• Using variables
• Working with strings (text), numbers, and arrays
• Making decisions with conditions and comparisons
• Using built-in functions and creating your own custom functions
• Including external files
• Deciphering PHP’s often cryptic error messages

Finally, all that knowledge is put to practical use by building a script to gather user input from an online form and send it by email. The content of the course covers similar ground to the first five chapters of my book PHP Solutions, 2nd Edition, and is aimed at people who prefer learning by watching and doing rather than from the pages of a book.

The course costs $39.99 on its own, but is free to video2brain subscribers. Subscription plans start at $14.99 a month ($149 a year), but until the end of March 2012, you can get a discount by following this link. If you’d like to try before you buy, there are four free videos from the course:

• Setting Up a PHP Site in Dreamweaver
• PHP, the big picture
• Using Loops for Repetitive Actions
• How PHP Sends Email

Although one of the videos shows how to set up a PHP site in Dreamweaver, you do not need Dreamweaver to follow the course. It’s completely software-neutral and contains advice on choosing a suitable script editor, with suggestions for both free and paid-for programs.

Never heard of video2brain? It’s an Austrian company that has been providing video training in German, French, and Spanish for the past decade. It started creating courses in English in 2009, and now has more than 500 hours of English-language instruction on Photoshop, InDesign, Dreamweaver, and many other aspects of digital media. The videos have been created by some of the top names in their fields, including Rufus Deuchler, Tom Green, Angie Taylor, Todd Kopriva—not to mention me. The company has also created a large number of videos for Peachpit, one of the best known names in computer technology publishing. So, it’s no fly-by-night company.

As a video2brain author, I’m able to offer a substantial discount on the already competitive prices for the new subscription service. There are three levels of subscription:

• Standard—$129 a year or $12.99 a month (normally $149/$14.99). This gives you unlimited access to all English courses streamed online.
• Gold—$179 a year or $17.99 a month (normally $199/$19.99). In addition to the courses, you also get access to all project files and PDF books.
• Platinum—$279 a year (normally $299). In addition to the the project files and PDF books, you can download the courses to view them offline.

Students and teachers can purchase the academic version of the standard subscription for $99 a year.

If you subscribe during the introductory period, video2brain says it will lock the subscription price for three years. And as the collection of courses grows, you’ll get immediate access to all new titles. It’s planned to add at least four new courses each month. So, if you’re looking to brush up your digital skills and keep abreast of the latest developments, you can do so for as little as 35 cents a day. Many of the courses have sample videos that you can view free of charge, so you can judge the quality for yourself before committing your hard-earned cash.

$stmt = $db->stmt_init();
$sql = 'SELECT username FROM users WHERE username = ?';
$stmt->prepare($sql);
$stmt->bind_param('s', $_POST['username']);
$stmt->execute();
$numrows = $stmt->num_rows;

The code worked without error, so it wasn’t immediately obvious why $numrows was always 0. So, I checked the PHP documentation for mysqli_stmt::num_rows. The description is rather ambiguous in that it refers only to the need to store the result when using the procedural style, but the object-oriented example makes it clear that you need to call the store_result() method before accessing the num_rows property. When I changed my code like this, I got the expected result:

$stmt = $db->stmt_init();
$sql = 'SELECT username FROM users WHERE username = ?';
$stmt->prepare($sql);
$stmt->bind_param('s', $_POST['username']);
$stmt->execute();
// store result of prepared statement
$stmt->store_result();
$numrows = $stmt->num_rows;

At first, it seemed counterintuitive to store a result that I was going to throw away, but that’s how num_rows works with a MySQLi prepared statement. Thinking about it a bit more, it makes sense because if you use the MySQLi query() method instead of a prepared statement, you store the result in a MySQLi_Result object and get the number of rows from the result like this:

$sql = 'SELECT user_id, name, username FROM users';
$result = $db->query($sql);
$numrows = $result->num_rows;

Chapter 3 of my PHP Solutions, 2nd Edition makes for pretty heavy reading. So much so that I recommend stopping halfway through on the first pass. That’s why I skirted around the difference between parameters and arguments on page 43. But I’ve piqued the interest of Tom Flis, one of the participants in Boston PHP‘s self-study group PHP Percolate. He’s asked what’s the technical difference between the two words, so here goes. It’s actually quite simple.

When you define a function, the variables that represent the values that will be passed to it for processing are called parameters. For example, the following function definition has one parameter called $number:

function doubleIt($number) {
return $number *= 2;
}

However, when you use a function, the value you pass to it is called an argument. So, in the following case, $price is passed as the argument to doubleIt():

$price = 50;
$inflated_price = doubleIt($price);  // 100

It’s a pretty subtle difference. A parameter contains no value; it’s simply a placeholder for the value that will be passed to the function. An argument contains a value (even if it’s null or an empty string) that the function processes to produce a result. Because the meanings are so similar, many developers use the words interchangeably or always refer to arguments.

