Presentation is loading. Please wait.

Presentation is loading. Please wait.

PHP WORKSHOP (Session 2)

Published byJason Davidson Modified over 6 years ago

Similar presentations

Presentation on theme: "PHP WORKSHOP (Session 2)"— Presentation transcript:

1 PHP WORKSHOP (Session 2)
November 14, 2013 Thanks to Chan & JT who developed the original version

2 Outline PHP Classes (Brief Overview)
Accessing MySQL via the mysqli class Connecting to MySQL Querying the MySQL Retrieving results from MySQL DEMO Notes for Assignment 4

3 Classes and OOP (Basic Conceptual Overview)
Define the blueprint of your own class (object) Instantiate instances of your object and use them in your program Class Definition (Blueprint) $ben = new dog; $sunny = new dog; class dog{ //properties //methods } $sugar = new dog; Reading:

4 Defining Classes class dog { //Properties public $name; public $breed; //Methods public function bark(){ echo $this->name . “ barked… Woof!”; } //Constructor (optional) public __construct($nameOfDog){ $this->name = $nameOfDog;

5 Working with Classes $sugar = new dog(“Sugar”); //pass “Sugar” to constructor $sugar->breed = “German Shepherd”; //set breed property equal to “German Shepherd” echo $sugar->name . “ is a “ . $sugar->breed; >>Sugar is a German Shepherd $sugar->bark(); //call the “bark” method >>sugar barked… Woof!

6 Mysqli Class The mysqli class is the main class you can use to:
Set up a connection to the MySQL database Send SQL queries to the MySQL database (CRUD Operations) Read results (if any) from the query Check for any error connecting to or executing SQL queries on a MySQL database Reading:

7 1. Connecting to DB with Mysqli
//Instantiate mysqli object & create connection $db = new mysqli(“localhost”, “username”, “password”, “database_name”); //Check for any errors connecting If($db->connect_errorno){ //There was an error connecting to the database. Put code here on what you would like to about it like… echo “Error: ” . $db->connect_error; }else{ //Put code here when you connect to the database. } Example: post.php, get.php, get2.php

8 2. Querying the DB via Mysqli (Single Query)
//Construct some query (it’s just a string) $query_noresult = “INSERT INTO …”; $query_result = ‘’SELECT * FROM DIVECUST”; 2 Types of Queries No Result Queries INSERT, DELETE, CREATE, etc… Result Queries SELECT PHP MySQL PHP MySQL Example: post.php, get.php, get2.php

9 3. Retrieving results from MySQL (No Result Queries)
If($db->query($query_noresult) === TRUE){ //Your query worked, yay } Note about INSERT SQL queries You can use $db->insert_id; to retrieve the AUTO_INCREMENT ID generated for an inserted record. You do NOT need to run a separate query to get that ID value. Example: post.php

10 3. Retrieving results from MySQL (Result Queries)
Returns a mysqli_result object if($result = $db->query($query_result)){ echo $result->num_rows; while($row = $result->fetch-array()){ echo $row[‘Name’]; } $result->free(); Column or Attribute name returned from query Free up the result from memory Example: get.php, get2.php

11 3.1. Result Modes $db->query($query_result, MYSQLI_STORE_RESULT)
You can return results in 2 ways (result modes) $db->query($query_result, MYSQLI_STORE_RESULT) Return entire results to memory Can use $result->data_seek(index) to jump to different rows in your result set (i.e. after you loop through the results, do $result->data_seek(0); to go to starting point to loop again) Default (this is the executed mode if you don’t specify a “result mode”) $db->query($query_result, MYSQLI_USE_RESULT) MySQL “spoon feeds” the rows to server running PHP each time a fetches a row Useful if expecting a large dataset (too large to put in memory of PHP server) Must free results in order to run another query ($result->free();) Example: get.php, get2.php

12 4. Closing Connections When you are done using the database, make sure to close the connection… $db->close();

13 Before DEMO time You may need to know Super Global Variables
Passing Variables JSON AJAX Security Issues (SQL Injection and XSS) Import & Export DB

14 Super Global Variables
There are predefined “Super Global” variables that are made available to you through the PHP runtime that you can use within your PHP code. Super Global Content $_SERVER Contains info about the web server environment such as Server Name, Request Method, Document Root, etc. $_GET Contains any GET variables in the URL query string $_POST Contains any POST variables submitted via a form post submission $_COOKIE Contains any HTTP Cookie Info $_FILES Contains information on POST file uploads $_SESSION Contains information about any variables registered in a session (if created) There are some other super globals but these are the main ones…

15 Passing Variable to PHP (GET)
Start of query string key=value pairs Separator <?php $var1 = $_GET[‘query’]; $var2 = $_GET[‘lang’]; ?> Note- certain characters cannot be put in the URL (such as space character). You will to “URL Encode” those special characters. For example, a space character will show up as a %20 in the URL query string. Reference:

16 Passing Variables to PHP (POST)
Your form html or php file The post.php file that will process the request (which could be the same as the posting file) <form method=“post” action=“post.php”> <input type=“text” name=“fname”/> <input type=“text” name=“lname” /> <input type=“submit” value=“Submit”/> </form> <?php $var1 = $_POST[‘fname’]; $var2 = $_POST[‘lname’]; ?> POST Request Click Submit HTTP POST Request to post.php Fname=Chan lname=Kim

17 JSON JSON: JavaScript Object Notation
JSON is syntax for storing and exchanging text information. Much like XML. JSON is smaller than XML, and faster and easier to parse. var Name = { "firstName":"John" , "lastName":"Doe" } Name.firstName >> John json= [ {assign1:42, assign2:38, assign3:45, full_name:'Ranju', id:100}, {assign1:29, assign2:26, assign3:28, full_name:'Manaz', id:101}]; $.each(json, function(k, v) { myTable += v.id+v.full_name+v.assign1+v.assign2+v.assign3; }); json[0] json[1] Index e.g. 0,1 Value e.g. {assign1:42, assign2:38, assign3:45, full_name:Ranju, id:100} Reference:

18 AJAX AJAX: Asynchronous JavaScript and XML. AJAX is not a new
programming language, but a new way to use existing standards. AJAX is the art of exchanging data with a server, and updating parts of a web page – without reloading the whole page. Reference:

19 More protection… For data input and passing parameters you will also need to use parameterized or “prepared” SQL statements to avoid the possibility of SQL Injection attacks: IS 257 – Fall 2014

20 Security (SQL Injection and XSS)
A malicious user can submit (POST or GET) SQL Code  SQL Injection Attack, or HTML tags that could be anything from a form to a <script> tag  XSS Attack. HTTP POST Request fname=Arian lname=SQL Code In your PHP… $query = “INSERT INTO table (fname, lname)”; $query .= “VALUES (‘{$_POST[‘fname’]}’, ‘{$_POST[‘lname’]}’);”

21 Preventing SQL Injection & XSS
To prevent this, you have to sanitize your input variables and make sure you output safe HTML //Sanitize  SQL Injection $sanitized_variable = $db->real_escape_string($_POST[‘lname’]); //Output Safe HTML  XSS echo htmlspecialchars($row[‘lname’]); You can try to sanitize for HTML tags by using strip_tags($_POST[]) before you input the value into the database. Just make sure that is what you want to do… Example: post.php

22 Additional Security Tip
Don’t type out the username and password when instantiating mysqli. Instead, create a special PHP file that defines certain constants outside the root of your website which you can then include and use in your PHP code. define(SQL_PASSWORD, “mypassword”); Example: configure.php

23 Making the PW External Problem: the database and PW are in the source…
<HTML><BODY> <?php mysql_connect(“localhost”, “usename”, “password”); mysql_select_db(“mydb”); $result = mysql_query(“SELECT * FROM employees”); printf(”, %s</H2></center> ",$r[”FIRST_NAME"]); } ?></BODY></HTML> IS 257 – Fall 2014

24 Making the PW External <HTML><BODY> <?php
include 'msqlini.php'; mysql_connect($host,$user,$pw) or die("Could not connect: " . mysql_error()); mysql_select_db(“mydb”); $result = mysql_query(“SELECT * FROM employees”); printf(”, %s</H2></center> ",$r[”FIRST_NAME"]); } ?></BODY></HTML> IS 257 – Fall 2014

25 Making the PW External msqlini.php <?php $inifile = "/home/ray/.mysql_settings_harbinger.ini"; /* Access required data for database access from isolated file */ if (!$settings = parse_ini_file($inifile, TRUE)) throw new exception('Unable to open ' . $file . '.'); $host = $settings['database']['host']; $dbname = $settings['database']['dbname']; $user = $settings['database']['username']; $pw = $settings['database']['password']; ?> IS 257 – Fall 2014

26 Making the PW External .mysql_settings_harbinger.ini file [database]
driver = mysql host = localhost dbname = ray username = ray password = whatever_your_pw_is port=3306 IS 257 – Fall 2014

27 Prepared Statements Mysqli supports parameterized “prepared statements” The notion is that the SQL command is pre-parsed, but has parameters that are filled in when the SQL is executed Since the parameters are not parsed like the SQL statement, injection attacks would be passed as just part of the data submitted, and therefore avoid any side effects

28 Mysqli – an enhanced interface
include 'msqlini.php’; $mysqli = new mysqli($host,$user,$pw,$dbname); if ($mysqli->connect_error) { echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;} $cust_id = $_GET["cust_id"]; $cust_id = mysql_real_escape_string($cust_id); /* start first prepared statement */ $stmt = $mysqli->stmt_init(); if ($stmt->prepare("SELECT * FROM DIVECUST where Customer_No= ? ")) { if (!$stmt->bind_param("i", $cid)) { echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error; } $cid = $cust_id; if (!$stmt->execute()) { echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error; $stmt->bind_result($custid,$name,$street,$city,$state,$zip,$country,$phone, $contact); IS 257 – Fall 2014

