PHP has set forth certain global variables that makes this process painfully easy. We will be experimenting with several methods of finding certain parts in the URL within this tutorial. Respectively, they are:

1. Finding the current domain
2. Finding the path to the script
3. Finding the query string (if any)
4. Using a special short cut method to tie things together

Finding The Current Domain In PHP

If you need the current domain, you can use this neat little snipped below:

<?php
# Using HTTP_HOST

$domain = $_SERVER['HTTP_HOST'];
echo $domain;
?>

If we were to use this directly on this page, the output would be learnphponline.com – notice that it does not include the ‘http://’ or ‘www.’ prefixes. If you are trying to make a link, you could do so by concatenating these prefixes onto the HTTP_HOST server variable.

Finding The Path To The Current Script

If you need to link to the current page, we use the SCRIPT_NAME server variable. We see this in use a lot more than you would think. WordPress installations will link article titles to the same page for several reasons. First, it keeps things user friendly- but it is also great for search engine optimization. Don’t be afraid to follow their example such as the snippet below shows.

<?php
# Using SCRIPT_NAME

$path = $_SERVER['SCRIPT_NAME'];

echo "Path To Script Example: <a href='$path'>An Article Title</a>";

?>

You will notice that the domain section and query string is left out. Instead we get the script path that links nicely to the current page.

Finding The Query String In a URL

The query string is important in passing variables or authorization information across several different pages in your website. You have probably noticed this before when logging into your favorite website and seen something to this effect: “TheWebsite.com/users/index.php?name=YourName”

Making a query string is actually quite easy. Make a simple PHP file and create a link to the current file, yet concatenate a ternary symbol and assign a variable like this:

• <a href=’www.yoururl.com/index.php?variable=value’>Test it!</a>

This won’t do anything since we haven’t coded anything to work with the variable. But it will allow us to test the server variable below.

<?php
# Using QUERY_STRING

$queryString = $_SERVER['QUERY_STRING'];

echo "Query: " . $queryString;

?>

Finding The Current URL With Request URI

If you are using MOD REWRITE to make your URLs more user-friendly, there is still a way to get the original URL. By using the REQUEST_URI server variable, we can get the URL given to access the page. So be definition, we bypass any rewrite rules.

<?php
# Using REQUEST_URI

echo "http://" . $_SERVER['HTTP_HOST']  . $_SERVER['REQUEST_URI'];

?>

This saves a little bit of space over the previous examples, since REQUEST_URI can replace the script path and query string server variables. This is best used when you don’t need these variables separated, which you commonly do.

Security Issues To Consider

There are many ways to get the current URL, but the ones mentioned here are the safest. The server variable PHP_SELF is an example of a method that can result in cross-scripting attacks (XSS). Instead make sure you use the SCRIPT_NAME variable as we did above in our examples.

Also make note that header information can be faked. Any variable that includes “HTTP” in it has a potential to be untrustworthy data. There are always verification methods and alternatives to these pitfalls, so you aren’t without options.

A humorous example of how HTTP headers can be faked is with certain security software packages that rewrite referrer information that websites use for analytics. By setting your referrer field to something such as “FBI” or “CIA” you can effectively give the statistics-conscious webmaster a nice scare.

Closing Comments

As a last note, be sure to encode any URL information you make use of if you are using these server variables for your own coding experiments. Otherwise malicious users may take advantage of your inept security tactics and cause havoc on your database.

3 Files Used:

1. contact.php
2. captcha.php
3. captcha.png

Requirements:

1. GD Library Installed (For Captacha- it’s 99% likely it’s already installed)
   

In this tutorial you will learn how to create a stylized form in HTML, code the backend in PHP to send an email to a specific address, and finally add a moderate Captcha system to thwart spammers from maliciously using your form.

Getting Started – Building The HTML Form And Style

We’ll start this off with a simple HTML template, that you are likely all too familiar with:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>Contact Form - YourWebsite.com</title>

</head>

<body>
</body>

</html>

We will be using a CSS layout to organize the information. To help keep things simple, we have used inline styling- but do feel free to make your own remote CSS file to further cut down on code count.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>

<title>Contact Form - YourWebsite.com</title>
</head>

<body>
<div style="width:650px;border-left:1px solid black;border-right:1px solid gray;margin:0px auto;overflow:hidden;">
  <h1 style="background-color:#1c5665;color:white;padding:5px;text-align:center;margin-top:0px;">Contact Form - YourWebsite.com</h1>

  <div style="float:left;width:214px;border-right:1px solid gray;padding:5px;background-color:#f6f8f9;height:100%;">

    <p align="right" style="padding:5px;">Name:</p>
    <p align="right" style="padding:5px;">Email Address:</p>

    <p align="right" style="padding:5px;">Comment/Suggestion:</p>
  </div>

  <div style="float:left;width:415px;padding:5px;">

    <p><input type="text" name="name" style="border:1px solid #1c5665;padding:3px;margin-top:5px;"></p>
    <p><input type="text" name="email" style="border:1px solid #1c5665;padding:3px;margin-top:5px;"></p>

    <p><textarea cols="40" name="comment" rows="4" style="border:1px solid #1c5665;padding:3px;margin-top:5px;"></textarea></p>

  </div>

  <div style="clear:both;">&nbsp;</div>
  <hr style="color:gray" />

  <input type="submit" value="Submit Form" />
 <input type="hidden" name="form_submitted" value="1"/>
      </form>

<div style="width:650px;height:10px;background-color:#1c5665;">&nbsp</div>
</div>

</body>
</html>

So far things should be fairly simple if you already have some knowledge about HTML and basic forms. One thing that seems to stump a lot of developers is the float property in CSS. To properly create a structured float, you will need four components: the wrapper, two or more sections of content that are using the float property, and finally a DIV that clears the float. You can see these, respectively, below:

<!--WRAPPER -->
<div style="width:650px;border-left:1px solid black;border-right:1px solid gray;margin:0px auto;overflow:hidden;">

<!--FLOATED CONTENT 1 -->
  <div style="float:left;width:214px;border-right:1px solid gray;padding:5px;background-color:#f6f8f9;height:100%;">

(content)
  </div>

<!--FLOATED CONTENT 2 -->
<div style="float:left;width:415px;padding:5px;">
(content 2)
</div>

<!--CLEAR FLOAT -->
  <div style="clear:both;">&nbsp;</div>
</div>

And that’s it! The HTML form is done for now. Now let’s go on with sending the form contents to a specified email address.

Sending Mail In PHP

We like to keep file count as small as possible, so we will be recycling the same file we just created to act as both the form and the file that processes the data to email the contents to your email address. We can do this with a simple IF structure in PHP.

You may have noticed this hidden value in the form we created:

• <input type=”hidden” name=”form_submitted” value=”1″/>

This is going to allow us to see whether or not the user is submitting the form, or if they are filling it out. Since this is only true once the “Submit Form” button is clicked, we can use the following IF structure in conjunction:

<?php
if ($_POST['form_submitted'] != '1') {
# Form not submitted, show form

} else {
# Process script, form was submitted
}
?>

To save you hassle, you can easily implement this selection structure by nesting in around the HTML:

<?php
    if ($_POST['form_submitted'] != '1') {
# Form was not submitted, show form

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>

<title>Contact Form - YourWebsite.com</title>
</head>

<body>
<div style="width:650px;border-left:1px solid black;border-right:1px solid gray;margin:0px auto;overflow:hidden;">

...[form contents]...

</div>

<?php } else if ($_POST[form_submitted] == 1) { ?>


<?php
# Code to send email goes here, since form was submitted
?>

<?php }  ?>


</div>
</body>

</html>

Now, onto the email function! PHP developers can make use of the mail() function already included in the PHP language. This function takes four main parameters to function correctly. As you’ll see below, we can simply plug in the information we just got from the submitted form– and the function takes care of the rest.

