Hello, everybody. My name is Peter. You can also call me Meyer. And I'm one of your TF's. Thank you so much for joining us for a section here on Wednesday, the 27th of June. We're going to be talking about HTTP, DNS and PHP. So how far did David get in the lecture? Did he get all the way to talking about the GET superglobal, $ underscore GET? Did he talk about that? Did he talk about $ underscore or sorry, POST? [Inaudible] he mentioned it previously. He mentioned it, yeah okay. What about $ underscore SESSION? He did. It looks like it was previously mentioned. He mentioned it, okay. Cool. Good. So we'll cover some of this stuff today. First of all, I wanted to point out just a few things about HTTP and DNS. I'm using this new presentation tool, Prezi. So we'll give this a whirl. I don't have very many slides but first of all, all of my sections will have code that's available at this content link. So if you go to this link and I'll make this Prezi available as well, you'll be able to find the code -- any code that we do today. So the code will be in this folder and you can email me at this email, pnore@fas.harvard.edu. So first of all, let's talk about HTTP and DNS. DNS is -- did he give much time to DNS? Did David spend much time talking about DNS at all? Yes. Yeah, he did. Okay, cool. So he talked about how every DNS request goes to your local ISP and then if your local ISP doesn't know what the domain name for or what the IP address is for a given domain name then it goes through the root name server all the way up to a dot.com name server for prezi.com. So then if he covered DNS pretty well then we can spend some more time talking about hypertext transfer protocol. So like any protocol, I find it interesting to think about protocols by thinking about CB radios. 
Back in the 70's, they used to have these radios in every car and there's kind of a protocol for how you announced yourself to the people that were around you like to the vehicles that are around you that had CB radios in those vehicles. And so if you go check out the voice procedures on Wikipedia, there are certain key words like affirm, negative, over, out and there are certain times when you can say those key words. And HTTP is the same way. There are certain key words inside the header and there are certain places at which certain key words are able to occur. And you can see these headers in progress later on in this term. We'll talk about how to see the raw HTTP headers as they head across the internet in order to see what's actually happening with your AJAX requests. So it's a protocol which is just a set of conventions with vocabulary and a method for using that vocabulary. And it's also stateless which means that every time information is sent and received once, the information is discarded. So we need cookies and session management like the $ sign underscore session in order to make anything appear persistent. And what that means is that when you request a webpage, like let's say you go to netflix.com and you see your homepage on Netflix, if you were to go to another page on Netflix, the only way that they're able to know that you are still you and not somebody else is by using this simulated persistence with session management and cookies and information stored on the server. So the webpage is created on the server by -- it's initiated with a browser request. The browser sends an HTTP header that contains an address like this one could be prezi.com/, you know, this big long address and then all of these key value pairs. And then Apache finds the appropriate page to render, and once it's found the appropriate PHP file that's going to process when the URL actually is delivered, then it processes the PHP that's in that file. 
And that file returns HTML after interacting with one or more databases. This could be MySQL. It could be a CSV file. It could be XML that's stored on the server. It could be a flat file database. We'll deal with a lot of these different circumstances throughout the course. And then after processing the PHP, it returns the HTML back to the browser. So if you can think about Apache as being these kind of purplish pink things in here, that will actually clarify your mind as we try to debug our programs. So that's pretty much all I have with Prezi. Let's get started with some examples. So I'm going to be using a previous version of the CS50 appliance that we'll be using in this class. We're still updating the appliance so once it's officially released then you'll be able to download this computer within a computer and run it within a hypervisor on your computer. Now hypervisor is a program that runs a computer within a computer. If you've never run a virtual machine on your computer, it'll be kind of a brain stretch the very first time. It's almost like a simulation of a CPU that's running its own operating system and we've stored in a large file that's over one gigabyte in size a setup environment that includes a server and a development environment, if you want to use Linux. And that's the environment that you'll be using. Yeah? If we already have something, I have VMware. Yeah. Can I run it inside VMware? So the question is if you are already familiar with VMware, can you run it inside VMware? That's quite probably true. Previous versions did work in VMware. I think for Windows, the preferred method is actually to use VMware right now. So that'll probably work just fine. Because I'm not responsible for developing the next version of the appliance, I can't say for sure which hypervisors it'll support. But I think that that's a fairly reasonable guess. And they've deployed it onto multiple hypervisors in the past to VirtualBox and to VMware. 
