Presentation is loading. Please wait.

Presentation is loading. Please wait.

Accessing Your MySQL Database from the Web with PHP (Ch 11) 1.

Published byShannon Payne Modified over 9 years ago

Similar presentations

Presentation on theme: "Accessing Your MySQL Database from the Web with PHP (Ch 11) 1."— Presentation transcript:

1 Accessing Your MySQL Database from the Web with PHP (Ch 11) 1

2 Prepared statements – recommended for: Speeding up execution when the same query is performed a large number of times, with different data. Protecting against SQL injection attacks. Basic concept: A template of the query to execute is sent to MySQL Data (parameters) for the query is sent separately The query template can be used multiple times with different sets/lots of data Using Prepared Statements 2

3 Prepared statements in mysqli library The query string is not built on the fly, based on user-provided input! Instead, the query is parameterized When setting up the query, mark each piece of data that will be fed later into the query with ? – called placeholders $query = "insert into books values(?, ?, ?, ?)"; Create a statement resource suitable for preparing and executing an SQL query mysqli_stmt_resource mysqli_stmt_init ( mysqli_resource $db_link ) $stmt = mysqli_stmt_init($link); Using Prepared Statements 3

4 Prepared statements in mysqli library (cont) Prepare the statement bool mysqli_stmt_prepare ( mysqli_stmt_res $stmt, string $query ) Bind parameters = tell PHP which variables / values should be substituted for placeholders (?) when the query is executed bool mysqli_stmt_bind_param (mysqli_stmt_res $stmt, string $types, mixed &$var1 [, mixed &$... ]) The format string $types explains what are the types of the parameters passed to the query: s (string), i (integer), d (double) mysqli_stmt_bind_param($stmt, "sssd", $isbn, $author, $title, $price); Using Prepared Statements 4

5 Prepared statements in mysqli library (cont) Execute the statement bool mysqli_stmt_execute ( mysqli_stmt_res $stmt ) mysqli_stmt_execute($stmt); Check number of rows affected by INSERT/UPDATE/DELETE query int mysqli_stmt_affected_rows (mysqli_stmt_res $stmt) → -1 on error echo mysqli_stmt_affected_rows($stmt). " book inserted into the database."; Close statement bool mysqli_stmt_close ( mysqli_stmt_res $stmt ) Using Prepared Statements 5

6 newbook http://cscdb.nku.edu/csc301/frank/Chapter11/newbook_ps. html http://cscdb.nku.edu/csc301/frank/Chapter11/newbook_ps. html http://www.nku.edu/~frank/csc301/Examples/MySQL/ne wbook_ps_html.pdf http://www.nku.edu/~frank/csc301/Examples/MySQL/ne wbook_ps_html.pdf http://www.nku.edu/~frank/csc301/Examples/MySQL/ins ert_book_ps_php.pdf http://www.nku.edu/~frank/csc301/Examples/MySQL/ins ert_book_ps_php.pdf

7 Prepared statements = SQL queries, prewritten and precompiled at the DB server → only require variable inputs to execute. When sending a query the “normal” way: client (php script) passes the query as a string to the DB server DB server converts data back into the proper binary data type db engine parses the statement and looks for syntax errors db engine attempts to figure out the most efficient way to execute the statement => a query plan is created query is executed When using prepared statements: data are sent to the DB server in a native binary form => no data conversion, more efficient data transfer query is parsed only once, and the execution plan is cached (depends on what db server / version is used) security Prepared Statements - Advantages 7

8 Executing a prepared statement - steps: → ‘Pre-query’ is sent to the server for processing → The parsed syntax is checked for errors → An OK message is sent back to the client → Variables are then sent and processed → Results are sent back. For queries executed only once => longer to execute Repetitive, complicated queries => faster Prepared Statements - Limitations 8

9 Security with prepared statements SQL injection = an attack method consisting in passing/injecting a SQL query as an input, possibly via web pages, in hopes of gaining unauthorized access to a database / application. How: Ex: a login web page that collects a username and a password, creates an ad-hoc SQL query to the db to check if the user is valid. SQL Injection = send crafted user name and/or password input that will alter the SQL query and thus grant us something else. Solution: code to filter and sanitize input, use prepared statements Prepared Statements - security 9

Download ppt "Accessing Your MySQL Database from the Web with PHP (Ch 11) 1."

Similar presentations

PHP SQL. Connection code:- mysql_connect(server, username, password); Connect to the Database Server with the authorised user and password. Eg $connect.

PHP SQL. Connection code:- mysql_connect("server", "username", "password"); Connect to the Database Server with the authorised user and password. Eg $connect.
PHP 5 + MySQL 5 A Perfect 10. Adam Trachtenberg PHP 5 + MySQL 5 = A Perfect 10 1. mysqli extension i is for improved! All new MySQL extension for PHP.

PHP 5 + MySQL 5 A Perfect 10. Adam Trachtenberg PHP 5 + MySQL 5 = A Perfect mysqli extension i is for improved! All new MySQL extension for PHP.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
PHP and MySQL Database. Connecting to MySQL Note: you need to make sure that you have MySQL software properly installed on your computer before you attempt.

PHP and MySQL Database. Connecting to MySQL Note: you need to make sure that you have MySQL software properly installed on your computer before you attempt.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
LCT2506 Internet 2 Further SQL Stored Procedures.

LCT2506 Internet 2 Further SQL Stored Procedures.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
PHP-MySQL By Jonathan Foss. PHP and MySQL Server Web Browser Apache PHP file PHP MySQL Client Recall the PHP architecture PHP can communicate with a MySQL.

PHP-MySQL By Jonathan Foss. PHP and MySQL Server Web Browser Apache PHP file PHP MySQL Client Recall the PHP architecture PHP can communicate with a MySQL.
Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.
CSCI 6962: Server-side Design and Programming JDBC Database Programming.

CSCI 6962: Server-side Design and Programming JDBC Database Programming.
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Lecture 7 Interaction. Topics Implementing data flows An internet solution Transactions in MySQL 4-tier systems – business rule/presentation separation.

Lecture 7 Interaction. Topics Implementing data flows An internet solution Transactions in MySQL 4-tier systems – business rule/presentation separation.
1 PHP and MySQL. 2 Topics  Querying Data with PHP  User-Driven Querying  Writing Data with PHP and MySQL PHP and MySQL.

1 PHP and MySQL. 2 Topics  Querying Data with PHP  User-Driven Querying  Writing Data with PHP and MySQL PHP and MySQL.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Accessing MySQL with PHP IDIA 618 Fall 2014 Bridget M. Blodgett.

Accessing MySQL with PHP IDIA 618 Fall 2014 Bridget M. Blodgett.
What is MySQLi? Since the mid-90s, Mysql extension has served as the major bridge between PHP and MySQL. Although it has performed its duty quite well,

What is MySQLi? Since the mid-90s, Mysql extension has served as the major bridge between PHP and MySQL. Although it has performed its duty quite well,
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
Creating Dynamic Web Pages Using PHP and MySQL CS 320.

Creating Dynamic Web Pages Using PHP and MySQL CS 320.

Similar presentations

Ads by Google