Accessing My SQL Using PDO Charles Severance www

  • Slides: 63
Download presentation
Accessing My. SQL Using PDO Charles Severance www. php-intro. com

Accessing My. SQL Using PDO Charles Severance www. php-intro. com

Application Structure End User Application Software (i. e. PHP) SQL Database Data Model SQL

Application Structure End User Application Software (i. e. PHP) SQL Database Data Model SQL Developer DBA Database Tools (i. e. php. My. Admin)

Multiple Ways to Access My. Sql • • PHP is evolving - there are

Multiple Ways to Access My. Sql • • PHP is evolving - there are three ways to access My. Sql • • • Legacy non-OO mysql_ routines (deprecated) New mysqli (OO version that is similar to mysql_) PDO - Portable Data Objects A perfect topic for debate http: //php. net/manual/en/mysqlinfo. api. choosing. php

http: //php. net/manual/en/mysqlinfo. api. choosing. php

http: //php. net/manual/en/mysqlinfo. api. choosing. php

Creating a Database and User CREATE DATABASE misc; GRANT ALL ON misc. * TO

Creating a Database and User CREATE DATABASE misc; GRANT ALL ON misc. * TO 'fred'@'localhost' IDENTIFIED BY 'zap'; GRANT ALL ON misc. * TO 'fred'@'127. 0. 0. 1' IDENTIFIED BY 'zap'; USE misc; (if you are in the command line) /Applications/MAMP/Library/bin/mysql -u root -P 8889 -p /Applications/xamppfiles/bin/mysql -u root -p c: xamppmysqlbinmysql. exe

CREATE TABLE users ( id INT UNSIGNED NOT NULL AUTO_INCREMENT KEY, name VARCHAR(128), email

CREATE TABLE users ( id INT UNSIGNED NOT NULL AUTO_INCREMENT KEY, name VARCHAR(128), email VARCHAR(128), password VARCHAR(128)); Creating a Table ALTER TABLE users ADD INDEX(email); mysql> describe users; +--------------+------+-----+--------+ | Field | Type | Null | Key | Default | Extra | +--------------+------+-----+--------+ | id | int(10) unsigned | NO | PRI | NULL | auto_increment | | name | varchar(128) | YES | | NULL | | | email | varchar(128) | YES | MUL | NULL | | | password | varchar(128) | YES | | NULL | |+--------------+------+-----+--------+

Inserting a Few Records INSERT INTO users (name, email, password) VALUES ('Chuck', 'csev@umich. edu',

Inserting a Few Records INSERT INTO users (name, email, password) VALUES ('Chuck', 'csev@umich. edu', '123'); INSERT INTO users (name, email, password) VALUES ('Glenn', 'gg@umich. edu', '456'); mysql> select * from users; +-------+--------+-----+ | id | name | email | password | +-------+--------+-----+ | 1 | Chuck | csev@umich. edu | 123 | | 2 | Glenn | gg@umich. edu | 456 |+-------+--------+-----+

Database Connection Hostname misc users sakai

Database Connection Hostname misc users sakai

Database Connection Hostname PHP Software SQL misc sakai users id / password $pdo =

Database Connection Hostname PHP Software SQL misc sakai users id / password $pdo = new PDO('mysql: host=localhost; port=8889; dbname=misc', 'fred', 'zap'); pdo. php

<? php echo "<pre>n"; $pdo=new PDO('mysql: host=localhost; port=8889; dbname=misc', 'fred', 'zap'); $stmt = $pdo->query("SELECT

<? php echo "<pre>n"; $pdo=new PDO('mysql: host=localhost; port=8889; dbname=misc', 'fred', 'zap'); $stmt = $pdo->query("SELECT * FROM users"); while ( $row = $stmt->fetch(PDO: : FETCH_ASSOC) ) { print_r($row); } echo "</pre>n"; ? > mysql> select * from users; +-------+--------+-----+ | id | name | email | password |+-------+--------+-----+ | 1 | Chuck | csev@umich. edu | 123 | | 2 | Glenn | gg@umich. edu | 456 | +-------+--------+-----+ first. php Array( [id] => 1 [name] => Chuck [email] => csev@umich. edu [password] => 123 ) Array( [id] => 2 [name] => Glenn [email] => gg@umich. edu [password] => 456 )

<? php $pdo = new PDO('mysql: host=localhost; port=8889; dbname=misc', 'fred', 'zap'); $stmt = $pdo->query("SELECT

