Server-side: PHP and MySQL (continued)

Transcription

1 Server-side: PHP and MySQL (continued) some remarks check on variable: isset ( $variable )? more functionality in a single form more functionality in a single PHP-file updating the database data validation at server-side (always) regular expressions with PHP 1 mysql_real_escape_string mysql_real_escape_string -function were reported The mysql_real_escape_string(..) function requires a connection to the database to be open. If one isn't open it will try to open one with the existing defaults. All you need to do is make sure you connect to the mysql database before using mysql_real_escape_string(..)., -&-. #%/00 /00 /00 Suggestion: the here document - variant of php-echo: echo <<<XXX.. XXX; For instance: echo <<<END This uses the "here document" syntax to output multiple lines with $variable interpolation. Note that the here document terminator must appear on a line with just a semicolon. No extra whitespace END; " #$#%% & '()* + 3 echo <<<MYEND <form action="" method="post" name="userinput" > <b><i>your query-command:</i></b> <input type="text" name="querytext" value="$querytext" size="0" /> <input type="submit" value="submit query" /> MYEND; , <html><head><title>more submits</title></head> <h>example with more 'submits'</h> <form id="myform" action=" method="post" > <tr><td>membernr.:</td><td><input type="text" name="number" size= /></td></tr> <tr><td>firstname:</td><td><input type="text" name="firstname" size=8 /></td></tr> <tr><td><input type="submit" name="idsubmit" value="change" /></td> <td><input type="submit" name="idsubmit" value="delete" /></td></tr> </table> Response from server-side: Next form data arrived by 'POST'-method: number = 1 firstname = Alice idsubmit = Change Next form data arrived by 'POST'-method: number = 1 firstname = Alice idsubmit = Delete or: if ( isset ( $_POST [ 'idsubmit' ]) ).... if ( $idsubmit == "Delete" ) // perform Delete-operation 6 RU Nijmegen, voorjaar 009 1

2 1-&- 6 #% <DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" > <html><head><title>combining functionality in one file</ title> <link href="mystyles.css" rel="stylesheet" type="text/css" /> <script src="javascripts.js" type="text/javascript"></script></head> <div class="top"> include "top.inc" ; <div class="main"> if ( isset ( $_POST [ 'fullname' ) ) include 'startform.html' ; include 'startform.html' ; include 'request.php' ; <= will always be shown Alternatives (more or less..): if ( empty( $_POST ['fullname'] )) if ( $_POST ['fullname'] ) // n.p. <= only shown at startup <= shown at second call (with a posted fullname ) Later: we ll look to the 7 alternative: startform.php 1 -&-#% Content of startform.html : <h>the 'startform.html'-part</h> <form name="testform" method="post" action="" > <tr><td>name:</td> <td><input type="text" name="fullname" value="" /></td></tr> <tr><td>age:</td> <td><input type="text" name="age" value="" /></td></tr> <tr><td><input type="submit" value="submit" /></td> <td><input type="reset" value="reset" /> <input type="button" value="clear" onclick="clear_all();"/> </td></tr> </table> Content of request.php : action="" if action -file is same as actual file Fields are empty Why? $fullname = $_POST['fullname'] ; $age = $_POST['age'] ; echo "<p />Received: values: '$fullname' and '$age' to.." ; 8 More functionality in one single PHP-file (cont. ) Content of startform.php : $fullname = $_POST ['fullname'] ; $age = $_POST ['age'] ; echo <<<END <h>the 'startform.php'-part</h> Different behavior at first time versus at second time <form name="testform" method="post" action="" > <tr><td>name:</td> <td><input type="text" name="fullname" value="$fullname" /></td></tr> <tr><td>age:</td> <td><input type="text" name="age" value="$age" /></td></tr> <tr><td><input type="submit" value="submit" /></td> <td><input type="reset" value="reset" /> <input type="button" value="clear" onclick="clear_all();"/></td></tr> </table> <script>document.testform.fullname.select(); </script> END; 9 3 #: % <html><head><title>test with isset(..)</title></head> <h3>test with isset(variabele)</h3> <form action=" method="post" > Give a number value: <input type="text" name="number" size="5" /> <p><input type="submit" value="calculate square" /> <hr /> if ( isset ( $_POST['number'] ) ) $number = $_POST['number'] ; echo "<h>we received number = $number</h>" ; $square = $number*$number ; echo "Its square-value is: $square<br />" ; echo "<form action=\" method=\"post\">\n"; echo "Give your firstname: <input type=\"text\" name=\"firstname\" /> " ; echo "<p><input type=\"submit\" value=\"send name\" /></p>\n"; echo "<hr />" ; if ( isset ( $_POST['firstname'] ) ) $firstname = $_POST['firstname'] ; echo "<p>hello $firstname, glad to see you</p>" ; if ( isset($_post['number']) ) echo "In this part we don't know a variable 'number' " ; echo "<hr />" ; ; < = 9 10 #1>0% "? 7 #(+@% A >08 B C D >08 #1>0%#% The SQL command for deleting data from a table is: DELETE FROM table_name WHERE <condition> Syntax of the SQL-Update-command: UPDATE table_name SET column_name_1 =, column_name_ = WHERE <conditie> Do not forget the WHERE -part, because if omitted, the whole table will be emptied (all records in that table will be deleted),-&-8 $query = "UPDATE Members SET Address = \"$Address\", Cityname= \"$Cityname\" WHERE Membernr= \"$Membernr\" " ; 11 1 RU Nijmegen, voorjaar 009

