It can’t really be disagreed on that something like example.com/index.php?page=article&id=409 is not nearly as nice as example.com/article/409.

Turns out this isn’t all that hard with PHP – infact it can turn into something that’s very useful from more than just a readability viewpoint.

The Plan

What we’re going to do is capture everything past a particular point in our URL and pipe it to PHP, we’re going to let PHP do most of the the legwork.

* Using mod_rewrite we get everything past a particular point.
* We will then pass that into a PHP get variable. We’ll use “p”, you can use anything.
* In our PHP we will define “rules” for our URLs with very simple regular expressions.
* When something matches, we’ll get the appropriate page – otherwise we’ll give back a 404.

mod_rewrite

Yep, this article is purely from an Apache perspective, so I assume that you not only have Apache on your webserver, that you also have enabled mod_rewrite.

If you haven’t enabled mod_rewirite, it’s usually something like this in your http.conf:

LoadModule rewrite_module modules/mod_rewrite.so

Remember to restart Apache afterwards.

.htaccess

Let’s get .htaccess out of the way now. These are special files that you may, or may not have come accross. Basically, Apache will read these set of definable rules and determines what to serve when you visit a page.

In this case we’re going to use mod_rewrite rules. So, first create a file called .htaccess and open it up. (To Windows folk – It really has no “filename”, this might confuse some of the poorer text editors.)

To start with, we’re going to check if mod_rewrite is enabled – if it isn’t then Apache will return an internal server error (500).

All our rules will go inside this block.

First we need to enable the rewrite engine and set our base.

RewriteEngine on
RewriteBase /

The RewriteBase will tell Apache exactly where our capturing needs to come from, what the relative path is.

In our case we’re assuming we’re rewriting the root of a URL. If your script resided in a sub-directory like http://example.com/test, RewriteBase would have to be written like so:

RewriteBase /test

Our first rule will tell Apache where to go when we haven’t specified anything, in this case we simply want to go to index.php:

RewriteEngine on
RewriteBase /

# Nothing - Go to index.php
RewriteRule ^$          index.php  [L]

RewriteRule is how we define our actual rules.

Rewrite rules use regular expressions (regex for short), a kind of special text processing language, to define the rules. They can become very useful if you learn them properly, and we shall be using them later when we write the PHP portion of this article. PHP comes with reasonably good regex support built in.

In this case our regular expression is ^$. The caret symbol, ^, means “At the start”. The dollar sign, $, means “At the end.” So this pattern effectively matches nothing, there is nothing between the two symbols.

Don’t worry if regular expressions are confusing at first, there are many tutorials on it around.

The second part of RewriteRule defines where our rule goes to, in this case we always want an empty path to go to index.php.

The last part in square brackets defines a special flag, here we use the L flag. L defines this rule as the “last one” – if this rule matches then Apache will disregard any further ones.

Our next rule is the one that we came here for:

RewriteEngine on
RewriteBase /

# Nothing - Go to index.php
RewriteRule ^$          index.php       [L]

# If anything matches, send the path to index.php
RewriteRule (.*)        index.php?p=$1  [L]

In regex a fullstop means “any single character” and asterisk means “one or more of the previous character”. So our pattern is effectively – any amount of any character or simply, everything.

The parentheses around the rule indicate we want to group that match, and use it later. We do use in defining where our pattern goes to. You refer to groups with the dollar sign and the number of group. (Groups start at 1.) Again we will define this as the last rule with [L].

So with these two rules http://example.com will invisibly redirect to index.php and http://example.com/page/409 will rewrite to index.php?p=page/409.

Unfortunatly, if you try to go directly to any other file or directory, it will not show up – Instead the path will get sent to index.php! We can use RewriteCond to add additional conditions to rectify this situation.

RewriteEngine on
RewriteBase /

# Nothing - Go to index.php
RewriteRule ^$          index.php        [L]

# Condition - requested path is not a file or directory.
RewriteCond %{REQUEST_FILENAME}         !-f
RewriteCond %{REQUEST_FILENAME}         !-d

# If anything matches, send the path to index.php
RewriteRule (.*)        index.php?p=$1  [L]

In a little bit of slightly backward behaviour, when Apache finds a rewrite rule it will go back to see if there were any conditions and check those before finally matching. So these conditions must appear before the rule.

The first parameter is what we test against, it refers to a special server variable, in this case REQUEST_FILENAME. The second parameter is our actual condition. -f asks “Is an existing file” and -d is directories.

Since we only want to continue if the match is not a file we can use a !, so our final patterns are !-f and !-d.

Our rewrite ruleset is nearly complete, but there’s one tiny thing, sometimes you may want to pass GET parameters around in the URL the same way you normally would, as it stands these will be ignored by Apache when rewriting. We can use a flag to append all extra request parameters to the URL – QSA.

Our final .htaccess file looks like this:

RewriteEngine on
RewriteBase /

# Nothing - Go to index.php
RewriteRule ^$          index.php       [L]

# Condition - requested path is not a file or directory.
RewriteCond %{REQUEST_FILENAME}         !-f
RewriteCond %{REQUEST_FILENAME}         !-d

# If anything matches, send the path to index.php
RewriteRule (.*)        index.php?p=$1  [QSA,L]

If anything about mod_rewrite is confusing it’s worth knowing that the documentation on it is actually not all that terrifying and can help you understand it much better.

Using PHP to get the requested URL

Our rewrite rule will pipe everything into index.php as a GET parameter called “p”. So everything in our script will need to be included through this.

To start our index.php file we need to define a list of matches.

