PHP and MySQL for Dynamic Web Sites

VISUAL QUICKpro GUIDEPHP and MySQLfor Dynamic Web SitesFourth EditionLarry ULLmanPeachpit Press

Visual QuickPro GuidePHP and MySQL for Dynamic Web Sites, Fourth EditionLarry UllmanPeachpit Press1249 Eighth StreetBerkeley, CA 94710510/524-2178510/524-2221 (fax)Find us on the Web at: www.peachpit.comTo report errors, please send a note to: errata@peachpit.comPeachpit Press is a division of Pearson Education.Copyright © 2012 by Larry UllmanEditor: Rebecca GulickCopy Editor: Patricia PaneTechnical Reviewer: Anselm BradfordProduction Coordinator: Myrna VladicCompositor: Debbie RobertiProofreader: Bethany StoughIndexer: Valerie Haynes-PerryCover Design: RHDG / Riezebos Holzbaur Design Group, Peachpit PressInterior Design: Peachpit PressLogo Design: MINE www.minesf.comNotice of RightsAll rights reserved. No part of this book may be reproduced or transmitted in any form by any means,electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of thepublisher. For information on getting permission for reprints and excerpts, contact permissions@peachpit.com.Notice of LiabilityThe information in this book is distributed on an “As Is” basis, without warranty. While every precaution hasbeen taken in the preparation of the book, neither the author nor Peachpit Press shall have any liability to anyperson or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by theinstructions contained in this book or by the computer software and hardware products described in it.TrademarksVisual QuickPro Guide is a registered trademark of Peachpit Press, a division of Pearson Education. MySQL isa registered trademark of MySQL AB in the United States and in other countries. Macintosh and Mac OS X areregistered trademarks of Apple, Inc. Microsoft and Windows are registered trademarks of Microsoft Corp. Otherproduct names used in this book may be trademarks of their own respective owners. Images of Web sites inthis book are copyrighted by the original holders and are used with their kind permission. This book is notofficially endorsed by nor affiliated with any of the above companies, including MySQL AB.Many of the designations used by manufacturers and sellers to distinguish their products are claimed astrademarks. Where those designations appear in this book, and Peachpit was aware of a trademark claim,the designations appear as requested by the owner of the trademark. All other product names and servicesidentified throughout this book are used in editorial fashion only and for the benefit of such companies with nointention of infringement of the trademark. No such use, or the use of any trade name, is intended to conveyendorsement or other affiliation with this book.ISBN-13: 978-0-321-78407-0ISBN-10: 0-321-78407-39 8 7 6 5 4 3 2 1Printed and bound in the United States of America

Table of ContentsIntroduction . . . . . . . . . . . . . . . . . . . . . . . . . . . ixChapter 1 Introduction to PHP. . . . . . . . . . . . . . . . . . . . . 1Basic Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 2Sending Data to the Web Browser. . . . . . . . . . . . . 6Writing Comments. . . . . . . . . . . . . . . . . . . . . . 10What Are Variables?. . . . . . . . . . . . . . . . . . . . . 14Introducing Strings . . . . . . . . . . . . . . . . . . . . . 18Concatenating Strings . . . . . . . . . . . . . . . . . . . 21Introducing Numbers . . . . . . . . . . . . . . . . . . . . 23Introducing Constants . . . . . . . . . . . . . . . . . . . 26Single vs. Double Quotation Marks . . . . . . . . . . . . 29Basic Debugging Steps . . . . . . . . . . . . . . . . . . . 32Review and Pursue . . . . . . . . . . . . . . . . . . . . . 34Chapter 2 Programming with PHP . . . . . . . . . . . . . . . . . 35Creating an HTML Form . . . . . . . . . . . . . . . . . . 36Handling an HTML Form . . . . . . . . . . . . . . . . . . 41Conditionals and Operators . . . . . . . . . . . . . . . . 45Validating Form Data . . . . . . . . . . . . . . . . . . . . 49Introducing Arrays. . . . . . . . . . . . . . . . . . . . . . 54For and While Loops . . . . . . . . . . . . . . . . . . . . 69Review and Pursue . . . . . . . . . . . . . . . . . . . . . 72Chapter 3 Creating Dynamic Web Sites. . . . . . . . . . . . . . 75Including Multiple Files . . . . . . . . . . . . . . . . . . . 76Handling HTML Forms, Revisited . . . . . . . . . . . . . 85Making Sticky Forms . . . . . . . . . . . . . . . . . . . . 91Creating Your Own Functions . . . . . . . . . . . . . . . 95Review and Pursue . . . . . . . . . . . . . . . . . . . . . 110iv Table of Contents

Chapter 4 Introduction to MySQL . . . . . . . . . . . . . . . . . 111Naming Database Elements . . . . . . . . . . . . . . . 112Choosing Your Column Types . . . . . . . . . . . . . . 1 1 4Choosing Other Column Properties. . . . . . . . . . . 118Accessing MySQL . . . . . . . . . . . . . . . . . . . . . 1 2 1Review and Pursue . . . . . . . . . . . . . . . . . . . . 128Chapter 5 Introduction to SQL. . . . . . . . . . . . . . . . . . . . 129Creating Databases and Tables . . . . . . . . . . . . . 130Inserting Records . . . . . . . . . . . . . . . . . . . . . 133Selecting Data . . . . . . . . . . . . . . . . . . . . . . . 138Using Conditionals . . . . . . . . . . . . . . . . . . . . 140Using LIKE and NOT LIKE. . . . . . . . . . . . . . . . . 143Sorting Query Results. . . . . . . . . . . . . . . . . . . 145Limiting Query Results . . . . . . . . . . . . . . . . . . 147Updating Data . . . . . . . . . . . . . . . . . . . . . . . 149Deleting Data . . . . . . . . . . . . . . . . . . . . . . . 1 51Using Functions . . . . . . . . . . . . . . . . . . . . . . 153Review and Pursue . . . . . . . . . . . . . . . . . . . . 164Chapter 6 Database Design . . . . . . . . . . . . . . . . . . . . .165Normalization . . . . . . . . . . . . . . . . . . . . . . . 166Creating Indexes . . . . . . . . . . . . . . . . . . . . . 179Using Different Table Types . . . . . . . . . . . . . . . 182Languages and MySQL . . . . . . . . . . . . . . . . . . 184Time Zones and MySQL . . . . . . . . . . . . . . . . . 189Foreign Key Constraints . . . . . . . . . . . . . . . . . 195Review and Pursue . . . . . . . . . . . . . . . . . . . . 202Chapter 7 Advanced SQL and MySQL. . . . . . . . . . . . . . . 203Performing Joins. . . . . . . . . . . . . . . . . . . . . . 204Grouping Selected Results . . . . . . . . . . . . . . . 214Advanced Selections . . . . . . . . . . . . . . . . . . . 218Performing FULLTEXT Searches . . . . . . . . . . . . 222Optimizing Queries . . . . . . . . . . . . . . . . . . . . 230Performing Transactions . . . . . . . . . . . . . . . . . 234Database Encryption . . . . . . . . . . . . . . . . . . . 237Review and Pursue . . . . . . . . . . . . . . . . . . . . 240Table of Contents v

Chapter 8 Error Handling and Debugging . . . . . . . . . . . . 241Error Types and Basic Debugging . . . . . . . . . . . . 242Displaying PHP Errors. . . . . . . . . . . . . . . . . . . 248Adjusting Error Reporting in PHP . . . . . . . . . . . . 250Creating Custom Error Handlers. . . . . . . . . . . . . 253PHP Debugging Techniques . . . . . . . . . . . . . . . 258SQL and MySQL Debugging Techniques. . . . . . . . 262Review and Pursue . . . . . . . . . . . . . . . . . . . . 264Chapter 9 Using PHP with MySQL . . . . . . . . . . . . . . . . . 265Modifying the Template. . . . . . . . . . . . . . . . . . 266Connecting to MySQL. . . . . . . . . . . . . . . . . . . 268Executing Simple Queries . . . . . . . . . . . . . . . . 273Retrieving Query Results . . . . . . . . . . . . . . . . 281Ensuring Secure SQL . . . . . . . . . . . . . . . . . . . 285Counting Returned Records . . . . . . . . . . . . . . . 290Updating Records with PHP . . . . . . . . . . . . . . . 292Review and Pursue . . . . . . . . . . . . . . . . . . . . 298Chapter 10 Common Programming Techniques . . . . . . . . . 299Sending Values to a Script . . . . . . . . . . . . . . . . 300Using Hidden Form Inputs . . . . . . . . . . . . . . . . 304Editing Existing Records . . . . . . . . . . . . . . . . . 309Paginating Query Results. . . . . . . . . . . . . . . . . .316Making Sortable Displays . . . . . . . . . . . . . . . . 323Review and Pursue . . . . . . . . . . . . . . . . . . . . 328Chapter 11 Web Application Development . . . . . . . . . . . . 329Sending Email . . . . . . . . . . . . . . . . . . . . . . . 330Handling File Uploads . . . . . . . . . . . . . . . . . . 336PHP and JavaScript . . . . . . . . . . . . . . . . . . . . 348Understanding HTTP Headers. . . . . . . . . . . . . . 355Date and Time Functions . . . . . . . . . . . . . . . . . 362Review and Pursue . . . . . . . . . . . . . . . . . . . . 366vi Table of Contents

Chapter 12 Cookies and Sessions . . . . . . . . . . . . . . . . . .367Making a Login Page . . . . . . . . . . . . . . . . . . . 368Making the Login Functions . . . . . . . . . . . . . . . 371Using Cookies . . . . . . . . . . . . . . . . . . . . . . . 376Using Sessions. . . . . . . . . . . . . . . . . . . . . . . 388Improving Session Security . . . . . . . . . . . . . . . 396Review and Pursue . . . . . . . . . . . . . . . . . . . . 400Chapter 13 Security Methods . . . . . . . . . . . . . . . . . . . . . 401Preventing Spam . . . . . . . . . . . . . . . . . . . . . 402Validating Data by Type. . . . . . . . . . . . . . . . . . 409Validating Files by Type. . . . . . . . . . . . . . . . . . 414Preventing XSS Attacks. . . . . . . . . . . . . . . . . . 418Using the Filter Extension . . . . . . . . . . . . . . . . 421Preventing SQL Injection Attacks . . . . . . . . . . . . 425Review and Pursue . . . . . . . . . . . . . . . . . . . . 432Chapter 14 Perl-Compatible Regular Expressions. . . . . . . . 433Creating a Test Script . . . . . . . . . . . . . . . . . . . 434Defining Simple Patterns . . . . . . . . . . . . . . . . . 438Using Quantifiers . . . . . . . . . . . . . . . . . . . . . 4 41Using Character Classes . . . . . . . . . . . . . . . . . 443Finding All Matches . . . . . . . . . . . . . . . . . . . . 446Using Modifiers . . . . . . . . . . . . . . . . . . . . . . 450Matching and Replacing Patterns . . . . . . . . . . . . 452Review and Pursue . . . . . . . . . . . . . . . . . . . . 456Chapter 15 Introducing jQuery . . . . . . . . . . . . . . . . . . . . 457What is jQuery? . . . . . . . . . . . . . . . . . . . . . . 458Incorporating jQuery . . . . . . . . . . . . . . . . . . . 460Using jQuery . . . . . . . . . . . . . . . . . . . . . . . . 463Selecting Page Elements . . . . . . . . . . . . . . . . . 466Event Handling. . . . . . . . . . . . . . . . . . . . . . . 469DOM Manipulation . . . . . . . . . . . . . . . . . . . . 473Using Ajax . . . . . . . . . . . . . . . . . . . . . . . . . 479Review and Pursue . . . . . . . . . . . . . . . . . . . . 492Table of Contents vii

