Dec 31, 2008 - PHP

PHP: Serialization & Unserialization explanation, code & example

When I was new to PHP 5 Object Oriented Programming (OOP), the serialization and un-serialization issues were not clear to me and I used to get confused with them often. Nowadays I can play with them easily and I will try to share my knowledge with you so that you can kill your confusion on these topics.

What is Serialization?

This process makes a storable representation of a value that is useful for storing or passing PHP values around without losing their type and structure.

Remember the “__sleep” function in case of Serialization

Before starting your serialization process, PHP will execute the __sleep function automatically. This is a magic function or method.

What is Unserialization?

This process takes a single serialized variable and converts it back into a PHP value.

Remember the “__wakeup” function in case of Unserialization

Before starting your unserialization process, PHP will execute the __wakeup function automatically. This is a magic function or method.

What can you Serialize and Unserialize?

Many things as such

  1. Variables (Integer, Float, Real, String etc.)
  2. Arrays
  3. Objects etc.

What cannot you Serialize and Unserialize?

Only one type

  1. Resource-type

A simple example of Serialization and Unserialization

Explanation of the example

If you notice the A to Z of the above code, you will find that we have a $myString variable, $myArray array and $myObject object. First of all, we have set values to them and then printed them all. They all perform as expected. Then we change all the values. Next when we serialize and unserialize the values, our original dara structure returns! And that is what we wanted.

Here is the result of the above code:

An interesting thing to note:
I would like to draw your attention to the fact that using __sleep() method, you can change the values of your declared and initialized variables. But you cannot change them by using __wakeup() function. For example, see the following code:

Now we serialize 3 (three)  times and unserialize 2 (two) times.

And here is the result if we serialize 3 (three)  times and unserialize 2 (two) times.

Although we initialized $this->counter variable in the __construct() function, it is not used or has no effect in __wakeup() function. But it works properly in __sleep() or serialize() process. But what is the reason? The explanation is simple. The __wakeup() is part of the process when your data is retrieved from memory. Another thing is – did you notice the array return in the __sleep() function? Without returning this, the process often does not work. So, please remember to keep in your code.

Dec 29, 2008 - Uncategorized

PHP & MySQL: Creating a website in your local language smoothly

You know English is the international language and accepted as international communication. So, most of the websites have been developed in English. But in many other times, a developer needs to work with local languages where they are developing a website in PHP. If you develop in local language, you need to know a small trick and that will show your content properly in all browsers smoothly.

So, what is the technique?

Step One: An observation
I will show you the source code of two Bengali newspaper. In this newspaper: http://www.prothom-alo.com, the fonts and text comes properly in all browsers. But in this newspaper: http://www.ittefaq.com, it can show text and fonts properly only in Internet Explorer.

Now the matter is we must make sure our content will be displayed properly in any browser. Right?

OK. So what is the difference between the two websites I just gave example?

If you take a look at the source code of the first website’s content, you will find it is like this:সઃপাদক

This is another website that had been developed as smooth site in the same technique: http://www.bdnews24.com/bangla. If you check its code, you will see that it uses same type of code for its text.

So, what are these পাদকীয় things? It is very interesting that these are universal representation of local language in HTML entities. For every character of any local language, there is a unique and fixed symbol defined such as প in HTML entities. When you bring this kind of text in your browser source code, the site content looks smooth without any break and fonts displays properly.

Now if you open the source code of http://www.ittefaq.com, you will see something like AvR beg RvZxq msm` wbe©vP‡b jovB n‡e †RvU-gnv‡Rv‡Ui g‡a¨. The matter is they are also showing Bengali news content, but in a different way that is not useful in cross-broswer platform. This is often totally recognized by only Internet Explorer and often partially recognized by other browsers.

Step Two: Storing your local language content in the database
You see I have some content in my local language (Bangla) in the database.

Step Three: Converting your local language text in Universal code
Well. This is extremely easy.

The displayLocalContent() function is going to display the news and convertToLocalHtml() function converts my utf-8 content to HTML entities.

And here in index.php I am executing my displayLocalContent() function.

As a result, the output is now as ঢাকা, ডিসে etc.