<? php $pdo = new PDO('mysql: host=localhost; port=8889; dbname=misc', 'fred', 'zap'); $stmt = $pdo->query("SELECT name, email, password FROM users"); echo '<table border="1">'. "n"; while ( $row = $stmt->fetch(PDO: : FETCH_ASSOC) ) { echo "<tr><td>"; echo($row['name']); echo("</td><td>"); echo($row['email']); echo("</td><td>"); echo($row['password']); echo("</td></tr>n"); } echo "</table>n"; ? > <table border="1"> <tr><td>Chuck</td><td>csev@umich. edu</td><td>123</td></tr> <tr><td>Glenn</td><td>gg@umich. edu</td><td>456</td></tr> </table> second. php

Pattern • Put database connection information in a single file and include it in

Pattern • Put database connection information in a single file and include it in all your other files • • Helps make sure to not to mistakenly reveal id / pw Don't check it into a public source repository : )

pdo. php <? php $pdo = new PDO('mysql: host=localhost; port=8889; dbname=misc', 'fred', 'zap'); //

pdo. php <? php $pdo = new PDO('mysql: host=localhost; port=8889; dbname=misc', 'fred', 'zap'); // See the "errors" folder for details. . . $pdo->set. Attribute(PDO: : ATTR_ERRMODE, PDO: : ERRMODE_EXCEPTION); <? php echo "<pre>n"; require_once "pdo. php"; $stmt = $pdo->query("SELECT * FROM users"); while ($row = $stmt->fetch(PDO: : FETCH_ASSOC)){ print_r($row); } echo "</pre>n"; ? > third. php Array( [id] => 1 [name] => Chuck [email] => csev@umich. edu [password] => 123 ) Array( [id] => 2 [name] => Glenn [email] => gg@umich. edu [password] => 456 )

Lets put some data in a database!

Lets put some data in a database!

user 1. php <? php require_once "pdo. php"; if ( isset($_POST['name']) && isset($_POST['email']) &&

user 1. php <? php require_once "pdo. php"; if ( isset($_POST['name']) && isset($_POST['email']) && isset($_POST['password'])) { $sql = "INSERT INTO users (name, email, password) VALUES (: name, : email, : password)"; echo("<pre>n". $sql. "n</pre>n"); $stmt = $pdo->prepare($sql); $stmt->execute(array( ': name' => $_POST['name'], ': email' => $_POST['email'], ': password' => $_POST['password'])); } ? ><html><head></head><body> <p>Add A New User</p> <form method="post"> <p>Name: <input type="text" name="name" size="40"></p> <p>Email: <input type="text" name="email"></p> <p>Password: <input type="password" name="password"></p> <p><input type="submit" value="Add New"/></p> </form> </body>

user 1. php mysql> select * from users; +-------+--------+-----+ | id | name |

user 1. php mysql> select * from users; +-------+--------+-----+ | id | name | email | password | +-------+--------+-----+ | 1 | Chuck | csev@umich. edu | 123 | | 2 | Glenn | gg@umich. edu | 456 | | 3 | Fred | fred@umich. edu | YO | +-------+--------+-----+

if ( isset($_POST['name']) && isset($_POST['email']) && isset($_POST['password'])) { $sql = "INSERT INTO users (name,

if ( isset($_POST['name']) && isset($_POST['email']) && isset($_POST['password'])) { $sql = "INSERT INTO users (name, email, password) VALUES (: name, : email, : password)"; echo("<pre>n". $sql. "n</pre>n"); $stmt = $pdo->prepare($sql); $stmt->execute(array( ': name' => $_POST['name'], ': email' => $_POST['email'], ': password' => $_POST['password'])); } ? > <html> <head></head><body><table border="1"> <? php $stmt = $pdo->query("SELECT name, email, password FROM users"); while ( $row = $stmt->fetch(PDO: : FETCH_ASSOC) ) { echo "<tr><td>"; echo($row['name']); echo("</td><td>"); echo($row['email']); echo("</td><td>"); echo($row['password']); echo("</td></tr>n"); } ? > </table> <p>Add A New User</p> user 2. php

user 2 del. php <? php require_once "pdo. php"; if ( isset($_POST['id']) ) {

user 2 del. php <? php require_once "pdo. php"; if ( isset($_POST['id']) ) { $sql="DELETE FROM users WHERE id = : zip"; echo "<pre>n$sqln</pre>n"; $stmt = $pdo->prepare($sql); $stmt->execute(array(': zip'=>$_POST['id'])); } ? > <p>Delete A User</p> <form method="post"><p>ID to Delete: <input type="text" name="id"></p> <p><input type="submit" value="Delete"/></p> </form> Don't change data in a GET

mysql> select * from users; +-------+--------+-----+ | id | name | email | password

mysql> select * from users; +-------+--------+-----+ | id | name | email | password | +-------+--------+-----+ | 1 | Chuck | csev@umich. edu | 123 | | 2 | Glenn | gg@umich. edu | 456 | +-------+--------+-----+

user 3. php

user 3. php

if ( isset($_POST['delete']) && isset($_POST['id']) ) { $sql = "DELETE FROM users WHERE id

