PHP Part 2
Client – Server Model
[Diagram] The client browser sends an HTTP request for index.php to the web server; the web server processes the PHP script and returns an HTTP response; the browser then renders the HTML and CSS and runs the JavaScript.
Splitting PHP Code
PHP code does not have to be contiguous: a PHP block can be closed, followed by literal HTML, and reopened later.

    <?php if ($x < 5) { ?>
    <p>There are less than five items.</p>
    <?php } ?>

This is very powerful, yet can be hard to read.
PHP and Databases
PHP has built-in support for over 20 databases, both SQL and NoSQL.
We'll be using MySQL, an open-source RDBMS.
PHP MySQL Extension
MySQL Improved (mysqli) offers both a procedural and an object-oriented interface.

Procedural:

    $mysqli = mysqli_connect("example.com", "user", "password", "database");
    $res = mysqli_query($mysqli, "SELECT * FROM People");

Object oriented:

    $mysqli = new mysqli("example.com", "user", "password", "database");
    $res = $mysqli->query("SELECT * FROM People");
Connecting to DB

    $mysqli = new mysqli("localhost", "user", "passwd", "database");
    if ($mysqli->connect_errno) {
        echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
    }
Executing SQL Statements
General form: $res = $mysqli->query($sql);

    if (!$mysqli->query("DROP TABLE IF EXISTS test") ||
        !$mysqli->query("CREATE TABLE test(id INT)") ||
        !$mysqli->query("INSERT INTO test(id) VALUES (1)")) {
        echo "Table creation failed: (" . $mysqli->errno . ") " . $mysqli->error;
    }

This drops the table test, creates a table test with one column id, and inserts a row with the value id == 1. Because the conditions are joined with ||, execution stops at the first query that fails and its error is reported.
Important SQL Commands
SELECT – extracts data
UPDATE – updates data
DELETE – deletes data
INSERT INTO – inserts new data
CREATE DATABASE – creates a new database
ALTER DATABASE – modifies a database
CREATE TABLE – creates a new table
ALTER TABLE – modifies a table
DROP TABLE – deletes a table
PHP Select Query
Selects records from a table: SELECT col1, col2, … FROM table

    $res = $mysqli->query("SELECT name, age FROM People");
    while ($row = $res->fetch_assoc()) {
        echo "Name: " . $row['name'] . " is " . $row['age'];
    }
    $res->free();
Select Query with WHERE
SELECT col1, col2, … FROM table WHERE col oper value [AND | OR] col oper value
The WHERE clause filters the records returned.
Operators: =, <>, >, <, >=, <=, BETWEEN, LIKE, IN
SELECT ORDER BY
Orders the records returned: SELECT col1, col2, … FROM table ORDER BY col1, col2, … ASC|DESC

    $res = $mysqli->query("SELECT * FROM Persons ORDER BY age");
INSERT Query
Inserts a record into the table: INSERT INTO table (col1, col2, …) VALUES (val1, val2, …)
The column names are optional, but there must be a value for each column.

    $res = $mysqli->query("INSERT INTO test VALUES (1, 'fred')");
UPDATE Query
Updates record(s) in the table: UPDATE table SET col1=val1, col2=val2, … WHERE some_col=some_val
The WHERE clause chooses which records to change and can combine conditions with AND and OR.

    $res = $mysqli->query("UPDATE test SET name='fred' WHERE id=3");
DELETE Query
Deletes records from a table: DELETE FROM table WHERE some_col=some_val

    $res = $mysqli->query("DELETE FROM test WHERE name='fred'");
SQL Injection
It is common to allow web users to input their own values, and the naive way to use them is to concatenate them into the SQL string:

    <?php
    $stmt = "SELECT * FROM Users WHERE id = " . $_POST['user_id'];
    ?>

What if they typed '3 or 1=1'? The query becomes:

    SELECT * FROM Users WHERE id = 3 or 1=1

which matches every row. What if they typed '5; DROP TABLE Sales'?
Solution: Use Prepared Statements
Prepared statements have placeholders ('?') in place of values. The values are bound to the placeholders before execution, so they are sent as data and never parsed as SQL.

    <?php
    if (!($stmt = $mysqli->prepare("INSERT INTO test(id) VALUES (?)"))) {
        echo "Prepare failed";
    }
    $id = 2;
    // "i" binds $id as an integer; bind_param binds by reference,
    // so later changes to $id are picked up by each execute().
    if (!$stmt->bind_param("i", $id)) {
        echo "Bind failed";
    }
    for ($id = 1; $id < 5; $id++) {
        if (!$stmt->execute()) {
            echo "Execute failed";
        }
    }
    $stmt->close();
    ?>
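The two slides above (the concatenated query and its prepared-statement fix) side by side, as an added example that is not part of the original deck: it swaps mysqli for Python's sqlite3 so it runs stand-alone, with a constructed in-memory Users/Sales database, and feeds the slide's own inputs '3 or 1=1' and '5; DROP TABLE Sales' to both forms.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the slide's Users and Sales tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE Sales (id INTEGER)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.commit()
    return conn

def lookup_concat(conn, user_id):
    """Vulnerable form: the user's text is glued into the SQL, like the slide's
    "SELECT * FROM Users WHERE id = " . $_POST['user_id']."""
    sql = "SELECT id, name FROM Users WHERE id = " + user_id
    try:
        return conn.execute(sql).fetchall()
    except (sqlite3.Error, sqlite3.Warning):
        # sqlite3.execute() refuses stacked statements such as "5; DROP TABLE
        # Sales"; a driver that allowed them would run the DROP. Report None.
        return None

def lookup_prepared(conn, user_id):
    """Safe form: the '?' placeholder is bound at execution time, as with
    mysqli prepare() + bind_param(); the value is data, never SQL text."""
    return conn.execute("SELECT id, name FROM Users WHERE id = ?",
                        (user_id,)).fetchall()

def table_exists(conn, name):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    # The slide's first input: the OR clause turns one row into every row.
    print(lookup_concat(db, "3 or 1=1"))    # all three users
    print(lookup_prepared(db, "3 or 1=1"))  # [] : no id equals that text
    print(lookup_prepared(db, "3"))         # [(3, 'carol')]
    # The slide's second input: bound as a value it matches nothing and drops nothing.
    print(lookup_prepared(db, "5; DROP TABLE Sales"), table_exists(db, "Sales"))
```

With mysqli, bind_param("i", $id) goes one step further than this example and coerces the bound value to an integer before it is sent.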