PHP Refresher: migration to PDO (PHP Data Objects)


Background: PHP & MySQL

Three MySQL APIs in PHP: mysql, mysqli and PDO.

```php
<?php
// mysql
$c = mysql_connect("example.com", "user", "password");
mysql_select_db("database");
$result = mysql_query("SELECT 'Hello, dear MySQL user!' AS _message FROM DUAL");
$row = mysql_fetch_assoc($result);
echo htmlentities($row['_message']);

// mysqli
$mysqli = new mysqli("example.com", "user", "password", "database");
$result = $mysqli->query("SELECT 'Hello, dear MySQL user!' AS _message FROM DUAL");
$row = $result->fetch_assoc();
echo htmlentities($row['_message']);
?>
```

Note that both the mysql and mysqli APIs are highly MySQL specific and not portable between different RDBMS!

Code: Copyright 2001-2013 The PHP Group. Hint: you should use the excellent manual!

PHP Data Objects - PDO

```php
<?php
// PDO
$pdo = new PDO('mysql:host=example.com;dbname=database', 'user', 'password');
$statement = $pdo->query("SELECT 'Hello, dear MySQL user!' AS _message FROM DUAL");
$row = $statement->fetch(PDO::FETCH_ASSOC);
echo htmlentities($row['_message']);
?>
```

Note that the PDO API is not MySQL specific!

Code: Copyright 2001-2013 The PHP Group. Hint: you should use the excellent manual!

Choosing an API

Three MySQL APIs in PHP: mysql, mysqli and PDO.

mysql API
- deprecated from PHP 5.5 onwards: maintenance only, not for new projects
- commonly found in tutorials and textbooks!

mysqli (improved) API
- object oriented and suitable for new projects
- most fully featured for the MySQL RDBMS
- highly MySQL specific and not portable between different RDBMS

PDO
- also object oriented and suitable for new projects
- consistent interface for accessing databases
- ease of switching databases (in theory, just change the connection parameters on a single line)
- drivers for CUBRID, MS SQL Server, Firebird/Interbase, IBM, Informix, MySQL, MS SQL Server, Oracle, ODBC and DB2, PostgreSQL, SQLite & 4D
- object oriented, requiring the OO features of PHP 5 core
- prepared statements and bind values are more secure
- ORM-like features (Object Relational Mapping): fields within a record become properties of an object
- a common feature of MVC frameworks
- some employers insist on PDO

http://www.php.net/manual/en/mysqlinfo.api.choosing.php
Hint: you should use the excellent manual!

PDO Concepts

PHP -> PDO -> DB driver -> Database

- PDO: database abstraction layer, a consistent interface for accessing different databases
- DB driver: required for your chosen database
- Database: the database technology of your choice

PDO - PHP Data Objects

The PDO extension defines a lightweight, consistent interface for accessing databases in PHP. PDO provides a data-access abstraction layer, which means that, regardless of which database you're using, you use the same functions to issue queries and fetch data.

```php
<?php
try {
    $dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
    foreach ($dbh->query('SELECT * FROM FOO') as $row) {
        print_r($row);
    }
    $dbh = null;
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}
?>
```

Code: Copyright 2001-2013 The PHP Group. Hint: you should use the excellent manual!

PDO: Prepared statements, placeholders and bind values

```php
$stmt = $dbh->prepare("INSERT INTO REG (name, value) VALUES (:name, :value);");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();
```

The parameters to prepared statements don't need to be quoted; the PDO driver automatically handles this.

```php
$stmt = $dbh->prepare("INSERT INTO REG (name, value) VALUES (?, ?);");
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);

// insert another row with different values
$name = 'two';
$value = 2;
$stmt->execute();
```

If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur.

Note that the PDO functions are not MySQL specific!

MySQL functions lack prepared statements, placeholders and bind values

```php
// insert a third row with different values
$name = 'three';
$value = 3;
$res = mysql_query("INSERT INTO REG (name, value) VALUES ('$name', $value);");
```

Note that the string variable must be enclosed in quotes for valid SQL. String interpolation is open to SQL injection attack.

```php
// insert a fourth row with different values
$name = 'four';
$value = 4;
$res = mysql_query("INSERT INTO REG (name, value) VALUES ('" . $name . "', " . $value . ");");
```

Note that the string variable has been enclosed in single quotes for valid SQL. String concatenation is open to SQL injection attack.

Note that these functions are very MySQL specific and less secure!
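The contrast drawn on the last two slides (interpolated SQL versus bound parameters) can be seen directly. The following is an added example, not code from the slides: it runs against an in-memory SQLite database so it works offline, the REG table and the sample name are constructed here, and it uses bindValue() with explicit PDO::PARAM_* types where the slides use bindParam(). The name contains an ordinary apostrophe, which is enough to break the interpolated statement while the prepared statement stores it intact.

```php
<?php
// Added example (not from the slides): string interpolation versus a PDO prepared
// statement, on an in-memory SQLite database. Table and data are constructed here.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE REG (name TEXT NOT NULL, value INTEGER NOT NULL)");

// A legitimate user-supplied name that happens to contain a quote character.
$name  = "O'Brien";
$value = 5;

// 1) Interpolation (the mysql-style pattern from the previous slide): the quote in
//    $name terminates the SQL string literal, so the statement is malformed. The same
//    mechanism is what lets hostile input rewrite the statement.
try {
    $dbh->exec("INSERT INTO REG (name, value) VALUES ('$name', $value);");
    echo "interpolated insert succeeded (unexpected)\n";
} catch (PDOException $e) {
    echo "interpolated insert failed: the quote in the data broke the SQL\n";
}

// 2) Prepared statement: the value travels separately from the SQL text, so the
//    quote is data, never syntax, and no quoting or escaping is needed.
$stmt = $dbh->prepare("INSERT INTO REG (name, value) VALUES (:name, :value);");
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->bindValue(':value', $value, PDO::PARAM_INT);
$stmt->execute();

// Read it back, again with a bound parameter; the stored name is intact.
$q = $dbh->prepare("SELECT name, value FROM REG WHERE name = ?");
$q->execute([$name]);
$row = $q->fetch(PDO::FETCH_ASSOC);
printf("stored: name=%s value=%d\n", $row['name'], $row['value']);
?>
```

Run it from the command line with the pdo_sqlite extension enabled. The first branch prints the failure message, the second prints the stored row; swapping the DSN for a MySQL one changes nothing in the prepared-statement code, which is the portability point the slides make.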

PDO: error handling

```php
$id = $_GET['id'];
try {
    $dbh = new PDO("mysql:host=localhost;dbname=$database", $username, $password);
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // SQL errors will not be silent
    if (array_key_exists('name', $_GET)) {
        // Update row (marker) with user data
        $name    = $_GET['name'];
        $address = $_GET['address'];
        $type    = $_GET['type'];
        $stmt = $dbh->prepare("UPDATE markers SET name=?, address=?, type=? WHERE id=?;");
        $stmt->execute(array($name, $address, $type, $id));
    } else {
        // Update row (marker) with new position
        $lat = $_GET['lat'];
        $lng = $_GET['lng'];
        $stmt = $dbh->prepare("UPDATE markers SET lat=?, lng=? WHERE id=?;");
        $stmt->execute(array($lat, $lng, $id));
    }
    $dbh = null;
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    print "PHP Line Number: " . $e->getLine() . "<br/>";
    print "PHP File: " . $e->getFile() . "<br/>";
    die();
}
```
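The slide above prints the driver's exception message, file and line straight into the response, which is convenient while developing but tells an outside party about the schema and the server layout. The following added example (not code from the slides) keeps PDO::ERRMODE_EXCEPTION so that SQL errors still surface, but sends the details to the server log with error_log() and returns only a generic message, and it validates the id before it reaches the query. It runs on an in-memory SQLite database; the markers table, its row and the stand-in for $_GET are constructed here.

```php
<?php
// Added example (not from the slides): the marker update with ERRMODE_EXCEPTION,
// server-side logging of failures and input validation. SQLite in memory; the table,
// its single row and the request arrays are constructed for the demonstration.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // SQL errors throw
$dbh->exec("CREATE TABLE markers (id INTEGER PRIMARY KEY, name TEXT, address TEXT, type TEXT, lat REAL, lng REAL)");
$dbh->exec("INSERT INTO markers (id, name, address, type, lat, lng) VALUES (1, 'Cafe', '1 High St', 'food', 51.5, -0.1)");

function updateMarker(PDO $dbh, array $get) {
    // Accept only a positive integer id; anything else never reaches the database.
    $id = filter_var(isset($get['id']) ? $get['id'] : '', FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1)));
    if ($id === false) {
        return 'Invalid marker id.';
    }
    try {
        if (array_key_exists('name', $get)) {
            // Update row (marker) with user data; missing fields become empty strings
            $stmt = $dbh->prepare("UPDATE markers SET name=?, address=?, type=? WHERE id=?;");
            $stmt->execute(array($get['name'],
                                 isset($get['address']) ? $get['address'] : '',
                                 isset($get['type'])    ? $get['type']    : '',
                                 $id));
        } else {
            // Update row (marker) with new position
            $stmt = $dbh->prepare("UPDATE markers SET lat=?, lng=? WHERE id=?;");
            $stmt->execute(array(isset($get['lat']) ? $get['lat'] : null,
                                 isset($get['lng']) ? $get['lng'] : null,
                                 $id));
        }
        return $stmt->rowCount() === 1 ? 'Marker updated.' : 'No such marker.';
    } catch (PDOException $e) {
        // Message, file and line are for the developer: log them, do not display them.
        error_log(sprintf('marker update failed: %s (%s:%d)',
                          $e->getMessage(), $e->getFile(), $e->getLine()));
        return 'Update failed; please try again later.';
    }
}

// Constructed stand-ins for $_GET, so the script can be run from the CLI.
echo updateMarker($dbh, array('id' => '1', 'lat' => '51.51', 'lng' => '-0.12')), "\n"; // Marker updated.
echo updateMarker($dbh, array('id' => '1', 'name' => 'Cafe Nero', 'type' => 'food')), "\n"; // Marker updated.
echo updateMarker($dbh, array('id' => '42', 'lat' => '0', 'lng' => '0')), "\n";  // No such marker.
echo updateMarker($dbh, array('id' => 'abc', 'lat' => '0', 'lng' => '0')), "\n"; // Invalid marker id.
?>
```

Keeping the connection in exception mode is what makes the catch block reachable at all; with the default PDO::ERRMODE_SILENT a failed execute() would simply return false and the update would be lost without any record of it.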

PDO::FETCH_OBJ returns an anonymous object with property names that correspond to the column names returned in your result set (ORM-like behaviour).

```php
require("phpsqlajax_dbinfo.php");

$dom = new DOMDocument("1.0");
$dom->formatOutput = true;
$node = $dom->createElement("products");
$parnode = $dom->appendChild($node);

try {
    $dbh = new PDO("mysql:host=localhost;dbname=$database", $username, $password);
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $stmt = $dbh->prepare("SELECT catid, descr, stocklevel FROM products");
    $stmt->execute();
    while ($result = $stmt->fetch(PDO::FETCH_OBJ)) {
        // ADD TO XML DOCUMENT NODE
        $node = $dom->createElement("product");
        $newnode = $parnode->appendChild($node);
        $newnode->setAttribute("catid", $result->catid);
        $newnode->setAttribute("descr", $result->descr);
        $newnode->setAttribute("stocklevel", $result->stocklevel);
    }
    $dbh = null;
} catch (PDOException $e) {
    // as before
}

header("Content-Type: text/xml");
echo $dom->saveXML();
```

PDO::FETCH_BOUND returns TRUE and assigns the values of the columns in your result set to the PHP variables to which they were bound with the PDOStatement::bindColumn() method.

```php
<?php
try {
    $stmt = $dbh->prepare("SELECT name, email, phone FROM users ORDER BY name ASC;");
    $stmt->execute();
    $stmt->bindColumn('name', $name);
    $stmt->bindColumn('email', $email);
    $stmt->bindColumn('phone', $phone);
    while ($stmt->fetch(PDO::FETCH_BOUND)):
        echo <<<EOD
<tr><form action='' method='post'>
<td>name: <input type='text' value='$name' name='name'></td>
<td>email: <input type='text' value='$email' name='email'></td>
<td>phone: <input type='text' value='$phone' name='phone'></td>
<td>name: <input type='submit' value='update' name='update'></td>
</form></tr>
EOD;
    endwhile;
} catch (PDOException $e) {
    $dbh = null;
    print "Error displaying existing user!: " . $e->getMessage() . "<br/>";
    die();
}
?>
```
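The two fetch modes from the last two slides, run side by side. This is an added example, not code from the slides: it uses an in-memory SQLite database with a constructed users table, one of whose names deliberately contains characters that are special in XML and HTML. It shows that DOMDocument::setAttribute() escapes attribute values on its own, whereas values interpolated into an HTML heredoc (as on the slide above) have to be passed through htmlspecialchars() explicitly. The function names usersAsXml and usersAsHtmlRows are this example's own.

```php
<?php
// Added example (not from the slides): PDO::FETCH_OBJ into a DOM document and
// PDO::FETCH_BOUND into HTML, both with output escaping. SQLite in memory; the users
// table and its two rows are constructed here.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE users (name TEXT, email TEXT, phone TEXT)");
$ins = $dbh->prepare("INSERT INTO users (name, email, phone) VALUES (?, ?, ?)");
$ins->execute(array('Alice <admin>', 'alice@example.com', '555-0100'));
$ins->execute(array("Bob O'Neil", 'bob@example.com', '555-0101'));

// FETCH_OBJ: each row is an object whose properties are the column names.
// The DOM API escapes '<', '&' and quotes in attribute values itself.
function usersAsXml(PDO $dbh) {
    $dom = new DOMDocument('1.0');
    $dom->formatOutput = true;
    $root = $dom->appendChild($dom->createElement('users'));
    $stmt = $dbh->query("SELECT name, email, phone FROM users ORDER BY name ASC");
    while ($u = $stmt->fetch(PDO::FETCH_OBJ)) {
        $node = $root->appendChild($dom->createElement('user'));
        $node->setAttribute('name',  $u->name);
        $node->setAttribute('email', $u->email);
        $node->setAttribute('phone', $u->phone);
    }
    return $dom->saveXML();
}

// FETCH_BOUND: columns are bound to PHP variables that are refreshed on every fetch().
// Nothing escapes these for us, so each value is passed through htmlspecialchars()
// before it lands inside an attribute.
function usersAsHtmlRows(PDO $dbh) {
    $stmt = $dbh->prepare("SELECT name, email, phone FROM users ORDER BY name ASC");
    $stmt->execute();
    $stmt->bindColumn('name',  $name);
    $stmt->bindColumn('email', $email);
    $stmt->bindColumn('phone', $phone);
    $html = '';
    while ($stmt->fetch(PDO::FETCH_BOUND)) {
        $n = htmlspecialchars($name,  ENT_QUOTES, 'UTF-8');
        $e = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
        $p = htmlspecialchars($phone, ENT_QUOTES, 'UTF-8');
        $html .= "<tr><td><input type='text' value='$n' name='name'></td>"
               . "<td><input type='text' value='$e' name='email'></td>"
               . "<td><input type='text' value='$p' name='phone'></td></tr>\n";
    }
    return $html;
}

echo usersAsXml($dbh);       // name="Alice &lt;admin&gt;" in the XML attribute
echo usersAsHtmlRows($dbh);  // value='Alice &lt;admin&gt;' and value='Bob O&#039;Neil'
?>
```

The order of calls in usersAsHtmlRows matters: bindColumn() has to follow execute(), as on the slide, because the column metadata the binding refers to only exists once the statement has run.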

Additional reading

- http://www.php.net/manual/en/mysqlinfo.api.choosing.php
- http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
- http://net.tutsplus.com/tutorials/php/pdo-vs-mysqli-which-should-you-use/
- http://www.php.net/manual/en/book.pdo.php (you should use the excellent manual!)