Using PHP and a PHP Example

Using PHP

Only the User Web Server has support for PHP. The Production Web Server does not, although this may be added at a later date.

At the moment, PHP support is classified as experimental. This means that if an unpatchable vulnerability is reported, access to PHP will be discontinued until a patch is available. Recent versions of PHP seem reasonably stable and reliable. Many of the current PHP-related vulnerabilities involve packages that run under PHP, rather than PHP itself.

If you believe the developers, PHP is an acronym for PHP: Hypertext Preprocessor. However, historical trivia buffs will recall that Version 1 of PHP was distributed as the Personal Home Page Toolkit. Version 1 was simply a collection of commonly wanted CGI scripts. Since then PHP has grown into a very powerful scripting language that allows you to embed scripting commands within HTML. The scripts execute on the server, so are not dependent on the viewer's web browser.

PHP can be used within web pages, and it can also be used for CGI scripts. One of the advantages of using PHP is that the same file can display a FORM and process the reply.

To use PHP within web pages:

  1. Create a file, within your "public_html" directory, with a ".php" extension rather than a ".html" extension. This file must be world-readable, as must any other web file.
  2. This file can contain any standard HTML as well as PHP scripting statements.
  3. PHP scripting statements are enclosed within "<?PHP ... ?>" tag sequences.
  4. A very simple PHP Script will display the current PHP configuration and environment. Create a file with a .php extension. For example, you could call this "info.php". Place the following in the file:
    Set the file permissions to 0644 as you would for any other webpage. To see what this produces use the URL:, where username is your log in ID.

To use PHP for CGI scripts:

  1. Create a file, within your "public_html/cgi-bin" directory, with a .php extension.
  2. Since this file must be accessed via the cgiwrap process, it must be executable. So, set its permissions to 0700, as you would for any other CGI program.
  3. Reference your PHP script name in your FORM Tag. For example, if your script was called "test.php", your FORM Tag would read:
    <FORM ACTION=/cgi-bin/cgiwrap/username/test.php>
  4. This script can access FORM variables via PHP-provided variable names.
  5. If you would prefer not to tell the world that your script uses PHP, you can give it any name that you like. If the file does not have a ".php" extension, then the first line of your script must be:

Since PHP web pages can also process CGI forms, you may wonder why you would create a PHP/CGI page to be run under "cgiwrap". The answer is fairly simple. If the PHP script will access files, then it should be run using the cgiwrap process. If it is just another web page, then the only files that it can access are ones that are world-readable (or even worse, world-writable). If it runs under cgiwrap then the files that it accesses need only belong to you.

Security Note: PHP is configured to only be able to access files that belong to the owner of the PHP web page or script.


Testing PHP

It is much harder to bench-test PHP scripts than other types of executable web content. PHP scripts can be invoked at a command prompt using the command-line interpreter for PHP.

prompt[ ]> php script_name.php

However, if it is not being run under the control of a web server, many of the web interface capabilities are disabled.

You can use this method to perform basic syntax checks, and to see if the default output appears to be HTML. Beyond that, you are effectively forced to test using a web server.

You can still check that your scripts are not looping or doing other undesirable things by using the same techniques outlined in the testing section. If your script is running as a web page, rather than as a cgiwrapped process, then apply the same checks as are outlined for an SSI web page that uses non-setuid programs.

You can also check the PHP error log. This is available in file "/var/log/httpd/LOG.PHPmessages". This file is world-readable. As with other web server log files, you can watch for messages as they appear using "tail -f LOG.PHPmessages" from within the Apache log directory.

As with other scripts, you can use the debugging version of the "cgiwrap" process, "cgiwrapd". You can also explicitly specify that the script is PHP by using "php-cgiwrap" and "php-cgiwrapd" respectively. However, these are only needed if your PHP script does not have a ".php" file extension in its name.


A PHP Example:

This is a fairly simple example of something that can be done with PHP. It is designed to run as a CGI script under the cgiwrap process. It processes a form and displays the result. Note that the output of this script is provided by a mix of embedded HTML and PHP I/O commands.

If you were to install this code in your "cgi-bin" directory as an executable file called "Example.php", it would display a form asking for a file name and, once submitted, would safely display the text in that file. The script is originally invoked as: Every time that the submit button is clicked, it reruns itself under the same URL. If you wish to try this example, you will have to replace "username" with your log in name.



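<?PHP
 // Use the submitted file name, if any; otherwise start with an empty field
 if (isset($_POST ["file"]))
 {
   $FileName = $File = $_POST ["file"];
 }
 else
 {
   $FileName = "";
 }
?>

<FORM ACTION=/cgi-bin/cgiwrap/username/Example.php METHOD=POST>

<P>Enter FileName:
<?PHP
  // Escape the submitted name so it cannot break out of the VALUE attribute
  echo " <INPUT TYPE=TEXT NAME=file VALUE=\"" . htmlspecialchars ($FileName, ENT_QUOTES) . "\" SIZE=75>\n";
?>
<INPUT TYPE=SUBMIT>
</FORM>

<?PHP
 if (isset($File))
 {
   $Handle = @fopen ($File, "r"); // '@' suppresses external errors

   if ($Handle)
   {
     $FileText = fread ($Handle, 10000); // Read up to 10,000 Bytes

     fclose ($Handle);

     // Fix HTML tags that may be there

     $SafeText1 = str_replace ("&", "&amp;", $FileText);
     $SafeText2 = str_replace ("<", "&lt;", $SafeText1);
     $SafeText  = str_replace (">", "&gt;", $SafeText2);

     // Now it is safe to display it
     // (the file name is user input too, so it is escaped as well)

     echo " <H2 ALIGN=CENTER>File: " . htmlspecialchars ($File, ENT_QUOTES) . "</H2>\n";

     echo "<PRE>\n";
     echo $SafeText;
     echo "</PRE>\n";
   }
   else
   {
     echo " <H3>Error: File '" . htmlspecialchars ($File, ENT_QUOTES) . "' is not accessible.</H3>\n";
   }
 }
?>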
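Because a script run under cgiwrap can open any file that belongs to you, a file viewer like this one is usually limited to a single directory. The following is an added example, not part of the original page; the directory "/home/username/viewable", the function names resolve_inside and render_file, and PHP 7.1 or later are assumptions.

```php
<?php
// Added example: only serve files that resolve to a location inside BASE_DIR.
// BASE_DIR is an assumed path; pick a directory outside public_html.
define('BASE_DIR', '/home/username/viewable');

// Return the canonical path of $name if it is a regular file inside
// $baseDir, or null for anything else (bad input, missing file, escape).
function resolve_inside(string $baseDir, $name): ?string
{
    // Reject arrays (file[]=x), empty names and embedded NUL bytes
    if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symbolic links, and returns
    // false when the target does not exist
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // Compare with a trailing separator so "/home/username/viewable2"
    // is not accepted as being inside "/home/username/viewable"
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Build the HTML for one request; the same message is returned for every
// failure so the response does not reveal which paths exist.
function render_file(string $baseDir, $name): string
{
    $path = resolve_inside($baseDir, $name);
    $text = ($path === null) ? false
          : @file_get_contents($path, false, null, 0, 10000); // 10,000-byte cap
    if ($text === false) {
        return "<H3>Error: that file is not accessible.</H3>\n";
    }
    // ENT_SUBSTITUTE keeps output for files that are not valid UTF-8
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return "<H2 ALIGN=CENTER>File: " . htmlspecialchars(basename($path), $flags)
         . "</H2>\n<PRE>\n" . htmlspecialchars($text, $flags) . "</PRE>\n";
}

if (isset($_POST['file'])) {
    echo render_file(BASE_DIR, $_POST['file']);
}
```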


These fairly simple examples are not intended to teach anyone how to use PHP. For complete details on the PHP Language, refer to the manual. This is available on-line from