/*
 * Work out what page we are on
 */
$page_rules = array(
  "index" => "home.php",
  "about" => "about.php"
);

$page_val = (isset($_GET['p'])) ? $_GET['p'] : "index";

$page_rules is an associative array pointing matched rules to special pages. You can keep your eventually pages whereever you like, for our example we’ll simply have a “pages/” subdirectory where these will go in.

We set $page_val to our “p” parameter if it was set, otherwise defaulting to index.

Next we go through all our rules and find if we’ve matched one with our parameter.

/*
 * Work out what page we are on
 */
$page_rules = array(
  "index" => "home.php",
  "about" => "about.php"
);

$page_val = (isset($_GET['p'])) ? $_GET['p'] : "index";

/*
 * Iterate through rules and test them on our request
 */
$match = NULL;

foreach($pages as $regex => $page_to)
{

  if(preg_match("/^".$regex."$/i", $page_val))
  {
    $match = $page_to;
    break;
  }

}

/*
 * If we didn't match anything deliver a 404 or include our file
 */
if($match === NULL)
  die("404");
else
  require "pages/".$page_to;

We now use preg_match to match against each of our rules.

For our index rule, the regular expression looks like /^index$/i. The forward slashes indicate the start and end delimeters of the regex, we can use extra flags to define special things, in this case we use the i flag which indicates that the match is case insensitive.

When we match a rule, we save the page name, then serve it later, or give a 404 message if not. (Your 404 message should be a lot better – this is a simple example after all.)

At this point our rewriting will work perfectly fine. There’s a few issues to work out first.
Small issues

First off, if you go to http://example.com/about the rule works, but if you go to http://example.com/about/ then nothing matches – our p variable has changed with that one character!
Luckily we can expand our regular expression to account for this. Question mark, ?, means “the previous character none or more times”. So /? would mean “forward slash or no forward slash”, except that as we know, forward slash means something in regular expressions. To escape characters in regex simply use the backslash character. The correct match is \/?.
Our new rule check looks like this:

if(preg_match("/^".$regex."\/?$/i", $page_val))
{
$match = $page_to;
break;
}

You may be starting to think that regular expressions can start to look messy the more complicated they get – you’d be right, but that doesn’t discount how useful they can be. A regular expression can be broken down into smaller parts if necessary.
This leads on to our second problem, if any of our matches have a forward slash in, which they most likely will, you will get an error when hitting the regex because it would be unescaped. A quick str_replace will sort that.

$regex = str_replace("/", "\/", $regex);

if(preg_match("/^".$regex."\/?$/i", $page_val))
{
$match = $page_to;
break;
}

Grouping
This is all well and good, but if you have a URL like our initial example of http://example.com/article/409 surely you’d have to make a new rule for each ID? Luckily we can leverage the power of regex to do that for us.
First we need to ammend our rules to match /article/ and any number. This is done like so:

$page_rules = array(
  "index"          => "home.php",
  "about"          => "about.php"
  "article/[0-9]+" => "article.php"
);

[0-9] is a range, a single number from 0 to 9. And whereas ? means “zero or more times”, in this case we need to use plus, + which means “one or more times“. So we’re now matching any integer.
Great, our rule works! But it’s useless to us if we can’t get that parameter out. Well, first we need to define this as a group in our regex by using parentheses, the same way we did in our .htaccess rules before.

$page_rules = array(
  "index"            => "home.php",
  "about"            => "about.php"
  "article/([0-9]+)" => "article.php"
);

To get our groups out of our regular expression we need to use the third parameter of preg_match, in which we pass in an array that will then be filled with our groups.
Our foreach loop needs to look something like this:

$match = NULL;
$matches = array();

foreach($pages as $regex => $page_to)
{

$regex = str_replace("/", "\/", $regex);

if(preg_match("/^".$regex."\/?$/i", $page_val, $matches))
{
$match = $page_to;
break;
}

}

Great, now if you tried to go to /article/409 and did a print_r of $matches, you’d get something like:
Array

(

[0] => article/43/

[1] => 43

)
The first entry is filled with the entire pattern, the second one is our requested ID – the group we defined in our match.
Notice that because we’ve defined any number, if you try to enter anything other than a number into the URL as an ID you will get given a 404 – This can act as a kind of first-defense validation for input variables.
This is almost the end of the article, however we can make this a little nicer to work with.
Named groups
Being able to refer to something like $_GET[’id’] is a convenience, there’s a name. $matches[1] is not so easy to dechyper – or even keep track of, what if we add another group that appears before it like a category name – the group number may shift.
Luckily with regex we can name our groups using the simple syntax of ? inside the start of the group. Our new rules can now look like this.

$page_rules = array(
  "index"                 => "home.php",
  "about"                 => "about.php"
  "article/(?[0-9]+)" => "article.php"
);

Now when you print_r $matches you get:
Array

(

[0] => article/43/

[id] => 43

[1] => 43

)
You can still refer to the group as $matches[1], but we’re also given the option of $matches[’id’].
Conclusion

Our final PHP script looks like this:

/*
* Work out what page we are on
*/
$page_rules = array(
"index"                 => "home.php",
"about"                 => "about.php"
"article/(?[0-9]+)" => "article.php"
);

$page_val = (isset($_GET['p'])) ? $_GET['p'] : "index";

/*
* Iterate through rules and test them on our request
*/
$match = NULL;
$matches = array();

foreach($pages as $regex => $page_to)
{

$regex = str_replace("/", "\/", $regex);

if(preg_match("/^".$regex."\/?$/i", $page_val, $matches))
{
$match = $page_to;
break;
}

}

/*
* If we didn't match anything deliver a 404 or include our file
*/
if($match === NULL)
die("404");
else
require "pages/".$page_to;

?>

We’ve implemented friendly URLs in a simple way that is also very easy to work with in your script, we even have some basic validation that wouldn’t get relying on $_GET.

