape Output . . . . . . . . . .Register Globals . . . . . . . . .Website Security . . . . . . . . . . . .Spoofed Forms . . . . . . . . .Cross-Site Scripting . . . . . . .Cross-Site Request Forgeries .Database Security . . . . . . . . . . .Session Security . . . . . . . . . . . .Filesystem Security . . . . . . . . . .Remote Code Injection . . . . .Command Injection . . . . . .Shared Hosting . . . . . . . . . . . .Summary . . . . . . . . . . . . . . . 33234Chapter 11 — Streams and Network ProgrammingAccessing Files . . . . . . . . . . . . . . . . . . . .Common C-like File Functions . . . . . . . .Simple File Functions . . . . . . . . . . . . .Working with Directories . . . . . . . . . . .Controlling File Access . . . . . . . . . . . . .Accessing Network Resources . . . . . . . . . . . .Simple Network Access . . . . . . . . . . . . .Stream Contexts . . . . . . . . . . . . . . . . .Advanced Stream Functionality . . . . . . . .Stream Filters . . . . . . . . . . . . . . . . . .Summary . . . . . . . . . . . . . . . . . . . . . . . .237239241243244245247247248248249250.Licensed to IL-05391-09 - Philippe Dellaert (philippe@dellaert.org)Creating SOAP-based Web Services . . . . . . . . . . . . . . . . . . . . . 209REST . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

xii ” CONTENTSIndex.253253254254255256257Licensed to IL-05391-09 - Philippe Dellaert (philippe@dellaert.org)Appendix A — Differences Between PHP 4 and 5Language Features . . . . . . . . . . . . . . . .Objects . . . . . . . . . . . . . . . . . . . . . . .Magic Methods . . . . . . . . . . . . . . .Selected New Extensions . . . . . . . . . . . . .Error Management . . . . . . . . . . . . . . . .

Licensed to IL-05391-09 - Philippe Dellaert (philippe@dellaert.org)

Licensed to IL-05391-09 - Philippe Dellaert (philippe@dellaert.org)

With PHP breaking new ground in the enterprise arena, the establishment of a ratified certification was, some might say, inevitable. However, for me, it couldn’t comesoon enough—and I was ecstatic when Zend launched their PHP 4 Certification.With more than 1,500 certified engineers to date, there is no doubt that their endeavour has been a success.Now, with the introduction of the long-awaited PHP 5 certification, Zend has onceagain raised the bar for PHP developers everywhere. This examination is muchbroader, and requires much more than just theoretical knowledge—in order to passthe test, candidates need real-world knowledge in addition to a solid theoreticalbackground.The effect of the PHP 5 certification, for me, is even more profound than that ofthe original certification, and I believe that it will become the gold standard for thoselooking to hire PHP-centric Web Developers. I think that it is apt to consider Zend’swork a job well done, and to applaud those who invest the time and effort needed tobecome Zend Certified Engineers.Davey ShafikZephyrhills, FloridaSeptember 2006Licensed to IL-05391-09 - Philippe Dellaert (philippe@dellaert.org)Foreword

Licensed to IL-05391-09 - Philippe Dellaert (philippe@dellaert.org)

We wrote php architect’s Zend PHP 5 Certification Study Guide with the specific intent of making it useful in two situations: For candidates who are preparing for the Zend exam For student of instructor-led classes who are approaching and studying PHPfor the first timeThese choices may seem obvious, but they, in fact, imply that we made a significantassumption about our readers.In the first instance—when you are studying for the PHP exam—we want this bookto act as a guide to your studies. Because you should not take on the exam unlessyou have a working knowledge of PHP, this book will guide you through the differenttopics that make up the exam with the idea that you will either be already familiarwith them, or that you will use the PHP manual as a reference companion to explorein depth those subjects that you need to freshen up on.If, on the other hand, you are using this book in an instructor-led class, we intendit to act as a companion to your classroom experience, and not as a self-study orreference tool.As a result, this Guide does not teach you how to program in PHP, nor does it provide exhaustive coverage of every single topic. This is by design—an all-inclusivebook would have missed the mark on both fronts: for starters, it would have beenmuch bigger and more expensive; it would have make preparing for the exam muchmore difficult, as the significant amount of extraneous material—useful for reference purposes, but detrimental to studying for the exam—would have made theLicensed to IL-05391-09 - Philippe Dellaert (philippe@dellaert.org)How To Use This Book