Chapter 16 An OOP Primer . . . . . . . . . . . . . . . . . . . . . . . . 493Fundamentals and Syntax . . . . . . . . . . . . . . . . 494Working with MySQL . . . . . . . . . . . . . . . . . . . 497The DateTime Class . . . . . . . . . . . . . . . . . . . . 511Review and Pursue . . . . . . . . . . . . . . . . . . . . 518Chapter 17 Example—Message Board . . . . . . . . . . . . . . . 519Making the Database . . . . . . . . . . . . . . . . . . . 520Creating the Index Page . . . . . . . . . . . . . . . . . 537Creating the Forum Page . . . . . . . . . . . . . . . . . 538Creating the Thread Page . . . . . . . . . . . . . . . . 543Posting Messages . . . . . . . . . . . . . . . . . . . . . 548Review and Pursue . . . . . . . . . . . . . . . . . . . . 558Chapter 18 Example —User Registration. . . . . . . . . . . . . . 559Creating the Templates . . . . . . . . . . . . . . . . . . 560Writing the Configuration Scripts . . . . . . . . . . . . 566Creating the Home Page . . . . . . . . . . . . . . . . . 574Registration . . . . . . . . . . . . . . . . . . . . . . . . 576Activating an Account. . . . . . . . . . . . . . . . . . . 586Logging In and Logging Out . . . . . . . . . . . . . . . 589Password Management. . . . . . . . . . . . . . . . . . 594Review and Pursue . . . . . . . . . . . . . . . . . . . . 604Chapter 19 Example —E-Commerce. . . . . . . . . . . . . . . . . 605Creating the Database . . . . . . . . . . . . . . . . . . 606The Administrative Side . . . . . . . . . . . . . . . . . 612Creating the Public Template . . . . . . . . . . . . . . 629The Product Catalog . . . . . . . . . . . . . . . . . . . 633The Shopping Cart . . . . . . . . . . . . . . . . . . . . 645Recording the Orders . . . . . . . . . . . . . . . . . . . 654Review and Pursue . . . . . . . . . . . . . . . . . . . . 659Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661BonuS AppenDixAppendix A Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . A1viii Table of Contents

IntroductionToday’s Web users expect exciting pagesthat are updated frequently and providea customized experience. For them, Websites are more like communities, to whichthey’ll return time and again. At the sametime, Web-site administrators want sitesthat are easier to update and maintain,understanding that’s the only reasonableway to keep up with visitors’ expectations.For these reasons and more, PHPand MySQL have become the de factostandards for creating dynamic, databasedrivenWeb sites.This book represents the culmination of mymany years of Web development experiencecoupled with the value of havingwritten several previous books on the technologiesdiscussed herein. The focus ofthis book is on covering the most importantknowledge in the most efficient manner.It will teach you how to begin developingdynamic Web sites and give you plenty ofexample code to get you started. All youneed to provide is an eagerness to learn.Well, that and a computer.What Are DynamicWeb Sites?Dynamic Web sites are flexible and potentcreatures, more accurately described asapplications than merely sites. DynamicWeb sitesnnnnnRespond to different parameters (forexample, the time of day or the versionof the visitor’s Web browser)Have a “memory,” allowing for userregistration and login, e-commerce,and similar processesAlmost always integrate HTML forms,allowing visitors to perform searches,provide feedback, and so forthOften have interfaces whereadministrators can manage thesite’s contentAre easier to maintain, upgrade, andbuild upon than statically made sitesIntroduction ix

There are many technologies availablefor creating dynamic Web sites. The mostcommon are ASP.NET (Active ServerPages, a Microsoft construct), JSP (JavaServer Pages), ColdFusion, Ruby on Rails (aWeb development framework for the Rubyprogramming language), and PHP. DynamicWeb sites don’t always rely on a database,but more and more of them do, particularlyas excellent database applications likeMySQL are available at little to no cost.What is pHp?PHP originally stood for “Personal HomePage” as it was created in 1994 by RasmusLerdorf to track the visitors to his onlinerésumé. As its usefulness and capabilitiesgrew (and as it started being used in moreprofessional situations), it came to mean“PHP: Hypertext Preprocessor.”According to the official PHP Web site,found at www.php.net A, PHP is a“widely used general-purpose scriptinglanguage that is especially suited for Webdevelopment and can be embedded intoHTML.” It’s a long but descriptive definition,whose meaning I’ll explain.Starting at the end of that statement, tosay that PHP can be embedded intoHTML means that you can take a standardHTML page, drop in some PHP whereveryou need it, and end up with a dynamicresult. This attribute makes PHP veryapproachable for anyone that’s done evena little bit of HTML work.Also, PHP is a scripting language, asopposed to a compiled language: PHPwas designed to write Web scripts, notstand-alone applications (although, withsome extra effort, you can now createapplications in PHP). PHP scripts run onlyafter an event occurs—for example, whena user submits a form or goes to a URL(Uniform Resource Locator, the technicalterm for a Web address).I should add to this definition that PHP isa server-side, cross-platform technology,both descriptions being important. Serversiderefers to the fact that everything PHPdoes occurs on the server. A Web serverapplication, like Apache or Microsoft’s IIS(Internet Information Services), is requiredand all PHP scripts must be accessedthrough a URL (http://something). ItsA The home page for PHP.x Introduction

What Happened to pHp 6?When I wrote the previous version ofthis book, PHP 6 and MySQL 5 forDynamic Web Sites: Visual QuickProGuide, the next major release of PHP—PHP 6—was approximately 50 percentcomplete. Thinking that PHP 6 wouldtherefore be released sometime afterthe book was published, I relied upona beta version of PHP 6 for a bit of thatedition’s material. And then…PHP 6 died.One of the key features planned for PHP6 was support for Unicode, meaning thatPHP 6 would be able to work nativelywith any language. This would be agreat addition to an already popularprogramming tool. Unfortunately,implementing Unicode support wentfrom being complicated to quite difficult,and the developers behind the languagetabled development of PHP 6. Not allwas lost, however: Some of the otherfeatures planned for PHP 6, such assupport for namespaces (an Object-Oriented Programming concept), wereadded to PHP 5.3.At the time of this writing, it’s not clearwhen Unicode support might be completedor what will happen with PHP 6.My hunch is that PHP will be makingincremental developments along theversion 5 trunk for some time to come.cross-platform nature means that PHPruns on most operating systems, includingWindows, Unix (and its many variants), andMacintosh. More important, the PHP scriptswritten on one server will normally work onanother with little or no modification.At the time this book was written, PHP wasat version 5.3.6 and this book does assumeyou’re using at least version 5.0. Some functionsand features covered will require morespecific or current versions, like PHP 5.2 orgreater. In those cases, I will make it clearwhen the functionality was added to PHP,and provide alternative solutions if you havea slightly older version of the language.If you’re still using version 4 of PHP, youreally should upgrade. If that’s not in yourplans, then please grab the second editionof this book instead.More information about PHP can always befound at PHP.net or at Zend (www.zend.com),the minds behind the core of PHP.Why use pHp?Put simply, when it comes to developingdynamic Web sites, PHP is better, faster,and easier to learn than the alternatives.What you get with PHP is excellentperformance, a tight integration withnearly every database available, stability,portability, and a nearly limitless featureset due to its extendibility. All of this comesat no cost (PHP is open source) and witha very manageable learning curve. PHP isone of the best marriages I’ve ever seenbetween the ease with which beginningprogrammers can start using it and theability for more advanced programmers todo everything they require.Finally, the proof is in the pudding: PHPhas seen an exponential growth in usesince its inception, and is the server-sideIntroduction xi

technology of choice on over 76 percentof all Web sites B. In terms of all programminglanguages, PHP is the fifthmost popular C.Of course, you might assume that I, as theauthor of a book on PHP (several, actually),have a biased opinion. Although notnearly to the same extent as PHP, I’ve alsodeveloped sites using Java Server Pages(JSP), Ruby on Rails (RoR), and ASP.NET.Each has its pluses and minuses, but PHPis the technology I always return to. Youmight hear that it doesn’t perform or scaleas well as other technologies, but Yahoo!,Wikipedia, and Facebook all use PHP, andyou can’t find many sites more visited ordemanding than those.You might also wonder how secure PHPis. But security isn’t in the language; it’s inhow that language is used. Rest assuredthat a complete and up-to-date discussionof all the relevant security concerns isprovided by this book.How pHp worksAs previously stated, PHP is a server-sidelanguage. This means that the code youwrite in PHP sits on a host computer calleda server. The server sends Web pages tothe requesting visitors (you, the client, withyour Web browser).When a visitor goes to a Web site writtenin PHP, the server reads the PHP code andthen processes it according to its scripteddirections. In the example shown in D,the PHP code tells the server to send theappropriate data—HTML code—to the Webbrowser, which treats the received code asit would a standard HTML page.This differs from a static HTML site where,when a request is made, the server merelysends the HTML data to the Web browserand there is no server-side interpretationB The Web Technology Surveys site providesthis graphic regarding server-side technologies(www.w3techs.com/technologies/overview/programming_language/all).C The Tiobe Index (http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html)uses a combination of factors to rank thepopularity of programming languages.D How PHP fits into theclient/server model when auser requests a Web page.xii Introduction

