(1)
PHP Part 2
(2)
Client – Server Model
Client (browser)  →  HTTP request for index.php  →  Web server
Web server processes the PHP script
Web server  →  HTTP response  →  Client (browser) renders the HTML and CSS and runs the JavaScript
(3)
Splitting PHP Code
PHP code does not have to be contiguous: a PHP block can be closed, plain HTML emitted, and the block reopened.
<?php if ($x < 5) { ?>
<p>There are less than five items.</p>
<?php } ?>
This is very powerful, yet can be hard to read
(4)
PHP and Databases
PHP has built-in support for over 20 databases
• Both SQL and NoSQL
http://www.php.net/manual/en/refs.database.vendors.php
We'll be using MySQL, an open source RDBMS
(5)
PHP MySQL Extension
MySQL Improved (mysqli)
• Both procedural and object oriented
- Procedural:
  $mysqli = mysqli_connect("example.com", "user", "password", "database");
  $res = mysqli_query($mysqli, "SELECT * FROM People");
- Object oriented:
  $mysqli = new mysqli("example.com", "user", "password", "database");
  $res = $mysqli->query("SELECT * FROM People");
(6)
Connecting to DB
$mysqli = new mysqli("localhost", "user", "passwd", "database");
if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}
(7)
Executing SQL Statements
$res = $mysqli->query($sql);
if (!$mysqli->query("DROP TABLE IF EXISTS test") ||
    !$mysqli->query("CREATE TABLE test(id INT)") ||
    !$mysqli->query("INSERT INTO test(id) VALUES (1)")) {
    echo "Table creation failed: (" . $mysqli->errno . ") " . $mysqli->error;
}
Drops the table test, creates a table test with one column id, inserts a row with the value id==1. The || short-circuits, so the first statement that fails stops the chain and its errno/error are the ones reported.
(8)
Important SQL Commands
• SELECT – extracts data
• UPDATE – updates data
• DELETE – deletes data
• INSERT INTO – inserts new data
• CREATE DATABASE – creates new database
• ALTER DATABASE – modifies database
• CREATE TABLE – creates new table
• ALTER TABLE – modifies table
• DROP TABLE – deletes table
(9)
PHP Select Query
Selects records from a table
SELECT col1,col2,… FROM table
$res = $mysqli->query("SELECT name, age FROM People");
while ($row = $res->fetch_assoc()) {
    echo "Name: " . $row['name'] . " is " . $row['age'];
}
$res->free();
(10)
Select Query SELECT col1,col2,… FROM table WHERE col oper value [AND | OR] col oper value
Filters the records returned
Operators:
• =, <>, >, <, >=, <=, BETWEEN, LIKE, IN
(11)
SELECT ORDER BY
Orders the records returned
SELECT col1,col2,… FROM table ORDER BY col1,col2,… ASC|DESC
$res = $mysqli->query("SELECT * FROM Persons ORDER BY age");
(12)
INSERT Query
Inserts a record into the table
INSERT INTO table (col1,col2,…) VALUES (val1,val2,…)
• The column list is optional
• If it is omitted, a value must be supplied for every column of the table, in table order
$res = $mysqli->query("INSERT INTO test VALUES (1, 'fred')");
(13)
UPDATE Query
Updates record(s) in the table
UPDATE table SET col1=val1,col2=val2,… WHERE some_col=some_val
The WHERE clause chooses which records to change and can combine conditions with AND / OR. Without a WHERE clause every row in the table is updated.
$res = $mysqli->query("UPDATE test SET name='fred' WHERE id=3");
(14)
DELETE Query
Deletes records from a table
DELETE FROM table WHERE some_col=some_val
$res = $mysqli->query("DELETE FROM test WHERE name='fred'");
(15)
SQL Injection
It is common to allow web users to input their own values, and to paste them straight into the SQL text:
<?php $stmt = "SELECT * FROM Users WHERE id = " . $_POST['user_id']; ?>
What if they typed '3 or 1=1'?
SELECT * FROM Users WHERE id = 3 or 1=1
The condition is always true, so every row of Users is returned, not just the user's own.
What if they typed '5; DROP TABLE Sales'?
SELECT * FROM Users WHERE id = 5; DROP TABLE Sales
$mysqli->query() runs a single statement, so this particular payload fails with a syntax error; it does succeed if the code uses $mysqli->multi_query(). The first payload needs no second statement at all, so the single-statement restriction is no defence.
(16)
Solution
Use Prepared Statements
Prepared statements have placeholders '?' in the SQL text
Values are bound to the placeholders before execution and sent separately from the SQL, so user input can never change the structure of the statement
<?php
if (!($stmt = $mysqli->prepare("INSERT INTO test(id) VALUES (?)"))) {
    echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
}
$id = 2;
if (!$stmt->bind_param("i", $id)) {     // "i": bind $id as an integer; the variable is bound by reference
    echo "Bind failed";
}
for ($id = 1; $id < 5; $id++) {         // each execute() sends the current value of $id: 1, 2, 3, 4
    if (!$stmt->execute()) {
        echo "Execute failed";
    }
}
$stmt->close();
?>
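The injectable lookup from the SQL Injection slide next to a prepared-statement version of the same lookup, written as an added example for this deck (not code from the original slides). It also shows the mysqli_report() setting that makes mysqli throw on errors instead of returning false, which the slides' echo-and-continue checks do not. The table name Users, its columns name and age, and the DB_* environment variables are assumptions for illustration; the string-building part runs without a database, the lookup itself needs a live MySQL server.

```php
<?php
// Added example, not from the original slides. Table Users with columns
// id, name, age and the DB_HOST/DB_USER/DB_PASS/DB_NAME variables are assumed.
declare(strict_types=1);

// Vulnerable: user input is concatenated into the SQL text, exactly as on the slide.
function vulnerableUserSql(string $userId): string
{
    return "SELECT * FROM Users WHERE id = " . $userId;
}

// Show what the attacker's input turns the statement into (no database needed).
foreach (['3', '3 or 1=1', '5; DROP TABLE Sales'] as $input) {
    echo str_pad($input, 22), "=> ", vulnerableUserSql($input), PHP_EOL;
}
// mysqli::query() executes one statement per call, so the stacked DROP only runs
// if the code used mysqli::multi_query(); the "or 1=1" payload needs no second
// statement and already returns every row of Users.

// Hardened: the SQL text is fixed, the id is validated and then bound as an integer.
function findUser(mysqli $db, string $userId): array
{
    if (!ctype_digit($userId)) {          // anything but a plain non-negative integer is rejected
        return [];
    }
    $stmt = $db->prepare("SELECT name, age FROM Users WHERE id = ?");
    $id = (int) $userId;
    $stmt->bind_param("i", $id);          // "i": sent to the server as an integer, not as SQL text
    $stmt->execute();
    $stmt->bind_result($name, $age);      // works without mysqlnd, unlike get_result()
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['name' => $name, 'age' => $age];
    }
    $stmt->close();
    return $rows;
}

// Only reachable with a live MySQL server; connection details come from assumed env vars.
if (getenv('DB_HOST') !== false) {
    // Throw mysqli_sql_exception on any error instead of returning false,
    // so a failed prepare/bind/execute cannot be silently ignored.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli(
        getenv('DB_HOST'),
        getenv('DB_USER') ?: 'user',
        getenv('DB_PASS') ?: 'password',
        getenv('DB_NAME') ?: 'database'
    );
    $db->set_charset('utf8mb4');          // keep client and server charset in sync
    print_r(findUser($db, '3'));          // the one row with id 3, if it exists
    print_r(findUser($db, '3 or 1=1'));   // [] : rejected by ctype_digit before any SQL is sent
}
```

Run it without DB_HOST set to see the three constructed inputs expanded into SQL; with DB_HOST (and optionally DB_USER, DB_PASS, DB_NAME) set, the prepared lookup runs against the assumed Users table. The ctype_digit() check is belt-and-braces: the placeholder alone already prevents the input from becoming SQL, and the check just turns junk input into an empty result instead of a type-conversion surprise.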
(17)