Variables in PHP

If you have experience programming in high-level languages (e.g., C++, Delphi), you know that every variable must be of a strictly defined type and that the code must follow fairly stringent syntax rules. PHP is more flexible and does not impose such strict rules. This flexibility, however, comes at a price: a greater chance of erroneous script execution and much more difficulty in providing proper security. Many break-ins have been perpetrated precisely because variables in PHP are not assigned a specific type when they are declared.

Suppose a hacker passes a database query string through a parameter that the programmer intended to carry a numerical value. (By the way, this is how the PHPNuke site management system was cracked.) If the parameter variable had been declared with a specific type, such an action would return an error, because the string could not be converted into a number. Because PHP is a weakly typed language, programmers must implement data type checks and handle incorrect data type errors themselves.

If you have programmed in C, Java, or Perl before, many concepts in PHP will be familiar to you, because PHP is very similar to C/C++.

We have already touched slightly on variables and know that a variable is a memory area in which values can be stored and can be referenced by a name. We don't care where exactly in the memory our variables are stored, because their values can always be retrieved or changed by referencing their names. PHP variables have the following properties:

Full version | Tag: PHP Development | Date: 4/8/2009 12:21:41 PM

PHP Main Operations

Variables are created to perform some operations on them. At present, we will consider only the following simple mathematical operations:

  • + (addition)
  • - (subtraction)
  • * (multiplication)
  • / (division)

As is common in mathematics, mathematical operations in PHP are performed in the order of operator precedence. Multiplication and division are performed before addition and subtraction. Consider the following classical example:

$index = 2 + 2 * 2;

If you ask, for example, a third-grader to evaluate the above expression, the most likely answer will be 8. But those further along in math will not fall into the sequential evaluation trap. Their answer will be 6, because according to the mathematical operator precedence order, the multiplication is performed first, yielding 4, which is then added to 2, producing 6.

Full version | Tag: PHP Development | Date: 4/19/2009 4:03:56 AM

Input Validation

Input validation is the primary task for every security specialist and software (web) developer. I will describe the problem using web development because it is my passion. Web programs get data from users through parameters. The parameters are the entry points to your application. Hackers may manipulate the parameters to affect your application and intrude into your system. Parameters are the gate between your application and its users. Protect the gate and your application will be secure.

Input validation is not the only security issue, but it is the main one. You have to provide proper input data validation to keep your system protected. There is no single solution that makes all parameters secure; it depends on your application and on how you use the data.

Assume all input is malicious. Do not trust data received from users. Trust only data that comes from you personally or from code of yours that has already checked the values. All other values must be checked.
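The following is an added example, not code from any of the posts above, showing the kind of check the "Variables in PHP" post and this post both call for: a parameter that is supposed to be a number is validated as an integer before it can reach a query. The parameter name "id", the table "articles" and the PDO connection are assumed for illustration.

```php
<?php
// Added example (not from the original posts): validate a parameter that must be
// an integer before it is used. Parameter name "id", table "articles" and the PDO
// handle $pdo are assumptions for illustration.

/**
 * Return the parameter as an int, or null if it is missing or not a well-formed
 * integer within [$min, $max]. PHP will happily treat "42 OR 1=1" as a string
 * wherever a number was expected, so the check has to be explicit.
 */
function validate_int_param(array $params, string $name, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    if (!isset($params[$name]) || !is_string($params[$name])) {
        return null;   // missing, or an array where a scalar was expected
    }
    $value = filter_var($params[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return ($value === false) ? null : $value;
}

// Constructed sample requests standing in for $_GET.
$samples = [
    ['id' => '42'],          // accepted: 42
    ['id' => '42 OR 1=1'],   // rejected: a query fragment, not a number
    ['id' => '0x2A'],        // rejected: hex is not accepted without FILTER_FLAG_ALLOW_HEX
    ['id' => '-7'],          // rejected: below min_range
    ['id' => ['42']],        // rejected: array instead of scalar
    [],                      // rejected: parameter missing
];

foreach ($samples as $request) {
    $id = validate_int_param($request, 'id');
    if ($id === null) {
        // Reject early; the raw value never reaches the query.
        echo 'rejected: ' . var_export($request['id'] ?? null, true) . "\n";
        continue;
    }
    // Even a validated integer is bound rather than concatenated into SQL.
    // $stmt = $pdo->prepare('SELECT title FROM articles WHERE id = :id');
    // $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    // $stmt->execute();
    echo "accepted: $id\n";
}
```

The check and the bound query are two separate layers: validation rejects values that make no sense for the parameter, and binding keeps even a valid value from being interpreted as SQL.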

Full version | Tag: Security | Date: 4/28/2009 1:44:18 PM