CS 174: Server-Side Web Programming February 19 Class Meeting

Slides:



Advertisements
Similar presentations
JavaScript I. JavaScript is an object oriented programming language used to add interactivity to web pages. Different from Java, even though bears some.
Advertisements

Copyright © 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 14 Web Database Programming Using PHP.
PHP Server-side Programming. PHP  PHP stands for PHP: Hypertext Preprocessor  PHP is interpreted  PHP code is embedded into HTML code  interpreter.
Copyright © 2007 Ramez Elmasri and Shamkant B. Navathe Slide
Application Development Description and exemplification of server-side scripting language for server connection, database selection, execution of SQL queries.
MySQL in PHP – Page 1 of 17CSCI 2910 – Client/Server-Side Programming CSCI 2910 Client/Server-Side Programming Topic: MySQL in PHP Reading: Williams &
1 PHP and MySQL. 2 Topics  Querying Data with PHP  User-Driven Querying  Writing Data with PHP and MySQL PHP and MySQL.
NMED 3850 A Advanced Online Design January 26, 2010 V. Mahadevan.
School of Computing and Information Systems CS 371 Web Application Programming PHP - Basics Serving up web pages.
CMPE 226 Database Systems September 9 Class Meeting Department of Computer Engineering San Jose State University Fall 2015 Instructor: Ron Mak
CS 174: Web Programming September 23 Class Meeting Department of Computer Science San Jose State University Fall 2015 Instructor: Ron Mak
Creating Dynamic Web Pages Using PHP and MySQL CS 320.
Hello.java Program Output 1 public class Hello { 2 public static void main( String [] args ) 3 { 4 System.out.println( “Hello!" ); 5 } // end method main.
CS 160: Software Engineering October 1 Class Meeting Department of Computer Science San Jose State University Fall 2014 Instructor: Ron Mak
CS 174: Web Programming August 31 Class Meeting Department of Computer Science San Jose State University Fall 2015 Instructor: Ron Mak
PHP PHP: Hypertext Preprocesor Personal Home Page Tools.
CS 174: Web Programming September 2 Class Meeting Department of Computer Science San Jose State University Fall 2015 Instructor: Ron Mak
Just a Little PHP Programming PHP on the Server. Common Programming Language Features Comments Data Types Variable Declarations Expressions Flow of Control.
1Computer Sciences Department Princess Nourah bint Abdulrahman University.
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting PHP & MySQL.
CMPE 226 Database Systems September 23 Class Meeting Department of Computer Engineering San Jose State University Fall 2015 Instructor: Ron Mak
CMPE 226 Database Systems October 7 Class Meeting Department of Computer Engineering San Jose State University Fall 2015 Instructor: Ron Mak
CMPE 226 Database Systems September 2 Class Meeting Department of Computer Engineering San Jose State University Fall 2015 Instructor: Ron Mak
CS 174: Web Programming October 14 Class Meeting Department of Computer Science San Jose State University Fall 2015 Instructor: Ron Mak
Just a Little PHP Programming PHP on the Server. Common Programming Language Features Comments Data Types Variable Declarations Expressions Flow of Control.
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting PHP Basics.
Copyright © 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 14 Web Database Programming Using PHP.
1 PHP Intro PHP Introduction After this lecture, you should be able to: Know the fundamental concepts of Web Scripting Languages in general, PHP in particular.
CS 174: Web Programming November 2 Class Meeting Department of Computer Science San Jose State University Fall 2015 Instructor: Ron Mak
CMPE 226 Database Systems February 16 Class Meeting Department of Computer Engineering San Jose State University Spring 2016 Instructor: Ron Mak
Dr. Abdullah Almutairi Spring PHP is a server scripting language, and a powerful tool for making dynamic and interactive Web pages. PHP is a widely-used,
Introduction to Javascript. What is javascript?  The most popular web scripting language in the world  Used to produce rich thin client web applications.
Web Systems & Technologies
CMPE Database Systems Workshop June 6 Class Meeting
PHP using MySQL Database for Web Development (part II)
Web Database Programming Using PHP
CGS 3066: Web Programming and Design Spring 2017
Review 3 csc242 – web programming.
PHP (Session 1) INFO 257 Supplement.
Introduction to Dynamic Web Programming
CS320 Web and Internet Programming SQL and MySQL
CS 371 Web Application Programming
Web Database Programming Using PHP
Server-Side Application and Data Management IT IS 3105 (Spring 2010)
CMPE Database Systems Workshop June 5 Class Meeting
PHP (PHP: Hypertext Preprocessor)
PHP Introduction.
CMPE 226 Database Systems February 7 Class Meeting
CMPE 226 Database Systems February 14 Class Meeting
CS 174: Server-Side Web Programming February 12 Class Meeting
ISC440: Web Programming 2 Server-side Scripting PHP 3
CS 174: Server-Side Web Programming February 14 Class Meeting
Software Engineering for Internet Applications
PHP Intro/Overview Bird Book pages 1-11,
PHP.
CMPE 226 Database Systems February 28 Class Meeting
Web DB Programming: PHP
HYPERTEXT PREPROCESSOR BY : UMA KAKKAR
Lecture 5: Functions and Parameters
Web Programming Language
Tutorial 6 PHP & MySQL Li Xu
CS3220 Web and Internet Programming SQL and MySQL
CMPE/SE 131 Software Engineering March 9 Class Meeting
Web Programming– UFCFB Lecture
MySQL Web Application Connecting to a MySQL database
PHP an introduction.
CS3220 Web and Internet Programming SQL and MySQL
PHP-II.
Presentation transcript:

CS 174: Server-Side Web Programming February 19 Class Meeting Department of Computer Science San Jose State University Spring 2018 Instructor: Ron Mak (substitute for Fabio Di Troia) www.cs.sjsu.edu/~mak

PHP Syntax Very similar to C. Case sensitive: Case insensitive: End each statement with a semicolon. Case sensitive: variables, constants, array keys class properties and constraints Case insensitive: functions (pre-defined and user-defined) class constructors and methods reserved words

PHP Variables All variable names start with $. PHP is a dynamically typed language. You don’t declare a variable’s type. A variable can be assigned a value of any type. PHP data types scalar: integer, float, boolean, string array object resource NULL

PHP Strings Enclose a string with single or double quotes. Examples: Variables embedded in a double-quoted string are evaluated: But not: "Hello, world!" 'Hello, world!' "It's a nice day." 'Define "string" for me.' "Define \"string\" please." "The first name is $first." 'The first name is $first.'

PHP String Operations The string concatenation operator is . Better: Some string functions: strlen() strtoupper() strtolower() ucwords() capitalize the first letter of every word $name = $last . ", " . $first; $name .= ", Esq."; $name = "$last, $first";

Heredocs Use a heredoc to avoid string quoting issues. Example: $first = "John"; $last = "Smith"; print <<<HERE <table border="1"> <tr> <td>First name:</td> <td>$first</td> </tr> <td> Last name:</td> <td>$last</td> </tr></table> HERE; Must be on a line by itself with no indentation.

PHP Constants Name constants with all uppercase letters, by convention. Constants are not variables, so do not use $. Examples But not: define (PI, 3.1415926); define (HOST_NAME, "localhost"); print "Host name is " . HOST_NAME; print "Host name is HOST_NAME";

Two Kinds of PHP Arrays Indexed array Associative array Indexes are integers. Associative array Indexes are strings. key-value pairs, like a hash table.

Creating PHP Indexed Arrays $bands[] = "Beatles"; $bands[] = "Rolling Stones"; $bands[] = "Queen"; Use the array() function: Specify the first index value. Subsequent elements are indexed incrementally. An array of sequential numbers: $bands = array("Beatles", "Rolling Stones", "Queen"); $bands = array(2=>"Beatles", "Rolling Stones", "Queen"); $values = range(5, 10);

Creating PHP Associative Arrays $states["CA"] = "California"; $states["NY"] = "New York"; $states["TX"] = "Texas"; Use the array() function: $states = array( "CA" => "California", "NY" => "New York", "TX" => "Texas" ); An associative array is like a hash table.

Looping over Array Elements Use the foreach statement: Examples: foreach ($arrayname as $variable) { … } foreach ($arrayname as $key => $value) { … } foreach ($bands as $bandName) { print $bandName; } foreach ($states as $abbrev => $fullName) { print "State $fullName is abbreviated $abbrev"; }

Multidimensional Arrays $north = array("ND" => "North Dakota", "MN" => "Minnesota"); $south = array("TX" => "Texas", "FL" => "Florida"); $east = array("NY" => "New York", "ME" => "Maine"); $west = array("CA" => "California", "OR" => "Oregon"); $us = array( "N" => $north, "S" => $south, "E" => $east, "W" => $west );