So you should be able to use whatever hypervisor you want probably. So the appliance I have open right here, so inside this little box, right here is a computer that's running inside my computer. And this is a computer that's running Fedora Linux. Fedora is a certain distribution of Linux, so if you're not familiar with Linux, it's an operating system just like Windows or Macintosh. And Linux, unlike Windows or Macintosh, has many different distributions. There are many different flavors to it. I guess in the same way that Windows Vista is a little bit different than Windows Seven. Linux Fedora is a little bit different than Linux Ubuntu. So there are different flavors for each version of Linux. And so the key right here is this IP address which has been already configured for us. 192.168.119.128 and if we open up a terminal here in your -- in this class, you'll probably become pretty familiar with terminal applications if you're not already. And right now, we're in a Linux environment so if we type ls, it lists the contents of the directory. And right now, we are in -- if I do pwd, that stands for print working directory, you can see I'm in the folder jharvard which is inside the folder Home. So when I did ls up at the top, that listed the current files and folders that are inside the folder jharvard that's inside Home. And there are many more commands that you'll need to get familiar with. If you're curious about any of these commands that I've demonstrated here, you can type man which stands for manual and then the command, and then you get a long help page that tells you all of the switches that can tell you more information than the default version of the command. So for example, this one right here, ls -a, that does not ignore entries starting with the dot which is a shortcut for this current directory. So if I do ls -a, then I see all the dot files. Another one that'll be really useful in this class is ls -l which gives you the long listing for the directory. 
And in this case, it gives you over here at the left, the permissions of the file and the owner and the group and the size and the last modification date and the name. The permissions will become really important when you try to debug which the permissions which are over here, will become really important when you try to debug what pages do and don't show up. So normally, when you open the -- when you open your appliance, it will probably not have a public HTML directory. You will have to create the directory and the way that you create the directory is by typing mkdir. I'm going to create a temporary directory right now, temp, and if I type ls -la, then -- or ls -l, then now you can see there's a folder, the temp folder that I just created and it has these permissions which are different than the public HTML permissions. And we'll deal more with permissions in another section once you already have the appliance and have played around with this. But in general, there's a mnemonic that you'll want to commit to memory which is that the number four stands for read permissions, and two stands for write, and one stands for execute. So the permissions that you have or that you can assign, are the sum of all the permissions that you want. So for example, if I wanted to change the permissions on the temp directory so that there are three relevant people that can interact with this directory, there is the user which comes first, the rwx. Then there is the group which is the middle rwx. And then there is everyone like, the permissions for every person that could encounter this folder which is the last triple of rwx. So whenever you indicate permissions, you indicate three numbers which is a number be -- each of which is a number between one and seven. 
And for example, if I wanted the temp directory to have the same permissions as the public HTML directory, I'd want it to have 755 because you can see the public HTML directory has read, write, execute for the first bit which is four plus two plus one. And then for the middle and the last users, for the group and for everyone, it has, well I guess for that one, the group has execute and read permissions so that would actually only be six. And then for the last one -- or no. It has read and execute so that's -- yeah. So read plus execute is five so there's read and execute on the group which is the middle one and on the final bit which is for everyone. So if I were to change the permissions on the temp directory with the chmod command, C-H-M-O-D 755 temp, then now temp has the same permissions as public HTML. So the reason why this is important is that when you go to this IP address, 192.168.119.128/ and then the user name which is jharvard, you are taken directly into the public HTML folder. CD stands for change directory so I just changed directory into the public HTML folder. And here you can see the S75-Sections folder which is just like what you see here. So if I were to move the temporary directory I just created to this directory, now you can see there's S75-Sections in temp and if I were to refresh this page, now I see the temp directory and because I assigned it at the same permissions, I should be able to go into it. And I don't have anything in there currently. So if you remember back to this image right here, the very first thing Apache does is find what PHP file to render. So if I go to -- it automatically knows that this server automatically knows that if you go to tilde and then a username, it goes to that user's public HTML folder which is at this address, home/jharvard/public underscore html. 
