Outline

• Credit Card Transactions
• i18n, l10n
• Unicode
• Quiz
• More Unicode
• Text direction

Credit Card Transactions

• Frequently, when one runs an online business one would like to collect credit card or other payment information online.
• One can often do credit card processing through your bank, but usually this requires setting up the correct kind of account.
• Alternatively, you can use an online payment gateway to charge transactions.
• Today, we begin by looking at how to chrge a credit card, with one such service: Stripe.

Stripe

• Stripe was created in 2010 by John and Patrick Collison.
• Initially, it got seed money from Y Combinator, then later Sequoia Capitol.
• It has the advantage that it is relatively easy to use and has stable REST API that and tools for a variety of languages.
• It supports a variety of payment methods: credit card, Paypal, Bitcoin, Apple Pay, etc.
• It supports a variety of currencies: dollars, euros, yen, etc.
• In the API, the person carrying out the charge never actually handles a user's credit card information, so the people carrying out the charge don't have to worry about storing, etc this sensitive info.
• The Stripe Documentation is thorough. Before making your code live, you can test using testing keys and Stripe Test Card Numbers.

Stripe Example

<!DOCTYPE html>
<html>
<head><title>Credit Card Test</title></head>
<body>
<?php
define("SECRET_KEY", "sk_test_get_this_at_stripe_com");
define("PUBLISHABLE_KEY", "pk_test_get_this_at_stripe_com");
define("CHARGE_URL", "https://api.stripe.com/v1/charges");
define("CHARGE_CURRENCY", "usd");
define("CHARGE_DESCRIPTION", "Buyer sees this on their statement");
define("CHARGE_USERAGENT", "CreditCardTester");
define("TIMEOUT", 20);
?>
<h1>Credit Card Test</h1>
<div>
<?php
if (empty($_REQUEST["credit_token"])) {
    ?>

    <form id="purchase-stuff-form" method="post" >
    <input type="hidden" id="credit-token"  name="credit_token" value="" />
    <p><label for="amount">Amount:</label><input type="text" id="amount"
        size="2" name="amount" /></p>
    <p><label for="card-number">Card Number:</label><input type="text"
        id="card-number" size="20" data-stripe='number'
        name="card-number" /></p>
    <p><label for="cvc">CVC:</label><input type="text" id="cvc" size="4"
        data-stripe='cvc' name="cvc" /></p>
    <p><label for="exp-month">Expiration Month:</label><input type="text"
        id="exp-month" size="2" data-stripe='exp-month' name="exp-month" /></p>
    <p><label for="exp-year">Expiration Year:</label><input type="text"
        id="exp-year" size="2" data-stripe='exp-year' name="exp-year" /></p>
    <p><input type="submit" id="purchase" name="Purchase" value="Purchase"></p>
    </form>
    <script>
    function elt(id)
    {
        return document.getElementById(id);
    }
    elt('purchase').onclick =
        function(event) {
            var purchase_form = elt('purchase-stuff-form');
            elt('purchase').disabled = true; // prevent additional clicks
            Stripe.card.createToken(purchase_form, tokenResponseHandler);
            event.preventDefault(); //prevent form submitting till get all clear
        }
    function tokenResponseHandler(status, response) 
    {
        var purchase_form = elt('purchase-stuff-form');
        if (response.error) {
            alert(response.error.message);
            elt('purchase').disabled = false;
        } else {
            elt('credit-token').value = response.id;
            purchase_form.submit();
        }
    }
    </script>
    <script src="https://js.stripe.com/v2/"  ></script>
    <script>
    Stripe.setPublishableKey('<?=PUBLISHABLE_KEY ?>');
    </script>
    <?php
} else {
    $message = "";
    if (empty($_REQUEST['amount']) || intval($_REQUEST['amount']) <= 0) {
        echo "No charge amount given";
        exit();
    }
    $amount = intval($_REQUEST['amount']);
    $token = $_REQUEST['credit_token'];
    $success = charge($amount, $token, $message);
    unset($_REQUEST['credit_token']);
    if ($success) {
        echo "$amount charged!";
    } else {
        echo "$amount charge did not do through!";
        if (!empty($message)) {
            echo "<br />$message";
        }
    }
}
function charge($amount, $token, &$message)
{
    $charge = [
        //swipe charges in cents * 100 to convert to dollars
        "amount" => $amount * 100,
        "currency" => CHARGE_CURRENCY,
        "source" => $token,
        "description" => CHARGE_DESCRIPTION
    ];
    $response = getPage(CHARGE_URL, http_build_query($charge),
        SECRET_KEY . ":");
    $credit_info = json_decode($response, true);
    if (!empty($credit_info['message'])) {
        $message = $credit_info['message'];
    }
    return isset($credit_info['status']) &&
        $credit_info['status'] == 'succeeded';
}