if ( isset($_POST['delete']) && isset($_POST['id']) ) { $sql = "DELETE FROM users WHERE id = : zip"; echo "<pre>n$sqln</pre>n"; $stmt = $pdo->prepare($sql); $stmt->execute(array(': zip' => $_POST['id'])); } ? ><html><head></head> <body> <table border="1"> <? php $stmt = $pdo->query("SELECT name, email, password, id FROM users"); while ( $row = $stmt->fetch(PDO: : FETCH_ASSOC) ) { echo "<tr><td>"; echo($row['name']); echo("</td><td>"); echo($row['email']); echo("</td><td>"); echo($row['password']); echo("</td><td>"); echo('<form method="post"><input type="hidden" '); echo('name="id" value="'. $row['id']. '">'. "n"); echo('<input type="submit" value="Del" name="delete">'); echo("n</form>n"); echo("</td></tr>n"); } user 3. php

echo('<form method="post"><input type="hidden" '); echo('name="id" value="'. $row['id']. '">'. "n"); echo('<input type="submit" value="Del" name="delete">'); echo("n</form>n");

echo('<form method="post"><input type="hidden" '); echo('name="id" value="'. $row['id']. '">'. "n"); echo('<input type="submit" value="Del" name="delete">'); echo("n</form>n"); <tr><td>Fred</td><td>fred@umich. edu</td> <td>YO</td> <td><form method="post"> <input type="hidden" name="id" value="5"> <input type="submit" value="Del" name="delete"> </form></td> </tr> if ( isset($_POST['delete']) && isset($_POST['id']) ) { $sql = "DELETE FROM users WHERE id = : zip"; echo "<pre>n$sqln</pre>n"; $stmt = $pdo->prepare($sql); $stmt->execute(array(': zip' => $_POST['id'])); }

if ( isset($_POST['delete']) && isset($_POST['id']) ) { $sql = "DELETE FROM users WHERE id

if ( isset($_POST['delete']) && isset($_POST['id']) ) { $sql = "DELETE FROM users WHERE id = : zip"; echo "<pre>n$sqln</pre>n"; $stmt = $pdo->prepare($sql); $stmt->execute(array(': zip' => $_POST['id'])); }

<? php require_once "pdo. php"; if ( isset($_POST['name']) && isset($_POST['email']) && isset($_POST['password'])) { $sql

<? php require_once "pdo. php"; if ( isset($_POST['name']) && isset($_POST['email']) && isset($_POST['password'])) { $sql = "INSERT INTO users (name, email, password) VALUES (: name, : email, : password)"; echo("<pre>n". $sql. "n</pre>n"); $stmt = $pdo->prepare($sql); $stmt->execute(array( ': name' => $_POST['name'], ': email' => $_POST['email'], ': password' => $_POST['password'])); } if ( isset($_POST['delete']) && isset($_POST['id']) ) { $sql = "DELETE FROM users WHERE id = : zip"; echo "<pre>n$sqln</pre>n"; $stmt = $pdo->prepare($sql); $stmt->execute(array(': zip' => $_POST['id'])); } ? > Program Outline <? php require_once "pdo. php"; I f ( isset($_POST['name']) && isset($_POST['email']) && isset($_POST['password'])) { $sql = "INSERT INTO users (name, email, password) VALUES (: name, : email, : password)"; echo("<pre>n". $sql. "n</pre>n"); $stmt = $pdo->prepare($sql); $stmt->execute(array( ': name' => $_POST['name'], ': email' => $_POST['email'], ': password' => $_POST['password'])); } if ( isset($_POST['delete']) && isset($_POST['id']) ) { $sql = "DELETE FROM users WHERE id = : zip"; echo "<pre>n$sqln</pre>n"; $stmt = $pdo->prepare($sql); $stmt->execute(array(': zip' => $_POST['id'])); } ? > <html><head></head> <body> <table border="1"> <? php $stmt = $pdo->query("SELECT name, email, password, id FROM users"); while ( $row = $stmt->fetch(PDO: : FETCH_ASSOC) ) { echo "<tr><td>"; echo($row['name']); echo("</td><td>"); echo($row['email']); echo("</td><td>"); echo($row['password']); echo("</td><td>"); echo('<form method="post"><input type="hidden" '); echo('name="id" value="'. $row['id']. '">'. "n"); echo('<input type="submit" value="Del" name="delete">'); echo("n</form>n"); echo("</td></tr>n"); } ? > </table> <p>Add A New User</p><form method="post"> <p>Name: <input type="text" name="name" size="40"></p> <p>Email: <input type="text" name="email"></p> <p>Password: <input type="password" name="password"></p>< p><input type="submit" value="Add New"/></p> </form> </body>