WHOA, there! Are you sure you want to do that? Any input from a user should be treated like a nuclear fuel rod. You can handle it, but you’ve got to make sure you do it right. You wouldn’t just pick it up with your bare hands, would you?

Why? Just what are MySQL Injection attacks anyway?

Lets say your database has a table inside called ‘tbl_Users’. Inside ‘tbl_Users’ are a list of your users, which all have usernames, passwords, first names, last names, addresses, etc. If these users are presented with a login box somewhere on your site, your php user verification query might be something like this:

SELECT * FROM `tbl_Users` WHERE `username`=’”.$_POST['username'].”‘ AND `password`=’”.md5($_POST['password']).”‘”The problem is that unscrupulous users (read: bad ones) could enter this into your form:

username: no_onepassword: ‘ OR ”=”Which would make your query look something like this:

SELECT * FROM `tbl_Users` WHERE `username`=’no_one’ AND `password`=” OR ”=”Which, if you read that correctly, would allow that user access to whatever it was you wanted hidden by logging them in. There are a multitude of other ways this can be dangerous, but this is by far the easiest example. Even more unscrupulous users (read: the real jackasses) could send in multiple queries including DELETE queries.

In which case, when you wake up the morning after the attack you are most likely to be heard saying:”Hey, where did all my users go?” 

Wow. Okay so I’ve got a friend… and his website isn’t secure. What can I do to help him out?

The good news is that with a few easy precautions, your “friend’s” website will be pretty secure against these types of attacks. I say pretty secure because there is no way to prevent every attack. We can only do our best to increase security to a point to take every realistic precaution to prevent these attacks.

#1: Escape your variables!

Using the php function ‘mysql_real_escape_string’ you can “escape” the single quote character from user input. This is probably the easiest method to prevent MySQL injection attacks. It works by adding a backslash (”\”) before each quote that the user enters into their input. So, to use our example from before:

username: hey’therebecomes

username: hey\’thereThis effectively stops MySQL injection in its tracks since it not only escapes the single quote (”‘”) character but also all other characters that the baddies can use to hijack your queries.

If you’ve got an array of data coming in, you can use this neat function that I found on the PHP mysql_real_escape_string page (code by “brian dot folts at gmail dot com”). It escapes all of the values in your array with ease.

To escape an array, use this function:

function mysql_real_escape_array($t){
return array_map(”mysql_real_escape_string”,$t);
}

Then you can call that function easily by passing your array to it:

$your_array = mysql_real_escape_array($your_array);

#2: Check the variable type of your input.

This is done by using the php functions “is_numeric()“, “is_string()“, “is_float()“, and “is_int()” to determine if the input the user is sending in is the same type that you were asking for. It’s not perfect, but if you were asking for a number and they sent in a word you know to discard it straight away and return an error thereby entirely avoiding any change of a MySQL injection attack.

#3: Always use proper MySQL syntax, including “`” and “‘” characters.

If your queries look something like this:

SELECT * FROM tbl_Users WHERE username=$value; Rewrite it so that it looks more like this:

$value = mysql_real_escape_string($value);mysql_query(SELECT * FROM `tbl_Users` WHERE `username`=’”.$value.”‘”); Proper MySQL syntax requires that all table and field names are surrounded by the reverse apostraphe (”`”) and values surrounded with single quotes / apostraphe (”‘”).

I hope this gives you a better indication of what you can do to help secure your websites. Keep in mind that this is in no way a complete list. Be ever vigilant in your efforts to prevent attacks of any kind on your code. Leave a comment or two if this helped you at all or if you have different suggestions on how to secure your code from injection attacks!

A simple example of this involves displaying the time on a Web page. With PHP, you can easily use the date() function to read the server’s clock and display the required information in a specific format. But what if you’d like to display the time in a different location – for example, if your company is located in a different country from your server and you want to see “home” time instead of local time? Well, then you have to figure out the difference between the two places and perform some date arithmetic to adjust for the different time zones. If the time difference is significant, you need to take account of whether the new time is on the day before or after, worry about daylight savings time, and keep track of end-of-the-month and leap year constraints.

As you can imagine, the math to perform such time zone conversions can quickly get very complicated if you do it manually. To be fair, PHP has built-in time zone functions to help with this, but these aren’t particularly intuitive and require a fair amount of time to get used to. A quicker alternative is to use the PEAR Date class, which comes with built-in support for time zones and is, by far, the simplest way to perform these conversions.

This tutorial will teach you how to convert temporal values between time zones with the PEAR Date class. It assumes that you have a working Apache and PHP installation and that the PEAR Date class has been correctly installed.

Note: You can install the PEAR Date package directly from the Web, either by downloading it or by using the instructions provided.

Getting started

Let’s begin with the basics – initialising and using a Date object. Create a PHP script with the following lines of code:

getDate();
?>

This is fairly simple – include the class code, initialise a Date() object with a date/time string, and then use the getDate() method to display the value you just inserted. Here’s the output:

2006-06-21 15:45:27

What if you want the date in a different format? If the format is a standard one, such as the ISO format, simply pass getDate() a modifier indicating this:

getDate(DATE_FORMAT_ISO_BASIC);
?>

The output in this case conforms to the standard ISO format.