By incorporating a database into a Webapplication, some of the data generated byPHP can be retrieved from MySQL G. Thisfurther moves the site’s content from a static(hard-coded) basis to a flexible one, flexibilitybeing the key to a dynamic Web site.MySQL is an open-source application,like PHP, meaning that it is free to useor even modify (the source code itself isdownloadable). There are occasions inwhich you should pay for a MySQL license,especially if you are making money fromthe sales or incorporation of the MySQLproduct. Check MySQL’s licensing policyfor more information on this.The MySQL software consists of severalpieces, including the MySQL server (mysqld,which runs and manages the databases),the MySQL client (mysql, which gives youan interface to the server), and numerousutilities for maintenance and other purposes.PHP has always had good supportfor MySQL, and that is even more true in themost recent versions of the language.MySQL has been known to handle databasesas large as 60,000 tables withmore than 5 billion rows. MySQL can workwith tables as large as 8 million terabyteson some operating systems, generally ahealthy 4 GB otherwise. MySQL is usedby NASA and the United States CensusBureau, among many others.At the time of this writing, MySQL is onversion 5.5.13, with versions 5.6 and 6.0 indevelopment. The version of MySQL youhave affects what features you can use, soit’s important that you know what you’reworking with. For this book, MySQL 5.1.44and 5.5.8 were used, although you shouldbe able to do everything in this book aslong as you’re using a version of MySQLgreater than 5.0.pronunciation GuideTrivial as it may be, I should clarifyup front that MySQL is technicallypronounced “My Ess Que Ell,” just asSQL should be said “Ess Que Ell.” This isa question many people have when firstworking with these technologies. Whilenot a critical issue, it’s always best topronounce acronyms correctly.G How most of the dynamic Web applications in this book will work,using both PHP and MySQL.xiv Introduction

What You’ll needTo follow the examples in this book, you’llneed the following tools:nnnnnnA Web server application (for example,Apache, Abyss, or IIS)PHPMySQLA Web browser (Microsoft’s InternetExplorer, Mozilla’s Firefox, Apple’sSafari, Google’s Chrome, etc.)A text editor, PHP-capable WYSIWYGapplication (Adobe’s Dreamweaverqualifies), or IDE (integrateddevelopment environment)An FTP application, if using a remoteserverOne of the great things about developingdynamic Web sites with PHP and MySQLis that all of the requirements can bemet at no cost whatsoever, regardless ofyour operating system! Apache, PHP, andMySQL are each free; Web browsers canbe had without cost; and many good texteditors are available for nothing.The appendix, which you can downloadfrom http://www.peachpit.com, discusses theinstallation process on the Windows and MacOS X operating systems. If you have a computer,you are only a couple of downloadsaway from being able to create dynamicWeb sites (in that case, your computer wouldrepresent both the client and the server inD and E). Conversely, you could purchaseWeb hosting for only dollars per month thatwill provide you with a PHP- and MySQLenabledenvironment already online.To download this book's appendix frompeachpit.com, create a free account at http://peachpit.com, and then register this bookusing ISBN number 0321784073. Once registered,you'll have access to the bonus content.About This BookThis book teaches how to develop dynamicWeb sites with PHP and MySQL, coveringthe knowledge that most developersmight require. In keeping with the formatof the Visual QuickPro series, the informationis discussed using a step-by-stepapproach with corresponding images. Thefocus has been kept on real-world, practicalexamples, avoiding “here’s somethingyou could do but never would” scenarios.As a practicing Web developer myself, Iwrote about the information that I use andavoided those topics immaterial to the taskat hand. As a practicing writer, I made certainto include topics and techniques that Iknow readers are asking about.The structure of the book is linear, andthe intention is that you’ll read it in order.It begins with three chapters coveringthe fundamentals of PHP (by the secondchapter, you will have already developedyour first dynamic Web page). Afterthat, there are four chapters on SQL(Structured Query Language, which isused to interact with all databases) andMySQL. Those chapters teach the basicsof SQL, database design, and the MySQLapplication in particular. Then there’sone chapter on debugging and errormanagement, information everyone needs.This is followed by a chapter introducinghow to use PHP and MySQL together, aremarkably easy thing to do.The following five chapters teach moreapplication techniques to round out yourknowledge. Security, in particular, is repeatedlyaddressed in those pages. Two newchapters, to be discussed momentarily,expand your newfound knowledge. Finally,I’ve included three example chapters, inwhich the heart of different Web applicationsare developed, with instructions.Introduction xv

is this book for you?This book was written for a wide range ofpeople within the beginner-to-intermediaterange. The book makes use of XHTML, sosolid experience with XHTML or HTML isa must. Although this book covers manythings, it does not formally teach HTML orWeb-page design. Some CSS is sprinkledabout these pages but also not taught.Second, this book expects that you haveone of the following:nnnThe drive and ability to learn withoutmuch hand holding, or…Familiarity with another programminglanguage (even solid JavaScript skillswould qualify), or…A cursory knowledge of PHPMake no mistake: This book coversPHP and MySQL from A to Z, teachingeverything you’ll need to know to developreal-world Web sites, but particularly theearly chapters cover PHP at a quick pace.For this reason I recommend either someprogramming experience or a curiousand independent spirit when it comes tolearning new things. If you find that thematerial goes too quickly, you shouldprobably start off with the latest editionof my book PHP for the World Wide Web:Visual QuickStart Guide, which goes ata much more tempered pace.No database experience is required, sinceSQL and MySQL are discussed starting at amore basic level.What’s new in this editionThe first three editions of this book havebeen very popular, and I’ve received a lotof positive feedback on them (thanks!).In writing this new edition, I wanted todo more than just update the material forthe latest versions of PHP and MySQL,although that is an overriding considerationthroughout the book. Other new featuresyou’ll find are:nnnnnnnnNew examples demonstratingtechniques frequently requestedby readersEven more advanced MySQL and SQLinstruction and examplesA tutorial on using the jQueryJavaScript frameworkAn introduction to the fundamentalsand basic usage of Object-OrientedProgrammingEven more information and examplesfor improving the security of yourscripts and sitesExpanded and updated installation andconfiguration instructionsRemoval of outdated content (e.g.,things used in older versions of PHPor no longer applicable)A “Review and Pursue” section atthe end of each chapter, with reviewquestions and prompts for ways inwhich you can further expand yourknowledge based upon the informationjust coveredFor those of you that also own a previousedition (thanks, thanks, thanks!), I believethat these new features will also make thisedition a required fixture on your desk orbookshelf.xvi Introduction

How this book comparesto my other booksThis is my fourth PHP and/or MySQL title,after (in order)nnnPHP for the World Wide Web: VisualQuickStart GuidePHP 5 Advanced for the World WideWeb: Visual QuickPro GuideMySQL: Visual QuickStart GuideI hope this résumé implies a certain level ofqualification to write this book, but how doyou, as a reader standing in a bookstore,decide which title is for you? Of course,you are more than welcome to splurgeand buy the whole set, earning my eternalgratitude, but…The PHP for the World Wide Web: VisualQuickStart Guide book is very much abeginner’s guide to PHP. This title overlapsit some, mostly in the first three chapters,but uses new examples so as not to beredundant. For novices, this book acts as afollow-up to that one. The advanced bookis really a sequel to this one, as it assumesa fair amount of knowledge and buildsupon many things taught here. The MySQLbook focuses almost exclusively on MySQL(there are but two chapters that use PHP).With that in mind, read the section “Is thisbook for you?” and see if the requirementsapply. If you have no programming experienceat all and would prefer to be taughtPHP more gingerly, my first book wouldbe better. If you are already very comfortablewith PHP and want to learn more of itsadvanced capabilities, pick up the second.If you are most interested in MySQL andare not concerned with learning muchabout PHP, check out the third.That being said, if you want to learneverything you need to know to begindeveloping dynamic Web sites with PHPand MySQL today, then this is the book foryou! It references the most current versionsof both technologies, uses techniques notpreviously discussed in other books, andcontains its own unique examples.And whatever book you do choose, makesure you’re getting the most recent editionor, barring that, the edition that bestmatches the versions of the technologiesyou’ll be using.Introduction xvii

1Introductionto PHPAlthough this book focuses on using MySQLand PHP in combination, you’ll do a vastmajority of your legwork using PHP alone.In this and the following chapter, you’ll learnits basics, from syntax to variables, operators,and language constructs (conditionals,loops, and whatnot). At the same time youare picking up these fundamentals, you’llalso begin developing usable code thatyou’ll integrate into larger applications laterin the book.This introductory chapter will cruise throughmost of the basics of the PHP language.You’ll learn the syntax for coding PHP,how to send data to the Web browser, andhow to use two kinds of variables (stringsand numbers) plus constants. Some of theexamples may seem inconsequential, butthey’ll demonstrate ideas you’ll have tomaster in order to write more advancedscripts further down the line. The chapterconcludes with some quick debuggingtips…you know…just in case!in This ChapterBasic Syntax 2Sending Data to the Web Browser 6Writing Comments 10What Are Variables? 14Introducing Strings 18Concatenating Strings 21Introducing Numbers 23Introducing Constants 26Single vs. Double Quotation Marks 29Basic Debugging Steps 33Review and Pursue 34

Basic SyntaxAs stated in the book’s introduction, PHPis an HTML-embedded scripting language,meaning that you can intermingle PHPand HTML code within the same file. Soto begin programming with PHP, startwith a simple Web page. Script 1.1 is anexample of a no-frills, no-content XHTMLTransitional document, which will be usedas the foundation for most Web pagesin the book (this book does not formallydiscuss [X]HTML; see a resource dedicatedto the topic for more information). Pleasealso note that the template uses UTF-8encoding, a topic discussed in the sidebar.To add PHP code to a page, place it withinPHP tags:Script 1.1 A basic XHTML 1.0 Transitional Web page.1 2 3 4 5 Page Title6 7 8 9 10 understanding encodingEncoding is a huge subject, but what you most need to understand is this: the encoding youuse in a file dictates what characters can be represented (and therefore, what languagescan be used). To select an encoding, you must first confirm that your text editor or IntegratedDevelopment Environment (IDE)—whatever application you’re using to create the HTML and PHPscripts—can save documents using that encoding. Some applications let you set the encoding inthe preferences or options area; others set the encoding when you save the file.To indicate the encoding to the Web browser, there’s the corresponding meta tag:The charset=utf-8 part says that UTF-8 encoding is being used, short for 8-bit UnicodeTransformation Format. Unicode is a way of reliably representing every symbol in everyalphabet. Version 6 of Unicode—the current version at the time of this writing—supportsover 99,000 characters!If you want to create a multilingual Web page, UTF-8 is the way to go, and I’ll be using it in thisbook’s examples. You don’t have to, of course. But whatever encoding you do use, make sure thatthe encoding indicated by the XHTML page matches the actual encoding set in your text editor orIDE. If you don’t, you’ll likely see odd characters when you view the page in a Web browser.2 Chapter 1

