-------------------------------------------------------------------------------
Using PHP...  (just some simple notes)
-------------------------------------------------------------------------------
Simple 'is it working' test

phpinfo output page (very big and verbose)...

List on command line:
    php -i

List active php modules:
    php -m

NOTE: to use pear or pecl you must tell PHP about the proxy.

    pear config-set http_proxy http://s3proxy.itc.griffith.edu.au:3128
    pecl install mcrypt
    docker-php-ext-enable mcrypt

A manual solution using curl (which understands proxy env vars) is...

    curl -fsSLJ https://pecl.php.net/get/mcrypt/stable | tar xzvf -
    cd mcrypt-*; phpize; ./configure; make install; cd ..
    rm -rf mcrypt-* package.xml
    docker-php-ext-enable mcrypt

-------------------------------------------------------------------------------
PHP Error Handling

Look at the guide
    http://php.net/manual/en/book.errorfunc.php
Also
    http://www.php.net/manual/en/errorfunc.configuration.php

Development Server Setup...

I have enabled the following in the "php.ini" file for the system PHP
configuration.

    display_errors = On
    display_startup_errors = On
    log_errors = Off

This means PHP scripts should now report errors with the HTML output.
This is good for development, though it is not really recommended for
production environments.

The provided "php-production.ini" config, if named "php.ini", disables
display, as well as reporting of 'deprecated' and 'strict' errors.
The "php-development.ini" config does display errors, including 'deprecated'
errors.

The "Examples" section in the above also contains a larger error handler
sub-routine, and shows outputting program errors to the error log using the
error_log() function.

Redirect errors to a log file

However these settings, and others given in the above manual, can be set in
user scripts using the ini_set() function, to specify the filename into which
errors should be logged.
Thus something like this is recommended to be added to any and all user PHP
scripts, to define where run-time errors should be sent for that script.

    ini_set('error_log', '/tmp/script_errors.log');
    ini_set('log_errors', 'On');
    ini_set('display_errors', 'Off');

Note the file "script_errors.log" may need a full path, and should be
writable by the Apache web server user.  That is, it should exist with
permissions 702 (writable by others).

You should also think about preventing that file 'growing forever' over long
periods of time.  For example truncating or rolling the errors log
appropriately at the start of each run.

This error log redirection will not help with compile-time errors, but the
previous system setup will at least report such problems, until the user
script's own ini_set() commands can be executed.

Redirect to Display

This is similar to the above, but you need to provide some error wrapping.

    ini_set('log_errors', 'Off');
    ini_set('display_errors', 'On');
    # these two strings carry the markup that wraps each displayed error
    ini_set('error_prepend_string', "\nError\n");
    ini_set('error_append_string', "\n\n");
    header("Content-type: text/html");
    ...

-------------------------------------------------------------------------------
Clean message for display

Do not just output variables that could have come from user source.
Prevent RCE (Remote Command Execution) and XSS (Cross-site scripting)

    $msg = $_GET['msg'] ?? '';   # get message from the request arguments

Use the appropriate selection of the following....

    // strip all html tags   (NOTE: keeps "&acute;")
    $msg = strip_tags($msg);

    // strip all but alphanumerics, '-', '_' and spaces
    $msg = preg_replace('/[^A-Za-z0-9\-_ ]/', '', $msg);

    // keep all ASCII except for "<>{}[]"  (also drops "\" and "~")
    $msg = preg_replace('/[^\x20-;=?-Z^-z\\|]/', '', $msg);

    // Only keep ASCII   (NOTE: keeps "" "&acute;")
    $msg = preg_replace('/[^\x20-\x7E]/','', $msg);

    // Ditto but inverted the regex  (NOTE: keeps "" "&acute;")
    $msg = preg_replace('/[\x00-\x1F\x7F-\xFF]/','', $msg);

    // Strip non-ASCII plus brackets and '&'
    $msg = preg_replace('/[\x00-\x1F\x7F-\xFF&<>{}\[\]]/','', $msg);

    // Strip all binary (non-printable) chars  (keeps "" "&acute;")
    $msg = preg_replace('/[[:^print:]]/', '', $msg);

    // FUTURE: ASCII only, but HTMLize special chars

-------------------------------------------------------------------------------
Unparenthesized ternary operator, deprecation warning.

PHP 7.2 can produce the error...

    PHP Error : Unparenthesized `a ? b : c ? d : e` is deprecated.
    Use either `(a ? b : c) ? d : e` or `a ? b : (c ? d : e)`

Most languages parse...
    a ? b : c ? d : e
as if, in left to right order, it was...
    a ? b : ( c ? d : e )
with the parenthesis not executed (short circuited) on 'a' being true.
If all terms are true that results in 'b'

PHP however acts as if...
    ( a ? b : c ) ? d : e
If all terms are true, "( a ? b : c )" is true, that results in 'd'

That is, without parentheses the results can be ambiguous.
PHP 7.2+ starts giving deprecation warnings about this.
PHP 8.0+ will just fail on this error.

Test script (can be used with perl)

=======8<--------CUT HERE----------
<?php
# remove the "<?php" line above to run this under perl
# values assumed (all true); they match the results listed below
$a = 10; $b = 20; $c = 30; $d = 40; $e = 50;
print "No parens:  ".( $a ? $b : $c ? $d : $e )."\n";
print "Most Lang:  ".( $a ? $b : ($c ? $d : $e) )."\n";
print "PHP pre7.2: ".( ($a ? $b : $c) ? $d : $e )."\n";
=======8<--------CUT HERE----------

In PHP, results are...    40, 20, 40
In Perl results are...    20, 20, 40

-------------------------------------------------------------------------------
PHP Obfuscation

You can make PHP unreadable using...

    eval(base64_decode(....))

Also by reversing the above string using...

    strrev("edoced_46esab")

-------------------------------------------------------------------------------
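A defender's view of the two obfuscation patterns above, as an added example that is not part of the original notes: a small scanner that flags eval(base64_decode( and decoder names hidden behind strrev(). The names find_obfuscation and DECODERS, and the sample source, are constructed for illustration.

```php
<?php
// Added example: flag the obfuscation patterns named in the notes.
// Decoder names to look for once a strrev() literal is reversed back.
const DECODERS = ['base64_decode'];

function find_obfuscation(string $source): array
{
    $findings = [];
    foreach (preg_split('/\R/', $source) as $i => $line) {
        $lineno = $i + 1;
        // eval() fed directly from the decoder call
        if (preg_match('/\beval\s*\(\s*base64_decode\s*\(/i', $line)) {
            $findings[] = [$lineno, 'eval(base64_decode(...))'];
        }
        // string literals given to strrev() that reverse to a decoder name
        if (preg_match_all('/\bstrrev\s*\(\s*([\'"])([A-Za-z0-9_]+)\1\s*\)/i', $line, $m)) {
            foreach ($m[2] as $literal) {
                $hidden = strtolower(strrev($literal));
                if (in_array($hidden, DECODERS, true)) {
                    $findings[] = [$lineno, 'strrev() hides ' . $hidden];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample source; the base64 text encodes a harmless echo statement.
$sample = <<<'SAMPLE'
<?php
echo "hello";
eval(base64_decode("ZWNobyAnaGknOw=="));
$f = strrev("edoced_46esab");
eval($f($payload));
SAMPLE;

foreach (find_obfuscation($sample) as [$line, $what]) {
    printf("line %d: %s\n", $line, $what);
}
```

The last sample line, where the decoder is called through a variable, is not flagged on its own; a literal-pattern scan like this only catches the forms it spells out, so treat a hit as a reason to inspect the whole file.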
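For the "Clean message for display" section, the "FUTURE: ASCII only, but HTMLize special chars" filter could look like the following. It is an added example, not code from the original notes; clean_msg(), its length limit and the sample inputs are assumptions.

```php
<?php
// Added example: ASCII-only filter followed by HTML encoding at output time.

function clean_msg(string $msg, int $maxlen = 200): string
{
    // Keep printable ASCII only (same class as the notes' /[^\x20-\x7E]/ filter).
    $msg = preg_replace('/[^\x20-\x7E]/', '', $msg) ?? '';
    // Bound the length so one long parameter cannot flood the page.
    $msg = substr($msg, 0, $maxlen);
    // Encode & < > " ' so the browser treats the text as data, not markup.
    return htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs standing in for $_GET['msg'].
$samples = [
    'Saved 3 files',
    '<script>alert(1)</script>',
    '" onmouseover="x',
    "caf\xC3\xA9 & <b>bold</b>",
];

foreach ($samples as $raw) {
    // strip_tags() removes tags but leaves quotes and '&' untouched, which
    // matters when the message is placed inside an HTML attribute value.
    printf("raw:        %s\n", $raw);
    printf("strip_tags: %s\n", strip_tags($raw));
    printf("clean_msg:  %s\n\n", clean_msg($raw));
}
```

Encoding at the point of output keeps the message readable while neutralising markup, whereas the stripping filters silently change what the user sees.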