Simple PHP 5 error handling

<?php
//create function with an exception
function checkNum($number)
{
if($number>1)
{
throw new Exception(“Value must be 1 or below”);
}
return true;
}

//trigger exception in a “try” block
try
{
checkNum(2);//If the exception is thrown, this text will not be shownecho ‘If you see this, the number is 1 or below’;}
//catch exception
catch(Exception $e)
{
echo ‘Message: ‘ .$e->getMessage();
}
?>

Examples of using PDO objects in PHP

<?php

//Example of fetching data from a database using PDO objects

# using the shortcut ->query() method here since there are no variable
# values in the select statement.

try {

$dbhost = “localhost”;
$dbname    = “users”;
$dbusername = “root”;
$dbpass = “”;

//Connect to the database
$dbh = new PDO(“mysql:host=” . $dbhost . “;dbname=” . $dbname, $dbusername, $dbpass);

//the sql query
$sql = “SELECT * FROM users”;

//statment handle
$sth = $dbh->query($sql);

# setting the fetch mode
$sth->setFetchMode(PDO::FETCH_ASSOC);

echo(“——————————————–<br/>”);
echo(“An example of a while loop<br/>”);
while($row = $sth->fetch()) {
echo( $row[“first_name”] . “<br/>” );
$table[] = $row;
}

$dbh = null;

}  catch (PDOException $e) {
print “Error!: ” . $e->getMessage() . “<br/>”;
die();
}

echo(“<br/><br/>”);

echo(“——————————————–<br/>”);
echo(“An example of looping around an array<br/>”);

if ($table) {    //Check if there are any rows to be displayed
//Retrieve each element of the array
foreach($table as $d_row) {
echo( $d_row[“first_name”] . ” ” . $d_row[“last_name”] . “<br/>” );
}
}

echo(“——————————————–<br/>”);
echo(“An example of printing one element from the array<br/>”);
echo($table[0][“first_name”]);

?>

<?php

//Example of fetching data from a database using PDO objects

//This uses a prepared statement using named values

try {

$dbhost = “localhost”;
$dbname    = “users”;
$dbusername = “root”;
$dbpass = “”;

$first_name = “%paul%”;

//Connect to the database
$dbh = new PDO(“mysql:host=” . $dbhost . “;dbname=” . $dbname, $dbusername, $dbpass);

//the sql query using a named placeholder
$sql = “SELECT * FROM users WHERE first_name LIKE :first_name “;

//statment handle
$sth = $dbh->prepare($sql);

$sth->execute(array(“:first_name” => $first_name));

$sth->setFetchMode(PDO::FETCH_ASSOC);

echo(“<br/><br/>”);
echo(“——————————————–<br/>”);
echo(“An example of printing values from a select statement with parameters<br/>”);

while($row = $sth->fetch()) {
echo( $row[“first_name”] . “<br/>” );
$table[] = $row;
}

$dbh = null;

}  catch (PDOException $e) {
print “Error!: ” . $e->getMessage() . “<br/>”;
die();
}

?>

Some regular expression matches

Regular Expression     Will match…

foo     The string “foo”
^foo     “foo” at the start of a string
foo$     “foo” at the end of a string
^foo$     “foo” when it is alone on a string
[abc]     a, b, or c
[a-z]     Any lowercase letter
[^A-Z]     Any character that is not a uppercase letter
(gif|jpg)     Matches either “gif” or “jpeg”
[a-z]+     One or more lowercase letters
[0-9\.\-]     ?ny number, dot, or minus sign
^[a-zA-Z0-9_]{1,}$     Any word of at least one letter, number or _
([wx])([yz])     wy, wz, xy, or xz
[^A-Za-z0-9]     Any symbol (not a number or a letter)
([A-Z]{3}|[0-9]{4})     Matches three letters or four numbers

Possible way of dealing with inserting quote marks into a database

This is another possible way of dealing with quote marks for inserting data into a database :

if (!get_magic_quotes_gpc()) {
$item_name = addslashes($_POST[‘txtItem_Name’]);
}
else
{
$item_name = $_POST[‘txtItem_Name’];
}

Dealing with quote marks for inserting data into a database
———————————————————–

if (!get_magic_quotes_gpc()) {
$item_name = addslashes($_POST[‘txtItem_Name’]);
}
else
{
$item_name = $_POST[‘txtItem_Name’];
}