<html><head></head> <body><table border="1"> <? php $stmt = $pdo->query("SELECT name, email, password, id FROM users");

<html><head></head> <body><table border="1"> <? php $stmt = $pdo->query("SELECT name, email, password, id FROM users"); while ( $row = $stmt->fetch(PDO: : FETCH_ASSOC) ) { echo "<tr><td>"; echo($row['name']); echo("</td><td>"); echo($row['email']); echo("</td><td>"); echo($row['password']); echo("</td><td>"); echo('<form method="post"><input type="hidden" '); echo('name="id" value="'. $row['id']. '">'. "n"); echo('<input type="submit" value="Del" name="delete">'); echo("n</form>n"); echo("</td></tr>n"); } ? > </table> <? php require_once "pdo. php"; I f ( isset($_POST['name']) && isset($_POST['email']) && isset($_POST['password'])) { $sql = "INSERT INTO users (name, email, password) VALUES (: name, : email, : password)"; echo("<pre>n". $sql. "n</pre>n"); $stmt = $pdo->prepare($sql); $stmt->execute(array( ': name' => $_POST['name'], ': email' => $_POST['email'], ': password' => $_POST['password'])); } if ( isset($_POST['delete']) && isset($_POST['id']) ) { $sql = "DELETE FROM users WHERE id = : zip"; echo "<pre>n$sqln</pre>n"; $stmt = $pdo->prepare($sql); $stmt->execute(array(': zip' => $_POST['id'])); } ? > <html><head></head> <body> <table border="1"> <? php $stmt = $pdo->query("SELECT name, email, password, id FROM users"); while ( $row = $stmt->fetch(PDO: : FETCH_ASSOC) ) { echo "<tr><td>"; echo($row['name']); echo("</td><td>"); echo($row['email']); echo("</td><td>"); echo($row['password']); echo("</td><td>"); echo('<form method="post"><input type="hidden" '); echo('name="id" value="'. $row['id']. '">'. "n"); echo('<input type="submit" value="Del" name="delete">'); echo("n</form>n"); echo("</td></tr>n"); } ? > </table> <p>Add A New User</p><form method="post"> <p>Name: <input type="text" name="name" size="40"></p> <p>Email: <input type="text" name="email"></p> <p>Password: <input type="password" name="password"></p>< p><input type="submit" value="Add New"/></p> </form> </body>

Program Outline <p>Add A New User</p> <form method="post"> <p>Name: <input type="text" name="name" size="40"></p> <p>Email:

Program Outline <p>Add A New User</p> <form method="post"> <p>Name: <input type="text" name="name" size="40"></p> <p>Email: <input type="text" name="email"></p> <p>Password: <input type="password" name="password"></p> <p><input type="submit" value="Add New"/></p> </form> </body> <? php require_once "pdo. php"; I f ( isset($_POST['name']) && isset($_POST['email']) && isset($_POST['password'])) { $sql = "INSERT INTO users (name, email, password) VALUES (: name, : email, : password)"; echo("<pre>n". $sql. "n</pre>n"); $stmt = $pdo->prepare($sql); $stmt->execute(array( ': name' => $_POST['name'], ': email' => $_POST['email'], ': password' => $_POST['password'])); } if ( isset($_POST['delete']) && isset($_POST['id']) ) { $sql = "DELETE FROM users WHERE id = : zip"; echo "<pre>n$sqln</pre>n"; $stmt = $pdo->prepare($sql); $stmt->execute(array(': zip' => $_POST['id'])); } ? > <html><head></head> <body> <table border="1"> <? php $stmt = $pdo->query("SELECT name, email, password, id FROM users"); while ( $row = $stmt->fetch(PDO: : FETCH_ASSOC) ) { echo "<tr><td>"; echo($row['name']); echo("</td><td>"); echo($row['email']); echo("</td><td>"); echo($row['password']); echo("</td><td>"); echo('<form method="post"><input type="hidden" '); echo('name="id" value="'. $row['id']. '">'. "n"); echo('<input type="submit" value="Del" name="delete">'); echo("n</form>n"); echo("</td></tr>n"); } ? > </table> <p>Add A New User</p><form method="post"> <p>Name: <input type="text" name="name" size="40"></p> <p>Email: <input type="text" name="email"></p> <p>Password: <input type="password" name="password"></p>< p><input type="submit" value="Add New"/></p> </form> </body>

Recall HTML Injection. . .

Recall HTML Injection. . .

