ITEC 325 2016fall ibarland

home—lects—hws
D2L—breeze (snow day)

form-handle-test-sanitize
testing forms; sanitizing html

We've been talking about input forms (html elements), and then php scripts to process a submitted form:

• The URL that handles the submitted form is the one given in the form tag as the submit attribute:

  <!-- inside form.php (or, form.html) --> <form submit='submit.php' action="post"> Login: <input type='text' name='userid' /> <br /> Remember me?: <input type='checkbox' name='remember' value='yep' /> … </form>

• Use the $_POST (or, $_GET) array to look up values; for indices (keys), use the name attribute that you gave the input-element back in the html.

  <!-- inside submit.php --> <?php echo "Hey there ", $_POST['userid']; if (array_has_index('remember',$_POST)) { echo "How could I ever forget?"; // $_POST['remember'] = 'yep' } ?>

• Note that checkboxes which weren't checked, etc., don't have any entries in $_POST (even though you might wish it had an entry with value “false” or something).
• If you gave several input-elements the same name attribute, and the name ends in “[]”, then in $_POST look it up without the “[]”, and you'll get an array of all the values (with numeric indices/keys).
• Use http post when the URL-request                                                       ;
  Use http get when the URL-request                                                                                                                                   .
• php detail: When a php program contains anything not inside “<?php … >”, those lines are simply                 .

testing a form-handler

Our functions have test cases, and this helps gives us confidence before we ever deploy to the web. But what about form-handlers? The result from form-handler is a long page that includes various bits from the form. It's too tedious to make this a check/expect sort of test, since the details of the html part of the output aren't relevant (and might change). Moreover, generating the page requires the POST data, that were entered by hand back in the form. But we would like to be able to check that the form-handler without going through the web, and also eyeball-check the result on certain inputs w/o having to continually re-type the inputs and call up the form.

Solution: Make a php program which simply initializes $_POST, and then require's the form-handler. Recall the sample form from last lecture (and recall what happens when it submits). Then, inspect:

• forms-handle-sample-1_php.txt source; results.
• forms-handle-sample-2_php.txt source (alternate init syntax); results.
• forms-handle-sample-0_php.txt source (degenerate sample); results.
• forms-handle-sample-3_php.txt source; results.

Awesome sauce: We can run these sample-inputs locally, or over the web. The former is useful when the latter isn't showing up as expected.

Sanitizing input

When creating a page which includes something typed in by the user (from a previous text-input), we must be careful! What could the user have typed, that would goof up our web page?

• htmlspecialchars
• nl2br

• Note that to prevent errors, some php servers used to enable “magic quotes”: When setting up the $_POST array, they will guard against malicious/accidental breaches by adding a slash in front of any quote-characters. This default-server-behavior has been deprecated and may be discontinued eventually (though php.radford.edu still uses them as of 2015-Sep-28).

  A poor solution is to always call stripslashes on all input. A better solution — one that won't have to change if the server's behavior changes — is to check whether or not the server is configured to auto-add slashes, via get_magic_quotes_gpc, and only call stripslashes in that case.

  /** Return $_POST[$fieldname] (removing magically-introduced slashes if any were added). */ function getInput($fieldname) { return get_magic_quotes_gpc() ? stripslashes($_POST[$fieldname]) : $_POST[$fieldname] ); }

Quick q: suppose a user types:

  hi
<3

• $_POST['msg']
• nl2br($_POST['msg'])
• htmlspecialchars($_POST['msg'])
• nl2br(htmlspecialchars($_POST['msg']))
• htmlspecialchars(nl2br($_POST['msg']))

We have seen arrays, and mentioned that if they have all-numeric indices (keys) then we can process them with a for loop or a while loop, using the same syntax that Java and Javascript happen to use.

Then we saw that if an array has keys which aren't all numeric, we can use a foreach loop to process them:

  $myData = array( 'hi' => 'hallo', 'good day' => 'guten Tag', 'see you later' => 'auf wiedersehen' );

  foreach ($mydata as $german) {
    echo $german, "\n";
    }

  foreach ($mydata as $english => $german) {
    echo "You say '$english', I say '$german'.\n";
    }

directory-processing

Look at the documentation for scandir.
Since it returns an array of filenames, it's a natural match to use with other functions that want an array of strings: For example, echo htmlLines( scandir( '/ibarland/Tmp' ) );

array_map

Suppose we wanted an English list of hyperlinks, separated by commas, with the word "and" before the last item. This decomposes into two orthogonal parts:

• make a comma-separated list, from an array of words,
and
• convert each word to a URL

To create the array, hopefully you also used your function hyperlink, written from hw02. (If you wrote the same long HTML a tag over and over, that's a sign that a function would be better.) So you might have a loop:

  $URLsAsText = array( "http://d20srd.org", "http://www.radford.edu", "http://google.com" );

  $URLsAsHTML = array();
  foreach ($URLsAsText AS $url) {
     $URLsAsHTML[] = hyperlink($url);
     }

  echo "It should appeal to users of ", commaSeparatedList( $URLsAsHTML ), "."
  

Any other repeated stuff? Hmm, the “http:” prefix was kinda annoying, but writing a loop for that seems definite overkill.
(Design Question: Should hyperlink be prepending a http:? How does this limit what it can do? Does it violate the principle of least surprise?)

It's kinda annoying to keep writing loops that make a new array of updated values. Most of the loop is very rote — the only part that differs is the particular rule to transform the individual element to the new element. (In the example above, the answer is “the function hyperlink”.)

There is a handy function, array_map: You pass it an array of data, and you pass it the rule (function) on how to transform each individual datum, and it gives you back the entire transformed array. So our loop above gets turned in to:

  $URLsAsText = array( "http://d20srd.org", "http://www.radford.edu", "http://google.com" );
  $URLsAsHTML = array_map( $URLsAsText, "hyperlink" );
  echo "It should appeal to users of ", commaSeparatedList( $URLsAsHTML ), ".";

  $URLsAsText = array( "http://d20srd.org", "http://www.radford.edu", "http://google.com" );
  echo "It should appeal to users of ", 
       commaSeparatedList( array_map( $URLsAsText, "hyperlink" ) ),
       ".";

Finally, note that we can also handle the “prepend “http://” to each item” issue. We could make a separate function and pass that to array_map, or we could use an anonymous function:

  $URLsAsText = array_map( array( "d20srd.org", "www.radford.edu", "google.com" ),
                           function ($domain) { return "http://" . $domain; } );
  

  echo "It should appeal to users of ", 
       commaSeparatedList( array_map( array( "http://d20srd.org",
                                             "http://www.radford.edu",
                                             "http://google.com" ),
                                      "hyperlink" ) ),
       ".";

function arraymap( $arr, $func ) {
  $result = array();
  foreach ($arr AS $k => $v) {
    $result[$k] = $func($v);    // call the function we were handed, and store the answer in our array $result.
    }
  return $result;
  }

home—lects—hws
D2L—breeze (snow day)

©2016, Ian Barland, Radford University Last modified 2016.Sep.30 (Fri)

Please mail any suggestions (incl. typos, broken links) to ibarlandradford.edu