The code quoted on page 610 is missing the keyword "this" from several of it's select case statements. The code should read:

case "_age":
??????isValid = this.isValidAge(elementValue);
????????break;

case "_password":
??????isValid = this.isValidPassword(elementValue);
??????break;

case "_telephone":
??????isValid = this.isValidTelephoneNum(elementValue);
??????break;

register_globals and PHP security.

There's a very important thing that we must comment about the code in this book and future PHP code regarding a configuration variable called register_globals

register_globals is a PHP configuration variable that can be turned 'on' or 'off' from your PHP configuration file. When register_globals is turned 'on' ??? form, server, and environment variables are converted to global variables by the PHP engine. In fact, you should be very familiar with this "feature", if you have an HTML form with an input element such as:

<input type="text" name="username" />

When you submit the form, you can use, validate, or do whatever you want with a variable $username that will have the data the user entered in the form's text field. This is because the form GET/POST variable was converted to a PHP variable in the global namespace: a global variable.

You may think that this is a nice feature and that you don't want to turn it 'off', but there're potential security problems when register_globals is turned 'on'. We can summarize the problem as: "users can alias PHP script variables changing the normal execution of the script".

Let's suppose we validate the "username" in our PHP script in this way:

if($username="master") {

?? $admin=true;

}

if($admin) {

??// Code for administrator features here

}

While the code may look in offensive, it's wrong, the user can pass not only "username" but "admin" in the form and then gain administrator privileges without knowing the username or password or whatever he would have need to know. Of course, you could have written the above code different and have no problem at all but the potential problem exists and it may be dangerous. 90% of the security problems found in PHP applications are a derivative from aliasing script variables when register_globals is turned 'on'.

If you do like register globals turned 'on', or you do need this setting 'on' because you have a lot of code written relying on this setting, you have to check your code and program carefully to avoid security problems. You can use the following checklist:

Programming safe with register_globals 'on':

• Initialize all of your script variables at the beginning of the script. (this will overwrite a user variable that was intended to alias one of your variables)
• Never rely on user input, validate all the data entered from the user
• Check user data for length before using it (avoiding potential buffer overflow exploits)
• Never store important information on cookies (the user can change it, for example userIds), use sessions that are stored on the server instead.
• Be extremely careful with user uploads, use the is_uploaded_file() function to check if the file was uploaded to the server or not.
• Always update your PHP version to the latest stable version to gain the security of the latest patches.
• If register_globals is 'off' you need a way to access user entered data, from PHP 4.x you have new special arrays: 

In other words, all the information that is coming from the user, and that from a security point of view, cannot be trusted. $_SESSION, contains HTTP variables registered by the session module. So if we have a form with a $username variable and we submit the form using post you can use: 

The use of $_POST is not an advantage but a way to program when register_globals is turned 'off', in some installations you will find this setting 'on' and on some others it will be 'off' so your code will be more portable if you program assuming that register_globals is 'off'. 

Use the phpinfo() function and check the PHP core section; you can find the status of the register_globals there.

The code in this book was written assuming that register_globals is 'on', you may find some pieces of code that will work with register_globals 'off' but some may not. If you want to port the code to work with register_globals'off', you can attack scripts that process forms and change the use of ?? $foo variables to $_GET["foo"] or $_POST["foo"] accordingly.

A normal way to do it is to use :

at the beginning of the script converting all the user entered variables to global variables in your script, with this modification you won't need to change the rest of the script.

http://www.zend.com/zend/art/art-sweat4.php

The slashes are incorrect in the URI at the top of the page. It says http:\\www.wrox.com, but should be http://www.wrox.com

It appears that some users of Win98 and Win Me are experiencing great difficulty getting PHP4 to run using PWS. An "Error 500" messge seems to be a common factor with these problems.

A common solution appears to be to try a different web server, such as Apache or BadBlue. For more on installing Apache/PHP4, see:

http://www.net-language.com/workshops/Default.asp?Workshop=21

For more on BadBlue:

http://www.badblue.com

(Many thanks to Ray Carroll and Jordan Savage for this useful advice)

At the time of going to press, http://www.php4win.de/ was the place to go to get a Windows download. However, now you can go to http://www.php.net/ and obtain a distribution for all platforms. To install just click on the php-version-msi.exe file and it will automatically do a custom install for you. 1) Note that the download from http://php4win.de doesnt contain "php.ini" with Win 98, but does contain "php.ini-dist" and "php.ini-optimized". Rename one of these as "php.ini" and then edit it according to the book. Updated 11/3/03: 2) Note that the regedit file must have a carriage return after the final line of code to work. You can also check that the registry has been altered if you wish:
-go to the "start" menu and click "run" -type "regedit" in the box and press enter -in the resulting window, navigate through the tree structure to HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Services\W3SVC\Parameters\Script Map The Script Map folder should contain an item called ".php" with data value "C:\php\sapi\php4isapi.dll" (or whatever the path is to this .dll on your system). If it just contains an item "Default", whose value is not set, do the following: -in the right hand window, right click your mouse and choose New | String Value -give it the name ".php" and press enter -double click on this key and enter the path to php4isapi.dll in the Value Data field and press OK -restart your machine and all should be well.