xviii ” CONTENTSLicensed to IL-05391-09 - Philippe Dellaert (philippe@dellaert.org)study process much more complicated than it would have to be; and, finally, itwould negate the purpose of serving as a good textbook for a class, where we believethat simplicity while you are trying to learn foreign concepts trumps exhaustivenesshands-down.In short, we feel that there is a single reference text for PHP that is simply unbeatable: the PHP manual, which you can download and access directly online athttp://www.php.net. The manual is constantly up-to-date and contains informationon every single PHP-related topic under the sun—not to mention that, best of all, itis completely free.

Licensed to IL-05391-09 - Philippe Dellaert (philippe@dellaert.org)

Licensed to IL-05391-09 - Philippe Dellaert (philippe@dellaert.org)

PHP BasicsEvery PHP application is forged from a small set of basic construction blocks.From its very inception, PHP was built with the intent of providing simplicity andchoice—and this is clearly reflected in the number of options available in buildingapplications. In this chapter, we will cover the essentials that you will use day in andday out.SyntaxPHP’s syntax is derived from many languages—predominantly the C language, butPerl has also had a lot of influence on its syntax. With the latest object-oriented additions, more Java-like syntax is creeping in as well. Despite incorporating elementsof so many other languages, PHP’s syntax remains simple and easy to understand.Source Files and PHP TagsEven though it is often used as a pure language, PHP is primarily designed as a textprocessor (hence its name). To facilitate this role, PHP code can be inserted directlyinto a text file using a special set of tags; the interpreter will then output any textoutside the tags as-is, and execute the code that is between the tags.There are four types of tags available:Licensed to IL-05391-09 - Philippe Dellaert (philippe@dellaert.org)Chapter 1

4 ” PHP BasicsStandard Tags ?php.code? Short Tags ?.code? .ASP Tagscode /script %.code% Standard tags are the de-facto opening and closing tags; they are the best solution forportability and backwards compatibility, because they are guaranteed to be availableand cannot be disabled by changing PHP’s configuration file.Short tags were, for a time, the standard in the PHP world; however, they do havethe major drawback of conflicting with XML headers and, therefore, have somewhatfallen by the wayside. Their other advantage is the availability of the short form ? variable ? syntax, which allows you to print the result of an expression directly to the script’s output.Script tags were introduced so that HTML editors which were able to ignoreJavaScript but were unable to cope with the standard PHP tags could also ignorethe PHP code. Nobody quite understands why ASP tags were introduced—however,if you are so inclined you can turn on this optional configuration option, and you arefree to use them.iShort tags, script tags and ASP tags are all considered deprecated and their use isstrongly discouraged.Licensed to IL-05391-09 - Philippe Dellaert (philippe@dellaert.org)Script Tags ? variable ? script language “php”

PHP Basics ” 5It is important to remember that every character outside of PHP tags is copied as-isby the interpreter to the script’s output—and this includes newline characters.Newlines are, normally, ignored by browsers, as they are non-semantic charactersin HTML. However, they are also used as separators between the header portion ofa web server’s HTTP response and the actual data; therefore, outputting a newlinecharacter before all of the headers have been written to the output can cause somerather unpleasant (and unintended) consequences. To mitigate this problem, thefirst newline directly after a closing tag (? only) is stripped by the parser. Doing soalso solves a problem introduced by the fact that a number of popular text editorswill automatically prepend a newline to the end of your file, thus interfering withinclude files which are not supposed to output any textiAn easy way to prevent spurious output from an include file is to omit the closing tagat the end, which the parser considers this perfectly legal.Anatomy of a PHP ScriptEvery PHP script is made up of statements, like function calls, variable assignments,data output, directives, and so on. Except in very few cases, each of these instructions must be terminated—just like in C, Perl and JavaScript—with a semicolon. Thisrequirement is not always strict—for example, the last instruction before a closingtag does not require a semicolon; however, these should be primarily consideredquirks in the parser’s logic, and you should always terminate your instructions witha semicolon:some instruction(); variable ’value’;Licensed to IL-05391-09 - Philippe Dellaert (philippe@dellaert.org)Newline Characters

