Hello, and welcome to ERT :-)
PHP is an acronym for PHP: Hypertext Preprocessor. The PHP website gives this short blurb about PHP:
PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.
What does this mean? Well, PHP is a scripting language. If you are familiar with client-side scripting for your webpage, such as Javascript or VBScript, you will know what a scripting language is. You are able to make choices, with if clauses and switch statements and use loops (three common types: while, for, do-while).
HTML, on the other hand, is a markup language. This means that it is used to describe information. If you recall, HTML tags are static and unchanging. Once you have a form on the page, it will stay on the page regardless (notice that all tags in HTML describe the presentation of the page, such as <b></b> or <br /> or even <form></form>, as is characteristic of a markup language). You cannot make decisions about whether to include the form or not (for instance, check whether the user is logged-in or not).
The situation can be partially remedied with Javascript. Yes, using the DOM, you can hide a form with CSS. But Javascript support can be turned off, and a very few people may still be using legacy browsers. Furthermore, every page load will require the form in the code viewed by the user, unless you redirect to another page. In the case of logins, this makes it extremely difficult to secure the page--what if someone turns off Javascript or does View Source? Can we do better?
Of course! We can use a server-side language, such as PHP. If you remember nothing else from this post, remember that PHP is server-side. This means that it is processed by the server, before it is shipped out to the client. Normally, the client requests a page from the server, and receives it. Javascript is an example of a client-side language, and is shipped out by the server to the client. It is the responsibility of the client/user's browser to display the Javascript correctly (and why it can be turned off as well).
In the case of a login scenario, you will need to ship to the client the detection code to see if someone is logged in. It is then the client/user's responsibility to execute that code. You need to hand the user the information for them to work with. This makes for a very insecure system.
If we use PHP, we can have the server process the code beforehand. This is even reflected in the name: Hypertext Preprocessor. If you have any previous experience with a language such as C/C++, you will know that the preprocessor runs before the code itself is compiled. The same is true of PHP. The client requests a PHP page from the server. The server then runs that PHP page, running all the if/else clauses, loops, etc. before returning to the client ONLY the information that it needs.
The best way of seeing this is with an example:
Bob is a malicious user who wants to hack our site. He knows the admin panel is at www.oursite.org/admin.php. Being a rather smart fellow, Bob decides to skip the login page and go directly to admin.php. Should work? Of course not :)
If we program our admin.php page correctly, Bob should not have access. We can do something like this:
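<?php
session_start();
//isset() avoids an undefined index notice when nobody has logged in yet
if (isset($_SESSION['b_logged_in']) && true === $_SESSION['b_logged_in'])
{
    //Welcome back!
    echo('<b>You are logged in!</b>');
}
else
{
    //Not logged in? Redirect to the login page
    header('Location: login.php');
    //Stop here so nothing after the redirect is sent to the client
    exit;
}
?>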
What does this snippet do? It basically checks to see if Bob is logged in or not. If he is not, in the else clause, we see a header() statement. This redirects the page to the login page. The code checks for login with a session cookie. This is a particularly useful aspect of server-side languages and PHP has a particularly large support base for it. A quick Google or a more specific question here will give you a better response (I don't want to get too off-topic!).
What happens is Bob goes to admin.php, the server will load the page, and run the code. It checks if $_SESSION['b_logged_in'] is true. If it is, we're logged in, and we display the data. Notice that what is in the echo() statement is just HTML! PHP can give you choices on when to output what HTML, simple as that.
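The other half of this check is the login.php page that sets the session flag. The following is an added example, not code from the original post: the sample account, the `credentials_ok()` helper and the `username`/`password` field names are assumptions made for illustration.

```php
<?php
// login.php: added example, not the original post's code.
session_start();

// Constructed sample account. A real site would load a stored hash from its
// database; hashing here only keeps the example self-contained.
$users = array('admin' => password_hash('example-passphrase', PASSWORD_DEFAULT));

// Hypothetical helper: true only for a known user with the right password.
function credentials_ok(array $users, $name, $password)
{
    if (!is_string($name) || !is_string($password) || !isset($users[$name])) {
        return false;
    }
    // password_verify() re-hashes the input and compares it to the stored hash
    return password_verify($password, $users[$name]);
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = isset($_POST['username']) ? $_POST['username'] : null;
    $password = isset($_POST['password']) ? $_POST['password'] : null;
    if (credentials_ok($users, $name, $password)) {
        // Issue a fresh session id so an id known before login is useless
        session_regenerate_id(true);
        // This is the flag admin.php checks; it lives on the server
        $_SESSION['b_logged_in'] = true;
        header('Location: admin.php');
        exit;
    }
    $error = 'Invalid username or password.';
}
?>
<html>
<body>
<?php if ($error !== '') { echo('<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>'); } ?>
<form method="post" action="login.php">
Username: <input type="text" name="username" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" value="Log in" />
</form>
</body>
</html>
```

The browser only ever holds the session cookie; the `b_logged_in` value itself stays in the server's session storage, so the user cannot set it by editing the page or the cookie contents.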
The description PHP.net gives mentions embedding inside HTML. That can be done too (as long as you have a server with PHP installed, and give your files the right extension, most of the time '.php'), for example:
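<html>
<head>
<title>
<?php
//The Referer header comes from the browser, so it may be missing or contain HTML
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'an unknown page';
//Escape it before output so it is shown as text, not interpreted as markup
echo('You came from ' . htmlspecialchars($referer, ENT_QUOTES, 'UTF-8'));
?>
</title>
</head>
<body>
Look at the title!
</body>
</html>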
What this example page does is print out the page you came from in the title of the website! As you see, PHP can also be embedded inside the HTML. And why not? It outputs HTML anyways :-)
If you look at the code ERT is coded in, it will be PHP. In fact, as of now, ERT is using phpBB forums, which is made entirely in PHP, and is amazingly powerful. Forums would be impossible without server-side languages.
However, keep in mind that PHP is not the only server-side language. There are ASP and JSP as well, just to name two. However, PHP does have a large support base and is built to be easy to program in, and that makes it attractive to many programmers.
Enjoy your trip into this world, and you will discover so much you can do with PHP! Ultimately, when you come out of it, you will be a much more knowledgeable website programmer, and will understand how to connect to databases, create secure login sites, work with session cookies, and even modify images on the fly! The opportunities are endless.
If you want, we can help you with that journey ;-)