On page 17 you have to edit the php.ini file. The path you have to set with the parameter "extension_dir" causes problems if a directory name is longer than 8 characters. However, you can use the ~ notation or to quote the path if you use directory names longer than 8 characters. For example: extension_dir=C:\Progra~1\Php4 extension_dir="C:\Program files\Php4\extensions". (Many thanks to Stephen Tittel for this info)

In order to pass variables between PHP scripts (as shown in the text.html/php Try-It-Out on p77) you must make sure that

register_globals = On

in your php.ini file. Remember that if you adjust anything in the php.ini file, in order to apply changes, you must reboot.

To bring up the PWM window in Win 98 you can navigate through the "Start" menu to:

Start|Programs|Accessories|Internet Tools|Personal Web Server|Personal Web Manager

Comment from Allan J Horwitz (DEVONS02@aol.com)

I know many of us have had
problems getting it to work so here's something that I tried and it now works
like a champ. In your book Beginning PHP4, there is a great example of how
to install php4 on IIS. One detail, however, is left out (I believe). They
forget to mention that when making up a name for your ISAPI filter, that you
should NOT use the same name as the directory that you store PHP in. What I did (just playing around on a lark) was to name my ISAPI filter PHP4 since I don't have a PHP4 directory anywhere on my system. When I did that,
everything worked without a hitch. So my pearl of wisdom is that you should
give your ISAPI filter a name like PHP405 (or whatever, as long as it is not one of your directories) and everything should work fine. This should save a lot of people the headache of getting Error 403 (or is it 404?) saying it can't find the program.

The code snippet:

$Bread = 1.5
$Milk = 0.8
$DiscountCoupon = 0.5
$ShoppingTotal = $Bread + $Milk - $DiscountCoupon;

is missing terminating semicolons for the first 3 lines:

$Bread = 1.5; //added semicolon
$Milk = 0.8; //added semicolon
$DiscountCoupon = 0.5; //added semicolon
$ShoppingTotal = $Bread + $Milk - $DiscountCoupon;

(Thanks to Ming-Cheng Hsu)

In "Constants" section, the code line:

$IndependenceDay = "4th July";

should have a normal (not a superscripted) "th"

Code error
There is a missing <br> tag in the code snippet following the first paragraph in the "Constants" section. The code snippet should read as follows:

define("INDEPENDENCEDAY", "4th July");

should have a normal (not a superscripted) "th"

There are missing terminating semicolons for the following code snippet:

The first sentence in the second paragraph of this page reads as follows:
???Which method you use depends on what you want to the form to do.???

It should be read as :

???Which method you use depends on what you want the form to do.???

The first line on page 105 has an extra "and" which is not required. The sentence that reads "Our final line will return a 0 if we put in a value between 0 and 19 for the user's age, and 1 if we supply a value between 20 and 29, a 2 if we supply a value between and 30 and 39, and so on...." should read as below:

The Section on Combining Operators has the wrong usage of the "OR" operator. The operator "AND" should be used instead. Also, an opening paranthesis is missing in the condition part of the "if" statement. The following is the correct usage:

"Open up board.html in your browser and fill in some information:"

should be:

"Open up quote.html in your browser and fill in some information" (Thanks to Rebecca Wells)

The code snippet in the Form Validation section uses a "break" statement. "break" only works in conjunction with "switch" statement, and not with "if" statement.

There are some missing semicolons in the script for the Try-It-Out "Combining arrays in a practical example" in Chapter 5.

In the while loop in exam.php, the following lines should be terminated with semicolons as shown:

echo "<BR><BR>"; // added semicolon
...
<OPTION>Grade A</OPTION>
...
<OPTION>Grade E</OPTION>
</SELECT>"; // added semicolon

(Thanks to John Thorpe and David Leong for these errata)

In the box explaining listing "Symbols" and "Matches," the regexp [^@\.] should be [^@ \.], i.e., there must be a space in there as in the code. (thanks to Rick Gawlik)

echo "TOTAL BILL = $" . $total . "<BR>";

should be

echo "TOTAL BILL = $$total<BR>";
to be consistent with the explanation in the How It Works section (although both lines of code give the correct output).

