PHP NOTES


what is the GOTO method in PHP

The goto operator can be used to jump to another section in the program. The target point is specified by a label followed by a colon, and the instruction is given as goto followed by the desired target label. The target label must be within the same file and context, which means you cannot jump out of a function or method.

what is the difference between hashing and encryption?

Encryption is reversible and Hashing is ONE WAY

what is encryption ?

Encryption is the use of an algorithm implementing a mathematical formula to convert plain text into an unreadable form; the encrypted data can be decrypted by using the appropriate key.

what is the function to filter an input

filter_var()

what does filter_var() do ?

filter_var() will both sanitise and validate data.

How do we name a function ?

A function name would normally include a verb (do something). You can name a function with the following:
• CamelCase
• Snake_Case
• Lower-case characters
• Only alphanumeric characters
• Underscores

what is Hashing?

Hashing is used for authentication, and it is one way.

what is one of the problems with hashing?

Hashing is used for authentication, and it is one way.

what is the difference between include and require?

include_once: if the file is not already included once, then it will issue a warning; it does not stop the program.
require_once: if the file is not included, this would give you a fatal error.

what are the different includes?

include_once 'header.php'; grabs the content from header.php
include_once 'body.php'; grabs the content from body.php
include_once 'footer.php'; grabs the content from footer.php

what is a cross-site scripting attack (XSS)?

Inject some JavaScript onto a web page/web form; the malicious script can access the host file system.

what are the 2 data types which an array can accept?

Integer or string.
*** Floats will be cast to integers, for example 8.7 will be stored as 8.
Booleans will be cast to integers, for example true will be stored under 1.
Null will be cast to the empty string.

Are function parameters mandatory?

They can be mandatory or optional.

what does PCI-DSS do ?

It was started by Mastercard, Visa and Amex, and attempts to create security standards across the business and commercial world. It defines such items as:
• whether credit card numbers may be stored (yes)
• in what format (salt encrypted)
• if PIN and CVC2 numbers may be stored (no)

example of a hashing algorithm?

MD5 and SHA-1

give an example of pattern in PHP?

Many patterns are used by PHP developers, e.g. container, factory and observer.

what is libsodium?

Mcrypt is crap and has been replaced by libsodium. Libsodium does encryption, decryption, signatures, passwords etc. in 1 library. It's portable.

what is the presentation model?

Model: this involves data that would usually be considered to be part of the view being more conveniently represented in the model, e.g. column sorting.

explain MVC in detail ?

Model: encapsulates core application data and functionality - business layer
View: obtains data from the model and presents it to the user - output presentation layer
Controller: receives and translates input to requests on the model or the view - abstraction layer

what is the most popular database PHP uses ?

MySQL: the most popular usage of MySQL is as a data repository (backend) for PHP-driven web sites, but it can also be used in many other situations.
Other databases: PHP is capable of interfacing with many other commercially available databases such as Oracle.

what should you never do when connecting to a database in PHP?

NEVER CONNECT TO A DATABASE AS ROOT - this allows people to access the database without permissions.

Can a function start with a number ?

NO

Can you have duplicate function names?

NO

what is OWASP ?

OWASP is a web development company that is trying to make the web more secure

what is PDO?

PHP Data Objects (PDO): there are different libraries in PHP that contain commands that talk to a database. PDO is a new library which has got a bunch of commands inside of it which allow you to talk to a database. mysqlnd is the fastest library.

Can a function not return anything ?

Some programming languages make a distinction between a function which returns a value and a function which performs some operation but does not return anything (a procedure).

explain SoC?

The principle is to separate a computer program into different sections, each section addressing a separate concern.
Concern:
1) A set of information that affects the code of a computer program
2) General details of the hardware the code is being optimised for

what are the 4 scalar types?

boolean
integer
float (floating-point number, aka double)
string

what is the bootstrap?