An alternative way
I have an alternative way in my mind and that is when you store the data in the database, you can first convert them to universal code such as কীয়and then directly show your text.

This article will cover any language such as Afrikaans, Albanian, Amharic, Arabic, Armenian, Assamese, Aymara, Azeri, Belarusian, Bengali, Bislama, Bosnian, Bulgarian, Burmese, Catalan, Chinese, Mandarin,Croatian, Czech, Danish, Dari, Dhivehi, Dutch, Dzongkha, English, Esperanto, Estonian, Fijian, Filipino, Finnish, French, Frisian,  Gagauz, Georgian, German, Greek, Guaraní, Gujarati, Haitian Creole, Hebrew, Hindi, Hiri Motu, Hungarian, Icelandic, Indonesian, Italian, Japanese, Kannada, Kashmiri, Kazakh, Khmer, Korean, Kurdish, Kyrgyz, Lao, Latvian, Lithuanian, Luxembourgish, Macedonian, Malagasy, Malay, Malayalam, Maltese, Māori, Marathi, Mayan, Moldovan, Mongolian, Montenegrin,Náhuatl, Ndebele, Nepali, New Zealand Sign Language, Northern Sotho, Norwegian, Oriya, Papiamento, Pashto, Persian, Polish, Portuguese, Punjabi, Quechua, Romanian, Rhaeto-Romansh, Russian, Sanskrit, Serbian, Shona, Sindhi, Sinhala, Slovak, Slovene, Somali, Sotho, Spanish, Swahili, Swati, Swedish, Tagalog, Tajik, Tamil, Telugu, Tetum, Thai, Tok Pisin, Tsonga, Tswana, Turkish, Turkmen, Ukrainian, Urdu, Uzbek, Venda, Vietnamese, Welsh, Xhosa, Yiddish, Zulu etc.

Dec 23, 2008 - PHP

PHP & MySQL: Unicode number add, subtract etc for any language

Recently a visitor from my country asked me how he can add Unicode numbers stored in MySQL database.  I was thinking that it is really a good question. Because you may store any number in any local language to your database and later you may try to add or delete them.

For example, in Bangla language an employee’s salary can be ২৪১৮৬ (which is 24186 in English) bucks and the coder may want to store it in a table under salary field. Another field can be bonus and it can be ২০০ (2000 in English). Now the coder may want to add them up anytime required. You know adding 24186 and 2000 is easy. But what the coder may do in case the values are stored in a local language?

The visitor asked me how he can use the MySQL sum() function in case the data are stored in Unicode format. Well. I do not think MySQL’s unicode will support the sum() function or even if there is one I do not know frankly speaking. So, I thought and developed an alternative solution.

  1. I get the unicode numbers from the database
  2. Convert them to English number
  3. Sum them up or anything like substract, multiply or divide etc
  4. Convert the result to Unicode once again

Thus, it looks simple procedure. Right?

So,  I wrote a small class to handle the whole procedure and here goes the coding of my class:

If you are not using Bengali language, you need to configure the equivalent number values in convertToEnglishNumber and convertToBanglaNumber functions.

And here goes the page where I am executing the displayTotalPayment() function.

Now the final result looks like this:

Oh! One important thing. If you are coding for European number format, you need to do some modification to handle the comma (,) factor in the number in case required.

Thus, if you use this small tricky method, you can add, subtract,  multiply or divide any local numbers such as Russian, Chinese, Arabic, Spanish, German, Polish, Turkey, Hindi etc.

Dec 15, 2008 - PHP, Wordpress

WordPress: Upload many PHP files quickly by Zip & Unzip


It is actually not only for a wordpress developer but also for all those developers who face situation where they must upload many files to the server. Recently in a wordpress project, I had to upload wordpress 2.7 version files in the server. In the wordpress 2.7 package, you will find around 600 files! Uploading them is not very interesting when your internet connection do not guarantee you smooth upload.

Uploading the 600 files brought me pain because they were going to the server very slowly and each time some files were corrupted and for any reason reuploading the corrupted files were not working. It was really time consuming, boring and painful. Then I started to look for an alternative solution. Then, I naturally came to the idea that how about I zip (compress) the folders containing most of the files and upload them. Thus I have to upload few zip files although bigger in size. Writing a piece of PHP code to unzip the zipped file is easy too.

