Server-Side Scripting 1

Course Description

This course will provide an overview of the PHP scripting language and SQL, and how to use these technologies to generate dynamic web sites. It will introduce secure and maintainable coding practices.

Prerequisites

Students should have taken Web Design 1 or have comparable knowledge. Students should also have or be in the process of acquiring some knowledge of forms in (X)HTML. It can be taken in parallel to Web design 2.

FED-110 Web Design 2

Recommended Textbook(s)

Beginning PHP 5.3 is the main book. Essential PHP Security lacks a few modern tools, since it is from 2005, but explains attack vectors and the philosophy of security really well.

Doyle, Matt.. Beginning PHP 5.3. Indianapolis, IN: Wiley Pub, 2009.
Shiflett, Chris.. Essential PHP Security, A Guide to Building Secure Web Applications. Sebastopol, CA: O'Reilly, 2005.

Technologies Required

Usually provided by the institution/teacher:

A web server, with student access to a MySQL database, PhpMyAdmin, SSH- and encrypted FTP access. Short open tags should be disallowed and display errors should be on, with an error reporting level of E_ALL.
Practice servers, to install an HTTP-server, PHP and MySQL on.
To help students write clean and readable code from day one, the teacher may provide PHP Code Sniffer. Many Linux distributions provides it through the packaging system, e.g. on Fedora, you can just do yum install phpcs. A suggested sniff is provided in the resources section.

Students are required to use:

A full fledged editor or IDE.
An FTP client that supports SFT and/or FTPS. (Can be part of the IDE or a browser extension.)
An SSH client.

Competencies

Please note that security is not a topic in this table to be handled separately. Security is built in, not bolt on. Security is also expected to be taught from day one, and not considered to be an advanced topic.