// Send

$to      = 'yourname@yourdomain.com';
$subject = "Message from " . $_POST['name'];

$message = $_POST['comment'];
$headers = "From: " . $_POST['email'] . "\r\n" .

    "Reply-To: ".$_POST['name'] . "\r\n" .
    'X-Mailer: PHP/' . phpversion();

mail($to, $subject, $message, $headers);

echo "<html><body style='background-color:#ececec;'><div style='width:300px;border:1px dashed black;text-align:center;margin:0px auto;margin-top:200px;padding:20px;font-size:20px;background-color:white;'>Your comment has been sent! Thanks!</div></html>";

It looks like we would be done. But, wait- what about those dastardly spammers?

Creating A Simple Captcha For PHP Forms

Some Captcha scripts are quite confusing; making use of many different technologies to provide the best possible protection against spam robots. Even though Captchas have been cracked, they are hard to do so- and certainly will cut out almost all of your spam, if not all of it completely.

In this example we are using a fairly secure Captcha system. First we are going to need a background image for our Captcha, which you can download via “Save As..” here:

Now we will have to create a captcha.php file to build the image we will be using via the GD Library. Follow the comments in the script to help get an understanding of how it works:

<?php
session_start();

// Generate a Random String, Based On Time
$md5 = md5(microtime() * mktime());

 //We don't need a 32 character long string, let's trim it
 $string = substr($md5,0,5);

// Use GD Library to make a PNG from a file
$captcha = imagecreatefrompng("captcha.png");

// Set colors of lines with RGB colors
$black = imagecolorallocate($captcha, 0, 0, 0);

$line = imagecolorallocate($captcha,233,239,239);

// The following creates random lines to help throw off a spam robot's ability to guess the string

imageline($captcha,0,10,50,16,$black);
imageline($captcha,40,11,64,29,$black);

imageline($captcha,0,60,90,0,$black);

//Write the string to the image

imagestring($captcha, 5, 20, 10, $string, $black);

// Use MD5 encryption on the key, and store it for a comparison test later

$_SESSION['key'] = md5($string);

// Print out the image
header("Content-type: image/png");

imagepng($captcha);
?>

This script is really neat, considering the .PHP file is treated as a .PNG image if successfully executed. This way, we can simply call to the image from the form and have a dynamic image to test our users with!

Now let’s go back to our form and make some necessary changes, as seen in red words below. This is the final version of the script- enjoy!

<?php
    session_start();
    if ($_POST['form_submitted'] != '1') {
?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>

<title>Contact Form - YourWebsite.com</title>
</head>

<body>
<div style="width:650px;border-left:1px solid black;border-right:1px solid gray;margin:0px auto;overflow:hidden;">

  <h1 style="background-color:#1c5665;color:white;padding:5px;text-align:center;margin-top:0px;">Contact Form - YourWebsite.com</h1>

  <div style="float:left;width:214px;border-right:1px solid gray;padding:5px;background-color:#f6f8f9;height:100%;">
    <form method="post">

    <p align="right" style="padding:5px;">Name:</p>
    <p align="right" style="padding:5px;">Email Address:</p>
    <p align="right" style="padding:5px;">Comment/Suggestion:</p>

  </div>

  <div style="float:left;width:415px;padding:5px;">
    <p><input type="text" name="name" style="border:1px solid #1c5665;padding:3px;margin-top:5px;"></p>
    <p><input type="text" name="email" style="border:1px solid #1c5665;padding:3px;margin-top:5px;"></p>

    <p><textarea cols="40" name="comment" rows="4" style="border:1px solid #1c5665;padding:3px;margin-top:5px;"></textarea></p>
  </div>

  <div style="clear:both;">&nbsp;</div>

  <hr style="color:gray" />

  <div style="width:325px; border:1px solid black;margin:0px auto;text-align:center;">
    <p><img src="captcha.php" /></p>

      <div style="margin-top:-15px;">
        Please enter the image text:
      </div>
      <div style="margin-top:-3px;margin-bottom: 4px;">
        <input type="text" name="code" style="border:1px solid #1c5665;padding:3px;margin-top:5px;">

      </div>
      <input type="submit" value="Submit Form" />
      <input type="hidden" name="form_submitted" value="1"/>
      </form>
  </div>

  <div style="width:650px;height:10px;background-color:#1c5665;">&nbsp</div>

<?php } else if ($_POST[form_submitted] == 1) { ?>

<?php
//Encrypt the posted code field and then compare with the stored key

if(md5($_POST['code']) != $_SESSION['key'])

{
  echo "It seems you entered an invalid Captcha key. Please go back and try again.";

}else{
session_unset();
session_destroy();
// Send

$to      = 'yourname@yourwebsite.com';
$subject = "Message from " . $_POST['name'];

$message = $_POST['comment'];
$headers = "From: " . $_POST['email'] . "\r\n" .

    "Reply-To: ".$_POST['name'] . "\r\n" .
    'X-Mailer: PHP/' . phpversion();

mail($to, $subject, $message, $headers);

echo "<html><body style='background-color:#ececec;'><div style='width:300px;border:1px dashed black;text-align:center;margin:0px auto;margin-top:200px;padding:20px;font-size:20px;background-color:white;'>Your comment has been sent! Thanks!</div>";

}
?>
<?php }  

?>

</div>
</body>

</html>

Note in particular that we are using the Session Unset and Session Destroy functions. Without them, you could refresh the page continually after you passed the Captcha test and send as much spam as you would like- – despite our efforts!

Closing Comments

Our form is still missing several things. You will likely need to add form validation, such as checking to see if all fields were filled out. You may also tweak the Captcha system to your liking- which is a great way to get experience with the GD Library. You may also want to consider that not everyone can see or hear- and that the Captcha in its current state will prevent such users from sending you mail.

Why This Error Occurs

If you’re seeing this error, we are willing to bet that you are using the include statement as seen below:

Common Include File Usage

<?php

include ("http://www.YourDomain.com/includes/header.php");

?> 

And you are more than likely getting an error similar to the following:

Include File Error Message

<?php

/*Warning: include() [function.include]: URL file-access is disabled in the server configuration in /home/YourUsername/public_html/index.php on line xx */

/*Warning: include(http://www.YourDomain.com/index.php) [function.include]: failed to open stream: no suitable wrapper could be found in /home/YourUsername/public_html/index.php on line xx*/

/*Warning: include() [function.include]: Failed opening 'http://www.YourDomain.com/index.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/YourUsername/public_html/index.php on line xx*/
?> 

What specifically causes this error is the fact that the server has upgraded from PHP 4 to a newer version. In the upgrade, the allow_url_fopen is set to OFF, which is responsible for disallowing include files to use absolute file paths.

Don’t be in a rush to turn this off in your system configuration just yet! Any upgrades past PHP 4 will turn allow_url_fopen to OFF as default due to security concerns. This is most prevalent in cross-site scripting attacks, or XSS attacks. In some cases, malicious users have even enslaved a server to become a spam-email-sending nightmare: all without the administrator noticing!

If there is any part of a website that allows a user to upload data of some sort, there are vulnerabilities that are present with poor coding that may allow malicious users to inject an include statement. By allowing allow_url_fopen to be set to ON, it allows them to include any file they wish from any website on the Internet. With it set to OFF, only documents on the server may be included. This is much safer considering you probably don’t have malicious code stored on the server. (And theoretically, if you did, hackers probably wouldn’t be able to find it)

The First Solution: Use Relative File Paths

A web server will automatically assume that the code below belongs on the server, and thus, is not a remote file:

PHP Include File With Relative Paths

<?php

include (header.php); //This file is in the same directory as the PHP file

include (includes/header.php); //This file is in a directory under the PHP file

include (../header.php); //This file is in the directory above the current PHP file

?>

Relative file paths can be used in every legitimate situation an absolute path would be used, although it may take a little more work. As in the example above, you may have to work at determining where the file you wish to include exists in relation to the PHP file being run.

