Using PHP | A PHP Example
Only the User Web Server has support for PHP. The Production Web Server does not, although this may be added at a later date. At the moment, PHP support is classified as experimental. This means that if an unpatchable vulnerability is reported, access to PHP will be discontinued until a patch is available. Recent versions of PHP seem reasonably stable and reliable. Many of the current PHP-related vulnerabilities involve packages that run under PHP, rather than PHP itself.

If you believe the developers, PHP is an acronym for PHP: Hypertext Preprocessor. However, historical trivia buffs will recall that Version 1 of PHP was distributed as the Personal Home Page Toolkit. Version 1 was simply a collection of commonly wanted CGI scripts. Since then PHP has grown into a very powerful scripting language that allows you to embed scripting commands within HTML. The scripts execute on the server, so they do not depend on the viewer's web browser.

PHP can be used within web pages; it can also be used for CGI scripts. One of the advantages of using PHP is that the same file can display a FORM and process the reply.

To use PHP within web pages:
To use PHP for CGI scripts:
Since PHP web pages can also process CGI forms, you may wonder why you would create a PHP/CGI page to be run under "cgiwrap". The answer is fairly simple. If the PHP script will access files, then it should be run using the cgiwrap process. If it is just another web page, then the only files that it can access are ones that are world-readable (or even worse, world-writable). If it runs under cgiwrap then the files that it accesses need only belong to you.

Security Note: PHP is configured to only be able to access files that belong to the owner of the PHP web page or script.
prompt[ ]> php script_name.php

However, if it is not being run under the control of a web server, many of the web interface capabilities are disabled. You can use this method to perform basic syntax checks, and to see if the default output appears to be HTML. Beyond that, you are effectively forced to test using a web server.

You can still check that your scripts are not looping or doing other undesirable things by using the same techniques outlined in the testing section. If your script is running as a web page, rather than as a cgiwrapped process, then apply the same checks as are outlined for an SSI web page that uses non-setuid programs.

You can also check the PHP error log. This is available in the file "/var/log/httpd/LOG.PHPmessages". This file is world-readable. As with other web server log files, you can watch for messages as they appear using "tail -f LOG.PHPmessages" from within the Apache log directory.

As with other scripts, you can use the debugging version of the "cgiwrap" process, "cgiwrapd". You can also explicitly specify that the script is PHP by using "php-cgiwrap" and "php-cgiwrapd" respectively. However, these are only needed if your PHP script does not have a ".php" file extension in its name.
If you were to install this code in your "cgi-bin" directory as an executable file called "Example.php", it would display a form asking for a file name and, once submitted, would safely display the text in that file. The script is originally invoked as: http://www2.cs.uregina.ca/cgi-bin/cgiwrap/username/Example.php. Every time that the submit button is clicked, it reruns itself under the same URL. If you wish to try this example, you will have to replace "username" with your login name.
<?PHP
  if (isset($_POST ["file"])) {
    $FileName = $File = $_POST ["file"];
  } else {
    $FileName = "";
  }
  // Escape the submitted name before it is echoed back into the page
  $SafeName = htmlspecialchars ($FileName, ENT_QUOTES);
?>
<HTML>
<BODY BGCOLOR=#FFFFFF>
<FORM ACTION=/cgi-bin/cgiwrap/username/Example.php METHOD=POST>
<P>Enter FileName:
<?PHP
  echo "  <INPUT TYPE=TEXT NAME=file VALUE=\"$SafeName\" SIZE=75>\n";
?>
<P><BR><P>
<INPUT TYPE=SUBMIT VALUE="Show Me!">
</FORM>
<P><BR><P>
<P><BR><P>
<P><BR><P>
<?PHP
  if (isset($File)) {
    $Handle = @fopen ($File, "r");    // '@' suppresses external errors
    if ($Handle) {
      $FileText = fread ($Handle, 10000);    // Read up to 10,000 Bytes
      fclose ($Handle);
      // Fix HTML tags that may be there ("&" must be replaced first)
      $SafeText1 = str_replace ("&", "&amp;", $FileText);
      $SafeText2 = str_replace ("<", "&lt;", $SafeText1);
      $SafeText  = str_replace (">", "&gt;", $SafeText2);
      // Now it is safe to display it
      echo "  <H2 ALIGN=CENTER>File: $SafeName</H2>\n";
      echo "<PRE>\n";
      echo $SafeText;
      echo "</PRE>\n";
    } else {
      echo "  <H3>Error: File '$SafeName' is not accessible.</H3>\n";
    }
  }
?>
</BODY>
</HTML>

These fairly simple examples are not intended to teach anyone how to use PHP. For complete details on the PHP Language, refer to the manual. This is available on-line from http://www.php.net/manual.
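Because a script run under cgiwrap can open any file that belongs to you, Example.php will read whichever of your files the submitted name points to. The following added example (not part of the original page) shows one way to confine the viewer to a single directory before reading. The directory "public_text", the constants VIEW_DIR and MAX_BYTES, and both function names are assumptions made for illustration.

```php
<?php
// Added example, not from the original page. VIEW_DIR, MAX_BYTES and both
// function names are hypothetical; VIEW_DIR is an assumed directory of files
// the owner is willing to publish.
define('VIEW_DIR', __DIR__ . '/public_text');
define('MAX_BYTES', 10000);            // same read cap as the page's script

// Map a submitted name to a real file inside VIEW_DIR, or return null.
function resolve_viewable($name)
{
    // Reject arrays (file[]=x), empty names and embedded NUL bytes.
    if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() collapses ".." and follows symlinks; false if the path is missing.
    $base = realpath(VIEW_DIR);
    $path = realpath(VIEW_DIR . '/' . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // Compare against base plus separator so "public_text_old" cannot match.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return (is_file($path) && is_readable($path)) ? $path : null;
}

// Build the HTML for one request; every submitted or file byte is escaped.
function render_file($name)
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $shown = is_string($name) ? htmlspecialchars($name, $flags, 'UTF-8') : '';
    $path  = resolve_viewable($name);
    // Read at most MAX_BYTES from the start of the file.
    $text  = ($path === null) ? false
           : file_get_contents($path, false, null, 0, MAX_BYTES);
    if ($text === false) {
        // One message for every failure, so replies do not reveal which paths exist.
        return "<H3>Error: File '$shown' is not accessible.</H3>\n";
    }
    return "<H2 ALIGN=CENTER>File: $shown</H2>\n<PRE>\n"
         . htmlspecialchars($text, $flags, 'UTF-8') . "</PRE>\n";
}

if (isset($_POST['file'])) {
    echo render_file($_POST['file']);
}
```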