Topic	Competency	Evaluation Methods
PHP history and uses	Explain the difference between server side and client side scripts. Summarize the origin and development of PHP. List and briefly describe the most common alternatives to PHP. List some well known web sites and applications that has been built in PHP. Briefly explain the concept of Open Source. List some well-known public mailing lists, IRC channels and discussion forums where you can find help with PHP.	Final exam
Installation and basic configuration of PHP and an IDE	Demonstrate installing an HTTP-server, PHP and MySQL on a computer. Demonstrate the usage of php.ini and .htaccess Explain why display_errors should be off on a production web server. List some commonly used PHP-modules and demonstrate how to activate them on a web server. Demonstrate how to get information about a PHP-installation using `phpinfo()` and `php -m`. Demonstrate how to use PHP CLI. Demonstrate how to install an IDE or editor for PHP development. Explain the purpose and usage of development and staging servers. Explain the purpose of a version control system.	Module 1: Installation Final exam
Basic PHP syntax	Demonstrate how to switch between HTML-mode and PHP mode. List what types of php tags that you can use, and explain the potential pitfalls of using short open tags. (Note to teachers: Turn open tags off on the server you provide.) Demonstrate how to use single line, multi line and PhpDoc-style comments. Demonstrate how to separate instructions. Demonstrate how to use the echo and print statements. Recognize the differences between the two.	Module 1: Installation Final exam Final assignment
Using PHP as a simple template engine	Explain the concept of server side includes and why it is better than client side frames. Describe the differences between PHP’s include, include_once, require and require_once commands. Explain performance benefits of using absolute paths when including files. Explain why included files should always reside outside of the server root directory. Demonstrate how PHP can make client side frames redundant.	Assignment 1: Use PHP as a Template System
PHP best practices overview	Note: This is meant as an overview. No in-depth knowledge yet. Briefly discuss key characteristics of a well written PHP_application. Demonstrate how to write readable and properly indented code. Demonstrate basic knowledge about coding conventions, especially the PEAR coding standard. Explain what revision control is. Show basic knowledge about phpDocumentor. Use the most basic tags in phpDocumentor and produce generated documentation for your code. Explain what bug tracking is. List a few well known bug trackers.	(Most assignments will touch upon these concepts in some way.) Final assignment. Final exam.
Programming concepts	Explain the concept of identifiers and list some identifier names one is not allowed to use in PHP. Explain the concept of sigils. Explain the consept of data types and compare strong and weak typing. Demonstrate type checking and type juggling. Recognize that all user-submitted data, and all data-base results, are strings to PHP. Demonstrate how to check for numeric values in strings. Explain the null value, and describe the difference between variables that are null and variables that have not been set. Demonstrate how to use the isset() and empty() functions. Explain what values in PHP that convert to false, when used in a boolean check. Demonstrate usage of variables and constants, using best practice naming conventions. Recognize the different kinds of constants in PHP (built in, magic, user defined; global, class). Demonstrate different syntaxes for setting constants (define and const - also for global constants since PHP 5.3) Explain the concept of statements. Demonstrate correct usage of statements and block statements. Explain the concept of expressions. Demonstrate correct usage of expressions. Explain what operators are and demonstrate correct usage of all common operators. Explain the concept of functions and all associated terminology and demonstrate how to write and use functions. Explain and use assignment by value and assignment by reference. Explain what arrays are in PHP and contrast the implementation to a few other programming languages. Demonstrate how to create and manipulate arrays and how to access individual items in arrays. Recognize all error levels in PHP and explain the difference between an error and an exception. Demonstrate how to handle errors appropriately.	(Modules with exercises are appreciated.) Final assignment. Final exam.
HTTP	Explain the most commonly used HTTP methods (get, post, head) Demonstrate how to fetch information from the client using $_SERVER. Explain MIME-types, and demonstrate how to set MIME-types using PHP’s header-function.	Module 2 (a): Emulate HTTP-connections with netcat or telnet Module 2 (b): Analyze HTTP-traffic using Firebug or a similar tool. Final assignment. Final exam.
Character encoding	Note: For any audience using non ascii-characters (almost everybody outside the USA and UK) this is essential! Describe the basics of character encodings and compare the terminology used by Unicode to the terminology used in HTTP-headers encoding vs. charset. Demonstrate how to specify the encoding used in a script (the setting on your editor or IDE). Explain the difference between multi-byte encodings and single-byte encodings. Demonstrate how to use multi-byte string functions in PHP 5.x. Recognize problems that might occur in PHP because of misinterpreted character encodings. Demonstrate how to set character encoding in HTTP-headers, using the http-server tools and PHP. List the characters that have a highest potential for abuse (e.g. “null” and “eof”) and demonstrate how to filter input to avoid them using ctype functions. Demonstrate how to set the encoding (and collation) in a MySQL table or field, using PhpMyAdmin or a similar tool. Demonstrate how to convert text between different encodings.	Assignment 3. Final assignment Final exam Extra questions for SS 2: Explain what a BOM is and how it can cause problems for PHP scripts. What is the difference between little endian and big endian UTF-16? What is Unicode normalization?
Locales, timezones and time functions.	Explain the concept of locales. Demonstrate how to set timezones for PHP scripts. Demonstrate how to set locale for PHP scripts. Explain the concept of collation and demonstrate how to use locale aware string and array comparison and sorting. Demonstrate how locale and timezone information affects date and time functionality in PHP. Use the basic date and time functions.	(Modules with exercises are appreciated.) Final exam Final assignment
Strings	Explain the concept of a string. Compare the two types of strings there is in PHP 6. Demonstrate how to set them and convert between them. Demonstrate how to get the length of a string and access its characters by index Demonstrate how to handle single and double quotes in strings with variables. Demonstrate how to concatenate strings. Demonstrate how to use heredoc and nowdoc. Recognize the two syntaxes that exist for heredoc as of PHP 5.3. Demonstrate how to escape characters in strings. Demonstrate correct usage of basic string functions, e.g. strlen, substr, strstr, strpos, trim, strtolower, with variants. Demonstrate how to compare strings, using operators and comparison functions like strcmp or strcoll. Demonstrate how to check the integrity of string contents using the ctype-functions. Explain the concept of regular expressions, exemplify when they can be used and demonstrate simple usage.	Assignment 3. Final exam. Final assignment.
Array usage and array functions	Demonstrate how to iterate over an array using the foreach function. Demonstrate how to sort arrays. Demonstrate how to perform a function call on each value in an array. Specifically, demonstrate how to remove magic quotes from GPC-data. Explain what the cursor is in an array and demonstrate how to walk through arrays. Demonstrate how to use assign multiple variables from array values using the list() language construct. Demonstrate how to check for the existence of specific keys or values within an array. Demonstrate how to attach and how to delete values at both the bottom and top of an array.	Assignment 3. Final exam. Final assignment.
Objects and classes (simple overview)	Explain some benefits of Object Oriented programming compared to procedural programming. Explain basic OO terminology. Demonstrate how to define and instantiate classes in PHP. Explain constructors and destructors, how to name constructors in PHP 4 and 5+ and how to use constructors. Demonstrate how to use the $this pseudovariable. Explain the concept of inheritance och demonstrate how to use the extends keyword. Explain the concept of polymorfism and demonstrate how to use interfaces and abstract classes in PHP. Briefly explain the differences in the object model between PHP 4 and PHP 5. Explain visibility of properties and methods. Explain class constants, static properties and methods and demonstrate how to use the scope resolution operator (Paamayim Nekudotayim).	(Modules with exercises are appreciated.) Final exam Final assignment
Error handling and exceptions	Recognize the types of errors in PHP. Handle interaction errors e.g. GET-data does not match DB-record might produce a 404. Use good error handling strategies. E.g: Differentiate between development servers (show on page) vs. production servers (log errors). Make usable error pages and understandable error messages. Send the correct HTTP status code for error pages. Recognize exceptions and handle them using try and catch.	(Modules with exercises are appreciated.) Final exam. Final assignment.
Server side architecture	Recognize what separation of concerns mean for PHP development. Recognize the following concepts: Presentation logic and templates, business logic and data storage logic. Demonstrate a secure and logical directory structure for PHP applictions. Explain include paths. Demonstrate how to write an application that does not depend on being in a specific root directory. Demonstrate a good strategy for filtering all untrusted data. Demonstrate consistent and appropriate escaping of output data. Implement usable, SEO-friendly and hackable URL:s. Recognize rewrite rules. Recognize the abbreviation MVC and briefly explain the rationale behind it.	Exercise 4. Final exam. Final assignment.
Handling posted data	Explain why client side checks only can be used to offload a server and provide better usability, never for security. Explain why GPC-data might be quoted in PHP 4.x and 5.x. Explain what problems magic quotes were intended to solve, why they did not work properly and are being removed in PHP 6 and how they can be removed in a script. Explain how the superglobal array $_POST relates to name attributes in HTML forms. Demonstrate handling posted data. Recognize the usage of register globals and explain why it is a security hazard. Recognize the bad habit of manually making EGPCS-data into regular variables ($foo = $_POST[‘foo’] or extract($_POST)). Recognize the usage of $_REQUEST and explain why it is considered bad practice to use it. Recognize how sensitive data can be transmitted securily, using encryption. Recognize the abbreviations SSL and TLS.	Exercise 5. Final exam. Final assignment.
Sending email	Demonstrate simple usage of the mail() function in PHP. Recognize the concept SMTP injection and demonstrate how to avoid it.	Exercise 5. Final exam. Final assignment.
Sessions and authentication	Recognize the sessionless nature of HTTP. Recognize session fixation and session hijacking. Use session_regenerate_id and set session ID using cookies only. Recognize HTTP-authentication in PHP. Preventing multiple submits of a form. Demonstrate how to prevent cross-posting using a session variable.	Final exam. Final assignment.
Cookies	Explain the concept of cookies and how they are passed to the server from the browser. Demonstrate how to set and read cookies. Explain the security benefits of server side only cookies, and demonstrate how to set them.	Final exam. Final assignment.
File handling and storing data in text files	Demonstrate how to read from and write to files. Recognize the different flags used to control the opening of file sockets. Recognize the most common security problems when usiing file functions. Demonstrate how to safely handle files uploaded by the user.	Final exam. Final assignment.
Relational Database concepts and MySQL fundamentals	List some common Database Management Systems (DBMS). List some common alternatives to storing data in a relational database and briefly explain the merits and disadvantages of each option. Explain how SQLite can be used from every modern PHP installation. (Note: SQLite is primarily included to provide a way to explain data access abstraction using PDO.) Give an overview of how a relational database works. Recognize the terminology used about databases (relation/table, tuple/row, attribute/field/column, default values, NULL, keys, etc). Briefly explain the concept of normalization and recognize the related glossary (keys, functional dependency) List the available data types in MySQL and demonstrate proper usage of the most common ones. Explain the concept of indexes. Demonstrate how to use indexes in MySQL. Recognize the concept of a storage engines in MySQL and briefly explain the main differences between MyISAM and InnoDB. Demonstrate how to use PhpMyAdmin or a graphical tool to set up a database. Make a user with privileges suitable for PHP scripts. Demonstrate how to run queries in the tool. Demonstrate how to backup/dump a MySQL database. Question to reviewers: Is it possible to wait with constraints and referential integrity (foreign keys) until Server Side Scripting 2?	Final assignment Final exam
SQL	Recognize the glossary of SQL (DDL, DML, CRUD) Demonstrate how to access a MySQL DBMS from a CLI tool. Demonstrate how to SELECT individual records and groups of records; SORT-ing and LIMIT-ing of the results. Demonstrate how to use JOIN. Demonstrate simple usage of SQL-functions (count!) Demonstrate how to INSERT data into a table. Demonstrate how to UPDATE a table and explain why one should always use the WHERE clause doing so. Demonstrate how to DELETE data and explain why one should always use the WHERE clause doing so.	Final assignment Final exam
PDO	Recognize all 3 built in API’s to access a MySQL database from PHP (mysql, mysqli, PDO). Discuss their strengths and downsides. Demonstrate how to connect to a DBMS with PDO, prepare and execute statements, fetch single results and iterate over result sets. Recognize how to access reults from a prepared statement as normal arrays, associative arrays, objects and objects belonging to a specific class. Demonstrate safe usage of user submitted data in SQL. Recognize how to manually quote user submitted data. Discuss the benefits of prepared statements. Demonstrate how to handle errors and unexpected results using PDO. Demonstrate safe handling of database credentials.	Final assignment Final exam
The mysql and the mysqli functions	Recognize how to use the mysql and the mysqli functions. Discuss how to safely handle user submitted data using the mysql and the mysqli functions.	Final exam
SPL, PEAR and Frameworks	Recognize PEAR, PECL, SPL and the most well known PHP Component libraries? Recognize the most common PHP Frameworks. Recognize the most common PHP applications/Content Managament Systems. Recognize the usage of PHP for extended functionality for some big websites (e.g. Facebook)	Final exam
Web Services, API’s, RSS, JSON and Ajax	Recognize the most common formats for data interchange. Summarize the Ajax pattern for updating a web page. Briefly describe the concepts of API’s and Web Services.	Final exam
Shared hosting	Recognize the most important technical considerations one must know when chosing a web host. List the most important security considerations one must know about shared hosting. Demonstrate usage of a web host control panel.	Final assignment Final exam

