FROM FUNCTIONS/BASIC.PHP


We can address these in any order; alphabetical seems as good as any.

AUTHENTICATE( )

This little function sends a 401 HTTP response code. This header forces your browser to open the username and password box shown in Figure 8-9.

function authenticate ($realm="Secure Area",
    $errmsg="Please enter a username and password") {
    Header("WWW-Authenticate: Basic realm=\"$realm\"");
    Header("HTTP/1.0 401 Unauthorized");
    die($errmsg);
}

The values entered into these text fields are set to the PHP variables $PHP_AUTH_USER and $PHP_AUTH_PW. PHP can then query MySQL to check if the values are stored in the database. Note that this function merely sends the header. It does nothing to check the values entered in the text boxes; they are checked in the guestbook2k/authenticate.php file. This function is called if either no values have been entered or the values match nothing in the database.

If the user hits the Cancel button, the string stored in $errmsg is printed.

202 Part III: Simple Applications

Figure 8-9: Results of a 401 unauthorized header

Tip

This type of authentication is available only if PHP is installed as an Apache module. If you are using PHP as a CGI, which is the only way to run it under Windows, this will not work. If you are doing some development work on Windows, go into the applications, comment out the calls to authenticate(), and create an include for the win_authenticate.php file.

CLEANUP_TEXT( )

This function goes a long way toward making sure we don't insert malicious text in our database.

function cleanup_text ($value = "", $preserve="", $allowed_tags="") {
    if (empty($preserve)) {
        $value = strip_tags($value, $allowed_tags);
    }
    $value = htmlspecialchars($value);
    return $value;
}

Chapter 8: Guestbook 2000, the (Semi- )Bulletproof Guestbook

This function accomplishes two things. First, it removes all HTML tags. The strip_tags() function takes care of that. No need to worry about malicious Britney Spears pictures here, unless you want them. You can indicate tags you want to keep with the second argument ($allowed_tags). For instance, if you wanted to allow bold and italic tags, the second argument to strip_tags() could be a string like this: "<b><i>".

Then htmlspecialchars() changes ampersands and double quotes to their proper HTML entities (&amp; and &quot;). After being run through this little function, your text is ready to be inserted in the database.

SAFE_QUERY( )

This function will save you from pulling your hair out when you're trying to get your queries right.

function safe_query ($query = "") {
    if (empty($query)) {
        return FALSE;
    }
    $result = mysql_query($query)
        or die("ack! query failed: "
            ."<li>errorno=".mysql_errno()
            ."<li>error=".mysql_error()
            ."<li>query=".$query
        );
    return $result;
}

Throughout the application, you will run your queries through this function. This way, if a query fails for some reason, you will get a pretty good idea of what happened. This is another example of safe coding. After troubleshooting your code, you won't run into these problems often, but if a change is made somewhere (perhaps without your knowledge) you'll get a pretty good idea of what's going on.

Tip

For a site that is publicly available, there is a danger in running every query through this function. If a query fails, a hacker is likely to see more about your setup than you'd like. To prevent this from happening you could define a constant (discussed shortly) that prevents the function from printing out descriptive errors. Something like this:

function safe_query ($query = "") {
    if (empty($query)) {
        return FALSE;
    }
    if (QUERY_DEBUG == "Off") {
        $result = mysql_query($query)
            or die("Query failed: please contact the Webmaster");
    } else {
        $result = mysql_query($query)
            or die("ack! query failed: "
                ."<li>errorno=".mysql_errno()
                ."<li>error=".mysql_error()
                ."<li>query=".$query
            );
    }
    return $result;
}
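The same idea for a current PHP, as an added example that is not the book's code: the mysql_* functions it uses were removed in PHP 7, so this version uses mysqli, keeps the QUERY_DEBUG switch, and adds two things the tip implies but does not show: the full error always goes to the server's error log via error_log(), and values are passed as prepared-statement parameters. The $db connection, the query_failed() helper and the table names in the usage comment are assumptions.

```php
<?php
// Added example (not from the book): safe_query() rewritten for mysqli.
// QUERY_DEBUG, the $db connection and the query_failed() helper are assumptions.

// Leave this "Off" on a public site: the visitor sees a generic message and
// the real error text is written to the web server's error log instead.
if (!defined('QUERY_DEBUG')) {
    define('QUERY_DEBUG', 'Off');
}

function safe_query(mysqli $db, string $query = '', array $params = [])
{
    if ($query === '') {
        return false;
    }
    // Prepared statement: the values travel separately from the SQL text,
    // so a quote or semicolon in $params cannot change the query's structure.
    $stmt = $db->prepare($query);
    if ($stmt === false) {
        return query_failed($db->errno, $db->error, $query);
    }
    if ($params !== []) {
        // Bind every value as a string; MySQL converts numbers as needed.
        $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    }
    if (!$stmt->execute()) {
        return query_failed($stmt->errno, $stmt->error, $query);
    }
    // get_result() gives a mysqli_result for SELECT and false for statements
    // without a result set (INSERT, UPDATE, ...); report those as success.
    $result = $stmt->get_result();
    return $result === false ? true : $result;
}

// Always record the detail server side; only echo it when debugging is on.
function query_failed(int $errno, string $error, string $query)
{
    error_log("safe_query failed: errno=$errno error=$error query=$query");
    if (QUERY_DEBUG == 'Off') {
        die('Query failed: please contact the Webmaster');
    }
    die('ack! query failed: '
        . '<li>errorno=' . $errno
        . '<li>error=' . htmlspecialchars($error)
        . '<li>query=' . htmlspecialchars($query));
}

// Constructed usage (assumed table and column names):
// $db = new mysqli('localhost', 'user', 'pass', 'guestbook');
// $rows = safe_query($db, 'SELECT * FROM guestbook WHERE name = ?', [$name]);
```

Even in debug mode the error text and query are passed through htmlspecialchars() before being echoed, so a failing query cannot inject markup into the error page.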