20060621T154527Z

If you’d like a custom format, you can do that too, with the format() method. Like PHP’s native date() function, this method accepts a series of format specifiers that indicate how each component of the date is to be formatted. Below is an example (look in the class documentation for a complete list of modifiers):

format("%A, %d %B %Y %T");
?>

And here’s the output:

Wednesday, 21 June 2006 15:45:27

Converting between time zones

Now that you’ve got the basics, let’s talk about time zones. Once you have a Date() object initialised, converting from one time zone to another is a simple two-step process:

1. Tell the Date class which time zone you’re converting from, with the setTZByID() method.
2. Then, tell the Date class which time zone you wish to convert to, with the convertTZByID() method.

setTZByID("GMT");

// convert to foreign time zone
$d->convertTZByID("IST");

// retrieve converted date/time
echo $d->format("%A, %d %B %Y %T");
?>

In this case, I’m attempting to convert from Greenwich Mean Time (GMT) to Indian Standard Time (IST). India is about 5.5 hours ahead of Greenwich, which is why the output of the script is:

Wednesday, 21 June 2006 16:06:27

Simple, isn’t it? Here’s another example, this one demonstrating how the class handles leap years and month end values.

// include class
include ("Date.php");

// initialize object
$d = new Date("2008-03-01 06:36:27");

// set local time zone
$d->setTZByID("GMT");

// print local time
echo "Local time is " . $d->format("%A, %d %B %Y %T") . "\n";

// convert to foreign time zone
$d->convertTZByID("PST");

// retrieve converted date/time
echo "Destination time is " . $d->format("%A, %d %B %Y %T");
?>

And the output is:

Local time is Saturday, 01 March 2008 06:36:27
Destination time is Friday, 29 February 2008 22:36:27

Note: In case you’re wondering where the time zone IDs come from, you can find a complete list within the class documentation.

Calculating GMT offsets

Another piece of information that’s sometimes useful when working with time zones is the GMT offset — that is, the difference between the specified time zone and standard GMT. The PEAR Date class lets you get this information easily, via its getRawOffset() method. Here’s an example:

setTZByID("PST");

// get raw offset from GMT, in msec
echo $d->tz->getRawOffset();
?>

Here, the getRawOffset() method calculates the time difference between the local time and GMT. Here’s the output:

-28800000

Note that this offset value is expressed in milliseconds, so you will need to divide it by 3600000 (the number of milliseconds in one hour) to calculate the time zone difference in hours.

Tip: You can use the inDaylightTime() method to see if the destination is currently observing daylight savings time. Look in the class documentation for details on this method.
Adding and subtracting timespans

The Date class also lets you perform sophisticated date arithmetic on temporal values, adding or subtracting durations to a date/time value. These durations (or timespans) are expressed as a string containing day, hour, minute and/or second components.

addSpan(new Date_Span("0,1,20,0"));

// retrieve date as formatted string
echo $d->format("%A, %d %B %Y %T");
?>

In this case, I’ve added an hour and twenty minutes to the initial timestamp, by calling the Date class’ addSpan() method and supplying it with a Date_Span() object initialised to that duration. The output is fairly easy to guess:

Wednesday, 21 June 2006 17:05:27

Just as you can add timespans, so too can you subtract them. That, in fact, is the purpose of the subtractSpan() method, which is illustrated below.

addSpan(new Date_Span("0,1,20,0"));

// subtract 00:05 from it
$d->subtractSpan(new Date_Span("0,0,5,0"));

// retrieve date as formatted string
echo $d->format("%A, %d %B %Y %T");
?>

Here, I’ve first added an hour and twenty minutes, and then subtracted a further five minutes. The net effect is an addition of an hour and fifteen minutes, and the output reflects this:

Wednesday, 21 June 2006 17:00:27

As the examples above illustrate, the PEAR Date class provides methods to intuitively and efficiently perform fairly complex date math. If you’re looking for a stress-free way to convert timestamps between different locations, I’d heartily recommend it to you.

Most PHP Web developers have heard of PEAR, the PHP Extension and Application Repository, but very few of them actually use it on a regular basis. This is an oversight that should be corrected, because PEAR is actually a rich treasure trove of PHP widgets that can significantly simplify the average Web developer’s workday.

If you think I’m overstating the benefits, ask yourself if you’ve ever written custom code to (a) create HTML e-mail, (b) generate Web forms on the fly, or (c) validate email addresses. PEAR has pre-built PHP packages for all these tasks, and a few hundred more besides. These packages provide a robust, well-tested code base that can save you the time and effort you would otherwise spend on “rolling your own” code. You can’t beat the price either…they’re free!

PEAR classes cover a wide range of tasks, and so this document will focus specifically on classes of interest to developers working with Web pages and form input. If there are other categories you’d like to see addressed, send in your suggestions and we will examine those areas too…and until then, here’s to easier coding!

Note: You can install PEAR packages directly from the Web, by following the provided instructions.

Package Name: Validate
Description: This package provides validation routines for common input types: email addresses, credit card numbers, URLs, dates and times, string and number classes, and more.

Use this package to test user input entered in Web forms and ensure it is valid before using it in a calculation/saving it to a file or database.

URL: http://pear.php.net/package/Validate

Calendar
This package creates calendar data structures for one or more months. These data structures can then be combined with HTML formatting or a template to create a calendar display, complete with forward/backward navigation links.

Use this package to quickly integrate a pop-up Web calendar into a Web site.

http://pear.php.net/package/Calendar

Mail_Mime
This package provides routines to create a MIME-compliant multi-part message. Such a message can contain embedded HTML, images, file attachments, or other parts. The package also provides functions to decode received multi-part messages into their constituent parts.

