instanceof is used to determine whether a PHP variable is an instantiated object of a certain class:
<?php
class A { }
$obj = new A();
if ($obj instanceof A) {
    echo 'A';
}
?>
DOMDocument::loadHTMLFile() parses the HTML document in the file named filename. Unlike loading XML, HTML does not have to be well-formed to load.
This function may also be called statically to load and create a DOMDocument object. The static invocation may be used when no DOMDocument properties need to be set prior to loading.
Several predefined variables in PHP are “superglobals”, which means that they are always accessible, regardless of scope – and you can access them from any function, class or file without having to do anything special.
The PHP superglobal variables are:
The $_SESSION superglobal does not necessarily contain data from the client.
password_hash() creates a new password hash using a strong one-way hashing algorithm. password_hash() is compatible with crypt(). Therefore, password hashes created by crypt() can be used with password_hash().
To hash a password, pass the password string to the password_hash() function as a parameter along with the algorithm you want to use, then store the returned hash in the database.
The following are the acceptable ways to create a secure password hash in PHP:
A. crypt()
B. hash_pbkdf2()
C. password_hash()
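The hash-and-store step described above, together with verification at login, as an added example that is not code from the original page. The $users array stands in for a database table, and the names register, login and TARGET are hypothetical. The account is created with a deliberately cheap cost to show an old hash being upgraded once the correct password is presented.

```php
<?php
// Added example. $users stands in for a database table (constructed data).
const TARGET = ['cost' => 12];

function register(array &$users, string $name, string $password, array $opts = TARGET): void
{
    // Store only the returned hash; it embeds algorithm, cost and salt.
    $users[$name] = password_hash($password, PASSWORD_BCRYPT, $opts);
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // Correct password in hand: upgrade hashes made with weaker settings.
    if (password_needs_rehash($users[$name], PASSWORD_BCRYPT, TARGET)) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, TARGET);
    }
    return true;
}

$users = [];
register($users, 'alice', 'correct horse', ['cost' => 4]); // old, cheap setting
$before = password_get_info($users['alice'])['options']['cost'];
var_dump(login($users, 'alice', 'wrong guess'));
var_dump(login($users, 'alice', 'correct horse'));
$after = password_get_info($users['alice'])['options']['cost'];
echo "cost before login: $before, after: $after\n";
```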
Late static binding lets PHP resolve a static reference to the correct class at run time. With the self keyword, PHP decides at compile time which class the method call binds to; with the static keyword, PHP resolves it late, i.e. it determines which class to use and binds the method call at run time. Resolving at run time is what lets PHP determine which class was meant.
Late static binding lets PHP use the calling class's information provided in a static method call.
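The difference between self and static, as an added example that is not from the original page. Model and User are hypothetical classes; the same static call on the subclass resolves to different methods depending on the keyword used inside the parent.

```php
<?php
// Added example; Model and User are hypothetical classes.
class Model
{
    public static function table(): string
    {
        return 'models';
    }

    public static function viaSelf(): string
    {
        return self::table();      // bound to Model when the class is compiled
    }

    public static function viaStatic(): string
    {
        return static::table();    // bound to the class named in the call
    }

    public static function create()
    {
        return new static();       // instantiates the calling class
    }
}

class User extends Model
{
    public static function table(): string
    {
        return 'users';
    }
}

// All three calls are made on User; only the static:: ones see User.
echo 'self::   -> ', User::viaSelf(), "\n";
echo 'static:: -> ', User::viaStatic(), "\n";
echo 'create() -> ', get_class(User::create()), "\n";
```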
The following methods are available to limit the amount of resources available to PHP through php.ini:
A. Limit the amount of memory a script can consume
B. Limit the maximum execution time of a script
The following can prevent PHP from being able to open a file on the hard drive
A. File system permissions
B. File is outside of open_basedir
• The PHP directive file_uploads must be set to On
• The form’s method attribute must be set to “post”
• The form’s enctype attribute must be set to “multipart/form-data”
Limit the files that can be accessed by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.
When a script tries to access the filesystem, for example using include, or fopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to access it. All symbolic links are resolved, so it’s not possible to avoid this restriction with a symlink. If the file doesn’t exist then the symlink couldn’t be resolved and the filename is compared to (a resolved) open_basedir .
open_basedir can affect more than just filesystem functions; for example if MySQL is configured to use mysqlnd drivers, LOAD DATA INFILE will be affected by open_basedir . Much of the extended functionality of PHP uses open_basedir in this way.
The special value . indicates that the working directory of the script will be used as the base-directory. This is, however, a little dangerous as the working directory of the script can easily be changed with chdir().
In httpd.conf, open_basedir can be turned off (e.g. for some virtual hosts) the same way as any other configuration directive with “php_admin_value open_basedir none”.
Under Windows, separate the directories with a semicolon. On all other systems, separate the directories with a colon. As an Apache module, open_basedir paths from parent directories are now automatically inherited.
The restriction specified with open_basedir is a directory name since PHP 5.2.16 and 5.3.4. Previous versions used it as a prefix. This means that “open_basedir = /dir/incl” also allowed access to “/dir/include” and “/dir/incls” if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: open_basedir = /dir/incl/
The default is to allow all files to be opened.
Note:
As of PHP 5.3.0 open_basedir can be tightened at run-time. This means that if open_basedir is set to /www/ in php.ini a script can tighten the configuration to /www/tmp/ at run-time with ini_set(). When listing several directories, you can use the PATH_SEPARATOR constant as a separator regardless of the operating system.
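Run-time tightening and the sibling-directory case from the prefix discussion, as an added example that is not from the original page. It assumes a CLI run in which open_basedir is not already set; the directory names under the system temp directory are constructed, and tryRead is a hypothetical helper.

```php
<?php
// Added example (constructed paths under the system temp directory).
// Assumes open_basedir is not already set for this PHP process.
$root    = realpath(sys_get_temp_dir()) . DIRECTORY_SEPARATOR . 'obd_demo_' . getmypid();
$allowed = $root . DIRECTORY_SEPARATOR . 'incl';
$sibling = $root . DIRECTORY_SEPARATOR . 'include';   // shares the "incl" prefix

mkdir($allowed, 0700, true);
mkdir($sibling, 0700, true);
file_put_contents($allowed . '/ok.txt', 'inside');
file_put_contents($sibling . '/secret.txt', 'outside');

// Tighten at run time. The trailing separator keeps the rule a directory
// match even on versions that treated the value as a string prefix.
if (ini_set('open_basedir', $allowed . DIRECTORY_SEPARATOR) === false) {
    exit("could not set open_basedir\n");
}

function tryRead(string $path): string
{
    $data = @file_get_contents($path);   // @ hides the open_basedir warning
    return $data === false ? 'REFUSED' : "read \"$data\"";
}

echo 'open_basedir = ', ini_get('open_basedir'), "\n";
echo 'inside   : ', tryRead($allowed . '/ok.txt'), "\n";
echo 'sibling  : ', tryRead($sibling . '/secret.txt'), "\n";
echo 'via ../  : ', tryRead($allowed . '/../include/secret.txt'), "\n";

// The setting can only be tightened: widening back to the parent fails.
$widened = @ini_set('open_basedir', $root);
echo 'widen attempt ', ($widened === false ? 'rejected' : 'accepted'), "\n";

// The demo files stay in the temp directory: after tightening, this
// script can no longer reach the sibling directory to delete it.
```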
• Userland code may trigger custom errors
trigger_error( "something went wrong", E_USER_WARNING);
• These errors may be handled with a custom error handler function
function myHandler($code, $text, $file, $line) {
    if ($code == E_USER_WARNING) {
        echo 'WARNING: ' . htmlspecialchars($text);
        return true;
    }
    return false;
}
• If the custom error handler function returns true, PHP's error handling does not kick in
• Custom error handler function needs to be registered using set_error_handler("myHandler").
Example
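<?php
// Custom handler: escape the message and file name before writing them into HTML.
function myErrorHandler($errno, $errstr, $errfile, $errline) {
    echo "<b>Custom error:</b> [$errno] " . htmlspecialchars($errstr) . "<br>";
    echo " Error on line $errline in " . htmlspecialchars($errfile) . "<br>";
}
// Register the handler, then raise a user-level error to exercise it.
set_error_handler("myErrorHandler");
$test = 2;
if ($test > 1) {
    trigger_error("A custom error has been triggered");
}
?>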