So, I decided to zip the main three folders and uploaded them. You know they contain most of the files.

  1. First I zipped my three folders (wp-admin, wp-content & wp-includes) that contains most of the files.
  2. Changed the ‘public_html‘ folder permission to 777. Remember you will do it for the folder where you are going to upload.
  3. Uploaded the three zipped folders.
  4. Run my PHP script that you will see below.
  5. Checked if everything is OK and found them OK.
  6. Changed the file permission of the ‘public_html‘ folder back to 750. If you uploaded to any other folder, you need to change the permission 777 to any combination you think good for your purpose.
  7. Deleted the zip files since they are no longer required.

Here goes my PHP code to unzip them and it is very simple!

By the way, you can improve the code to more sophisticated one as per your requirement. For example, the exec() function has several options that you can use for more flexibility or anyway anything else you want.

Oh! There is one other way to unzip a uploaded zipped file although I did not use this piece of code. But remember that if you use this code you need to set your destination file permission to ‘777’ first and then change as mentioned before after you unzipped. Fortunately this coding is very simple too and an example is as follows:

I tested both the processes mentioned above in Linux system and not sure how it works in Windows Server. I guess the second process should work in Windows server for uploading and unzipping bulk file quickly.

This is all for the trick of the game and for killing the pain of uploading several hundred of files.

Nov 14, 2008 - MySQL, PHP

SQL Injection Prevention & Protection in PHP & MySQL with Example

What is SQL Injection?

SQL Injection is the process when someone executes one or more SQL statements in your database without your knowledge to harm the data in your database. In this technique, someone exploits a security vulnerability in database application layer. This happens often when you ask for input(s) from the user and they add extra SQL statement(s) with the valid input. We can illustrate this situation with two cases (1) user inputs are incorrectly filtered or (2) user submitted data is not strongly typed and one ore more of the inputs is executed unexpectedly.

Case 1:

Executing one statement at a time is OK.

Case 2:

Executing more than one statement at a time is also OK.

Now an intruder can combine Case 1 and Case 2, run all the queries at a time and then delete the users table and harmfully update the customers table.

As a result, a successful SQL Injection occurs and harms the database information.

Reasons behind SQL Injection

In the following situations, SQL Injection happens.

  • Incorrectly filtered escape characters
  • Incorrect type handling
  • Vulnerabilities inside the database server
  • Conditional Errors

Case 1: Incorrectly filtered escape characters

You have a module that asks for user’s email address to send a temporary password to her email address when she forgets her password. So, the usual SQL query will be like this in this case:

But an intruder can extent this statement if they set the value for the $email variable in this way and delete the user table:

[email protected]’; DROP TABLE users; SELECT * FROM customers WHERE name LIKE ‘%

As a result, the final statement is something like:

So, you see the intruder is deleting the users table easily. And as a result, you lose your users table and your system crashes since no user will be able to log in from now on. If you do not have a database backup, you loose everything.

Case 2: Incorrect type handling

Sometimes you definitely know the type of data. For example, the age of a customer is a numeric value, gender of a user as male or female, total amount of bill as double value.

Now what if someone submits the $ageValue value as 20; DROP TABLE users

The resulting sql is:

You know for sure that the value of will be always an integer. If you do not check if the value is really an integer, the intruder can add one or more statements with the value of $ageValue variable and harm your database.

Case 3: Vulnerabilities inside the database server

Although some people think that they can avoid SQL Injection just by using mysql_real_escape_string() function in PHP, they are wrong unfortunately. Built-in functions supplied with language package to work on database is sometimes vulnerable to database and thus are not successful to avoid the attack all the times.

Case 4: Conditional Responses

Using SQL Injection the user can easily bypass the sign in or log in process in your system. Let us give an example:

Now you know satisfying only one condition is enough to enter the system. The condition OR 1=1 is always true. Thus, the intruder can fool the log in system.

