A presentation with an accompanying example app to help beginners start building basic web applications. The example does not need a web or database server but can be used to display a web page and save data. Basic tenets for protecting a PHP web application from HTML injection, cross-site scripting, and SQL injection are covered in the slides and the example. The accompanying example application is highly commented to help with understanding why certain actions are taken.
2. Who Am I?
Adam Englander
adamenglander@yahoo.com
@adam_englander
http://adamknowsstuff.com
https://github.com/derptest
• DirectEdge Brands Director of Software Development
• Coupla CTO
• Founder/Organizer of Las Vegas PHP Users Group
• Co-Organizer of Las Vegas Developers Users Group
• #VegasTech Enthusiast
http://www.slideshare.net/AdamEnglander/basic-web-development-in-php
3. Overview
In this presentation you will learn how to build a web page that does the following:
Interacts with the user via HTML forms
Stores data in a database
Displays data stored in a database
Handles errors properly
Prevents injection attacks
Runs without installing a web server
4. Interacting with users via forms
Use the “post” method (method="post") in your forms
Post data is accessible via the $_POST super global variable
Validate submitted data
Use htmlentities() when setting form data to prevent HTML injection and cross-site scripting (XSS)
5. Storing Data in a Database
Use PDO when possible
Plenty of tutorials and examples
Allows for prepared statements to prevent SQL injection
Saves memory with result cursors
Allows use of multiple back-ends
Use prepared statements to prevent SQL injection attacks
Use exception error mode for ease of error handling
6. Displaying Data Stored in a Database
Use PDO – see last slide
Loop with fetch instead of fetchAll to save on memory
If you are filtering data, use prepared statements and bind to prevent SQL injection attacks
7. Handle Errors Properly
Turn off error display to the user
Use try/catch exception handling to reduce complexity
Show the user a generic error message that can be tracked back to the error logs
Place as much data as possible in the error logs without risking exposing secret or private data
8. Prevent Injection Attacks
Use prepared statements with binding to prevent SQL injection
Validate input data to prevent malicious data being stored or shown to the user
Use htmlentities() to encode HTML and prevent HTML injection and cross-site scripting (XSS)
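Putting slides 4 through 8 together, here is an added example (not the presentation's starter-app): a single-file PHP guestbook that uses PDO with SQLite, so it needs no database server. It assumes a writable guestbook.sqlite next to the script and can be served with the built-in server from slide 9.

```php
<?php
// Added example (not the presentation's starter-app): a guestbook page that
// applies the slides' advice. Assumes SQLite via PDO, so no DB server is needed.
declare(strict_types=1);
ini_set('display_errors', '0'); // slide 7: never show raw errors to the user
ini_set('log_errors', '1');
function openDb(string $path): PDO {
    $pdo = new PDO('sqlite:' . $path);
    // Exception error mode: any failed query throws, so one try/catch covers all
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS guests (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $pdo;
}
// Validate before storing: a short name of letters, spaces and a few marks only
function validName(?string $name): bool {
    return $name !== null && preg_match('/^[\p{L} .\'-]{1,60}$/u', $name) === 1;
}

try {
    $pdo = openDb(__DIR__ . '/guestbook.sqlite');
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $name = $_POST['name'] ?? null;            // form data arrives in $_POST
        if (!validName($name)) {
            $error = 'Please enter a name (letters, spaces, . \' - only).';
        } else {
            // Prepared statement with a bound value: the input is never parsed as SQL
            $stmt = $pdo->prepare('INSERT INTO guests (name) VALUES (:name)');
            $stmt->execute([':name' => $name]);
        }
    }
    // Loop with fetch() rather than fetchAll() so rows stream instead of loading at once
    $stmt = $pdo->query('SELECT name FROM guests ORDER BY id DESC');
    $rows = '';
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        // htmlentities() on output: stored text renders as text, never as markup
        $rows .= '<li>' . htmlentities($row['name'], ENT_QUOTES, 'UTF-8') . '</li>';
    }
} catch (Throwable $e) {
    // Log the detail under a reference id; the user sees only a generic message and the id
    $ref = bin2hex(random_bytes(4));
    error_log("[$ref] " . get_class($e) . ': ' . $e->getMessage());
    http_response_code(500);
    exit('Something went wrong. Reference: ' . $ref);
}
$old = htmlentities($_POST['name'] ?? '', ENT_QUOTES, 'UTF-8'); // re-fill the form safely
?>
<form method="post"><input name="name" value="<?= $old ?>"><button>Sign</button></form>
<?php if (!empty($error)) echo '<p>', htmlentities($error, ENT_QUOTES, 'UTF-8'), '</p>'; ?>
<ul><?= $rows ?></ul>
```

Submitting a name such as `<b>x</b>` or `'; DROP TABLE guests; --` stores and displays it literally, because the bound parameter and the output encoding keep it out of both the SQL and the HTML.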
9. Run a PHP Web App Without Installing a Separate Web Server
As of PHP 5.4, PHP has a built-in web server
Provides a simple way for building, testing, and debugging a web application without installing a bunch of infrastructure.
The built-in web server SHOULD NOT be used for a live application
10. Let's See an Example in Action
A sample application that provides a registration book of sorts is available to download/checkout on my Github account:
https://github.com/aenglander/starter-app
Download the zip or clone the repository to see a highly commented example of how to accomplish the items in these slides.