function getPage($site, $post_data = null, $user_password = null)
{
    $agent = curl_init();
    curl_setopt($agent, CURLOPT_USERAGENT, CHARGE_USERAGENT);
    curl_setopt($agent, CURLOPT_URL, $site);
    curl_setopt($agent, CURLOPT_AUTOREFERER, true);
    curl_setopt($agent, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($agent, CURLOPT_NOSIGNAL, true);
    curl_setopt($agent, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($agent, CURLOPT_FAILONERROR, true);
    curl_setopt($agent, CURLOPT_TIMEOUT, TIMEOUT);
    curl_setopt($agent, CURLOPT_CONNECTTIMEOUT, TIMEOUT);
    //make lighttpd happier
    curl_setopt($agent, CURLOPT_HTTPHEADER, ['Expect:']);
    if ($post_data != null) {
        curl_setopt($agent, CURLOPT_POST, true);
        curl_setopt($agent, CURLOPT_POSTFIELDS, $post_data);
    } else {
        curl_setopt($agent, CURLOPT_HTTPGET, true);
    }
    if($user_password != null) {
        curl_setopt($agent, CURLOPT_FAILONERROR, false);
        curl_setopt($agent, CURLOPT_USERPWD, $user_password);
        curl_setopt($agent, CURLOPT_SSL_VERIFYHOST, 2);
        curl_setopt($agent, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
    }
    $response = curl_exec($agent);
    curl_close($agent);
    return $response;
}
?>
</div>
</body>
</html>

Notes on Stripe Example

• When the form is submitted, Javascript makes an XHR request to Stripe with the Publishable Key and the credit card info.
• If the credit card is okay, an authorization token is inserted into the credit_token hidden variable on the form and the form is sent to the charger's server.
• The charger then makes a request to Stripe using the token, the amount to be charged and charge description.
• If this is approved, the charge will go through and the charger can see the amount paid in their Stripe dashboard.

Introduction to Localization

• About two-thirds of people online don't speak English. [Building Scalable Web-sites.]
• Thus, it often makes sense to design one's web-site to reach this audience.
• Today, we will look at what's involved to do this.

Buzz-words: i18n and L10n

• Two commonly used terms with regard to making your web-site work in other languages are:
  • Internationalization -- adding to an application the ability to input, process, and output international text.
  • Localization -- making a customized application available to a specific locale.
• These are often abbreviated as i18n (number of char's betwen i and n in internationalization) and L10n (or l10n).
• A locale is a set of localization preferences which can include language, region, time zone, time and date formats, number display (period rather than comma, 1000 versus 100 to split a long number), and currency.
• For a web application, the locale that should be used with a given user is often stored in a session variable.
• For a web application, i18n often involves making sure your program can operate correctly on different character sets.
• Localization often involves making sure that correct translations of web pages appear so as to customize the appearance of the web-site to a given locale.

Unicode

• Unicode is the industry way to deal with texts from multiple languages.
• Unicode development started in 1987 as a project of Joe Becker (Xerox), Lee Collins, and Mark Davis (Apple).
• The original encoding was 16 bits with an aim. Its aim was to be able to encode texts in all modern languages.
• Currently, there are six different variants of Unicode, the most popular of which are UTF-8, UTF-16, and UTF-32.