SQL Injection Prevention and/or Protection

These are the techniques for preventing SQL Injection:

  1. Use Parameterized Query
  2. Use Stored Procedure whenever applicable
  3. Apply Regular expression to discard invalid inputs
  4. Write and use Quote blocking  function
  5. Hide detailed error messages from the user
  6. Create a database user with less privileged role
  7. Set the limitation for maximum value in your HTML form

1. Use Parameterized Query

Rather than directly supplying the values in the SQL statement, let us supply the values in parameterized way as follows:

“i” stands for integer type
“d” stands for double type
“s” stands for string type
“b” stands for a blob and will be send in packets

2. Use Stored Procedure whenever applicable

Using stored procedures can help your to reduce the attack risk too.

3. Apply Regular expression to discard invalid inputs

Regular expression is very powerful process to find out the validity of the inputs. We can check whether the input is given in proper format. For example, here we validate data for a valid numeric value for customer age and reject any chance for SQL Injection.

You can also user the built in PHP is_array(), is_bool(), is_double(), is_float(), is_int(), is_integer(), is_integer() etc functions to check if the user provided information is in proper format.

4. Write and use Quote blocking  function

If you are using PHP, mysql_real_escape_string function for each and every user given inputs. For example,

This is a very powerful built-in PHP function and will stop SQL Injection in most of the cases. I have used it for long time and found it performing great. You can try to inject SQL after you use the mysql_real_escape_string function and test if you can succeed any way. This powerful function rejects the possibility of many clever techniques used by the intruders.

5. Hide detailed error messages from the user

First of all avoid using the built-in MySQL mysql_error() function. The clever intruder can guess many things from the error message and sometimes the error message may show the connection parameters. Using mysql_error() function is good at development stage. But avoid or clean it when you run it in the real server for users or visitors.

The second thing is stop error reporting in PHP. This is simple and one line code.

The third thing is better you give a customized error message. See an example:

As a result, the user will not know what the error is and how it is. He will also not get any accidentally disclosed crucial information such as database name, table name, username etc.

6. Create a database user with less privileged role

In most cases, you will notice that the visitors do not need to delete or update any information. Think of a music selling site. The user can request for data (which is SELECT query) and make their orders (which are INSERT query). Even sometimes the SELECT operation is just OK in many sites.

So, create different users with different privileges. For admin grant all the permissions. But for a general visitor, grant only limited permission. For example, I am creating, two connection string for two users.

And now we can user the $visitorDbLink link for regulating information connecting with the visitors and will use the $visitorDbLink link only for the administrator.

7. Set the limitation for maximum value in your HTML form

We can set that the username cannot be more than 10 chars. Try to use the “maxlength” property for HTML form. An example is like this:

As a result, possibility of attack by intruder somewhat goes down since he cannot input enough harmful SQL statement input. But it is not very helpful though and the user can bypass this creating his own form and submitting the custom form.

8. Using a PHP Framework

If you are using a PHP framework like CodeIgniter or CakePHP, the framework will protect you at maximum level from SQL injection. Complain of SQL Injection after using a PHP framework is rare and I did not hear even one still now.

This kind of frameworks are Open Source, very matured and strong nowadays and they do each and everything possible such as from input filtering to URL rewrite. Learning them is easy although it take some time. You can get books and other online materials about this PHP frameworks.

If you are an advanced PHP coder or developer, my suggestion is you better code using a PHP framework you like.

These are all I know about SQL Injection.

Nov 9, 2008 - PHP

PHP: pass all POST and GET variables in array in function parameter


My subject of this post is about the total number of parameters we send as input from a form or any other way and optimizing the parameter passing. If we have many forms and many input fields in each form, it is often painful to set or order value of GET, POST or other variables one by one.

Passing all POST variables as function parameter in one array

Let us see the following HTML form that has ten fields.

Now if we want to call a function passing all the input fields, it will look like this:

But does it look good or anything comfortable? I know most coder will be bored doing this. When I was a newcomer to PHP programming, I used to do this kind of programming. But there is no reason to do coding like this as we have extremely simple solution.

Fortunately we can pass a whole array as function parameter value. This is how:

Function calling:

Or the Object Oriented Programming style:

Easy and comfortable. Huh?