<form method="post"> <p><label for="guess">Input Guess</label> <input type="text" name="guess" id="guess" value=""><b>DIE DIE</b>" /></p> <input type="submit"/>

<form method="post"> <p><label for="guess">Input Guess</label> <input type="text" name="guess" id="guess" value=""><b>DIE DIE</b>" /></p> <input type="submit"/> </form>

SQL Injection SQL injection or SQLi is a code injection technique that exploits a

SQL Injection SQL injection or SQLi is a code injection technique that exploits a security vulnerability in some computer software. An injection occurs at the database level of an application (like queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. Using well designed query language interpreters can prevent SQL injections. http: //en. wikipedia. org/wiki/SQL_injection

SQL Injection • This code is prone to SQL Injection - where? if (

SQL Injection • This code is prone to SQL Injection - where? if ( isset($_POST['email']) && isset($_POST['password']) ) { $e = $_POST['email']; $p = $_POST['password']; $sql = "SELECT name FROM users WHERE email = '$e' AND password = '$p'"; $stmt = $pdo->query($sql); Note: For PHP < 5. 4 – this might not fail, actually – look up "stripslashes" login 1. php

What Could Go Wrong? login 1. php

What Could Go Wrong? login 1. php

http: //xkcd. com/327/

http: //xkcd. com/327/

if ( isset($_POST['email']) && isset($_POST['password']) ) { $e = $_POST['email']; $p = $_POST['password']; $sql

if ( isset($_POST['email']) && isset($_POST['password']) ) { $e = $_POST['email']; $p = $_POST['password']; $sql = "SELECT name FROM users WHERE email = '$e' AND password = '$p'"; $stmt = $pdo->query($sql); login 1. php

Use Prepared Statements Properly login 2. php if ( isset($_POST['email']) && isset($_POST['password']) ) {

Use Prepared Statements Properly login 2. php if ( isset($_POST['email']) && isset($_POST['password']) ) { echo("Handling POST data. . . n"); $sql = "SELECT name FROM users WHERE email = : em AND password = : pw"; echo "<pre>n$sqln</pre>n"; $stmt = $pdo->prepare($sql); $stmt->execute(array( ': em' => $_POST['email'], ': pw' => $_POST['password'])); $row = $stmt->fetch(PDO: : FETCH_ASSOC); When the statement is executed, the placeholders get replaced with the actual strings and everything is automatically escaped!

Errors: What Could Go Wrong?

Errors: What Could Go Wrong?

if ( !isset($_GET['id']) ) die('id=1 GET parameter required'); $pdo->set. Attribute(PDO: : ATTR_ERRMODE, PDO: :

if ( !isset($_GET['id']) ) die('id=1 GET parameter required'); $pdo->set. Attribute(PDO: : ATTR_ERRMODE, PDO: : ERRMODE_WARNING); $stmt = $pdo->prepare("SELECT * FROM users where id = : xyz"); $stmt->execute(array(": xyz" => $_GET['id'])); $row = $stmt->fetch(PDO: : FETCH_ASSOC); if ( $row === false ) { echo("<p>id not found</p>n"); } else { echo("<p>id found</p>n"); } errors/error 0. php

$pdo->set. Attribute(PDO: : ATTR_ERRMODE, PDO: : ERRMODE_WARNING); $stmt = $pdo->prepare("SELECT * FROM users where

$pdo->set. Attribute(PDO: : ATTR_ERRMODE, PDO: : ERRMODE_WARNING); $stmt = $pdo->prepare("SELECT * FROM users where id = : xyz"); $stmt->execute(array(": pizza" => $_GET['id'])); $row = $stmt->fetch(PDO: : FETCH_ASSOC); if ( $row === false ) { echo("<p>id not found</p>n"); } else { echo("<p>id found</p>n"); } errors/error 1. php

http: //php. net/manual/en/pdo. error-handling. php

http: //php. net/manual/en/pdo. error-handling. php

$pdo->set. Attribute(PDO: : ATTR_ERRMODE, PDO: : ERRMODE_WARNING); $stmt = $pdo->prepare("SELECT * FROM users where

$pdo->set. Attribute(PDO: : ATTR_ERRMODE, PDO: : ERRMODE_WARNING); $stmt = $pdo->prepare("SELECT * FROM users where id = : xyz"); $stmt->execute(array(": pizza" => $_GET['id'])); $row = $stmt->fetch(PDO: : FETCH_ASSOC); if ( $row === false ) { echo("<p>id not found</p>n"); } else { echo("<p>id found</p>n"); } errors/error 1. php

$pdo->set. Attribute(PDO: : ATTR_ERRMODE, PDO: : ERRMODE_EXCEPTION); $stmt = $pdo->prepare("SELECT * FROM users where

$pdo->set. Attribute(PDO: : ATTR_ERRMODE, PDO: : ERRMODE_EXCEPTION); $stmt = $pdo->prepare("SELECT * FROM users where id = : xyz"); $stmt->execute(array(": pizza" => $_GET['id'])); $row = $stmt->fetch(PDO: : FETCH_ASSOC); if ( $row === false ) { $_SESSION['error'] = 'Bad value for id'; header( 'Location: index. php' ) ; return; } errors/error 2. php