Glyphs, Character Sets, Encodings

• A pattern of pixels on the screen representing an agreed on letter shape is called a glyph.
• For example, the letter "a" might have more than one glyph: a, a.
• When a sequence of characters is stored digitally we usually only store a representation of the sequence of characters, not the actual glyphs. We use things like css to specify the font-family to say for a given character what glyph to actually draw.
• The process of specifying a character involves two mappings:
  • A character set which is a mapping from abstract "characters" to numbers called code points.
  • Then we have an encoding which maps these numbers into a binary representation that can be stored in the computer.
• For English, one common character set and encoding is ASCII.
• In ASCII, the code point for an "a" is 0x61. It's encoding as a byte would also be 0x61 as a sequence of bits.
• In Unicode, the code point for "a" is 0x61; however, in UTF-16 its encoding would be two bytes 0x0061.
• In Unicode, code points are often writen as U+ a sequence of hex digits.
• In UTF-8 most roman letters are encoded as single bytes which is why UTF-8 is the most popular Unicode encoding.
• UTF-32 is a fixed-width encoding -- all code points are encoded with the same number of bits.
• UTF-8 and UTF-16 are variable-width encodings -- some characters are encoded with more bits than others.

More on Code Points, Characters, Glyphs, and Graphemes

• A character in Unicode does not necessarily map to what a person thinks of as a character.
• For instance, ã can be represented as one or two code points either U+00E3 or as an "a" U+0061 followed by a combining tilde U+0303.
• The composed form is called a grapheme.
• You can also have ligatures for some pairs of characters. So for example fi is a single code point U+FB01 but represents two characters - f and i.
• Where this causes headaches is how do you measure the length of a Unicode string?
• You can't count bytes or code points -- you have to understand what kind of code point it is (each code point belongs to a general category such as Lu: Letter,uppercase or Letter, LM Letter Modifier) and where the code point lies.
• In general, if you are working with Unicode you want to try use your languages facility for working with Unicode to get these kind of computations to happen magically.

Quiz

Which of the following statements is true?

1. XSS (Cross-site Security) is a technique used to log in with credentials from a third party.
2. SQL Injection attacks are prevented using the X-Frame-Options header.
3. Target blank attacks can be prevented by adding rel="noopener noreferrer" as an anchor tag attribute.

Quiz

Which of the following statements is true?

1. Clickjacking can be prevented using the X-Frame-Options header.
2. CSRF (Cross-site Request Forms) is a technique used to log in with credentials from a third party.
3. A site is only vulnerable to an inclusion attack if it has a web form on it somewhere.

Byte-order Mark

• A byte order mark is a sequence of bytes at the beginning of a Unicode stream used to designate the encoding type.
• For example,
  • UTF-16 big endian FE FF
  • UTF-16 little endian FF FE
  • UTF-32 big endian 00 00 FE FF
  • UTF-32 little endian 00 00 FF FE
  • UTF-8 little endian EF BB BF
• Some document editors store Unicode with this BOM character; however, this BOM character can also confuse browsers so it should be gotten rid of and avoided for HTML, XML, and PHP documents.
• You should instead use the Content-Type header to specify the character encoding.

UTF-8 Encoding

• So how does UTF-8 work?
• It uses bits in each byte to signal the number of bytes in a code point.
• For example,
  • A 1 byte code point is signaled by the lead bit being 0.
  • A 2 byte code point is signaled by the lead bits of the first byte being 110 and the lead bytes of the next byte being 10.
  • Similar techniques are used for code point that take more bytes, the maximum number of bytes being 8.

Specifying and Handling UTF-8

• In HTTP to say that a file is UTF-8, you can use the header:

  Content-Type: text/html; charset=utf-8
  

• In Apache you can make it so this header is automatically served for all files of a given extension by using a line like:

  AddCharset UTF-8 .php
  

• For static HTML where you don't have control of the server, you can still signal the browser on the charset using:

  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" >
  

• When using string manipulation functions in PHP, if you want it to work with UTF-8 you need to use the multi-byte version of the given function.
• For example, use mb_substr() rather than substr().
• MySQL supports UTF-8 since version 4.1, for older versions you would need to use BLOB or BINARY rather than CHAR, VARCHAR, or TEXT.
• MySQL only supports UTF-8 codes up to 3 bytes.
• For Javascript, do not use escape() which doesn't work with UTF-8. You should write your own processing function to encode stuff. You can use the function String.getCodeAt() to find out UTF-8 codepoints.

