1. dirname
(PHP 3, PHP 4, PHP 5)
dirname -- returns the directory name component of a path
Description: string dirname ( string path )
Given a string containing a full path to a file, dirname() returns the directory name with the file name removed.
In Windows, both the slash ( / ) and the backslash ( \ ) can be used as directory separators. In other environments, it is a slash ( / ).
Example 1. dirname() example
<?php
$path = "/etc/passwd";
$file = dirname($path); // $file is set to "/etc"
?>
Note: as of PHP 4.0.3, dirname() was fixed to be POSIX compliant. Essentially this means that if there is no slash in path, a dot ('.') is returned, indicating the current directory. Otherwise the returned string is path with its trailing /component (the last slash and everything after it) removed. Note that this means you will often get a slash or a dot back from dirname() in situations where the older version would have returned an empty string.
The behaviour of dirname() changed in PHP 4.3.0; see the following example:
<?php
// before PHP 4.3.0
dirname('c:/'); // returns '.'
// PHP 4.3.0 and later
dirname('c:/'); // returns 'c:'
?>
dirname() is binary safe as of PHP 5.0.0.
2. explode: the explode() function splits a string into an array.
In this example, we split a string into an array:
<?php
$str = "Hello world. It's a beautiful day.";
print_r(explode(" ", $str));
?>
Output:
Array
(
    [0] => Hello
    [1] => world.
    [2] => It's
    [3] => a
    [4] => beautiful
    [5] => day.
)
3. $_SERVER['SCRIPT_NAME']
For a request to /test.php/123456,
$_SERVER['SCRIPT_NAME'] yields /test.php
4. __FILE__: one of PHP's magic constants; it gives the full path and file name of the currently executing PHP script, as an absolute path.
For example, the file b.php contains the following:
<?php
$basedir = dirname(__FILE__);
echo $basedir; // will print out an absolute path to this file on the page
?>
I did the test and got the result: E:\website\othertest\cms
If b.php is pulled in by require or include from a.php in another directory, $basedir still holds the path of the folder where b.php resides, not the directory where a.php resides.
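The a.php / b.php experiment described above, reproduced as a single self-contained script (an added example, not code from the original page): it writes the two files into a temporary directory, includes b.php from an a.php that lives elsewhere, and compares what b.php reports via dirname(__FILE__) with the working directory and with a.php's own directory. The app/ and lib/ layout is an assumption of this demo.

```php
<?php
// Added example, not from the original page. The directory layout (app/ and
// lib/ under a temporary root) is constructed here for the demonstration.

$root = sys_get_temp_dir() . '/dirname_demo_' . getmypid();
mkdir($root . '/app', 0700, true);
mkdir($root . '/lib', 0700, true);

// lib/b.php: returns the directory it resides in, exactly as in section 4.
file_put_contents($root . '/lib/b.php', '<?php
$basedir = dirname(__FILE__);   // directory of b.php itself
return $basedir;
');

// app/a.php: includes b.php from another directory, anchored on its own
// location rather than on the current working directory.
file_put_contents($root . '/app/a.php', '<?php
return include dirname(__FILE__) . "/../lib/b.php";
');

chdir($root . '/app');              // working directory is app/, not lib/
$seen_by_b = include $root . '/app/a.php';

printf("a.php directory:          %s\n", realpath($root . '/app'));
printf("cwd during the include:   %s\n", getcwd());
printf("dirname(__FILE__) in b:   %s\n", $seen_by_b); // the lib/ directory

// A relative include path is resolved against cwd (and include_path), so from
// app/ it would silently point somewhere else; dirname(__FILE__) does not.
printf("relative 'lib/b.php' exists from cwd? %s\n",
       file_exists('lib/b.php') ? 'yes' : 'no');

// Clean up the temporary files.
unlink($root . '/lib/b.php');
unlink($root . '/app/a.php');
rmdir($root . '/lib');
rmdir($root . '/app');
rmdir($root);
?>
```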
5. register_globals
When register_globals is on, all sorts of variables are injected into your script, such as request variables from HTML forms. Combined with the fact that PHP does not require variables to be initialized before use, this makes writing insecure code much easier. It was a difficult decision, but the PHP community decided to turn this option off by default. When it is on, people use variables without really knowing where they came from and can only assume. Variables internal to the script get mixed up with the data sent by the client, which is a bad situation, and turning register_globals off changes that. Here is an example of misuse with register_globals on:
Example #1 Misuse with register_globals = on
<?php
// when the user is authenticated, set $authorized = true
if (authenticated_user()) {
$authorized = true;
}
// because $authorized was not initialized to false beforehand,
// with register_globals on it may be defined via GET auth.php?authorized=1
// so anyone can bypass the authentication check
if ($authorized) {
include "/highly/sensitive/data.php";
}
?>
When register_globals = on, the code above is dangerous. With it off, $authorized cannot be changed by means such as a URL request, which is better, although initializing variables is a good programming habit anyway. For example, if $authorized = false is added before the code above runs, the user's state is initialized to unauthenticated whether register_globals is on or off.
Another example concerns sessions. When register_globals = on, $username can also be used in the following code, but be aware that $username may also come in from other sources, such as through a GET parameter in the URL.
Example #2 Using sessions in a way compatible with register_globals on and off
<?php
// we don't know where $username comes from, but we know $_SESSION
// comes from session data
if (isset($_SESSION['username'])) {
echo "Hello <b>{$_SESSION['username']}</b>";
} else {
echo "Hello <b>Guest</b><br />";
echo "Would you like to login?";
}
?>
It is even possible to take precautions that give a warning when variable input is being forged. If you know exactly where a variable came from, you can check whether the submitted data arrived through an improper channel. This does not guarantee that the variable is not forged, but it requires an attacker to guess how to forge it. If you don't care about the source of the request data, you can use the $_REQUEST array, which contains all the GET, POST and COOKIE data. For details, see the section on variables from outside PHP in the manual.
Example #3 Detecting harmful variables
<?php
if (isset($_COOKIE['MAGIC_COOKIE'])) {
// MAGIC_COOKIE comes from a cookie
// this ensures the data really came from the cookie
} elseif (isset($_GET['MAGIC_COOKIE']) || isset($_POST['MAGIC_COOKIE'])) {
mail("[email protected]", "Possible breakin attempt", $_SERVER['REMOTE_ADDR']);
echo "Security violation, admin has been alerted.";
exit;
} else {
// MAGIC_COOKIE was not set in this request
}
?>
Of course, simply turning off register_globals doesn't mean that all code is safe. Every piece of submitted data has to be examined in detail. Always validate user data and initialize variables! Set error_reporting() to the E_NOTICE level to check for uninitialized variables.
For more information on emulating register_globals on or off, see this FAQ.
Several PHP functions
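A hardened version of the authorization check from Example #1, as an added example (not from the original page or the PHP manual), that applies the three rules stated above: initialize every variable, derive the decision only from session data, and treat the internal name arriving as GET/POST/COOKIE data as a forgery attempt in the spirit of Example #3. The function name decide_access() and the sample request arrays are constructed for this demonstration.

```php
<?php
// Added example, not the page's own code. decide_access() and the sample
// arrays below are constructed for the demonstration.

error_reporting(E_ALL); // includes E_NOTICE, so reads of uninitialized variables are reported

function decide_access(array $session, array $get, array $post, array $cookie) {
    // 1. Initialize. Whatever register_globals may have injected under the
    //    name $authorized is overwritten here before it can ever be read.
    $authorized = false;

    // 2. Authorization is derived only from session data, never from a
    //    bare variable whose origin is unknown.
    if (isset($session['username']) && $session['username'] !== '') {
        $authorized = true;
    }

    // 3. The internal name should never arrive as request data; if it does,
    //    someone is trying to set it from outside (compare Example #3).
    $forged = isset($get['authorized']) || isset($post['authorized'])
           || isset($cookie['authorized']);

    return array('authorized' => $authorized, 'forged_attempt' => $forged);
}

// Constructed request 1: no session, but "?authorized=1" on the URL.
$r1 = decide_access(array(), array('authorized' => '1'), array(), array());
// Constructed request 2: a logged-in session and a clean request.
$r2 = decide_access(array('username' => 'alice'), array(), array(), array());

foreach (array('forged URL' => $r1, 'valid session' => $r2) as $label => $r) {
    printf("%-14s authorized=%s forged_attempt=%s\n", $label,
        $r['authorized'] ? 'yes' : 'no', $r['forged_attempt'] ? 'yes' : 'no');
    if ($r['forged_attempt']) {
        // Record the attempt (Example #3 mails the admin; a log line is used here).
        error_log('Possible breakin attempt: "authorized" supplied as request data');
    }
}
?>
```

The first request is refused and flagged even though it carries authorized=1, because the initialized $authorized only becomes true through the session check; the second is granted without a flag.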