Assignments

Assignment 1: Using PHP as a Template System.

Make a simple web site with at least 3 types of pages and 2 instances of each type. All types shall share a common masthead, footer and navigation. Make a page controller for each page and set title, heading and other data in variables. Make a master template for every type of page, that in turn will include the smaller page parts. (All data can be considered safe for this exercise, making filtering and escaping unnecessary. But students must be told such practices are required further on…)

Assignment 1 Grading Rubric
Criteria	Performance Quality			Score
Criteria	0 points	1 point	2 points	Score
Functionality	The template system does not work or is far from being complete.	The template system has all basic functionality and is mostly complete.	All required functionality is present and the solution is complete.
Code quality	No indentation, no comments or only insignificant comments. Variable names do not tell their intended usage. Resulting markup does not validate and is not semantic. File names are undescriptive and do not follow any system.	Code is mostly indented and have some usable comments. Most variable names are descriptive. There are only a few validation errors in the resulting HTML. The HTML has all basic semantics correct. File names are fairly descriptive.	All code is properly indented and well commented. Variable names show their intended usage immediately. Resulting markup is valid and semantic. ALl files have been put in different directories according to their intended usage and all file names are descriptive.

Assignment 2: Language constructs.

Use for-loops in PHP to generate a table containing a multiplication table. Alternate rows shall be colored using class names (for this exercise CSS 3 selectors are forbidden). Every cell containing the square of a number ( 1 x 1, 2 x 2, 3 x 3, etc) shall also have distinct backgrounds. The table shall be appropriately marked up with column and row headers and a caption. The page must be valid (X)HTML strict or valid (X)HTML5. Repeat the assignment using while-loops.
Generate functions in PHP that will return parts of a page, e.g. the HTML head, a masthead, a sidebar or a page footer. At least some parameters shall have default values. Have a page accept a number, submitted through the get method. Using a whitelist testing approach and the switch language construct, set values on variables that gets passed to the functions and output the page. If the user omits the GET-variable or provides an unacceptable value an appropriate error message shall be delivered. Use a whitelist approach for indata filtering, using type and range checks.

The code in both sub-assignments shall be properly commented and demonstrate different ways of making comments, including a leading PhpDoc-block. The coding style must be according to the PEAR convention, or a named convention of significant importance within the PHP community (with reasonable exceptions depending on this project’s small size).