$pdo->set. Attribute(PDO: : ATTR_ERRMODE, PDO: : ERRMODE_EXCEPTION); try { $stmt = $pdo->prepare("SELECT * FROM

$pdo->set. Attribute(PDO: : ATTR_ERRMODE, PDO: : ERRMODE_EXCEPTION); try { $stmt = $pdo->prepare("SELECT * FROM users where id = : xyz"); $stmt->execute(array(": pizza" => $_GET['id'])); } catch (Exception $ex ) { echo("Exception message: ". $ex->get. Message()); return; } $row = $stmt->fetch(PDO: : FETCH_ASSOC); errors/edit 3. php

$pdo->set. Attribute(PDO: : ATTR_ERRMODE, PDO: : ERRMODE_EXCEPTION); try { $stmt = $pdo->prepare("SELECT * FROM

$pdo->set. Attribute(PDO: : ATTR_ERRMODE, PDO: : ERRMODE_EXCEPTION); try { $stmt = $pdo->prepare("SELECT * FROM users where id = : xyz"); $stmt->execute(array(": pizza" => $_GET['id'])); } catch (Exception $ex ) { echo("Exception message: ". $ex->get. Message()); error_log("error 4. php, SQL error=". $ex->get. Message()); return; } $row = $stmt->fetch(PDO: : FETCH_ASSOC); errors/edit 4. php

Where do error_log()'s go? • When in doubt look at PHPInfo

Where do error_log()'s go? • When in doubt look at PHPInfo

Where do error_log()'s go? • • • File Paths: • • /Applications/MAMP/logs/php_error. log c:

Where do error_log()'s go? • • • File Paths: • • /Applications/MAMP/logs/php_error. log c: xamppphplogsphp_error_log Open the log file and scroll to the bottom Watch the log actively • • On Mac / Linux use: tail -f filename Windows: http: //ophilipp. free. fr/op_tail. htm (m. Tail)

CRUD!

CRUD!

CRUD Pattern • • When we store things in database tables we generally need

CRUD Pattern • • When we store things in database tables we generally need • • Create - Insert a new row Read - Read existing row(s) Update - Change some values of a record Delete - Delete a record So far we have done 3/4 of CRUD

Our Program is a little Ugly • Usually we create several screens • •

Our Program is a little Ugly • Usually we create several screens • • • Add new row View all rows (paging) View single row Edit single row Delete a row

Five Separate Files • • • index. php - Main list and links to

Five Separate Files • • • index. php - Main list and links to other files add. php - Add a new entry delete. php - Delete an entry edit. php - Edit existing view. php (if index. php needs a detail view)

index. php <? php require_once "pdo. php"; session_start(); ? > <html><head></head> <body> <? php

index. php <? php require_once "pdo. php"; session_start(); ? > <html><head></head> <body> <? php if ( isset($_SESSION['error']) ) { echo '<p style="color: red">'. $_SESSION['error']. "</p>n"; unset($_SESSION['error']); } if ( isset($_SESSION['success']) ) { echo '<p style="color: green">'. $_SESSION['success']. "</p>n"; unset($_SESSION['success']); } echo('<table border="1">'. "n");

index. php echo('<table border="1">'. "n"); $stmt = $pdo->query("SELECT name, email, password, id FROM users");

index. php echo('<table border="1">'. "n"); $stmt = $pdo->query("SELECT name, email, password, id FROM users"); while ( $row = $stmt->fetch(PDO: : FETCH_ASSOC) ) { echo "<tr><td>"; echo($row['name']); echo("</td><td>"); echo($row['email']); echo("</td><td>"); echo($row['password']); echo("</td><td>"); echo('<a href="edit. php? id='. htmlentities($row['id']). '">Edit</a> / '); echo('<a href="delete. php? id='. htmlentities($row['id']). '">Delete</a>'); echo("n</form>n"); echo("</td></tr>n"); } ? > </table> <a href="add. php">Add New</a>

<tr><td>Chuck</td><td>csev@umich. edu</td><td>123</td><td> <a href="edit. php? id=1">Edit</a> / <a href="delete. php? id=1">Delete</a></td></tr> <tr><td>Glenn</td><td>gg@umich. edu</td><td>456</td><td> <a

<tr><td>Chuck</td><td>csev@umich. edu</td><td>123</td><td> <a href="edit. php? id=1">Edit</a> / <a href="delete. php? id=1">Delete</a></td></tr> <tr><td>Glenn</td><td>gg@umich. edu</td><td>456</td><td> <a href="edit. php? id=2">Edit</a> / <a href="delete. php? id=2">Delete</a></td></tr>