Use this package to create HTML email with embedded images, or messages with one or more attachments. You can also use this class to decode multi-part messages – for example, as an attachment browser in a Web mail client.

http://pear.php.net/package/Mail_Mime

Cache
This package provides a simple caching framework for a Web site. It allows you to cache the output of PHP scripts as well as function calls, and reduce response times by rendering the cached pages to clients. Cached pages may be stored as files on disk, in a database, or using a custom storage engine.

If your site receives a lot of traffic, use this package to reduce server load and page processing time by occasionally providing clients with snapshots from the page cache instead of the “live” page. You can also reduce the load on your database server by caching the output of frequently-used SQL queries.

http://pear.php.net/package/Cache

Image_Graph
This package makes it possible to automatically convert numerical data into a graph suitable for display on a Web page. Bar, graph, pie, radar and scatter graphs are just some of the supported graph types. X and Y axis customisations are supported, as are many different output formats.

Use this package to display numerical data in a visual manner for easier comprehension – for example, when calculating Web site traffic or ad clicks.

http://pear.php.net/package/Image_Graph

HTML_QuickForm
This package provides routines to generate, validate, and process Web forms programmatically. It supports all the HTML form input types, and comes with built-in validation routines for most common input types. It also provides built-in functionality for multi-page forms and file upload forms.

Use this package to significantly simplify the task of generating Web forms at run-time, or to efficiently validate and process form input.

http://pear.php.net/package/HTML_QuickForm

Auth
This package provides a framework for a basic login/authentication system using PHP. It can verify user credentials against a variety of data sources, including MySQL databases, ASCII files, LDAP servers and POP3 servers.

Use this package to quickly create a login system for a Web application. Because it has “out of the box” support for so many authentication sources, it can also be used to implement Web-based “single login” infrastructure.

http://pear.php.net/package/Auth

XML_RSS
This package is designed to parse RSS documents. It extracts information from an RSS feed as PHP data structures, which can be processed and formatted for display.

Use this package to integrate RSS feeds from other sites into your Web pages.

http://pear.php.net/package/XML_RSS

HTML_Progress
This package provides a framework for a progress bar on a Web site. It uses PHP, JavaScript and CSS to display and dynamically update a progress bar with visual notification of a task’s progress.

Use this package to display progress bars for time-consuming Web tasks — for example a file upload or a long-running loop.

http://pear.php.net/package/HTML_Progress

Translation
This package provides a framework for multi-lingual Web sites. It contains routines to retrieve a translation for each string value from a database and insert it into the appropriate location on each translation-enabled page.

Use this package to efficiently handle multi-language versions of a Web site.

http://pear.php.net/package/Translation/

Microsoft provides XPath functionality through the selectSingleNode() and selectNodes() methods on DOM nodes and documents. However, PHP uses functions that provide XPath functionality through contexts. In the following example, I’ll show sample XML data and PHP code to grab different parts of the XML document. I’ll also explain how the PHP code works.

In the example code, I use the following XML data to provide the functionality. (Note: This code was developed and run successfully using PHP 4.3.4, Windows XP, and IIS 5.1.)

Marmaduke
Garfield

Snoopy
Heathcliff

Spike
Sylvester

This XML data contains a few elements and some attributes including a namespace declaration — some basic XML. This results in varied queries for me to test.

<?php
$sxml = '

            Marmaduke
            Garfield

            Snoopy
            Heathcliff

            Spike
            Sylvester

    ';

$xml = domxml_open_mem($sxml);

$xpc = xpath_new_context($xml);
xpath_register_ns($xpc, "x", "http://www.someplace.com");

$nodes = xpath_eval($xpc, "//x:row/x:dog[@color='yellow']/text()");
foreach ($nodes->nodeset as $node) {
    print $node->content . "\n";
}

$nodes = xpath_eval($xpc, "//x:row/x:dog");
foreach ($nodes->nodeset as $node) {
    print $xml->dump_node($node) . "\n";
}

$nodes = xpath_eval($xpc, "//x:cat/child::text()|//x:dog[@color='white' or
@color='gray']/text()");
foreach ($nodes->nodeset as $node) {
    print $node->content . "\n";
}

$xml->free();
?>

First, I create a local variable to hold the XML string. This information could have been passed in as part of a POST HTTP request. However, for this example, I’m going to include it in the code. The next step is to create a DOM Document by using the domxml_open_mem() function. This function creates a DOM Document object in memory from a valid XML string. It accepts one parameter: the XML string. Another way to accomplish this is to store the XML in a separate file and use the domxml_open_file() function to load the XML from a file. This function takes one parameter: the filename of the XML file.

Once I create the DOM Document object, I can create an XPath context with this object through the xpath_new_context() function, which takes one parameter: the current DOM Document object. This context is used to evaluate the XPath expression and is also used to register namespaces, if needed. Since my XML includes a namespace, I register the namespace with the xpath_register_ns() function. This makes it possible to create XPath queries using prefixes. The xpath_register_ns() function takes three parameters: the XPath context, the prefix, and the namespace, respectively.

Now I can run XPath queries. This is done with the xpath_eval() function, whose first parameter is the XPath context and second parameter is the XPath expression. The function returns an array of DOM Nodes. In my code, I step through the nodeset and produce some form of output.

