I'm working on a site in php. Originally I had a lot of html pages but they were all very similar in that they had a heading, an image, and some text. I was able to consolidate my pages into one php page and pass in the heading and image name as GET variables. I wouldn't want to pass a lot of text this way though. What's the best way to do this? I was thinking of including the text from a text file but then I'd have a text file for every item. I also thought that I could have a database and read the text from there. What do you guys think?
According to me, it is better you use the database and just pass the ID's, through the $_GET.
You can divide your page in three sections.
header.php // including all the header section
body.php // your main content, varying according the $_GET
footer.php // footer section
Thanks.
pass in the heading and image name as GET variables
This is probably not secure. And its a bad coding practice to rely on GET's for your page structure. Why not use includes?
As for storing the data, the database is the way to go, flat files suck.
So, you could pass a unique ID for the text, and always include your header and footer:
include_once('header.php');
//If the id is valid, use it to query the text from the database.
include_once('footer.php');
You're right, using GET variables is inconvenient. It is also very insecure, since an attacker could trick a user into following a link which would inject HTML into the page, which could then pass the user's cookies to the attacker.
The most common approach is to store the various content blocks in a database such as MySQL. See the PHP MySQL docs to get started. You can then set up a simple form or WYSIWYG editor such as TinyMCE to allow the site administrator to edit content.
Related
I am creating a website for a local company and I am splitting off the header for each page into a individual php page which I then include into each page. I was wondering what would be the best practice to insert individual description and title content into the php header for each individual page. Should I create a php variable before the included header.php link and then insert that variable argument into the title and description tags in the php file? Each variable would have different titles and description depending on what page it's on. Or would it make more sense to someone include these different description and title content into another external php page? If you have a even more correct/easier way that would also work best with SEO please let me know. Thanks!
I would suggest creating a Metadata object definition, with all of the properties required (description, tags, etc). Then instantiate a Metadata object for each page of the site, just before including your header, and use the values of the current Metadata object in the header.
split your logic (and titles, page information, dynamic content) from your templates via an MVC type architecture
here are some easy to learn templating engines (and I believe the two most popular)
http://www.smarty.net
http://twig.sensiolabs.org
You can read about MVC architecture here: http://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller
However you do it, basically what you suggest initially is one of the best ways. Define a variable, or object, or whatever, in each page before the inclusion of the header.php file (again, whether that's a template, or just a regular php inclusion, up to you). Then just set them to whatever you want for each page, and you're good to go.
Personally, I would recommend using a template engine like Smarty.
As for SEO, that's an entirely different conversation. That's more related to the content of the variables, as opposed to the implementation of them.
I'm trying to build something similar to the "Try on your site" on http://www.mywebpresenters.com/
I want to let users enter in their URL, then I need to save the HTML of that URL/Page to a MySQL database using PHP. I then need to insert a div containing more code and then serve up the whole lot to the user again.
I have done this using an IFrame but I'd like to do it better.
Can anyone shed light on this? Also, This will be used on a WordPress site if that adds in anyway.
Thanks in advance,
Barry
If you want to save the whole html page in the database use the smarty. It simply fetch a html file in a variable like
$myvar = smarty->fetch('htmlfile');
now you can simply save the $myvar into the sql.
Unless you are prepared to parse the HTML and remove the head/body tags of the scraped page, than an iFrame is the way to go. You could probably use a find/replace algorithm when you retrieve the stored HTML from the server to insert the containing code that you need into the correct location.
The only way I could personally think of doing this is having them upload the page to your site and then doing a mysql query using PHP to store it into database. Then using the PHP 5 DomDocument model to take that same code and save it as a dynamic page.
Well actually, you can do it two ways. You can use PHP cURL library to get the url of the page and simply parse and save the HTML code to the database as well.
To present it in a div you want to use javascript and get the div a target _top attribute so window.open can load the content in that page.
You don't even need WordPress for this to be honest. This can be done by scratch.
I have problem with PHP and JavaScript/CSS.
I have database with table. The table has a descriptions of articles. I want to echo the descriptions of the articles from database. Unfortunately many of them has a JavaScript or CSS included ( Then some article text), so when I use echo, it shows all of that code (and after that text). Is there any way to not show the JavaScript/CSS part and show only the text? For example with str_replace and regular expression? If yes, can somebody write me how it should look like?
Thanks for help and let me know if u need more info (code etc.)
Use HTMLPurifier - it will remove the scripts, css and any harmfull content from your articles. Since it is a CPU-intensive operations, it's better to run article trough HTMLPurifer before saving in the database, then to run it each time you are showing the article.
If you're trying to remove tags from a user's post, you can call strip_tags. This will get rid of css links, script tags, etc. It will not get rid of the style attribute, but if you get rid of div, span, p, etc. that won't matter -- there will be no tag for it to reside on.
As has been stated by others, it is generally best to sanitize your input (data from user before it goes into the DB), than it is to sanitize your output.