Not your idea of fun? We aren’t fond of it either, so on to the next solution!

The Second Solution: Use Another PHP Function

We may substitute the include statement with file_get_contents, which reads an entire file into a string.

PHP Include With File_Get_Contents

<?php

$includeFile = file_get_contents("http://www.YourDomain.com/includes/header.php");

echo $includeFile;
?>

This is a good alternative to keep the absolute path an option in including a certain file. There are some instances where the above code wouldn’t come out as planned, depending on the situation. In addition, it adds another line of code that we can relinquish with the best solution: using a server variable.

The Best Solution: Using Server Variables

If you don’t want to spend hours rearranging code, you can do it the easy way with $_SERVER['DOCUMENT_ROOT'].

PHP Include Server Variables

<?php 

include $_SERVER['DOCUMENT_ROOT'] . '/includes/header.php'; 

?>

This allows you to keep the absolute path that you’ve come to be familiar with in using the include statement. Technically, the $_SERVER['DOCUMENT_ROOT'] command gives your path to the public_html directory, as seen below:

Essentially this is the root of your website, www.YourDomain.com, and therefore, you can use it just as you would with any other include statement. Just replace www.YourDomain.com with the server variable and you’re set!

Should I Turn On allow_url_fopen?

The short answer: no; allow_url_fopen was turned off for a reason. If you don’t own your own server, odds are your host won’t even allow the change in the first place. If you do own your own server, realize that the third solution presented in this tech tip takes almost no time to implement, and only requires that the base URL be replaced with a server variable.

Closing Comments

The bad news is that you’ll probably have to switch many pages in your website to conform to the new standard. The good news is that once that’s done you’ll have a more secure server, and by following the new syntax, you’ll never have to change the code again.

Foreword: There are two good reasons why email activation is a necessary for webmasters. First, it helps root out spam by requiring user interaction. It also creates a sense of trust, since we can build a certain amount of trust with a user who can confirm they are who they say they are. In this example you will need access to a database (MySQL is what we’ll use) with proper permissions.

We’ll start out creating the interface of the form. You will need to create two files: one file to hold the form, the next file to handle the verification process and interface with the database. It doesn’t necessarily matter what you name your files, but to stay uniform with our examples name the registration and verification files register.php and verify.php, respectively.

Below you will see register.php in action- in all its simplistic glory.

Our Registration Form – register.php

<html>
 <body>
  <form action="verify.php" method="post" name="register">
    Username: <input type="text" name="username" />
    Password: <input type="text" name="password" />
    Email: <input type="text" name="email" />
  <input type="submit" />
  </form>
 </body>

</html>

At this point the only things worth mentioning is that we are putting “verify.php” as the form action, and naming the form “register” with the name command. Go ahead and save this file and upload it to your hosting account- we’re done with this file for now.

Groundwork For The Verification Process

Now let’s create a file named verify.php. We are using this file for two things. First, we use it to insert data into the database if everything seems to be hunky-dory. But we also use it to confirm the verification code we email the user, so we’ll need to make use of the “IF” selection structure to differentiate between the two processes.

So how do we know if the verify.php file should submit data to our database or verify the activation code a user provides? We’ll admit that when we said we were done with register.php, we lied. To properly determine if the user is submitting data or verifying a code, we need to add a hidden value on the registration form, as seen below:

Hidden Values For Our Registration Form – register.php

<html>
 <body>
  <form action="verify.php" method="post" name="register">
    Username: <input type="text" name="username" />
    Password: <input type="text" name="password" />
    Email: <input type="text" name="email" />
	<input type="hidden" name="form_submitted" value="1"/> 
  <input type="submit" />
  </form>
 </body>
</html>

Now we can check to see if this value is set on our verify.php file with the following code:

Selection Structure – verify.php

if ($_POST['form_submitted'] == '1') {

## Form was submitted,the user is registering!

 } else{

## No value found, user must be activating their account!

}

With our form and selection structure in place, we need to go to our “backend” and create a database.

Database Design For Email Activation

In our example we are creating a table named “users” with the fields “id, status, username, password, email, and activationkey” – we encourage you to use the same values for the sake of simplicity. In fact, you can just run the SQL query below and do just that:

SQL Query Code – Run Code to Create Table And Fields

CREATE TABLE IF NOT EXISTS `users` (
  `id` int(11) NOT NULL auto_increment,
  `status` varchar(20) NOT NULL,
  `username` varchar(20) NOT NULL,
  `password` varchar(20) NOT NULL,
  `email` varchar(20) NOT NULL,
  `activationkey` varchar(100) NOT NULL,
  PRIMARY KEY  (`id`),
  UNIQUE KEY `username` (`username`),
  UNIQUE KEY `email` (`email`),
  UNIQUE KEY `activationkey` (`activationkey`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=9 ;

If all has gone well, your database should look something like the following (note if you aren’t using PHPMyAdmin and MySQL, you may see some differences):

Inserting Registration Data Into Database With PHP

Now that we have a good grasp on where we are going, we can go ahead and connect to our database. First we’ll need to arrange the correct connection statement. We will be using the mysql_connect and mysql_select_db functions to make the connection to our database.

Connecting To The Database – verify.php

mysql_connect("localhost", DATABASE, PASSWORD or ;die(mysql_error());

mysql_select_db("USER_TABLENAME ") or die(mysql_error());

Above we can see that the only thing we need to change is the database, password, and table name. Ideally the table name should be “users” as per our example. Your password and database name can be created via MySQL if you have the proper permissions. If you don’t, contact your web host to get a database configured.

So far your verify.php should look like this:

Project Thus Far – verify.php

<?php

mysql_connect("localhost", "DATABASE", "PASSWORD") or die(mysql_error());

mysql_select_db("USER_TABLENAME") or die(mysql_error());

if ($_POST['form_submitted'] == '1') {
} else {

}
?>

Test the connection by uploading the file to your server and navigating to the file. If an error doesn’t present itself, it means you successfully connected to your database! (Even if you see a blank page) Now we can create a random key and answer all of the data into our database.

Creating A Random Key And Inserting Database Values

We will be using the mt_rand() function to create our random key. Below you’ll see that we concatenate the function five times in order to get a lengthy string.

Random Number Generator – verify.php

$activationKey =  mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand();

Don’t get too excited to try it out yet, first let’s write the code to insert the value into our database.

Inserting Data Into A Database – verify.php

$sql="INSERT INTO users (username, password, email, activationkey, status) VALUES ('$_POST[username]', '$_POST[password]', '$_POST[email]', '$activationKey', 'verify')";

if (!mysql_query($sql))

  {

  die('Error: ' . mysql_error());

  }

Above you can see we are updating all of the rows with information from our registration field via the $_POST command. We are also including the $activationKey variable and inputting the word ‘verify’ into the status field. This is to keep track of who is verified and who isn’t. If someone isn’t verified yet, but has registered, we could easily have them request to resend the email instead of having to register again. Oh, technology!

So far the code should be as below:

Script Thus Far – verify.php

<?php

mysql_connect("localhost", DATABASE, "PASSWORD") or die(mysql_error());

mysql_select_db("USER_TABLENAME ") or die(mysql_error());

if ($_POST['form_submitted'] == '1') {
##User is registering, insert data until ;we can activate it

$activationKey =  mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand();

$sql="INSERT INTO users (username, password, email, activationkey, status)

VALUES

('$_POST[username]', '$_POST[password]', '$_POST[email]','$activationKey', 'verify')";

if (!mysql_query($sql))

  {

  die('Error: ' . mysql_error());

  }

} else {

}

?>

Sending The Activation Key

Sending an email with PHP is painlessly easy- we just have to supply a few values to an already-made function in PHP: the aptly named mail() command. In our example we are using four parameters to send the email: the recipient address, the subject of the email, the message, and our own return address.