Script 1.2 This first PHP script doesn’t do anything,but does demonstrate how a PHP script is written.It’ll also be used as a test script, prior to gettinginto elaborate PHP code.1 2 3 4 5 Basic PHP Page6 7 8 9 This is standard HTML.10 12 13 HTML5At the time of this writing, the next majorrelease of HTML—HTML5—is beingactively developed and discussed, butis not production ready, which is why Ichose not to use it in the book. In fact,I wouldn’t be surprised if HTML5 is stillnot released by the time I start the fifthedition of this book, and it will take evenlonger for broad browser adoption of thelanguage. Still, as HTML5 is an excitingfuture development, this book willoccasionally mention features you canexpect to see introduced and supportedover time.Anything written within these tags willbe treated by the Web server as PHP,meaning the PHP interpreter will processthe code. Any text outside of the PHP tagsis immediately sent to the Web browser asregular HTML. (Because PHP is most oftenused to create content displayed in theWeb browser, the PHP tags are normallyput somewhere within the page’s body.)Along with placing PHP code within PHPtags, your PHP files must have a properextension. The extension tells the serverto treat the script in a special way, namely,as a PHP page. Most Web servers use.html for standard HTML pages and .phpfor PHP files.Before getting into the steps, understandthat you must already have a working PHPinstallation! This could be on a hosted siteor your own computer, after following theinstructions in Appendix A, “Installation,”which is a free download from peachpit.com.To make a basic pHp script:1. Create a new document in your texteditor or IDE, to be named first.php(Script 1.2).It generally does not matter whatapplication you use, be it AdobeDreamweaver (a fancy IDE), TextMate(a great and popular Macintosh plaintexteditor), or vi (a plain-text Unixeditor, lacking a graphical interface).Still, some text editors and IDEs maketyping and debugging HTML andPHP easier (conversely, Notepad onWindows does some things that makescoding harder: don’t use Notepad!). Ifyou don’t already have an applicationyou’re attached to, search the Web oruse the book’s corresponding forum(www.LarryUllman.com/forums/) tofind one.continues on next pageIntroduction to PHP 3

2. Create a basic HTML document:Basic PHP PageThis is standard HTML.Although this is the syntax being usedthroughout the book, you can changethe HTML to match whichever standardyou intend to use (e.g., HTML 4.0Strict). Again, see a dedicated (X)HTMLresource if you’re unfamiliar with any ofthis HTML code.3. Before the closing body tag, insert thePHP tags:These are the formal PHP tags, alsoknown as XML-style tags. Although PHPsupports other tag types, I recommendthat you use the formal type, and I willdo so throughout this book.4. Save the file as first.php.Remember that if you don’t save the fileusing an appropriate PHP extension,the script will not execute properly.(Just one of the reasons not to useNotepad is that it will secretly add the.txt extension to PHP files, therebycausing many headaches.)5. Place the file in the proper directory ofyour Web server.If you are running PHP on your owncomputer (presumably after followingthe installation directions in Appendix A),you just need to move, copy, or save thefile to a specific folder on your computer.Check Appendix A or the documentationfor your particular Web server to identifythe correct directory, if you don’t alreadyknow what it is.If you are running PHP on a hostedserver (i.e., on a remote computer),you’ll need to use a File TransferProtocol (FTP) application to upload thefile to the proper directory. Your hostingcompany will provide you with accessand the other necessary information.6. Run first.php in your Web browser A.Because PHP scripts need to be parsedby the server, you absolutely mustaccess them via a URL (i.e., the addressin the browser must begin with http://).You cannot simply open them in yourWeb browser as you would a file in otherapplications (in which case the addresswould start with file:// or C:\ or the like).A While it seems like any other (simple)HTML page, this is in fact a PHP scriptand the basis for the rest of the examplesin the book.4 Chapter 1

If you are running PHP on your owncomputer, you’ll need to use a URLlike http://localhost/first.php,http://127.0.0.1/first.php, or http://localhost/~/first.php (on MacOS X, using your actual username for). If you are using a Web host, you’llneed to use http://your-domain-name/first.php (e. g., http://www.example.com/first.php).7. If you don’t see results like those in A,start debugging!Part of learning any programminglanguage is mastering debugging.It’s a sometimes-painful but absolutelynecessary process. With this firstexample, if you don’t see a simple,but perfectly valid, Web page, followthese steps:1. Confirm that you have a workingPHP installation (see Appendix A fortesting instructions).2. Make sure that you are running thescript through a URL. The address in theWeb browser must begin with http://. Ifit starts with file://, that’s a problem B.3. If you get a file not found (or similar)error, you’ve likely put the file in thewrong directory or mistyped the file’sname (either when saving it or in yourWeb browser).If you’ve gone through all this andare still having problems, turn tothe book’s corresponding forum(www.LarryUllman.com/forums/).To find more information about HTMLand XHTML, check out Elizabeth Castro’sexcellent book HTML, XHTML, and CSS, SixthEdition: Visual QuickStart Guide, (PeachpitPress, 2006) or search the Web.You can embed multiple sections of PHPcode within a single HTML document (i.e., youcan go in and out of the two languages). You’llsee examples of this throughout the book.Prior to UTF-8, ISO-8859-1 was one ofthe more commonly used encodings. It representsmost Western European languages. It’sstill the default encoding for many Web browsersand other applications.You can declare the encoding of an externalCSS file by adding @charset "utf-8"; asthe first line in the file. If you’re not using UTF-8,change the line accordingly.B PHP code will only be executed when run through http: //(not that this particular script is affected either way).Introduction to PHP 5

Sending Data tothe Web BrowserTo create dynamic Web sites with PHP,you must know how to send data to theWeb browser. PHP has a number of built-infunctions for this purpose, the most commonbeing echo and print. I personally tend tofavor echo:echo 'Hello, world!';echo "What's new?";You could use print instead, if you prefer(the name more obviously indicates whatit does):print 'Hello, world!';print "What's new?";As you can see from these examples, youcan use either single or double quotationmarks (but there is a distinction betweenthe two types of quotation marks, whichwill be made clear by the chapter’s end).The first quotation mark after the functionname indicates the start of the message tobe printed. The next matching quotationmark (i.e., the next quotation mark of thesame kind as the opening mark) indicatesthe end of the message to be printed.Along with learning how to send data tothe Web browser, you should also noticethat in PHP all statements—a line ofexecuted code, in layman’s terms—mustend with a semicolon. Also, PHP is caseinsensitivewhen it comes to functionnames, so ECHO, echo, eCHo, and so forthwill all work. The all-lowercase version iseasiest to type, of course.needing an escapeAs you might discover, one of thecomplications with sending data to theWeb involves printing single and doublequotation marks. Either of the followingwill cause errors:echo "She said, "How are you?"";echo 'I'm just ducky.';There are two solutions to this problem.First, use single quotation marks whenprinting a double quotation mark andvice versa:echo 'She said, "How are you?"';echo "I'm just ducky.";Or, you can escape the problematiccharacter by preceding it with abackslash:echo "She said, \"How are you?\"";echo 'I\'m just ducky.';An escaped quotation mark will merelybe printed like any other character.Understanding how to use the backslashto escape a character is an importantconcept, and one that will be covered inmore depth at the end of the chapter.6 Chapter 1

Script 1.3 Using print or echo, PHP can send datato the Web browser.1 2 3 4 5 Using Echo6 7 8 9 This is standard HTML.10 13 14 A The results still aren’t glamorous,but this page was in part dynamicallygenerated by PHP.To send data to the Web browser:1. Open first.php (refer to Script 1.2) inyour text editor or IDE.2. Between the PHP tags (lines 10 and 11),add a simple message (Script 1.3):echo 'This was generated using➝ PHP!';It truly doesn’t matter what messageyou type here, which function you use(echo or print), or which quotationmarks, for that matter—just be carefulif you are printing a single or doublequotation mark as part of your message(see the sidebar “Needing an Escape”).3. If you want, change the page title tobetter describe this script (line 5):Using EchoThis change only affects the browserwindow’s title bar.4. Save the file as second.php, place it inyour Web directory, and test it in yourWeb browser A.Remember that all PHP scripts must berun through a URL (http://something)!continues on next pageIntroduction to PHP 7

5. If necessary, debug the script.If you see a parse error instead of yourmessage B, check that you have bothopened and closed your quotationmarks and escaped any problematiccharacters (see the sidebar). Also becertain to conclude each statementwith a semicolon.If you see an entirely blank page, this isprobably for one of two reasons:> There is a problem with your HTML.Test this by viewing the source ofyour page and looking for HTMLproblems there C.> An error occurred, but display_errorsis turned off in your PHP configuration,so nothing is shown. In this case,see the section in Appendix A onhow to configure PHP so that youcan turn display_errors back on.B This may be the first of many parse errors yousee as a PHP programmer (this one is caused bythe omission of the terminating quotation mark).C One possible cause of a blank PHP page is asimple HTML error, like the closing title tag here(it’s missing the slash).Technically, echo and print arelanguage constructs, not functions. That beingsaid, don’t be flummoxed as I continue tocall them “functions” for convenience. Also,as you’ll see later in the book, I include theparentheses when referring to functions—say number_format( ), not just number_format—to help distinguish them fromvariables and other parts of PHP. This isjust my own little convention.D PHP can send HTML code (likethe formatting here) as well as simpletext A to the Web browser.You can, and often will, use echoand print to send HTML code to theWeb browser, like so D:echo 'Hello, world!';8 Chapter 1

Echo and print can both be used overmultiple lines:echo 'This sentence isprinted over two lines.';E Printing text and HTML over multiple PHP lineswill generate HTML source code that also extendsover multiple lines. Note that extraneous whitespacing in the HTML source will not affect the look ofa page F but can make the source easier to review.What happens in this case is that thereturn (created by pressing Enter or Return)becomes part of the printed message, whichisn’t terminated until the closing quotationmark. The net result will be the “printing”of the return in the HTML source code E.This will not have an effect on the generatedpage F. For more on this, see the sidebar“Understanding White Space.”F The return in the HTML source E hasno effect on the rendered result. The onlyway to alter the spacing of a displayed Webpage is to use HTML tags (like and ).understanding White SpaceWith PHP you send data (like HTML tags and text) to the Web browser, which will, in turn, render thatdata as the Web page the end user sees. Thus, what you are often doing with PHP is creating theHTML source of a Web page. With this in mind, there are three areas of notable white space (extraspaces, tabs, and blank lines): in your PHP scripts, in your HTML source, and in the rendered Web page.PHP is generally white space insensitive, meaning that you can space out your code however youwant to make your scripts more legible. HTML is also generally white space insensitive. Specifically,the only white space in HTML that affects the rendered page is a single space (multiplespaces still get rendered as one). If your HTML source has text on multiple lines, that doesn’t meanit’ll appear on multiple lines in the rendered page (E and F).To alter the spacing in a rendered Web page, use the HTML tags (line break, in older HTMLstandards) and (paragraph). To alter the spacing of the HTML source created with PHP, you can.Use echo or print over the course of several lines.or.Print the newline character (\n) within double quotation marks, which is equivalent to Enteror Return.Introduction to PHP 9

