PHP Part 2


(1)

PHP Part 2


(2)

Client – Server Model

Client Browser -> Web Server: HTTP Request (index.php)
Web Server: Process PHP script
Web Server -> Client Browser: HTTP Response
Client Browser: Render HTML & CSS, Run JavaScript


(3)

Splitting PHP Code

PHP code does not have to be contiguous: a control structure can open in one PHP block and close in a later one, with plain HTML in between.

<?php if ($x < 5) { ?>
<p>There are fewer than five items.</p>
<?php } ?>

This is very powerful, yet can be hard to read.


(4)

PHP and Databases

PHP has built-in support for over 20 databases, both SQL and NoSQL:
http://www.php.net/manual/en/refs.database.vendors.php

We'll be using MySQL, an open-source RDBMS.


(5)

PHP MySQL Extension

MySQL Improved (mysqli) offers both a procedural and an object-oriented interface.

Procedural:
$mysqli = mysqli_connect("example.com", "user", "password", "database");
$res = mysqli_query($mysqli, "SELECT * FROM People");

Object oriented:
$mysqli = new mysqli("example.com", "user", "password", "database");
$res = $mysqli->query("SELECT * FROM People");


(6)

Connecting to DB

$mysqli = new mysqli("localhost", "user", "passwd", "database");

if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}

connect_errno is non-zero when the connection failed. Note that connect_error can contain the host name and account name; on a production site log it server-side and show the user a generic message.


(7)

Executing SQL Statements

$res = $mysqli->query($sql);

if (!$mysqli->query("DROP TABLE IF EXISTS test") ||
    !$mysqli->query("CREATE TABLE test(id INT)") ||
    !$mysqli->query("INSERT INTO test(id) VALUES (1)")) {
    echo "Table creation failed: (" . $mysqli->errno . ") " . $mysqli->error;
}

Drops the table test, creates a table test with one column id, and inserts a row with id == 1. Because || short-circuits, the first statement that fails stops the chain, and errno/error describe that statement.
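The two slides above check the return value of every call. As an added example (not code from the original slides), the same connection and DROP/CREATE/INSERT chain written in mysqli's exception mode, so a failing statement throws instead of returning false, and error detail is logged rather than echoed to the browser. It assumes credentials are supplied in the environment variables DB_HOST, DB_USER, DB_PASS and DB_NAME (names chosen for this example):

```php
<?php
// Added example (not from the original slides): connecting in exception
// mode so the DROP/CREATE/INSERT chain from the "Executing SQL Statements"
// slide needs no || checks, with error detail logged instead of echoed.
// Assumptions: credentials come from environment variables DB_HOST,
// DB_USER, DB_PASS and DB_NAME (names chosen for this example).

declare(strict_types=1);

function connectDb(): mysqli
{
    // Report every mysqli error as a mysqli_sql_exception instead of a
    // false return value, so no failure can be silently skipped.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $mysqli = new mysqli(
        getenv('DB_HOST') ?: 'localhost',
        getenv('DB_USER') ?: '',
        getenv('DB_PASS') ?: '',
        getenv('DB_NAME') ?: ''
    );
    // Pin the connection charset so client-side escaping and the server
    // agree on byte boundaries (utf8mb4 covers all of Unicode).
    $mysqli->set_charset('utf8mb4');
    return $mysqli;
}

function createTestTable(mysqli $mysqli): void
{
    // Each statement either succeeds or throws; there is no need to test
    // the return value of every query() call.
    $mysqli->query("DROP TABLE IF EXISTS test");
    $mysqli->query("CREATE TABLE test(id INT)");
    $mysqli->query("INSERT INTO test(id) VALUES (1)");
}

try {
    $mysqli = connectDb();
    createTestTable($mysqli);
    echo "Table test created with one row.\n";
} catch (mysqli_sql_exception $e) {
    // Keep errno, host and account names on the server side; the browser
    // gets a generic message rather than a description of the database.
    error_log(sprintf('MySQL error (%d): %s', $e->getCode(), $e->getMessage()));
    http_response_code(500);
    exit('Database error.');
}
```

MYSQLI_REPORT_STRICT turns every mysqli error into a mysqli_sql_exception, which is why the chain in createTestTable() needs no checks: the first statement that fails leaves the function through the exception and the remaining statements are never sent.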


(8)

Important SQL Commands

SELECT – extracts data
UPDATE – updates data
DELETE – deletes data
INSERT INTO – inserts new data
CREATE DATABASE – creates new database
ALTER DATABASE – modifies database
CREATE TABLE – creates new table
ALTER TABLE – modifies table
DROP TABLE – deletes table


(9)

PHP Select Query

Selects records from a table:

SELECT col1,col2,… FROM table

$res = $mysqli->query("SELECT name, age FROM People");
while ($row = $res->fetch_assoc()) {
    echo "Name: " . $row['name'] . " is " . $row['age'];
}
$res->free();

fetch_assoc() returns each row as an associative array keyed by column name and null once the rows are exhausted, which ends the loop. Values taken from the database and echoed into an HTML page should be passed through htmlspecialchars() first.


(10)

Select Query with WHERE

SELECT col1,col2,… FROM table WHERE col oper value [AND | OR] col oper value

Filters the records returned.

Operators: =, <>, >, <, >=, <=, BETWEEN, LIKE, IN


(11)

SELECT ORDER BY

Orders the records returned:

SELECT col1,col2,… FROM table ORDER BY col1,col2,… ASC|DESC

$res = $mysqli->query("SELECT * FROM Persons ORDER BY age");


(12)

INSERT Query

Inserts a record into the table:

INSERT INTO table (col1,col2,…) VALUES (val1,val2,…)

The column list is optional; if it is omitted, a value must be supplied for every column of the table, in table order.

$res = $mysqli->query("INSERT INTO test VALUES (1, 'fred')");


(13)

UPDATE Query

Updates record(s) in the table:

UPDATE table SET col1=val1,col2=val2,… WHERE some_col=some_val

The WHERE clause chooses which records to change and can combine conditions with AND and OR. Without a WHERE clause, every row in the table is updated.

$res = $mysqli->query("UPDATE test SET name='fred' WHERE id=3");


(14)

DELETE Query

Deletes records from a table:

DELETE FROM table WHERE some_col=some_val

Without a WHERE clause, every row in the table is deleted.

$res = $mysqli->query("DELETE FROM test WHERE name='fred'");


(15)

SQL Injection

It is common to allow web users to input their own values:

<?php
$stmt = "SELECT * FROM Users WHERE id = " . $_POST['user_id'];
?>

What if they typed '3 or 1=1'?

SELECT * FROM Users WHERE id = 3 or 1=1

The WHERE clause is now always true and every row of Users is returned.

What if they typed '5; DROP TABLE Sales'?

SELECT * FROM Users WHERE id = 5; DROP TABLE Sales

The user's input has become part of the SQL text, so the user controls the query.


(16)

Solution: Use Prepared Statements

Prepared statements have placeholders '?' that are bound to values before execution. The SQL text is sent to the server separately from the values, so a bound value can never change the structure of the query.

<?php
if (!($stmt = $mysqli->prepare("INSERT INTO test(id) VALUES (?)"))) {
    exit("Prepare failed");
}
$id = 2;
if (!$stmt->bind_param("i", $id)) {   // "i" = integer; $id is bound by reference
    exit("Bind failed");
}
for ($id = 1; $id < 5; $id++) {        // each execute() sends the current value of $id
    if (!$stmt->execute()) {
        echo "Execute failed";
    }
}
$stmt->close();
?>

Because bind_param() binds the variable by reference, the statement is prepared and bound once and then executed four times with id = 1, 2, 3, 4.
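To tie the SQL Injection slide and this one together, the following is an added example (not code from the original slides). It shows how the two inputs from the SQL Injection slide land in the concatenated query, a prepared-statement lookup that treats the same input as data, and the one case a '?' placeholder cannot cover: a user-chosen ORDER BY column, which has to be allowlisted. It assumes an open connection $mysqli and a Users table with columns id, name and age; the function names and the credentials are chosen for this example.

```php
<?php
// Added example (not from the original slides): the vulnerable
// concatenation from the SQL Injection slide beside a prepared-statement
// version, plus the case placeholders cannot cover (an ORDER BY column).
// Assumption: a Users table with columns id, name and age; connection
// details below are placeholders chosen for this example.

declare(strict_types=1);

// --- Vulnerable: user input becomes part of the SQL text ------------------
function buildUserQueryUnsafe(string $userId): string
{
    return "SELECT * FROM Users WHERE id = " . $userId;
}

// The two inputs from the slide. '3 or 1=1' turns the WHERE clause into a
// tautology and leaks every row. '5; DROP TABLE Sales' is a stacked query:
// mysqli::query() sends a single statement, so here it fails with a
// syntax error, but mysqli::multi_query() would run both statements, so
// this is not something to rely on as a defence.
foreach (['3 or 1=1', '5; DROP TABLE Sales'] as $payload) {
    echo buildUserQueryUnsafe($payload), "\n";
}

// --- Hardened: the value travels separately from the SQL text -------------
function findUserById(mysqli $mysqli, string $userId): ?array
{
    // id is an integer column, so reject anything that is not a plain
    // non-negative integer before it is ever sent to the database.
    if (!ctype_digit($userId)) {
        return null;
    }
    $stmt = $mysqli->prepare("SELECT id, name, age FROM Users WHERE id = ?");
    $id = (int) $userId;
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// --- Identifiers cannot be bound: allowlist them instead -----------------
// '?' only stands for a value. "ORDER BY ?" would sort by a constant
// string, not by a column, so a user-chosen sort column is matched against
// a fixed list of known column names and never interpolated raw.
function listUsersOrdered(mysqli $mysqli, string $sortColumn, bool $desc = false): array
{
    $allowed = ['id', 'name', 'age'];
    if (!in_array($sortColumn, $allowed, true)) {
        $sortColumn = 'id';   // unknown column: fall back to a known one
    }
    $direction = $desc ? 'DESC' : 'ASC';
    // Both pieces now come from fixed sets, so string building is safe here.
    $res = $mysqli->query("SELECT id, name, age FROM Users ORDER BY `$sortColumn` $direction");
    $rows = $res->fetch_all(MYSQLI_ASSOC);      // fetch_all() needs mysqlnd
    $res->free();
    return $rows;
}

// Usage (placeholder credentials): the injected input is now just a
// string that fails ctype_digit(), so findUserById() returns null.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'user', 'passwd', 'database');
var_dump(findUserById($mysqli, '3 or 1=1'));
foreach (listUsersOrdered($mysqli, 'age', true) as $row) {
    // Escape on the way out as well: a name stored in the table may contain HTML.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), ' is ', (int) $row['age'], "\n";
}
```

The type check in findUserById() is a second layer, not a replacement for the placeholder: bind_param("i", ...) already guarantees the server receives an integer, but rejecting malformed ids early gives a cleaner error path. The allowlist in listUsersOrdered() is the pattern to reach for whenever user input must select a table or column name rather than a value.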