29 Connecting to returned values
if ($stmt->prepare("SELECT * FROM DIVECUST where Customer_No= ? ")) { if (!$stmt->bind_param("i", $cid)) { echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error; } $cid = $cust_id; if (!$stmt->execute()) { echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error; $stmt->bind_result($custid,$name,$street,$city,$state,$zip,$country,$phone, $contact); while ($stmt->fetch()) { echo "<br>Customer ID: $custid"; echo "<br>Name: <font size=+1><b>$name</b></font>"; echo "<br>Street: $street"; echo "<br>City: $city"; echo "<br>State: $state"; echo "<br>ZIP: $zip"; echo "<br>Country: $country"; echo "<br>Phone: $phone"; echo "<br>Date of first contact: $contact"; $stmt->close();

30 Demo We looked briefly at the DiveShop demo last time, today we dig a bit more into how it works

31 Example JS approach: On laboratory page of web site
example.php : main page student.sql : DB dump configure.php : configuration of DB get.php : php codes for get example get2.php : php codes for get example 2 post.php : php codes for post example script.js : AJAX call style.css : css file Student_ex Id full_name Assign1 assign2 assign3

Download ppt "PHP WORKSHOP (Session 2)"

Similar presentations

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
Web Database Programming Connecting Database to Web.

Web Database Programming Connecting Database to Web.
Lecture 3 – Data Storage with XML+AJAX and MySQL+socket.io

Lecture 3 – Data Storage with XML+AJAX and MySQL+socket.io
PHP Security.

PHP Security.
Application Development Description and exemplification of server-side scripting language for server connection, database selection, execution of SQL queries.

Application Development Description and exemplification of server-side scripting language for server connection, database selection, execution of SQL queries.
Introduction to PHP and Server Side Technology. Slide 2 PHP History Created in 1995 PHP 5.0 is the current version It’s been around since 2004.

Introduction to PHP and Server Side Technology. Slide 2 PHP History Created in 1995 PHP 5.0 is the current version It’s been around since 2004.
© Yanbu University College YANBU UNIVERSITY COLLEGE Management Science Department © Yanbu University College Module 6:WEB SERVER AND SERVER SIDE SCRPTING,

© Yanbu University College YANBU UNIVERSITY COLLEGE Management Science Department © Yanbu University College Module 6:WEB SERVER AND SERVER SIDE SCRPTING,
1Computer Sciences Department Princess Nourah bint Abdulrahman University.

1Computer Sciences Department Princess Nourah bint Abdulrahman University.
MySQL in PHP – Page 1 of 17CSCI 2910 – Client/Server-Side Programming CSCI 2910 Client/Server-Side Programming Topic: MySQL in PHP Reading: Williams &

MySQL in PHP – Page 1 of 17CSCI 2910 – Client/Server-Side Programming CSCI 2910 Client/Server-Side Programming Topic: MySQL in PHP Reading: Williams &
INTERNET APPLICATION DEVELOPMENT For More visit:

INTERNET APPLICATION DEVELOPMENT For More visit:
Create an online booking system (login/registration)

Create an online booking system (login/registration)
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
1 PHP and MySQL. 2 Topics  Querying Data with PHP  User-Driven Querying  Writing Data with PHP and MySQL PHP and MySQL.

1 PHP and MySQL. 2 Topics  Querying Data with PHP  User-Driven Querying  Writing Data with PHP and MySQL PHP and MySQL.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
06/10/2015AJAX 1. 2 Introduction All material from www.w3schools.com AJAX – what is it? Traditional web pages and operation Examples of AJAX use Creating.

06/10/2015AJAX 1. 2 Introduction All material from AJAX – what is it? Traditional web pages and operation Examples of AJAX use Creating.
Accessing MySQL with PHP IDIA 618 Fall 2014 Bridget M. Blodgett.

Accessing MySQL with PHP IDIA 618 Fall 2014 Bridget M. Blodgett.
Introduction to MySQL Lab no. 10 Advance Database Management System.

Introduction to MySQL Lab no. 10 Advance Database Management System.
PHP MySQL Introduction. MySQL is the most popular open-source database system. What is MySQL? MySQL is a database. The data in MySQL is stored in database.

PHP MySQL Introduction. MySQL is the most popular open-source database system. What is MySQL? MySQL is a database. The data in MySQL is stored in database.
Creating Dynamic Web Pages Using PHP and MySQL CS 320.

Creating Dynamic Web Pages Using PHP and MySQL CS 320.
School of Computing and Information Systems CS 371 Web Application Programming PHP – Forms, Cookies, Sessions and Database.

School of Computing and Information Systems CS 371 Web Application Programming PHP – Forms, Cookies, Sessions and Database.

Similar presentations

Ads by Google