Assignment 2 Grading Rubric
Criteria	Performance Quality			Score
Criteria	0 points	1 point	2 points	Score
Functionality	No multiplication table is produced. Functions do not return usable results. GET-data is not tested at all.	The work has all basic functionality and is mostly complete, but a few things are lacking, e.g. alternating row colors, caption or headers. The switch case construct does not allow for more than 3 alternatives. GET-data is tested for type but not range. No usable error message is displayed.	All required functionality is present in both parts of the assignment and the solution is complete and at leastt 4 different values can be used for the switch-construct. GET-data is carefully filtered and bad data results in usable error messages.
Code quality	No indentation, no inline comments or only insignificant comments. Variable names do not tell their intended usage. Resulting markup does not validate and is not semantic. File names are undescriptive and do not follow any system. No PhpDoc blocks at all.	Code is mostly indented and have some usable comments. Most variable names are descriptive. There are only a few validation errors in the resulting HTML. The HTML has all basic semantics correct. File names are fairly descriptive. PhpDoc blocks are present on most files and on most functions, but do not include more than 2 types of tags. The code does not follow a named coding convention.	All code is properly indented and well commented. Variable names show their intended usage immediately. Resulting markup is valid and semantic. All files have been put in different directories according to their intended usage and all file names are descriptive. PhpDoc comments are present on all files and all functions and include at least @author, @param and @return tags. A coding convention is followed within reasonable limits.

Assignment 3: Characters, Strings and Arrays

Make an array, indexed with integers, containing at least 5 famous quotes, sayings or similar phrases. At least one phrase must contain characters not present in the English alphabet/US_ASCII. You must use UTF-8 for this assignment. Using a GET-variable chose one of these phrases and perform the following operations on it (always starting with the original string). Output the results in an understandable way.

Convert all letters to upper case.
Count the number of characters.
Remove all vowels.
Reverse the string.
Find the first 5 and the last 5 characters.
Convert the string to ISO-8859-1.
Extra hard: Reverse the words in the string, but keep their order.
Extra hard: Put emphasis (em) on every other word.
Extra hard: Truncate the string to max 15 characters followed by … Truncate on a word boundary, not inside a word.

Loop through all phrases and output them as a list of links, with GET-parameters, to make the selection described above really easy. Use a whitelist approach for indata filtering, using type and range checks.

Use PHP to sort the array. Use print_r() or var_dump() to display the result. (Note: This is intended to show basic awareness of these two functions for debugging purposes.)

Assignment 3 Grading Rubric
Criteria	Performance Quality			Score
Criteria	0 points	1 point	2 points	Score
Functionality	There are less than 5 sayings in the array or not more than 3 described string conversions have been performed. No character outside of US-ASCII is being used. No control of the editor’s encoding setting is demonstrated. No looping to display the links. Array is not sorted.	There are at least 5 sayings in the array. At least 4 string conversions are performed. UTF-8 is used. The length of strings are checked using a multi-byte encoding aware approach. A loop runs to output the links, which are usable. The array is sorted and the result is showed.	There are at least 5 sayings in the array. At least 8 string conversions are performed. UTF-8 is used. The length of strings are checked using a multi-byte encoding aware approach. A loop runs to output the links, which are usable and nicely formatted as a HTML-list. The array is sorted and the result is showed.
Code quality	No indentation, no inline comments or only insignificant comments. Variable names do not tell their intended usage. Resulting markup does not validate and is not semantic. File names are undescriptive and do not follow any system. No PhpDoc blocks at all.	Code is mostly indented and have some usable comments. Most variable names are descriptive. There are only a few validation errors in the resulting HTML. The HTML has all basic semantics correct. File names are fairly descriptive. PhpDoc blocks are present on most files and on most functions, but do not include more than 2 types of tags. The code does not follow a named coding convention. The GET-variable is checked for type, but not range.	All code is properly indented and well commented. Variable names show their intended usage immediately. Resulting markup is valid and semantic. ALl files have been put in different directories according to their intended usage and all file names are descriptive. PhpDoc comments are present on all files and all functions and include at least @author, @param and @return tags. A coding convention is followed within reasonable limits. The GET-variable is checked for type and range. A usable error message is displayed if it is unaccepable.

Assignment 4: Templates and Emulated Database Results.

Expand on assignment 1. Set data in a multi-dimensional array (emulating database results). Chose what “row” (inner array) to show with a GET-variable. All rows must have a title-field and a body-field containg at least 3 full paragraphs of text. Check for appropriate values (filter input) and html-escape the output, as if it came from an untrusted source, before putting it into the templates. If the GET-value is unacceptable, show an appropriate error page. Use a whitelist approach for indata filtering, using type and range checks. Loop through all “rows” in the outer array and ouput a menu with links to all, using the title field for link text.

Assignment 4 Grading Rubric
Criteria	Performance Quality			Score
Criteria	0 points	1 point	2 points	Score
Functionality	The template is not populated with values from the array. No error page is showed if the GET-variable is missing or has an incorrect value. Pages do not emulate a real web site in design. No menu is showed.	The template is populated with the correct data. An error page gets showed if it refers to a row that is not present in the array, but it does not use a correct HTTP-header. Pages have enough content to emulate a real web site. A workable list of links is showed as a menu.	The template is populated with the correct data. An error page gets showed if it refers to a row that is not present in the array, but it sends a 404 HTTP-header. Pages have enough content to emulate a real web site. The menu is properly formatted as a list and styled with CSS to look like a menu.
Code quality	No indentation, no inline comments or only insignificant comments. Variable names do not tell their intended usage. Resulting markup does not validate and is not semantic. File names are undescriptive and do not follow any system. No PhpDoc blocks at all.	Code is mostly indented and have some usable comments. Most variable names are descriptive. There are only a few validation errors in the resulting HTML. The HTML has all basic semantics correct. File names are fairly descriptive. PhpDoc blocks are present on most files and on most functions, but do not include more than 2 types of tags. The code does not follow a named coding convention.	All code is properly indented and well commented. Variable names show their intended usage immediately. Resulting markup is valid and semantic. All files have been put in different directories according to their intended usage and all file names are descriptive. PhpDoc comments are present on all files and all functions and include at least @author, @param and @return tags. A coding convention is followed within reasonable limits.
Security	No checks on the GET-variable, no escaping of output.	The GET-variable is checked but the test is incomplete. HTML-output is escaped using htmlspecialchars, htmlentities or checked using a library like HTML purifier, but care is not taken to handle characters outside of the US-ASCII range.	The GET-variable is checked and the test is complete. HTML-output is escaped using htmlspecialchars, htmlentities or checked using a library like HTML purifier, and care is taken to handle characters outside of the US-ASCII range.