Sending Mail With PHP – verify.php

	echo "An email has been sent to $_POST[email] with an activation key. Please check your mail to complete registration.";

##Send activation Email

$to      = $_POST[email];

$subject = " YOURWEBSITE.com Registration";

$message = "Welcome to our website!\r\rYou, or someone using your email address, has completed registration at YOURWEBSITE.com. You can complete registration by clicking the following link:\rhttp://www.YOURWEBSITE.com/verify.php?$activationKey\r\rIf this is an error, ignore this email and you will be removed from our mailing list.\r\rRegards,\ YOURWEBSITE.com Team";

$headers = 'From: noreply@ YOURWEBSITE.com' . "\r\n" .

    'Reply-To: noreply@ YOURWEBSITE.com' . "\r\n" .

    'X-Mailer: PHP/' . phpversion();

mail($to, $subject, $message, $headers);

This should be fairly self-explanatory. Notice that we are using the \r command to force a return- this is to format the email so all the text isn’t on one line. If you wanted, you could even include HTML and images into the email. We would recommend you didn’t, however, as many mail platforms today either don’t support such features or mark most emails that contain them as spam.

Coding The Verification Checking Process

We have arrived at the final part of this lesson: checking the verification code and allowing the user to either be registered or tell them they have entered the wrong code and to try again. In this section we will actually grab the current URL, take the query string, and then check our database to see if it matches a record. If it does, we will call the registrant a member and remove the key from our database. Otherwise, tough luck!

Script Thus Far – verify.php

##User isn't registering, check verify code and change activation code to null, status to activated on success

$queryString = $_SERVER['QUERY_STRING'];

$query = "SELECT * FROM users";

$result = mysql_query($query) or die(mysql_error());

  while($row = mysql_fetch_array($result)){

    if ($queryString == $row["activationkey"]){

       echo "Congratulations!" . $row["username"] . " is now the proud new owner of a YOURWEBSITE.com account.";

       $sql="UPDATE users SET activationkey = '', status='activated' WHERE (id = $row[id])";

       if (!mysql_query($sql))

  {

        die('Error: ' . mysql_error());

  }

    }

  }

Above we are doing just as we stated. Pay special attention to the fact we are using the UPDATE command in SQL- not INSERT. Also note that we need the while loop to find the exact ID of the member to update- we don’t want to update everyone in our database! We do this by comparing the current record ID with one from the database- and voila! If a match is found, we can update it.

Finally, we need to add some security to our script. Read our SQL Injection Tutorial and add the updates below:

Final Result – verify.php

mysql_connect("localhost", DATABASE, "PASSWORD") or die(mysql_error());

mysql_select_db("USER_TABLENAME") or die(mysql_error());

if ($_POST['form_submitted'] == '1') {
##User is registering, insert data until we can activate it

$activationKey =  mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand();
$username = mysql_real_escape_string($_POST[username]);
$password = mysql_real_escape_string($_POST[password]);

$email = mysql_real_escape_string($_POST[email]);

$sql="INSERT INTO users (username, password, email, activationkey, status) VALUES ('$username', '$password', '$email', '$activationKey', 'verify')";

if (!mysql_query($sql))

  {

  die('Error: ' . mysql_error());

  }

echo "An email has been sent to $_POST[email] with an activation key. Please check your mail to complete registration.";

##Send activation Email

$to      = $_POST[email];

$subject = " YOURWEBSITE.com Registration";

$message = "Welcome to our website!\r\rYou, or someone using your email address, has completed registration at YOURWEBSITE.com. You can complete registration by clicking the following link:\rhttp://www.YOURWEBSITE.com/verify.php?$activationKey\r\rIf this is an error, ignore this email and you will be removed from our mailing list.\r\rRegards,\ YOURWEBSITE.com Team";

$headers = 'From: noreply@ YOURWEBSITE.com' . "\r\n" .

    'Reply-To: noreply@ YOURWEBSITE.com' . "\r\n" .

    'X-Mailer: PHP/' . phpversion();

mail($to, $subject, $message, $headers);

} else {

##User isn't registering, check verify code and change activation code to null, status to activated on success

$queryString = $_SERVER['QUERY_STRING'];

$query = "SELECT * FROM users"; 

$result = mysql_query($query) or die(mysql_error());

  while($row = mysql_fetch_array($result)){

    if ($queryString == $row["activationkey"]){

       echo "Congratulations!" . $row["username"] . " is now the proud new owner of an YOURWEBSITE.com account.";

       $sql="UPDATE users SET activationkey = '', status='activated' WHERE (id = $row[id])";

       if (!mysql_query($sql))

  {

        die('Error: ' . mysql_error());

  }

    }

  }

}

Verification Key Conclusion

So where should you take it from here? Obviously we haven’t included any error checking for input data. What if the user misspelled his or her password? We should probably put another password field in, and check to see if the passwords match. Additionally, we should mask the content in the password field to ensure security.

We might also add a CAPTCHA to prevent the mail server from getting abused by spam bots- something your host would probably appreciate. We could also simplify matters by using functions and cleaning up code.

There are many ways to improve- but be sure to check out our scripts and tutorials section for more information, because we’ve covered such topics like this in the past.

Ever since the release of PHP 4, we’ve had the ability to utilize a function that automatically converts a string to uppercase characters. This function, UCWords, has many uses that aren’t so obvious at first glance.

1. Title Case – While not everyone runs their own news website or even a movie database, we use title case for things such as website titles and website links. You’ll note in your browser window that your very own LearnPHPOnline.com utilizes the UCWords function to capitalize the title string.
2. Sanitizing Database Input – We are all familiar with the stereotypical Internet user that just has to leave the Caps Lock key on at all times to get their point across. Protection against LOUD TEXT is quite prevalent in forum systems. (Try putting in “TEST TITLE” in vBulletin and watch it magically get transformed into “Test Title” if the forum is running correct settings.)
3. Meta Tags – While you don’t see it directly, search engines still look at meta tags to help formulate what a website is and what it has to offer. By setting the “Title” attribute to automatically create uppercase words, we can show the search engines how proper we are without risking carpal tunnel syndrome.
4. Fixing User Input – Let’s say you run your own business, and you contact registered users via E-mail to gain leads. If the user signed up and didn’t capitalize their name properly, it’s going to look unprofessional sending an email to them with their name in lowercase. In this situation we could actually lose business due to a lack of proper programming.

What Does The PHP Function UCWords Do?

The UCWords function automatically capitalizes every word within a given string. The function is especially easy to use since it only accepts a single argument: the string you want to be forced into uppercase stance. We can see an example of the usage of ucwords below, in our news headline demonstration.

PHP UCWords Example Of Basic Title Casing

<?PHP

 $newsHeadline = "breaking: man finds way to capitalize news headings automatically";

 echo ucwords($newsHeadline);

 //Returns: Breaking: Man Finds Way To Capitalize News Headings Automatically

?>

So far things look fairly simple. But what exactly constitutes a new word for the UCWords function? Technically defined, a new word is going to be a string of characters following a whitespace, so long as the string doesn’t begin with a number. What do you think would happen if we were to start a string with an integer? Would the next letter be capitalized? In the below example, we take the real-life Internet company 43Things.com into consideration.

PHP UCWords Example Of Strings Starting With An Integer

<?PHP

 $webpageTitle = "43things.com";
 echo ucwords($webpageTitle);
 //Returns 43things.com

?>

Note that in this example, the T will not be forced into capitalization because the string begins with a number. If we were to separate the number and the letter with a space, carriage return, newline, tab, or form-feed, then the letter would indeed be capitalized.

If the UCWords function encounters a string that is already capitalized, the function will not act on the string in question. If, however, the user were to convert the entire string to lower case letters and then pass the result to the UCWords function, we get a result as seen in the below example.