In the first XPath example, I grab all the x:dog text elements under the x:row nodes, where the ‘color’ attribute equals ‘yellow’. This is where the XPath expression in PHP differs slightly from an XPath expression using MSXML. I include the ‘/text()’ part of the expression to return the text nodes only. With MSXML, you access the text node with the ‘text’ property. Using the ‘content’ property on the returned text node, I can get the content of the text node.

In the second example, I grab all the x:dog elements under the x:row nodes. However, I use the dump_node() method on the DOM Document object to print out the complete XML of the appropriate node. The dump_node() method accepts one parameter: the DOM Node of which you wish to dump the contents.

In the last example, I grab all the x:cat text nodes and all the x:dog text nodes where the ‘color’ attribute is ‘white’ or ‘gray’. Once again, I step through the nodeset and print out the content of each text node. Finally, I free up the DOM Document object.

Sometimes you just need to know what country your site visitors are coming from—for example, if you’re trying to implement geo-targeted advertising. That’s where a tool like MaxMind’s GeoIP comes in—it lets you easily extract geographic data from your visitor’s IP address.

MaxMind makes available both commercial and free databases; the commercial ones are extremely precise and can get as fine-grained as the user’s city, while the free version can only identify the country of origin. We’ll use the free version in this article. If you need more detailed information, such as the remote client’s city and state of origin, you will need to purchase a more detailed database from MaxMind.

Getting started
To use it, you’ll have to first download the GeoIP Free Country file and extract it into a directory in your Web server. Then you’ll have to pick which language API to use with the database file. For simplicity, we’re going to use the pure PHP version because it doesn’t require any additional configuration or Apache modules. Remember to read the license terms before installing these on your Web site to ensure you are in compliance.

The code below demonstrates the basics of using the module (geoip.inc) to access the GeoIP Free Country database (GeoIP.dat). The example assumes both the PHP include and the country database file are in the same directory as the PHP file itself. You’ll have to change the paths as needed if this is not the case in your installation.

The sample code is pretty straightforward. After including the GeoIP PHP function library, the first step is to open the GeoIP database file with the geoip_open() function. This function accepts two arguments: the path to the database file and the type of database.

We then use the handle returned by the call to geoip_open() to obtain the two-letter country code and human-friendly name corresponding to the given IP address, via the geoip_country_code_by_addr() and geoip_country_code_by_name() functions, respectively. Both functions accept two arguments: the handle returned by geoip_open() and the IP address to resolve.

Once the required information is obtained, we close the database file with a call to geoip_close(). Simple as that.

That’s fine in theory, but in practice, from my experience, the client frequently comes with more requirements, or maybe more modifications to the design or to the business logic. When this happens , the HTML is modified (or words rebuilt ) programmer changes the code inside HTML.

The problem with this scenario is that the programmer needs to be on stand-by until the designer completes the layout and the HTML files. Another problem is that if there is a major design change then the programmer will change the code to fit in the new page. And that’s why I recommand Smarty. Smarty is a templating engine for PHP.

You can download it from http://www.phpinsider.com/php/code/Smarty/ or http://smarty.php.net . The installation process is very simple. Just read the documentation and follow up the instructions.

So what is Smarty ? Smarty is a set of PHP classes that compile the templates into PHP scripts. Smarty is a template language and a very useful tool for designers and programmers.

Smarty for Designers

Designers work with HTML files. To work with Smarty, you work with template files. These files are are made up of static content but combined with Smarty mark-up tags. All the template files have a .tpl extension. The Smarty template tags are enclosed within { and } delimiters.

Let’s consider the basic structure of a web page. There is a header, a middle part, and a footer. A template file that includes the header and the footer looks like this:

{include file="header.tpl"}
<form name="form1">
    Label1 <input type="text" name="text1">
    <input type="submit" value="submit">
</form>
{include file="footer.tpl"}

All the templates should reside in a single template directory. After calling a template for the first time, the compiled template will reside in templates_c.

Smarty language is very poweful. All the variables that come from PHP are identified in Smarty with {$Variable_Name} (we precede them with a $ sign). So if we have a variable in PHP that is called $MyName, then to print it in Smarty you have to write something like:

<html>
    <body>
        Welcome, {$MyName} <br>
    </body>
</html>

The power of Smarty lies also in its flexibility. You can insert IFs and LOOPs into the template. The syntax for IF is:

{if <condition> }
        html code
{else}
        html code
{/if}

Let’s say you have a dynamic menu based on links. Depending on the link you click, you go to a specific page. So you get from PHP a variable $Menu with a integer value, depending on the page you are. The template looks like :

{if ($Menu == 1) }
         Option 1
{else}
        <a href="option1.php">Option 1</a>
{/if}
{if ($Menu == 2)}
        Option 2
{else}
        <a href="option2.php">Option 2</a>
{/if}

For coding a loop let’s suppose you get an array like the following from PHP :

<table>
<tr
{section name=user loop=$userID}
{if $smarty.section.user.iteration is odd}
        bgcolor=#efefef
{else}
        bgcolor=#ffffff       
{/if}
>
    <td>    ID = {$userID[user]}  </td>
    <td> Name = {$name[user]}     </td>
    <td> Address = {$address[user]} </td>
</tr>
    {sectionelse}
<tr>
    <td>
        There is no user.
    </td>
</tr>
</section>
</table>

Iteration is an internal counter for Smarty. It helps us to know the current iteration of the section. I use this internal variable to make alternate row colors in the table by checking if current iteration value is odd or not (Note that iteration was added to Smarty from version 1.4.4).

An alternative for LOOPS is FOREACH which is used to loop over a single associative array.

