PHP: Further Skills 02 By Trevor Adams. Topics covered Persistence What is it? Why do we need it? Basic Persistence Hidden form fields Query strings Cookies.

Presentation transcript:

PHP: Further Skills 02 By Trevor Adams

Topics covered Persistence What is it? Why do we need it? Basic Persistence Hidden form fields Query strings Cookies Sessions

Persistence – What is it? Broadly, it is any mechanism that allows values from one page activity to be available on the next.

Persistence – State Management. So why do we need it? HTTP has no way of tracking a user's visit to a web site; HTTP simply responds to requests for resources. Web applications demand more functionality than simple, static web pages can provide. Data-driven web sites often provide access to relatively sensitive data.

Persistence – Form fields. Hidden form fields provide a simple way to maintain application state. They are simple to use: plain HTML, generated by PHP statements. They provide a useful way of processing data differently from one form. E.g. editing and adding a record can use the same form: the action required can be determined from a hidden field named action, and the script that catches the post can query action and act appropriately.

Persistence – Form fields. Form fields have their disadvantages. They have to be managed by the programmer, which can be laborious on many forms. Data has to be obfuscated if sensitive; this is not ideal. Remember – HTML is plain text. They have to be sent to the server each round trip.
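
Obfuscating a hidden field does not stop the person using the browser from changing it, so the receiving script has to check what comes back. As an added example (not from the original slides), here is the add/edit form described above with an HMAC over its hidden fields; APP_KEY, save.php and the sig field are assumptions, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not from the slides. APP_KEY, save.php and the "sig" field
// are assumptions; keep the real key in server-side configuration.
const APP_KEY = 'constructed-demo-key';

function sign_fields(string $action, string $id): string
{
    // HMAC over both hidden values, so neither can change unnoticed.
    return hash_hmac('sha256', $action . '|' . $id, APP_KEY);
}

function render_form(string $action, int $id): string
{
    $sig = sign_fields($action, (string) $id);
    return '<form method="post" action="save.php">'
        . '<input type="hidden" name="action" value="'
        . htmlspecialchars($action, ENT_QUOTES) . '">'
        . '<input type="hidden" name="id" value="' . $id . '">'
        . '<input type="hidden" name="sig" value="' . $sig . '">'
        . '<input type="submit" value="Save"></form>';
}

function read_form(array $post): ?array
{
    $action = $post['action'] ?? '';
    $id     = $post['id'] ?? '';
    $sig    = $post['sig'] ?? '';
    if (!is_string($action) || !is_string($id) || !is_string($sig)) {
        return null;                       // arrays instead of strings
    }
    if (!in_array($action, ['add', 'edit'], true) || !ctype_digit($id)) {
        return null;                       // unknown action or non-numeric id
    }
    // hash_equals() compares in constant time.
    if (!hash_equals(sign_fields($action, $id), $sig)) {
        return null;                       // a hidden field was altered
    }
    return ['action' => $action, 'id' => (int) $id];
}

// Constructed posts: $sent is untouched, $edited has its id changed.
$sent   = ['action' => 'edit', 'id' => '1001', 'sig' => sign_fields('edit', '1001')];
$edited = ['id' => '1002'] + $sent;
var_dump(read_form($sent), read_form($edited));
```

The signature only detects modification: the script must still check that the current user may edit that record, and a signed value can be resubmitted unless it is also tied to the user's session.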

Persistence – Query Strings. Query strings allow the passing of variables through the URL. E.g. Multiple variables are declared using the ampersand (&) character, e.g. /product.php?id=1001&order=asc. Values can be accessed using the $_GET array, which is used similarly to the $_POST array. E.g. from above example // prints 1001

Persistence – Query Strings. Query strings are perfect for bookmarks: they are part of the URL and can be given as direct links. Query strings can persist through basic HTML elements, e.g. hyperlinks ( ).

Persistence – Query Strings. Query strings are not ideal in every situation. All variables are visible in the URL. Useless for sensitive data. Some applications specify a 256 character URL limit (including the page). Easy target for unscrupulous people. Useless for large input, such as web mail.

Persistence – Basic Summary. We can create persistent applications using skills we have already covered. Hidden form elements: work just like other form elements; they do not render on screen. Query strings: append key=value pairs to a URL; accessible as the $_GET array; visible in the URL.

Persistence – Cookie time! Quick (perhaps dirty) way of persisting data using the client. Can store data between visits to a site. Stored as basic text files on the client machine. Cookie data is sent to the server with each page request (providing the cookie is valid).

Persistence - Cookies. Cookies have a bad reputation: overused and abused. In general people do not trust cookies. Often they do not know they are needed for the cool things they enjoy on a web site. Possible poor uses of cookies include: tracking and reporting browsing habits; reporting products of interest to other web sites; many others.

Persistence - Cookies. Cookies should be used for the "Bells and Whistles" of a web site. A web site should generally (try to at least) not rely on cookies to be completely functional. For example, storing the user's visual style preference: if the cookie is not accepted, the site will still work.

Persistence - Cookies. PHP allows the programmer to set cookies with the setcookie() function. This function takes up to 6 parameters: Name – required; Value – required; Expire – time in seconds that the cookie expires; Path – path that the cookie is valid for (/tja1); Domain – domain that is valid (e.g. example.web); Secure – whether it requires HTTPS or not. Example: setcookie("cssfile", "style.css", time()+1800);

Persistence – Cookie expiration. The PHP time() function returns the current time measured in the number of seconds since the Unix Epoch (January 1 1970 00:00:00 GMT). Try time()+1800: it will expire the cookie in 30 minutes (60 seconds * 30 = 1800). We shall cover time and date functions in the lab session.

Persistence - Cookies. Cookies are available on the subsequent page request from when they are set. They are accessible via the $_COOKIE array; the cookie name is the array key. Adding values directly to the cookie array will not create a cookie; you must use the setcookie() function for this.

Persistence - Cookies. Calls to setcookie() must be made before any output is sent to the browser, because cookies are sent in the HTTP header. <?php echo "Hello!"; setcookie("style", "myfile.css", time()+1800); ?> results in an error. Output includes any data, including plain HTML, that comes before the setcookie() call. Do not store arrays in cookie variables; they require special manipulation. Stick to basic types, textual/numeric.
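
A cookie value comes back from the client, so it needs the same checking as any other input before it is used. As an added example (not from the original slides), here is the style-preference cookie set before any output and validated against an allowlist on read; the file names, the /css/ path and the ?style= parameter are assumptions, the site is assumed to be served over HTTPS, and the seventh setcookie() argument (httponly) exists in PHP 5.2 and later.

```php
<?php
// Added example, not from the slides. The allowlist, the /css/ path and the
// ?style= parameter are assumptions made for the illustration.
const ALLOWED_STYLES = ['style.css', 'dark.css', 'print.css'];
const DEFAULT_STYLE  = 'style.css';

function pick_style(array $source): string
{
    $wanted = $source['cssfile'] ?? DEFAULT_STYLE;
    // Client-supplied value: accept only a known file name.
    return (is_string($wanted) && in_array($wanted, ALLOWED_STYLES, true))
        ? $wanted
        : DEFAULT_STYLE;
}

// The cookie is only present on requests after the one that set it.
$style = pick_style($_COOKIE);

// A new choice arrives in the query string and passes the same allowlist.
if (isset($_GET['style'])) {
    $style = pick_style(['cssfile' => $_GET['style']]);
    // Runs before any output, because cookies travel in the HTTP header.
    // Arguments: name, value, expire, path, domain, secure, httponly.
    setcookie('cssfile', $style, time() + 1800, '/', '', true, true);
}
?>
<!DOCTYPE html>
<html>
<head>
  <title>Style preference</title>
  <link rel="stylesheet" href="/css/<?php echo htmlspecialchars($style, ENT_QUOTES); ?>">
</head>
<body>
  <a href="?style=dark.css">Dark</a> | <a href="?style=style.css">Default</a>
</body>
</html>
```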

Persistence – Cookie Summary. Cookies are great for the 'nice' features. Do not rely on them, not even in closed environments. They are stored on the client and not stored securely. They are sent with each page request and can be transmitted securely.

Persistence - Sessions. Sessions are stored on the server. They exist from the time a user starts to use your application to the time they finish, or until you programmatically end the session (logout). Sessions are very simple to use. PHP4 has built-in functionality for sessions.

Sessions – in use. Call the function session_start(); before any output is sent to the browser. The $_SESSION array is used to store session variables. Adding values to $_SESSION will automatically persist those values at the server side.

Sessions – in use. <?php session_start(); $_SESSION["uname"] = "tja1"; ?> Subsequent page access: <?php session_start(); echo $_SESSION["uname"]; // prints "tja1" ?>

Sessions – Why use them? Store more complex data, such as arrays, easily. Data is never involved in a round trip. In some ways, more secure, although they have security issues of a different nature, well out of the scope of this module.

Sessions - Summary. Persistent data maintained on the server. Needs to be initialised before output. Allows the programmer to implement complex application functionality. Probably the best choice to facilitate logins.
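
As an added example (not from the original slides), here is a login and logout built on $_SESSION, with a fresh session ID issued at login and the session cookie removed at logout. check_credentials() is a hypothetical stand-in with one constructed account, and HTTPS and PHP 7.3 or later are assumed.

```php
<?php
// Added example, not from the slides. check_credentials() is a hypothetical
// stand-in with one constructed account; use a real user store instead.
function check_credentials(string $user, string $pass): bool
{
    $accounts = ['tja1' => password_hash('constructed-password', PASSWORD_DEFAULT)];
    return isset($accounts[$user]) && password_verify($pass, $accounts[$user]);
}

// Session cookie flags (array form needs PHP 7.3+), set before session_start().
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();                       // before any output is sent

function login(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);       // new session ID once the user is known
    $_SESSION['uname'] = $user;
    return true;
}

function current_user(): ?string
{
    return $_SESSION['uname'] ?? null; // null when nobody is logged in
}

function logout(): void
{
    $_SESSION = [];                    // drop the values held for this request
    $p = session_get_cookie_params();
    // Expire the session cookie in the browser as well.
    setcookie(session_name(), '', time() - 3600,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();                 // remove the stored session data
}
```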

Topics covered - summary. Basic Persistence: query strings; hidden form elements. Cookies: client side storage; sent on every page request; not secure; access using $_COOKIE. Sessions: server side variable storage; accessed using $_SESSION; avoids the client side storage; still suffers from server side attacks.

Resources. Use the PHP web site: search for time, search for session_start, search for setcookie.