PHP UCWords Example Of Basic Rules Of Operation

<?PHP

 $screamingText = "THIS IS VERY LOUD TEXT"

 echo ucwords($screamingText);

//Returns: THIS IS VERY LOUD TEXT

 echo ucwords(strtolower($screamingText));
//Returns: This Is Very Loud Text

?>

Capitalizing Only Certain Words In A String With UCWords

If we were concerned with only capitalizing a certain part of a string, we could write up a quick function to ensure that words that are commonly not capitalized are ignored. In many headings you may notice prepositions such as “at” or “to” aren’t capitalized. The following function solves the problem by accepting only a single argument.

PHP UCWords Function For Returning Partially Capitalized String

<?PHP

    function smartcase($str) {
       return preg_replace(
            "/(?<=(?<!:|'s)\W)(A|An|And|At|For|In|Of|On|Or|The|To|With)(?=\W)/e",

            'strtolower("$1")',
            $str);

    }

echo smartcase(ucwords("the prepositions in a title can be excluded with this function!"));

//Output: The Prepositions in a Title Can Be Excluded with This Function!
?>

We could add other words to the ignore feature simply by editing the following line:

PHP UCWords Example Of Basic Title Casing

     (A|An|And|At|For|In|Of|On|Or|The|To|With)

Sanitize Database Input With A Function Using UCWords

One of the more practical uses for UCWords is to sanitize input when putting information into a database. You may have noticed that some forum systems such as vBulletin will automatically change your thread title into title case if it is in all-caps. (After all, who really likes to read a screaming title?) An example of how this is done can be seen below, by implementing another function.

PHP UCWords Example Of Sanitizing Input

<?PHP

function titleCase($string)
     {
     return ucwords(strtolower($string));

     }

$threadName = "CHECK OUT THIS NEW PHP FUNCTION GUYS!";
echo titleCase($threadName);

//Returns: Check Out This New PHP Function Guys!

?>

Closing Comments

UCWords has quite a bit of use to the PHP development community. Other functions that are worthy of noting would be: StrToUpper() , StrToLower() , UCFirst() , and MB_Convert_Case(). Each of these functions are necessary as the Internet shifts to a more and more dynamic environment.

Bottom line: We can all thank technology for allowing us to reduce the wear and tear on our Shift keys.

What Is PHP?

PHP was in development in 1994, when creator Rasmus Lerdorf wanted a better way to administer his personal homepage. It all began as a few CGI binaries that Lerdorf used to build several interesting applications. This in itself isn’t so exciting, especially since early forms of PHP couldn’t even interface with a database! Regardless, Lerdorf started what would become a very prominent web development language.

From thereon out, PHP became an open source piece of software that anyone could contribute work on. Over the years developers have added quite a bit of functionality to the language overall. Through all the changes that occurred over the years, we can now describe PHP as the following:

1. Server-Side Scripting Language – In addition to being a scripting language, PHP is a server-side scripting language. This essentially means that PHP runs on the web server end of things (Which is why you should take advantage of our free hosting if you don’t have hosting already!). As we’ll learn later, PHP is processed on the server and then output to the browser after a request is made.
2. Dynamic – PHP is a dynamic language, which is to say that it can change based on what we need it to do. On the other hand we have static languages like HTML, which don’t allow us to do things like pull and store information from a database. Dynamic languages are quickly becoming standard among web applications, with PHP at the forefront.
3. Object-Oriented Programming – A buzzword in the programming industry is object-oriented design. Under this principle, the PHP is able to create “objects” that interact with each other. Object-oriented design isn’t necessary, but many supporters claim that using it helps organization and functionality in an application. We’ll review the topic more in future chapters, no need to worry about this topic just yet.
4. LAMP – An architecture called LAMP describes the usage of four popular technologies to create functional web applications. The P can stand for several other competing languages, but PHP generally takes the name in addition to Linux, Apache, and MySQL. For now, we don’t need to delve into such topics; but it’s good to note LAMP philosophy has dictated the way many web applications have been created.
5. Free-Form Language – Lastly, PHP is a free-form language. A free-form language will not observe whitespace when being output to the browser. This is apparent in HTML as well, where we can spank the Space bar as much as we want and not see any extra spaces when viewing the HTML in a browser.

What Can PHP Can Do?

What is PHP? So far, we’ve established that it is a programming language designed for creating web applications. It serves up dynamic content, works on the web server in the operation, and supports new-fangled principles such as object-oriented design. That’s all great, but what can PHP do exactly?

Take a look around, and we can see the results of PHP everywhere. It is estimated that PHP is in use on over 20 million different websites, and over a million different web servers (including ours!). We use PHP in applications such as simplifying templates, using user registration systems, storing and receiving information into a database, and even other exciting such as editing images on the fly.

PHP is used in many reporting and business applications, where built-in graphing and image creation can take place. Oddly enough, one of the first PHP applications ever created was an application to track statistics and report results in a convenient manner (Think back- remember Rasmus Lerdorf? He used his Personal Home Page language to create his own statistics counter!).

Thanks to recent years of innovation, technologies such as AJAX have made it easier to offer an easier experience for users of web applications. AJAX is used to silently load and store all sorts of information- whereas it was previously required to refresh the webpage or navigate to multiple other websites. We’ll learn more on AJAX in future sections, which will be a particularly fun section and something to look forward to in learning.

What Does PHP Do For Development?

Developers have a lot to benefit from PHP- and not just a surplus income. Rather, developers are able to take advantage of decreased development times, ease of use in deploying applications, and a fantastical support from a very large community.

To help further the process of developing a web application, multiple frameworks are available for
usage. Frameworks reuse many repetitive tasks, such as connecting to a database or storing basic information. Frameworks should not be used until PHP itself is learned, and a learning curve for most PHP
frameworks can be anywhere from a day to a week or more.

Also worthy of noting is the fact that some frameworks have support for security measures that programmers ignore on a common basis. PHP itself is not an insecure language, but it does leave holes where improper developers might leave mistakes in programming. Frameworks help cover up such holes, but regardless of the fact proper security tactics are good to learn as PHP itself is learned. (Don’t worry, we teach all the security topics you’ll need for PHP web applications.)

Closing Comments

PHP has been in development for a long time and there are plenty of things to learn about the language overall. Rest assured, we’ll learn more about everything discussed in this introduction to PHP with the coming chapters. Next up: what you’ll learn from this course and what you can do with the knowledge obtained therein.

SQL Injection: What It Is

There was once a famous doctor that had it completely right: never trust your patients. Now this doctor may have only been a sitcom doctor on the show “House,” but we’ll be taking a page from his book. Of course, in our case the patients will actually be Internet users. Don’t let your guard down! They are conniving, dastardly, plot-making fiends- and you’ll do well to remember it.

First, Let’s define an SQL Injection:

Define SQL Injection

  SQL Injection - \S-Q-L-in-'jek-shen\ - Noun
 The technique of inputting malicious data into an SQL statement, which would therefore make the vulnerability present on the database layer. Surprisingly, it seems everyone who has recently taken up learning a web development language has to try the technique out on their favorite websites. Luckily for said websites, this technique isn't at all hard to protect against.

The technique of inputting malicious data into an SQL statement, which would therefore make the vulnerability present on the database layer. Surprisingly, it seems everyone who has recently taken up learning a web development language has to try the technique out on their favorite websites. Luckily for said websites, this technique isn’t at all hard to protect against.

SQL Injection: What It Looks Like

The vast majority of all SQL injections will take place on an input form. Contrary to popular belief, this isn’t the only place where we will see them- it’s also common to manipulate URLs to inject SQL code. (But we’ll get more into that later.)

The most basic of all SQL injections will look like the following:

The Basic SQL Injection

	Variable' or 1=1--

Let’s say we have a login form. By inputting the above code, we can use our SQL injection to gain login even without proper credentials! So how’s it work? Take a look at the “bigger picture” below:

What It Looks Like On The Back-End

	SELECT * FROM users WHERE username = 'Variable' or 1=1--'

See how our code is nicely injected into the query? The result of this query will grant us access regardless of the username, since the result of “1=1″ will always be true. In this case, we bypass the whole selection process.

