*** NOTE: I may add to this post after the Week 9 Labs!!! ***

===== CS 328 - Week 9 Lecture 2 - 2025-03-26 =====

===== TODAY WE WILL =====
* announcements
* APPLICATION TIER - continue intro to PHP
  * whirlwind tour of PHP needed to (create AND) respond to a form
* prep for next class

=====
* should be working on Homework 7!
  * at-least-1st-attempts due by 11:59 pm on Friday, March 28
* will send a class e-mail when zyBook Chapter 5 is available

===== useful aside: PHP command line interface (CLI) =====
* on a computer with PHP installed, in a terminal, you can run a PHP script using:

      php desired_file.php

* this can sometimes be useful in debugging -- you might see an error message that is not being sent to the web browser...
* IMPORTANT CAVEAT: without additional kluges, this does NOT appear to have access to the superglobal associative arrays mentioned later in these notes

===== PHP named constants =====
* like you expect:
  * once assigned, its value CANNOT be changed
  * common style is to write their names in all-uppercase
* more quirkily:
  * DON'T start their names with a $!
  * PHP has at least two ways to define one:

      const DESIRED_CONST = desired_expr;
      define("DESIRED_CONST", desired_expr);

===== PHP if statement =====
* one of the versions:

      if (desired_expr)
      {
          statement;
          ...
      }
      else
      {
          statement;
          ...
      }

* and elseif is supported, but so is else if (if I am reading zyBooks section 5.4 correctly)
* note:
  * == is true if its operands are the same value (even if they aren't the same type)
  * === is true if its operands are the same value AND the same type
  * != and !== both exist....
* AND: you can jump in and out of PHP tags as much as you want throughout your if statement (and while statement and etc.!!!)
* see the if statements in 328lect09-2.php!
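An added example (not from the lecture or from 328lect09-2.php) showing both ways to define a constant, an if/elseif/else that uses one, and why the == versus === distinction matters once a value has come from a form, where everything arrives as a string. It assumes PHP 8 (for the mixed type hint); the names MAX_ATTEMPTS, DEFAULT_ROLE, describe_attempts and compare_both are made up for this example.

```php
<?php
// Added example (not from the lecture notes): named constants and
// loose (==) vs. strict (===) comparison. All names here are made up.
declare(strict_types=1);

const MAX_ATTEMPTS = 3;            // first way to define a constant
define("DEFAULT_ROLE", "guest");   // second way (note: no $ in the name)
// MAX_ATTEMPTS = 4;               // would be a parse error: constants cannot be reassigned

// if / elseif / else using the constant; === so an int is required on both sides
function describe_attempts(int $used): string
{
    if ($used < MAX_ATTEMPTS) {
        return (MAX_ATTEMPTS - $used) . " attempt(s) left";
    } elseif ($used === MAX_ATTEMPTS) {
        return "this is your last attempt";
    } else {
        return "locked out";
    }
}

// Returns what == and === each say about one pair of values.
function compare_both(mixed $a, mixed $b): array
{
    return ["loose" => $a == $b, "strict" => $a === $b];
}

// Pairs that == treats as equal but === does not (plus one that differs both
// ways). Form data always arrives as strings, so the "1" vs "01" and
// "100" vs "1e2" rows are the ones that bite when a submitted value is
// compared against an expected one with == instead of ===.
$pairs = [
    ["1",   "01"],   // both numeric strings, so == compares them as numbers
    ["100", "1e2"],  // "1e2" is also a numeric string
    [0,     "0"],    // int vs. string of the same number
    [null,  0],      // null and 0 both convert to false under ==
    [true,  "yes"],  // any non-empty string other than "0" is true under ==
    ["abc", "ABC"],  // == is NOT case-insensitive: these differ both ways
];

foreach ($pairs as [$a, $b]) {
    $r = compare_both($a, $b);
    printf("%-8s vs %-8s  ==: %-5s  ===: %s\n",
        var_export($a, true), var_export($b, true),
        $r["loose"] ? "true" : "false", $r["strict"] ? "true" : "false");
}
echo describe_attempts(2), "\n";
echo DEFAULT_ROLE, "\n";
```

Run it from the CLI (php compare_demo.php, any file name will do) to see the table; the point to take away is that == with a string operand silently converts types, so comparisons against client-supplied values should use === (or a strict in_array) unless you really want that conversion.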
===== Superglobal Associative Arrays =====
* a set of PHP special global variables that are arrays and are visible in all PHP code
* their names start with $_ and are written in all-uppercase

* $_SERVER - has useful server-related info in it
  * the key "REQUEST_METHOD" will let you access the method for the current request
  * $_SERVER["REQUEST_METHOD"] will contain either "GET" or "POST"

* $_POST - contains the name=value pairs from a submitted form that had method="post"
  * the key is the name in that name=value pair
  * $_POST["desired_name"] is the value in desired_name=its_value
  * (there's an analogous array $_GET for obtaining the name=value pairs from a submitted form that has method="get")

===== IMPORTANT: ON THE APPLICATION TIER, ****** NEVER TRUST ****** user-provided data!! =====
* cross-site scripting! SQL injection! and more!
* MANY dangers are possible, and we'll be discussing at least some of them as the semester continues!
* IN THE MEANTIME: note that application-tier especially (and also data-tier) programmers CANNOT and SHOULD NOT trust client-tier provided data, EVER.
  * what if you wrote a beautiful form with all kinds of HTML and client-side JavaScript error checking?
  * doesn't matter -- a rogue user can write their OWN HTML page that happens to, for example, make a request to your form's action attribute value! (that is: a request NOT coming from YOUR form, providing its own custom name=value pairs BASED on your form but with ROGUE values...)
* don't USE info from $_POST (and $_GET) without somehow CHECKING and SANITIZING it first!!
* HOW? ...varies, based on the situation and the potential dangers!
  * maybe using an if or switch statement that CHECKS the value first!
    or that only acts if the value is one of a small set of expected values (and throws an error otherwise)
  * maybe using PHP functions to sanitize the user-provided value before using it -- functions such as:
    * strip_tags - expects a string, returns that string with <*> </*> tags removed
    * htmlspecialchars, htmlentities - expects a string (and possibly more arguments), returns that string with characters that the browser would interpret as markup (such as <, >, &, and quotes) replaced with display-only HTML entities
    * trim - expects a string, returns that string with any leading or trailing whitespace removed
* info from $_SERVER can even be compromised -- see the recommended way for sanitizing that in the PHP expression tag setting the form's action attribute in 328lect09-2.php:

      // note: trying to safely use $_SERVER's "PHP_SELF" entry
      // to get the current PHP document's URL to use as this
      // form's action attribute value
      ?>
      <form method="post" action="<?= htmlentities($_SERVER["PHP_SELF"], ENT_QUOTES) ?>">
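An added example (it is not 328lect09-2.php and not part of the lecture) that puts the pieces above together: one PHP page that both displays a form and, on a POST, uses $_SERVER["REQUEST_METHOD"] and $_POST to respond to it, checking each value against a small set of expected values or a numeric range, trimming and stripping tags where a free-text value is unavoidable, and escaping everything (PHP_SELF included) before it goes back into the HTML. The field names, the ALLOWED_COLORS whitelist and the helper names h and validate are made up for this example; it assumes PHP 8.

```php
<?php
// Added example (not the lecture's 328lect09-2.php): one page that both
// displays a form and handles its POST submission. Every client-supplied
// value is checked or escaped before use. Field names, the whitelist and
// the helper names (h, validate) are made up for this example.
declare(strict_types=1);

const ALLOWED_COLORS = ["red", "green", "blue"];  // the only values we will act on
const MAX_NAME_LEN   = 40;

// Escape a string for safe placement in HTML text or a quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, "UTF-8");
}

// Check the submitted fields. Returns [errors, cleaned] so the rest of the
// page never touches raw $_POST values directly.
function validate(array $post): array
{
    $errors = [];
    $clean  = [];

    // name: must be a string (a client can send name[]=... to get an array
    // instead), then strip tags and trim, then length-check.
    $name = is_string($post["name"] ?? null) ? trim(strip_tags($post["name"])) : "";
    if ($name === "" || strlen($name) > MAX_NAME_LEN) {
        $errors[] = "name must be 1 to " . MAX_NAME_LEN . " bytes";
    } else {
        $clean["name"] = $name;
    }

    // color: only act if it is one of a small set of expected values.
    // in_array(..., true) compares with === so "0", true, etc. cannot match loosely.
    $color = $post["color"] ?? null;
    if (!is_string($color) || !in_array($color, ALLOWED_COLORS, true)) {
        $errors[] = "color must be one of " . implode(", ", ALLOWED_COLORS);
    } else {
        $clean["color"] = $color;
    }

    // qty: FILTER_VALIDATE_INT rejects "12abc", "1.5", arrays and out-of-range values.
    $qty = filter_var($post["qty"] ?? "", FILTER_VALIDATE_INT,
                      ["options" => ["min_range" => 1, "max_range" => 99]]);
    if ($qty === false) {
        $errors[] = "qty must be an integer from 1 to 99";
    } else {
        $clean["qty"] = $qty;
    }

    return [$errors, $clean];
}

// REQUEST_METHOD is not set when the script is run from the CLI (the caveat
// in these notes), so default to GET and just show the form in that case.
$method = $_SERVER["REQUEST_METHOD"] ?? "GET";
$errors = [];
$clean  = [];
if ($method === "POST") {
    [$errors, $clean] = validate($_POST);
}
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Widget order</title></head>
<body>
<?php if ($method === "POST" && $errors === []): ?>
  <p>Thanks, <?= h($clean["name"]) ?>: <?= $clean["qty"] ?> <?= h($clean["color"]) ?> widget(s) ordered.</p>
<?php else: ?>
  <?php foreach ($errors as $e): ?>
    <p class="error"><?= h($e) ?></p>
  <?php endforeach; ?>
  <!-- PHP_SELF comes from the request URL, so it is escaped like any other input -->
  <form method="post" action="<?= h($_SERVER["PHP_SELF"] ?? "") ?>">
    <label>Name: <input name="name" maxlength="<?= MAX_NAME_LEN ?>"></label>
    <label>Color:
      <select name="color">
<?php foreach (ALLOWED_COLORS as $c): ?>
        <option value="<?= h($c) ?>"><?= h($c) ?></option>
<?php endforeach; ?>
      </select>
    </label>
    <label>Qty: <input name="qty" type="number" min="1" max="99"></label>
    <button type="submit">Order</button>
  </form>
<?php endif; ?>
</body>
</html>
```

Two design points: the HTML maxlength, min and max attributes are only a convenience for honest users, since a request can be built without the form, so every limit is re-checked in validate(); and htmlspecialchars with ENT_QUOTES does the same job as the lecture's htmlentities call for the characters that matter in HTML, while the helper keeps the flags and charset in one place so no output spot forgets them.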