So that's what Apache does in order to find, in order to map the tilde jharvard to the public HTML folder and from then on, it just goes inside the folders the way that you tell it to. So if I go inside temp, and go inside temp -- if I create an index.php file inside of this temp directory, then if there's either an index.php or an index.html, it will -- Apache will naturally assume that is the one that you want to create. What we're seeing right here is the default Apache index. And so if I create an index.php, this is the default Apache index page for the temp folder. And if I create an index.php, it'll override this default one and display whatever the result of my php execution is. So I'm going to be using the terminal editor VIM to edit index.php and we'll just -- I'm sure that David did a little bit of this in his class as well. We'll just make a simple page. So now, if I refresh this page, it actually shows me the result of executing this php file. Now, there's no php code that's actually executed because we didn't include any begin php execution or end php execution tags. So the begin php execution tag is like that. Can you see that okay? So one of the most fundamental commands in php is echo. And you call echo by putting what you would like echoed out to the screen as a parameter to the function call. So I'm going to create a break and then echo more content. And then I'll close the php tags and this should echo more content out right there. So one of the most important commands that you can learn about is phpinfo. And that tells you everything there is to know about the version of php that you're running. One of the first things that I do, if I'm working on a new server is run this command in order to really find out what the server is capable of. Because it changes with every installation of php and with every version of Apache and the parameters that it's installed with. 
So phpinfo as a function call gives me this nice page that has all of these important key value pairs like, display errors is on, and error reporting. Now, this gives us a rather confusing integer for error reporting. But we can find out what that is if we were really determined to. It's easier to set error reporting than it is to read it through this page. So if you're interested -- if your version of php has any particular functionality, you can call the phpinfo function and then use control F on your page in order to search for that particular parameter and then look for it. So the [inaudible] with variable names in php, there are lots of things that are valid. Basically anything that begins with a dollar sign and then a letter or an underscore; these are all valid variable names. I would recommend against using an underscore just because php actually uses them internally in order to do its own variables like I post which is a variable that contains a very special array. Did David talk about arrays at all in this last? So one really clever function is print underscore r and if you put an array inside of print underscore r, then it tells you what's inside of the array. And in this one, it just displays an empty array. Why is that? For $ underscore GET, what's $ underscore GET supposed to have inside of it? Yeah. It should have parameters follow the URL. Right, so I actually need -- yes. Someone suggested that it should have the parameters following the URL. So this is actually the index.php page and if I put key equals val and refresh the page, then now my array is updated with a key of the word key and the value val. So I should be able to create a new break and then I am going to concatenate that break with $ underscore GET key and then because val is stored inside the key, then it's printed out right there and concatenated to a break. 
So in order to get beyond GET and POST which contain the information that Apache receives inside of the request, we need to incorporate sessions. And so the key to doing sessions is to at the very beginning before you echo out any content, you have to make sure that you call sessions underscore start and this actually makes it possible for you to use any of the key value pairs that you will then store inside the session variable. So the session variable is $ underscore SESSION and I can store anything in a key value pair here. Arrays in php let you store numbers or strings or even other arrays in them so you can have nested arrays. So you can use the session variable to literally store arrays of arrays of arrays in order to contain hierarchical information, if that's what you want to do. So I'll store first name inside -- I'll use my name, Peter and -- So if we go back to this page and refresh it, it says temporary page is working. And what has now happened is that I have created a cookie on my computer by my browser and that cookie contains a very long string of numbers that uniquely identifies me. And that cookie that has that long number in it, there is a file -- or there is a folder inside Apache that has that same long number in it. And so then when I request this page again, it goes and digs out that folder and puts the stuff that's inside that folder stored in the server into the $ underscore SESSION variable for you to use. So if I were to create I will call it after -- well in fact we'll copy it. Copy, cp stands for copy so I'm going to copy the index and call it index02 and now, I will not include these assignment statements but I will. You don't actually need these parentheses here for historical reasons. These days, everything in php is done in an object-oriented and function-oriented way. But traditionally, you actually can just do this. So now, I have a page that is index02 and if I go to index02.php, I see Peter Nore. 
And even though there's no assignment statement on this page and the reason why is that in index.php, I stored those variables in this SESSION folder. This one's called first underscore name. This one's called last underscore name and when you call session underscore start, when you visit this page, index.php, it creates a cookie on your computer -- created by your browser and that cookie is just a little file that has a long number in it and at the very same time, it creates a folder on the server here in Fedora and Apache does this, and it has that same number in it. So then, when I visit index02, it sends the cookie that was created on my computer to the server and it has that number in it so Apache knows that it can look up inside that directory and retrieve the information that was stored in a previous session. Yeah. If you had to stop a command like a session end and begin with index.php, would it still have performed or is there such a command? So the question was if you were to call a command to end the session before the variables were stored then would this retrieval be possible? Yeah, after the variables were stored but before you made index02. Yeah, so let's see. I don't even think that that is a command. What you can do is -- That it's kind of tricky to actually delete all -- to delete the entire session. You have to do several different things. You can expire the cookie prematurely. You can -- let's see. I'll actually have to give -- I can't remember the syntax right now. I'll have to get back to you with that comment. The -- and it is essential that you be able to do otherwise you wouldn't be able to log someone out. The -- right now, if I visit this page, it will always say the name that was stored there unless I go into a separate cookie space. And this is where Chrome is especially efficient for developing because if you press control shift N, you can instantly get into a fresh cookie space. 