Writing CommentsCreating executable PHP code is onlya part of the programming process(admittedly, it’s the most important part).A secondary but still crucial aspect toany programming endeavor involvesdocumenting your code. In fact, whenI’m asked what qualities distinguish thebeginning programmer from the moreexperienced one, a good and thorough useof comments is my unwavering response.In HTML you can add comments usingspecial tags:HTML comments are viewable in the sourcebut do not appear in the rendered page(see E and F in the previous section).PHP comments are different in that theyaren’t sent to the Web browser at all,meaning they won’t be viewable to the enduser, even when looking at the HTML source.PHP supports three comment syntaxes. Thefirst uses the pound or number symbol (#):# This is a comment.The second uses two slashes:// This is also a com ment.Both of these cause PHP to ignoreeverything that follows until the end ofthe line (when you press Return or Enter).Thus, these two comments are for singlelines only. They are also often used toplace a comment on the same line assome PHP code:print 'Hello!'; // Say hello.A third style allows comments to run overmultiple lines:/* This is a longer commentthat spans two lines. */10 Chapter 1

Script 1.4 These basic comments demonstrate thethree comment syntaxes you can use in PHP.1 2 3 4 5 Comments6 7 8 Comments2. Add the initial PHP tag and write yourfirst comments:

3. Send some HTML to the Web browser:echo 'This is a line of➝ text.This is another line➝ of text.';It doesn’t matter what you do here, justmake something for the Web browser todisplay. For the sake of variety, the echostatement will print some HTML tags,including a line break () to add somespacing to the generated HTML page.4. Use the multiline comments to commentout a second echo statement:/*echo 'This line will not be➝ executed.';*/By surrounding any block of PHP codewith /* and */, you can render that codeinert without having to delete it from yourscript. By later removing the commenttags, you can reactivate that section ofPHP code.5. Add a final comment after a third echostatement:echo "Now I'm done.";➝ // End of PHP code.This last (superfluous) comment showshow to place a comment at the end ofa line, a common practice. Note thatdouble quotation marks surround thismessage, as single quotation markswould conflict with the apostrophe(see the “Needing an Escape” sidebar,earlier in the chapter).6. Close the PHP section and completethe HTML page:?>7. Save the file as comments.php, place itin your Web directory, and test it in yourWeb browser A.A The PHP comments in Script 1.4don’t appear in the Web page orthe HTML source B .12 Chapter 1

8. If you’re the curious type, check thesource code in your Web browser toconfirm that the PHP comments do notappear there B.You shouldn’t nest (place one insideanother) multiline comments (/* */). Doingso will cause problems.Any of the PHP comments can be usedat the end of a line (say, after a function call):echo 'Howdy'; /* Say 'Howdy' */Although this is allowed, it’s far less common.It’s nearly impossible to over-commentyour scripts. Always err on the side of writingtoo many comments as you code. That beingsaid, in the interest of saving space, the scriptsin this book will not be as well documented asI would suggest they should be.It’s also important that as you change ascript you keep the comments up-to-date andaccurate. There’s nothing more confusing thana comment that says one thing when the codereally does something else.B The PHP comments from Script 1.4 are nowhere to be seen in the client’s browser.Introduction to PHP 13

What Are Variables?Variables are containers used totemporarily store values. These valuescan be numbers, text, or much morecomplex data. PHP supports eight typesof variables. These include four scalar(single-valued) types—Boolean (TRUE orFALSE), integer, floating point (decimals),and strings (characters); two nonscalar(multivalued)—arrays and objects;plus resources (which you’ll see wheninteracting with databases) and NULL(which is a special type that has no value).Regardless of what type you are creating,all variable names in PHP follow certainsyntactical rules:nnnnA variable’s name must start with adollar sign ($), for example, $name.The variable’s name can containa combination of letters, numbers,and the underscore, for example,$my_report1.The first character after the dollar signmust be either a letter or an underscore(it cannot be a number).Variable names in PHP are casesensitive!This is a very important rule.It means that $name and $Name areentirely different variables.To begin working with variables, this nextscript will print out the value of threepredefined variables. Whereas a standardvariable is assigned a value during theexecution of a script, a predefined variablewill already have a value when the scriptbegins its execution. Most of thesepredefined variables reflect propertiesof the server as a whole, such as theoperating system in use.Before getting into this script, there aretwo more things you should know. First,variables can be assigned values using theequals sign (=), also called the assignmentoperator. Second, to display the value of avariable, you can print the variable withoutquotation marks:print $some_var;Or variables can be printed within doublequotation marks:print "Hello, $name";You cannot print variables within singlequotation marks:print 'Hello, $name'; // Won't work!14 Chapter 1

Script 1.5 This script prints three of PHP’s manypredefined variables.1 2 3 4 5 Predefined Variables6 7 8 25 26 To use variables:1. Begin a new PHP document inyour text editor or IDE, to be namedpredefined.php, starting with theinitial HTML (Script 1.5):Predefined Variables➝ 2. Add the opening PHP tag and thefirst comment:

3. Create a shorthand version of the firstvariable to be used in this script:$file = $_SERVER['SCRIPT_FILENAME'];This script will use three variables,each of which comes from the largerpredefined $_SERVER variable. $_SERVERrefers to a mass of server-relatedinformation. The first variable the scriptuses is $_SERVER['SCRIPT_FILENAME'].This variable stores the full path andname of the script being run (forexample, C:\Program Files\Apache\htdocs\predefined.php).The value stored in $_SERVER['SCRIPT_FILENAME'] will be assigned to the newvariable $file. Creating new variableswith shorter names and then assigningthem values from $_SERVER will makeit easier to refer to the variables whenprinting them. (It also gets around anotherissue you’ll learn about in due time.)4. Create a shorthand version of twomore variables:$user = $_SERVER['HTTP_USER_AGENT'];$server = $_SERVER➝ ['SERVER_SOFTWARE'];$_SERVER['HTTP_USER_AGENT'] representsthe Web browser and operating systemof the user accessing the script. Thisvalue is assigned to $user.$_SERVER['SERVER_SOFTWARE'] representsthe Web application on the server that’srunning PHP (e.g., Apache, Abyss, Xitami,IIS). This is the program that must beinstalled (see Appendix A) in order to runPHP scripts on that computer.5. Print out the name of the script being run:echo "You are running the➝ file:$file.\n";The first variable to be printed is $file.Notice that this variable must be usedwithin double quotation marks andthat the statement also makes use ofthe PHP newline character (\n), whichwill add a line break in the generatedHTML source. Some basic HTML tags—paragraph and bold—are added to givethe generated page a bit of flair.6. Print out the information of the useraccessing the script:echo "You are viewing this page➝ using:$user\n";This line prints the second variable,$user. To repeat what’s said in thefourth step, $user correlates to $_SERVER['HTTP_USER_AGENT'] and refersto the operating system, browser type,and browser version being used toaccess the Web page.7. Print out the server information:echo "This server is running:➝ $server.\n";8. Complete the PHP block and theHTML page:?>16 Chapter 1

9. Save the file as predefined.php, placeit in your Web directory, and test it inyour Web browser A.If you have problems with this, or anyother script, turn to the book’s correspondingWeb forum (www.LarryUllman.com/forums/) for assistance.If possible, run this script using a differentWeb browser and/or on another server B.Variable names cannot contain spaces.The underscore is commonly used in lieu ofa space.The most important considerationwhen creating variables is to use a consistentnaming scheme. In this book you’ll see thatI use all-lowercase letters for my variablenames, with underscores separating words($first_name). Some programmers preferto use capitalization instead: $FirstName(known as “camel-case” style).PHP is very casual in how it treats variables,meaning that you don’t need to initializethem (set an immediate value) or declare them(set a specific type), and you can convert a variableamong the many types without problem.A The predefined.php script reportsback to the viewer information about thescript, the Web browser being used toview it, and the server itself.B This is the book’s first truly dynamicscript, in that the Web page changesdepending upon the server running itand the Web browser viewing it (comparewith A ).Introduction to PHP 17

introducing StringsNow that you’ve been introduced to thegeneral concept of variables, let’s look atvariables in detail. The first variable type todelve into is the string. A string is merelya quoted chunk of characters: letters,numbers, spaces, punctuation, and soforth. These are all strings:nn‘Tobias’“In watermelon sugar”n ‘100’n ‘August 2, 2011’To make a string variable, assign a stringvalue to a valid variable name:$first_name = 'Tobias';$today = 'August 2, 2011';When creating strings, you can use eithersingle or double quotation marks toencapsulate the characters, just as youwould when printing text. Likewise, youmust use the same type of quotation markfor the beginning and the end of the string.If that same mark appears within the string,it must be escaped:$var = "Define \"platitude\", please.";Or you can also use the other quotationmark type:$var = 'Define "platitude", please.';To print out the value of a string, use eitherecho or print:echo $first_name;To print the value of string within a context,you must use double quotation marks:echo "Hello, $first_name";You’ve already worked with strings once—when using the predefined variables inthe preceding section (the values of thosevariables happened to be strings). In thisnext example, you’ll create and use yourown strings.18 Chapter 1

Script 1.6 String variables are created and theirvalues are sent to the Web browser in this script.1 2 3 4 5 Strings6 7 8 19 20 To use strings:1. Begin a new PHP document in your texteditor or IDE, to be named strings.php,starting with the initial HTML and includingthe opening PHP tag (Script 1.6):Strings

3. Add an echo statement:echo "The book $book➝ was written by $first_name➝ $last_name.";All this script does is print a statementof authorship based upon threeestablished variables. A little HTMLformatting (the emphasis on the book’stitle) is thrown in to make it moreattractive. Remember to use doublequotation marks here for the variablevalues to be printed out appropriately(more on the importance of doublequotation marks at the chapter’s end).4. Complete the PHP block and the HTMLpage:?>5. Save the file as strings.php, place it inyour Web directory, and test it in yourWeb browser A.6. If desired, change the values of thethree variables, save the file, and runthe script again B.A The resulting Web page is based upon printingout the values of three variables.B The output of the script is changed by alteringthe variables in it.If you assign another value to an existingvariable (say $book), the new value willoverwrite the old one. For example:$book = 'High Fidelity';$book = 'The Corrections';/* $book now has a value of'The Corrections'. */PHP has no set limits on how big a stringcan be. It’s theoretically possible that you’ll belimited by the resources of the server, but it’sdoubtful that you’ll ever encounter sucha problem.20 Chapter 1

Script 1.7 Concatenation gives you the ability toappend more characters onto a string.1 2 3 4 5 Concatenation6 7 8 21 22 Concatenating StringsConcatenation is like addition for strings,whereby characters are added to theend of the string. It is performed usingthe concatenation operator, which is theperiod (.):$city= 'Seattle';$state = 'Washington';$address = $city . $state;The $address variable now has the valueSeattleWashington, which almost achievesthe desired result (Seattle, Washington).To improve upon this, you could write$address = $city . ', ' . $state;so that a comma and a space areconcatenated to the variables as well.Because of how liberally PHP treatsvariables, concatenation is possible withstrings and numbers. Either of thesestatements will produce the same result(Seattle, Washington 98101):$address = $city . ', ' . $state .' 98101';$address = $city . ', ' . $state .' ' . 98101;Let’s modify strings.php to use thisnew operator.To use concatenation:1. Open strings.php (refer to Script 1.6) inyour text editor or IDE.2. After you’ve established the $first_name and $last_name variables (lines 11and 12), add this line (Script 1.7):$author = $first_name . ' ' .➝ $last_name;As a demonstration of concatenation, anew variable—$author—will be createdas the concatenation of two existingstrings and a space in between.continues on next pageIntroduction to PHP 21