Creates definitions and calls the Router.
• Can output the result just as URL:

What function allows you to open files?

fopen()

what is the most common element in a web form?

the input

What is the most common design pattern?

The most common design pattern for web apps is MVC (model-view-controller).

what is an OO design pattern?

The relationships and interactions between classes and objects, without specifying the final application classes or objects that are involved.

what is the single point of entry structure?

This is software which allows the user to access different things.

what is a passive model?

The objects used are unaware of being part of the larger app; the controller informs the view when the result of a process within the model needs to be updated. ** This reflects the HTTP request/response cycle very well: the view is rendered on every cycle.

what is DoS (denial of service)?

Overloading a web server with too many service requests in a short space of time; the attack will be successful because it takes a finite amount of time for a request to be processed.

what is SoC?

Separation of concerns

How does PHP connect to the database ?

try {
    // The first argument must be a DSN string (e.g. 'mysql:host=localhost;dbname=mydb'),
    // not a bare host name; the options array maps attribute => value.
    $db_link = new PDO($dsn, $user_name, $user_password,
        array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION)); // throw on DB errors
} catch (PDOException $p_error) {
    // Note: echoing the driver message to the browser leaks connection details;
    // log it server-side in production.
    echo 'Error!: ' . $p_error->getMessage() . '<br />';
    exit();
}

how does the session file work?

When the user selects something, the script makes a note of what the user has selected and writes it to a special file, and that special file is stored on the server.

what is concatenation?

You can put 2 strings together by putting a dot between the 2 strings.

what is the difference between == and ===?

"==" (two equals) checks if two variables are the same, whilst "===" (three equals) also checks if they have the same type, e.g. if both are false then it would return true.

how many outcomes should a function achieve?

Each function should achieve 1 outcome; it may not return something.

what are the different file modes?

'r' = open for reading only, places the pointer at the start of the file
'a' = open for writing only, file pointer at the end of the file
'a+' = open for reading and writing, file pointer at the end
'x' = create and open for writing only, pointer at the beginning; if the file exists the fopen() call will fail
'x+' = create and open for reading and writing

what is the best way of connecting to the database?

1) Prepare: compilation - prepare the query; it does not yet know which values it is working with
2) Bind: inserted values are parametrised, connecting each parameter with the query string
3) Execute: the command is executed

what are the 2 types of array syntax in PHP?

1) $array = array(
       "foo" => "bar",
       "bar" => "foo",
   );
2) $array = [
       "foo" => "bar",
       "bar" => "foo",
   ];
In PHP 4 they introduced the idea of square brackets; this means you no longer need to say "array", rather you can just place a square bracket.

what are the 3 A's?

1) Authentication: 1st part of the 3-stage process, proves who you are
2) Authorisation: this decides what you are allowed to do
3) Accounting: keeps track of what you are doing

what are the operators in PHP?

1) Arithmetic operators
2) Assignment operators
3) Bitwise operators
4) Comparison operators
5) Error control operators ('@'): if there is an error, then placing @ would suppress it
   Execution operators (backticks '`')
6) Incrementing/decrementing operators
7) Logical operators
8) String operators
9) Array operators
10) Type operators

what are the 4 attributes in a web form?

1) Method: get and post from the browser (with the get method, the value typed in will be passed as part of the URL; with post it is passed as part of the HTTP header)
2) Action: this is the target, where the data the user typed into the form field gets sent for processing
3) Accept: which types of characters it can accept
4) Enctype: this is a way of telling a form that you want to upload files

what are the disadvantages of MVC?

1) Possible increased complexity; changes in one section will often require changes in others
2) Can be difficult to decide exactly where a particular component should be placed
3) Achieving 100% MVC pattern compliance may be virtually impossible

what are the 2 types of function?

1) Pre-written: a prewritten set of functions that are stored in libraries
2) User-defined: developers can also create their own functions to perform a specific task.

what are the functions of PDO?

1) They connect to a database
2) Execute an SQL query
3) And they do something with the result, such as analysis

PDO has several settings in order for it to run; what are those settings?

