Lecture 3: Web Servers / PHP and Apache
CS 383 – Web Development II
Monday, January 29, 2018

Server Configuration
• One of the most common configurations of servers meant for web development is called a LAMP server
  o Linux
  o Apache
  o MySQL
  o PHP
• Some servers explicitly have a “LAMP” option
• Others do not, but have all of the components in their repositories

Linux
• We are familiar with Linux through the other courses and labs
• The key to the Linux component is the file ownership and permission model we’ve learned

Apache
• We’ll come back to this in a second…

MySQL
• MySQL runs as a process in the background that we connect to
• We can either connect from the command line with the mysql command, or use libraries to connect from programming languages with our account logins

PHP
• PHP scripts are stored in “regular” files on a filesystem
• Thus, any user on the system who wants to run a PHP script must be able to read the file on the system

Back to Apache…
• Apache runs as a process on the server
• All processes on a system must be run as somebody
  o Run ps aux on dilbert – these are the running processes, with the user who is running each process listed in the first column
• We need somebody who can run the Apache web server, and also access our files

Apache
• By default, root is the only user who can access anybody’s files
• But this is a horrible idea – people connecting to webpages would theoretically be executing code as the admin of the system
• Solution: We need to use another user, and set the permissions on the file so that this new user can access it

Apache
• If we run ps aux | grep apache on dilbert, we will see the running processes for the web server
• On our system (Ubuntu), they are run by www-data, as configured automatically by aptitude, the package manager
• Thus, we need to configure our scripts so that they can be read by www-data

Apache
• If you manually set up Apache on a server, the admin must create a new user (named whatever they want) and configure the server to run as that user
• If you use repositories supplied by the Linux distribution (yum for Fedora), they generally choose the name in the configuration scripts that come through the repository
• Also note that on some systems the web server is simply known as httpd, rather than apache

File Permissions
• File permissions are critical when making a web application available to a web server
• File permissions are usually stored as octals
• Each octal digit can represent 8 different values, using the numbers 0 through 7

File Permissions
• There are three different digits in the octal form of a file permission
  o The first digit is for the user that owns the file
  o The second digit is for the group that owns the file
  o The third digit is for all other users on the system

File Permissions
• To assign permissions to one of these three, you “add” up the permissions
  o 4 means read permission
  o 2 means write permission
  o 1 means execute permission
• If we want the group owner of the file to have read and execute access, the value of that digit would be 5 (4 for read + 1 for execute)

File Permissions
• Because each permission is a separate binary bit (4, 2 and 1), two different combinations of permissions can never add up to the same value
• We will see this later in the course when we talk about configuration options for PHP

File Permissions
• To assign an octal file permission to a file, we use the chmod command (short for change mode):
  chmod octal filename
• Example: Suppose we had the file foo.php and wanted to assign the permissions 755:
  chmod 755 foo.php
• If you had a directory with subdirectories and files, you can use the -R option to apply the permission to all of them:
  chmod -R 755 foo/

File Permissions
• So, suppose we want the owner of the file index.php to be able to read, write, and execute the file; the group owner of the file to be able to read and execute the file; and all other users to be able to execute the file
  o First digit: 4 (read) + 2 (write) + 1 (execute) = 7
  o Second digit: 4 (read) + 1 (execute) = 5
  o Third digit: 1 (execute) = 1
  o Octal permission: 751
  o Command: chmod 751 index.php

File Permissions
• Thus, for our scripts to be able to be run as www-data, we need to set the permissions of our files to 644, and our directories to 755
  o group and other are set to 4, which is read
  o owner is set to 6, which is read + write (obviously, we need to be able to add code to our file, so we must be able to write to it)
  o Directories need execute access
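To turn the add-up rule from the last few slides into something you can run, here is an added example (not the lecture's own code): it computes an octal mode from read/write/execute flags, applies it to a scratch file with PHP's chmod(), reads it back with fileperms(), and checks whether the "other" class, which is where www-data falls for a file you own, can read it. It assumes a POSIX filesystem and the PHP command line.

```php
<?php
// Added example, not from the lecture: the "add up 4/2/1" rule as code.
// Assumes a POSIX filesystem and the PHP command line (php perms.php).

// One digit of the mode: read = 4, write = 2, execute = 1, added together.
function modeDigit(bool $read, bool $write, bool $execute): int
{
    return ($read ? 4 : 0) + ($write ? 2 : 0) + ($execute ? 1 : 0);
}

// Three digits (owner, group, other) packed into one integer, as chmod sees it.
// Each argument is [read, write, execute].
function octalMode(array $owner, array $group, array $other): int
{
    return (modeDigit(...$owner) << 6) | (modeDigit(...$group) << 3) | modeDigit(...$other);
}

// Can the given class (owner, group or other) perform the action on a file with this mode?
// Because each permission is its own bit, the check is a bit mask, not a list of cases.
function classCan(int $mode, string $class, string $action): bool
{
    $shift = ['owner' => 6, 'group' => 3, 'other' => 0][$class];
    $bit   = ['read' => 4, 'write' => 2, 'execute' => 1][$action];
    return (($mode >> $shift) & $bit) !== 0;
}

// The slide's worked example: owner rwx, group rx, other x (the 751 case).
$mode751 = octalMode([true, true, true], [true, false, true], [false, false, true]);
printf("owner rwx, group rx, other x => mode %s\n", decoct($mode751));

// Apply the two file settings from the slides to a scratch file and read them back.
// www-data is neither the owner nor in our group, so it falls in the "other" class:
// 644 leaves the file readable by that class (and by every other user), 600 does not.
$file = tempnam(sys_get_temp_dir(), 'cs383');
foreach ([0644, 0600] as $mode) {
    chmod($file, $mode);
    $actual = fileperms($file) & 0777;              // drop the file-type bits
    printf("mode %s: www-data (other) can read it? %s\n",
        decoct($actual), classCan($actual, 'other', 'read') ? 'yes' : 'no');
}
unlink($file);
```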

But…
• We’ve created another problem by solving this one
• Now, the www-data user can access our files
• … and so can every other user on our system
  o This exposes your source code, passwords, etc.
  o This means if you have a script that uploads or generates any files, the files are owned by the www-data user, not you – and thus, you can’t access them

AssignUserID
• AssignUserID allows you to run PHP as another user on a system
• Thus, we will run our own apache processes as ourselves
• This will allow us to set permissions on the scripts so that only we have access to them

AssignUserID
• Your web directories have been set up to use AssignUserID if accessed at an alternate URL called a virtual host
  o http://mathcs.wilkes.edu/~username/ will run the files as www-data
  o http://username.mathcs.wilkes.edu/ will run the files as you
• We will talk about the configuration of virtual hosts later this semester

AssignUserID
• To ensure everything is working as expected:
  o Make a directory inside your webdocs called cs383 (where all of your work this semester will be stored)
  o Give this directory the permission 700
  o Create a file inside your cs383 directory called hello.php that contains the patented Hello World program to ensure everything is working
  o Give this file the permission 600
  o Visit this at http://username.mathcs.wilkes.edu/hello.php to ensure that it works
  o Visit http://mathcs.wilkes.edu/~username/hello.php to ensure that it does not work

Warning #1
• If you put files in your webdocs directory and make them publicly readable so that www-data (and anybody else) can read them, this means anybody can go on dilbert and read your source code
• If somebody else in the class goes into your webdocs and copies your code because you made a file publicly readable, you will be considered equally responsible for cheating and will face the same consequences
• All files should be readable only by you and executed through AssignUserID

phpinfo()
• phpinfo() is a function that takes no arguments and does just what its name implies – dumps out information about PHP
• It can be used on the command line or in a web script
• Information includes:
  o Version numbers
  o Modules installed
  o Configuration settings
  o Environment/server variables
• Create a file called info.php that contains the following:
  <?php phpinfo(); ?>

PHP Configuration
• The settings for PHP on a web server are stored in a file called php.ini
• There is a separate file for each version of PHP
  o /etc/php5/cli/php.ini for scripts run on the command line
  o /etc/php5/apache2/php.ini for scripts run through the web server
• You can change the PHP configuration by:
  o Editing the php.ini file (if you have admin access)
  o Creating your own php.ini file and setting your virtual host to use it (if you have admin access)
  o Using the ini_set() function to override a setting
  o Putting settings in an .htaccess file
  o Using a function for a specific option to override its setting

Warning #2
• If you Google issues you are having with code, it may direct you to change values that come from php.ini
• DO NOT CHANGE ANY OF THESE VALUES IN YOUR ASSIGNMENTS UNLESS YOU ARE DIRECTED TO DO SO
• Often, people post solutions without fully understanding the scope of their suggestions
• Some PHP settings can change crucial security settings that may open up holes that were previously closed
• Example: Register Globals (now removed from PHP)

Warning #2
• Often, php.ini is configured for this class to ensure no shortcuts are taken
• All assignments I give can be completed using the php.ini settings that are listed on dilbert
• If one cannot, I will supply you with the necessary changes to the php.ini settings

PHP through Apache
• Last week, we talked about building command line scripts
• This week, we will transition to building scripts that run through the web server, Apache, and are viewable in a browser

Differences in Input
• As mentioned last week, the biggest difference between the two interfaces for programming is how we receive input and provide output
• Providing output is (mostly) different only because we need to wrap everything in HTML code to display it properly in a browser window
• For input, think about our command line applications and how we received input

Differences in Input
  Command Line Input Method        Equivalent in Web Browser
  Command line arguments ($argv)   Query strings ($_GET)
  Standard input (STDIN)           Forms ($_POST)

Note about Forms with $_GET and $_POST
• Note that we can send forms over $_GET instead of $_POST
• However, it is not ideal because all data in $_GET is sent through the URL:
  o Generally there is a limit of about 2048 characters in a URL, limiting how much data can be sent over a form
  o Sensitive data (such as a password) would be captured in the URL, and thus appear in the user’s browser history

$_GET and Query Strings
• The syntax of a URL is:
  http://host.domain/file.php?querystring
• The query string consists of data in the form variable=value
• Multiple pieces of data can be strung together with &

$_GET and Query Strings
• Suppose you had the URL:
  http://cs383.mathcs.wilkes.edu/myfile.php?newsid=18&theme=2
• Our variables are newsid (18) and theme (2)
• If we were to add print_r($_GET); the output would be:
  Array
  (
      [newsid] => 18
      [theme] => 2
  )
• We can access these with $_GET["newsid"] and $_GET["theme"]

Register Globals
• You may see a solution on the Internet to a problem that suggests you turn on register globals in the INI settings of PHP
• Register globals means, if you had the URL http://cs383.mathcs.wilkes.edu/script.php?userid=10, then you could access the variable in the query string directly with $userid rather than $_GET["userid"]
• DON’T TURN IT ON

Register Globals
• This creates a HUGE security risk
• Suppose your script used a variable $userid to keep track of who was logged in
• Somebody could add ?userid=3 to the end of a URL, and if your script is not explicitly checking for somebody adding their own query strings, it could allow them to take over the account of whoever had the userid 3
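As an added illustration (not from the lecture) of the takeover just described, the block below uses PHP's standard extract() to mimic what register_globals did, puts the fragile pattern next to a hardened one that takes identity only from the server-side session, and runs both on constructed request and session arrays.

```php
<?php
// Added example, not from the lecture. register_globals no longer exists, but
// extract() (standard PHP) copies request keys into local variables in the same
// way, which is enough to reproduce the $userid problem and show the fix.
// $request and $session below are constructed arrays, not a real request.

// The pattern the slide warns about: $userid is only assigned when someone is
// logged in, and request data is turned into variables before it is used.
function currentUserVulnerable(array $request, array $session): ?int
{
    if (isset($session['userid'])) {
        $userid = $session['userid'];
    }
    extract($request);              // ?userid=3 now defines (or overwrites) $userid
    return isset($userid) ? (int) $userid : null;
}

// Hardened form: every variable gets an explicit default, request data is only
// ever read by name ($request['x']), and identity comes solely from the session.
function currentUserSafe(array $request, array $session): ?int
{
    $userid = null;
    if (isset($session['userid']) && is_int($session['userid'])) {
        $userid = $session['userid'];
    }
    return $userid;
}

// Constructed: a visitor who is not logged in adds ?userid=3 to the URL.
$tampered  = ['userid' => '3'];
$noSession = [];
var_dump(currentUserVulnerable($tampered, $noSession)); // treated as user 3, as the slide describes
var_dump(currentUserSafe($tampered, $noSession));       // still nobody (null)

// Constructed: user 7 is logged in and the same query string is appended.
$loggedIn = ['userid' => 7];
var_dump(currentUserVulnerable($tampered, $loggedIn));  // session value overwritten by the query string
var_dump(currentUserSafe($tampered, $loggedIn));        // stays user 7
```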

Validating Input
• Because PHP is flexible, in that explicit variable declarations are neither necessary nor allowed, checking input is somewhat complicated
• Suppose we had the URL http://cs383.mathcs.wilkes.edu/script.php?x=_____ (some value for x)
• We want to make sure the value supplied for x in the query string is an integer
• How do we do this?

Validating Input
• First, note that, even if this value came from a form or a link we put on the page, we cannot assume that the input is valid
• Why not?
• Even if we use JavaScript on a form to validate that the input is good, somebody can create their own form that submits to submit.php anyway, bypassing the JavaScript validation

Validating Input
• First, we need to verify that a value for x was actually supplied in the query string
• We can do this with the function isset($var), which verifies that the variable provided was initialized somewhere
• Example: isset($_GET["x"])

Validating Input
• Now, we need to verify that the value is an integer
• If you look in the PHP documentation, you can see that it looks like we have a few functions that can do this…
• … But we actually don’t
• These functions will not do what we really want them to

Validating Input
• One function you will find is is_int($var)
• However, this checks if the type, as it is stored, is an int, not if the actual value is an int
• Remember that the part of the URL we are extracting these variables from is called a query string, not a query integer: every value in it arrives as a string
• Examples:
  o is_int(4) => true
  o is_int("4") => false
• Since the latter is how the variable would appear from a query string, this function will not work

Validating Input
• Next, you may come across the function intval($var)
• This converts strings into integers
• However, it essentially takes a string and keeps only the numeric characters
• Examples:
  o intval("4") => 4
  o intval("4.6") => 46
• Since the latter would simply take a floating point value and remove the decimal point, completely changing our input, this function will not work

Validating Input
• We have the function is_numeric($var), which will tell us if something is a numeric value
• Examples:
  o is_numeric(4) => true
  o is_numeric("4") => true
  o is_numeric("4.6") => true
• This gets us almost there, but it will still return true for floating points

Validating Input
• Workaround: Cast the variable as an integer, and compare it to the original – if they’re equal, it must be an integer:
  is_numeric($var) && $var == (int)$var
• So, putting this all together, to verify that a variable x is provided in a query string, and it is an integer, our code would be:
  if(isset($_GET["x"]) && is_numeric($_GET["x"]) && $_GET["x"] == (int)$_GET["x"]) {
      // is an int
  } else {
      // is not an int
  }

Validating Input
• Why does this work?
• Unlike other languages, the following WILL evaluate to true:
  0.2 == "0.2"
• Although the previous functions would have found a distinction between 0.2 and "0.2", PHP otherwise does not
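The checks from these validation slides run end to end, as an added example that is not part of the lecture: it builds $_GET from a constructed URL with PHP's parse_url() and parse_str(), applies the lecture's isset/is_numeric/cast check, and adds a stricter digits-only check (my addition, not the slides') because the loose == comparison also accepts strings such as "4.0". It assumes a PHP 7.1 or later command line.

```php
<?php
// Added example, not from the lecture: the checks from the validation slides run
// against a constructed request. parse_url() and parse_str() are standard PHP;
// the URL and the sample values are made up here.

// The lecture's combined check: present, numeric, and unchanged by an (int) cast.
function isIntegerParam(array $get, string $key): bool
{
    return isset($get[$key]) && is_numeric($get[$key]) && $get[$key] == (int) $get[$key];
}

// Stricter variant (an addition, not from the slides): only an optional minus sign
// and digits. Because "4.0" == 4 and (on PHP 7.1+) "1e2" == 100 under PHP's loose
// comparison, the check above accepts those strings; this one does not.
function isIntegerParamStrict(array $get, string $key): bool
{
    return isset($get[$key]) && is_string($get[$key])
        && preg_match('/^-?(0|[1-9][0-9]*)$/', $get[$key]) === 1;
}

// Build $_GET the way PHP would for this (constructed) request.
$url = 'http://cs383.mathcs.wilkes.edu/myfile.php?newsid=18&theme=2';
parse_str(parse_url($url, PHP_URL_QUERY), $get);
print_r($get);                           // same shape as the slide's print_r($_GET) output

// Every query value is a string, which is why is_int() is the wrong tool,
// why intval() silently changes "4.6", and why is_numeric() alone is not enough.
var_dump(is_int($get['newsid']));
var_dump(intval('4.6'), is_numeric('4.6'));
// The loose comparison the workaround relies on:
var_dump(0.2 == "0.2");

// Run both checks over constructed values for x, then the missing-parameter case.
foreach (['18', '-7', '4.6', '4.0', '1e2', 'abc', ''] as $x) {
    printf("x=%-6s lecture check: %-3s strict check: %s\n", var_export($x, true),
        isIntegerParam(['x' => $x], 'x') ? 'int' : 'no',
        isIntegerParamStrict(['x' => $x], 'x') ? 'int' : 'no');
}
var_dump(isIntegerParam($get, 'x'));     // no x in this query string at all
```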