<foreach from=$users item=current_user>
        Name = {$current_user}
<foreachelse}
        No user available.
</foreach>

The main difference between SECTION and FOREACH is that for SECTION you can start from a specific value, and can also set a step for the iteration, whereas for FOREACH you have to loop over all values.

Smarty for Programmers

The advantage for programmers is that they write the code in a PHP file without having to mix the instructions with HTML. Furthermore, if the designer changes the layout of a page the programmer doesn’t have to change the code to suit the new layout since the functionalities won’t change. You do your work in your files, assign to the templates all the values needed to print on the site and go out for a beer. You won’t get phone calls asking you to change a bit of code because the designer changed the layout and now a set of internal errors cropped up.

In the PHP file you need to include the Smarty class require ‘Smarty.class.php’. After that you need to instantiate the smarty with $smarty = new Smarty.

To assign a variable to the template you need to $smarty->assign(’UserName’, ‘John Doe’). After everything is finished you call the method to display the template $smarty->display(’index.tpl’).

A sample code looks like this (index.php) :

<?php
require ‘Smarty.class.php’;
$smarty = new Smarty;

$smarty->assign(’Username’, ‘John Doe’);
$smarty->display(’index.tpl’);
?>

The template (index.tpl) looks like this:

<html>
<body>
        Welcome {$Username}
</body>
</html>

You can also create an array in PHP an pass it to the template:

$tmp = array ( ‘UID’=> ‘10′,  &’Name’ => ‘John Doe’, ‘Address’=>’Home address’);
$smarty->assign(’info’, $tmp);

Sample Script

This script connects to a local database and select all the products from the ‘Products’ table. Then it passes all the values to the template, which prints them on the screen.

INDEX.PHP

<?php
require ‘Smarty.class.php’;
$smarty = new Smarty;

$hostname = "localhost";
$dbUser = "sqluser";
$dbPass = "sqlpass";
$dbName = "sqldb";
// connect to the database
$conn = mysql_connect($hostname, $dbUser, $dbPass) or die("Cannot connect to the database");

mysql_select_db($dbName);

$sql = "SELECT prodID, info FROM products ORDER BY prodID ASC";
// get all the products from the table
$res = mysql_query($sql);
$results = array();
$i=0;
while ($r=mysql_fetch_array($res)) {
            $tmp = array(
                ‘prodID’ => $r['prodID'],
                ‘info’=> $r['info']
            );
            $results[$i++] = $tmp;
}
// pass the results to the template
$smarty->assign(’results’, $results);
// load the template
$smarty->display(’index.tpl’);
?>

INDEX.TPL

<html>
<body>
Here’s a table with the results: <br>
<table cellpadding=1 cellspacing=0 border=0 width=100%>
{section name=nr loop=$results}
    <tr {if $smarty.section.nr.iteration is odd} bgcolor="#efefef"{/if}>
        <td class=fb width=15%>
            <nobr><a href=”show-product.php?id={$results[nr].prodID}">Press here</a>

        <td class=fb width=29%><a href="show.php?id={$results[nr].prodID}"
        {popup inarray=$smarty.section.nr.iteration}
        >{$results[nr].info}</a></td>
    </tr>

{sectionelse}
<tr><td align="center"><br><b>no product </b> <br> </td></tr>
{/section}
   
</table>

<br>

Here’s a select with the results: <br>
<select name="mys">
    {section name=nr loop=$results}
        <option value="{$results[nr].prodID}">{$results[nr].info}</option>
    {/section}
</select>

</body>
</html>

Summary

Smarty is a great tool for both designers and developers. By using Smarty you can reduce the site development and maintenance times. If you are a developer you no longer need to mix PHP code with HTML code. Just take care of business logic and leave the HTML to the designer.

A PEAR package is distributed as a gzipped tar file. It can consist of source code or binaries or both. Many PEAR packages can readily be used by developers as ordinary third party code via simple include statements in PHP. More elegantly, the PEAR installer which comes with PHP by default may be used to install PEAR packages so that the extra functionality provided by the package appears as an integrated part of the PHP installation. Unlike the Comprehensive Perl Archive Network (CPAN) archives, which PEAR took as its model, PEAR packages do not have implicit dependencies so that a package’s placement in the PEAR package tree does not relate to code dependencies. Rather, PEAR packages must explicitly declare all dependencies on other PEAR packages.

The PEAR base classes contain code for simulating object-oriented destructors and consistent error-handling. Packages exist for many basic PHP functions including authentication, caching, database access, encryption, configuration, HTML, web services and XML.

PECL (PHP Extension Community Library) is conceptually very similar to PEAR, and indeed PECL modules are installed with the PEAR Package Manager. PECL contains C extensions for compiling into PHP. As C programs , PECL extensions run more efficiently than PEAR packages. PECL includes modules for XML-parsing, access to additional databases, mail-parsing, embedding Perl or Python in PHP scripts and for compiling PHP scripts. Originally PECL was called the PEAR Extension Code Library, but it now operates independently of PEAR.