Assignment 5: Mailing Data From a Contact Form.

Make a contact form, contaning a subject field, a textarea for the message, a “from” name field, a “from” email field, and at least two checkboxes to chose between possible recipients (whom to contact).

Upon form submission, the data should be sent to the URL of the contact page, but now handled by the script. Filter and validate the submitted data to see if the values are safe and accepable. If not, re-display the form, pre-filled with the submitted values, and appropriate error messages. Use a white list approach to check that the recipient is actually one of the persons listed in the form. If the data is good, deliver it to the recipient using PHP’s mail-function. Set appropriate headers. Display a results page.

When displaying the results or when re-displaying the form, prevent HTML and script-injections. For the highest grade use a mechanism, e.g. session variables, to prevent multiple submissions.

Assignment 5 Grading Rubric
Criteria	Performance Quality			Score
Criteria	0 points	1 point	2 points	Score
Functionality	No mail gets sent. No appropriate feedback is given to the user when submitting the form, i.e. if it contains bad data or is lacking any required field it is simply showed as if it was the first time. Fields are missing in the form and/or some form fields are not handled at all in the script.	Missing or badly filled in data results in error messages, but correct form data is not re-displayed and has to be entered again. The mail function is invoked, but the user is not alerted about the success, i.e. the return value is not checked. The actual mail contains a few clues about its origin, a reply field and a useful subject line. All required form fields present and are handled by the script.	All required form fields are present and are handled by the script. If the form contains complete and correct data the mail function is invoked. The form contains useful error messages if showed after failing tests. The user does not need to fill in valad data again. The results page is useful and informative. The actual mail is formatted so the recipient immediately sees all relevant information about its origin and purpose, and includes a useful subject line and an appropriate reply-to SMTP-header, that also includes the real name of the sender. Multiple submissions are not possible.
Code quality	No indentation, no inline comments or only insignificant comments. Variable names do not tell their intended usage. Resulting markup does not validate and is not semantic. File names are undescriptive and do not follow any system. No PhpDoc blocks at all.	Code is mostly indented and have some usable comments. Most variable names are descriptive. There are only a few validation errors in the resulting HTML. The HTML has all basic semantics correct. File names are fairly descriptive. PhpDoc blocks are present on most files and on most functions, but do not include more than 2 types of tags. The code does not follow a named coding convention.	All code is properly indented and well commented. Variable names show their intended usage immediately. Resulting markup is valid and semantic. All files have been put in different directories according to their intended usage and all file names are descriptive. PhpDoc comments are present on all files and all functions and include at least @author, @param and @return tags. A coding convention is followed within reasonable limits.
Security	No special measures are made to ensure that the application is secure.	The POST data is checked for valid and useful values, but the tests are incomplete. HTML-output, when showing the form again when it contains errors or on the results page is escaped using htmlspecialchars, htmlentities or checked using a library like HTML purifier, and care is taken to handle characters outside of the US-ASCII range. The subject and the reply-to fields are checked for possible attempts to include SMTP headers and appropriate measures are taken to prevent them. Malicious characters, like null or vtab, are not allowed.	The GET-variable is checked and the test is complete. HTML-output is escaped using htmlspecialchars, htmlentities or checked using a library like HTML purifier, and care is taken to handle characters outside of the US-ASCII range. All fields are checked for possible attempts to include SMTP headers and appropriate measures are taken to prevent them. Recipient email addresses are not showed in the HTML-code (the check boxes) to prevent spammers from picking them up. Malicious characters, like null or vtab, are not allowed.

Final assignment

Develop a simple CMS or a web application of choice that includes the following features.

Storing, retrieving, altering and deleting information in a database (CRUD).
Form handling: Retrieving submitted data, validation, usable patterns for feedback on errors.
User authentication and session management, secure handling of passwords.
Separation of concerns: Information updates should not require coding skills. Design change should not require PHP coding skills.
Some separation of logic, e.g. through templating. (On a beginners course like this it is not required to use full MVC architecture or have a similar separation of logic.)
Demonstration of good programming practices.
PhpDoc generated documentation.
Input filtering and suitable escaping of output, depending on the situation.
File uploads.

The site shall be hosted on the web site provided by the instructor or a web hosting company. Publishing and securing the web site is part of the assignment.

Examples of applications that can be built for this assignment include:

A blogging platform.
A gaming or sports tournament site, where users can see game results, aggregate scores and comment on them.
A site for a company where it displays its products. (On-line shopping probably will be part of Server Side Scripting 2.)
A project management site with to-do lists, a simple calendar and messages.
A very simple community where users can have personal profile pages, a status line and send each other messages.
A site for a club, a church/mosque/synagogue/temple or an association, with information about activities.

You are required to work in project form, plan your work and follow a process, including setting goals, writing down intended features, do sketches about site design (simple wireframes) and site structure, data processing flow and database design. If you deviate from the plan, describe the reasons and evaluate options and consequences.

Optional features for higher grades:

Automatic sending of email, e.g. alerting the owner of new comments or letting users subscribe to discussions.
Creation of a feed, SVG-image or other XML-based data format.
Authentication against operating system supplied user data, e.g. LDAP and Active Directory, or the use of a single sign-on service.
Integration with a web service, e.g. pulling in an RSS-feed.
A script that check the server for required functionality, e.g. PHP-version and modules, PEAR-modules, MySQL-version and a populated MySQL Timezone database.
Installation SQL queries to build tables and populate them with initial data.
Full installation scripts.
Caching mechanisms.
Image manipulation in PHP, e.g. making thumbnails or adding text to images.
Pretty URLs i.e. the URLs should reflect useful information to the user, not to the CMS.