1) You would need to tell PDO what type of database you have chosen, e.g. MySQL
2) You would need to tell it the host (hostname), and you can also specify a username and password

what are the 3 types of XSS attack?

1) Stored (injected script goes into the database)
2) Reflected (JavaScript in the URL)
3) DOM-based XSS: where the vulnerability is in the client-side code rather than the server-side code.

what are the different ways in which you can comment in PHP?

1. To comment out 1 line, use //
2. To comment out multiple lines, use /* */
3. To write a DocBlock, use /** */

How many levels of Scope are there ?

1. Global: you can assign a variable so it is recognised/available in the scripts that make up the application. Globals are inherently evil, except the superglobal arrays.
2. Class
3. Method/function
** Hungarian notation is useful in understanding scope

When downloading MySQL you get 4 different types; what are they?

1. information_schema - database created at installation
2. information_schema holds metadata - not strictly a database
3. 'mysql' stores info about MySQL - current users, databases installed; passwords are stored in encrypted format
4. 'test' database is purely for testing purposes - delete this

How does PHP work?

1. A PHP request comes in to the web server
2. It then passes it on to the input section of the Zend 2 engine
3. The engine passes the code, compiles it, executes it, parses it
4. The output is not passed back to the client directly; it is sent back to the web server through a buffer
5. The buffer could then be processed
6. The web server needs to take the content from the buffer and output it as an HTTP response

How many parts are there to a function?

2 parts to a function: the function signature and the function call

what is a session ID?

A session ID is used so that we can differentiate which file belongs to which user. A session is a file.

how do we start a session ?

A session is created with the session_start() function. It first looks for a session ID from the client machine; if none exists, then the SID is created and stored on the client machine (session cookie) and a session file is created on the server.

what is the difference between AND and &&?

AND is not the same as &&.
$a && $b || $c is not the same as $a AND $b || $c
The first calculation processes as: (a and b) or c
The second as: a and (b or c)
This is because || has a higher priority than AND, but less than &&.

what are the advantages of using functions?

Advantages of functions:
• Allows the developer to organise their code into a logical structure
• Allows the developer to allocate specific behaviour to a function
• Allows the developer to reuse the code

what are the 2 compound types?

Array, object

Examples of data structures?

Arrays, objects, loops etc.

what is BCRYPT?

BCRYPT is a library in PHP. BCRYPT has 2 methods; 1 of them is called password_hash(), which creates a new password hash using a strong one-way hashing algorithm (you can choose the algorithm).

Can you name some of the PHP directory functions?

chdir - change directory
chroot - change the root directory
closedir - close directory handle
dir - returns an instance of the Directory class
getcwd - gets the current directory
opendir - open directory handle
readdir - read entry from directory handle
rewinddir - rewind directory handle
scandir - list files and directories inside the specified path

What does CGI stand for?

Common Gateway Interface

what is DES (Data Encryption Standard)?

DES is an example of a symmetric algorithm. DES takes the message/file and divides it into 64-bit blocks; each is encrypted in 19 steps.

what is data persistence ?

Data persistence is knowing what the user has done on a web application.

what is a data structure?

Data structures can be simple or complex, and they are an organised bit of memory.

what is ORM (object-relational mapping)?

Databases tend to store scalar values, whereas OO applications store data within objects (although OO databases do exist). An ORM exists to map between the different data types.

How does PHP check password strength?

PHP has a library (cracklib) that will test the strength of a password.

how do we store passwords in SQL?

PHP/MySQL both have a selection of encryption algorithms available to be used for password storage. Both MySQL and PHP allow hashing.

what is PCI-DSS?

Payment Card Industry Data Security Standard

If a name has a () open and close bracket after it, what would PHP assume?

Putting an open and close bracket after a name, PHP will assume it's a function.

what are the problems with password hashing ?

Rainbow tables

what is a rainbow table?

