Intro to PHP
A brief overview – Patrick Laverty
What is PHP?
PHP (recursive acronym for "PHP: Hypertext
Preprocessor") is a widely-used Open
Source general-purpose scripting language
that is especially suited for Web
development and can be embedded into
HTML.
What is PHP?
Compared to others like:
Java – Sun, compiled and interpreted (jsp)
Perl – Open Source, scripting
.NET – MS, opposite of Java
ColdFusion – Now Adobe, the original
Javascript – Netscape, client-side
PHP – Open Source, server-side
How it works
PHP is installed on web server
Our web server is Apache (just an FYI)
Server parses files based on extensions
Returns plain HTML, no code
How To – The Basics
Files need a .php extension
Example: index.php, mypage.php
Open and close tags: <?php and ?>
Was:
Save file to server, view in a browser
Hello World
helloworld.php
Variables
Variables are like a cup
The same cup can hold
lots of different things
Same with variables
Variables
In PHP, you create a variable with a dollar
sign and some text.
Usually the text will be something descriptive
of what it is going to hold.
$name = "Patrick Laverty";
$dept = "CIS";
$campus_addr = "Box 1885";
Variables
There are many different kinds of variables in
PHP
Scalar
Array
Object
Scalar Variables
Hold single values
String/text
Numbers
$name = "Josiah";
$dob = "1/1/23";
$age = 84;
$waist_size = 36;
Array Variables
Hold multiple values
All in one step example:
$kids = Array("Tom", "Dick", "Harry");
Multiple steps example:
$kids = Array();
$kids[0] = "Tom";
$kids[1] = "Dick";
$kids[2] = "Harry";
Individual array values are just a scalar
Array Variables
Associative Arrays – may be easier to find
stuff
$teams = Array('bos'=>'Red Sox',
'nyy'=>'Yankees', 'bal'=>'Orioles');
The two-step way works the same:
$teams = Array();
$teams['bos'] = 'Red Sox';
Object Variables
We'll talk about these later.
We're in no rush
Functions
Getting PHP to do some action for you
echo() or print()
phpinfo() (phpinfo.php)
Functions
Be lazy. It's a good thing.
If you're going to do the same action more
than once, write a function.
sayhello.php
function sayHello($toWhom)
{
echo "Hello $toWhom";
}
Functions
Lots have already been written for you:
http://php.net/manual/en
If you know the function:
http://php.net/echo
A Basic Form
How we do things now: eform.cgi
A Basic Form
How we do things with PHP:
basicform.html
A Basic Form
Capturing the data in output.php
Variables:
$_POST['name']
$_POST['age']
Use phpinfo() to see variables
A Basic Form
Weave HTML and PHP
output.php
Data Validation
We'll talk more about validating user input
later.
A Basic Form
Outputting to the screen is nice, but boring
We could email the results
Let's store data in a database
Layers of a Database
Server
Database
Tables
Fields/Columns
Records
Data
How to Get a Database
Use Microsoft Access
Use Filemaker
Request a MySQL Database
(http://brown.edu/db)
Request a MySQL Database
You will receive:
Server name (it's not localhost)
Database name
Username
Password
Link to phpMyAdmin
phpMyAdmin
phpMyAdmin is a graphical view of your
database
Very easy
Let's take a look
(http://brown.edu/phpMyAdmin)
Connecting to DB from PHP
Create one connection script:
dbconn.php
Connecting to DB from PHP
Remember, "Be Lazy!"
At the top of each file that needs the DB:
Database Table
Table named 'info' has two fields, name and age
Use a SQL INSERT statement:
$sql =
"INSERT INTO
info (name,age)
values ('$name', '$age')";
Database Table
Send it to the Database:
mysql_query($sql,$conn);
The Whole Picture
dbinsert.php
Thank you, your name and age were received.
The Whole Picture - Fancier
fancydbinsert.php
Getting the Info Back
Read it in phpMyAdmin
Create an output page
(Just like that little survey you filled out)
Create an Output Page
Connect to the Server
Do a query of the data
Programmatically write the data to a page
View the page in a browser
Let's see how to do it
Connect to the Server
First, include our connection script:
Do a Query of the Data
This time we use SELECT
$sql = "SELECT name, age FROM info";
Or if you have many fields and want to be LAZY!
$sql = "SELECT * from info";
Programmatically Write the Data
Here's the only hard part:
<?php
// Reconstructed: the HTML tags inside the echo calls were lost in extraction,
// so the table markup is assumed; $result comes from mysql_query() as on the earlier slide.
$result = mysql_query($sql, $conn);
while($table = mysql_fetch_object($result))
{
echo "<tr><td>";
echo $table->name;
echo "</td><td>";
echo $table->age;
echo "</td></tr>";
}
?>
Putting it All Together
statuspage.php
<?php
// Reconstructed: table markup was lost in extraction; the include, SELECT and
// mysql_query() lines follow the earlier slides. mysql_* functions were removed in PHP 7.0.
include("dbconn.php");
$sql = "SELECT name, age FROM info";
$result = mysql_query($sql, $conn);
while($table = mysql_fetch_object($result))
{
echo "<tr><td>" . $table->name . "</td><td>" . $table->age . "</td></tr>";
}
?>
I Hate Objects!
If you don't like using mysql_fetch_object:
mysql_fetch_array($result)
mysql_fetch_assoc($result)
mysql_fetch_array()
Access the columns by numbers:
while($array = mysql_fetch_array($result))
{
echo $array[0];
echo $array[1];
}
mysql_fetch_assoc()
Access the columns by column names:
while($array = mysql_fetch_assoc($result))
{
echo $array['name'];
echo $array['age'];
}
One Helpful Function
nl2br() – Line breaks typed into a form are not
respected when the text is shown as HTML
This function turns each newline (nl) character
into (2) an HTML line-break (br) tag.
Data Validation
Very Important!
Without it, your site and all others can be
hacked!
PHP makes it easier
Data Validation
Cut down on XSS with htmlentities()
Cut down on SQL-injection with
mysql_real_escape_string()
Check that you're getting what you expect
Check that you‟re getting the length you
expect
Don't trust JavaScript
Data Validation
Cross site scripting vulnerability
Allows a user to input scripts
Allows a user to input links to malicious sites
Allows a user to steal a
session/cookie/password
The htmlentities() function turns each character with a
special meaning in HTML into its harmless entity form.
A ' is turned into &#039;
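An added example, not code from the slides: a small output routine that escapes every database value before it reaches the page, covering both the table-writing slide and the XSS point above. Rows are constructed inline (no database), and a 'comment' column is assumed so that nl2br() from the earlier slide can be shown in the safe order.

```php
<?php
// Added example, not from the slides. Rows are constructed inline instead
// of coming from mysql_fetch_assoc(), so this runs without a database.
// The 'comment' column is assumed here to show nl2br() as well.

// Escape one value for HTML. ENT_QUOTES converts ' to &#039; as on the
// slide; before PHP 8.1 the default flags left single quotes untouched.
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the name/age table. Every cell passes through h(), so a stored
// name like <script>...</script> is shown as text, not run by the browser.
function render_table(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr><td>' . h($row['name']) . '</td>';
        $html .= '<td>' . h((string) $row['age']) . '</td>';
        // Escape first, then nl2br(): the other order would turn the
        // inserted <br /> tags into harmless text as well.
        $html .= '<td>' . nl2br(h($row['comment'])) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample rows; the second one carries a hostile name.
$rows = [
    ['name' => 'Josiah', 'age' => 84, 'comment' => "line one\nline two"],
    ['name' => '<script>alert("hi")</script>', 'age' => 7, 'comment' => "it's \"quoted\""],
];
echo render_table($rows);
```

Viewed in a browser, the second row displays the script tag literally, and the comment cell shows one line break from the newline while the quotes stay intact.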
Data Validation
SQL-injection vulnerability
Allows a user to directly access your database
Allows a user to get access to other accounts
Allows a user to read data you don't want read
Prevention can be as simple as applying
mysql_real_escape_string to all user input to escape the quotes
$clean_user =
mysql_real_escape_string($_POST['username']);
Data Validation
Get what you expect to get
Don't change it, give error message
Example: (validinsert.php)
Age, should be less than 110, and numeric. Reject
anything else
if(strlen($age) > 3) { /* error message */ }
if(!ctype_digit($age)) { /* error message: $_POST values are strings, so is_int() would never pass */ }
if($age > 110 || $age < 0) { /* error message; the lower bound was cut off on the slide, 0 is assumed */ }
Make sure the username is no longer than 8
if(strlen($username) > 8) { /* error message */ }
Data Validation
Don't trust JavaScript
Do client side AND server side validation
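An added example, not the slides' validinsert.php or dbinsert.php, that carries the server-side checks above through to the INSERT. Assumptions: PHP 7 or later with the mysqli extension, the 'info' table from the earlier slides, and placeholder connection values; it uses a prepared statement in place of mysql_real_escape_string(), which disappeared with the mysql_* functions in PHP 7.

```php
<?php
// Added example, not the slides' validinsert.php. Validation runs on a
// constructed $post array, so the first half works without a database;
// the connection values at the end are placeholders for the ones you
// were given when requesting the database.

// Return a list of error messages; an empty list means the input is usable.
// Following the slide: reject bad values rather than silently fixing them.
function validate_input(array $post): array
{
    $errors = [];
    $name = $post['name'] ?? '';
    $age  = $post['age']  ?? '';
    // Username: present and no longer than 8 characters.
    if ($name === '' || strlen($name) > 8) {
        $errors[] = 'name must be 1 to 8 characters';
    }
    // Age: $_POST values are strings, so is_int() would always fail;
    // ctype_digit() accepts only an unsigned decimal string.
    if (!ctype_digit($age) || strlen($age) > 3 || (int) $age > 110) {
        $errors[] = 'age must be a whole number no greater than 110';
    }
    return $errors;
}

// Insert with a prepared statement (mysqli replaces the removed mysql_*
// functions): the values travel separately from the SQL text, so a quote
// in $name cannot change the statement, and no escaping call is needed.
function insert_info(mysqli $db, string $name, int $age): bool
{
    $stmt = $db->prepare('INSERT INTO info (name, age) VALUES (?, ?)');
    $stmt->bind_param('si', $name, $age);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed input: a legitimate name that happens to contain a quote.
$post = ['name' => "O'Brien", 'age' => '84'];
$errors = validate_input($post);
if ($errors) {
    foreach ($errors as $e) { echo "Error: $e\n"; }
    exit(1);
}
// Placeholders: DB_HOST is the server name you were given, not localhost.
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
echo insert_info($db, $post['name'], (int) $post['age']) ? "Inserted\n" : "Failed\n";
```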
I think that's enough
webpublishers@listserv.brown.edu
Next topic – to be announced for early May