6 ” PHP BasicsCommentsAnother common part of any programming language is comments. It is a good programming practice to comment every function, class, method or property in yourcode (although you will likely come across lots of code that is poorly commented—ornot at all). Remember—any code that took thought to write will take thought to reread after several days, months or in some cases, years.As with tags, PHP gives you multiple choices for your comments:# Single line comment/* Multi-linecomment*//*** API Documentation Example** @param string bar*/function foo( bar) { }Both types of single line comments, // and #, can be ended using a newline (\r, \n or\r\n) or by ending the current PHP block using the PHP closing tag—? .iBecause the closing tag ? will end a comment, code like // Do not show this ? orthis will output or this, which is not the intended behaviour.WhitespaceFinally, we reach a subject with very little substance (pun definitely intended):whitespace. PHP is whitespace-insensitive, except in a few key areas. This meansthat there are no requirements to use (or not to use) a specific type of whitespacecharacter (e.g.: tabs rather than spaces), or a particular number of whitespace characters. However, there are a few limitations:Licensed to IL-05391-09 - Philippe Dellaert (philippe@dellaert.org)// Single line comment

PHP Basics ” 7 You can’t have any whitespace between ? and php You cannot break apart keywords (e.g.: whi le, fo r, and funct ion) You cannot break apart variable names and function names, (e.g.: var nameand function foo bar())Code Block{// Some commentsf(); // a function call}Code blocks are handy for creating groups of script lines that must all be executedunder specific circumstances, such as a function call or a conditional statement.Code blocks can be nested.Language ConstructsConstructs are elements that are built-into the language and, therefore, follow special rules. Perhaps the most common of them is the echo statement, which allowsyou to write data to the script’s output:echo 10; // will output 10It’s important to understand that echo is not a function and, as such, it does not havea return value. If you need to output data as part of a more complex expression,you can use print() instead, which whilst also a language construct, behaves like afunction, as it has a return value (which is always 1).echo 10;print (10);Licensed to IL-05391-09 - Philippe Dellaert (philippe@dellaert.org)A code block is simply a series of statements enclosed between two braces:

8 ” PHP BasicsAnother very important construct is die(), which is itself an alias of exit(). It allowsyou to terminate the script’s output and either output a string or return a numericstatus to the process that called the script.Functions are, obviously, an important element of the PHP language. As such, they arecovered in their own, eponymous chapter.Data TypesPHP supports many different data types, but they are generally divided in two categories: scalar and composite.A scalar value contains only one value at a time. PHP supports four scalar types:booleanintfloatstringA value that can only either be true or falseA signed numeric integer valueA signed floating-point valueA collection of binary dataNumeric ValuesPHP recognizes two types of numbers, integers and floating-point values. The intdata type is used to represent signed integers (meaning that both positive and negative numbers can be expressed with it). Numbers can be declared using severaldifferent notations:Decimal10; -11; 1452Octal0666, 0100Standard decimal notation. Note that nothousand separator is needed—or, indeed,allowed.Octal notation—identified by its leading zeroand used mainly to express UNIX-style accesspermissions.Licensed to IL-05391-09 - Philippe Dellaert (philippe@dellaert.org)i

PHP Basics ” 9HexadecimalBase-16 notation; note that thehexadecimal digits and the leading0x prefix ar

Nov 21, 2014 · 7.50 x 9.25 .571 7.50 x 9.25 ZEND PHP 5 Certification STUDY GUIDE Davey Shafik and Ben Ramsey MSRP 32.99 USD From the publishers of Shelve