Multidimensional Arrays, cont’d print "<ul>\n"; foreach ($us as $region => $states) { print " <li>\n"; print " <h2>$region</h2>\n"; print " <ul>\n"; foreach ($states as $abbrev => $name) { print " <li>$abbrev: $name</li>\n"; } print " </ul>\n"; print "</ul>\n";

Multidimensional Arrays, cont’d

PHP Functions Syntax for programmer-defined functions: Examples: A function can optionally return a value. function name (optional arguments) { // statements in the body } function doSomething() { … } function sayHello($first, $last) { … } function greet($name, $language = "English") { … } function calculate($input, &$output) { … } Default value Passed by reference return value;

Scope of PHP Variables Variables have the scope of the PHP file in which they reside. A programmer-defined function creates a scope for its variables. Variables defined in a function cannot be accessed outside the function. Variables defined outside the function are not accessible inside the function. Use the global statement inside a function to access outside variables. Example: global $outsideVar;

PHP Data Objects (PDO) Create a database abstraction layer: Postgres MySQL MariaDB Oracle PHP Data Objects (PDO) PHP query() PDO documentation: http://php.net/manual/en/book.pdo.php

Three-Tier Web Application Architecture Client-side web browser Form data Server-side web server (.html .php images, etc.) Static (.html) or dynamically generated (.php) web pages Back-end database server, e.g. MariaDB Queries Data

Simple End-to-End Web Application! Client side A static HTML page the contains a form to submit a person’s first and last names. Server side PHP code that uses the first and last names to query a back end database. A dynamically generated web page that contains a table of the query results. Back end A database table containing people data. Demo

MySQL Command Line Interface ~: /Applications/XAMPP/xamppfiles/bin/mysql -u supercoders -p Enter password: mysql> show databases; +--------------------+ | Database | | information_schema | | supercoders | 2 rows in set (0.00 sec) mysql> use supercoders Database changed mysql> show tables; +-----------------------+ | Tables_in_supercoders | | people | 1 row in set (0.00 sec)

MySQL Command Line Interface, cont’d mysql> select * from people; +-----+--------+-------+--------+--------+ | id | first | last | gender | salary | | 101 | John | Adams | M | 120000 | | 102 | Mary | Smith | F | 155000 | | 105 | Helen | Troy | F | 75000 | | 110 | Albert | Jones | M | 160000 | 4 rows in set (0.00 sec) mysql> select * from people -> where first = 'Helen' -> and last = 'Troy'; +-----+-------+------+--------+--------+ | id | first | last | gender | salary | | 105 | Helen | Troy | F | 75000 | 1 row in set (0.00 sec) mysql>

Default Web Page: index.html people/index.html <body> <form action="queryDB.php" method="post"> <fieldset> <legend>User input</legend> <p> <label>First name:</label> <input name="firstName" type="text" /> </p> <label>Last name:</label> <input name="lastName" type="text" /> <input type="submit" value="Submit" /> </fieldset> </form> </body>

PHP Page: queryDB.php queryDB.php Connect to the database and set $con <body> <h1>Query Results</h1> <p> <?php $first = filter_input(INPUT_POST, "firstName"); $last = filter_input(INPUT_POST, "lastName"); try { // Connect to the database. $con = new PDO("mysql:host=localhost;dbname=supercoders", "supercoders", "sesame"); $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); ... } catch(PDOException $ex) { echo 'ERROR: '.$ex->getMessage(); ?> </p> </body> queryDB.php Connect to the database and set $con to refer to the connection object. If an error occurs, throw an exception. PDO documentation: http://php.net/manual/en/book.pdo.php

PHP Page: queryDB.php, cont’d try { ...                 // Constrain the query if we got first and last names.                 if ((strlen($first) > 0) && (strlen($last) > 0)) { // Constrain the query if we got // first and last names.                     $query = "SELECT * FROM people ".                              "WHERE first = '$first' ".                              "AND   last  = '$last'";                 }                 else { // Otherwise fetch all the rows.                     $query = "SELECT * FROM people";   // We're going to construct an HTML table. print "<table border='1'>\n"; }

PHP Page: queryDB.php, cont’d try { ...                 // Query the database.                 $data = $con->query($query);                 $data->setFetchMode(PDO::FETCH_ASSOC); } Query the database to get a result set $data. We will fetch rows from the result set as an associative array of name => value pairs.