<? php require_once "pdo. php"; session_start(); if ( isset($_POST['name']) && isset($_POST['email']) && isset($_POST['password'])) {

<? php require_once "pdo. php"; session_start(); if ( isset($_POST['name']) && isset($_POST['email']) && isset($_POST['password'])) { $sql = "INSERT INTO users (name, email, password) VALUES (: name, : email, : password)"; $stmt = $pdo->prepare($sql); $stmt->execute(array( ': name' => $_POST['name'], ': email' => $_POST['email'], ': password' => $_POST['password'])); $_SESSION['success'] = 'Record Added'; header( 'Location: index. php' ) ; return; } ? > <p>Add A New User</p> <form method="post"> <p>Name: <input type="text" name="name"></p> <p>Email: <input type="text" name="email"></p> <p>Password: <input type="password" name="password"></p> <p><input type="submit" value="Add New"/> <a href="index. php">Cancel</a></p> </form> add. php

if ( isset($_POST['name']) && isset($_POST['email']) && isset($_POST['password'])) { $sql = "INSERT INTO users (name,

if ( isset($_POST['name']) && isset($_POST['email']) && isset($_POST['password'])) { $sql = "INSERT INTO users (name, email, password) VALUES (: name, : email, : password)"; $stmt = $pdo->prepare($sql); $stmt->execute(array( ': name' => $_POST['name'], ': email' => $_POST['email'], ': password' => $_POST['password'])); $_SESSION['success'] = 'Record Added'; header( 'Location: index. php' ) ; return; if ( isset($_SESSION['success']) ) { echo '<p style="color: green">'. $_SESSION['success']. "</p>n"; unset($_SESSION['success']); }

<? php require_once "pdo. php" ; session_start(); if ( isset($_POST['delete']) && isset($_POST['id']) ) {

<? php require_once "pdo. php" ; session_start(); if ( isset($_POST['delete']) && isset($_POST['id']) ) { $sql = "DELETE FROM users WHERE id = : zip"; $stmt = $pdo->prepare($sql); $stmt->execute(array(': zip' => $_POST['id'])); $_SESSION['success'] = 'Record deleted'; header( 'Location: index. php' ) ; return; } $stmt = $pdo->prepare("SELECT name, id FROM users where id = : xyz"); $stmt->execute(array(": xyz" => $_GET['id'])); $row = $stmt->fetch(PDO: : FETCH_ASSOC); if ( $row === false ) { $_SESSION['error'] = 'Bad value for id'; header( 'Location: index. php' ) ; return; } echo "<p>Confirm: Deleting ". htmlentities($row['name']). "</p>n"; echo('<form method="post"><input type="hidden" '); echo('name="id" value="'. $row['id']. '">'. "n"); echo('<input type="submit" value="Delete" name="delete">'); echo('<a href="index. php">Cancel</a>'); echo("n</form>n"); ? > delete. php Don't alter data in a GET.

if ( isset($_POST['delete']) && isset($_POST['id']) ) { $sql = "DELETE FROM users WHERE id

if ( isset($_POST['delete']) && isset($_POST['id']) ) { $sql = "DELETE FROM users WHERE id = : zip"; $stmt = $pdo->prepare($sql); $stmt->execute(array(': zip' => $_POST['id'])); $_SESSION['success'] = 'Record deleted'; header( 'Location: index. php' ) ; return; } if ( isset($_SESSION['success']) ) { echo '<p style="color: green">'. $_SESSION['success']. "</p>n"; unset($_SESSION['success']); }

<? php require_once "pdo. php"; session_start(); if ( isset($_POST['name']) && isset($_POST['email']) && isset($_POST['password']) &&

<? php require_once "pdo. php"; session_start(); if ( isset($_POST['name']) && isset($_POST['email']) && isset($_POST['password']) && isset($_POST['id']) ) { $sql = "UPDATE users SET name = : name, email = : email, password = : password WHERE id = : id"; $stmt = $pdo->prepare($sql); $stmt->execute(array( ': name' => $_POST['name'], ': email' => $_POST['email'], ': password' => $_POST['password'], ': id' => $_POST['id'])); $_SESSION['success'] = 'Record updated'; header( 'Location: index. php' ) ; return; } $stmt = $pdo->prepare("SELECT * FROM users where id = : xyz"); $stmt->execute(array(": xyz" => $_GET['id'])); $row = $stmt->fetch(PDO: : FETCH_ASSOC); if ( $row === false ) { $_SESSION['error'] = 'Bad value for id'; header( 'Location: index. php' ) ; return; } edit. php

$n = htmlentities($row['name']); $e = htmlentities($row['email']); $p = htmlentities($row['password']); $id = htmlentities($row['id']); echo <<<

