Learning MySQL. Chapter 14 PHP

Transcription

1 Learning MySQL Chapter 14 PHP T Hills

2 Objectives PHP Overview Strings Arrays Manipulating Variables Displaying Information Conditional Statements Loops Functions Errors

3 Objectives Original PHP MySQL Library PHP Improved Library MySQL Errors Modularizing Code PHP Super Global Variables User Input SQL Injection Attacks Sessions

4 PHP Overview PHP was designed as a simple procedural programming language with syntax similar to C, C++, Java, JavaScript and Perl To use you enclose php code in <?php?> tags // - Comment a single line /* */ - A block comment All variables in php must start with a $

5 Strings Strings in php can be enclosed in single quotes or double quotes A string in a single quotes does not interpret variables Strings are concatenated in php with the. (dot) operator

6 Arrays Arrays in php can be numerically indexed or associative arrays $myarray = array(25,50,80); You could print the 50 in the array with the command: echo($myarray[1]); $myarray = array( young => 25, middle => 50, old => 80); You could print the 50 in the array with the command: echo($myarray[ middle ]); echo($myarray[1];

7 Manipulating Variables PHP supports common mathematical operators + * / = = -= *= /=

8 Displaying information print() or echo() Print the data in parenthesis out to the screen printf() Print a formatted string echo<<<here data HERE; This will print everything between the beginning and ending HERE The ending HERE must be flush against the left margin

9 Conditional Statements PHP supports standard comparison operators == > < >= <=!= === Are variables equal and of the same type PHP supports if and if else statements PHP supports switch...case statements

10 Conditional Variables PHP has several useful functions for testing variable states isset($variable) Does the variable exist and have a value empty($variable) Does the variable exist and have a meaningful value

11 Loops PHP supports for loops PHP supports while and do...while loops PHP supports a foreach loop that makes it simple to iterate through an array $myarray = array( one, two, three ); foreach($myarray as $element) { echo($element); }

12 Functions PHP has many built-in functions such as isset and empty You can declare your own functions $a = 2; $b = 2; $c = addstuff($a, $b); function addstuff($num1, $num2) { return($num1 + $num2); }

13 Functions Variables can be passed by reference by placing a & (ampersand) in front of the variable name

14 Errors On a production machine verbose errors should not be displayed To turn on error reporting for testing you can: Modify the display_errors line in the php.ini file Add the line ini_set( display_errors, true); to the top of every php file

15 Original PHP MySQL Library resource mysql_connect(string hostname, string username, string password) Returns a resource handle on success or false on fail boolean mysql_select_db(string database, resource connection) Attempts to use the specified database

16 Original PHP MySQL Library mixed mysql_query(string query, resource connection) For SELECT, SHOW, EXPLAIN or DESCRIBE it returns a handle that can be assigned to a variable and then displayed For UPDATE, INSERT or DELETE it returns true or false array mysql_fetch_array(resource result) Return the result as an array

17 Original PHP MySQL Library int mysql_insert_id(resource connection) If using an AUTO_INCREMENT column this tells you what number was used int mysql_affected_rows(resource connection) How many rows were modified by the previous query int mysql_num_rows(resource result) How many rows did the previous SELECT statement return

18 PHP Improved MySQL Library resource mysqli_connect(string hostname, string username, string password, string database) Connect to the server and use a database mixed mysqli(resource connection, string query) Same as the original but the parameters are reversed Also mysqli_fetch_array, mysqli_insert_id and mysqli_num rows

19 PHP Improved MySQL Library The improved library offers better performance Support for encryption and compression Prepared statements Object-oriented statements Transaction control Profiling Distribution and replication functions

20 MySQL Errors Test all MySQL functions and make sure they return valid data die(message) Will abort processing and send the message to the browser MySQLi functions provide access to the error message and numerical error code on connection attempts mysqli_connect_errno(resource connection) Show the numerical error code mysqli_connect_error(resource connection) Show the error message

21 MySQL Errors After the connection if errors occur you can find the message and code with the old library functions mysql_errono(resoruce connection) mysql_error(resource connection)

22 MySQL Errors On a production system the program should attempt to recover from errors and provide the user with more friendly error messages Errors should be logged by modifying the log_errors parameter in the php.ini file

23 MySQL Errors You can use the fopen, fwrite and fclose functions to do your own logging You can use the mail function to send mail if an error occurs boolean main(string to, string subject, string message) The mail server parameters must be configured in the php.ini file

24 Modularizing Code It is common practice to put commonly used functions and code into a file that can be used by other programs require(string path) Find the file specified and load it into the current program require_once(string path) Find the file specified and load it into the current program If it has already been included then this will be skipped

25 Modularizing Code There are also include and include_once methods that behave like the require functions The difference is that processing will continue if an included file is not found

26 PHP Super Global Variables $_GET[] - Retrieve any variables passed via the URI $_POST[] - Retrieve any variables passed via an html POST request $_SESSION[] - Retrieve any variables in the session $_COOKIE[] - Retrieve any variables stored in cookies set_cookie(string name) $_SERVER[] - Information about the server and the currently running script

27 User Input Limit the length of strings using the substr() function Perform data validation on specific types of input such as dollar amounts, addresses, zip codes, etc The most common way of doing this is through the use of regular expressions

28 SQL Injection Attacks This occurs when a hacker modifies the input on a form to include extra SQL commands For example: $query = SELECT * FROM users WHERE username = '$_POST[username]' AND password = '$_POST[password]' ; The hacker enters in ' OR '' = ' This changes your query to: SELECT * FROM users WHERE username = '' OR '' = '' AND password = '' OR '' = '' The hacker enter in ;DROP TABLE users This changes your query to: SELECT * FROM users WHERE username = ;DROP TABLE users

29 SQL Injection Attacks string mysqli_real_escape_string(resource connection, string data) or string mysql_real_escape_string(string data) Escapes out special SQL characters such as quotes and semicolons Setting magic_quotes_gpc in the php.ini will escape all quotes coming from a http request

30 Sessions Sessions allow you to save the state of variables between pages session_start() Tells the system to either create a new session or retrieve the data from an existing session session_destroy() Gets rid of a session Sessions by default last 24 minutes

31 Summary PHP Overview Strings Arrays Manipulating Variables Displaying Information Conditional Statements Loops Functions Errors

32 Summary Original PHP MySQL Library PHP Improved Library MySQL Errors Modularizing Code PHP Super Global Variables User Input SQL Injection Attacks Sessions