Getting the values inside the function definition:

Simple. Right?

You can also print all the input values inside your function you want for debugging or any other purpose as like this:

Passing all GET variables as function parameter in one array

Suppose that here is your link:

You can pass all the GET variables to a function such as ‘filterKeys’ in this case simply this way:

Or the Object Oriented Programming style:

And here is how you get them:

This is just like the way used for the POST method.

You can print the input values inside your function anytime you want for debugging or any other purpose like this:

Although REQUEST method will work similarly, I suggest you not using this for avoiding any future confusion and also for the sake of keeping your coding more readable for other developers.

Special Case: File

Actually when you send a file, it contains several data and $_FILES is an array itself. So, the following values come directly to your script without any extra attention:

So, you can use them directly in your script.

Taking another Special Case in Consideration: Setting default input values

Sometimes you may need to set a default value to one or more parameters. For example:

You can define array and scalar inputs altogether as like this:

Next you can pass array and scalar inputs altogether as like this:

So, why should you code like this? Because this will increase efficiency, save some time and make your code clean looking.

Oct 13, 2008 - MySQL, PHP

PHP – MySQL: Unicode solution to Chinese, Russian or any language

I am a Freelance Web Developer and my main tools are PHP & MySQL. Few days ago, I got a Chinese project where I had to develop a Real Estate site in Chinese language. You know we often build websites in English and Databases are in English too. So, the default configuration in MySQL works fine everytime.

But when it comes a language other than English, many people do not know what to do. Well. When I started the project, I did not even know that the default MySQL settings will not work for the Chinese language. So, I started searching for a stable solution where my program will support any language for adding, updating and searching data from the MySQL database.

First of all, the browser needs to know that you are going to display or use Unicode in this page. So, go to your <HEAD></HEAD> section and set the charset to utf-8. So, the browser will be able to show the Unicode text without any error and smoothly. You can also copy and paste the line below:


When you create your (a) Database and (b) any Table in the database, set the Collation of both of them to utf8_unicode_ci and you know it is very easy if you are using phpMyAdmin.


When you initialize the database connection, please add the “extra lines”

But why are you adding the extra lines? Because you are letting the database know what kind of input you are going to work with soon.


Why are you adding the first two lines for? Because the database should know what kind of data is going to be stored.


So, you are adding the extra two lines before you run your query string as you are playing with Unicode.


Adding the one extra line every time you search your Unicode data is enough.

You are done. This should work smoothly for handling your data in any language does not matter it is Bangla (my mother tongue), Hindi, Chinese, French, German, Spanish, Russian, Arabian (Arabic), Urdu, or any other language.

May 2, 2008 - PHP

Destroy or Delete all session variables in PHP

Sometimes I have seen that coders forges to delete all session variables when the user logs out or sign out. This can be dangerous since this is a security hole. From my own experience I have seen that the session variables may appear even after the sign out. I myself have seen this. This may happen because several people write codes in several ways. But what is important we must delete all session variables when the user signs out.

So, how can we delete all session variables and stop the session variables appear accidentally even after sign out?

Well. We can do it using only 3 lines of code and this is very easy too!

Add these following 3 lines of codes in your sign out code and all your session variables are destroyed!

But if you want to delete the session itself too, you need to add a few lines. So the final code will look like this.

Thus, we can destroy our session variables and keep the user secured one way.
Mar 29, 2008 - PHP

PHP script to print all the GET & POST variables

Variables are one of the core powers of programming. As PHP programmers, we oftern may find that a $_GET or $_POST variable is not performing properly or the way we expected. This may occur for several reasons such as we made a mistake in the variable name. Sometimes this kind of problem take so much time that lots of time is wasted to correct a single variable!

So, you can use the scripts I have written below and use in your code whenever you suspect that there may be a problem with the variables. These scripts helps you by showing the details of each and every $_GET and $_POST variables in the script.

This is very easy and actually 3 (three) lines of code required.

Below is the code to print all $_GET variables:

Click here to see the demo here.

To print all the $_POST variables, we need to change only one line:

You can do it in another way too. It is simple also.


So, print your $_GET and $_POST variables whenever you think required.