If you're trying to simply hide the JS and CSS from users, you can use Packer to obfusicate Javascript from less-savvy users, use Packer and use base 62 encoding. The JS will still work but will look like jiberish. Be aware that more knowledgeable users can attempt to unobfusicate the code, so any critical security risks in the JS still exists. Don't think any JS that accesses your databases directly will be safe; instead remove database access from the Javascript for security. If the JS is just to do fancy things like move elements around the page it's probably fine to just obfuscate it.
Only consider this if YOU have complete control and awareness of all JS included with the articles. If this is something your anonmous or otherwise not 120% trusted users can upload, you need to kill that functionality and use HTML Purifier to remove any JS they might add. It is not safe to output user entered JS, for you or your users.
For the CSS, I'm not sure why you want to hide it, and CSS can't be obfuscated quite like JS can; the styles will still be in plain English, best you can do is butcher the class/id names and whitespace; outputting CSS that YOU generated isn't a real security risk though, and even if people reverse engineer it I wouldn't be that afraid.
Again, if this is something anonymous/non trusted users can ADD to your site on their own, you don't want this at all, so remove the ability to upload CSS with an article using the HTML Purifier Darhazer mentioned.
You can try the following regex to remove the script and css:
"<script[\d\D]*?>[\d\D]*?</script>"
"<style[\d\D]*?>[\d\D]*?</style>"
It should help, but it cannot remove all the scripts. Like onclick="javascript:alert(1)".
I want to upload dynamically content from a soccer live score website to my database.
I also want to do this daily, from a single page on that website (the soccer matches for that day).
If you can help me only with the connection and retrieval of data from that webpage, I will manage the rest.
website: http://soccerstand.com/
language: php/java - mysql
Thank you !
You can use php's file function to get the data. You just pass it a URL and it returns the content as an array of lines from the file. You can also use file_get_contents to get the content as one big string.
Ethical questions about scraping other site's data aside:
With php you can do an "open" call on a website as long as you're setup corectly. See this page for more details on that and examples: http://www.php.net/manual/en/wrappers.http.php
From there you have the content of the web page and it's a matter of breaking it up. Off the top of my head, I'd use regular expressions or an HTML parser to break apart the HTML, and then loop through the child elements and parse the data into your database calls to save the data.
There are a lot of resources for parsing HTML on the web and it's simply a matter of choosing the one that will work best for you.
Keep in mind you'll need to monitor the site for changes, because if they change elements, or their classes/ids you might need to change your parsing structure as well.
Using curl you will get the content of the page, then using regex you will get what you want.
There is an easy way: http://www.jonasjohn.de/lab/htmlsql.htm
How is it possible to allow a user to create a webpage containing some html, based on their entries in a form? ie. I would want them to be able to input a name and when the button is clicked, a webpage called that name would be created. I imagine that this must be possible in php, but what functions/code would I be using?
Thank you!
First of all, I would ask myself if this really what I need.
Why don't you just create a basic template page and pass the data as a parameter?
Something like:
user.php?name=joachim
If you still want to do that, you could use the PHP functions for opening, writing and closing files:
http://php.net/manual/en/function.fopen.php
http://php.net/manual/en/function.fwrite.php
http://php.net/manual/en/function.fclose.php
Here's a tutorial on how to create a file in php:
http://www.tizag.com/phpT/filecreate.php
This can pose big security risks in the first place, anyways, suppose form is submitted with html text, you can go about something like this:
$handle = fopen('file_name.html', 'r+');
// write to file
fwrite($handle, $_POST['fieldname']);
close($handle);
Note: You got to consider XSS and other security issues because you are allowing users to create pages. Bad guys can exploit it easily.
Resoures:
PHP File Handling Functions
XSS
Finally, a must read PHP security guide:
http://phpsec.org/projects/guide/
Idea:
Just allow them minimal of customization and use a pre-made page where you could insert this user data. Ofcourse as said, you need to sanitize the user-submitted data and consider security issues.
I would just have a page that acts as a template that populates based on the fields you mention, unless you actually need a physical file.
The template makes changes and security much easier.
UPDATE: Basically you can either have your form submit to a page that prints those POSTed fields to the appropriate spots or post to a database and then pull to the page.
You'd need to extract the entries of the form from the $_GET or $_POST arrays, and then use file writing functions such as fwrite to create a file. Theres an example on how to do a simple write here.
Excluding the fact that it is a security risk to allow users to create any files on the host...
You can create a file via fopen(), fwrite() and fclose() or using file_put_contents(). I prefer using some kind of template file which you load first, then add the user input values in it and then save the whole string via fwrite() or file_put_contents(). You get the user inputs from the $_GET or $_POST array, depending on the method you used in your form.
By saying "create a webpage containing some html, based on their entries in a form" I'm going to assume ( yeah yeah I know) that what you really mean is to determine the contents of a page by the entries from the form.
Gonna try and explain this as basically as possible, because I'm not completely sure I understand your intent.
When you write the form, you will have an tag that contains action="example.php". This means that it will perform the actions on example.php
In example.php, you can then retrieve the variables passed to it from the form by looking within your $_POST[] array variable. Then, you can change the structure of example.php or your result page by using the variables in php to determine what you print.
I don't think generating a physical file would be necessary, and since you're using a form to get the information in, $_GET is kind of pointless (I'd guess in most cases).