Final Assignment Grading Rubric
Criteria	Performance Quality				Score
Criteria	0 points	1 point	2 points	3 points	Score
End user/site maintainer functionality	The solution is far from complete, features are missing.	All application data is displayed, but data can not be added. The site has at least 3 different types of pages. The navigation between all pages works. A site redesign would require extensive rewrites to the PHP code.	All application data is displayed and most of it can be added or altered by a user through forms. The navigation between all pages works and is robust. The web site contains at least 5 different types of pages as well as an administrative interface that covers a few tasks. Authentication is required for all administrative tasks. A site redesign would not require extensive rewrites to the PHP code.	A complete web site can be run using the solution. Data can be inserted and altered by users having no coding skills. The web site contains at least 5 different types of pages as well as a complete administrative interface/possibilities for users to add content. Navigation is usable and consistent. Authentication is required for all administrative tasks. The site is fully skinnable, i.e. the php scripts do not lock site maintainers into a specific design or a rigid HTML order.
PHP functionality	Only a very small subset of PHP’s features or built in functions are used. PHP reports lots of errors when the script runs.	A basic subset of PHP’s features or built in functions are used. PHP reports only notices, strict or deprecated errors when it runs.	The solution shows a reasonable wide range of language features and built in functions. PHP reports only strict or deprecated errors when it runs, and only a few of those.	The solution takes advantage of a wide range of language features and built in functions. No built in features are duplicated in userland code. The best tool for the job is used throughout, e.g. 5 similar str_replace calls can be replaced by one preg_replace or multiple similar if-elseif’s are replaced by switch-case. PHP reports no errors at all when it runs.
Database functionality	No more than two tables, no indexes, only very basic SQL-queries. Database queries are not evaluated or errors are dumped on pages.	At least 3 tables, normalization is not intentional, some fields used for sorting or selection are indexed. Some database queries are evaluated and possible errors are hidden from users.	At least 4 tables, mostly normalized. Most fields used for sorting or selection are indexed. Appropriate data storage types are used for most fields. There are few redundant calls to the database. All database queries are evaluated, possible errors are hidden from users and unexpected replies result in usable messages to the user.	The database contains at least 4 tables and has a good design, with tables normalized to the 3d degree, except where normalization is bad for web performance, in which case the student explains the reason for not having a normalized database. Fields that are used for selection and/or ordering of results have indexes. Appropriate data storage types are used for every field. Where SQL is the better choice, it is used instead of PHP, e.g. for setting the time to now, subselects, ordering and counting the number of rows. There are no redundant calls to the database. All database queries are evaluated, possible errors are hidden from users and unexpected replies result in usable messages to the user.
Code quality	No indentation, no inline comments or only insignificant comments. Variable names do not tell their intended usage. Resulting markup does not validate and is not semantic. No PhpDoc blocks at all. Placement of braces, parenthesis, etc is erratic.	Code is indented, although somewhat erratically and it has a few usable comments. Some variable names are descriptive. The resulting HTML may have some validation errors. HTML elements are rarely misused in ways that differ from their semantic meaning. PhpDoc blocks are present on some files, functions or variables, but may lack tags. Placement of braces, parenthesis, etc is mostly consistent.	Code is mostly indented and have some usable comments. Most variable names are descriptive. There are only a few validation errors in the resulting HTML. The HTML has all basic semantics correct. PhpDoc blocks are present on most files and on most functions, but do not include more than 2 types of tags. The code does not follow a named coding convention, but placement of braces, parenthesis, etc. is consistent.	All code is properly indented and well commented. Variable names show their intended usage immediately and variable naming follows a clear pattern. Resulting markup is valid and semantic. PhpDoc comments are present on all files and all functions and include at least @author, @param and @return tags. A coding convention is followed within reasonable limits.
Security	Security measures are completely missing or very few.	Most data submitted by users or external sources is filtered or escaped. Malicious characters, like null or vtab, are not allowed. Some restrictions have been made for folder permissions.	All data submitted by users or external sources is filtered before being handled and escaped when being output. Application passwords, e.g. to access the database, are kept safely. User passwords are not stored in cleartext. Sessions are identified only through cookies and the session identifier is regenerated when there is any change in user permissions. Folder permissions are restrictive.	All user submitted or external data is thoroughly filtered before being handled and appropriately escaped when being saved in database, output as (X)HTML or XML, sent as email, etc. Unsafe characters are removed and malformed UTF-8 is rejected. A whitelist approach is used whenever possible. Application passwords, e.g. to access the database, are kept safely. User passwords are not stored in cleartext. Sessions are identified only through cookies and the session identifier is regenerated when there is any change in user permissions. Folder permissions are restrictive and do not permit more access than absolutely necessary.
Application structure	Code is unstructured. Code duplication occurs frequently. All files are kept in the web root and files are not structured in folders according to purpose. File names are undescriptive and do not follow any system. Presentation logic is not separated from business logic in any meaningful way.	Code is mostly structured but code duplication may occur a few times. Some file names are descriptive about their usage/contents. Files meant for inclusion are mostly kept out of the web root. Presentation logic is somewhat kept away from business logic.	Code is cleanly structured. Functions are grouped according to purpose. Code duplication is very rare. File names are fairly descriptive about their usage/contents. All files meant for inclusion are kept outside of the web root. Files are mostly sorted according to usage in appropriately named folders. Presentation logic is mostly kept away from business logic.	Code is cleanly structured. Functions are grouped according to purpose and most can be re-used outside of this project. No code duplication occurs. Only files that are supposed to be callable through HTTP are kept in the web root, all files intended for incusion are kept outside of th web root. All files have been put in different directories according to their intended usage and all file names are descriptive about their usage/contents and consistently named. Presentation logic is kept away from business logic.
Process	There is no structured process and no documentation.	The initial plan is vague and do not list the full feature set of the application. Only one or two pages have wireframes or wireframes are sloppy. Deviations from the plan are not discussed.	The initial plan and sketches give a pretty clear picture about intended design, features and data flow. Deviations from the plan are explained to some degree. The work is documented, but lacks detail.	The student has set clear goals, made detailed sketches about site structure, page design and data flow. Any deviations from the plan are discussed in a way that shows technical knowledge and personal responsibility. Work is documented in detail, as in Today I worked on feature X… I experimented with the following solutions… and chose solution Y because… This is the final result… In doing this I learned that…

Besides the points awared in the rubric above, an instructor may award points for the bonus features listed above. However, bonus points should not be used as a way to cover up mistakes made at the fundamental level. Soundness should be valued more than fanciness.