3. Change the echo statement to use thisnew variable:echo "The book $book➝ was written by $author.";Since the two variables have beenturned into one, the echo statementshould be altered accordingly.4. If desired, change the HTML page titleand the values of the first name, lastname, and book variables.5. Save the file as concat.php, place it inyour Web directory, and test it in yourWeb browser A.PHP has a slew of useful string-specificfunctions, which you’ll see over the course ofthis book. For example, to calculate how longa string is (how many characters it contains),use strlen( ):$num = strlen('some string'); // 11You can have PHP convert the case ofstrings with: strtolower( ), which makesit entirely lowercase; strtoupper( ), whichmakes it entirely uppercase; ucfirst( ),which capitalizes the first character; anducwords( ), which capitalizes the first characterof every word.If you are merely concatenating onevalue to another, you can use the concatenationassignment operator (.=). The followingare equivalent:$title = $title . $subtitle;$title .= $subtitle;The initial example in this section couldbe rewritten using either$address = "$city, $state";or$address = $city;$address .= ', ';$address .= $state;A In this revised script, the end result ofconcatenation is not apparent to the user.using the pHp ManualThe PHP manual—accessible onlineat www.php.net/manual—lists everyfunction and feature of the language.The manual is organized with generalconcepts (installation, syntax, variables)discussed first and ends with thefunctions by topic (MySQL, stringfunctions, and so on).To quickly look up any function in thePHP manual, go to www.php.net/functionname in your Web browser(for example, www.php.net/print). Foreach function, the manual indicates:.The versions of PHP the function isavailable in..How many and what types ofarguments the function takes(optional arguments are wrappedin square brackets)..What type of value the functionreturns.The manual also contains a descriptionof the function.You should be in the habit of checkingout the PHP manual wheneveryou’re confused by a function, how it’sproperly used, or need to learn moreabout any feature of the language. It’salso critically important that you knowwhat version of PHP you’re running, asfunctions and other particulars of PHPdo change over time.22 Chapter 1

introducing numbersIn introducing variables, I stated thatPHP has both integer and floating-point(decimal) number types. In my experience,though, these two types can be classifiedunder the generic title numbers withoutlosing any valuable distinction (for the mostpart). Valid number-type variables in PHPcan be anything liken 8n 3.14n 10980843985n -4.2398508n 4.4e2Notice that these values are neverquoted—quoted numbers are stringswith numeric values—nor do they includecommas to indicate thousands. Also, anumber is assumed to be positive unless itis preceded by the minus sign (-).Along with the standard arithmetic operatorsyou can use on numbers (Table 1.1), thereare dozens of functions built into PHP. Twocommon ones are round( ) and number_format( ). The former rounds a decimal tothe nearest integer:$n = 3.14;$n = round ($n); // 3It can also round to a specified number ofdecimal places:$n = 3.142857;$n = round ($n, 3); // 3.143The number_format( ) function turns anumber into the more commonly writtenversion, grouped into thousands usingcommas:$n = 20943;$n = number_format ($n); // 20,943This function can also set a specifiednumber of decimal points:$n = 20943;$n = number_format ($n, 2); //20,943.00To practice with numbers, let’s writea mock-up script that performs thecalculations one might use in ane-commerce shopping cart.TABLe 1.1 Arithmetic OperatorsOperatorMeaning+ Addition- Subtraction* Multiplication/ Division% Modulus+ + Increment-- DecrementIntroduction to PHP 23

To use numbers:1. Begin a new PHP document in your texteditor or IDE, to be named numbers.php(Script 1.8):Numbers3 4 5 Numbers6 7 8 26 27 24 Chapter 1

4. Format the total:$total = number_format ($total, 2);The number_format( ) function willgroup the total into thousands andround it to two decimal places. Applyingthis function will properly format thecalculated value.5. Print the results:echo 'You are purchasing ' .➝ $quantity . ' widget(s) at➝ a cost of $' . $price . '➝ each. With tax, the total comes➝ to $' . $total . '.';The last step in the script is to print outthe results. The echo statement usesboth single-quoted text and concatenatedvariables in order to print out thefull combination of HTML, dollar signs,and variable values. You’ll see an alternativeapproach in the last example ofthis chapter.6. Complete the PHP code and theHTML page:?>7. Save the file as numbers.php, place it inyour Web directory, and test it in yourWeb browser A.8. If desired, change the initial threevariables and rerun the script B.PHP supports a maximum integerof around two billion on most platforms.With numbers larger than that, PHP willautomatically use a floating-point type.When dealing with arithmetic, the issueof precedence arises (the order in which complexcalculations are made). While the PHPmanual and other sources tend to list out thehierarchy of precedence, I find programmingto be safer and more legible when I groupclauses in parentheses to force the executionorder (see line 17 of Script 1.8).Computers are notoriously poor atdealing with decimals. For example, the number2.0 may actually be stored as 1.99999.Most of the time this won’t be a problem,but in cases where mathematical precision isparamount, rely on integers, not decimals. ThePHP manual has information on this subject,as well as alternative functions for improvingcomputational accuracy.Many of the mathematical operators alsohave a corresponding assignment operator,letting you create a shorthand for assigningvalues. This line,$total = $total + ($total * $taxrate);could be rewritten as$total += ($total * $taxrate);If you set a $price value without usingtwo decimals (e.g., 119.9 or 34), you wouldwant to apply number_format( ) to $pricebefore printing it.A The numbers PHP page (Script 1.8) performscalculations based upon set values.B To change the generated Web page, alter anyor all of the three variables (compare with A ).Introduction to PHP 25

introducing ConstantsConstants, like variables, are used totemporarily store a value, but otherwise,constants and variables differ in manyways. For starters, to create a constant,you use the define( ) function insteadof the assignment operator (=):define ('NAME', value);Notice that, as a rule of thumb, constantsare named using all capitals, although thisis not required. Most importantly, constantsdo not use the initial dollar sign as variablesdo (because constants are not variables).A constant can only be assigned a scalarvalue, like a string or a number:define ('USERNAME', 'troutocity');define ('PI', 3.14);And unlike variables, a constant’s valuecannot be changed.To access a constant’s value, like when youwant to print it, you cannot put the constantwithin quotation marks:echo "Hello, USERNAME"; // Won't work!With that code, PHP literally prints Hello,USERNAME A and not the value of theUSERNAME constant (because there’s noindication that USERNAME is anything otherthan literal text). Instead, either print theconstant by itself:echo 'Hello, ';echo USERNAME;or use the concatenation operator:echo 'Hello, ' . USERNAME;PHP runs with several predefinedconstants, much like the predefinedvariables used earlier in the chapter. Theseinclude PHP_VERSION (the version of PHPrunning) and PHP_OS (the operating systemof the server). This next script will printthose two values, along with the value ofa user-defined constant.A Constants cannot be placedwithin quoted strings.26 Chapter 1

Script 1.9 Constants are another temporarystorage tool you can use in PHP, distinctfrom variables.1 2 3 4 5 Constants6 7 8

4. Complete the PHP code and theHTML page:?>5. Save the file as constants.php, place itin your Web directory, and test it in yourWeb browser B.B By making use of PHP’s constants, you canlearn more about your PHP setup.If possible, run this script on anotherPHP-enabled server C.The operating system called Darwin Bis the technical term for Mac OS X.In Chapter 12, “Cookies and Sessions,”you’ll learn about another constant, SID(which stands for session ID).C Running the same script (refer toScript 1.9) on different servers garnersdifferent results.28 Chapter 1

Single vs. DoubleQuotation MarksIn PHP it’s important to understand howsingle quotation marks differ from doublequotation marks. With echo and print, orwhen assigning values to strings, you canuse either, as in the examples used so far.But there is a key difference between thetwo types of quotation marks and whenyou should use which. You’ve seen thisdifference already, but it’s an importantenough concept to merit more discussion.In PHP, values enclosed within singlequotation marks will be treated literally,whereas those within double quotationmarks will be interpreted. In other words,placing variables and special characters(Table 1.2) within double quotes will resultin their represented values printed, nottheir literal values. For example, assumethat you have$var = 'test';The code echo "var is equal to $var";will print out var is equal to test, but thecode echo 'var is equal to $var'; willprint out var is equal to $var. Using anescaped dollar sign, the code echo "\$varis equal to $var"; will print out $varis equal to test, whereas the code echo'\$var is equal to $var'; will print out\$var is equal to $var A.As these examples should illustrate,double quotation marks will replace avariable’s name ($var) with its value (test)and a special character’s code (\$) withits represented value ($). Single quoteswill always display exactly what you type,except for the escaped single quote (\')and the escaped backslash (\\), which areprinted as a single quotation mark and asingle backslash, respectively.As another example of how the twoquotation marks differ, let’s modify thenumbers.php script as an experiment.TABLe 1.2 Escape SequencesCodeMeaning\" Double quotation mark\'Single quotation mark\\ Backslash\n Newline\r Carriage return\t Tab\$ Dollar signA How single and double quotation marks affectwhat gets printed by PHP.Introduction to PHP 29

To use single and doublequotation marks:1. Open numbers.php (refer to Script 1.8)in your text editor or IDE.2. Delete the existing echo statement(Script 1.10).3. Print a caption and then rewrite theoriginal echo statement using doublequotation marks:echo "Using double quotation➝ marks:";echo "You are purchasing➝ $quantity widget(s) at➝ a cost of \$$price each.➝ With tax, the total comes to➝ \$$total.\n";In the original script, the results wereprinted using single quotation marksand concatenation. The same result canbe achieved using double quotationmarks. When using double quotationmarks, the variables can be placedwithin the string.There is one catch, though: trying toprint a dollar amount as $12.34 (where12.34 comes from a variable) wouldsuggest that you would code $$var.That will not work (for complicatedreasons). Instead, escape the initialdollar sign, resulting in \$$var, as yousee twice in this code. The first dollarsign will be printed, and the secondbecomes the start of the variable name.Script 1.10 This, the final script in the chapter,demonstrates the differences between usingsingle and double quotation marks.1 2 3 4 5 Quotation Marks6 7 8 31 32 30 Chapter 1

