Morning, everyone. I'll take like one or two minutes for project questions. Yes? What's the benefit of, for the cross-site scripting prevention, you say minor modification to PHP programs. Yes. What's the benefit of PHP over another scripting language? It's one of the most widely used, well, case language, but I don't want to just tell you now. So we could use it. I think that'd be fine. Yeah. Yes. I think it's more difficult, maybe. Other questions? Yes. For the project where we have to limit the payload automatically, do we need to do something like, you send a request and, like in Burp Suite, you capture that request and modify it and then send it to the server? For, specifically for which one? For automatic acceptance of payload limitation. Yes. For that, that's the precise one, right? So you want to not just use, so specifically you don't want to just use the list of payloads, right? You want to understand, given an HTML context, what characters do I need to execute JavaScript, and automatically generate that payload? So the input would be that request and that target page. Yes. Yes. And then based on that, you generate automatically a precise payload. And we can use vulnerable applications like WebGoat or RAM application. Yeah, for that you don't have to, you can think of this as a module that you can plug into one of those other tools. Like you don't have to develop all that yourself, but you need to get it so that it is very precise by taking into account the HTML parsing and the context that the output is used in. XSS protection on the server side and the input on the server side. I can't hear what. XSS protection on the server side. Yes. So when we look into Java web-based applications, you do this, so the response is always HTML. Say that again. If you have an STPI with Java-based web applications. Right. So for XSS, you need the response to be always HTML, so that. Yes.
So can we go into that direction where the response can be, the request is some base advertised for Java-based web applications? Oh, you mean you do it for Java instead of PHP? Yeah. That would be fine. I think it's also more difficult, but maybe. So I think you have less. I mean, you may have to use some like reflection because you need to figure out what are all the parameters that are being sent in for this request. Right. It needs to be very dynamic. Can I use an XPDP solar dispatcher where XPDP solar dispatcher. So when I get a push there, I can push it up and. Yeah, but you can't just filter because you need to see what's being used. Right. If you put it into the database, if it's never used in HTML, you shouldn't filter it. Or you only need to filter it when it's being output. That's the trick there. It's not just, if you just filter, right, then you're gonna filter everything, but not everything is gonna be used in a cross-site scripting context. Yes, exactly. But yeah, you wanna hook the things that are coming in so that you know what came from the user. And then you also wanna hook the output function so that that way you can properly sanitize anything that needs to be sanitized. That's what I think. Yes, perfect. Cool, all right. Let's get on with it. Okay, so we've got the web and we're learning about the technologies that build out the web, right? So that we can understand the web-based attacks. And so we saw cookies. So if somebody were to refresh our memory, what are cookies, the delicious things that we like to eat? Yeah, they're just key value pairs or, yeah, they're just data that the server asks our user agent to store. And then every time we make a further request to that website or that domain, we send those cookies back, right? And so we saw that there's actually a lot of different policies that the server can specify. So the server can specify how long the cookie is valid for.
And so the user agent, right, the browser, is actually responsible for enforcing these policies about expiring cookies and restricting cookies to the proper domains and paths, right? So can the server, like, force the client to do these things and force it to make sure it expires cookies after a certain amount of time? No, right? So actually the server also has to enforce this policy, right? The server also has to check expiration dates and make sure it's expiring cookies and sessions on its side. Also, the user agent is free to delete cookies at any time, right? They can, the user can at any point just delete all their cookies, right? For maybe space reasons or storage reasons, probably not as relevant nowadays with hundreds and hundreds of gigs of disk space. Or the user decides to clear the cookies. So all of this, the purpose of cookies, right, goes back to sessions. Is the website, the server-side code, wants to establish some session, right? To understand and talk to the server. So we want some time-limited interaction of the user with the web servers so that I can know you're the same user that made this request. And so this is why it has to be implemented at the web application level. So you have to use cookies, use URL parameters or hidden form fields. And the most common way sessions are done is the server generates a unique, or in this case unique specifically means random and unguessable, so unique session ID and sends it to the user agent as a cookie, right? And then on the request, the user agent sends back that random unique session ID and then the server looks it up in its database, okay, this is this user, right? So what would happen if I just said, I sent you a cookie that says, hey, your user ID is one. And then when you send it back, I say, look that up in the database and say, look, great, it's user one. Here's all your data. Was that good? So will that work to do sessions? Does it functionally work? It won't work, right?
Log in, accept the cookie, I say you're user one. Every time you get a cookie, I say, okay, you're user one, here's all of user one's information. Right, that'll work. What's the problem there? It'll become a user on the system. Yeah, the cookies live on the browser, right? You could right now go and edit any of your cookies on your browser and you can just say, well, I wanna be user two or user three or user four or any other user on the system, right? Because the server is trusting that you're sending a valid cookie, right? So that's why in order to be really secure, we need these sessions to be random and unguessable. Otherwise you can get that. And what also does this mean about the security of this session cookie? So what happens if I'm, let's say, sniffing your web traffic on our local network or on our unencrypted wireless and I see your Facebook cookie. I can store it. Yeah, if I just store that and I make a request to Facebook using that cookie, right? HTTP doesn't know that it's actually not you that's making that request, it's me, right? And so this is why actually HTTPS is so important, is because it secures the cookies in transit from your browser to the server. And because cookies are used as sessions. So sessions are a key enabling component of web applications, right? If you wanna have sessions, you wanna be able to link different requests together. And so in the early days, in the start of the web, you would write a web application by writing a completely custom web server that would receive HTTP requests and run custom code based on the path, the query data, and would ultimately return the dynamic HTML page. Does that sound like something cool that you would want to do every time you wrote a web application? How many people have written a web application? Did you write an entire web server to do that? What was that? There are cases. There are cases? What cases? Who does that? Box. They actually wrote a capital applied system.
They ran, or they designed, an entire web application of the web server. Yes. You can do that, but, do people do this nowadays to make a real web application, right? I would say no, right? And one of the drawbacks is you have to keep, so you have your application, right? That custom code that you want to be executed, but you also then have to keep your web server component up to date with the latest HTTP changes. And you've seen the HTTP 1.1 spec, right? It is pretty long, yeah, right? So then every time that spec updates, you would have to update your web application, and everybody on the web would have to do that. So basically, as a matter of abstraction or kind of a separation of concerns, right? We say, okay, let's separate the web server into its own component, and that will accept HTTP requests, then it will forward those relevant requests to a web application to further process, right? Now you can upgrade the web server and everything will be great, and the back end web application will be fine. And now you can actually develop a web application, well, without worrying about HTTP a little bit, without having to parse the HTTP protocol itself, right? You don't have to worry about supporting all of those different 400 error codes and 500 error codes, right? You can just deal with that. So the basic way I think about web applications is we have our client and we have our web server, right? And the client makes some HTTP request to the web server, and then there's some other web application that could be on a separate server, it could be on the same machine, that kind of is not quite as important. Somehow that request is forwarded from the server to the web application. The web application does processing, returns some response back to the web server, which then forwards that response on to the client. Cool. So there are a number of different technologies that have gone into web applications.
We're just gonna look at two of them right now, mainly due to time reasons. If we have more time, I'll talk about CGI web applications and how you could write web applications in any language, and it's just a really nice, older standard. So we're first gonna look at Active Server Pages. So ASP, any kind of experience coding in ASP? Nice, okay, cool. So ASP was Microsoft's answer to CGI scripts. They said, man, we need people to be able to write web applications, and we want them to use Microsoft technology to do that. So the first version of ASP was released in 96, which is actually kind of crazy when you think about the web kind of started in 1990, and I have Microsoft creating languages and tool chains for this. And the idea was the program is a mix of text, like the output that you want the HTML, the pages to be of your text, tags, and a scripting directive that says, hey, at this point in the output, interpret this as either Visual Basic or JScript code. And you could also have server-side includes like in C, like a #include. And the idea was that the scripting directives were interpreted and executed at runtime. So when you fetch the page, everything that was not a scripting directive would be output normally, but scripting directives would be executed at runtime. And, oh, I guess we should look up what this is. It's actually still supported a minimum of 10 years from the Windows 8 release date. Actually it's probably ending closer to the end of life. Okay, October, 2026, 2022. Trying to think of, is that a long time away? I don't know, it looks like, the date looks like a long time away, right? But I think it's actually not 26 years away. Yeah, we would talk about that for a bit more time, but. But then what's the acceptance rate of that person? Yeah, I don't know. I think there's probably still a good amount of ASP pages out there. I mean, that's part of the problem with the web, right? It's once you have some kind of technology out there.
There's websites that are supporting it and running it, right? So you can't force everyone to upgrade. So let's look at what this looks like. So the basic idea is, we have our server side and our code is in between these brackets and the percent signs. This tells the ASP engine, hey, at this point evaluate, set strName equal to Request.QueryString("name"). And then if strName is not equal to the empty string, then do this constant text, right? So this is outside of the scripting directive. This is gonna be constant, right? Now we're gonna remember we're inside of an if branch right here, okay? Then we're gonna write out Response.Write(strName). So this is gonna write out at this location this strName which came from the query string parameter "name". And then the else, we have to terminate our if blocks. We have an else statement that says you didn't provide a name. And then we're gonna end our if statement. So what are the benefits here of writing an application in this way? You don't have to write like full HTML code. You don't write full HTML code, what does that mean? I mean, it supports conditional things based on the user input. So you get to provide some logic and logic study. Oh yeah, so you can, I didn't say that you can, this is full-blown VBScript, an entire programming language. You can do whatever you can do in the normal programming language in here, inside these scripting directives. So the full power of the language. As to code in, it's, you can access databases, you can do anything you can do with modern ones. It's simpler, it's easier, it's a little easier to understand how to do some of the dynamic HTML generation stuff because it's all inline. You can see it in a repeat statement, see how it builds out. Right, so you can easily see, well maybe not easily write, but you can see that some of this is gonna be output conditionally depending on the conditions. And you can see the conditions right there. Or some of the downsides. Or MVCs, everything in one page.
Yeah, so it's cheating ahead a little bit. But yeah, right, so everything is in one page, right? Do you write? I mean, yes, you can do includes, but, I don't know, when you write a normal, kind of large-ish application, do you put all of your code and everything in one file? Right, you think about, think about Facebook, right? If you have Facebook written like this, right? You have to do things like loop over comments and fetch things from databases and do things and create tables, right? So you're mixing in all of this like logic of the application and what needs to happen, and maybe you have some output transformation, like you change people's names or capitalize them or whatever. And it's all mixed in with the output of the HTML of the page, right? So these can, I totally agree this style is a lot easier to get started in and develop things, but it starts to turn into crazy spaghetti code when you have, like, halfway down your ASP page, you have a database query, which is just like crazy trying to think of everything that happens, right? It's like there's some database query that's happening while you're generating the HTML of the page. But this has some nice things, right? So this Request.QueryString, so what do we think this does just based off the name? Yeah, get the, in the query, right? The URL has key value pairs. So this is getting the value of the key that has the name of name, right? And so this is actually kind of nice. So it's providing a bit of a framework for us, the developer, to parse those things and handle all that URL stuff so that we can think of it in a more abstract way. So this is kind of these web application frameworks. So ASP is one example, PHP as we'll see is another example. The basic idea is these frameworks try to make it easier for developers to quickly write web applications, right? Oftentimes what happens when you're writing a web application is you're doing the same thing over and over, right?
You're trying to get a certain value in the URL string. And instead of parsing that string every time yourself, of looking for the question mark and then separating that into key value tokens separated by ampersands and then separated by equals, right? You can have the framework actually provide all this functionality. And so they can make it easy to extract input from query parameters, from form parameters. They can actually handle all the cookies for you, or say you can have a method called set cookie, right? You don't have to worry that actually this is going to have to set this header in the HTTP response and this header has to have a certain format, right? The framework can take care of that for you. Same thing with sessions. You can, a lot of frameworks will provide the ability to handle sessions transparently for you. Oftentimes security, right? So that's actually part of what you're doing in some of your projects, right? Is you're providing kind of a mini framework or library or kind of shim layer to handle security for the developers. Even databases, so some frameworks handle talking to the database and fetching data. So now we get to PHP. PHP is a recursive acronym that stands for PHP: Hypertext Preprocessor. So it is very similar to ASP, so it's a scripting language that can be embedded in HTML pages to generate dynamic content. It's similar to JSP and ASP. It was originally released in 1995 as a series of CGI scripts that were C binaries. So this is kind of important as we're gonna get into, A, we're gonna look at how PHP, like not how, but the fact that PHP is so popular on the web. I'm gonna look at some of the crazy features that PHP has from a security and understanding-what-the-heck-is-going-on perspective. So it's important to keep this in mind that it was just like a series of C binary applications. And on, in 1988, PHP 3.0 was released.
You can think of this as peak PHP: 3.0 was installed on approximately 10% of the web servers on the internet in the late 90s. That's 10% of all, would you love it if any software you wrote was on 10% of the web servers on the internet? Yeah, that'd be pretty sweet, right? PHP 4.0 was released in 2000, PHP 5.0 in 2004. Finally added support for objects. So there was no way to do objects in PHP. 5.6 was released in August 2014, which is the latest version. So they've still been trying to develop PHP 6.0. I think they actually moved on to calling it PHP 7.0 since it's been taking so long. So if we look at the popularity, it is actually kind of insane. So from this company Netcraft, which looks at the usage of web application technologies, the number of, let's say, host names that are using PHP, I mean, this is just in 2012. It's like, what, 100 million? And it's actually even above those about halfway through there, so I don't want to think about what number that is. The number of active sites that are using PHP, so PHP is an incredibly popular and used web application technology. It's actually one of those things that it's hard to remember because a lot of times there's a lot more buzz about Ruby on Rails or Django or some of the Node.js web frameworks, all these kinds of things. But it's important to remember that actually PHP is the huge behemoth of the web. There's just so much more software written for the internet, for the web, that uses PHP. Okay, so just like ASP, the PHP pages are parsed and interpreted on every page request. So you can run it in CGI mode, so a new copy of the PHP interpreter runs every time a page is requested, or you basically embed the PHP interpreter in the web server so that that way the web server knows to interpret every page, so you don't have all these instances of the PHP interpreter. This is mod_php for Apache, if you ever set this up and enabled this, this is actually what it's doing.
It should sound terrifying, you're putting a PHP interpreter inside your web server, but that's the way we do things. It's a completely new and different language. It's C-like in its syntax, and it's kind of, I like to think of it, it's basically like a language that's custom designed to build web applications. And it specifically grew organically over time, so they have a lot of weird things, like you think about modern languages, oh, you want a namespace, right? So that functions that you declare, that way if you need to use database functions, you could maybe include the database functions and use those functions. If you don't have that, you just have all the MySQL functions starting with mysql_, and I believe the Postgres functions are the same thing, so there's a lot of weird design choices. So I'm looking at a quick example, so just like in ASP, everything that's not inside of a PHP tag is going to be output constant, it's going to be just output. So here, all this text is going to be output, everything within the <?php and the ?>, that's going to be interpreted as PHP code. So this is going to, when this executes, this is going to execute this PHP code, echo means it's going to return that to the browser, and it's going to output start p tag, hello world, end p tag. Questions? So some of the features of PHP: it's dynamically typed, so this means that you do not have to specify exactly what the types of your variables are. It has string variable substitution, as we'll see, so inside a double-quoted string, you can substitute the values of variables at runtime inside that string automatically. Your dynamic includes or requires, so when you include a file, instead of saying include specifically this PHP code, it actually will, that string that you include can be computed at runtime and can be arbitrary. It has superglobals, which are so much better than regular global variables.
They have variable variables, you can have variables that reference variables variably, as we'll see. It has crazy features like register_globals, which will automatically create local variables in the scope of your program with the names of parameters that come from the user. Crazy, all right, so string variable substitution, so here's PHP code, we have the start of our PHP tag, so everything we get here is PHP code, we're going to echo, this is a simple string, then we're going to echo variables inside of a simple string, so the single quotes means it's a simple string, but if we set some variable, so in PHP, variables start with a dollar sign, so that's kind of nice because they're easy to identify. Really, this came from Perl, is that right now? Does that language do this? I feel like this came from somewhere else, but anyways. So you can easily tell variables because they have dollar signs in front of them. And then we can say he drank some $juice juice, and so because this is in double quotes, this $juice in the string is going to be interpreted as substituting in for this juice in here. And we can even have a really complicated thing, we can make an array of juices, and then we can say he drank some $juices[0] juice, and this will be actually evaluated at runtime. And you can even include the curly braces here to be able to do a substitution based on something complex in here, like any complicated expression that you want. So we're not even out there yet, but some of you have started looking at cross-site scripting vulnerabilities, right? So part of cross-site scripting is when you output something that came from the user. Well here, is it really easy to tell what's being output here? And what's being output here is a constant string, right? But actually at runtime, part of the string is going to be substituted with a value that maybe came from the user or maybe did not. Questions on this?
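The substitution forms just described, plus the point that a double-quoted string can hide request data, as an added example (this is not code from the lecture; the function names and the sample value are this example's own, and it assumes PHP 7 or later):

```php
<?php
// Added example (not from the lecture): PHP variable substitution inside
// double-quoted strings, and why it makes user data hard to spot in output.

declare(strict_types=1);

/** The four substitution forms from the lecture, with constructed data. */
function substitutionForms(): array
{
    $juice  = 'apple';
    $juices = ['apple', 'orange', 'koolaid' => 'purple'];

    return [
        // Single quotes: PHP performs no substitution, "$juice" stays literal.
        'single' => 'He drank some $juice juice',
        // Double quotes: $juice is replaced with its value at runtime.
        'double' => "He drank some $juice juice",
        // A bare numeric index is parsed as part of the variable reference.
        'index'  => "He drank some $juices[0] juice",
        // Braces allow any expression, including a quoted string key.
        'braces' => "He drank some {$juices['koolaid']} juice",
    ];
}

/** Reads like a constant string, but $name is spliced in at runtime. */
function greetUnsafe(string $name): string
{
    return "<p>Hello, $name!</p>";
}

/** Same page fragment; the user-controlled part is encoded for the HTML text context. */
function greetSafe(string $name): string
{
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Hello, {$encoded}!</p>";
}

// Constructed sample value standing in for a request parameter such as $_GET['name'].
$name = 'Ann <b>& friends</b>';

foreach (substitutionForms() as $form => $text) {
    printf("%-6s %s\n", $form, $text);
}
echo greetUnsafe($name), PHP_EOL;   // the <b> tag reaches the browser as markup
echo greetSafe($name), PHP_EOL;     // the <b> tag is rendered as visible text
```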
This is kind of an important thing to understand, is how PHP, like these are, they're PHP-specific features, but they're features that make it easier for the programmer to write programs, right? But then make it more difficult as our job of, but it also makes it easier for the programmers to make security mistakes and have security vulnerabilities. Yeah? Can you explain the last paper in the value basis for example? It allows you to use an arbitrary expression in here. So you can, I think you can, can you do concatenation? I don't know if you look at exactly what it means, but it means that you can use the single quotes here for this index inside the juices array. The other thing confusing about PHP is its arrays and dictionaries are basically the same thing. So this is an array: at zero is apple, at one is orange, at, no, two there's nothing. The other one is a key, Kool-Aid, that goes to purple. Is it even, don't you? I have to actually look at it. I don't remember the exact semantics here. I know it's used to do more complicated string variable substitutions. Like you can't just do the single quotes in here because it needs to know that this whole thing is a variable substitution. So this is to say everything within here is a variable substitution. Cool, so we can dynamically include or require other code. So this is from WordPress. So this is from the WordPress page and this is how actually WordPress does things. So it will load the WordPress environment and template. So it calls require. So just like in C, when you include a file in C, it's as if that code is just copied and pasted exactly where you used the include. So this is why, if you've ever wondered, in a C header file you usually have those if-not-defined tags. That's because when you include a file multiple times that code is just copied in. So if you have one file that ends up including the same file twice, you don't want two copies of that code in there.
So what's happening is that this code is actually including wp-blog-header.php in whatever the current directory of __FILE__ is; __FILE__ is a special PHP variable that specifies the exact current location of this file. So it's saying wherever the directory of this file is, include the thing that's in the same directory as that. So other important things, the dot operator here means string concatenation in PHP, not plus like you're used to, which also frustrates me. So what this means is, looking at this, do you know exactly which file is going to be included? Yeah, it depends on wherever this file is currently in the directory structure, right? So think about like moving a file around, you can clearly change what this code does because it could include the wrong file. Then the other thing that happens here is this require is inside this scope here. So any, it's just like it's copied and pasted in. So any global variables that this wp-blog-header.php file creates, those will be accessible to code after this require statement. And similarly this wp-blog-header can actually access these variables like this WP_USE_THEMES. This is declaring a global called WP_USE_THEMES. So let's look at this example. So it can check if this wp-blog-header is set. It is not set. So this does not exist. It will create this wp-blog-header variable. It will also itself require other files. And then, yeah. I think something to add here. If I remember right, the dollar sign wp-header, if you have that in as a header, it automatically does, on the headers, puts them into variables for you. So that's automatically done. There's no like, three string requests. What do you mean in a header? Like, all your header variables I think are automatically done. So your value parameter is the dollar sign. Maybe I'm looking at the price and maybe I'm misrepresenting it. I don't know what header variables are though. That's fine. Like that.
So all the things included in the request header are automatically done. Oh, ah, we'll look at that. That's a feature that you can choose to enable or disable. They used to be enabled by people. Yes. So, yeah, you can see this craziness that it's actually like setting up these absolute path variables and wp-include variables to load this template loader library, which probably got set by this wp function. So like trying to even understand not only what the code does, like that's one thing. This is like, what code is it actually including so I can understand what this code does, right? Changes and can change at runtime. Okay, some other PHP misfeatures. allow_url_include is a setting in PHP to allow HTTP and FTP URLs in include functions. So when you set require or include, you can specify a remote HTTP address or FTP address. And then it would at runtime go download and make that HTTP request, get that page and execute that as if it was part of your code. And this setting also enables, you have to enable allow_url_fopen, which allows you to call fopen, which is file open, with the URL and we'll do the same thing. It will allow you to read URLs as if they were files on the local file system. And so the remote file will be fetched, parsed and executed. So is this a good idea? What could be some problems with this? Anything about the TCP characteristics you can completely control when it's reading? Think about it, right? Even if this URL is hard coded, let's say. If it's an HTTP URL, that's going to some other computer making HTTP requests; if I can hijack that, I can maybe alter the HTTP content that gets sent back, if it's not encrypted. And then that content that gets sent back, it's executing it as if it was PHP code. Also, I mean, it's just a completely crazy feature. When you write an application, you want all of your code, you want all the code to live in one place so that you know what this application does.
If you're including code from some other system that you may not have even written, it's, executing it, crazy dangerous, right? I mean, what happens if that, you're increasing the attack surface, right? What happens if that other server gets broken into, right? Now if they change that code, your application is going to start executing it, right? And it's not like this code that just executes on the browser or something. There's something that's executing on your web application that has access by design to all of your users' data. Your web application can access the database because it has to access the database, right? This, now you're pulling in code from who knows where and just executing it. And then, so even if you're not using a constant string, but you happen, if the attacker can influence what you're including, then it can make you include my code and execute it on your server. And I've completely owned your PHP application. So superglobals, so this is, so yeah, okay. So superglobals are these dollar sign underscore variables. These like $_GET, $_POST, $_SERVER. These are special variables that the PHP interpreter creates for the PHP application based on the HTTP request. And they're, the tricky part is they're accessible by any piece of code that executes in the application. So for instance here, if you try to, in this wp-comments-post.php, if the request method is not a POST, then it's gonna tell you, hey, I only allow POST. And the HTTP response code is gonna be 405. And it's gonna quit and exit and stop processing. Otherwise it sets up this variable comment_post_ID if this $_POST, so this is the comment_post_ID key in the key values that were sent through POST. It will interpret that as an integer if it's set, otherwise it'll set it to zero. It's gonna get the post based on that.
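An added example (not code from the lecture or from WordPress) that ties the two points above together: a page that reads a superglobal and then decides which file to include. The `pages/` directory, the allowlist entries and the function names are this example's own assumptions, and it assumes PHP 7 or later.

```php
<?php
// Added example (not from the lecture): request-driven include, in the
// dangerous form the lecture warns about and in a constrained form.

declare(strict_types=1);

// Dangerous: the request value itself becomes part of the file name, so the
// set of code that can be parsed and executed is decided by the client.
// With allow_url_include on, the same line can even fetch a remote URL.
function loadPageUnsafe(): void
{
    $page = $_GET['page'] ?? 'home';
    require dirname(__FILE__) . '/pages/' . $page . '.php';
}

// Constrained: the request only selects a key; file names come from a fixed
// table that lives in this file, so every includable file is known up front.
function loadPageSafe(): void
{
    $allowed = [
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];

    // $_GET values may be arrays (?page[]=x), so check the type as well.
    $page = $_GET['page'] ?? 'home';
    if (!is_string($page) || !array_key_exists($page, $allowed)) {
        http_response_code(404);
        echo '<p>Unknown page</p>';
        return;
    }

    // Defence in depth: the resolved path must still sit inside the templates directory.
    $base = realpath(dirname(__FILE__) . '/pages');
    $file = ($base === false) ? false : realpath($base . '/' . $allowed[$page]);
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(500);
        return;
    }
    require $file;
}

loadPageSafe();
```

The php.ini settings the lecture names can be checked with `php -i | grep allow_url`; both `allow_url_include` and `allow_url_fopen` should read `Off` on a server that has no reason to include or open remote URLs.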
It's gonna check if the comment status of that post is empty, then it's gonna do some action, and this is some callback that's gonna do who knows what, because WordPress is very strange. It's supposed to be very extensible. So anyway, so this is showing that these superglobals can be accessed from anywhere. These $_SERVER, $_POST. They have variable variables, which are something that, I honestly don't know of any other languages of that kind that allow this. The idea is on this line I'm creating a new variable called a that has the value hello. On this, now here, the dollar sign dollar sign means I'm now creating a variable with the name of whatever's in $a. So this is creating a new variable $hello with the value world. So I can echo a and echo hello and it's gonna output hello world. So this is just like automatically creating a variable in this scope. It's crazy. That seems super weird. Why, why, why, why do you want this? And then you can access this also in the double-quoted strings by using a dollar sign and then curly braces and then $a. So this will, again, look up the variable name with something with a, look it up as a variable, what has the name hello, and then output, yeah. It's kind of trying to do like the, make it easier to do the equivalent of eval in JavaScript or something. It's like we're trying to come up with a way to make it easier. This is a terrible idea. Even Python allows something similar. Yes, but you have to, at least in Python, it's clear that you're doing something weird, right? You have to look up in like globals or locals or something and you can look through values and you can do it that way. But I believe all of those start with underscores, right? So that, like, implicitly means that that is kind of unsupported. You're digging into the guts of Python here. This is just PHP. Like this is just two dollar signs, so like this is how we roll with PHP.
Yes, I'm sure it was for more expressivity and that kind of stuff. I'm sure you can do really cool things with this very succinctly that you could maybe not do in other languages as easily. Still, it makes trying to understand what this does, if you see this in an application, you have to understand what could all the possible values be for variable a, right? And if variable a ever comes from the user, then we can control any other variable and change its value in the program. So, gosh, it's crazy.

Okay, then we get into register_globals. So the idea was, well, man, it's really annoying to have to, whenever I wanna access a variable, write $_POST, bracket, tick, variable name, right? It's like, God, it'd be so much better if PHP just automatically created variables based on those names that get sent in. And so it would register all environment variables, GET variables, POST variables, cookie variables, and server variables as global variables in the scope of your program. So think about what's happening: PHP is automatically injecting variables into your script, into the scope of your script, based on input from the HTTP request. So the HTTP request variable name, right, the key-value pairs, is the PHP variable name, and the value is the PHP variable's value, right? So where do the values come from? From the user, which is also from the attacker, which means that these can be arbitrarily changed and altered. This was actually the default until 2002; for a long time this was the default of PHP. And honestly, when we look at it, I'll definitely give it this, it makes the code a little bit easier to read. So for instance, let's say I have this feedback page here. So I have some feedback code and I say if there's a name, if name and comment, then I'm gonna open this user feedback file with append only.
I'm gonna write out name colon comment and then I'm gonna close that file. And then I'm gonna say, hey, good job, you submitted the feedback. Right, and so in my POST method, I'm gonna have a form on here with a POST with a name and a comment field and a submit button. So now when I submit this, it's gonna go here and it's gonna automatically create a variable called $name in this scope based on whatever the value is here. And it's gonna automatically create a variable $comment in here based on this value that I typed in here. So actually, this does make it, I mean, actually makes it a lot easier to read. So we'll actually see a bit later why this is such a bad idea.

Okay, so we talked about, so these are kind of some of the PHP misfeatures, or I'd say features that are probably not exactly what you're used to when you look at a proper language. So we've talked about those. We talked about sessions, right? We want sessions with the user so we can see what they've done. But is that all we want? I mean, do we just wanna know that you were the same person as five minutes ago? Right, we also wanna know, are you the same person from a year ago, from two years ago? Right, so what we really need is some way to store the state of the application. Right, we want our users to be able to interact with our application. We want them to be able to save data, information, whatever, and we need to be able to store that. Otherwise, it's really difficult to make a real application, right? Because we have this cookie mechanism, but cookies are fundamentally limited in how much data they can store. I guess not fundamentally. The browser will limit the size of the cookies, right? You wouldn't want it to be like, you visit some website and Facebook's like, oh, here's all the posts you've ever written on Facebook. Here's all, you know, two gigs of text or whatever. Like, just store this and send this to me every time you wanna make a request.
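The feedback page from the register_globals discussion, as an added example rather than the lecture's slide, with the explicit version next to it. register_globals was removed in PHP 5.4, so extract() stands in for it here; it turns request keys into local variables in exactly the same way, and $$key with a user-controlled key has the same effect. The $_POST array is constructed input, and the file path and the function names old_style, new_style and save_feedback are assumptions.

```php
<?php
// Added example, not from the lecture. A constructed POST body stands in for
// the form submission; the extra 'is_admin' key is something the HTML form never
// sends but any client can add to the request.
$_POST = ['name' => 'alice', 'comment' => 'nice site', 'is_admin' => '1'];

// --- The feedback page the way register_globals ran it. ---
// extract() creates one local variable per request key, overwriting any that
// already exist, which is what register_globals did for the whole script.
function old_style(array $request): string
{
    $is_admin = false;          // what the programmer set
    extract($request);          // every request key becomes a variable; $is_admin is now '1'
    if (!empty($name) && !empty($comment)) {
        // Assumed record format: "name: comment", plus an [admin] tag the request now controls.
        return "$name: $comment" . ($is_admin ? " [admin]" : "") . "\n";
    }
    return '';
}

// --- The same page with the request read explicitly. ---
// Every variable is assigned by this code, so a request can only supply values
// for the two keys the function asks for; it cannot introduce or overwrite others.
function new_style(array $post): ?string
{
    $is_admin = false;                                   // unreachable from the request
    $name    = trim((string)($post['name'] ?? ''));
    $comment = trim((string)($post['comment'] ?? ''));
    if ($name === '' || $comment === '' || strlen($name) > 64 || strlen($comment) > 1000) {
        return null;                                     // reject rather than write junk
    }
    // The file holds one record per line, so strip the characters that would
    // let a single submission forge extra records.
    $name    = str_replace(["\r", "\n"], ' ', $name);
    $comment = str_replace(["\r", "\n"], ' ', $comment);
    return "$name: $comment" . ($is_admin ? " [admin]" : "") . "\n";
}

// Append under an exclusive lock so two concurrent submissions cannot interleave
// or clobber each other. Assumed path, kept outside the document root so the web
// server never serves the raw feedback file.
function save_feedback(string $line, string $path = __DIR__ . '/../data/feedback.txt'): bool
{
    return file_put_contents($path, $line, FILE_APPEND | LOCK_EX) !== false;
}

echo old_style($_POST);
$line = new_style($_POST);
if ($line !== null) {
    save_feedback($line);
    echo $line;
}
```

Run as is, old_style returns Alice's record with the [admin] tag attached, because the request overwrote a variable the code had just set to false; new_style returns the same record without the tag, since nothing in the request can reach $is_admin. The difference is not the validation (useful, but secondary) but that the explicit version decides which variables exist.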
Right, so where can we store the state? What are some of the options that we have?

Maybe store it in the database and have some unique key that can be used as an identifier.

We can store it in the database, what else? In a database, where else? That's not the only place we can ever store things.

File system.

Yeah, we can store it in files, right? You can actually get away with a lot with that. What else?

Memory.

Yeah, we can store things in memory, right? So you can store things in memory. We can store things on the file system. The file system could be just a file system, it could be an XML file. Maybe we store things in an XML file. We could use a database, right? And so the database is the most common, so why?

More structured and easier to access.

So structured, easy to access. Easier than a file, though? It's pretty easy to open a file, right? Access controls around it, what else?

Indexing.

Just adding your section up there also might be good for that application.

Yeah, right, so one of the problems with memory is if I wanna have multiple web applications, multiple copies of my server, they would need to somehow synchronize all their memory so that the state was consistent across all of them, right? But if I have a single database that multiple copies of the application can access, well then it doesn't matter which server fields that request; they should pull the information from the database. Yeah, there's also a whole host of other databases, or a whole other area of research, right? There's a lot of research into making them safe and consistent and fast, so that they don't lose information, right? Whereas if you do something in a flat file, you may have multiple concurrent requests that overwrite things, right? You're basically implementing a poor version of a database yourself, right? So yeah, you get ACID compliance, which is great, right? Ooh, so what does ACID stand for?

Atomicity.

Atomicity. What else?
Consistency, integrity, and durability.

Good. Awesome, you also get concurrency, right? There's also great separation of concerns, right? So now you can write your application, the database can be a completely different technology, right? And maybe you can swap them out, and you can run the database on a different server, right? You can have multiple web application processes connecting to the same database. What are some of the cons?

In which sense?

What sense? Do you have to have a database application running? Yeah, you have to build and deploy and set up a database, and you have to now become, if it's just you, right, you have to become an expert on databases and how to use them, as much as we'd like them to be just stupid storage engines. You actually have to know a lot about indexes and all of those things, right, about how to optimize the database.

Also, it's very hard to change tuples. I mean, the format that you've stored in, it's not necessarily backward compatible if you change it.

Yeah, so one of the actually kind of annoying things is that, so updating your application, right? You wanna add some new code or do something. Well, you may need to change some column in your database, right, with an update. But let's say you make that update, but now you need to roll that back because that introduced more bugs, right? So now you then remove that column. It's not as easy to update and change a database over time as it is to just change the application's code. How do you query databases, normal databases?

SQL.

So now you have to know another language. Not only do you have to know and understand HTML, HTTP, we didn't talk about JavaScript yet, but JavaScript, you need to know your server-side language like PHP, and now you also need to know SQL, right? Everything's starting to get crazy. So the classic way this was done is what they call a LAMP stack: Linux, Apache, MySQL, and PHP.
So you have Linux as the server, you have Apache as the web server, MySQL as the database, and PHP as the server-side code. And it's kind of a nice way to think about separating applications into these four pieces, because you can easily swap out and mix any of these components, right? You can run this on Windows and then it's a WAMP server. You can swap out Apache for Nginx or one of the newer web servers. You can swap out MySQL for Postgres, and you can swap out PHP for any other kind of language. So yeah, you can completely change all of these things. So MySQL is currently the second most used open source relational database. So what is the first?

Postgres?

No.

What was it? OracleDB?

No, also not open source. Definitely also no.

SQL Server?

No, also not open source.

SQLite.

SQLite, yes. Why SQLite?

I don't know, I just guessed.

Not only Android, also iOS. Yeah, every single one of our phones is running SQLite. It's used not only in iOS and Android, it's also probably gonna be used on the Mac in certain places too. So yeah, it's actually really interesting. That's the most widely used database technology.

Why do you have MySQL on the slide over that?

Oh, because MySQL is used more in, so SQLite's really good for like an in-memory database. So you get the properties of a database. You can also use it to go to a file. So it's easy to use in simple scenarios, but it doesn't scale really well to a complicated, multi-process type of thing. So MySQL is much more used, more frequently used, in a real web application sense. Not many people use SQLite for a web application, but SQLite's also really well tested, so it's very, very durable. So MySQL was first released in May of 1995. Actually a really crazy coincidence is this is the same day that Sun released the first version of Java, which is kind of crazy. But yeah, and it's also weird because Sun eventually bought MySQL for a billion dollars in 2008. So yeah, anyways, I don't know.
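As an added example, not from the lecture, here is the feedback store moved out of the flat file and into a database through PHP's PDO layer, which is the "swap the components" point of the LAMP stack in practice: the code below uses SQLite in memory so it runs anywhere, and changing the DSN string is the only edit needed to point it at MySQL instead. The table layout and the function names open_store, add_feedback, add_feedback_pair and count_feedback are assumptions.

```php
<?php
// Added example (not from the lecture): state storage through PDO. SQLite in
// memory here; a DSN such as 'mysql:host=db;dbname=app' with a user and password
// would select MySQL, and the rest of the code stays the same.

function open_store(string $dsn = 'sqlite::memory:'): PDO
{
    $db = new PDO($dsn, null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // fail loudly instead of writing half a record
    ]);
    // Length limits live in the schema, so they hold no matter which code path writes.
    $db->exec('CREATE TABLE IF NOT EXISTS feedback (
        id      INTEGER PRIMARY KEY AUTOINCREMENT,
        name    TEXT NOT NULL CHECK(length(name) <= 64),
        comment TEXT NOT NULL CHECK(length(comment) <= 1000),
        created TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
    )');
    return $db;
}

// A prepared statement keeps the user's text as data: it is bound to the
// placeholders, never spliced into the SQL string, so quotes in a comment
// cannot change what the query does.
function add_feedback(PDO $db, string $name, string $comment): int
{
    $stmt = $db->prepare('INSERT INTO feedback (name, comment) VALUES (:name, :comment)');
    $stmt->execute([':name' => $name, ':comment' => $comment]);
    return (int)$db->lastInsertId();
}

// Two writes that must both happen or neither: the atomicity from the ACID
// discussion. A flat file has no equivalent of rollBack().
function add_feedback_pair(PDO $db, array $first, array $second): bool
{
    $db->beginTransaction();
    try {
        add_feedback($db, ...$first);
        add_feedback($db, ...$second);
        $db->commit();
        return true;
    } catch (PDOException $e) {
        $db->rollBack();          // e.g. the second row breaks the length CHECK
        return false;
    }
}

function count_feedback(PDO $db): int
{
    return (int)$db->query('SELECT COUNT(*) FROM feedback')->fetchColumn();
}

// Constructed input: a comment containing a quote, then a pair whose second
// member is far over the length limit.
$db = open_store();
add_feedback($db, 'alice', "it's great");
add_feedback_pair($db, ['bob', 'ok'], ['eve', str_repeat('x', 2000)]);
echo count_feedback($db), "\n";
```

The quote in Alice's comment is stored verbatim because it travels as a bound parameter, and the second call leaves the table untouched: Bob's row was inserted inside the transaction and rolled back together with Eve's failed one, so only Alice's record remains. That rollback is the concrete form of the "you don't lose information" argument for a database over a flat file.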
That coincidence just is super weird. But also really cool. Okay, so when we come back, we will talk about this. So now we've got all the web technologies, and we need to store our state somewhere. So now we're gonna talk about databases. So you can see that web applications are crazy complex, mostly because of all the different technologies.