Filipino Programmer | Philippines

With so many success stories about PHP programming, may it be in web development side or scripting side. Programmers around the world know PHP, but have you ever asked the question about PHP History? Who created PHP and how it started to be one of the most used and successful web development language.

It all started at “Home”

I will share you a little PHP history I have learned since I began using PHP. First what does “PHP” means? Well when Rasmus Lerdorf created the first binaries of what we called PHP today it was used as a small tool to display his personal home page, which is in fact his resume, and to do some certain tasks, such as how much traffic his page was receiving.

PHP Development Timeline

In June 8, 1995 Lerdorf publicly released “Personal Home Page Tools” after Lerdorf combined it with his own Form Interpreter to create PHP/FI (this release is considered PHP version 2). Two Israeli programmers Zeev Suraski and Andi Gutmans on that time working at Technion IIT, rewrote the parser in 1997 which formed the base of PHP 3, changing the language’s name to what we know now as PHP: Hypertext Preprocessor. After of months beta test, PHP 3 began and the official launch on June 1998. Soon after that Suraski and Gutmans then started a new rewrite of PHP’s core, producing the Zend Engine in 1999. They also founded Zend Technologies in Ramat Gan, Israel, which actively manages the development of PHP. In May 2000, PHP 4, powered by the Zend Engine 1.0, which is one of the two major versions of PHP are being actively developed, PHP 5 which was released on July 13, 2004 by the new Zend Engine II. PHP 4 will be supported by security updates until August 8, 2008. PHP 6 is currently under development, and is slated to release in conjunction with the decommission of PHP 4.

Bookmark This!

While spending 3 long days of no work, I have looked into the web for some puzzles and trivia dealing with dominant brain puzzles and informations. Accidentally I found an article about Bill Gates, and his story about the game Petals Around the Rose. Unfortunately Bill, solved this game longer than I tried the game myself. Okay so you might be thinking how the games work, well the games need a regular dice, it does not matter how many but, the game usually uses 5 dice. The rules are simple :

1. The name of the game is Petals Around the Rose, and the name is significant.
2. The roller will tell you how many petals are around the rose based on the dice roll results
3. If you have figured out the answer for 5 or more consecutive rolls, it is understood that you have solved the puzzle, and you should not tell the answer to anybody.

I have created a simple PHP script which emulates the games, if you are up to the challenge play Petals Around the Rose

Bookmark This!

Scenario:

You are coding a HTML form with the following form elements:
- checkbox
- mutiple select

Normally you would name the [checkbox] a “name” for all instances example:

<input type="checkbox" name="btype" value="a"> Type A
<input type="checkbox" name="btype" value="b"> Type B
<input type="checkbox" name="btype" value="o"> Type O
<input type="checkbox" name="btype" value="ab"> Type AB

For your [mutiple select] you just add “mutiple” on the select tag to make the dropdown element select mutiple items defined on the options tag.

Problem:

When submitting a group of checkboxes with the same name and a mutiple select, values passed on POST is the last item selected. For example, if you selected all checkbox named [btype] you are expecting the values (a,b,o,ab) will be returned as a string. But the problem is on PHP only value (ab) is returned.

In PHP POST and GET variables are treated differently, in order to retrieve all selected checkboxes and select option, you need to name your form elements with a “[]” (bracket) after the name, implying that the element will contain array values. In PHP you can define form elements as array values by adding “[]”, you can also explicitly define key names for array like for example:

Name:  <input type="text" name="personal[name]">
Email:   <input type="text" name="personal[email]">

By doing that you can access that values on PHP by:

foreach($personal as $key => $value) {
   print "$key => $value<br>";
}

One more problem that you might encounter is when using javascript to handle checkboxes and mutiple select, one classic example is for checkbox if you want to add a “Check All” button which selects all checkboxes, remember that you had named the checkboxes “btype[]” in order to define that variable as array, thus retrieving all selected checkboxes on PHP end. But how in the world can you access that name on javascript. Since javascript is also using “[]” to define array the best possible way to access form elements named with “[]” brackets are using:

...
document.forms[0].elements['btype[]'];
...

Summary:

When working on multiple select and checkboxes in PHP name this elements with “[]” to instruct PHP to store the values on array example:

<input type="checkbox" name="btype[]" value="a"> Type A
<input type="checkbox" name="btype[]" value="b"> Type B
<input type="checkbox" name="btype[]" value="o"> Type O
<input type="checkbox" name="btype[]" value="ab"> Type AB

<select name="season[]" multiple>
	<option value="spring">Spring</option>
	<option value="summer">Summer</option>
	<option value="autumn">Autumn</option>
	<option value="spring">Winter</option>
</select>

You can access it on PHP as regular arrays, note that in PHP 3, the array form variable usage is limited to single-dimensional arrays. As of PHP 4, no such restriction applies. Accessing named form elements with “[]” on javascript using this code:

...
document.forms[0].elements['btype[]'];
...

Bookmark This!

Web Developers, write thousands of codes each project. On each web development projects lies a series of little codes called Javascript. April 1995, when Brendan Eich started working on Javascript for Netscape Navigator browsers. The web scripting language was first released under the name of LiveScript as part of Netscape Navigator 2.0 in September 1995. It was renamed JavaScript on December 4, 1995.

In “Making Web Pages Come Alive” Brendan Eich said the following about how JavaScript came about:

I came to Netscape in April 1995, after seven years at Silicon Graphics and three years at MicroUnity Systems Engineering. Netscape was about a year old then and was looking for someone to work on a scripting language or some kind of language inside the browser that could be used to automate parts of a web page or make a web page more dynamic. Java had been around for five years at First Person and Sun, and had been retooled for the web in late 1994. Netscape was the first Java licensee, so the issue became: Can we do just Java, or do we need another language?

Eich attended the University of Illinois at Urbana-Champaign, where he received his master’s degree in 1986. He then helped found mozilla.org in early 1998, serving as chief architect. When AOL shut down the Netscape browser unit in July 2003, Eich helped spin out the Mozilla Foundation.

In August 2005, after serving as Lead Technologist and as a member of the Board of Directors of the Mozilla Foundation, Brendan became CTO of the newly founded Mozilla Corporation. Brendan Eich was named Web Innovator of the Year by c/net’s Builder.com in April 1998.

Bookmark This!

This exploit has been discovered which enables malicious users to upload valid PHP codes disguised is image files. Websites vulnerable to this attacks are website which accepts uploads of images, although this kind of exploit it is not exactly new, I am afraid some sites are still vulnerable due to bad security practices of their developers. Basically uploaded files are moved to a given directory. If the site then serves the uploaded images directly on their server, the malicious file can be executed via url.
The basic solution to avoid this problem is to either serve images only with actual extensions of image files (.gif, .png, .jpeg), or protect the upload directory to avoid direct requests to where the images are located.

Depending on your PHP setup, it may or may not be easy to protect your uploaded images directory. In Apache it can be done using a .htaccess file with lines like this:

<Files images>
deny from all
</Files>

Alternatively you can use other PHP functions to serve image files as images, and so, avoid triggering the execution of PHP scripts embedded in image files like these readfile.

$file = 'image.gif.php';
Header('Content-Type: image/gif');
readfile('images/'.basename($file));

Note the use of basename function to avoid injection of malicious paths. This way, only files from inside the images directory will be served, even if the original file named was forged to steal server sensitive files like /etc/passwd .

Bookmark This!