PHP

PHP is a three-letter acronym for a large, old language. It is unknown to many on the internet, and what it does is an even greater mystery. This blog will attempt to shed some light by exploring PHP’s basic concepts, history, security, and its surrounding viewpoints.

Introduction

PHP, a name forming the recursive acronym PHP: Hypertext Preprocessor, is a powerful open-source programming language widely used in web development [1] [2]. It is most commonly used on web servers to process data, as well as to access and modify databases. Sometimes it is used in creating dynamic web pages (though not with the same flexibility as JavaScript). Capabilities include form validation, building pages specialized for particular users, and inputting and displaying database contents. It can also manage forums and wikis, along with many other things. A practical application can be found in displaying Highline’s class catalog.

What is it, and how does it work?

PHP is an open-source language with deep roots in the languages C, Java and Perl [3]. It is not a true programming language (like C); it instead more closely resembles its close cousin JavaScript. It can be considered a scripting language, not a true coding language. The code can be embedded into an HTML page with relative simplicity, though it does require a processor first. It must utilize a processor in order to function, as it’s incapable of loading and processing data by itself. This is due to its inherent nature of not being a true coding language. In other words, this language must be run on “PHP enabled” [3] computers. Its roots and design are based on the syntax of multiple languages. It has undergone several revisions over the course of its lifetime – 7, to be exact.

A server that runs PHP works very similarly to one that runs normal HTML/CSS. However, there is a key difference between running a page with the file extension .php instead of .html. A page built in PHP goes through a special processor that interprets, compiles, and displays data to the user. In simpler terms, it is one extra step in the loading of a page. PHP pages are run server-side, and what’s generated based on a set of circumstances is delivered to the user. A page running raw HTML and JavaScript simply sends the page and all the code to the user immediately. For example, a login form is created via such a server-side scripting language instead of JavaScript. This is because a page created in JavaScript would display all the validation code that keeps hackers out. JavaScript can be very easily edited, even by accident by the most computer-illiterate user.

Conversely, this server-side scripting language cannot be manipulated by the user straight from the source of a website if coded correctly. While there are ways to trick this language (ways that will be discussed later), it’s inherently more secure than JavaScript. This is due to the fact that users of the page can’t see what is going on behind the scenes. All they see is what is laid out in front of them. Hence, a login page is less likely to be hacked through direct modification.

A quick note – the file extension for a PHP file does not have to be .php [4]. It can be .phtml, or any other extension that is set in the configuration of the web server. Additionally, the ugly .php file extension (or whatever file extension you use) does not need to be shown. Proper server configuration can see it vanish entirely. Well configured pages can show example.com/login instead of example.com/login.php?gibberishcodehere if they wish. Granted, some websites don’t mask content in the title bar, such as the Google Accounts login service. This can make for a messy title bar.

This server side scripting language is not universal! While a majority of popular web servers support it [4], it is not supported by everyone. It enjoys fairly widespread support, but it faces competition from other sources, such as Microsoft’s open-source ASP.NET framework. ASP.NET is a potent competitor. W3schools.com, for example, makes heavy use of ASP in its pages over this server side language.

History

This server-side scripting language was originally designed by a developer called Rasmus Lerdorf in 1994 to track visits to his online resume [5]. PHP has had many names, and it is in its beginnings that it has had the most names. It was originally called “Personal Home Page Tools”, aka “PHP Tools”, when opened for public use. PHP steadily became popular, driving Rasmus to revise the original code to include database interaction as well as more capabilities for users to create true applications (such as guestbooks). In 1995, the source code was released to be used by developers as they wished. This allowed the community to detect and fix bugs that arose as it grew. At the time, it was not quite a full language. It was designed for Unix systems, not Windows.

Late that year, Rasmus revised PHP again and renamed it to “FI” (Forms Interpreter), named such due to the fancy new features it contained. Some of them, including the variable syntax and embedded HTML functions, are still used today. The variables were “Perl-like” [5] and quite dynamic for their time. However, there was one interesting quirk about this revision of PHP. To embed it, the code had to be placed in HTML comments. Naturally, that wasn’t the most popular decision.

Despite the strange placement of code, PHP (or FI, at the time) continued to grow and become more widespread. Rasmus rebuilt the code from the ground up to allow easy access for C and Perl developers. He brought the PHP name back, with PHP now meaning “Personal Home Page Construction Kit”. It was the first truly powerful release, and one that could expand beyond being hosted on Unix. Its proverbial eyes were set on Windows NT. Finally, it was powerful enough and relevant enough to give it a shot. While it grew by leaps and bounds, it wasn’t a full language just yet.

This programming language achieved its dream in 1996 and became a true language under the name PHP/FI – PHP 2.0. It included advanced features such as built-in support for popular databases, cookies, and user-defined functions. Again, these are tools in widespread use today. However, its era was short-lived. While popularity rose after its release, it was swiftly rebuilt and replaced after leaving beta status in 1997. By then, it was present on thousands of domains.

In late 1997, PHP was still primarily the work of a single developer. Two developers, Andi Gutmans and Zeev Suraski, required more features to complete an eCommerce application. They began to rewrite the processor and create something new entirely alongside Rasmus. The 3.0 version rose not long after PHP 2 left beta. The language was renamed to its modern name, PHP: Hypertext Preprocessor. The primary appeal of this version was its flexibility – it allowed extensions that went far beyond its base code. It also included object-oriented programming support and a more organized language structure. It became 2.0’s official successor in 1998.

By the development of PHP 4, PHP had expanded beyond 70,000 [5] domains and was widespread on Windows servers. It was very powerful and widely used. However, PHP 3 lasted only until mid 1999. Gutmans and Suraski rewrote the base code again, this time to improve PHP’s competence with complex programs. 3.0 was powerful, but not powerful enough to approach projects at a massive scale. 4.0 was released as complete by 2000 and, along with many new features, included far superior performance.

Years went by; PHP seemed to come to the peak of its development. PHP 5 was released in 2004 to include slightly revised and brand new features. This was then updated for a long time until PHP 7 came out recently. Overall, the development of PHP did not include massive rewrites of the base code again. The development team is now dozens of developers larger than the three-man team it had in the past.

Security

This language is arguably easy to use, but it becomes a new beast when looking at security. Namely, there are ways for users to place actual code statements into forms, followed by having those statements pull out data that shouldn’t have been accessed. This is caused by poor validation and unrestricted access to table data. The motives for doing this are vast, and the means are fairly common as well.

One of the greatest issues is unvalidated input from users [6]. Sitepoint suggests that a PHP developer treat every single user that accesses the web form as a potential threat. The key idea: never trust user input, even from users who aren’t actively trying to hack the system. Some users simply attempt to put gibberish into forms and submit them for fun.
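As an added illustration (not code from the original post), here is one way to apply "never trust user input" to a form field that feeds a database lookup: validate the value first, then pass it to the database only as a bound parameter. The table, sample rows and inputs are constructed, and the script assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: schema, rows and inputs are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (email, role) VALUES
            ('alice@example.com', 'admin'), ('bob@example.com', 'user')");

function findUserByEmail(PDO $pdo, string $rawEmail): ?array
{
    // Step 1: validate. Anything that is not a well-formed address stops here.
    $email = filter_var(trim($rawEmail), FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 254) {
        return null;
    }
    // Step 2: bind. The value travels separately from the SQL text, so quotes
    // or keywords inside it are compared as data and never parsed as SQL.
    $stmt = $pdo->prepare('SELECT id, email, role FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed form submissions: a normal one, a valid address containing a
// quote, plain gibberish, and a string shaped like a code statement.
$inputs = ['bob@example.com', "o'neil@example.com", 'asdfghjkl', "nobody' OR 'a'='a"];
foreach ($inputs as $input) {
    $row = findUserByEmail($pdo, $input);
    printf("%-22s => %s\n", $input,
        $row === null ? 'rejected or not found' : "found user id {$row['id']}");
}
```

Validation and binding cover different failures: validation rejects gibberish early, while binding keeps a value that passes validation from changing the query.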

At the end of the day, the aforementioned issue is what causes many others that are known in PHP. A user’s session ID should be protected as best as possible. While it is not possible to completely protect them, it’s a good idea to minimize the possibility of a compromised ID. A compromised session ID on a forum means that a regular user could pose as an admin. The potential issues of that should be rather plain. XSS (cross site scripting) attacks mean that code such as JavaScript is placed into a form, which is then run by the server. If not properly validated, the code runs to do whatever the hacker desires, typically not to the benefit of other site users.
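The two protections discussed above, sketched as an added example rather than code from the original post: session settings that make a session ID harder to steal or reuse, and escaping of form input when it is written back into a page so that it is displayed as text. The function names and the sample comment are hypothetical, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example: function names and sample values are hypothetical.
declare(strict_types=1);

function startHardenedSession(): void
{
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the ID from a URL
    session_set_cookie_params([
        'lifetime' => 0,        // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable from page scripts
        'samesite' => 'Lax',    // withheld on most cross-site requests
    ]);
    session_start();
}

function onLoginSuccess(int $userId, string $role): void
{
    // Issue a fresh ID at the moment privileges change and delete the old
    // session, so an ID known before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['role']    = $role;
}

function e(string $value): string
{
    // Encode &, <, >, " and ' so the value is shown as text, not markup.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

startHardenedSession();
onLoginSuccess(42, 'user');                    // constructed user

$comment = '<script>alert(1)</script>';        // constructed form submission
echo '<p>', e($comment), "</p>\n";             // rendered as visible text
```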

One common issue, sometimes lying slightly outside of regular PHP yet critical for PHP developers, is access flaws. A compromised session ID has been noted above. An access flaw is when a user is able to enter directories or pages that they’ve no right to. A policy for proper access must be maintained at all times. Important information should never be set in a directory that is visible on the web. Part of this does lie directly on the PHP developer. Some forms allow a user to enter a page and then go to it. The syntax ../ means to go up one directory. Using poor PHP code, a person could potentially use ../ to navigate outside the web directory. That could move into, say, the host operating system files.

One effective counter to this is using an unpredictable directory structure. For example, hostpc/twwir/wbthing/host/sitecontents/ instead of hostpc/host/sitecontents/. Then again, the most effective counter is to have the right policies in place so that this does not happen at all.
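A code-level check that complements these counters, given as an added example and not code from the original post: accept only an allow-listed page name, resolve it with realpath(), and refuse anything that lands outside the content directory. The function name, directory layout and page names are constructed for the demonstration.

```php
<?php
// Added example: paths and page names below are constructed for the demo.
declare(strict_types=1);

function resolvePage(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                       // misconfigured content directory
    }
    // Allow-list: lowercase names separated by "/", so "." and ".." never pass.
    if (preg_match('#\A[a-z0-9_-]+(?:/[a-z0-9_-]+)*\z#', $requested) !== 1) {
        return null;
    }
    // realpath() resolves symlinks and returns false for missing files.
    $path   = realpath($base . '/' . $requested . '.html');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the content directory
    }
    return $path;
}

// Constructed layout: pages live in <tmp>/site/pages, a private file sits above.
$root = sys_get_temp_dir() . '/traversal_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/site/pages/help', 0700, true);
file_put_contents($root . '/site/pages/home.html', '<h1>Home</h1>');
file_put_contents($root . '/site/pages/help/faq.html', '<h1>FAQ</h1>');
file_put_contents($root . '/private.txt', 'not for the web');

$requests = ['home', 'help/faq', '../../private', 'help/../../../private', 'missing'];
foreach ($requests as $page) {
    $path = resolvePage($root . '/site/pages', $page);
    printf("%-24s %s\n", $page, $path === null ? 'refused' : 'serves ' . basename($path));
}
```

The allow-list stops `../` before the filesystem is touched; the realpath() comparison still matters because a symlink inside the content directory could point elsewhere.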

While it may seem paranoid, a PHP developer should always anticipate users to attempt to break the system. PHP is powerful and very secure in the right hands. It is useless when it lets an angered former employee delete System32.

What’s Wrong with this Server Side Programming Language?

A strange title, perhaps, but this is something that should be noted as this blog draws to a close. Reasons cited to actually hate PHP include rampant vulnerabilities, terrible syntax, insecure code policies, and poor documentation. Others are inconsistent coding, and the frequency of terrible PHP coders [7,8,9]. One source states “php references will damage your brain” [7]…

To be fair – yes, this language is a bit quirky. There are redundant pieces (two built-in functions, “exit” and “die”, do virtually the same thing). There are parts here and there that don’t work logically, and prior revisions have been built on compressing many functions into a single location and making them work. Some of the aforementioned “problems with PHP”, such as terrible coders, can be fixed simply by learning this language properly. Yes, it is very easy to make insecure code. A coder must learn to know and check off every point that can go wrong. Otherwise, something will inevitably go wrong. It is simple enough to code insecurely. It’s quite another matter to make it (almost) completely secure.

Final Notes

You’ve read a lot about this server side scripting language, and this page didn’t even cover specific coding examples in detail at all. There is much to know about PHP; in order to use it properly, it must be extremely well known. One could argue it is one of the simpler languages to pick up. That is true, the core syntax is fairly simple to get. However, PHP is more than just coding the application, as noted above – it’s also about coding as securely as possible. Nonetheless, if this post hasn’t “damaged your brain” by now, there may still be hope for it.

 

References

[1] http://php.net/manual/en/intro-whatis.php

[2] https://www.w3schools.com/php/

[3] http://www.nusphere.com/php/php_history.htm

[4] http://www.dummies.com/programming/php/how-php-works/

[5] http://php.net/manual/en/history.php.php

[6] https://www.sitepoint.com/php-security-blunders/

[7] https://www.quora.com/Why-is-PHP-hated-by-so-many-developers

[8] http://phpsadness.com/

[9] https://adambard.com/blog/you-write-php-because-you-dont-know-better/