Examination Questions

PHP history and uses

Who invented PHP?
What major versions of PHP have been released. List some major changes/additions in each version.
What does the acronym LAMP mean?
On what platforms does PHP run?
List at least 5 other server side technologies comparable to PHP.
What is Open Source? What does it mean that PHP is Open Source?

Installation and basic configuration

Where can you find information about PHP and/or help in solving problems?
When installing PHP, describe some differences you should have between a developers’ installation and a production server.
Explain the concepts of development, staging and production servers.

Basic PHP syntax

Describe the various kind of errors in PHP and how they should be handled on a production server.
What is a module in PHP? Name at least 5 modules.
What tags are there to mark up blocks of PHP code? Which one is preferred and why?
Explain what happens when you omit the closing php tag on a page, and why that often is preferable

PHP best practices overview

Describe the key characteristics of a well written PHP-application.
What is a coding convention? List a few features of the PEAR coding standard.
What is revision control? Name at least 3 well known version control systems.
What does the following PhpDoc tags mean: @author, @package, @filesource, @param, @return?
What is a bug tracker? Name at least 3 well known bug trackers.

Programming concepts

What characters are allowed in identifier names? What characters are they allowed to begin with?
Explain how the operators =, == and === work.
What is the value of: “5 needles” + “1 haystack”? Explain how type conversion occurs.
What is the value of: 3 * 2 . ” things” (note the space after 2)? Explain how type conversion occurs.
What is the difference between assignment by value and assignment by reference? When does the latter occur by default? How do one specify it manually?
Explain what an unary, binary and ternary operator is.
PHP 5.3 introduced a short form for the ternary operator, explain how it works.
Write at least 5 complex expressions involving different types of operators and values and explain how they are evaluated according to their precedence and associativity.
What is the differeence between $foo = null and unset($foo)?
Besides false, what values evaluates as false, when used in a boolean way (falsy values)?
Define a constant called FOO that will have the value I’m Foo, not Bar’.
Write a single statement that assigns a value to several variables, and explain how it demonstrates associativity.
What is a parameter to a function?
How do you set default values to function parameters?
List a few common guidelines for good function design.
Explain the difference between passing parameters by value or passing parameters by reference.
What is call time pass by reference? Why should it be avoided?
What is a static variable in a function?
What scope do variables have in functions by default?
How can one access global variables from a function? List 3 ways and compare their benefits and drawbacks.

HTTP

What are the 3 most common HTTP methods?
What is MIME?
Set a MIME header for a JPEG-image, using a PHP command.

Character encoding

What is internationalization and localization?
What is a character encoding?
What is the default character encoding in PHP 5?
Briefly explain the terms glyph, character, encoding and font as they are used in Unicode.
What is a single byte character encoding? Give a few examples.
What is a multi byte character encoding? Give a few examples.
How is character encoding specified in an HTTP header?
Explain the benefits of UTF-8 compared to older encodings.
What is an ASCII compatible encoding? Name two such encodings.
How can one convert a string between UTF-8 and ISO-8859-1? ()There might be several ways.)

Locales, timezones and time functions

What is the purpose of date_default_timezone_set()?
What are the types of locale settings that one must specify using a LC_* constant, when one is using the setlocale() function?
What is the ICU library and the Olsen database?

Strings

$foo= “My name is”; $bar = “Stan”;
1. Write an expression using the above variables that evaluates to “My name is Stan” (including all spaces!)
2. What is the value of $foo[4]?
3. Write an expression using the the above two strings and string functions that evaluates to “Stan is my name”. Note that “my” is lowe case. You may not privide additional strings besides the two variables.
What pracice is encouraged in PHP 5.3+ to access individual characters in a string, brackets or braces?
What function will count the characters of a string?
What function will count the characters of a multi-byte encoded string in PHP 5 and lower?
What is heredoc and nowdoc?
How can you do a case insensitive comparison between two strings?
Write an expression that shows how to remove excess whitespace at the ends of a string.
What is a regular expression? Name a few regular expression related functions in PHP.
Describe a use case for the ctype family of functions.
$foo = array(“my”, “name”, “is”); $bar[] = “Stan”; All
1. What will the ouput be from print_r($foo); print_r($bar);?
2. Write a line of code that changes “Stan” to “Stanley”.
3. Write an expression that evaluates to “My name is Stan”. If possible, avoid supplying an extra string for the space between “is” and “Stan” (Disregard the change you made to “Stan(-ley)” in the last question.)
4. Write a line of code that sorts $foo starting with “is” and ending with “my”.
5. Write code that iterates over $foo using both foreach, for and while () { list() = each(); ... next(); }. For each iteration output the key/value pair.
6. $foo[] = $bar; print_r($foo); will output what? What kind of array is $foo now?

Array usage and array functions

What is an array in PHP? How do they compare to arrays in other languages?
What is an associative array?
Demonstrate at least 2 ways to create an array.
Demonstrate at least 2 ways to append a value to an array.
What are multi-dimensional arrays?
Why is $foo[bar] wrong? What error reporting level should you use to catch this?
How would you write a value from an array with string indexes in a string that has double quotes?
Array_walk takes an array-argument by reference, array_map by value. Write some code to demonstrate the difference.
How do you count the items in an array?
List some common sorting functions for arrays and describe what they do with one sentence for each.
Write a single line of code that swaps two variables using the list() language construct.
Write a few lines of code that will remove magic quotes from all superglobal arrays that might contain user submitted data.