List of package categories

    * Authentication
    * Benchmarking
    * Caching
    * Configuration
    * Console
    * Database
    * Date & Time
    * Encryption
    * Event
    * File Formats
    * File System
    * Gtk Components
    * Gtk2 Components
    * HTML
    * HTTP
    * Images
    * Internationalization
    * Logging
    * Mail
    * Math
    * Networking
    * Numbers
    * Payment
    * PEAR
    * PHP
    * Processing
    * Science
    * Semantic Web
    * Streams
    * Structures
    * System
    * Text
    * Tools and Utilities
    * Validate
    * Web Services
    * XML

http://www.scripts.com/php-scripts/
http://www.best-php-scripts.com/
http://gscripts.net/
http://www.phpjunkyard.com/
http://www.free-php.net/
http://coding.phpground.net/
http://www.atomicphp.com/
http://www.thefreecountry.com/php/index.shtml
http://www.phpbuilder.com/snippet/
http://phpwizard.net/
http://www.devshed.com/Server_Side/PHP
http://www.phpclasses.org/
http://px.sklar.com/
http://zend.com/codex.php
http://www.weberdev.com/
http://www.hotscripts.com/PHP/
http://www.phpresourceindex.com/

I would be adding more to the list soon….

Consider the following XML’s

< ?xml version=’1.0′?>
< !DOCTYPE chapter SYSTEM "/just/a/test.dtd" [
<!ENTITY plainEntity "FOO entity">
< !ENTITY systemEntity SYSTEM "xmltest2.xml">
]>
<chapter>
 <title>Title &plainEntity;</title>
 <para>
  <informaltable>
   <tgroup cols="3">
    <tbody>
     <row><entry>a1</entry><entry morerows="1">b1</entry><entry>c1</entry></row>
     <row><entry>a2</entry><entry>c2</entry></row>
     <row><entry>a3</entry><entry>b3</entry><entry>c3</entry></row>
    </tbody>
   </tgroup>
  </informaltable>
 </para>
 &systemEntity;
 <section id="about">
  <title>About this Document</title>
  <para>
   <!– this is a comment –>
   < ?php echo ‘Hi!  This is PHP version ‘ . phpversion(); ?>
  </para>
 </section>
</chapter>

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY testEnt "test entity">
]>
<foo>
<element attrib="value"/>
&testEnt;
<?php echo "This is some more PHP code being executed."; ?>
</foo>

The following code shows how we can parse the above XML file using PHP

< ?php
$file = "xmltest.xml";

function trustedFile($file)
{
    // only trust local files owned by ourselves
    if (!eregi("^([a-z]+)://", $file)
        && fileowner($file) == getmyuid()) {
            return true;
    }
    return false;
}

function startElement($parser, $name, $attribs)
{
    echo "&lt;<font color=\"#0000cc\">$name";
    if (count($attribs)) {
        foreach ($attribs as $k => $v) {
            echo " <font color=\"#009900\">$k</font>=\"<font color=\"#990000\">$v</font>\"";
        }
    }
    echo "&gt;";
}

function endElement($parser, $name)
{
    echo "&lt;/<font color=\"#0000cc\">$name</font>&gt;";
}

function characterData($parser, $data)
{
    echo "<b>$data</b>";
}

function PIHandler($parser, $target, $data)
{
    switch (strtolower($target)) {
        case "php":
            global $parser_file;
            // If the parsed document is "trusted", we say it is safe
            // to execute PHP code inside it.  If not, display the code
            // instead.
            if (trustedFile($parser_file[$parser])) {
                eval($data);
            } else {
                printf("Untrusted PHP code: <i>%s</i>",
                        htmlspecialchars($data));
            }
            break;
    }
}

function defaultHandler($parser, $data)
{
    if (substr($data, 0, 1) == "&" && substr($data, -1, 1) == ";") {
        printf(’<font color="#aa00aa">%s</font>’,
                htmlspecialchars($data));
    } else {
        printf(’<font size="-1">%s</font>’,
                htmlspecialchars($data));
    }
}

function externalEntityRefHandler($parser, $openEntityNames, $base, $systemId,
                                  $publicId) {
    if ($systemId) {
        if (!list($parser, $fp) = new_xml_parser($systemId)) {
            printf("Could not open entity %s at %s\n", $openEntityNames,
                   $systemId);
            return false;
        }
        while ($data = fread($fp, 4096)) {
            if (!xml_parse($parser, $data, feof($fp))) {
                printf("XML error: %s at line %d while parsing entity %s\n",
                       xml_error_string(xml_get_error_code($parser)),
                       xml_get_current_line_number($parser), $openEntityNames);
                xml_parser_free($parser);
                return false;
            }
        }
        xml_parser_free($parser);
        return true;
    }
    return false;
}

function new_xml_parser($file)
{
    global $parser_file;

    $xml_parser = xml_parser_create();
    xml_parser_set_option($xml_parser, XML_OPTION_CASE_FOLDING, 1);
    xml_set_element_handler($xml_parser, "startElement", "endElement");
    xml_set_character_data_handler($xml_parser, "characterData");
    xml_set_processing_instruction_handler($xml_parser, "PIHandler");
    xml_set_default_handler($xml_parser, "defaultHandler");
    xml_set_external_entity_ref_handler($xml_parser, "externalEntityRefHandler");
   
    if (!($fp = @fopen($file, "r"))) {
        return false;
    }
    if (!is_array($parser_file)) {
        settype($parser_file, "array");
    }
    $parser_file[$xml_parser] = $file;
    return array($xml_parser, $fp);
}

if (!(list($xml_parser, $fp) = new_xml_parser($file))) {
    die("could not open XML input");
}

echo "<pre>";
while ($data = fread($fp, 4096)) {
    if (!xml_parse($xml_parser, $data, feof($fp))) {
        die(sprintf("XML error: %s at line %d\n",
                    xml_error_string(xml_get_error_code($xml_parser)),
                    xml_get_current_line_number($xml_parser)));
    }
}
echo "</pre>";
echo "parse complete\n";
xml_parser_free($xml_parser);

?>

I hope this will help. Your comments are welcome.