You may have been wondering what the double dashes are for ( — ). These dashes at the end tell the SQL server to ignore the rest of the query. If the exploit isn’t being used on an SQL server, then omitting the double dashes and ending single quote will get the desired results.

Note that while this is the most standard way, it certainly isn’t the only way that malicious users will gain entry. SQL queries will differ greatly from one syntax to another, and thus, so too should the SQL injection. It’s also common to see the following:

More SQL Injection Syntax Fun

    ') or ('1'='1
    "or "1"="1
    ' or '1'='1
    Or 1=1--
    " or 1=1--
    ' or 1=1--

SQL Injection: Attacking Via URLs

Did you know it was possible to attack an SQL server through a URL? Well, it’s possible, and usually much more dangerous to webmasters. When using PHP and SQL, there is commonly a URL such as the following:

• http://YourWebsite.com/login.php?id=2

By adding a little SQL to the end of the URL, we can do some very mischievous mischief:

• http://YourWebsite.com/login.php?id=2‘; DROP TABLE login; #

You might be confused by the hash. This little guy is just like the double dash we used earlier; it will tell the SQL query to halt after our input. And if you haven’t noticed, we just told the server to drop the entire table of users! This is an example of how powerful and dangerous SQL injections can be- and also shows that constant backups are a necessity.

Enough already! Let’s finally find out how to make sure that little script kiddies aren’t going to ruin the hard work webmasters and web developers set aside for their projects.

SQL Injection Prevention: Editing Lengths Of Form Components

The first step in the process is simple: simply restrict input fields to the absolute minimum- usually anywhere from 7-12 characters is fine. Doing so will make long queries unable to be input, since the field is only enough characters for smaller queries. This will actually not prevent an SQL injection, but will make work harder for those trying to make use of one.

Savvy SQL injection users can simply make a new form and remove the limits on the character length, since the length is in plain HTML and viewable (and editable) by anyone.

SQL Injection Prevention: Data Type Validation

Another good idea is to validate any data once it is received. If a user had to input an age, make sure the input is an actual number. If it was a date, make sure the date is in proper format. Again, this will not prevent an SQL injection in itself- it just makes work harder for those trying to exploit an SQL server.

Data type validation can be thwarted by modifying the query over a trial-and-error test period. This is still only slowing attackers down- but isn’t it much more satisfying to have them waste their time before finding out one’s own query is impervious to harm? Of course! An eye for an eye!

SQL Injection Prevention: User Privileges

It’s nice to be able to create a “super user” in one’s own database that can create, drop, and edit tables at will. The security-obsessive webmaster will want to make individual users that can only do one or two tasks at a time. In effect, this means that SQL injections will only be able to do one or two things at a time.

This is just a little prevention fun, it can certainly still cause a certain amount of danger. If a user is made for deleting tables, than an SQL injection can do the same thing- it just won’t be able to do much else. Regardless, deleting a table is a very big privilege to handle. This method is still useful for throwing attackers off track, as well as minimizing risk from areas of a website that aren’t critical to the security of the database.

SQL Injection Prevention: Magic Quotes (Which Aren’t So Magical)

We all love magic. Heck, magic is downright cool. It serves as the basis for great children books (Harry Potter, anyone?) and even has been used for themes in nerdy card games everyone seems to enjoy (Ah, we’re looking at you, Magic The Gathering!)

One thing that just doesn’t live up to the magic name is magic quotes. PHP developers thought it would be a wonderful idea to make a process that escapes all incoming data in a PHP script. Sounds like it would fix our problem with SQL injections, but alas, there are better ways.

Anyone who has recommended a fix with magic quotes doesn’t know what they are talking about. After all, magic quotes are considered deprecated and removed as of PHP version 6. So why such hostility over a process that is seemingly beneficial to our predicament?

The short answer: magic quotes are horrible for portability issues, performance issues, and they mess with other data that doesn’t need to be escaped.

1. Many scripts made with magic quotes won’t work on servers that have (intelligently) turned the feature off.
2. Performance loss is observed because not all of the data is being input into a database- we’re wasting process time.
3. Lastly, magic quotes are just inconvenient. They add an extra slash (“\”) to all of our form data, even when it might not be needed. To fix this, we have to use another process to fix it (If you are unfortunate enough to have used magic quotes, look up the stripslashes() function, and consider switching if possible)

We came close to finding a real solution there- almost! But we did learn something: don’t use magic quotes, and instead find an alternative that can escape the input data based on what we need: not what we don’t.

SQL Injection Prevention: The Solution In Preventing SQL Attacks

We could’ve given you the answer right away, but what fun would that have been? Too often, PHP developers are becoming lazy and not following proper security tactics the way they should. By reaching this point in the lecture, you’ve increased your knowledge on how SQL injections are used, how not to prevent the attacks, and finally: you’ll learn the right way to keep injection attacks at bay.

We’ll accomplish this last feat with a simple function that the developers of PHP made especially for SQL injections. We call this function mysql_real_escape_string() – take a look at it below:

mysql_real_escape_string() In Action!

    $name = "John";
    $name = mysql_real_escape_string($name);
    $SQL = "SELECT * FROM users WHERE username = '$name'";

Although for a more practical use, we would have the $name variable pointed to a POST result, as seen below:

$_POST Can Dig In On The Action Too!

    $name = mysql_real_escape_string($_POST['user']);

And we can even make things easier by putting it into one line:

All In One Line Now; Here We Go!

$SQL = "SELECT * FROM users where username = "mysql_real_escape_string($POST['user']);

So what’s the output like if malicious users try to get access to our SQL server? Well glad you asked! Their attempts may look something like this:

Cause And Effect With mysql_real_escape_string()

    $malcious_input = "' OR 1'";
    // The Above Is The Malicious Input. Don't Be Scared!
    // With The mysql_real_escape_string() usage, the following is obtained:

	\' OR 1\'
    // Notice how the slashes escape the quotes! Now users can't enter malicious data

And the best part is, they just wasted their time and effort for nothing. Now how’s that for vindication!

SQL Injection: Closing Comments

We’ve learned quite a bit today. SQL injections are bad. All Internet users are equally as bad. Protecting against both ensures a happy and stable web application. And above all else, never use magic quotes! Despite their cleverly disguised name, we’ve found no evidence of magic.

Lastly, note that there are libraries and classes that can help aid in the fight against SQL injection. Prepared statements are plausible as well, but as for us, we enjoy sticking to the mysql_real_escape_string() function for less headaches.

Bottom Line: mysql_real_escape_string() – It doesn’t have a magically awesome name, but it’s 24 characters worth of SQL injection-protection goodness.

Find An Odd Or Even Number With The IF Statement

We can check for whether or not a number is even or odd by using the modulus operator seen below.

<?php

if (7 % 2) {
  echo "7 is odd";
} else {
  echo "7 is even";
}  

?>

We interpret the first line as “Divide 7 by two, and check for a remainder.” If there is a remainder (in our case we have 3.5, so a remainder of 0.5), then the number is odd. If there isn’t a remainder while dividing by two, then that number is even.

You could change the three sevens in the above script to eights, and you will notice the script outputs the number is even, since 8 divided by two is 4 with no remainder.

Checking For Odd And Even Numbers With A PHP Function

We can clean up so code here by using a function to do the dirty work for us. First we’ll stick the if statement into a function and make sure it works, then we’ll optimize our code once we get the concept up and running.

<?php

function is_odd($num) {
  if ($num % 2 == 0) {
  return false;
 } else {
    return true;
  }
}
############################

if (is_odd(4)) {
 echo "This number is odd.";
} else {
  echo "This number is even.";
}

?>

The function will do exactly what we just did with our IF statement previously, only this time we can reuse our code and save quite a bit of space. We supplied the is_odd function with a plain number; if we wanted we could put in a variable. In fact, we’ll do just that while we optimize our code in the next example.