A rainbow table works by getting a dictionary and hashing every single word in the dictionary; this creates the rainbow table. For every single hash you have recovered from a database, you then compare it with the words you have hashed from the dictionary.

what are the 2 special types?

Resource, NULL

what is the return type for filter_var()?

Returns the filtered data, or false if the filter fails.

what does the router class do?

The Router class is responsible for starting the correct controller class; each feature has a controller class (plus Model, Validate and View classes). Output from the Model will be either an error message or a successful result. The View can be extended using inheritance to standardise the web page, and all results are returned for adding to the output stream.

what does the router do?

The Router allows the user to access different things.

How do we overcome MVC problems?

SoC

how can we achieve data persistence?

A session is one way of achieving data persistence.

The difference between single quotes and double quotes in PHP strings?

Use double quotes to allow variables to be shown; single quotes won't allow this. Single-quoted strings are treated as true literals. Strings in single quotes will process just that little bit faster.

what is Mcrypt?

Uses PHP's generic encryption and decryption functions. These take as parameters the string to be encrypted/decrypted and an encryption description, which basically describes how the text is to be divided up before encoding. This encryption uses a block-cipher encryption technique.

what are the advantages of using PDO?

The advantage of using the PDO library is that all databases are accessed with the same library functions. Also, SQL injection can be avoided if you use PDO correctly.

How do we prevent web attacks?

Vulnerability assessment levels (4 levels):
1. Scanning
2. Automated probes
3. Penetration test
4. Physical test

How is a web form created ?

A web form is started with a form tag which has many elements/attributes within it:

where is PHP written ?

The web page is where the PHP script is written.

what is a database wrapper?

You could abstract the commands that you would need and put them into a separate class, so instead of your main program talking directly to the database, we would have a new layer of software called the wrapper (where the main code is).

what is an active model?

Allows the model to inform the view and the controller components of any required changes.

what is an SEO attack?

You take over a website using cross-site scripting, get people to visit your site, and inject extra content onto the web page; when someone visits the page you can take the info. The most successful SEO attacks use iframes. Attackers exploit the input and display vulnerabilities.

When someone does not think properly about the design of the website, what are the consequences?

• Abuse of functionality
• Insufficient process validation
• Information leakage
• Weak password recovery validation
• Predictable resource location and insufficient authorisation

what are the XSS consequences?

• Clickjacking: clickjacking is when you're playing a game, and when you're clicking the mouse you are at the same time clicking buttons which will switch on the camera
• Cross-Site Tracing:
• Cross-Site Request Forgery: when you get people to transfer money to another bank account, e.g. you visit a vulnerable site (JavaScript), and when you go to a tab in which you're accessing your bank account and you're typing in bank details, money will be sent to the attacker's account
• Cross-Site History Manipulation: on visiting a vulnerable site (JavaScript), the JavaScript will be downloaded automatically; this would then look at your history

what is the syntax for input?

• Input tag
• Define what is inside the form
• What is the max length of the input box
• What is the max number of characters
• select (dropdown list), textarea, fieldset, label

what is PHP?

• It generates HTML output, in response to HTTP requests from a browser
• Older versions are vulnerable
• It's open source software
• Multi-platform
• The back end database could be anything, e.g. SQL, Oracle

what are the things to consider when creating a web app?

• Partition your application logically
• Use abstraction to implement loose coupling between layers
• Understand how components will communicate with each other
• Reduce round trips
• Consider using caching
• Consider using logging and instrumentation
• Avoid blocking during long-running tasks
• Consider authenticating users across trust boundaries
• Do not pass sensitive data in plain text across the network
• Design your web application to run using a least-privileged account

what is the difference between sanitising and validating data?

• Sanitising removes illegal characters from the input
• Validating will determine if the input is in the proper form

Give an example of an authentication library

• Web service: OAuth
• Google: PAM

How do you print out a statement in PHP?

• print_r()
• var_dump()
• var_export()
• xdebug