So, now you know.

Although PHP isn’t an object-oriented language, it has extensive support for objects. Also, since PHP 5, many core aspects of the language use objects rather than ordinary (procedural) functions. An object is a special data type that is capable of storing and manipulating values. You create an object from a class, which is a collection of functions and variables that define the object’s characteristics. Some classes, such as DateTime and Mysqli, are predefined by PHP, but you can also define your own.

The advantage of using classes and objects is that, once the class has been defined, they reduce the amount of code you need to write. An object inherits all the functions and variables defined by the class. That’s not all. Each object is independent, so you can create several objects from the same class to store different values, but they all share the same functions. Up to now, I’ve referred to functions and variables, but when talking about objects and classes, a function is called a method, and a variable is called a property. Whenever you want to use an object’s method or property, you need to use the -> operator.

You create an object by calling the class’s constructor method (which has the same name as the class) with the new keyword. Most constructor methods also accept arguments that set the initial properties of the object. In the case of the built-in DateTime class, you can use a string to specify the date. Without any arguments, it creates an object for the current date and time. For example, the following code creates two objects, one for today, and the other for Christmas Day 2011:

$today = new DateTime();
$xmas2011 = new DateTime('12/25/2011');

The $today object now contains the current date and time, but $xmas2011 contains the date for December 25, 2011 (because the time wasn’t specified when creating the object, it’s set to midnight at the start of the day).

To display the day of the week, you need to use the DateTime class’s format() method, and pass it a format string (they’re listed in Table 14-4 on page 402 of PHP Solutions, 2nd Edition) for the weekday name like this:

echo $today->format('l');

This displays whatever day it is today. However, the date stored in $xmas2011 is independent of $today. The following code displays “Sunday”:

echo $xmas2011->format('l');  // Sunday

Using the -> operator is very similar to passing a variable as an argument to a function. Instead of putting the variable between the function’s parentheses, you attach the function (method) to the variable with the -> operator. What it actually means is “use the format() method with the value stored in this object ($xmas2011)”. In addition to format(), the DateTime class has other methods, such as setDate() and add(), that can be used to modify the date.

Many objects also have properties that you can access. An object’s properties are similar to values stored in an array. The big difference is that the class definition can control how a property is accessed and modified by specifying whether it’s public, protected, or private. Only public properties are visible and can be modified outside the class definition; protected and private ones are hidden from view. You access a public property using the -> operator like this:

$someObject->propertyName

This is the equivalent of accessing an array element like this:

$arrayName['elementName']

If you’re familiar with JavaScript, it should be obvious by now that the -> operator plays the same role in PHP as the dot operator in JavaScript. For example, in JavaScript, this produces the date for Christmas Day 2011:

var xmas2011 = new Date(2011, 11, 25); // months are zero-based
alert('Christmas 2011 is on ' + xmas2011.toString());

JavaScript also uses the dot operator for properties:

objectName.propertyName

Hopefully, that clarifies the role of the -> operator. If you still have questions, post them in the Comments section below.

There’s no charge to participate. The only cost is buying a copy of my book. Although I have Amazon affiliate links on my website, I encourage you to buy it through the Boston PHP Store. That way, the organizers get a small commission that helps support the activities of Boston PHP.

The way it works is that you commit to reading one chapter of the book (there are 17) and completing the exercises each week. There’s no classroom instruction, but you can get online support through a dedicated forum for each chapter. Also, if you live in the Boston area (the one in Massachusetts, not the one in Lincolnshire or more than a dozen other places), you can get hands-on help at the PHP Percolate Coffee Club, which is usually held every Saturday morning at a Starbucks. Boston PHP also runs occasional all-day events known as Developer Dorm Room in Cambridge, Massachusetts, where you can get help with PHP problems or just bounce ideas about projects off each other.

Although PHP Percolate is based on my book, this isn’t a wacky marketing idea that has been dreamed up by me or my publisher. It’s an idea that Boston PHP came up with independently. In fact, I didn’t learn about it until quite recently. According to the President of Boston PHP, Michael Bourque, Boston PHP is the largest and most active PHP tech community in the world, with more than 1,900 members. It has a focus on education and adoption of open source technology like PHP. Last year, they were looking for the best possible book to learn PHP, and mine was the one they chose. Naturally, I’m delighted, and I have agreed to help in whatever way I can.