Regular Expression Will match…

Regular Expression     Will match…

foo                                The string “foo”
^foo                            “foo” at the start of a string
foo$                            “foo” at the end of a string
^foo$                         “foo” when it is alone on a string
[abc]                           a, b, or c
[a-z]                           Any lowercase letter
[^A-Z]                      Any character that is not a uppercase letter
(gif|jpg)                   Matches either “gif” or “jpeg”
[a-z]+                       One or more lowercase letters
[0-9\.\-]                  any number, dot, or minus sign
^[a-zA-Z0-9_]{1,}$      Any word of at least one letter, number or _
([wx])([yz])                    wy, wz, xy, or xz
[^A-Za-z0-9]                 Any symbol (not a number or a letter)
([A-Z]{3}|[0-9]{4})     Matches three letters or four numbers

Use regular expressions to validate PHP inputs

To help counter SQL injections you need to make sure that entered values use minimum character types as possible.  So you restrict usernames to just a-z and 0-9 characters.

To test for these, use something like :

//——————————————————
/**
* Purpose : Check input for paticular characters
* Only allow a – z, A – Z , 0-9
* returns true if a match was found, false if no match was found
* @return boolean
*/
function is_valid_input($words) {

if ( preg_match( “/[^0-9a-zA-Z]/”, $words, $array ) )
return false;        //invalid characters
else
return true;        //valid characters

}

Ways to counter SQL Injection

Database Permissions

Set the permissions on the database username / password as tightly as possible.  If you are displaying data, there is no need for the user to have insert or update permissions into the database.  One solution is to have two usernames / passwords.  One would have select permissions, and would be used only for display.  The other would have select, insert and update permissions used only for forms that require data to be stored in the database.

Test all data input

All form data and all url query strings should be tested.

For example, if you are passing data using a query string any record id’s are usually integer, so test that they are actually integer values with a function such as is_numeric in PHP.

Use correct data types and data sizes in the database

This means that if you have a colunn which is a persons name, the data type size for that column only needs to be 40 characters. There is no need to have a data size any larger than required.
Convert text to html

Before storing text in a database, convert it into html.  This will change inputs such as the Javascript <script> to its html equilivant which cannot be executed on a web page.

Filter out any characters that may cause issues. and are not required.

Use parameterized queries

If you use parametized queries for connection to the database you eliminate string concatenation.  You should always use parametized queries rather than constucting the sql.

Check characters particlarly with username / password

If an entry is a username, it normally does not require any other characters other than a to z and 0 to 9 and it only needs to be say, 8 characters long.

In php, always use the mysql_real_escape_string

http://uk3.php.net/mysql_real_escape_string

SQL Injection pdf

http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf

Description of paramised queries and slq injection in dot.net

http://msdn.microsoft.com/en-us/library/ms998271.aspx

Description of paramised queries and slq injection for php

http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php

How to create htaccess / htpasswd

Here is a simplified description on how to create an htaccess / htpasswd file :

To protect your admin area you can create an htaccess / htpasswd file.

(1) Create an .htaccess file

Go to http://www.htaccesstools.com/htaccess-authentication/

In the first box enter some optional text which gets displayed in the login box

In the second box you need to enter the file path name to a second file htpasswd file.  The htpasswd file is where the list of users / passwords are to be located.

Click on the button, copy the text and place it into a text file.  Name this file .htaccess and upload it to the folder that you want to protect.  In this case this would be the /admin/ folder.

(2) Create the .htpasswd username / password file

Go to http://www.htaccesstools.com/htpasswd-generator/

In the first box enter the username.

In the second box enter the password.

Click the button, copy the text and place it into a text file.  Name this file .htpasswd and upload it to a suitable location on your server.  This can be anywhere on your server, but usually in a defined folder.  The location is the same location as was entered in (1) above.

The folder as defined in (1) should now be protected by the username / password as defined in (2)

Resetting admin password in PHP-eSeller

The only way to reset the admin password is to do a SQL update statement on the database.

You will need to go into phpmyadmin or a similar program which can be user to administer the database tables.

The update statement that you can use is :

UPDATE ipn_tblpasswords SET userpassword = md5(‘admin’) WHERE username = ‘admin’

In this case it is assumed that the username is ‘admin’