(Thanks to Joe LoMoglio)

The following line causes "hangman.php" to randomly choose a new word everytime the program loops, because of white spaces which cause the query string to be misread.

$links .= "<A HREF=\"$PHP_SELFletters=$letters$var
&word_number=$word_number\">

Putting the string together corrects the problem.

(This has been corrected in the latest code download. Thanks to Paul Agin)

The lines of code at the top of the page should be interchanged, to

$filepath = "$dir/$filename";
if(!$is_new) $filebody = $implode("",file($filepath));

(This has been corrected in the latest code download. Thanks to Peter Bakos)

>in save_file() function

in the code:

echo "&ltSCRIPT&gtself.location.href='$PHP_SELF?dir=$dir&
filename=$filename';</SCRIPT>";

this should be: (note no line break)

echo "&ltSCRIPT&gtself.location.href='$PHP_SELF?dir=$dir&filename=$filename';</SCRIPT>";
(This has been corrected in the code download)

>in editor_page() function

in the book code:

editor_form("$dir/$filename", $is_new);

this should be:

editor_form($dir,$filename,$is_new);
(This has been corrected in the latest code download)

The line:

if(isset(!$WINDIR) && !@unlink($userfile))
die ("Can't delete the file $userfile_name.");

should read:

if(!isset($WINDIR) && !@unlink($userfile))
die ("Can't delete the file $userfile_name.");

(note the "!" has been shifted to the beginning of the isset() function).
(This has been corrected in the latest code download)

In all of these scripts problems have been caused because the regexp comparison for filepaths:

ereg($default_dir, $dir)

will not work properly for Windows machines due to the trailing slashes in Windows filepaths, which PHP interprets as escape characters.

To get around this, wherever the code in these scripts are supposed to have the line:

if (empty($dir) || !ereg($default_dir, $dir)) {
...

this has been replaced by:

$def_length=strlen($default_dir);
if(!empty($dir)) $dir_test=substr($dir, 0, $def_length);

if(empty($dir) ||
($dir_test!=$default_dir)) {
...

instead. Note also, to stop PHP automatically escaping single quotes in strings with a trailing slash, you should switch off the magic_quotes_gpc environmental variable in your php.ini file.

common_db.inc is missing a closing PHP tag ie ?> at the end of the script.

There should be a semi-colon at the end of the MySQL command

Chnage:
mysql> DROP DATABASE sample_db

To:
mysql> DROP DATABASE sample_db; (thanks to Nick Bramwell.)

In the instructions to create the "access_log" table in MySQL, the
comma at the end of the line:

PRIMARY KEY (userid, page),

should be omitted.

(Thanks to John Thorpe)

Some problems have been encountered by users when attempting to run PHP scripts incorporating javascript calls (which take the format javascript:function(), for example javascript:open_window()). It is important to note that the call itself must contain no line breaks, or the call will not work. Note that the code download has been corrected for this problem.

These errors are in the else statement starting on line 76:

else {
...
$query = "SELECT userid FROM $access_log_tablename
//1st error...
WHERE page = '$userid'
AND userid = '$userpassword'";
//end of first error
$result = mysql_query($query);
if(!mysql_num_rows($result))
$query = "INSERT INTO $access_log_tablename VALUES
//2nd error...
('$PHP_SELF', '$userid', 1, NULL)";
//end of 2nd error
else $query = "UPDATE $access_log_tablename
...

The 1st error lines should be replaced with:

WHERE page = '$PHP_SELF' AND userid = '$userid'";

while the 2nd error line should be:

('$PHP_SELF', '$PHP_AUTH_USER', 1, NULL)";

(Thanks to Robin Mukherjee)

In the userman.php on page 484 (line 170 of downloaded code), comma is needed after ('$userpassword').

Change:

if(!empty($userpassword)) {

$field_str .= " userpassword = password('$userpassword') ";

}
to
if(!empty($userpassword)) {

$field_str .= " userpassword = password('$userpassword'), ";
}

In How It Works section related to mall2.php, we have line

$image = ImageCreateFromPNG("groundfloor.jpg");

This should reference the file "groundfloor.png" instead.

Line of code in chapter 17 just before "Palette Limitations" heading:

$icon = ImageCreateFromPNG("pin.png");

Here "$icon" should be replaced with "$image".

top of page 664 (in edit_new() function of php_directory.php):

if(send_mail){

send_mail is a variable and therefore should have a $ in front. ie it should be:

if($send_mail){