1. Intro to PHP A brief overview – Patrick Laverty

2. What is PHP? PHP (recursive acronym for "PHP: Hypertext Preprocessor") is a widely-used Open Source general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.

3. What is PHP? Compared to others like: Java – Sun, compiled and interpreted (jsp) Perl – Open Source, scripting.NET – MS, opposite of Java ColdFusion – Now Adobe, the original Javascript – Netscape, client-side PHP – Open Source, server-side

4. How it works PHP is installed on web server Our web server is Apache (just an FYI) Server parses files based on extensions Returns plain HTML, no code

5. How To – The Basics Need to name files is a.php extension Example: index.php, mypage.php Open and close tags: Was: Save file to server, view in a browser

6. Hello World helloworld.php

7. Variables Variables are like a cup The same cup can hold lots of different things Same with variables

8. Variables In PHP, you create a variable with a dollar sign and some text. Usually the text will be something descriptive of what it is going to hold. $name = “Patrick Laverty”; $dept = “CIS”; $campus_addr = “Box 1885”;

9. Variables There are many different kinds of variables in PHP Scalar Array Object

10. Scalar Variables Hold single values String/text Numbers $name = “Josiah”; $dob = “1/1/23”; $age = 84; $waist_size = 36;

11. Array Variables Hold multiple values All in one step example: $kids = Array(“Tom”,”Dick”,”Harry”); Multiple steps example: $kids = Array(); $kids[0] = “Tom”; $kids[1] = “Dick”; $kids[2] = “Harry”; Individual array values are just a scalar

12. Array Variables Associative Arrays – may be easier to find stuff $teams = Array(‘bos’=>’Red Sox’, ‘nyy’=>’Yankees’, ’bal’=>’Orioles’); The two-step way works the same: $teams = Array(); $teams[‘bos’] = ‘Red Sox’;

13. Object Variables We’ll talk about these later. We’re in no rush

14. Functions Getting PHP to do some action for you echo() or print() phpinfo()phpinfo() (phpinfo.php)

15. Functions Be lazy. It’s a good thing. If you’re going to do the same action more than once, write a function. sayhello.php function sayHello($toWhom) { echo “Hello $toWhom”; }

16. Functions Lots have already been written for you: http://php.net/manual/en If you know the function: http://php.net/echo

17. A Basic Form How we do things now: eform.cgi http://www.brown.edu/cgi- local/eform.cgi

18. A Basic Form How we do things with PHP: basicform.html

19. A Basic Form Capturing the data in output.php Variables: $_POST[‘name’] $_POST[‘age’] Use phpinfo() to see variables

20. A Basic Form Weave HTML and PHP output.php <? $name = $_POST[‘name’]; $age = $_POST[‘age’]; echo “My name is $name and I am $age years old”; ?>

21. Data Validation We’ll talk more about validating user input later.

22. A Basic Form Outputting to the screen is nice, but boring We could email the results Let’s store data in a database

23. Layers of a Database Server Database Tables Fields/Columns Records Data

24. How to Get a Database Use Microsoft Access Use Filemaker Request a MySQL Database (http://brown.edu/db)http://brown.edu/db

25. Request a MySQL Database You will receive: Server name (it’s not localhost) Database name Username Password Link to phpMyAdmin

26. phpMyAdmin phpMyAdmin is a graphical view of your database Very easy Let’s take a look (http://brown.edu/phpMyAdmin)

27. Connecting to DB from PHP Create one connection script: dbconn.php <? $conn = mysql_connect($server,$user,$pw); mysql_select_db($db,$conn); ?>

28. Connecting to DB from PHP Remember, “Be Lazy!” At the top of each file that needs the DB:

29. Database Table Table named ‘info’ has two fields, name and age Use a SQL INSERT statement: $sql = “INSERT INTO info (name,age) values (‘$name’, ‘$age’)”;

30. Database Table Send it to the Database: mysql_query($sql,$conn);

31. The Whole Picture dbinsert.php <?require(“dbconn.php”); $name = $_POST[‘name’]; $age = $_POST[‘age’]; $sql = “INSERT into info (name,age) values(‘$name’, ‘$age’);” mysql_query($sql,$conn); ?> Thank you, your name and age were received.

32. The Whole Picture - Fancier fancydbinsert.php <?require(“dbconn.php”); $name = $_POST[‘name’]; $age = $_POST[‘age’]; $sql = “INSERT into info (name,age) values(‘$name’, ‘$age’);” $success = mysql_query($sql,$conn); ?> <? if($success) { echo “Thank you, your name and age were received.”; } else { echo “Sorry, your info wasn’t received, please contact …”; } ?>

33. Getting the Info Back Read it in phpMyAdmin Create an output page (Just like that little survey you filled out)

34. Create an Output Page Connect to the Server Do a query of the data Programmatically write the data to a page View the page in a browser Let’s see how to do it

35. Connect to the Server First, include our connection script:

36. Do a Query of the Data This time we use SELECT $sql = “SELECT name, age FROM info”; Or if you have many fields and want to be LAZY! $sql = “SELECT * from info”;

37. Programmatically Write the Data Here’s the only hard part: <? $result = mysql_query($sql, $conn); while($table = mysql_fetch_object($result)) { echo “ ”; echo $table->name; echo “ ”; echo $table->age; echo “ ”; } ?>

38. Putting it All Together statuspage.php <? require(“dbconn.php”); $sql = “SELECT * FROM info”; $result = mysql_query($sql, $conn); ?> <? while($table = mysql_fetch_object($result)) {echo “ ”; echo $table->name; echo “ ”; echo $table->age; echo “ ”; } ?>

39. I Hate Objects! If you don’t like using mysql_fetch_object: mysql_fetch_array($result) mysql_fetch_assoc($result)

40. mysql_fetch_array() Access the columns by numbers: while($array = mysql_fetch_array($result)) { echo $array[0]; echo $array[1]; }

41. mysql_fetch_assoc() Access the columns by column names: while($array = mysql_fetch_assoc($result)) { echo $array[‘name’]; echo $array[‘age’]; }

42. One Helpful Function nl2br()nl2br() – Line breaks in a form are not respected This function will turn a newline (nl) character into (2) an html (br) tag.

43. Data Validation Very Important! Without it, your site and all others can be hacked! PHP makes it easier

44. Data Validation Cut down on XSS with htmlentities()htmlentities() Cut down on SQL-injection with mysql_real_escape_string() mysql_real_escape_string() Check that you’re getting what you expect Check that you’re getting the length you expect Don’t trust JavaScript

45. Data Validation Cross site scripting vulnerability Allows a user to input scripts Allows a user to input links to malicious sites Allows a user to steal a session/cookie/password The htmlentities() function turns entities into its harmless entity number. A ‘ is turned into '

46. Data Validation SQL-injection vulnerability Allows a user to directly access your database Allows a user to get access to other accounts Allows a user to read data you don’t want read Prevention can be as simple as escaping quotes with mysql_real_escape_string to all user input $clean_user = mysql_real_escape_string($_POST[‘username’]);

47. Data Validation Get what you expect to get Don’t change it, give error message Example: (validinsert.php) Age, should be less than 110, and numeric. Reject anything else if(strlen($age)>3){ //error message } if(!is_int($age)){ //error message } if($age>110 || $age<18){ //error message }

48. Data Validation Get the length you expect Make sure the username is no longer than 8 if(strlen($username)>8)){ //error message }

49. Data Validation Don’t trust JavaScript Do client side AND server side validation

50. Slide #50 I think that’s enough webpublishers@listserv.brown.edu Next topic – to be announced for early May