Expert PHP and MySQL. Application Desscpi and Development. Apress" Marc Rochkind

Transcription

1 Expert PHP and MySQL Application Desscpi and Development Marc Rochkind Apress"

2 Contents About the Author About the Technical Reviewer Acknowledgments Introduction xvii xix xxi xxiii -Chapter 1: Project Organization 1 People Determine Success 1 Who Are the People? 1 How to Satisfy? 2 Projects Have Three Dimensions 3 Requirements 4 The Development Team 4 Hiring the Best 5 The Schedule 6 Scheduling the Unknowable 7 A Scheduling Example 8 Why Projects Fail 9 Poor Requirements 10 Weak Team 10 Failure to Prototype High-Risk Features 10 Bad Design 10 Poor Development Processes 11 Changed Priorities 11 Sabotage 11 vii

3 Managing the Project 11 Dividing the Work 14 Exploiting Database Centricity 14 Assigning Components to People 15 The Workplace 15 Issue Tracking 16 Legal Matters 17 Have a Written Contract 17 Know Who Owns What 18 Watch Out for License Entanglements 18 Involving a Lawyer 19 Getting Paid 19 Invoicing 19 Collecting 20 Chapter Summary 21 ^Chapter 2: Requirements 23 Outline of the Requirements Document 23 Rough First Draft: Scope Without Detail 25 A Closer Look at the Requirements Sections 27 When the Requirements Change 32 Logging Requirements Changes 32 Modifying the Requirements Document 32 Use Cases 38 Requirements War Stories 39 The Runaway Developer 39 The Arzano Ranch 40 Agile Requirements 40 Chapter Summary 43 viii

4 ii Chapter 3: Platforms and Tools 45 Client-Server Architecture 45 Server Platform 47 The LAMP Stack 47 Server Operating System 48 Web Server 48 Database System 49 Server Programming Language 50 Client Platform 51 Client Operating System 51 Browsers 51 Client Programming Languages 53 Development Platform and Tools 54 Development Operating System 54 Installing a Web Server, MySQL, and PHP 54 Editors and IDEs 56 Transferring Files 57 Debugging Tools 58 Testing Tools 58 Version Control 58 Issue Tracker 59 Hosting Alternatives 59 Commercial Shared-Hosting Services 60 Hosting Scalability 60 Users, Groups, and Permissions 61 Cloud Servers 63 Installing New Versions 72 Doing It Wrong 72 Doing It Right 75 Chapter Summary 80 ix

5 Chapter 4: The Database 83 Relational Databases 84 SQL 84 Some History 84 SQL Statements 85 What a Select Statement Does 85 Joining Tables 87 Expressions and Stored Procedures 92 Further Reading About SQL 92 Entity-Relationship Modeling 92 ER Diagrams 92 ER Design Tools and MySQL Workbench 94 The ER Design Process 101 Identifying the Entities 102 Identifying Relationships and Their Semantic Information 103 Defining the Attributes 106 Deciding on Primary Keys 106 Foreign Keys 109 Subtypes 112 Physical Design 112 From ER Diagram to Physical Design 113 NULLS 114 Normalization 117 First Normal Form (1NF) 117 Second and Third Normal Forms (2NF and 3NF) 119 Fourth Normal Form (4NF) 120 Constraints 121 MySQL Constraints 121 Constraints with MySQL Triggers 122 Transactions 130

6 Database Security 132 Backup and Recovery 132 Network Security 133 Access Control 133 Performance Optimization 134 Do You Have a Good Database? 135 Developing an Object-Relational Mapping Layer 135 Chapter Summary 137 Chapter 5: Application Structure 139 Accessing MySQL from PHP 139 Connecting with PDO 140 Database Credentials 143 Executing SQL Statements with PDO 144 Handling Database Inserts and Updates 147 PHP-Browser Interaction 150 How HTTP Works 150 PHP and Forms 153 Integrating Forms and Databases 157 Choosing Between GET and POST 160 PHP Sessions 160 A Page Framework 163 Page Structure 163 Page Framework Usage 165 Page Framework Files 171 Page Framework Implementation 172 Session Transitions and Login Pages 176 Dealing with Relationships 179 Forms with Foreign Keys 179 Handling Many-to-Many Relationships 185 Chapter Summary 189 xi

7 # Chapter 6: Security, Forms, and Error Handling 191 PHP Security Overview 191 The Computer Has to Be Secured 191 Password Strength 192 Hashing Passwords 193 Storing Hashed Passwords 194 Two-Factor Authentication 194 SQL Injection 195 Cross-Site Scripting 195 Cross-Site Request Forgery 197 Clickjacking 198 Reversed CSS Attacks 202 Submitting Requests with POST 202 Security Summary 204 Forms 205 Basic Form Class 205 Text Fields, Labels, and Buttons 206 Foreign Keys 207 Check Boxes 209 Radio Buttons and Menus 209 Dates 210 Password-Strength Feedback 212 The User Table and Password Management 213 The User Table 214 User Table Constraints 214 The Security Class 215 Getting Hashes from the Database 220 Checking the Password and Verification Token 221 xii

8 Logging In and Handling Forgotten Passwords 222 Logging In with the Login Form (Phase 1) 224 HTTP Authentication 226 Verifying the Login (Phase 2) 227 Sending an Authentication Code 229 Checking the Verification Code and Completing 2FA Phase Temporary Passwords 231 Changing a Password 234 Using a YubiKey for 2FA Phase Setting the YubiKey Identifier 237 Verifying a YubiKey OTP 238 Comparing SMS/Voice and YubiKey 239 Error Handling 239 Error Message Usability 239 Catching Errors 240 Logging Errors 241 Hiding Errors 242 Translating Errors 242 Chapter Summary 247 Chapter 7: Reports and Other Outputs 249 Queries as Reports 249 Role-Based Access Control 254 RBAC in MySQL 255 RBAC Database Tables 255 Implementing RBAC with the Access Class 259 Hierarchy of Access 261 The Report Class: HTML and CSV Output 262 Report::html Method 262 About Character Sets 263 Report::csv Method 264 xiii

9 Generating PDFs from PHP 265 About PDFs and PDF Libraries 265 A Simple FPDF Example 266 FPDF Drawing Methods 267 FPDF::MultiCell Method 271 Writing Tables with FPDF 272 FPDF Headers and Footers 274 More FPDF 274 The Report Class: PDF Output 275 Using the Report Class to Build Reports 279 A Generalized Reports Page 280 Chapter Summary 282 : Chapter 8: Data Conversion 283 Conversion in the Development Process 283 Convert Early 283 Convert Often 284 Conversion Sources 284 Enumerating Conversion Sources 284 Static vs. Dynamic Sources 285 Connecting Directly to the Source Database 285 Export Formats 285 Generating Conversion Programs Automatically 286 Dates. Times, and Character Conversion 289 Wacky Date Formats 289 Handling Times 291 Character Conversions 291 After Conversion 292 Testing the Converted Data 292 Fixing Bad Data 292 Keeping Unconverted Data 293 xiv

10 Variant Names 294 Consolidate After Conversion 294 Discovering Name Variants 295 Organizing the Database Search 295 Replacing Foreign Keys 301 Finding the Foreign Keys 303 Marking Replaced Rows 305 Chapter Summary 305 Index 307 XV