Hooking the PHP Runtime - php

Is there any way in php.info (or other config file) for me to indicate a script to be run every single time PHP is invoked?
I'm interested in mapping HTTP requests for a particular page to a Controller class representing that page, similar to how a lot of MVC frameworks (like CI) work.
For instance, the user clicks a link that should map to /webroot/some/url/widget.php, but rather the /webroot/app/mvc/controllers/WidgetController.php class is what gets invoked instead.
To do this, I figure MVC frameworks like CI have figured out a way to "hook" the PHP Runtime by running a script that runs and says "oh, the request is for widget.php, but we want to actually run the WidgetController.php object."
Any ideas/thoughts/suggestions/concerns?
Thanks!

I think you might be on the wrong trail here. Zend Framework and other Frameworks I know use mod_rewrite or similar techniques to redirect requests, which are then processed by some kind of Front Controller.
This means that your request to example.org/mypage is being redirected by Apache (not PHP) to myfrontcontroller.php, which then decides how to handle the incoming request.

What you're looking for is the php.ini option auto_prepend_file.

You need a router, and apache mod_rewrite or equivalent. You set up mod_rewrite to send all requests to a single file, such as /index.php. The router then looks at the request URL and determines which controller file to load and which method to call. Pretty much any MVC framework has this functionality built-in, and they all work pretty much the same.

An index.php in the webroot should be sufficient, the path will be passed as the server variable PATH_INFO.

See http://us3.php.net/manual/en/ini.core.php#ini.auto-prepend-file
Edit: My answer is simply meant to be an FYI. As others have mentioned, mod_rewrite is the accepted way to solve the problem.

Related

Basic question about REST APIs endpoint creation and access and how to create an app script

I've been recently learning about REST APIs (concretely using MySQL and PHP) so it's hard for me to understand basic concepts since most of the sites I check have more advanced solutions.
My doubt is the following: I know that an endpoint is the place where we get the data, but I'm not sure about the URI format, sometimes I've seen it as a php file path and other times it doesn't have an extension, but I don't know which one is correct, or if both are.
In case the URI format has no file extension (like performing a GET in the endpoint /api/update), do I forcefully have to have a "controller" file to which all the URIs are redirected and treated depending on the case, or is there a better way to handle them?
I've also been asked to make a script to run a backend app and a frontend and backend app, as in a script that will execute everything when launched (calling other scripts if necessary and so on) but I don't know what they mean exactly by that or how to do it. I thought that having a index.php (for example) in which you can have a couple of buttons that would trigger the requests was already it but it's not, so what is it exactly?
Sorry for the basic questions but I've looked at many solutions in here and other websites and I still can't grasp the concept.
Thanks in advance.
The answer to this question is yes. Common practice is to have a PHP application use the front controller pattern, where a single publicly available script (usually index.php) is solely responsible for delegating all incoming requests to the appropriate part of your application (your actual "controllers"), often relying on server configuration to do the actual "redirecting" (rewriting, allowing for omitted file extensions and "pretty URLs"). This design approach is common because most popular frameworks support it out of the box, from the Laravel and Symfony big boys, to microframeworks like Slim, Silex and Lumen. Perhaps giving these frameworks a try will help you understand how this works and how they do it.
Not sure if I understand your question correctly, but it sounds like you are being asked to provide/implement a deployment script; a script that runs a set of commands in order to easily install, bootstrap and start the entire application. Think of commands like composer install, commands that initialize/seed the database, or commands that build your frontend assets. The actual commands are specific to the application, but the goal is to easily provide a fresh installation and deployment of your application by executing a single script. These scripts are usually sh scripts executed from the command line.

Simplifying URL without using .htaccess

How to modify URL such as www.mysite.com/dir.php?ID=123
to www.mysite.com/dir/123 without using or involving .htaccess
cause I can't access .htaccess on our server.
If this is your own application and not the standard framework/CMS then you can implement your own rewrite engine in PHP so the URLs would look like www.mysite.com/index.php/dir/123.
That's slightly worse than the clean URLs but that's the best you can achieve.
When you run the url like that the $_SERVER['PATH_INFO'] PHP variable would store "/dir/123" which is then your job to parse and transform to the params you need and then invoke or include the right script.
IIRC Kohana is built like that. So you can look at their code for inspiration.
The only other option is using a rewrite engine on the web server software, e. g. mod_rewrite for Apache.
But as long as you don't even control files on your server, you probably don't have access to Apache configuration.
Your web app/CMS should have support for nice URLs too.
Short story is:
You can't
At least you should be able to use .htaccess to normally do this. If you can't even use that, other options will most probably also be limited out for you.
But there is one work-around that you MAYBE (I'm absolutely not sure) can use...
Are you allowed to set your own 404 error pages?
If so, try setting a 404page.php that acts as your entry point, sends out a http_response_code(200); and does what it further should do.
Of course you should remove any index.php from your public_html and not use any of the URLs that should be handled by the handler, so they will lead you to the 404page.php.
(Let me know if this worked :). )
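
Added example, not from any of the posts above: a minimal front controller (index.php) that parses PATH_INFO the way the answers in this thread and in the first thread describe, resolving it through a fixed allow-list so the request path never chooses a file to include. The route table, controller names and parameter patterns are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical route table: first path segment => [controller class, parameter regex].
// Only names listed here can ever be dispatched; the URL never becomes a file path.
// \A and \z anchor the whole string, so a trailing newline cannot slip past the check.
const ROUTES = [
    'dir'    => ['DirController',    '/\A\d{1,9}\z/'],
    'widget' => ['WidgetController', '/\A[a-z0-9-]{1,32}\z/'],
];

/**
 * Turn a PATH_INFO string such as "/dir/123" into [controller, param],
 * or null when the path does not match a known route.
 */
function resolve_route(string $pathInfo): ?array
{
    // Drop empty segments so "/dir/123/" and "//dir//123" behave the same.
    $segments = array_values(array_filter(explode('/', $pathInfo), 'strlen'));
    if (count($segments) !== 2) {
        return null;
    }
    [$name, $param] = $segments;
    if (!array_key_exists($name, ROUTES)) {
        return null;                      // unknown first segment, e.g. ".."
    }
    [$controller, $pattern] = ROUTES[$name];
    if (preg_match($pattern, $param) !== 1) {
        return null;                      // parameter fails validation
    }
    return [$controller, $param];
}

// Constructed sample paths; in index.php the input is $_SERVER['PATH_INFO'] ?? '/'.
foreach (['/dir/123', '/widget/blue-one', '/dir/123abc', '/../123', '/dir'] as $path) {
    $route = resolve_route($path);
    if ($route === null) {
        // A real front controller would call http_response_code(404) here.
        echo "$path -> 404\n";
        continue;
    }
    [$controller, $param] = $route;
    // A real front controller would load the class from outside the web root here.
    echo "$path -> $controller($param)\n";
}
```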

PHP: bootstrap.php

What is bootstrap.php? I got a project that in the .htaccess reads SetEnv AE_BOOTSTRAP /full/path/to/_app/bootstrap.php
However, that file does not exist in the project... Is this something from PHP?
No, bootstrapping is not a part of PHP. Rather it is a file that is generally run at installation time, or with PHP for every request, that takes care of making sure everything is included and general startup procedures are taken care of.
You can find more information about BootStrapping here.
It's not a PHP feature but just some code that is executed at the start.
With regards to computer technology, “bootstrap PHP code” means creating a bootstrapper that handles all the dynamic requests coming to a server and apply the true MVC (Model View Component) framework so that in future you can change the functionality for each unique component or application without changing the entire code or application.
This file should be on the server otherwise, nothing can be assigned via code...
bootstrap.php is just a conventional name for a PHP file that loads up your project environment. If you have a .htaccess that's pointing to one that doesn't exist, that sounds like garbage left over from a dead software installation.
That's probably a line from a previous (or current) php framework, which would use that constant to define the path to their bootstrapping script.
A Bootstrap is a script consisting of multiple class definitions in a single file, to reduce the overhead of a large variety of classes.

How to hide the url in php

Is it possible to hide the url in the address bar of the web browser so that it won't necessarily match the location of the files.
For example, this url:
http://localhost/exp/regstuds.php
You will always know by looking where to find the files in the computer.
Is it possible to distort or disarrange or hide the url in such a way that the location of the files will not be revealed
Yes, if you're using Apache look into using mod_rewrite. There are similar rewrite modules for pretty much all other web servers too.
I hope your sole motivation for doing this is not "security through obscurity". Because if it is, you should probably stop and spend more time on something more effective.
If you are hosting your php on an Apache server, you probably have the ability to use the mod_rewrite utility. You can do this by adding rules to your .htaccess file...
RewriteEngine on
RewriteRule ^RegStuds/ regstuds.php
This would cause http://localhost/RegStuds/ to actually render regstuds.php, but without ever displaying it in the address bar.
If you are on IIS, you can perform the same function using an ISAPI Rewrite Filter.
If you don't have mod_rewrite or an ISAPI Rewrite Filter, you can get a similar result using a folder structure, so you would have a physical path of RegStuds/index.php - and you would never need to link to "index.php" as it is the default file. This is the least recommended way of doing it.
No, it's not.
Each bit of functionality must have a unique identifier (URI) so that the request is routed to the right bit of code. The mapping can be non-linear using all sorts of tricks - mod_rewrite, front controller, content negotiation...but this is just obscuring what's really going on.
You can fudge what appears in the address bar on the browser by using a front-controller architecture and using forms / POSTs for every request but this is going to get very messy, very quickly.
Perhaps if you were to explain why you wanted to do this we might be able to come up with a better solution.
C.

Is "do not load this page directly" really necessary in PHP?

I was going to ask what the best way to do this is, but then decided I should ask whether or not it is even necessary. I have never seen it done in JSP development, but it appears to be common practice in PHP. What is the reasoning behind this, and if I do not protect against this, what else should I be taking into consideration?
The reason this is more common in PHP than other similar languages has to do with PHP's history. Early versions of PHP had the "register_globals" setting on as a default (in fact, it may not have even been a setting in really early versions). Register_globals tells PHP to define global variables according to the query string. So if you queried such a script thusly:
http://site.com/script.php?hello=world&foo=bar
... the script would automatically define a variable $hello with value "world" and $foo with value "bar."
For such a script, if you knew the names of key variables, it was possible to exploit the script by specifying those variables on the query string. The solution? Define some magic string in the core script and then make all the ancillary scripts check for the magic string and bail out if it's not there.
Thankfully, almost nobody uses register_variables anymore, but many scripts are still very poorly written and make stupid assumptions that cause them to do damage if they are called out of context.
Personally, I avoid the whole thing by using the Symfony framework, which (at least in its default setup) keeps the controllers and templates out of the web root altogether. The only entry point is the front controller.
If you include everything from outside web root then it's not an issue as nothing can be loaded directly.
Well, this is to prevent sensitive includes from being sent to the web-server directly. It's certainly not an all-inclusive security measure, but it could help with your particular setup.
If however, your user was in a position to include the file from their own script, it won't help at all.
I emit a 404 page, not as a serious security measure but only because I don't like leaking information about the internals of a site, even the names of internal files.
But if the file just contains functions then there's no real harm in omitting the check.
It also isn't just a security feature in php but more of how many MVC based PHP sites function. If for example in SugarCRM you were to call a module file directly the page load would fail because the controller, view and model were not previously loaded and you'd have no db config/connection information either, so to make sure all dependencies are loaded the user is forced through a known entry point - i.e. index.php
I just found an approach in the .Net MVC system that you could replicate for PHP using Apache Rewrites, .htaccess files or if you are using IIS, a web.config file.
As the MVC pattern doesn't need the user to directly access aspx files these are not served and a 404 is sent instead. If you have a naming convention for included files "inc.php" for example you could redirect *.inc.php requests to a 404 for specific folders - in Apache Rewrite, supplying R=404 at the end of the rule will return that HTTP status to your client.
Some of these examples may help: Apache Rewrite Examples
As already mentioned in some of the other answers, you shouldn't need to do this. If a file isn't supposed to be served up by the web server, you shouldn't leave it within the web folder. Includes should be placed in a directory outside the web root.
Apart from that, the proper way to tell the user that a page doesn't exist, is by emitting a status 404, using:
header("HTTP/1.0 404 Not Found");
exit;
If you don't do this, it is hard for non-humans (Eg. search-engines) to distinguish between a regular page and a non-page.
This is very important because if you are editing your site running Google Toolbar, it will find your inner php files and then put them into search results. At best this will create an awkward experience for users but if you are a sloppy programmer, could reveal database connection information.
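
Added example, not from any of the answers above: a simulation of the register_globals problem and the "magic string" guard this thread describes, with one function standing in for an ancillary script so the three cases run side by side. The constant name APP_ENTRY, the variable $is_admin and the sample request are assumptions; extract() is used only to imitate the removed register_globals behaviour.

```php
<?php
declare(strict_types=1);

/**
 * Simulates one request to an ancillary script on a register_globals-era setup.
 * $query          constructed query-string parameters
 * $viaEntryPoint  true when the core script included this file, false when the
 *                 web server was asked for the file itself
 * $guarded        true when the file starts with the magic-string check
 */
function ancillary_script(array $query, bool $viaEntryPoint, bool $guarded): string
{
    // What register_globals did: each query key becomes a variable in scope.
    // EXTR_SKIP keeps this function's own parameters from being overwritten.
    extract($query, EXTR_SKIP);

    // Stand-in for the real guard line: defined('APP_ENTRY') or exit;
    // A constant set by the core script cannot be supplied in the query string.
    if ($guarded && !$viaEntryPoint) {
        return '404';
    }

    if ($viaEntryPoint) {
        $is_admin = false;   // the core script sets state before including
    }

    // Script body written on the assumption that the core script ran first.
    return !empty($is_admin) ? 'admin view' : 'public view';
}

// Constructed request, equivalent to script.php?is_admin=1
$query = ['is_admin' => '1'];
printf("direct, unguarded: %s\n", ancillary_script($query, false, false));
printf("direct, guarded:   %s\n", ancillary_script($query, false, true));
printf("via core script:   %s\n", ancillary_script($query, true, true));
```

Only the direct, unguarded call lets the request decide the value of $is_admin; keeping such files outside the web root, as several answers recommend, removes the direct case altogether.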
