Server-side: PHP and MySQL (continued)


Some remarks (outline of this part):
  - check on a variable: isset( $variable )?
  - more functionality in a single form
  - more functionality in a single PHP file
  - updating the database
  - data validation at the server side (always)
  - regular expressions with PHP

mysql_real_escape_string

Problems with the mysql_real_escape_string() function were reported. The mysql_real_escape_string(..) function requires a connection to the database to be open. If one isn't open it will try to open one with the existing defaults. All you need to do is make sure you connect to the MySQL database before using mysql_real_escape_string(..).

Caveat (this is 2009 material): the whole mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0. Escaping also only protects the quoted string positions you remember to escape. With mysqli or PDO, prepared statements with bound parameters keep the data out of the SQL text altogether, and do not depend on an open connection at the moment of escaping.

Suggestion: the "here document" variant of PHP's echo:

  echo <<<XXX
  ..
  XXX;

For instance:

  echo <<<END
  This uses the "here document" syntax to output
  multiple lines with $variable interpolation. Note
  that the here document terminator must appear on a
  line with just a semicolon. No extra whitespace!
  END;

(Up to PHP 7.2 the closing identifier had to start in the first column; since PHP 7.3 it may be indented, and the output is then de-indented by the same amount.)

  echo <<<MYEND
  <form action="" method="post" name="userinput" >
    <b><i>your query-command:</i></b>
    <input type="text" name="querytext" value="$querytext" size="0" />
    <input type="submit" value="submit query" />
  </form>
  MYEND;

Note that $querytext is interpolated into the HTML attribute unescaped: whatever the previous request contained is reflected straight back into the page (a double quote in it already breaks the attribute, a script tag runs). Pass it through htmlspecialchars() before echoing it.

Example with more 'submits' in one form:

  <html><head><title>more submits</title></head>
  <body>
  <h3>example with more 'submits'</h3>
  <form id="myform" action="http://www.../echoformdata.php" method="post" >
  <table>
  <tr><td>membernr.:</td><td><input type="text" name="number" /></td></tr>
  <tr><td>firstname:</td><td><input type="text" name="firstname" size="8" /></td></tr>
  <tr><td><input type="submit" name="idsubmit" value="Change" /></td>
      <td><input type="submit" name="idsubmit" value="Delete" /></td></tr>
  </table>
  </form>
  </body></html>

Response from the server side (echoformdata.php) after clicking "Change":

  Next form data arrived by 'POST'-method:
  number = 1
  firstname = Alice
  idsubmit = Change

and after clicking "Delete":

  Next form data arrived by 'POST'-method:
  number = 1
  firstname = Alice
  idsubmit = Delete

Only the button that was actually clicked is submitted, so the server can see which one it was:

  if ( isset( $_POST['idsubmit'] ) ) {
      $idsubmit = $_POST['idsubmit'];
      ....
      if ( $idsubmit == "Delete" )      // perform Delete-operation
          ....
  }

The value of a submit button is sent by the client and can be anything; compare it against the known values and treat everything else as "no action".

RU Nijmegen, spring 2009

More functionality in a single PHP file

  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">
  <html><head><title>combining functionality in one file</title>
  <link href="mystyles.css" rel="stylesheet" type="text/css" />
  <script src="javascripts.js" type="text/javascript"></script></head>
  <body>
  <div class="top">
  <?php include "top.inc"; ?>
  </div>
  <div class="main">
  <?php
  if ( ! isset( $_POST['fullname'] ) ) {
      include 'startform.html';      <= only shown at startup
  } else {
      include 'startform.html';      <= so the form is in fact always shown
      include 'request.php';         <= shown at second call (with a posted fullname)
  }
  ?>
  </div>
  </body></html>

Alternatives for the test (more or less..):

  if ( empty( $_POST['fullname'] ) )
  if ( $_POST['fullname'] )           // n.p.

The last one reads a key that does not exist on the first call, which PHP reports as a notice (a warning since PHP 8); isset() and empty() are defined exactly for this situation.

Later we'll look at the alternative: startform.php.

Content of startform.html:

  <h3>the 'startform.html'-part</h3>
  <form name="testform" method="post" action="" >
  <table>
  <tr><td>name:</td> <td><input type="text" name="fullname" value="" /></td></tr>
  <tr><td>age:</td>  <td><input type="text" name="age" value="" /></td></tr>
  <tr><td><input type="submit" value="submit" /></td>
      <td><input type="reset" value="reset" />
          <input type="button" value="clear" onclick="clear_all();"/></td></tr>
  </table>
  </form>

action="" means: the action file is the same as the actual file.

Content of request.php:

  $fullname = $_POST['fullname'];
  $age      = $_POST['age'];
  echo "<p />Received: values: '$fullname' and '$age' to..";

After the submit the fields of the form are empty. Why? Because startform.html hard-codes value="" for both fields. (Also note that request.php echoes the received values unescaped; use htmlspecialchars() on anything that came from the client.)

More functionality in one single PHP file (cont.)

Content of startform.php: different behaviour the first time versus the second time.

  $fullname = isset( $_POST['fullname'] ) ? $_POST['fullname'] : '';
  $age      = isset( $_POST['age'] )      ? $_POST['age']      : '';
  echo <<<END
  <h3>the 'startform.php'-part</h3>
  <form name="testform" method="post" action="" >
  <table>
  <tr><td>name:</td> <td><input type="text" name="fullname" value="$fullname" /></td></tr>
  <tr><td>age:</td>  <td><input type="text" name="age" value="$age" /></td></tr>
  <tr><td><input type="submit" value="submit" /></td>
      <td><input type="reset" value="reset" />
          <input type="button" value="clear" onclick="clear_all();"/></td></tr>
  </table>
  </form>
  <script>document.testform.fullname.select(); </script>
  END;

The posted values are now put back into value="..." so the user sees what was entered. They go in unescaped: a name containing a double quote breaks out of the attribute, so in practice escape them with htmlspecialchars() first.

Test with isset(..)

  <html><head><title>test with isset(..)</title></head>
  <body>
  <h3>test with isset(variable)</h3>
  <form action="http://.../testwithisset.php" method="post" >
  Give a number value: <input type="text" name="number" size="5" />
  <p><input type="submit" value="calculate square" /></p>
  </form>
  <hr />
  <?php
  if ( isset( $_POST['number'] ) ) {
      $number = $_POST['number'];
      echo "<h3>we received number = $number</h3>";
      $square = $number * $number;
      echo "Its square-value is: $square<br />";
  }
  echo "<form action=\"http://.../testwithisset.php\" method=\"post\">\n";
  echo "Give your firstname: <input type=\"text\" name=\"firstname\" /> ";
  echo "<p><input type=\"submit\" value=\"send name\" /></p>\n";
  echo "</form>\n";
  echo "<hr />";
  if ( isset( $_POST['firstname'] ) ) {
      $firstname = $_POST['firstname'];
      echo "<p>hello $firstname, glad to see you</p>";
      if ( ! isset( $_POST['number'] ) )
          echo "In this part we don't know a variable 'number' ";
  }
  echo "<hr />";
  ?>
  </body></html>

Each form only sends its own fields, so after the second form is submitted $_POST['number'] is not set (and vice versa); isset() is the check for that.
Updating the database

The SQL command for deleting data from a table is:

  DELETE FROM table_name WHERE <condition>

Syntax of the SQL UPDATE command:

  UPDATE table_name SET column_name_1 = new_value_1, column_name_2 = new_value_2 WHERE <condition>

Do not forget the WHERE part: a DELETE without WHERE empties the whole table (all records in that table are deleted), and an UPDATE without WHERE changes every row.

  $query = "UPDATE Members SET Address = \"$Address\", Cityname= \"$Cityname\" WHERE Membernr= \"$Membernr\" ";

Caveat: this builds the statement by pasting the values into the SQL text. MySQL accepts both " and ' around string literals, so a value containing a double quote ends the literal early and the rest of the value becomes SQL, WHERE clause included; if the three variables came from the request (extract($_POST), next slides) the client decides which rows are updated. Use a prepared statement with bound parameters (mysqli or PDO) instead of string building.
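To make the caveat concrete, the following is an added example (not code from the slides) that runs the slide's interpolated UPDATE next to a prepared-statement version. It uses an in-memory SQLite database through PDO so it runs stand-alone (it assumes the pdo_sqlite extension is available); the Members table, its rows and the attacker's input are constructed for the demo. Single quotes are used for the literals, which MySQL accepts just like the slide's double quotes, and MySQL is affected by the injection in exactly the same way.

```php
<?php
// Added example: interpolated UPDATE (as on the slide) versus a prepared statement.
// Constructed data: an in-memory SQLite table with three members.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Members (Membernr INTEGER PRIMARY KEY, Address TEXT, Cityname TEXT)");
$db->exec("INSERT INTO Members VALUES (1, 'Main St 1', 'Nijmegen'),
                                      (2, 'Park Ln 2', 'Arnhem'),
                                      (3, 'High Rd 3', 'Utrecht')");

// The slide's construction: every value is pasted straight into the SQL text.
function update_interpolated(PDO $db, string $Address, string $Cityname, string $Membernr): int {
    $query = "UPDATE Members SET Address = '$Address', Cityname = '$Cityname'"
           . " WHERE Membernr = '$Membernr'";
    return $db->exec($query);          // number of affected rows
}

// Hardened version: the statement text is fixed, the values travel as
// parameters and are compared as data; they can never alter the WHERE clause.
function update_prepared(PDO $db, string $Address, string $Cityname, string $Membernr): int {
    $stmt = $db->prepare("UPDATE Members SET Address = :addr, Cityname = :city"
                       . " WHERE Membernr = :nr");
    $stmt->execute([':addr' => $Address, ':city' => $Cityname, ':nr' => $Membernr]);
    return $stmt->rowCount();
}

function dump_members(PDO $db): void {
    foreach ($db->query("SELECT * FROM Members ORDER BY Membernr") as $row) {
        echo "  {$row['Membernr']}  {$row['Address']}  {$row['Cityname']}\n";
    }
}

// A "member number" that was supposed to select one row. Interpolated, the
// WHERE clause becomes   WHERE Membernr = '1' OR '1'='1'   which is true for every row.
$malicious = "1' OR '1'='1";

echo "interpolated, affected rows: ", update_interpolated($db, 'pwned', 'pwned', $malicious), "\n";
dump_members($db);                     // all three rows now read pwned / pwned

// Bound as a parameter the same string is just a value; no member has that number.
echo "prepared with the same input, affected rows: ",
     update_prepared($db, 'Restored', 'Nijmegen', $malicious), "\n";
echo "prepared with a real number, affected rows: ",
     update_prepared($db, 'Main St 1', 'Nijmegen', '1'), "\n";
dump_members($db);                     // only row 1 restored, rows 2 and 3 still pwned
```

The prepared version still happily updates row 1 when asked to; what it removes is the client's ability to turn one value into extra SQL. Validating that Membernr is an integer before the query (filter_var with FILTER_VALIDATE_INT) is a sensible second layer, but not a replacement for parameters.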

The PHP function extract()

extract -- Import variables into the current symbol table from an array. Instead of

  $membernr = $_POST['membernr'];
  $amount   = $_POST['amount'];

one can write

  extract( $_POST );

Example: php-test on not Empty (test.php)

  <html><head><title>php-test on not Empty</title></head>
  <body>
  <?php
  function isempty( $somevar ) {
      return ( strlen( $somevar ) == 0 );
  }

  extract( $_POST, EXTR_SKIP );   // if there is a $_POST['firstname'],
                                  // we will get the associated $firstname
  if ( ! isset( $firstname ) ) {
      echo "<form action=\"http://.../php/test.php\" method=\"post\" >\n";
      echo "Give firstname: <input type=\"text\" name=\"firstname\" />\n";
      echo "<p><input type=\"submit\" value=\"submit to test on server\" /></p>\n";
      echo "</form>\n";
  } else {
      echo "We received: \$firstname = $firstname ";
      if ( isempty( $firstname ) )          // test on server side
          echo "<br />String is empty... we shall NOT proceed... ";
      else
          echo "<br />String is not empty... we may proceed...";
  }
  ?>
  </body></html>

Output at the first call (no POST data):

  <html> <head><title>php-test on not Empty</title></head>
  <form action="http://localhost/b3/php/test.php" method="post" >
  Give firstname: <input type="text" name="firstname" />
  <p><input type="submit" value="submit to test on server" /></p>

After submitting an empty field:

  <html> <head><title>php-test on not Empty</title></head>
  We received: $firstname = <br />String is empty... we shall NOT proceed...

After submitting "Alice":

  <html> <head><title>php-test on not Empty</title></head>
  We received: $firstname = Alice <br />String is not empty... we may proceed...

(isempty() is the lecture's own helper, not PHP's built-in empty(): the built-in also treats the string "0" as empty, which is why a length test is used here.)

The PHP function extract() + a warning

extract: Import variables into the current symbol table from an array.

Syntax: int extract ( array $var_array [, int $extract_type [, string $prefix ]] )

This function is used to import variables from an array into the current symbol table. The function returns the number of variables extracted. It takes an associative array var_array and treats keys as variable names and values as variable values. For each key/value pair it will create a variable in the current symbol table, subject to the extract_type and prefix parameters. extract() also checks for collisions with existing variables in the symbol table. The way invalid/numeric keys and collisions are treated is determined by the extract_type. It can be one of the following values:
  EXTR_OVERWRITE: if there is a collision, overwrite the existing variable.
  EXTR_SKIP: if there is a collision, don't overwrite the existing variable.
  (and many more)

Warning: do not use extract() on untrusted data, like user input ($_GET, ...). If you do, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP.

Extract: a word of caution

As stressed in the PHP manual, avoid using extract() on the superglobal arrays ($_GET, $_POST etc.). Doing so has the same effect as having register_globals switched on and will result in security holes in your code: every request parameter becomes a PHP variable, so a client can pre-set any variable the script only expects to set itself. If you absolutely have to do this, then make sure that you pass configuration options to extract() to ensure it doesn't overwrite existing variables, by prepending a standard prefix to each variable (EXTR_PREFIX_ALL) or by skipping variables which already exist (EXTR_SKIP):

  extract( $_POST, EXTR_SKIP );
  extract( $_GET, EXTR_SKIP );

Another possible construction is:

  foreach ( $_POST as $key => $value )
      if ( isset( $$key ) )
          $$key = $value;

This only assigns to variables that already exist, so each expected field must be initialised with a default first. The flip side: it overwrites any variable already in scope, whatever its purpose (a database password, a flag set earlier in the script), as soon as the client sends a field with that name. Reading each expected field explicitly, e.g. $x = isset($_POST['x']) ? $_POST['x'] : '', is the safest of the three.

More functionality in a single PHP file, including server-side validation

  <div class="top">
  <?php include "top.inc"; ?>
  </div>
  <div class="main">
  <?php
  if ( ! isset( $_POST['fullname'] ) ) {
      include 'startform.php';
  } else {
      include 'phpfunctions.php';
      $errors = check_values();
      if ( $errors == "" ) {
          include 'request.php';
      } else {
          include 'startform.php';
          echo "<script> document.testform.age.select(); alert( '$errors' ); </script> ";
      }
  }
  ?>
  </div>

($errors is inserted into a JavaScript string literal; that is only safe because the messages are fixed strings from phpfunctions.php. Never put a client-supplied value in there.)
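As an added example (not code from the slides), the following shows the explicit alternative to extract($_POST) recommended above, and applies it to the earlier "more submits" form (number, firstname, idsubmit) together with the isset() check and the dispatch on the clicked button. The $_POST bodies, the $dbpassword variable and the handler texts are constructed for the demo.

```php
<?php
// Added example: allow-listed reading of form fields instead of extract($_POST),
// escaped output, and dispatch on the submit button's value.

// Pull only the expected fields out of an input array, with defaults. Anything
// else the client sent (e.g. a key named like one of our own variables) is ignored.
function read_fields(array $input, array $expected): array {
    $out = [];
    foreach ($expected as $name => $default) {
        $out[$name] = (isset($input[$name]) && is_string($input[$name]))
                    ? trim($input[$name]) : $default;
    }
    return $out;
}

// Escape before echoing: a value like <script> posted in 'firstname' must show
// up as text, not run in the browser of whoever views the response.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same idea as the slide's  if ($idsubmit == "Delete") ...  but the accepted
// button values are enumerated, so an unexpected value reaches no handler.
function dispatch(array $input): string {
    $f = read_fields($input, ['number' => '', 'firstname' => '', 'idsubmit' => '']);
    switch ($f['idsubmit']) {
        case 'Change':
            return "would UPDATE member " . h($f['number']) . " to name " . h($f['firstname']);
        case 'Delete':
            return "would DELETE member " . h($f['number']);
        default:
            return "no action: unknown submit button '" . h($f['idsubmit']) . "'";
    }
}

$dbpassword = 'secret';   // a variable that extract($_POST) could have clobbered

// Constructed request bodies, as PHP would have parsed them into $_POST.
$requests = [
    ['number' => '1', 'firstname' => 'Alice', 'idsubmit' => 'Change'],
    ['number' => '1', 'firstname' => 'Alice', 'idsubmit' => 'Delete'],
    ['number' => '1', 'firstname' => '<script>alert(1)</script>', 'idsubmit' => 'Change'],
    ['number' => '1', 'idsubmit' => 'Drop', 'dbpassword' => 'attacker'],
];
foreach ($requests as $post) {
    echo dispatch($post), "\n";
}
echo "dbpassword is still: $dbpassword\n";   // untouched: extract() was never called
```

The third request prints the script tag as &lt;script&gt;..., and the fourth neither runs a handler nor touches $dbpassword; with extract($_POST) (even with EXTR_SKIP, if $dbpassword had not been set yet) the last field would have become a variable in the script.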

More functionality, including server-side validation (cont.)

Content of the file phpfunctions.php:

  function check_age_value() {
      $age = $_POST['age'];
      if ( ! is_numeric( $age ) )
          return " - Age must be numeric\\n";
      if ( $age < 0 || $age > 100 )
          return " - Age must be between 0 and 100\\n";
      return "";
  }

  function istooshort( $somevar ) {
      return ( strlen( $somevar ) <= 3 );
  }

  function check_values() {
      $errors = "";
      $fullname = $_POST['fullname'];
      if ( istooshort( $fullname ) )
          $errors = " - Name is too short\\n";
      $errors = $errors . check_age_value();
      if ( $errors != "" )
          $errors = "Error(s):\\n" . $errors;
      return $errors;
  }

("\\n" in a double-quoted PHP string yields the two characters \n, which the alert() in the calling page interprets as a line break.)

Regular expressions

Regular expressions can also be used in PHP programming. Again: anything you can do with regular expressions can also be done by just coding (in PHP, JavaScript etc.), line after line, to get the same desired effect; so you are not forced to use regular expressions.

Functions (in PHP):
  preg_match()
  ereg() and eregi()
  ereg_replace() and eregi_replace()
  split()

(The ereg family and split() were deprecated in PHP 5.3 and removed in PHP 7.0; use the preg_* functions.)

Example: how to verify a Canadian postal code with a regexp in PHP?

  if ( ! preg_match( "/^[a-z]\d[a-z] ?\d[a-z]\d$/i", $postalcode ) )
      echo "Your postal code has an incorrect format. ";

(The format is A1A 1A1 with an optional space; the i modifier makes the letter classes case-insensitive. Note that $ also matches just before a final newline, so "K1A 0B1\n" passes this test; add the D modifier, /.../iD, or use \z instead of $, when the match must be exact.)

Reference: http://nl.php.net/manual/en/reference.pcre.pattern.syntax.php

Sending mail

We can send mail simply via PHP scripts, with the built-in function mail:

  mail( $receiver, $subject, $message, $extras )

All arguments are strings. $extras allows additional information (headers) to be passed, e.g. From, Cc, Bcc.

See mail.php and sendmail.php; also see mail() in the PHP manual.

Caveat: the headers in $extras are separated by CRLF. If any part of them comes from a form field (a "your e-mail address" box used for From), a value containing a line break lets the sender append headers of their own, such as extra Bcc recipients (mail header injection). Reject values containing \r or \n before passing them to mail().
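The following is an added example (not the slides' phpfunctions.php) that redoes check_values() without the pitfalls mentioned above: the age is checked with filter_var() instead of is_numeric(), the postal code with an exactly anchored preg_match(), and a From address, as it would go into mail()'s $extras, is checked for header injection. The inputs are constructed test cases; the field names and limits (name longer than 3 characters, age 0..100) follow the slide.

```php
<?php
// Added example: server-side validation of the form fields from the slide.

function check_name(string $name): string {
    return strlen($name) <= 3 ? " - Name is too short\n" : "";
}

function check_age(string $age): string {
    // is_numeric() also accepts floats and exponent forms such as "42.0" and "1e2";
    // FILTER_VALIDATE_INT accepts only a plain integer, here within 0..100.
    $n = filter_var($age, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 0, 'max_range' => 100]]);
    return $n === false ? " - Age must be an integer between 0 and 100\n" : "";
}

function check_postal(string $code): string {
    // The D modifier makes $ match only at the very end of the string; without it
    // "K1A 0B1\n" (a trailing newline from some clients) would pass the check.
    return preg_match('/^[a-z]\d[a-z] ?\d[a-z]\d$/iD', $code) === 1
        ? "" : " - Postal code has an incorrect format\n";
}

function check_from(string $from): string {
    // CR or LF inside a header value starts a new header line for the mailer:
    // "a@example.com\r\nBcc: x@example.net" would add a hidden recipient.
    if (preg_match('/[\r\n]/', $from) === 1) {
        return " - From address must not contain line breaks\n";
    }
    return filter_var($from, FILTER_VALIDATE_EMAIL) === false
        ? " - From address is not valid\n" : "";
}

// Returns "" when all fields are fine, otherwise the collected error lines.
function check_values(array $post): string {
    $errors  = check_name($post['fullname'] ?? '');
    $errors .= check_age($post['age'] ?? '');
    $errors .= check_postal($post['postalcode'] ?? '');
    $errors .= check_from($post['from'] ?? '');
    return $errors === "" ? "" : "Error(s):\n" . $errors;
}

// Constructed $_POST bodies: one valid, three with typical bad input.
$cases = [
    ['fullname' => 'Alice Smith', 'age' => '42',   'postalcode' => 'K1A 0B1',   'from' => 'alice@example.com'],
    ['fullname' => 'Al',          'age' => '1e2',  'postalcode' => 'K1A0B1',    'from' => 'alice@example.com'],
    ['fullname' => 'Alice Smith', 'age' => '150',  'postalcode' => "K1A 0B1\n", 'from' => "alice@example.com\r\nBcc: victim@example.net"],
    ['fullname' => 'Alice Smith', 'age' => '42.0', 'postalcode' => '12345',     'from' => 'not an address'],
];
foreach ($cases as $post) {
    $result = check_values($post);
    echo json_encode($post), " => ", ($result === "" ? "OK" : "\n" . $result), "\n";
}
```

Only the first case is accepted; the second shows that "1e2" is numeric but not an integer, the third that the D modifier and the line-break test catch the trailing newline and the injected Bcc header, and the fourth that "42.0" and a five-digit code are rejected. Checks like these belong on the server even when JavaScript already validates in the browser, since the client side can be skipped entirely.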

Exercise: several operations on a payment from one screen

Use one screen [at least in the eyes of a user] from which several operations on a payment can be carried out. If you enter a value in the field Betalingnr (payment number) and click the Zoek (search) button, the data of that payment are looked up in the database and shown. (The name of the member concerned is looked up as well and shown read-only...) Once the data are shown, changes can be made as desired and sent to the database for updating via the Verander (change) button. Via Verwijder (delete) [only] that particular payment should be removed from the database. N.B. You obviously cannot change the payment number of an existing payment.