$n = htmlentities($row['name']); $e = htmlentities($row['email']); $p = htmlentities($row['password']); $id = htmlentities($row['id']); echo <<< _END <html><head></head><body> <p>Edit User</p> <form method="post"> <p>Name: <input type="text" name="name" value="$n"></p> <p>Email: <input type="text" name="email" value="$e"></p> <p>Password: <input type="text" name="password" value="$p"></p> <input type="hidden" name="id" value="$id"> <p><input type="submit" value="Update"/> <a href="index. php">Cancel</a></p> </form> </body> _END edit. php

if ( isset($_POST['name']) && isset($_POST['email']) && isset($_POST['password']) && isset($_POST['id']) ) { $sql = "UPDATE

if ( isset($_POST['name']) && isset($_POST['email']) && isset($_POST['password']) && isset($_POST['id']) ) { $sql = "UPDATE users SET name = : name, email = : email, password = : password WHERE id = : id"; $stmt = $pdo->prepare($sql); $stmt->execute(array( ': name' => $_POST['name'], ': email' => $_POST['email'], ': password' => $_POST['password'], ': id' => $_POST['id'])); $_SESSION['success'] = 'Record updated'; header( 'Location: index. php' ) ; return; } edit. php

Summary • • • Making database connections Doing database operations SQL security (a. k.

Summary • • • Making database connections Doing database operations SQL security (a. k. a. we love PDO prepared statements) Exploring errors. . . A multi-file CRUD application with redirect

Acknowledgements / Contributions These slides are Copyright 2010 - Charles R. Severance (www. dr-chuck.

Acknowledgements / Contributions These slides are Copyright 2010 - Charles R. Severance (www. dr-chuck. com) as part of www. php-intro. com and made available under a Creative Commons Attribution 4. 0 License. Please maintain this last slide in all copies of the document to comply with the attribution requirements of the license. If you make a change, feel free to add your name and organization to the list of contributors on this page as you republish the materials. Initial Development: Charles Severance, University of Michigan School of Information Insert new Contributors and Translators here including names and dates Continue new Contributors and Translators here

Accessing My SQL Using PDO Charles Severance wwwAccessing My SQL Using PDO Charles Severance www
SQL SQL SELECT SQL INSERT SQL UPDATE SQLSQL SQL SELECT SQL INSERT SQL UPDATE SQL
Accessing My SQL Using PDO www phpintro comAccessing My SQL Using PDO www phpintro com
Accessing My SQL Using PDO Application Structure EndAccessing My SQL Using PDO Application Structure End
2015 Severance Stroke Center Severance Stroke Center 42015 Severance Stroke Center Severance Stroke Center 4
Severance Childrens Hospital SEVERANCE Department of Briefing sessionSeverance Childrens Hospital SEVERANCE Department of Briefing session
Relational Databases and My SQL Charles Severance wwwRelational Databases and My SQL Charles Severance www
Relational Databases and My SQL Charles Severance wwwRelational Databases and My SQL Charles Severance www
Advanced SQL Charles Severance www phpintro com ErrorAdvanced SQL Charles Severance www phpintro com Error
Relational Databases and Postgre SQL Charles Severance wwwRelational Databases and Postgre SQL Charles Severance www
SQL Syntaks SQL Hi A SQL SQL StructuredSQL Syntaks SQL Hi A SQL SQL Structured
SQL Syntaks SQL Hi A SQL SQL StructuredSQL Syntaks SQL Hi A SQL SQL Structured
PLSQL l SQL SQL DBMS SQL SQL IFPLSQL l SQL SQL DBMS SQL SQL IF
Postgre SQL Postgre SQL Postgre SQL Postgre SQLPostgre SQL Postgre SQL Postgre SQL Postgre SQL
SQL INJECTION INYECCIN SQL SQL Injection SQL InjectionSQL INJECTION INYECCIN SQL SQL Injection SQL Injection
Using JSON Dr Charles Severance www wa 4Using JSON Dr Charles Severance www wa 4
Using j Query Dr Charles Severance www waUsing j Query Dr Charles Severance www wa
Using Clip Board2000 Charles Severance University of MichiganUsing Clip Board2000 Charles Severance University of Michigan
Using Handlebars Dr Charles Severance www wa 4Using Handlebars Dr Charles Severance www wa 4
Using AJAX JSON Dr Charles Severance www djUsing AJAX JSON Dr Charles Severance www dj
Using Collaborative Tools in NEESGrid Charles Severance UniversityUsing Collaborative Tools in NEESGrid Charles Severance University
Using Sakai for Research Collaboration Charles Severance UniversityUsing Sakai for Research Collaboration Charles Severance University
Using the Collaborative Tools in NEESgrid Charles SeveranceUsing the Collaborative Tools in NEESgrid Charles Severance
Database Processing with PDO ISYS 475 PDO httpDatabase Processing with PDO ISYS 475 PDO http