Text Direction

• One preference which varies from locale to locale is text-direction.
• For instance, English, French, etc are left to right languages, Arabic and Hebrew are right to left languages. Some languages like Chinese and Japanese were traditionally top down and right to left.
• Ancient Egyptian hieroglyphics used both directions: An inscription around a door might be left to right on one half of the door; right to left on the other half.
• Eye-tracking studies have shown that the text orientation that a person is familiar with will affect how that person's eye saccade across a new image.

Text-direction: HTML and CSS

• There are several things in HTML and CSS that can be used to affect the text-direction.
• The <html> tag can have a dir attribute with value (ltr or rtl) as well as a lang attribute (for example en-US) to help fix the locale.
• In CSS, you can set the text-align attribute to right to get the text to align to the right hand side of the screen.
• For a general tag, you can also set the direction attribute to either ltr or rtl affect the order in which punctuation is written.
• Unicode itself has some code points which can be used to affect text-direction. For example, U+202A,... U+202D. However, these don't work well with browsers.
• Instead, you can use the unicode-bidi style attribute (which can have values: normal, embed, override) in conjunction with the bdo tag.
• For example,

  <p style="direction:rtl; 
  unicode-bidi: bidi-override; 
  text-align: right" ><bdo dir="rtl" >
  This is a test.</bdo></p>
  

  would look like:

  This is a test.

• For vertical alignment, there is a writing-mode style property which sorta works in Firefox, Chrome, Opera, Edge. It can have values horizontal-tb, vertical-rl, vertical-lr. For example,
  这是垂直的文本。
• Usually, you would have a separate CSS file used for each direction you want. Or you could have a class selectors like html-ltr, html-rtl to control it.
• You would also in PHP, based on the locale set the dir and lang attribute of the HTML tag.

gettext

• We next look at how we could set up the development environment of our web project to allow for text from more than one locale.
• We will first look at how to manage static text.
• One common tool to use to do this is gettext.
• There are also some open source tools such as Pootle with web interfaces for managing the kind of files used with gettext.
• The basic idea of gettext is that the developer, whenever they need to output a string that might need to be localized, calls a function gettext() with a string which says what needs to be translated. For example,

  gettext("translate_me"); // you could also use _("translate_me");
  

• The function gettext uses the current locale, textdomain, bindtextdomain to locate a .mo binary file which contains a string to echo for "translate_me" for that locale.
• So you might have in your html file commands like:

  putenv('LC_ALL=en_US');
  setlocale(LC_ALL, 'en_US'); // say locale
  bindtextdomain("myMoFile", "./locale"); // say locale dir
  textdomain("myMoFile"); // say .mo file
  _("translate_me"); // looks for ./locale/en_US/LC_MESSAGES/myMoFile.mo
                     // to find the translation.
  

How do we create .mo files? .po files

• There are a few steps to create a .mo file for a given locale.
• First, we have to extract all the things we need to translate from a given file.
• To do this we use the command xgettext:

  xgettext -L PHP filename.php
  

• This will generate a messages.po file. If we want, myMoFile.po we could have done: -d myMoFile
• At the top of this file there is a place to set the text encoding. Make sure to set this to UTF-8!
• Inside this file we have lines like:

  #: filename.php:6
  msgid "translate_me"
  msgstr ""
  

• You would give this file to your localizers to fill in a msgstr to translate each msgid.

From .po files to .mo files, more on msgid's.

• Once we have a fully translated .po file we are ready to generate a .mo file from it.
• To do this we use a command like:

  msgfmt -o myMoFile.mo myMoFile.po
  

• We then place the .mo file in the correct directory and we have one file translated to one locale.
• It can become hard to maintain if you use msgid's which are just English strings.
• It would be bad if several files in your project had the same msgid "Next"; and where next might be translated in different ways to a locale depending on context.
• Instead, you should a naming convention for id's which specifies things like: namespace_pagename_name_additional .
• gettext has support for things like pluralizations, and messages that involve formatted text that I will not go into.