PHP Page: queryDB.php, cont’d try { ...                 // Construct the HTML table row by row.                 // Start with a header row.                 $doHeader = true;                 foreach ($data as $row) {                                                          // The header row before the first data row.                     if ($doHeader) {                         print "        <tr>\n";                         foreach ($row as $name => $value) {                             print "            <th>$name</th>\n";                         }                         print "        </tr>\n";                                                  $doHeader = false;                     } } queryDB.php Loop over each $row of the result set $data. Loop over the name => value pairs of the first $row. Print the $name (the column name).

PHP Page: queryDB.php, cont’d try { ...                     // Data row.                     print "            <tr>\n";                     foreach ($row as $name => $value) {                         print "                <td>$value</td>\n";                     }                     print "            </tr>\n";                 }                                  print "        </table>\n";             }             catch(PDOException $ex) {                 echo 'ERROR: '.$ex->getMessage();             }         queryDB.php Loop over the name => value pairs of each $row and print the $value.

PHP query() vs. exec() Use PDO::query() to execute an SQL SELECT statement. Returns a result set as a PDOStatement object. $con = new PDO("mysql:host=localhost;dbname=school", "root", "sesame"); $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $query = "SELECT * FROM teacher WHERE id = $id"; $data = $con->query($query);

PHP query() vs. exec(), cont’d Use PDO::exec() to execute an SQL INSERT or DELETE statement. Returns the count of affected rows. Teacher Id Last First 7003 Rogers Tom 7008 Thompson Art 7012 Lane John 7051 Flynn Mabel $con = new PDO("mysql:host=localhost;dbname=school", "root", "sesame"); $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $query = "UPDATE teacher ". "SET first = 'Ronald' ". "WHERE first = 'Ron'"; $count = $con->exec($query);

Table Join with PHP $first = filter_input(INPUT_POST, "firstName"); $last = filter_input(INPUT_POST, "lastName"); try { $con = new PDO("mysql:host=localhost;dbname=school", "root", "sesame"); $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $query = "SELECT student.first, student.last, subject ". "FROM student, teacher, class, student_class ". "WHERE teacher.last = '$last' ". "AND teacher.first = '$first' ". "AND teacher_id = teacher.id ". "AND code = class_code ". "AND student.id = student_id ". "ORDER BY subject, student.last"; $data = $con->query($query); $data->setFetchMode(PDO::FETCH_ASSOC);

SQL Injection Attack A simple query with a teacher id: $id = filter_input(INPUT_POST, "id"); try { $con = new PDO("mysql:host=localhost;dbname=school", "root", "sesame"); $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $query = "SELECT * FROM teacher WHERE id = $id"; $data = $con->query($query); $data->setFetchMode(PDO::FETCH_ASSOC); $data contains a result set as a PDOStatement object.

SQL Injection Attack, cont’d Id Last First 7003 Rogers Tom 7008 Thompson Art 7012 Lane John 7051 Flynn Mabel

SQL Injection Attack, cont’d

Prepared Statement $id = filter_input(INPUT_GET, "id"); try { $con = new PDO("mysql:host=localhost;dbname=school", "root", "sesame"); $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $query = "SELECT * FROM teacher WHERE id = :id"; $ps = $con->prepare($query); $ps->execute(array(':id' => $id)); $data = $ps->fetchAll(PDO::FETCH_ASSOC); $data contains an array.

Prepared Statement, cont’d

Prepared Statement, cont’d Never insert text from a user on the client side directly into an SQL query on the server side. A prepared statement provides some defense against SQL injection attacks. A prepared statement is parsed and compiled once. It can be reused. Performance improvement for queries made from inside PHP loops.

Table Join with a Prepared Statement $con = new PDO("mysql:host=localhost;dbname=school", "root", "sesame"); $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $query = "SELECT student.first, student.last, subject ". "FROM student, teacher, class, student_class ". "WHERE teacher.last = :last ". "AND teacher.first = :first ". "AND teacher_id = teacher.id ". "AND code = class_code ". "AND student.id = student_id ". "ORDER BY subject, student.last"; $ps = $con->prepare($query); $ps->execute(array(':first' => $first, ':last' => $last)); $data = $ps->fetchAll(PDO::FETCH_ASSOC);

Parameter Binding Instead of: Use parameter binding: $ps->execute(array(':first' => $first, ':last' => $last)); $data = $ps->fetchAll(PDO::FETCH_ASSOC); $ps->bindParam(':first', $first); $ps->bindParam(':last', $last); $ps->execute(); $data = $ps->fetchAll(PDO::FETCH_ASSOC);

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.