<?php

function is_odd($num){
 return $num % 2 == 0 ? false:true;
}

$number_To_Check = 3;
if (is_odd($number_To_Check)) {
  echo "$number_To_Check is odd.";
} else {
  echo "$number_To_Check is even.";
}
?>

This time around we are saving even more space by using the ternary symbol (?). In this instance the left side of the colon is what gets executed if the statement is true, and the right side is what gets executed if the statement is false. Think of the colon as an “else” statement.We can use some pseudo-code to help understand this more:

<?php

function odd_check($num){
 (Is this statement true) ? yes  :  no;
}
?>

Back to our case example: since the statement checks for an even number, when the statement is true we return the value “false” to indicate it isn’t an odd number.

Further Optimization of The Odd Number-Finding Function

Want to really impress the ladies? Try showing them the following function to find odd and even numbers.

<?php

function is_odd( $num)
{
  return( $num & 1 );
}
########################

if (is_odd(7)) {
    echo "7 is odd";
} else {
    echo "7 is even";
}
?>

This time around we took the equation out. We can do this through using the AND operator (&). If you aren’t up to speed on binary, consult the chart below to see how we count to five. (Note that we will not go into depth on binary, just give you enough information to understand the AND process.)

Each place in the above numbers represents a different value. The furthest right number, as you might have guessed represents “1,” the next “2,” the next “4,” and so on. But notice something even more interesting: all the odd numbers have a “1″ while the even numbers don’t!

The AND operator is going to compare two binary numbers. If both numbers have a “true” (the number 1) value, then the result is true. If either numbers have a 0 (or “false”), or both numbers are false, the resulting number is 0. Consult the diagram below for more information.

Back to our equation. If the ($int & 1) check returns true, the number is odd. Let’s say we put an odd number such as 3 in. We will compare it against 1, which is already an odd number. 0011 and 0001 can be used in an AND equation to get the result of 1, since both values are 1 (and thus true).

You don’t necessarily have to understand this jargon to make use of the function- but it’s good to get the basics of binary down if you haven’t already.

Closing Comments

Now that you can find odd and even numbers, you can accomplish all types of artsy things. You’ll see this in effect most often on blogs that alternate the background colors of comments to make for easy reading. Lyrics websites do the same thing, and you can even use the same principle to use in more complex equations (which we won’t get into in the scope of this article).

Try running the following code just for fun:

<?php

function is_odd($num)
{
  return( $num& 1 );
}

for ($counter = 0; $counter <= 20; $counter++) {
  if (is_odd($num)) {
    echo "<div style='background-color:black;width:800px;height:30px;margin:0px auto;'> </div>";
  } else {

    echo "<div style='background-color:red;width:800px;height:30px;margin:0px auto;'> </div>";
  }
}
?>

Comments may only viewed by those who make changes to the code itself- the PHP engine doesn’t parse anything designated as a comment. A good example of this is seen below, where the first line isn’t being output to the browser, while the second is.

An Example Of The PHP Comment Syntax

<?php

// This is an example of a comment- this is not being parsed!

echo "This is being parsed by the PHP engine!";

?>

We, as able-bodied programmers and individuals, should invest our time into commenting for three primary reasons.

1. Employment – If you are working for an employer, or are planning to release your source code to the public, you will need to make use of comments. Employers demand it because if they were to lose you as an employee, they would have to hire someone new to peruse your code. This act with commenting can take hours, and without can take days. This same principle works with open source code, which needs to be readable by others so they know how to operate or modify your program correctly.
2. Saving time – Even if you plan on keeping the code to yourself, you should make use of PHP comments because as your projects grow in scale, you will forget where you place certain bits of code or even what large blocks of code do. Most arrogant programmers do without comments at this stage, claiming they can remember the programs they make. In reality, a programmer will often come back to a certain code block months into the future, and quickly find they will need to take a few hours to reread their code and comment it properly.
3. Troubleshooting – More intelligently, programmers use PHP comments to troubleshoot their applications. When trying to find which code block is causing an error, programmers can quickly section out new additions to the application with a comment block to see if the error subsides. If it does, that’s where the error lies. If not, the error lies elsewhere.

PHP Commenting Syntax

You’ve finally come around, and you want to start commenting your code. Bravo! The first step is to learn how to use it. There are three different ways we can make comments; two of which can be seen below in the example.

Two different Methods of Using PHP Comments

<?php

#This is an example comment

//This is another example comment

echo "Sentence 1."; //This is our first statement

echo "<br />"; #This is a line break

echo "Sentence 2."; // This is our second statement

?>

You’ll notice that both commenting styles, either the “#” or the “//” versions, are used on a single line. Also note we can use both behind an otherwise functional PHP statement, such as can be seen with our second half of the example. But if we wanted to format comments to span multiple lines, things would get tedious. Luckily, PHP developers can make use of a third way that spans multiple lines as seen below.

Multi-Line Comments in PHP

<?php

#This is a

#single line comment

#on multiple lines.

/* This is an easier

way to write comments

on multiple lines */

?>

In the above PHP commenting example we see that you can span multiple lines both ways, but the latter example is much easier to work with. These types of multiple line comments are usually placed at the top of a PHP file to explain what it’s for, what it accomplishes, and any specific information needed to run or edit the file correctly.

Some people like to showoff and get elaborate with their commenting styles. We’ll agree it’s great fun, since it actually helps out the readability of comments in many cases. Below is an example of what the LearnPHPOnline.com’s creative programming department came up with in all but a few seconds of their precious time.

Fancy-Shmancy PHP Comments

<?php

#################################

####  My PHP File Version 2.2####

#################################

/* Be sure to edit the server 

password and username details 

to properly configure this 

script to work! */

?>

Quite chauvinistic aren’t they?

Using PHP Comments To Troubleshoot

Troubleshooting is a vital part of programming, as we are sure the reader knows already. It’s always a great idea to take breaks every time a new code block is added to see if everything is still functional. If it isn’t, we have to get creative in how we find the root of the problem.

Below is an actual flawed script that we created. You will likely see the problem right off, but in a real-world environment, tracking such a problem down will be much more difficult.

Troubleshooting PHP Code With Comments

<?php

//This script will output a variable to the browser

$myVar1 = " meow mix";

$myVar2 = " meow mix';

echo "I want chicken, I want liver," . $myVar1 . $myVar2 . " please deliver!";

?>

When run, this script will give the error “Parse error: syntax error, unexpected T_STRING” – and even though the problem lies on line 4, it points us to line 6. So we’ll just comment out line 6, and we see that the problem still persists!

Troubleshooting PHP Code With Comments

<?php

//This script will output a variable to the browser

$myVar1 = " meow mix";

$myVar2 = " meow mix';

#echo "I want chicken, I want liver," . $myVar1 . $myVar2 . " please deliver!";

?>

Oh dear, it looks like the problem is still there once we run the application.

Now we’ll move the comment to line 4, and see what happens. Once we run the application, we see that the browser outputs this string “I want chicken, I want liver, meow mix please deliver!” We are missing the second meow mix, obviously, but the script still executed successfully. This means that the problem must lie on or near line 4. Upon further checking, we see that we used an apostrophe to close the variable assignment! Oops! Let’s fix it and see if it runs now.

Troubleshooting PHP Code With Comments

<?php

//This script will output a variable to the browser

$myVar1 = " meow mix";

$myVar2 = " meow mix";

echo "I want chicken, I want liver," . $myVar1 . $myVar2 . " please deliver!";

?>

Success! We now have the correct string output to the browser.

One Last Tip For PHP Comments

One last thing we need to stress is to use PHP comments in selection structures, such as CASE or IF. If you have an IF statement, always be sure to comment what each branch does, even if you don’t use one of the choices. An example is below.