3 E, # % 3 5 1>0 8 " 8 extract -- Import variables into the current symbol table from an array 9 39F# 8% $membernr = $_POST [ 'membernr' ] ; $amount = $_POST [ 'amount' ] ; G extract ( $_POST ) ; $ # % C -& &- <html><head><title>php-test on not Empty</title></head> function isempty ( $somevar ) return ( strlen($somevar) == 0) ; # -&- % extract ( $_POST, EXTR_SKIP ) ; // if there is a $_POST['firstname'], // we will get the associated $firstname if ( isset ( $firstname ) ) echo "<form action=\" method=\"post\" >\n" ; echo "Give firstname: <input type=\"text\" name=\"firstname\" />\n" ; echo "<p><input type=\"submit\" value=\"submit to test on server\" /></p>\n" ; echo "\n"; echo "We received: \$firstname = $firstname " ; if ( isempty ( $firstname ) ) // test on server/side echo "<br />String is empty... we shall NOT proceed... " ; echo "<br />String is not empty... we may proceed..." ; 1 E <html> <head><title>php-test on not Empty</title></head> <form action=" method="post" > Give firstname: <input type="text" name="firstname" /> <p><input type="submit" value="submit to test on server" /></p> A% H < #$#: %=9 <html> <head><title>php-test on not Empty</title></head> We received: $firstname = <br />String is empty... we shall NOT proceed... B% <html> <head><title>php-test on not Empty</title></head> We received: $firstname = Alice <br />String is not empty... we may proceed... The PHP-function extract( ) + a warning extract Import variables into the current symbol table from an array Syntax: int extract ( array $var_array [, int $extract_type [, string $prefix ]] ) This function is used to import variables from an array into the current symbol table. The function returns the number of variables extracted. It takes an associative array var_array and treats keys as variable names and values as variable values. For each key/value pair it will create a variable in the current symbol table, subject to extract_type and prefix parameters. extract() also checks for collisions with existing variables in the symbol table. The "#-&-% way invalid/numeric keys and collisions are treated is determined by the extract_type. It can be one of the following values: # % EXTR_OVERWRITE : If there is a collision, overwrite the existing variable. # EXTR_SKIP : If there is a collision, don't overwrite the existing variable.. (and many more) % Warning Do not use extract() on untrusted data, like user-input ($_GET,...). If you do, make sure you use one of the non-overwriting extract_type values such 15 as EXTR_SKIP 16 The PHP-function extract( ) + a warning () Extract: A Word of Caution As stressed in the PHP Manual, avoid using "extract" on the super global arrays ($_GET, $_POST etc). Doing so has the same effect as having register_globals switched on and will result in security holes in your code. If you absolutely have to do this then make sure that you pass configuration options to "extract" to ensure it doesn't overwrite existing variables by prepending a standard prefix to each variable as shown in the example below (or by skipping variables which already exist with option "EXTR_SKIP"): Another possible construction is: extract ( $_POST, EXTR_SKIP ) ; extract ( $_GET, EXTR_SKIP ) ; foreach ($_POST as $key=>$value) if ( isset ( $$key ) ) $$key = $value; 17 More functionality in a single PHP-file, including server-side validation <div class="top"> include "top.inc" ; <div class="main"> if ( isset ( $_POST ['fullname'] ) ) include 'startform.php' ; include 'phpfunctions.php' ; $errors = check_values ( ) ; if ( $errors =="" ) include 'startform.php' ; echo "<script> document.testform.age.select(); alert( '$errors' ) ;</script> " ; include 'request.php' ; 18 RU Nijmegen, voorjaar 009 3

4 More functionality, including server-side validation (cont.) Content of the file phpfunctions.php: function check_age_value ( ) $age = $_POST['age'] ; if ( is_numeric($age) ) $errors = " - Age must be numeric" ; if ( $age<0 $age>100 ) $errors = " - Age must be between 0 and 100"; return "" ; function istooshort ( $somevar ) return ( strlen( $somevar ) <= 3 ) ; function check_values ( ) $fullname = $_POST ['fullname'] ; if ( istooshort ( $fullname )) $errors = " - Name is too short\\n" ; $errors = $errors. check_age_value () ; if ( $errors == "" ) $errors = "Error(s):\\n". $errors ; 19 -&-I6 Regular expressions can also be used in PHP-programming Again: anything you can do with regular expressions, can also be done by just coding (in PHP, avascript etc.), line after line, to get the same desired effect; so: you are not forced to use regular expressions Functions (in PHP): preg_match() ereg() and eregi() ereg_replace() & eregi_replace() split() Example: how to verify a Canadian postal code with a Regexp in PHP? if ( preg_match ("/^[a-z]\d[a-z]?\d[a-z]\d$/i", $postalcode)) echo "Your postal code has an incorrect format. " ; 0 -&- We can send mail simply via PHP scripts Built in function mail: mail ($receiver, $subject, $message, $extras) All arguments are strings $extras allows additional information to be passed Ex: From, Cc, Bcc -&-; ;-&-#% K 5 #)/;"*)/;"*% #% See mail.php and sendmail.php Also see mail() in the PHP manual 1 0 E L,H ;L - EEEH IE 999 M -&-1>0 N 9LL B RU Nijmegen, voorjaar 009

5 M -&-1>0 #% Gebruik één scherm [althans in de ogen van een gebruiker], waarmee diverse operaties op een betaling uitgevoerd kunnen worden. Als je in het veld Betalingnr een waarde invoert en op de Zoek -knop klikt, worden van de betreffende betaling de gegevens in de database opgezocht en getoond. (Ook de naam van het betreffende lid wordt opgezocht en readonly getoond...) Als de gegevens getoond worden, dan kunnen desgewenst wijzigingen worden aangebracht en via de Verander -knop ter aanpassing naar de database worden gestuurd. Via Verwijder zou [alleen] die betreffende betaling uit de database moeten worden verwijderd. N.B. e kunt uiteraard niet het betalingnr van een bestaande betaling veranderen 5 RU Nijmegen, voorjaar 009 5