Objects and classes

Identify 3 reasons you might decide to use Object Oriented Programming to develop a web applications rather than a procedural approach.
Explain the following terminology: Class, instance, property, method.
If you write (object) “foo”, what class will the resulting object be an instance of?
The teacher will provide code that defines a class for animals, a sub-class for birds and a sub-class for mammals (see resources).
1. Why is it not possible to instantiate the class Animal?
2. What properties in the classes illustrate encapsulation?
3. The method tweet() in the class Bird is static. What does that mean? How should it be invoked?
4. How would one access the constant HAS_WINGS from the Has_wings Interface?
5. Write a suitable PHPDoc comment block for the class Animal and for its constructor method.
6. An object of the class Bird can be said to be an instance of what? (List all 3 possibilities.)
Write a continuous flow of code that does the following. Any questions about output shall be answered using comments in the code.
1. Instantiate a variable called $gnu for a gnu Mammal, called “Richard Stallman”. What will this output?
2. Instantiate a variable called $tux for a penguin Bird, that cannot fly and is called “Linus Torvalds”. What will this output?
3. Instantiate a variable called $php for an elephant Mammal, called “Rasmus Leerdorf”. What will this output?
4. Set the catch phrase for $tux to “My wife knows karate!”.
5. Use the method sayCatchPhrase() to output $tux’s catch phrase.
6. Make the elephant and the gnu friends of the penguin! What will this output?
7. Write a line of code that outputs the elephant’s catch phrase. Start from $tux’s list of friends, not from $php, and use method chaining.
8. What’s the output when the script stops executing?

Error handling and exceptions

What problems might occur on a production server if you have display_errors turned on?
What are parse errors, run time errors and logic errors?
There are constants that describe error levels in PHP. List at least 4 in increasing order of severity.

Server side architecture

Once you have located a class that will perform a desired task in your web application, how would you go about discovering how to use it? What information is essential to know before you can use it?
Describe a good architecture for PHP applications.
What is the include path?
What are relateive and absolute include paths?
In what way can one use mod rewrite to get good URL’s?
List and briefly explain at lest 3 aspects of good URL’s.

Handling posted data

How are the get and post methods different in the way they transmit information to/from the server? Provide examples when it is appropriate to use each.
What is magic quotes in PHP? Explain at least one argument against relying on magic quotes for security.
Why is the use of register globals a bad idea? Describe at least one way of mimicking the use of register globals that is equally bad.

Sending email

What is SMTP-injection?

Sessions and authentication

What is a session in PHP?
Why should one not use URL-rewriting to propagate session ID’s?
What PHP function should always be run when a user changes his or her authorization level?

Cookies

What is a cookie in HTTP?
If not manually specified, when does a cookie expire?
What is a server side only cookie? In what way are they more secure than regular cookies?
How might cookies be an infringement of personal integrity? What laws regulate the usage of cookies in your country?
List at least 3 ways how cookies can be used to improve the usability of a web site.
What is the difference between opening a file socket in text mode and binary mode?

File handling

In what way can functions like fopen() and file_get_contents() be security risks?
What special function should be used to move a file uploaded by the user?

Relational Database concepts and MySQL fundamentals

Explain the process of designing a database structure for a web application.
List at least 5 common DBMS’s and describe their main features and/or normal usage in a sentence or two for each.
What is the value NULL in database? What does it mean that a field is defined as NOT NULL?
List the datatypes that vis available in MySQL and briefly explain each one.
What is an index? How do they help selecting and sorting of data?
What is a primary key?
What is the purpose of auto incrementing fields?

SQL

What is SQL?
Explain the acronym CRUD and show relates to four SQL keywords.
Write a query to retrieve an entry with the id of 5 in a database table called articles.
Write a query that fetches the 5 newest entries from the table articles, sorted with the newest one first, assuming that there is a field called create_time that holds time and a field called create_date that holds the date an article was added.
Add a clause to the query above that uses the field author to
- Write a query that retrieves data from two tables (instructor should provide table structures).
- Write a query that alters the value of a field on a specific row (instructor should provide table structure).
- Write a query that deletes a specific row (instructor should provide table structure).
- Write a single query that creates two new rows in a table, where the primary key is auto incremented (instructor should provide table structure).

PDO

List the key steps required to grab content from a database and display it on a page.
In what version of PHP was PDO introduced? List at least 5 DBMS’s that are supported by PDO.
What kind of data access abstraction will PDO provide? What database abstraction will it not provide?
What are the benefits of prepared statements?

The mysql and mysqli functions

What capabilities are not provided by the mysql functions, but by mysqli and PDO?
What function shall be used to escape all user submitted data for safe usage in an SQL query, using the mysql fiunctions?
In 2-4 sentences each, describe the following: PEAR, PECL and SPL.

SPL, PEAR and Frameworks

List some common PHP applications or CMS’s built with PHP.
What is a framework? Why or when would you use one?
List some major websites that allow for users to have PHP-modules to extend its functionality.

Web Services, API’s, RSS, JSON and Ajax

Draw a diagram/flow chart that explains the difference between Ajax and normal page reloads, from a client/server interaction perspective.
In what character encoding is XHR-submitted data (regardless of the web page’s encoding)?
What is a web service? (Briefly describe the concept.)
What is JSON? (Briefly describe the concept.)
What is RSS? (Briefly describe the concept.)
List a few web sites that offer a public API.

Shared hosting

A web hosting company seems to offer a valuable shared hosting plan. However, they are not very specific about the technical details. Write an email of inquiry addressed to their technical marketing staff asking everything you, as a potential customer would need to know, besides amount of data storage and the price.

Resources

Downloads (will come up soon)

Script that checks if an installation is suitable to be used by students.
A coding standard for PHP Code Sniffer suitable for teaching.
Class definitions for the exam questions about Object Oriented PHP.

Good PHP web sites

Learning Modules

Help us develop our living curriculum. Contribute a learning module.

Contributors

Primary course developer: Lars Gunther.

Contributors: Jinny Potter, Tony Lan.

WaSP InterACT