ABU DHABI POLYTECHNIC
INFORMATION SECURITY ENGINEERING TECHNOLOGY
OCT 1- Secure Web Application Development Security
Laboratory Manual No. 4
Mohammed Saeed Ahmed Alnaqbi
A00051595
PHP Basics and Introduction
Prepared By : Dua’a Abuhamdi
Lab Objectives:
After completing the exercises in this lab, the student will be able to:
Describe the basic syntax of a PHP program
Use variables in a program
Create output statements
Use PHP operators in a program
Needed Materials:
PC
XAMPP (Apache)
Notepad++
Course Outcomes:
Describe how client-side and server-side programs enhance the functionality of the web site.
Use language objects, functions and programming constructs to control the program flow
Using this link: http://www.w3schools.com/php/default.asp
Study the following topics:
PHP Intro
PHP Syntax
PHP Variables
PHP Echo
PHP Operators
PHP If..Else..Elseif
PHP Switch
PHP Intro:
<?php
$x=10;
$myname = "Ahmad";
echo $myname . " is my name";
?>
Practice:
1. Write a PHP code that will manipulate two numbers. Compute and output the sum,
difference and the square of the first number.
<?php
$x=10;
$y=20;
$sum = $x + $y;
$diff = $x - $y;
$sq = $x * $x;
echo "The sum is " . $sum . "<br>";
echo "The difference is " . $diff . "<br>";
echo "The square of the first number is " . $sq;
?>
2. Write PHP code that will manipulate any temperature in Celsius. Then, print its
equivalent Fahrenheit temperature.
F = C * 1.8 + 32
PHP If else
<?php
$average = (70+90+70+80)/4;
if ($average > 70)
    echo "Good Job";
else
    echo "Study harder";
// The same decision written with the ternary operator (condition ? if-true : if-false):
echo $average > 70 ? "Good Job" : "Study Harder";
?>
PHP Switch
<?php
$favcolor="red";
switch ($favcolor) {
case "red":
echo "Your favorite color is red!";
break;
case "blue":
echo "Your favorite color is blue!";
break;
case "green":
echo "Your favorite color is green!";
break;
default:
echo "Your favorite color is neither red, blue, or green!";
}
?>
GET vs. POST
Both GET and POST create an array (e.g. array(key => value, key2 => value2, key3 => value3, ...)). This
array holds key/value pairs, where keys are the names of the form controls and values are the input
data from the user.
PHP exposes the submitted data as $_GET and $_POST. These are superglobals, which means that they
are always accessible, regardless of scope: you can read them from any function, class or file
without having to do anything special.
$_GET is an array of variables passed to the current script via the URL parameters.
$_POST is an array of variables passed to the current script via the HTTP POST method.
When to use GET?
Information sent from a form with the GET method is visible to everyone (all variable names and values
are displayed in the URL). GET also has limits on the amount of information to send. The limitation is
about 2000 characters. However, because the variables are displayed in the URL, it is possible to
bookmark the page. This can be useful in some cases.
GET may be used for sending non-sensitive data.
Note: GET should NEVER be used for sending passwords or other sensitive information!
When to use POST?
Information sent from a form with the POST method is invisible to others (all names/values are
embedded within the body of the HTTP request) and has no limits on the amount of information to
send.
Moreover, POST supports advanced functionality such as support for multi-part binary input while
uploading files to server.
However, because the variables are not displayed in the URL, it is not possible to bookmark the page.
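The following script is an added example (not part of the lab manual or the w3schools page) that puts the GET/POST comparison above into one file. It offers the supermarket form twice, once per method, selects the matching superglobal from the request method, and prints the query string so the student can see that only GET carries the values in the URL. The file name method_demo.php is an assumption; it can be saved under the XAMPP htdocs folder and opened in a browser.

```php
<?php
// Added example (not the lab's own code): one script that accepts the supermarket
// form via either GET or POST and shows where each method carries its data.
// Assumed file name: method_demo.php, placed under XAMPP's htdocs directory.

declare(strict_types=1);

// Pick the superglobal that matches the request method. Both are plain arrays
// keyed by the form control's name attribute.
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$source = ($method === 'POST') ? $_POST : $_GET;

// Read the two fields; a missing key yields null instead of an
// "undefined index" warning on the first (empty) page load.
$amount = $source['amount'] ?? null;
$items  = $source['items'] ?? null;

// Only compute when both values are numeric; a non-numeric string in
// arithmetic raises a TypeError on PHP 8.
$total = null;
if (is_numeric($amount) && is_numeric($items)) {
    $total = (float)$amount * (int)$items;
}
?>
<!DOCTYPE html>
<html>
<head><title>GET vs POST demo</title></head>
<body>
<!-- Same form twice: only the method attribute differs -->
<form method="GET" action="">
  GET: amount <input type="text" name="amount">
  items <input type="text" name="items">
  <input type="submit" value="Send with GET">
</form>
<form method="POST" action="">
  POST: amount <input type="text" name="amount">
  items <input type="text" name="items">
  <input type="submit" value="Send with POST">
</form>

<p>Request method: <?php echo htmlspecialchars($method, ENT_QUOTES, 'UTF-8'); ?></p>
<p>Query string (only GET puts the values here):
   <code><?php echo htmlspecialchars($_SERVER['QUERY_STRING'] ?? '', ENT_QUOTES, 'UTF-8'); ?></code></p>
<p>Request body length (only POST sends a body):
   <?php echo (int)($_SERVER['CONTENT_LENGTH'] ?? 0); ?> bytes</p>

<?php if ($total !== null): ?>
<p>The total cost is <?php echo htmlspecialchars((string)$total, ENT_QUOTES, 'UTF-8'); ?></p>
<?php elseif ($amount !== null || $items !== null): ?>
<p>Both fields must be numbers.</p>
<?php endif; ?>
</body>
</html>
```

Submitting with the GET form changes the browser's address bar to something like method_demo.php?amount=5&items=3 and the same text appears in the query string line; submitting with the POST form leaves the URL unchanged and only the body length is non-zero. Every value echoed back is passed through htmlspecialchars() first, which is the escaping step the Validation section below explains.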
HTML CODE: Sample.html
<html>
<head>
<title>ABC Supermarket</title>
</head>
<body>
<form method="Post" action="Sample1.php">
Enter Amount of an item <input type="text" name="amount"/><br>
Enter Number of an item <input type="text" name="items"/><br>
<input type="submit" />
</form>
</body>
</html>
PHP SCRIPT: Sample1.php
<?php
// The values arrive in $_POST because the form's method is POST; the keys are the
// inputs' name attributes. Default to 0 if the script is opened without submitting.
$Amount = $_POST["amount"] ?? 0;
$Items = $_POST["items"] ?? 0;
$TotalCost = $Amount * $Items;
echo "The total cost is " . $TotalCost;
?>
-----------------------------------------------------------------------------------
Combined Code: Sample.php
<html>
<head>
<title>ABC Supermarket</title>
</head>
<body>
<form method="Post" action="Sample.php">
Enter Amount of an item <input type="text" name="amount"/><br>
Enter Number of an item <input type="text" name="items"/><br>
<input type="submit" />
</form>
<?php
// The form posts back to this same file, so compute only after a submission;
// on the first page load $_POST is empty.
if (isset($_POST["amount"], $_POST["items"])) {
    $Amount = $_POST["amount"];
    $Items = $_POST["items"];
    $TotalCost = $Amount * $Items;
    echo "The total cost is " . $TotalCost;
}
?>
</body>
</html>
Validation
htmlspecialchars()
• The htmlspecialchars() function converts special characters to HTML entities. This means
that it will replace HTML characters like < and > with &lt; and &gt;. This prevents attackers
from exploiting the code by injecting HTML or JavaScript code (Cross-site Scripting attacks)
in forms.
• The code is now safe to be displayed on a page or inside an e-mail.
• We will also do two more things when the user submits the form:
trim()
• Strip unnecessary characters (extra space, tab, newline) from the user input data (with the
PHP trim() function)
stripslashes()
• Remove backslashes (\) from the user input data (with the PHP stripslashes()
function)
• The next step is to create a function that will do all the checking for us (which is much
more convenient than writing the same code over and over again).
• We will name the function test_input().
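As an added example (not code from the lab manual or from w3schools), the script below rewrites test_input() with the htmlspecialchars() flags spelled out and then runs the lab's own cross-site scripting test string through it from the command line, so the encoded result can be inspected without a browser. It also goes one step beyond the lab's three steps by checking the format of the e-mail and website fields with filter_var(); the function names validate_student() and the file name validate_demo.php are assumptions, and the sample submission is constructed for the demonstration.

```php
<?php
// Added example, not the lab's own code: the lab's test_input() with explicit
// htmlspecialchars() options, plus format checks with filter_var().
// Assumed file name validate_demo.php; run with:  php validate_demo.php

declare(strict_types=1);

function test_input(string $data): string
{
    $data = trim($data);          // drop leading/trailing space, tab, newline
    // stripslashes() is kept for parity with the lab. It only undoes backslashes
    // that something else added (the old magic_quotes feature, removed in PHP 5.4);
    // on current PHP it also strips backslashes the user typed on purpose.
    $data = stripslashes($data);
    // ENT_QUOTES also encodes ' and ", so the value is safe inside attribute
    // values such as value='...' as well as in element text; charset is explicit.
    return htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Encode every field for output and separately check the format of two of them.
function validate_student(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (['id', 'name', 'Email', 'website', 'comment'] as $field) {
        $clean[$field] = test_input((string)($post[$field] ?? ''));
    }
    // Encoding makes output safe; it does not check the format. Validate the raw
    // trimmed value, because encoding changes characters such as & inside a URL.
    if (filter_var(trim((string)($post['Email'] ?? '')), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid email format';
    }
    $site = trim((string)($post['website'] ?? ''));
    if ($site !== '' && filter_var($site, FILTER_VALIDATE_URL) === false) {
        $errors[] = 'Invalid website URL';
    }
    // Radio button: accept only the values the form offers, never echo free text.
    $gender = (string)($post['Gender'] ?? '');
    $clean['Gender'] = in_array($gender, ['female', 'Male'], true) ? $gender : '';
    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample submission: the lab's XSS test string in the e-mail field,
// a URL containing & in the website field, and a value the radio buttons never offer.
$sample = [
    'id'      => '  A00000000  ',
    'name'    => 'Test Student',
    'Email'   => '<script>alert("Hacked")</script>',
    'website' => 'https://example.com/page?a=1&b=2',
    'comment' => "line one\nline two",
    'Gender'  => 'other',
];

$result = validate_student($sample);
foreach ($result['clean'] as $field => $value) {
    echo str_pad($field, 8) . ': ' . $value . PHP_EOL;
}
foreach ($result['errors'] as $err) {
    echo 'error   : ' . $err . PHP_EOL;
}
```

The Email line prints as &lt;script&gt;alert(&quot;Hacked&quot;)&lt;/script&gt;, which a browser renders as literal text instead of executing, and the script also reports "Invalid email format" because encoding alone says nothing about whether the value is an address. The website line shows the & encoded as &amp;, which is correct for HTML output but is why the URL check runs on the raw value. The Gender field comes back empty because "other" is not one of the two values the form offers.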
Laboratory Exercise:
1. Write PHP code that will manipulate the number of pieces and the amount of an item
purchased by the customer. The end user is asked to enter the number of pieces and the amount of an
item. Compute and output the Total Cost.
Example:
The number of pieces:
The amount of an item:
The total cost:
2. Write PHP code that will manipulate any temperature in Celsius. Then, print its
equivalent Fahrenheit temperature.
F = C * 1.8 + 32
3. You are asked to practice the following code for an insecure validation form.
Test the code by entering the following cross-site scripting commands in the email text field:
<script>alert("Hacked")</script>
<script>window.location.href=http://en.wikipedia.org/wiki/Hack</script>
Rewrite the above code as follows:
Test the code by entering the following cross-site scripting commands in the email text field:
<script>alert("Hacked")</script>
<script>window.location.href=http://en.wikipedia.org/wiki/Hack</script>
TASK 1
<?php
// Read the two values on submit; default to 0 on the first page load so no
// "undefined index" warning is raised before the form is filled in. The cast
// keeps the multiplication below from failing on non-numeric input.
$P = (float)($_POST['pieces'] ?? 0);
$I = (float)($_POST['item'] ?? 0);
?>
<!DOCTYPE html>
<html>
<head>
<title>Lab 4 OCT</title>
</head>
<body>
<fieldset>
<legend>
Enter purchasing info
</legend>
<form action="Task1.php" method="POST">
The number of pieces: <input type="number" name="pieces"><br>
The amount of an item: <input type="number" name="item"><br><br><br>
<input type="submit" name="submit"><br>
</form>
<h4>Your invoice:</h4>
<?php
echo "The number of pieces: " . $P . "<br>";
echo "The amount of an item: " . $I . "<br>";
echo "The total cost: " . ($P * $I) . "<br>";
?>
</fieldset>
</body>
</html>
TASK 2
<!DOCTYPE html>
<html>
<head>
<title>Lab4</title>
</head>
<body>
<form action="Task1.php" method="POST">
<table border="1">
<tr>
<td>Fahrenheit</td>
<td><input type="number" name="Fahrenheit"></td>
<td><button type="submit">Convert to Celsius</button></td>
</tr>
<tr>
<td> Celsius </td>
<td><input type="number" name="Celsius"></td>
<td><button type="submit">Convert to Fahrenheit</button></td>
</tr>
</table>
<?php
// Both fields are submitted together (one form, two buttons), so convert
// whichever one actually holds a number; empty fields are skipped.
$Fah = $_POST['Fahrenheit'] ?? '';
$Cel = $_POST['Celsius'] ?? '';
if (is_numeric($Cel)) {
    $F = ($Cel * 1.8) + 32;
    echo "From C to F: " . $F . "<br>";
}
if (is_numeric($Fah)) {
    $C = ($Fah - 32) / 1.8;
    echo "From F to C: " . $C;
}
?>
</form>
</body>
</html>
TASK 3 (insecure form)
<!DOCTYPE html>
<html>
<head>
<title>Supermarket</title>
</head>
<body>
<form method="POST" action="Task1.php">
<fieldset>
<legend id="demo">Enter student information</legend>
Student Id: <input type="text" name="id" id="id"><br>
Student Name: <input type="text" name="name"><br>
Email: <input type="text" name="Email"><br>
Website: <input type="text" name="website"><br>
comment: <textarea name="comment" rows="5" cols="40"></textarea>
<br><br>
Gender:
<input type="radio" name="Gender" value="female">Female
<input type="radio" name="Gender" value="Male"> Male
<br> <br>
<input type="submit" name="submit">
<?php
$name = $id =$email = $comment = $Gender = $website = "";
if($_SERVER["REQUEST_METHOD"] == "POST"){
    // Deliberately no trimming, escaping or checking: this is the insecure
    // version the exercise asks to test with the <script> inputs first.
    $name = $_POST['name'];
    $email = $_POST['Email'];
    $id = $_POST['id'];
    $website = $_POST['website'];
    $comment = $_POST['comment'];
    // A radio group is absent from $_POST when neither button was selected.
    $Gender = $_POST['Gender'] ?? '';
}
echo "<h2> your input </h2>";
echo $id;
echo "<br>";
echo $name;
echo "<br>";
echo $email;
echo "<br>";
echo $comment;
echo "<br>";
echo $Gender;
echo "<br>";
?>
</fieldset>
</form>
</body>
</html>
TASK 3 (rewritten with test_input())
<!DOCTYPE html>
<html>
<head>
<title>Supermarket</title>
</head>
<body>
<h1> Romeo is hot </h1>
<form method="POST" action="Task1.php">
<fieldset>
<legend id="demo">Enter student information</legend>
Student Id: <input type="text" name="id" id="id"><br>
Student Name: <input type="text" name="name"><br>
Email: <input type="text" name="Email"><br>
Website: <input type="text" name="website"><br>
comment: <textarea name="comment" rows="5" cols="40"></textarea>
<br><br>
Gender:
<input type="radio" name="Gender" value="female">Female
<input type="radio" name="Gender" value="Male"> Male
<br> <br>
<input type="submit" name="submit">
<?php
$name = $id =$email = $comment = $Gender = $website = "";
if($_SERVER["REQUEST_METHOD"] == "POST"){
    // Every value passes through test_input() before it is stored or echoed.
    $name = test_input($_POST['name']);
    $email = test_input($_POST['Email']);
    $id = test_input($_POST['id']);
    $website = test_input($_POST['website']);
    $comment = test_input($_POST['comment']);
    // A radio group is absent from $_POST when neither button was selected.
    $Gender = test_input($_POST['Gender'] ?? '');
}
// Declared after its first use, which is fine: PHP registers top-level
// functions in a file before executing it.
function test_input($data){
    $data = trim($data);             // remove surrounding space, tab, newline
    $data = stripslashes($data);     // remove backslashes
    $data = htmlspecialchars($data); // encode < > & " so the browser shows them as text
    return $data;
}
echo "<h2> your input </h2>";
echo $id;
echo "<br>";
echo $name;
echo "<br>";
echo $email;
echo "<br>";
echo $comment;
echo "<br>";
echo $Gender;
echo "<br>";
?>
</fieldset>
</form>
</body>
</html>