4. Repeat the echo statements, this timeusing single quotation marks:echo 'Using single quotation➝ marks:';echo 'You are purchasing➝ $quantity widget(s) at➝ a cost of \$$price each.➝ With tax, the total comes to➝ \$$total.\n';This echo statement is used to highlightthe difference between using single ordouble quotation marks. It will not workas desired, and the resulting page willshow you exactly what does happeninstead.5. If you want, change the page’s title.6. Save the file as quotes.php, place it inyour Web directory, and test it in yourWeb browser B.7. View the source of the Web page tosee how using the newline character(\n) within each quotation mark typealso differs.You should see that when you placethe newline character within doublequotation marks it creates a newlinein the HTML source. When placedwithin single quotation marks, the literalcharacters \ and n are printed instead.Because PHP will attempt to findvariables within double quotation marks, usingsingle quotation marks is theoretically faster.If you need to print the value of a variable,though, you must use double quotation marks.As valid HTML often includes a lot ofdouble-quoted attributes, it’s often easiestto use single quotation marks when printingHTML with PHP:echo '';If you were to print out this HTML usingdouble quotation marks, you would have toescape all of the double quotation marks inthe string:echo "";In newer versions of PHP, you can actuallyuse $$price and $$total without precedingthem with a backslash (thanks to someinternal magic). In older versions of PHP, youcannot. To guarantee reliable results, regardlessof PHP version, I recommend using the\$$var syntax when you need to print a dollarsign immediatelyfollowed by the value of a variable.If you’re still unclear as to the differencebetween the types, use double quotationmarks and you’re less likely to have problems.B These results demonstratewhen and how you’d use onetype of quotation mark asopposed to the other.Introduction to PHP 31

Basic Debugging StepsDebugging is by no means a simpleconcept to grasp, and unfortunately, it’sone that is only truly mastered by doing.The next 50 pages could be dedicated tothe subject and you’d still only be able topick up a fraction of the debugging skillsthat you’ll eventually acquire and need.The reason I introduce debugging inthis somewhat harrowing way is that it’simportant not to enter into programmingwith delusions. Sometimes code won’twork as expected, you’ll inevitably createcareless errors, and some days you’ll wantto pull your hair out, even when using acomparatively user-friendly language suchas PHP. In short, prepare to be perplexedand frustrated at times. I’ve been codingin PHP since 1999, and occasionally I stillget stuck in the programming muck. Butdebugging is a very important skill to have,and one that you will eventually pick upout of necessity and experience. As youbegin your PHP programming adventure, Ican offer the following basic but concretedebugging tips.Note that these are just some generaldebugging techniques, specificallytailored to the beginning PHP programmer.Chapter 8, “Error Handling andDebugging,” goes into other techniquesin more detail.32 Chapter 1

To debug a pHp script:nnnMake sure you’re always running PHPscripts through a URL!This is perhaps the most commonbeginner’s mistake. PHP code must berun through the Web server application,which means it must be requested viahttp://something. When you see actualPHP code instead of the result of thatcode’s execution, most likely you’re notrunning the PHP script through a URL.Know what version of PHP you’rerunning.Some problems will arise from theversion of PHP in use. Before you everuse any PHP-enabled server, run aphpinfo.php script (see Appendix A) orreference the PHP_VERSION constant toconfirm the version of PHP in use.Make sure display_errors is on.This is a basic PHP configuration setting(also discussed in Appendix A). Youcan confirm this setting by executingthe phpinfo( ) function (just use yourbrowser to search for display_errorsin the resulting page). For securityreasons, PHP may not be set to displaythe errors that occur. If that’s the case,you’ll end up seeing blank pageswhen problems occur. To debug mostproblems, you’ll need to see the errors,so turn this setting on while you’relearning. You’ll find instructions fordoing so in Appendix A.nnnCheck the HTML source code.Sometimes the problem is hidden inthe HTML source of the page. In fact,sometimes the PHP error message canbe hidden there!Trust the error message.Another very common beginner’smistake is to not fully read or trust theerror that PHP reports. Although an errormessage can often be cryptic and mayseem meaningless, it can’t be ignored.At the very least, PHP is normally correctas to the line on which the problem canbe found. And if you need to relay thaterror message to someone else (likewhen you’re asking me for help), doinclude the entire error message!Take a break!So many of the programming problemsI’ve encountered over the years, and thevast majority of the toughest ones, havebeen solved by stepping away from thecomputer for a while. It’s easy to getfrustrated and confused, and in suchsituations, any further steps you take arelikely to only make matters worse.Introduction to PHP 33

Review and pursueNew in this edition of the book, eachchapter ends with a “Review andPursue” section. In these sections you’llfind questions regarding the materialjust covered and prompts for ways toexpand your knowledge and experienceon your own. If you have any problemswith these sections, either in answeringthe questions or pursuing your ownendeavors, turn to the book’s supportingforum (www.LarryUllman.com/forums/).ReviewnnnnnnnnnWhat tags are used to surroundPHP code?What extension should a PHP file have?What does a page’s encoding refer to?What impact does the encoding haveon the page?What PHP functions, or languageconstructs, can you use to send data tothe Web browser?How does using single versus doublequotation marks differ in creating orprinting strings?What does it mean to escape acharacter in a string?What are the three comment syntaxesin PHP? Which one can be used overmultiple lines?What character do all variable namesbegin with? What characters can comenext? What other characters can beused in a variable’s name?Are variable names case-sensitive orcase-insensitive?nnnnWhat is the assignment operator?How do you create a string variable?What is the concatenation operator?What is the concatenation assignmentoperator?How are constants defined and used?pursuennnnnnIf you don’t already know—for certain—what version of PHP you’re running,check now.Look up one of the mentioned stringfunctions in the PHP manual. Thencheck out some of the other availablestring functions listed therein.Look up one of the mentioned numberfunctions in the PHP manual. Thencheck out some of the other availablenumber functions listed therein.Search the PHP manual for the$_SERVER variable to see what otherinformation it contains.Create a new script, from scratch,that defines and displays the valuesof some string variables. Use doublequotation marks in the echo or printstatement that outputs the values. Foradded complexity include some HTMLin the output. Then rewrite the scriptso that it uses single quotation marksand concatenation instead of doublequotation marks.Create a new script, from scratch, thatdefines, manipulates, and displays thevalues of some numeric variables.34 Chapter 1

2Programmingwith PHPNow that you have the fundamentals ofthe PHP scripting language down, it’s timeto build on those basics and start trulyprogramming. In this chapter you’ll begincreating more elaborate scripts while stilllearning some of the standard constructs,functions, and syntax of the language.You’ll start by creating an HTML form,and then learn how you can use PHP tohandle the submitted values. From there,the chapter covers conditionals and theremaining operators (Chapter 1, “Introductionto PHP,” presented the assignment,concatenation, and mathematical operators),arrays (another variable type), andone last language construct, loops.in This ChapterCreating an HTML Form 36Handling an HTML Form 41Conditionals and Operators 45Validating Form Data 49Introducing Arrays 54For and While Loops 69Review and Pursue 72

Creating anHTML FormHandling an HTML form with PHP isperhaps the most important process in anydynamic Web site. Two steps are involved:first you create the HTML form itself, andthen you create the corresponding PHPscript that will receive and process theform data.It is outside the realm of this book to gointo HTML forms in any detail, but I willlead you through one quick example sothat it may be used throughout the chapter.If you’re unfamiliar with the basics of anHTML form, including the various types ofelements, see an HTML resource for moreinformation.An HTML form is created using the formtags and various elements for taking input.The form tags look likeIn terms of PHP, the most importantattribute of your form tag is action, whichdictates to which page the form data willbe sent. The second attribute—method—has its own issues (see the “Choosing aMethod” sidebar), but post is the valueyou’ll use most frequently.The different inputs—be they text boxes,radio buttons, select menus, check boxes,etc.—are placed within the opening andclosing form tags. As you’ll see in the nextsection, what kinds of inputs your form hasmakes little difference to the PHP scripthandling it. You should, however, payattention to the names you give your forminputs, as they’ll be of critical importancewhen it comes to your PHP code.Choosing a MethodThe method attribute of a form dictateshow the data is sent to the handlingpage. The two options—get and post—refer to the HTTP (HyperText TransferProtocol) method to be used. The GETmethod sends the submitted data to thereceiving page as a series of name-valuepairs appended to the URL. For example,http://www.example.com/script.php?➝ name=Homer&gender=M&age=35The benefit of using the GET methodis that the resulting page can bebookmarked in the user’s Web browser(since it’s a complete URL). For thatmatter, you can also click Back in yourWeb browser to return to a GET page,or reload it without problems (none ofwhich is true for POST). But there is a limitin how much data can be transmitted viaGET, and this method is less secure (sincethe data is visible).Generally speaking, GET is used forrequesting information, like a particularrecord from a database or the results ofa search (searches almost always useGET). The POST method is used whenan action is expected: the updating ofa database record or the sending of anemail. For these reasons I will primarilyuse POST throughout this book, withnoted exceptions.36 Chapter 2

Script 2.1 This simple HTML form will be used forseveral of the examples in this chapter.1 2 3 4 5 Simple HTML Form6 7 label {8 font-weight: bold;9 color: #300ACC;10 }11 12 13 14 1516 1718 Enter yourinformation in the form below:1920 Name: 2122 Email Address: 2324 Gender: Male Female2526 Age:27 28 Under 3029 Between 30and 60code continues on next pageTo create an HTML form:1. Begin a new HTML document inyour text editor or IDE, to be namedform.html (Script 2.1):Simple HTML Formlabel {font-weight: bold;color: #300ACC;}The document uses the same basicsyntax for an HTML page as in theprevious chapter. I have added someinline CSS (Cascading Style Sheets)in order to style the form slightly(specifically, making label elementsbold and blue).CSS is the preferred way to handlemany formatting and layout issues in anHTML page. You’ll see a little bit of CSShere and there in this book; if you’re notfamiliar with the subject, check out adedicated CSS reference.Finally, an HTML comment indicates thefile’s name and number.continues on next pageProgramming with PHP 37

2. Add the initial form tag:Since the action attribute dictatesto which script the form data will go,you should give it an appropriatename (handle_form to correspondwith this page: form.html) and the.php extension (since a PHP scriptwill handle this form’s data).3. Begin the HTML form:Enter your➝ information in the form below:➝ I’m using the fieldset and legendHTML tags because I like the way theymake the HTML form look (they add abox around the form with a title at thetop). This isn’t pertinent to the formitself, though.4. Add two text inputs:Name: Email Address: ➝ These are just simple text inputs,allowing the user to enter their nameand email address A. In case youare wondering, the extra space andslash at the end of each input’s tag arerequired for valid XHTML. With standardHTML, these tags would conclude withmaxlength="40"> instead. The labeltags just tie each textual label to theassociated element.Script 2.1 continued30 Over 6031 3233 Comments: 3435 3637 3839 4041 42 A Two text inputs.38 Chapter 2