PHP Comments And Selection Structures

<?php

//This script showcases comments in an IF structure

$clientAge = 18;

if ($clientAge < 18) {

echo "You are not able to view this material until you are 18 or older.";

} else {

//Don't show a notice

}

?>

Even though we don’t need a comment in the else branch, we should put one there because it does amazing things for readability. Once programmers start nesting IF statements inside each other, documenting each IF branch is absolutely vital in understanding how an application functions.

Closing Comments

Commenting is a vital part of programming, and it serves more purposes than what one would think as we can very well see. Always try to keep documentation on your code where possible, if not for yourself, then for your employers who don’t like seeing undocumented work from their employees.

PHP Include Tutorial – Basics Of The Include Language Construct

It should be noted that, much like the Echo statement in PHP, Include is not considered an actual function. Although it would behave like a function, we call it a language construct since it is “built into” PHP. We consider it an integral part of the language much like the IF statement! (You may notice some language constructs listed as functions- but this is only to improve documentation.)

The primary usage of this language construct in particular is to retrieve a remote file for inclusion into the currently running script. We are going to use the Include construct for three primary reasons:

1. Readability – We use the Include construct for replacing many lines of code with but one line of code. This increases the readability of an application, and ultimately lets us troubleshoot bugs quicker than ever before. We use the Include construct for replacing many lines of code with but one line of code. This increases the readability of an application, and ultimately lets us troubleshoot bugs quicker than ever before.
2. Save Time – We save time by using the Include() construct in a very ingenious way. If we were to change a link in our navigation menu, we would have to update that same link hundreds of time on different subpages. But if we used an Include() construct, we could just edit one file and the results on other pages would be instant!
3. Reliability – If an included file doesn’t exist or has malfunctioned, the server will tell us quite promptly. This is superb for troubleshooting! Error reporting is sometimes seen as a security risk, however, since it commonly shows semi-confidential information in the error.

PHP Include Tutorial – Examples Of Including A File

Before we can do dabble with an example, we need to learn how the Include syntax works. Using the Include construct is actually quite easy; we just need to know the URL of the code to be input, wrap it in parenthesis, and add the include statement.

An Example Of The PHP Include Syntax

<?php
    include("header.php");
    include 'footer.php';

    // Each Way Is Correct, But The First Example Is More Readable
?>

In the above example we are calling to two different files, in which both are located in the same directory as the page being viewed. Both statements will work, but we personally like the first example since we view it as more readable.

If the file we wanted to include is in the parent directory, we simply use the “../” notation as seen below.

Including A PHP File From A Parent Directory

<?php
    include("../header.php");

    // Include A File From Parent Directory
?>

Note that every time we use the “../” notation we go up one level. But things don’t have to get complicated! We can simplify things by simply using the entire URL as seen below:

An Easier Way To Include A PHP File

<?php
    include("http://www.YourUrl.com/includes/header.php");

    // Easy File Inclusion
?>

PHP Include Tutorial – An Include Example

To get started we are going to need at least two files. First, we will take an already-made index.php file as seen below:

Contents Of index.php – Copy And Paste

<html>
<title>A Basic PHP Website Using Include</title>

<p style="text-align: center;padding: 10px;">
<a href="#">Home</a>
<a href="#">Subpage 1</a>
<a href="#">Subpage 2</a>
</p>

<p style="text-align: center;border: 1px dotted blue;">Welcome to our website! The links above are being used in includes- saving us time that can be best used for developing better features for this website.</p>

</body>
</html>

	

Now create a file called “header.php” in another window. We are going to take out some of the contents of the index.php file and replace it with our include statement. Our header.php file should look like the following:

Contents Of header.php – Copy And Paste

<?php
	<a href="#">Home</a>
	<a href="#">Subpage 1</a>
	<a href="#">Subpage 2</a>
?>

Now we have two separate files. But we have a problem- how do we get the URLs from the header.php file into the index.php file? Simple! Review the code below to see where we put the include statement:

Contents Of header.php – Copy And Paste

<html>
<title>A Basic PHP Website Using Include</title>
<body>

<p style="text-align: center;padding: 10px;">
include("header.php"); ?>
</p>

<p style="text-align: center;border: 1px dotted blue;">
Welcome to our website! The links above are being used in includes- saving us time that can be best used for developing better features for this website.
</p>

</body>
</html>

Now upload both files to a same directory and test it out! If you’d like, you can change around the contents of the header.php file, upload it to your web server, and see the changes in real-time. This may not seem like a big time saver with only one page to use it on, but if we were to have a website filled with 100 pages, this would be quite the little time saver!

PHP Include Tutorial: Dealing With Variable Scope

Variable scope sounds like a mean phrase to anyone who doesn’t know what it is. The scope of a variable is just how far it “reaches”- or basically where it can and can’t be accessed. Variable scope can be seen when looking at two separate PHP scripts. If they are not connected in any way, then the variables of the first script will not interfere with variables in the second. (And vice versa)

We deal with scope in the Include construct quite simply because we are merging two files- so if we are using the same variable name in both scripts, which one gets precedence?

In our previous example we are not dealing with scope since we aren’t using any variables. But we can change that with the following edits to both index.php and header.php:

header.php – Edits To Show Variable Scope

<?php
  $home = "<a href='#'>Home<a>";
  $sub1 = "<a href='#'>Subpage 1<a>";
  $sub2 = "<a href='#'>Subpage 2<a>";
?>

We just declared our three variables as our links, so that we may see which variables take precedence in our index.php file. Our index.php file should be updated as seen below:

Contents Of index.php

<html>
<title>A Basic PHP Website Using Include</title>
<body>

<p style="text-align: center;padding: 10px;">
<?php 

$home = "";
$sub1 = "";
$sub2 = "";
include("header.php"); 

echo "$home $sub1 $sub2";
?>
</p>

<p style="text-align: center;border: 1px dotted blue;">Welcome to our website! The links above are being used in includes- saving us time that can be best used for developing better features for this website.</p>

</body>
</html>

So what do you think the script will output to the browser? As you can see, we declared each variable as an empty string before we included the file. But in the include of the file, we stated that the variables should contain links.

Upon testing this script, one can see that the output is going to be successful in displaying the correct navigation links. From this example it is seen that an included file will indeed overwrite variable values unless otherwise coded.

It should also be made clear that an include file is only going to have access to variables and functions that have been declared before the line used to include the file. In the following example we will declare a variable and reference it within the include file. (No need to test this out unless you want- you can easily see the results with the two short snippets below)

index.php – Testing Variable Scope

<?php
  $hello = "hello world!";
  include("echo.php");
?>

Now for the echo.php file:

echo.php – Testing Variable Scope

<?php
  echo  $hello;
?>

Once this script is run, we will see that “hello world!” is output to the screen. If we were to put the variable after the include line, we wouldn’t get any results at all.

PHP Include Tutorial – Two Major Security Concerns

PHP is considered a generally secure language since it hides the contents of the PHP code from the user. (Go ahead and view the source of the HTML of pages we have created- you won’t see PHP code!) If we take this protection away, anyone can see the contents of our scripts. Luckily you have to make the mistake of not using the PHP extension for this to happen.

It is sometimes common to see some use plain text or even a .INC file type for their includes. If you use the wrong extension or remove the PHP tags from the header.php file we were working with, you’ll notice that the plain text is output to the screen if you try to access header.php directly. This goes to show that when we use includes, always remember to use the PHP tags to enclose the data if it is using any type of sensitive data. (Or any time at all, since it builds good programming practice!)

The second major security concern is including files from a remote location. If we are only using local resources on our website, such as template files we have created, there is no reason to fret. But if we are pulling information from other websites, which is sometimes illegal in many cases anyway, the remote website can inject code into our websites and get confidential information with ease. As such, developers should only agree to use includes from remote resources if they are to be trusted without doubt.

Closing Comments

As we get more familiar with the Include statement, we can get a little more skilled in the way we use it. From using Includes in functions or even using IF statements to selectively include correct files, there is much to expand on here.