
kaolin fire presents :: PHP 101 :: Hello, World

look ma, no compile!

Hello, world. Hello, Dave.

Display your first dynamic data, and get a quick rant on security.

Hello, Hello!

You've already done your basic hello world by just copying the first file to see if php was running. A true hello world would just have been that, or even a lesson prior to that making sure you could see even the simplest piece of html, with the words "Hello, world".

This is hello world, mark II. Your first stab at taking user input, and displaying it. HTML forms either POST their information, or offer it through GET. You can either take your information, then, through $_POST, or $_GET. If you haven't noticed, $ signifies a variable in PHP. You might take a quick peek somewhere else as to what a variable is, and what an array is (why? because both $_POST and $_GET are associative arrays!), but ... you might not. Here's a quick low-down on php's arrays.

There's a third variable that I like to use, due to a certain sort of laziness, and there are arguments of security against using it. I figure it's fine to use so long as you validate any incoming data thoroughly, and you don't have "Register Globals" turned on. If you've got that on, turn it off; if you can't, do what you can. It's a hideous thing that I'm sure the PHP developers regret ever loosing into the world. That third variable, though, is $_REQUEST, which makes both $_GET and $_POST information available to you. The laziness? I like to be able to switch a form between method="get" and method="post" and not have to rewrite the code receiving the information. get is easier/quicker to develop/debug--less "are you sure" and the data goes straight into the url, so you can see what the form is "thinking".
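As an added example (not code from the original lesson), here is how the three arrays relate, with the register_globals check the lesson asks for. The field name "name" follows the lesson; the helper names and the decision to refuse to run with register_globals on are assumptions of this example.

```php
<?php
// Added example, not part of the original lesson.
// $_GET holds ?name=Kaolin from the URL, $_POST holds the fields of a
// method="post" form, and $_REQUEST is PHP's merge of the two (plus cookies,
// depending on the request_order / variables_order ini settings).
// All three are ordinary associative arrays: string keys, string values.

// Look the value up in each array explicitly; this behaves like $_REQUEST
// for a get-or-post form, but you can see which array it came from.
function request_value(string $key, string $default = ''): string
{
    if (isset($_POST[$key])) {
        return (string) $_POST[$key];   // form submitted with method="post"
    }
    if (isset($_GET[$key])) {
        return (string) $_GET[$key];    // form submitted with method="get", or a hand-typed ?key=
    }
    return $default;                     // nothing sent: avoid the undefined-index notice
}

// register_globals was removed in PHP 5.4; on older builds it must be Off.
// ini_get() returns false for an unknown directive, and "0", "" or "off"
// when it is disabled, all of which FILTER_VALIDATE_BOOLEAN treats as false.
function register_globals_is_on(): bool
{
    return filter_var((string) ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

if (register_globals_is_on()) {
    // Refuse to serve the page rather than run with the unsafe setting.
    header('HTTP/1.1 500 Internal Server Error');
    exit('register_globals is enabled; set register_globals = Off in php.ini.');
}

// Works unchanged whether the form says method="get" or method="post".
$name = request_value('name');
var_dump($_GET, $_POST, $_REQUEST, $name);
```

Visiting the script with ?name=Kaolin fills $_GET and $_REQUEST but leaves $_POST empty; a posted form does the reverse. The value of $name is still raw user input at this point, which is exactly why the display step later in the lesson matters.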

Okay, so get started

So. Write a page, just gut the little bit from our orwellian exercise of 2+2, and put instead something like <p>Hello, <?php echo $_REQUEST["name"]; ?>.</p>

What are the quotes for? They define a set of characters as data, instead of a command. You don't need quotes for numbers, but any bit of text that isn't part of the syntax of the language should be quoted. What is this weird "name" thing, then? Well, if you visit your hello page, and put a ?name=Kaolin at the end of the url, that's exactly what a form would have done, with method=get. That's how data gets passed. See mine? Well, you see it with a form inside. Guess what the next thing you have to do is?

That's right! Add a form to make the page call itself with whatever data the person typed in.

Don't worry, I'll wait. There must be an example of how to do that _somewhere_ around here!

Did you look at the source?

Please look at the source. :) If you don't recognize fieldset and label, take a moment to learn about their importance for accessibility.

Now, you may have managed to get php to spit out an error about an undefined variable. That's good. We'll get to that in the next lesson. Right after a quick word on security!

But wait, what's that?

Good job, I'll have to assume. But wait, what happens if some loser wants to screw with your site? They can't do anything permanent, probably, but they could make less savvy people think that you're saying things you aren't. How's this? You don't really mean that, do you? It might be small potatoes now, but really, a lot more can be done with that. Just be safe.

So why doesn't that happen with my "real" hello script? The magic of htmlentities. No, I'm not going to give you the link. It's a php function. Any php function you want to look up, just type out http://php.net/thefunctionname -- try it! And if you're a little familiar with other computer languages and you know how you'd do something in that other language, try that function for "thefunctionname" -- php may use the exact same one, or it might be similar enough that its search will suggest it to you. Okay, okay. I really hope you looked at http://php.net/htmlentities (see how easy that is to type? There's a wealth of information there!). It might not be a user-friendly description for you, it might not make any sense at all with its string string string, int, string business... but I want to breed some familiarity for you with it. Look at the page.

Now for a plain English explanation of htmlentities. htmlentities takes a string and _returns_ a new string with any "bad characters" changed into their "this will look right in html, as opposed to BE html" bits. At one level removed, then, if you passed "<b>WOW!</b>" in, the function would return "&lt;b&gt;WOW!&lt;/b&gt;". Safe!

ALWAYS ALWAYS ALWAYS put htmlentities around ANY thing you're about to print to the screen, if there's any chance that it hasn't been "cleaned" by some process. DON'T just do htmlentities around a variable as soon as you're reading it in, though. htmlentities is a display function, and if you run it on your "real" data (that might go in a database, for instance), then you're going to lose track of where and whether the information was cleaned. Always just do it on display.
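Putting the whole lesson together, here is an added example of the self-submitting hello page (not the lesson's own source): the fieldset/label form, $_REQUEST["name"] read once and kept raw, and htmlentities applied only at the two places the value is printed. The helper name h(), the empty action attribute and the page layout are this example's assumptions.

```php
<?php
// Added example, not the original lesson's page.

// Escape a string for output into HTML. ENT_QUOTES also converts single
// quotes, so the same helper is safe inside attribute values, and the
// charset is passed explicitly rather than relying on PHP's default.
function h(string $text): string
{
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

// Read the raw value exactly once. It is deliberately NOT escaped here:
// if this were going into a database you would store what the user typed,
// and escape on the way out, so you always know what state the data is in.
$name = isset($_REQUEST['name']) ? (string) $_REQUEST['name'] : '';
?>
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Hello, world, mark II</title>
</head>
<body>
<?php if ($name !== ''): ?>
  <!-- display point 1: text content, escaped -->
  <p>Hello, <?php echo h($name); ?>.</p>
<?php endif; ?>

  <!-- an empty action submits the form back to the current URL; switching
       method between get and post needs no change to the PHP above -->
  <form method="get" action="">
    <fieldset>
      <legend>Who are you?</legend>
      <label for="name">Name</label>
      <!-- display point 2: attribute value, escaped with the same helper -->
      <input type="text" id="name" name="name" value="<?php echo h($name); ?>">
      <input type="submit" value="Say hello">
    </fieldset>
  </form>
</body>
</html>
```

With the lesson's own test input, h("<b>WOW!</b>") returns "&lt;b&gt;WOW!&lt;/b&gt;", so the browser shows the tags as text instead of rendering them. The empty action is used on purpose: echoing $_SERVER['PHP_SELF'] into the action is a common habit, but that value is itself user-influenced and would need the same escaping as any other input.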
