copyright 2009 justin c. klein keane php code auditing session 1 – php foundations justin c. klein...

Copyright 2009 Justin C. Klein Keane

PHP Code Auditing

Session 1 – PHP FoundationsJustin C. Klein Keane

[email protected]


Overview

Purpose of these sessions Gage PHP competency Assignments Length of the course


What is PHP?

Dynamic scripting language Written in C

Served by a web server (Apache) CLI Current version is PHP 5 http://php.net


Commercial Support

Zend (http://www.zend.com) Produces Zend Studio IDE Also produces debuggers, enterprise servers,

etc. Founded by some of the chief PHP

developers


Developing PHP

Access to a web server that supports PHP Eclipse using PHP Development Tools (PDT)

Bundle from http://www.eclipse.org/pdt Nice to have Remote System Exporer (RSE)

installed as well http://www.eclipse.org/dsdp/tm/

Best source of documentation is http://php.net


PHP Basics

PHP is plain text When a URL is requested Apache parses the

text file and interprets any PHP Apache must be able to read the file Apache interprets the file every time

.php is the common extension but any is possible


Structure of PHP

PHP is delimited with:

<?php

?> Any material between the delimiters is

interpreted Text outside of the delimiters is treated as static


Simple 'Hello world'

<?php

echo “Hello world”;

?>


Web friendly 'Hello world'

<html>

<body>

<?php

echo “Hello world”;

?>

</body>

</html>


Apache renders as:

<html>

<body>

Hello world

</body>

</html>


PHP Syntax - Comments

// One line comment

/*Multiline comment

*/

# Acceptable but discouraged one line comment


PHP Syntax Basics - Variables

Variables are denoted with the $ sign Variables names must be alphanumeric or

undersign PHP variables are case sensitive


PHP Variables

Variables are not statically typed Integers can become floats can become strings Variable types include:

Boolean

Integer

Float

String

Array

Object

Resource

NULL


Operators

Arithmetic operators +, -, *, /, %

String operators .

Assignment operators =, .=, +=, -=, *=, /=


Operators (cont.)

Comparison operators ==, ===, !=, <>, !==, <, >, <=, >=

Increment, decrement operators ++, -- (pre and post)

Logical operators !, &&, ||, and, or, xor


Strings

Strings are delimited by quotes Different behavior depending on single or

double quote Example strings:

$a = 'foo'; $b = “$a bar”; $c = $a . $b


Arrays

$array = array();$array = ('one', 'two', 'three');$array[0] = 'new one';

$assoc_array = ('one'=>'uno', 'two'=>'dos');$assoc_array['one'] = 'uno nuevo';


Control Structures

If Else Elseif and else if


If Else Statement

if ($a < $b) {print “$a is less than $b”;

}else {

print “$b is less than $a”;}

Can you spot the logic flaw above?


If Else Statement (alt)

if ($a < $b)echo “$a is less than $b”;

else if ($a == $b) echo “$a is equal to $b”;

else echo “$b is less than $a”;


Ternary Statement

$result = ($a < $b) ? 'a is less' : 'a is not less';


While loops

$a = 1;while ($a < 10) {

echo $a . “<br/>”;$a++;

}


Do While Loops

$a = 0;do {

echo $a;$a++;

} while ($a < 10);


For loop

for ($a=0; $a<10; $a++) {echo $a . “<br/>”;

}


Break Control

for ($a=0; $a<10; $a++) {if ($a == 5) break;echo $a;

}


Continue (skip)

for ($a=0; $a<10; $a++) {if ($a==5) continue;print $a;

}


Switch

switch ($a) {case 0:

echo 'a is zero';break;

case 1:echo 'a is one';break;

default:echo 'a is something else';

}


Functions

function foo() {return “bar”;

}

echo foo();


Functions (cont.)

function foo($a='bar') {$a .= “ something”;return $a;

}

$retval = foo('foo');


Classes

class Foo {$name;__construct($name) {

$this->name = $name;}

}

$myvar = new Foo('foobar');echo $myvar->name;


Classes (cont.)

class Foo {$var = 'bar';function getVar() {

$var = 'inner_var';return $var;

}}

$a = new Foo();$b = $a->getVar();


Building PHP with Includes

<?phpinclude('inc/foo.php');require('inc/bar.php');$a = new Foo();echo $a->somevar;

?>

Some Useful Built-in Functions for Debugging

die(“message”);

echo “”;

print_r($variable);

echo phpinfo();


For Next Time

1) Install Eclipse PDT

2) Install the RSE extensions

3) Download the VMWare image for development

4) Connect to the VMWare image web root at: /var/www/html

5) Create a new default page with your name and the PHP configuration information

copyright 2009 justin c. klein keane php code auditing session 1 – php foundations justin c. klein...

Documents