PHP: Further Skills 02 By Trevor Adams
Topics covered
• Persistence
  • What is it?
  • Why do we need it?
• Basic Persistence
  • Hidden form fields
  • Query strings
• Cookies
• Sessions
Persistence – What is it?
• Broadly, it is any mechanism that allows values from one page activity to be available on the next
Persistence – State Management
• So why do we need it?
• HTTP has no way of tracking a user’s visit to a web site
  • HTTP simply responds to requests for resources
• Web applications demand more functionality than simple, static web pages can provide
• Data driven web sites often provide access to relatively sensitive data
Persistence – form fields
• Hidden form fields provide a simple way to maintain application state
  • Simple to use HTML
  • Generated by PHP statements
    <input type="hidden" name="action" value="do" id="action" />
• Provides a useful way of processing data differently from one form. E.g.
  • Editing and adding a record can use the same form
  • The action required can be determined from a hidden field named action
  • The script that catches the post can query action and act appropriately
Persistence – Form fields
• Form fields have their disadvantages
  • Have to be managed by the programmer
    • Can be laborious on many forms
  • Data has to be obfuscated if sensitive
    • This is not ideal
    • Remember – HTML is plain text
  • Have to be sent to the server each round trip
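The add/edit pattern from the previous slide as an added example (not part of the original slides, PHP 7.4 or later assumed; save.php is an assumed script name). Because a hidden field is plain text the client can change, the handler only accepts allow-listed actions and validates the record id it is given:

```php
<?php
// Added example, not from the slides: one form serves both "add" and "edit",
// selected by a hidden field named "action". Hidden fields are plain text the
// client can alter, so the handler accepts only allow-listed actions and
// validates the record id it receives. save.php is an assumed script name.

const ALLOWED_ACTIONS = ['add', 'edit'];

function render_form(string $action, int $id = 0, string $title = ''): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="save.php">'
        . '<input type="hidden" name="action" value="' . $h($action) . '" id="action" />'
        . '<input type="hidden" name="id" value="' . $id . '" />'
        . '<input type="text" name="title" value="' . $h($title) . '" />'
        . '<input type="submit" value="Save" /></form>';
}

function handle_post(array $post): string
{
    $action = $post['action'] ?? '';
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        http_response_code(400);
        return 'Unknown action';
    }
    $title = trim((string) ($post['title'] ?? ''));
    if ($title === '' || strlen($title) > 100) {
        http_response_code(400);
        return 'Invalid title';
    }
    if ($action === 'edit') {
        // The id is client-supplied too: require a positive integer, and in a
        // real application also check this user may edit that record.
        $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
        if ($id === false) {
            http_response_code(400);
            return 'Invalid id';
        }
        return "would update record $id with title '$title'";
    }
    return "would insert a new record with title '$title'";
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo htmlspecialchars(handle_post($_POST), ENT_QUOTES, 'UTF-8');
} else {
    echo render_form('edit', 1001, 'Existing title');
}
```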
Persistence – Query Strings
• Query strings allow the passing of variables through the URL
  • E.g. http://example.web/product.php?id=1001
• Multiple variables are declared using the ampersand (&) character
  • E.g. /product.php?id=1001&order=asc
• Values can be accessed using the $_GET array
  • This is used similarly to the $_POST array
  • E.g. from the above example
    <?php echo $_GET["id"]; ?> // prints 1001
Persistence – Query Strings
• Query strings are perfect for bookmarks
  • They are part of the URL
  • Can be given as direct links
• Query strings can persist through basic HTML elements
  • E.g. Hyperlinks (<a>)
Persistence – Query Strings
• Query strings are not ideal in every situation
  • All variables are visible in the URL
    • Useless for sensitive data
  • Some applications specify a 256 character URL limit (including the page)
  • Easy target for unscrupulous people
  • Useless for large input, such as web mail
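The product.php?id=1001&order=asc example from the slides, worked through as an added example (not part of the original slides). Since every value in $_GET is visible in the URL and under the client's control, each one is validated before use and escaped before it goes back into the page:

```php
<?php
// Added example, not from the slides: product.php reads id and order from
// the query string. Everything in $_GET arrives from the client, so each value
// is validated before use and escaped before it is echoed back into HTML.

function read_product_query(array $get): array
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    // order is one of two literal strings; reject anything else rather than
    // letting user text travel towards a database ORDER BY clause.
    $order = strtolower((string) ($get['order'] ?? 'asc'));
    if (!in_array($order, ['asc', 'desc'], true)) {
        throw new InvalidArgumentException('order must be asc or desc');
    }
    return ['id' => $id, 'order' => $order];
}

function product_link(int $id, string $order): string
{
    // http_build_query URL-encodes each key and value and joins pairs with &,
    // so this is the safe way to build a bookmarkable link.
    return '/product.php?' . http_build_query(['id' => $id, 'order' => $order]);
}

try {
    $q = read_product_query($_GET);
    $self = product_link($q['id'], $q['order']);
    echo 'Product ' . $q['id'] . ' (' . $q['order'] . ') '
       . '<a href="' . htmlspecialchars($self, ENT_QUOTES, 'UTF-8') . '">bookmark</a>';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```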
Persistence – Basic Summary
• We can create persistent applications using skills we have already covered
• Hidden form elements
  • Work just like other form elements
  • They do not render on screen
• Query strings
  • Append key=value pairs to a URL
  • Accessible as $_GET array
  • Visible in the URL
Persistence – Cookie time!
• Quick (perhaps dirty) way of persisting data using the client
• Can store data between visits to a site
• Stored as basic text files on the client machine
• Cookie data is sent to the server with each page request (providing the cookie is valid)
Persistence - Cookies
• Cookies have a bad reputation
  • Over used
  • Abused
• In general people do not trust cookies
  • Often they do not know they are needed for the cool things they enjoy on a web site
• Possible poor uses of cookies include:
  • Tracking and reporting browsing habits
  • Reporting products of interest to other web sites
  • Many others
Persistence - Cookies
• Cookies should be used for the “Bells and Whistles” of a web site
• A web site should generally (try to at least) not rely on cookies to be completely functional
  • For example, storing the user’s visual style preference
  • If the cookie is not accepted, the site will still work
Persistence - Cookies
• PHP allows the programmer to set cookies
• The setcookie() function
• This function takes up to 6 parameters
  • Name – required
  • Value – required
  • Expire – the time, in seconds since the Unix Epoch, at which the cookie expires
  • Path – path that the cookie is valid for (e.g. /tja1)
  • Domain – domain that the cookie is valid for (e.g. example.web)
  • Secure – whether it requires HTTPS or not
    setcookie("cssfile", "style.css", time()+1800);
Persistence – Cookie expiration
• The PHP time() function returns the current time measured in the number of seconds since the Unix Epoch (January 1 1970 00:00:00 GMT).
  • Try <?php echo time(); ?>
• time() + 1800 will expire the cookie in 30 minutes
  • 60 seconds * 30 = 1800
• We shall cover time and date functions in the lab session
Persistence - Cookies
• Cookies are available on the subsequent page request from when they are set
• They are accessible via the $_COOKIE array
  • The cookie name is the array key
• Adding values directly to the cookie array will not create a cookie
  • Must use the setcookie() function for this
Persistence - Cookies
• Calls to setcookie() must be made before any output is sent to the browser
  • Cookies are sent in the HTTP header
    <?php
    echo "Hello!";
    setcookie("style", "myfile.css", time()+1800);
    ?>
  • Results in an error
  • Output includes any data, including plain HTML, that comes before the setcookie() call
• Do not store arrays in cookie variables
  • They require special manipulation
  • Stick to basic types, textual/numeric
Persistence – Cookie Summary
• Cookies are great for the ‘nice’ features
• Do not rely on them
  • Not even in closed environments
• They are stored on the client
  • Not stored securely
• Sent with each page request
  • Can be transmitted securely
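The style-preference cookie from the previous slides as an added example (not part of the original slides). It assumes stylesheets live under /styles/ and the site is served over HTTPS, and it uses the array-options form of setcookie(), which needs PHP 7.3 or later (the slides describe the older positional form). The cookie is set before any output, the site falls back to a default if it is missing, and its value is checked against a fixed list on every request because it is plain text the client can edit:

```php
<?php
// Added example, not from the slides: a "cssfile" preference cookie that the
// site can live without. Assumed: stylesheets live in /styles/ and the page is
// served over HTTPS. The cookie is set before any output, its value is checked
// against an allow-list on every request (it is client-controlled plain text),
// and the flags tell the browser to send it only over HTTPS and keep it away
// from scripts. The array-options form of setcookie() needs PHP 7.3 or later.

const STYLE_FILES = ['style.css', 'dark.css', 'large.css'];
const DEFAULT_STYLE = 'style.css';
const STYLE_TTL = 1800; // 60 seconds * 30 = 30 minutes

function chosen_style(array $cookie): string
{
    $value = $cookie['cssfile'] ?? '';
    // Never build a path from the raw cookie value; pick from the fixed list.
    return in_array($value, STYLE_FILES, true) ? $value : DEFAULT_STYLE;
}

function remember_style(string $style): bool
{
    if (!in_array($style, STYLE_FILES, true) || headers_sent()) {
        return false; // unknown file, or too late: the headers are already out
    }
    return setcookie('cssfile', $style, [
        'expires'  => time() + STYLE_TTL,
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// A form post can change the preference; this runs before any echo.
if (isset($_POST['cssfile'])) {
    remember_style((string) $_POST['cssfile']);
    // The new value only appears in $_COOKIE on the next request, so use it now.
    $style = chosen_style(['cssfile' => $_POST['cssfile']]);
} else {
    $style = chosen_style($_COOKIE);
}

echo '<link rel="stylesheet" href="/styles/'
   . htmlspecialchars($style, ENT_QUOTES, 'UTF-8') . '" />';
```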
Persistence - Sessions
• Sessions are stored on the server
• Exist from the time a user starts to use your application to the time they finish
  • Or you programmatically end the session (logout)
• Sessions are very simple to use
  • PHP4 has built-in functionality for sessions
Sessions – in use
• Call the function session_start(); before any output is sent to the browser
• The $_SESSION array is used to store session variables
• Adding values to $_SESSION will automatically persist those values on the server side
Sessions – in use
    <?php
    session_start();
    $_SESSION["uname"] = "tja1";
    ?>
• Subsequent page access
    <?php
    session_start();
    echo $_SESSION["uname"];
    // prints "tja1"
    ?>
Sessions – Why use them?
• Store more complex data, such as arrays, easily
• Data is never involved in a round trip
• In some ways, more secure
  • Although it has security issues of a different nature
  • Well out of the scope of this module
Sessions - Summary
• Persistent data
  • Maintained on the server
• Needs to be initialised before output
• Allows the programmer to implement complex application functionality
• Probably the best choice to facilitate logins
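A login built on $_SESSION, as an added example of the "best choice to facilitate logins" point (not part of the original slides). The user table is a constructed stand-in for a database lookup; session_start() runs before any output, the session id is regenerated on login, and logout clears the server-side data as well as the client's session cookie:

```php
<?php
// Added example, not from the slides: a login kept in $_SESSION. The user
// table is a constructed stand-in for a database lookup. session_start() runs
// before any output; the session id is regenerated on login so an id the
// client already held cannot be reused; logout also expires the session cookie.

session_start();

// Constructed sample user; hash made with password_hash(), never stored plain.
$USERS = ['tja1' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function login(array $users, string $uname, string $password): bool
{
    // Verify against a throwaway hash for unknown users so timing looks alike.
    $hash = $users[$uname] ?? password_hash('unknown-user', PASSWORD_DEFAULT);
    if (!isset($users[$uname]) || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // fresh id; the old session data is deleted
    $_SESSION['uname'] = $uname;   // lives on the server, never in a round trip
    return true;
}

function current_user(): ?string
{
    return $_SESSION['uname'] ?? null;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the client's session cookie, then drop the server-side data.
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

$action = $_POST['action'] ?? '';
if ($action === 'login') {
    $ok = login($USERS, (string) ($_POST['uname'] ?? ''), (string) ($_POST['password'] ?? ''));
    echo $ok ? 'Logged in' : 'Login failed';
} elseif ($action === 'logout') {
    logout();
    echo 'Logged out';
} else {
    $u = current_user();
    echo $u === null ? 'Not logged in' : 'Hello ' . htmlspecialchars($u, ENT_QUOTES, 'UTF-8');
}
```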
Topics covered - summary
• Basic Persistence
  • Query Strings
  • Hidden form elements
• Cookies
  • Client side storage
  • Sent on every page request
  • Not secure
  • Access using $_COOKIE
• Sessions
  • Server side variable storage
  • Accessed using $_SESSION
  • Avoids the client side storage
  • Still suffers from server side attacks
Resources
• Use the PHP web site
  • Search for time
  • Search for session_start
  • Search for setcookie