Unfortunately, there’s a small matter of the Atlantic Ocean lying between me and Boston, so I won’t be able to attend the PHP Percolate Coffee Club or Developer Dorm Room in person. But that’s one of the joys of the internet. You don’t need to be there in person to share ideas and cooperate with others. From what I understand, PHP Percolate has also attracted people from other countries to join in. A book and an internet connection is all you need.

Committing to working through 17 chapters in as many weeks is a lot to ask. Work, family, and other obligations get in the way. So, not everybody manages to last the whole course. But since there’s no cost (apart from the book), there’s little to lose. In fact, I see that some of the people who dropped out part of the way through season 2 have signed up again for season 3. As one of them said, “It’s fun!”

So, if you’re looking for a little bit of moral support in your efforts to learn PHP, check out PHP Percolate Season 3 with Boston PHP.

I recently discovered that friends of ED has closed its website and merged it with that of its parent company, Apress. Unfortunately, none of my books’ errata are yet listed on the new site. So, I’ve scrabbled around to put them back together and host them here. You can find the corrections for the following Apress/friends of ED titles on this site:

• PHP Object-Oriented Solutions
• PHP Solutions (First edition)
• PHP Solutions (Second edition)
• The Essential Guide to Dreamweaver CS3
• Foundation PHP 5 for Flash

I find it hard to believe that there weren’t any mistakes in The Essential Guide to Dreamweaver CS4, but I can’t trace any record of corrections. I haven’t gone back to some of my older books. Good though they were, they’re based on versions of software that are no longer supported. What’s more, most of them were reprinted with corrections.

I also plan to keep up to date the corrections pages on this site for the books I have published with Adobe Press.

If you come across any errors or code that doesn’t work, please report them directly to the publisher. That way corrections can be incorporated into reprinted versions of the book. But if you don’t get an acknowledgement from the publisher within a day or so, please leave a comment here, and I’ll try to deal with the issue as quickly as possible.

While checking the reports of the missing file, I discovered a mistake in the code on page 211 of the book. A closing curly brace is missing at the bottom of the script. Details are on the book’s corrections page.

What is email header injection?

The PHP mail() function takes up to five arguments, the first three of which are required: the address(es) the mail is being sent to, the subject line, and the body of the message. The fourth argument allows you to specify additional headers, such as From, Reply-to, Cc, and Bcc. Email header injection usually targets weaknesses in the way this fourth argument is handled to insert bogus headers to turn your online form into a spam relay.

One of the most common uses of the fourth argument is to insert the user’s email address into the From or Reply-to header. It’s extremely convenient, because it allows you to reply directly to an email received from an online form just by clicking the Reply button in your email program. It’s also extremely convenient for an attacker. All that’s necessary is to add a string of spurious headers into the email field of your contact form, and your website becomes an instant spam relay—unless, of course, you take suitable precautions.

Preventing email header injection

The data filters introduced in PHP 5.2 make it easy to check that the value submitted through the email field of an online form contains a single email address and nothing else. So, if you want to put the user’s email address in a Reply-to header, you can check it like this (assuming the input field is named “email”):

$validemail = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
if ($validemail) {
$headers .= "Reply-to: $validemail\r\n";
}

Note that INPUT_POST and FILTER_VALIDATE_EMAIL are PHP constants, and must be in uppercase.

Using filter_input() like this is a simple, and effective way to prevent the email field of a contact form being exploited for header injection. Of course, you would probably want to take further action if the email address fails validation (the filter checks only that it’s in a valid format—it doesn’t check whether it’s a genuine address), such as redisplaying the form with an error message. This blog post is concerned only with basic prevention.

Is that all that’s needed?

Although the email field of a contact form is the main target, you also need to be careful about allowing user input in the first and second arguments to mail(): the address the message is being sent to, and the subject line. If both values are hard-coded in your script, there’s nothing to worry about. However, if your form allows the user to select from a choice of destination addresses, or insert a custom subject line, you need to sanitize those values before passing them to mail(). Don’t be fooled by thinking that a drop-down menu in your form limits the values that can be entered. It’s very easy for an attacker to bypass your preselected values.

One way of handling the destination addresses is to create an array of valid addresses, and use in_array() to check that the submitted value is among them.

$destinations = array('me@example.com', 'you@example.com');
if (in_array($_POST['to'], $destinations) {
// the address is OK to use
} else {
// don't send the mail
}

You can do the same with a choice of subjects. But if you want to allow the user to enter a custom subject line, you need to check that it doesn’t contain newline characters or common headers. The following code uses a regular expression to detect characters and values likely to be used in an attack:

$pattern = '/[\r\n]|Content-Type:|Bcc:|Cc:/i';
if (preg_match($pattern, $_POST['subject'])) {
// reject the post, as it's most likely an attack
}

I go into much more detail in my books, but hopefully this help PHP newcomers to adopt more secure coding practices with mail().