And if I go to the same webpage, you can see it says, "undefined index first name" in index02 on line 11. So what we're seeing here are notices and you can see that the default error level in php is set up to actually tell you about the notices. This is something you wouldn't want in production environments obviously because it would expose your server to vulnerabilities and you can control the error reporting but because we're in a different cookie space here then you're not -- you know, this is what you would see once you call that special command. So let's try -- One thing that you can do is you can create a form and here in index.php, the first one, if we create a form and action equals our index02.php, and -- Or we can even -- you can even have a form submit to its own -- to the actual page itself. Or I believe, you can even leave a blank and it will submit it to this one as well. So if we go to index.php, we should create some labels here. So right now, we need a submit. I think that's how it is. So what I've just done is submitted the first name and the last name form elements to the GET parameter and then print it out of GET parameter. So this page is actually run twice. The very first time, print underscore r actually is you can see that my name is actually appended up here when I actually hit submit. So right now, there are no parameters and then when I hit submit, the parameters show up and print underscore r records that the variables are actually submitted. So because you can get access to variables this way, you can then store the -- Value of getting it from the GET superglobal. So what this will do, well maybe somebody else can explain it. What will this enable us to do? Yeah. Take the [inaudible]. Right, so it enables us to take the first and the last name from these two text boxes, store them into the SESSION and then if we load this page, whatever we type in here should show up on the second page because it's in the same SESSION. 
So I'm going to put random phrase here and it should store it in the SESSION and we have a syntax error, unexpected less than sign on line 12. So the problem here is that I didn't echo this br tag out and so it was confused because I was in the middle of php mode. And it needs a quote on that same line or a semi-colon in order to terminate the statement. So now, random phrase appears in the session. So this gives you an example of how you can take input from the user, store it into the SESSION and then retrieve that later. And because each cookie has an expiration date, you can store how long that's stored on the server. You can have it stored a month. You can have it stored a year. You can have it stored for 10 years. Ultimately though, it's up to the user how long that cookie is on their computer. It's possible for them to delete that cookie and then that information would not be stored persistently, which is why we have to log in periodically to some services. And because you can store arrays inside of arrays, you could even have a person key inside of SESSION and then in each person could be an array where there's a key, first name and last name and where or maybe the SESSION key could be people and then you could have actually store a bunch of people. You can store a lot of things into SESSION. It's actually just limited by the file size, you know, the memory is limited to the file size of the computer that's running it. So I think that pretty much illustrates it. In order to use post, you would -- I think it's -- is it type equals post? Is it method? Yeah, method. So if we do post then -- You can see that this -- oh, that didn't do it. Method, here. So what you should do whenever you're using these -- whenever you're referencing something that could be coming in from the outside world, you need to use isset in order to see if it is set. Either that or use the @ symbol in order to indicate that you want the errors to be suppressed if that key is not there. 
Because this is an array, this is a variable that refers to an array, and if that array doesn't have the key first name then you'll get a notice. So now that I've put the @ symbol there then it won't complain if that key is not present. So in Chrome, the -- I don't think you can pause in the middle of post but I'm sure David showed last time that you can view the different requests that have been done by the page. And when you're using JavaScript in order to indicate the -- in order to retrieve information from the server, you can press record and then have JavaScript do some executions and each request will appear right here. And so because I had the record button on, you can see the headers here. There is form data where first name is random and last name is string and the -- it's sent as post which means that nothing was stored in the actual URL request. But it's still in plain text and trivially observed. It's slightly more difficult to uncover a password if it's post but it's by no means secure. The -- so now you can see it first name is random and last name is string. And now first name is another random and last name is string. And even if I go to index01 or index02 then -- So I'm doing something wrong, where? On the left side? Yeah. Where your spread is [inaudible], it's underscore post. Oh yeah, yeah, yeah. So here instead of underscore GET, it should be underscore post because it's no longer retrieving it through the URL. So if I go back and submit that, and then go to index02.php, then now my name appears. So I think that covers most of these things except for how to manually create, how to manually delete the cookie. I think [inaudible]. Yeah, that will -- does that do everything? You'd have to be [inaudible]. I think the effect for the user is the same. So now, if we go to index02 then these are undefined. So for the user session destroy called at the end or called anywhere like destroys the availability of the number. 
Do you know if that actually destroys the actual information on the -- I think it [inaudible]. Yeah? But I'm not [inaudible]. The cookie -- I'm not sure if session destroy actually expires the cookie for the user? But yeah, so this should log the user out. If we wanted to do a password, you can do -- I think its type equals password. Yeah, so if you do type equals password, then you can store -- you can make it so that it doesn't appear on the screen. So that's at least how you could implement some primitive password functionality using SESSION. So what we could do is put at the top of this page, password -- it's like a secret password equals trust no one. And then you could say if -- So here, the form is not going to a different page but if we submit it to index02.php with a method of post, and we change this to password, so that it matches this post password field, we'll even print it out. So here, I got in because I used the trust no one password. But if I used a different password and here maybe this would be easier to see if I delete that type. So that actually did not work. Let's see. The name is password. If we -- You're not [inaudible]. I'm -- And you're doing it back [inaudible]. Yeah. So I didn't test for equality. Instead I actually assigned -- I overwrote the password key so if I do this, you do not enter the right password but if I enter trust no one then it says you got in. And then it says undefined index first name. I'm not sure why it says undefined index first name. Oops, oh yeah, because it's in the SESSION if I actually said -- Yeah. So do you guys have any questions about how to use the GET superglobal, the POST superglobal, or the SESSION superglobal, or what a superglobal is? Is that pretty clear? You can store tons and tons of information inside the SESSION. If you want something bigger or more rigorous, you can write it to a file and we'll cover that in future sections. 
The -- I will add these two files to the -- to this GitHub page and you will be able, Git is preinstalled on the appliance so when you get the appliance, you'll be able to run these examples right in your own appliance and use the same URL's I have in class. So I think that's pretty much everything that we've really had to get through today. You may encounter one issue when you start playing with this which is the permissions issue. If I were to create -- let's say I wanted to create another directory. And I make an index.html page. Let's just see if this works. So now, I should be able to go to -- I'm in home of jharvard public html temp2. So I should be able to go to inside the jharvard directory. I should be able to temp2. But it says you don't have access to temp2 on this server. So the first thing you want to do is do ls -l and make sure that the permissions are right. In order for directories to show up, they need at the very least execute permissions because you -- to execute a directory means to be able to go inside of it. It's different than -- you don't necessarily need read permissions or write permissions. Read permissions on a directory means that you can list the files inside of it and write means that you can write -- you can touch a new file inside of it. But you want to make sure that at the very least, you can -- everyone can execute it. So if you -- you know, in general, 755 will be fine for directories. If you change the permissions on temp2 to 755, then you'll still encounter this issue which is that now we can get inside temp2 and find out that there's an index.html page. But if I go inside temp2, I can see that the index.html only has read-write permissions. Now, if I do ls -l on the temp directory that we are working in, I can see index.php and index02.php only had read-write permissions. So why is it that I can enter these and execute them just fine but not this one? Does anyone have an idea? 
So what's happening here is that Apache, if you go back to this page, Apache, the very first thing it does is try to find a file to handle the request. And so if I go to jharvard/temp2, the first thing it looks for is index.php and if index.php isn't there, it looks for an index.html. And if it actually has the suffix html then it assumes -- then Apache assumes that there's no php that needs to be executed and actually delivers the html file up the way that it is on the server. And so, as a result, everyone needs read permissions in order to read an html file or in order to read a jpeg like an image. So you would need to chmod this so that everyone has the read bit enabled. And now, we can access it. This will probably cost you a few headaches the first time that you're working with the appliance, if you've never dealt with Linux permissions before. But again, that -- this 644 permissions is only necessary for things where everyone needs to be able to read them. We're using a type of php that the php is actually executed as you, the user, and you are jharvard. So it just needs these first read-write bits to be enabled. Are there any questions about that? I think that pretty much covers it. I'll make sure that these are up on Git by tomorrow and I'll make sure that the slide shows -- accessible through there as well. Thanks so much.