B If multiple radio buttonshave the same name value,only one can be selectedby the user.C The pull-down menuoffers three options, ofwhich only one can beselected (in this example).D The textarea form element type allows for lotsand lots of text.5. Add a pair of radio buttons:Gender:➝ Male➝ FemaleThe radio buttons B both have thesame name, meaning that only one ofthe two can be selected. They havedifferent values, though.6. Add a pull-down menu:Age:Under 30➝ Between➝ 30 and 60Over 60➝ The select tag starts the pull-downmenu, and then each option tagwill create another line in the list ofchoices C.7. Add a text box for comments:Comments: Textareas are different from text inputs;they are presented as a box D, not asa single line. They allow for much moreinformation to be typed and are usefulfor taking user comments.continues on next pageProgramming with PHP 39

8. Complete the form:The first tag closes the fieldset thatwas opened in Step 3. Then a submitbutton is created and centered usinga p tag. Finally, the form is closed.9. Complete the HTML page:10. Save the file as form.html, place it inyour Web directory, and view it in yourWeb browser E.E The complete form, which requests some basicinformation from the user.Since this page contains just HTML, ituses an .html extension. It could instead usea .php extension without harm (since codeoutside of the PHP tags is treated as HTML).You can specify the encoding to acceptin an HTML form tag, too:By default, a Web page will use the sameencoding as the page itself for any submitteddata.40 Chapter 2

Handling anHTML FormNow that the HTML form has been created,it’s time to write a bare-bones PHP scriptto handle it. To say that this script will behandling the form means that the PHPpage will do something with the datait receives (which is the data the userentered into the form). In this chapter, thescripts will simply print the data back tothe Web browser. In later examples, formdata will be stored in a MySQL database,compared against previously storedvalues, sent in emails, and more.The beauty of PHP—and what makes itso easy to learn and use—is how well itinteracts with HTML forms. PHP scriptsstore the received information in specialvariables. For example, say you have aform with an input defined like so:Whatever the user types into that input willbe accessible via a PHP variable named$_REQUEST['city']. It is very importantthat the spelling and capitalizationmatch exactly! PHP is case-sensitivewhen it comes to variable names, so$_REQUEST['city'] will work, but $_Request['city'] and $_REQUEST['City']will have no value.This next example will be a PHP scriptthat handles the already-created HTMLform (Script 2.1). This script will assignthe form data to new variables (to beused as shorthand, just like in Script 1.5,predefined.php). The script will then printthe received values.Programming with PHP 41

To handle an HTML form:1. Begin a new PHP document in yourtext editor or IDE, to be namedhandle_form.php starting with theHTML (Script 2.2):Form Feedback2. Add the opening PHP tag and createa shorthand version of the form datavariables:3 4 5 Form Feedback6 7 8 26 27 TABLe 2.1 Form Elements to PHP VariablesElement NamenameemailcommentsagegendersubmitVariable Name$_REQUEST['name']$_REQUEST['email']$_REQUEST['comments']$_REQUEST['age']$_REQUEST['gender']$_REQUEST['submit']42 Chapter 2

A To test handle_form.php, you must load theform through a URL, then fill it out and submit it.B The script should display results like this.At this point, you won’t make use of theage, gender, and submit form elements.3. Print out the received name, email, andcomments values:echo "Thank you, $name,➝ for the following comments:$commentsWe will reply to you at➝ $email.\n";The submitted values are simply printedout using the echo statement, doublequotation marks, and a wee bit of HTMLformatting.4. Complete the page:?>5. Save the file as handle_form.php andplace it in the same Web directory asform.html.6. Test both documents in your Webbrowser by loading form.html througha URL (http://something) and then fillingout A and submitting the form B.Because the PHP script must be runthrough a URL (see Chapter 1), theform must also be run through a URL.Otherwise, when you go to submit theform, you’ll see PHP code C insteadof the proper result B.C If you see the PHP code after submitting theform, the problem is likely that you did not accessthe form through a URL.Programming with PHP 43

$_REQUEST is a special variable type,known as a superglobal. It stores all of thedata sent to a PHP page through eitherthe GET or POST method, as well as dataaccessible in cookies. Superglobals will bediscussed later in the chapter.If you have any problems with this script,apply the debugging techniques suggested inChapter 1. If you still can’t solve the problem,check out the extended debugging techniqueslisted in Chapter 8, “Error Handling andDebugging.” If you’re still stymied, turn tothe book’s supporting forum for assistance(www.LarryUllman.com/forums/).If the PHP script shows blank spaceswhere a variable’s value should have beenprinted, it means that the variable has novalue. The two most likely causes are: youfailed to enter a value in the form; or you misspelledor mis-capitalized the variable’s name.If you see any Undefined variable: variablenameerrors, this is because the variablesyou refer to have no value and PHP is seton the highest level of error reporting. Theprevious tip provides suggestions as to whya variable wouldn’t have a value. Chapter 8discusses error reporting in detail.To see how PHP handles the different forminput types, print out the $_REQUEST['age']and $_REQUEST['gender'] values D.D The values of gender and age correspond tothose defined in the form’s HTML.Magic QuotesEarlier versions of PHP had a featurecalled Magic Quotes, which has sincebeen deprecated and will eventually beremoved entirely. Magic Quotes—whenenabled—automatically escapes singleand double quotation marks found insubmitted form data (there were actuallythree kinds of Magic Quotes, but thisone kind is most important here). As anexample, Magic Quotes would turn thestring I’m going out into I\’m going out.The escaping of potentially problematiccharacters can be useful and even necessaryin some situations. But if MagicQuotes are enabled on your PHP installation,you’ll see these backslashes whenthe PHP script prints out the form data.You can undo the effect of Magic Quotesusing the stripslashes( ) function:$var = stripslashes($var);This function will remove any backslashesfound in $var. This will have the result ofturning an escaped submitted string backto its original, non-escaped value.To use this in handle_form.php(Script 2.2), you would write:$name = stripslashes($_REQUEST➝ ['name']);If you’re not seeing backslashes addedto your form data, then you don’t need toworry about Magic Quotes.44 Chapter 2

Conditionals andoperatorsPHP’s three primary terms for creatingconditionals are if, else, and elseif (whichcan also be written as two words, else if).Every conditional begins with an if clause:if (condition) {// Do something!}An if can also have an else clause:if (condition) {// Do something!} else {// Do something else!}TABLe 2.2 Comparative and Logical OperatorsSymbol Meaning Type Example= = is equal to comparison $x = = $y!= is notequal tocomparison $x != $y< less than comparison $x < $y> greaterthan< = less thanor equal to> = greaterthan orequal tocomparison $x > $ycomparison $x = $y! not logical !$x&& and logical $x && $yAND and logical $x and $y|| or logical $x || $yOR or logical $x or $yXOR and not logical $x XOR $yAn elseif clause allows you to add moreconditions:if (condition1) {// Do something!} elseif (condition2) {// Do something else!} else {// Do something different!}If a condition is true, the code in thefollowing curly braces ({}) will beexecuted. If not, PHP will continue on.If there is a second condition (after anelseif), that will be checked for truth.The process will continue—you can useas many elseif clauses as you want—until PHP hits an else, which will beautomatically executed at that point, oruntil the conditional terminates without anelse. For this reason, it’s important that theelse always come last and be treated asthe default action unless specific criteria—the conditions—are met.A condition can be true in PHP for anynumber of reasons. To start, these aretrue conditions:n $var, if $var has a value other than 0,an empty string, FALSE, or NULLnnisset($var), if $var has any valueother than NULL, including 0, FALSE,or an empty stringTRUE, true, True, etc.In the second example, a new function,isset( ), is introduced. This functionchecks if a variable is “set,” meaning thatit has a value other than NULL (as areminder, NULL is a special type in PHP,representing no set value). You can alsouse the comparative and logical operators(Table 2.2) in conjunction with parenthesesto make more complicated expressions.Programming with PHP 45

To use conditionals:1. Open handle_form.php (refer toScript 2.2) in your text editor or IDE,if it is not already.2. Before the echo statement, add a conditionalthat creates a $gender variable(Script 2.3):if (isset($_REQUEST['gender'])) {$gender = $_REQUEST['gender'];} else {$gender = NULL;}This is a simple and effective way tovalidate a form input (particularly a radiobutton, check box, or select). If the userchecks either gender radio button,then $_REQUEST['gender'] will havea value, meaning that the conditionisset($_REQUEST['gender']) is true.In such a case, the shorthand versionof this variable—$gender—is assignedthe value of $_REQUEST['gender'],repeating the technique used with$name, $email, and $comments. If theuser does not click one of the radiobuttons, then this condition is not true,and $gender is assigned the value ofNULL, indicating that it has no value.Notice that NULL is not in quotes.Script 2.3 In this remade version of handle_form.php, two conditionals are used to validate thegender radio buttons.1 2 3 4 5 Form Feedback6 7 8 37 38 46 Chapter 2

A The gender-based conditional prints a differentmessage for each choice in the form.B The same script will produce different salutations(compare with A ) when the gender value changes.C If no gender was selected, a message isprinted indicating the oversight to the user.3. After the echo statement, add anotherconditional that prints a message basedupon $gender’s value:if ($gender = = 'M') {echo 'Good day, Sir!➝ ';} elseif ($gender = = 'F') {echo 'Good day, Madam!➝ ';} else {echo 'You forgot to enter➝ your gender!';}This if-elseif-else conditional looksat the value of the $gender variableand prints a different message foreach possibility. It’s very important toremember that the double equals sign(= =) means equals, whereas a singleequals sign (=) assigns a value. Thedistinction is important because thecondition $gender = = 'M' may or maynot be true, but $gender = 'M' willalways be true.Also, the values used here—M andF—must be exactly the same as thosein the HTML form (the values foreach radio button). Equality is a casesensitivecomparison with strings,so m will not equal M.4. Save the file, place it in your Web directory,and test it in your Web browser A,B, and C.Programming with PHP 47

Although PHP has no strict formattingrules, it’s standard procedure and goodprogramming form to make it clear when oneblock of code is a subset of a conditional.Indenting the block is the norm.You can—and frequently will—nestconditionals (place one inside another).The first conditional in this script (theisset( )) is a perfect example of how to usea default value. The assumption (the else) isthat $gender has a NULL value unless the onecondition is met: that $_REQUEST['gender']is set.The curly braces used to indicate thebeginning and end of a conditional are notrequired if you are executing only one statement.I would recommend that you almostalways use them, though, as a matter ofclarity.Both and and or have two representativeoperators, with slight, technical differencesbetween them. For no particular reason, I tendto use && and || instead of AND and OR.XOR is called the exclusive or operator.The conditional $x XOR $y is true if $x is trueor if $y is true, but not both.SwitchPHP has another type of conditional,called the switch, best used in place ofa long if-elseif-else conditional. Thesyntax of switch isswitch ($variable) {case 'value1':// Do this.break;case 'value2':// Do this instead.break;default:// Do this then.break;}The switch conditional compares thevalue of $variable to the differentcases. When it finds a match, the followingcode is executed, up until the break.If no match is found, the default is executed,assuming it exists (it’s optional).The switch conditional is limited in itsusage in that it can only check a variable’svalue for equality against certaincases; more complex conditions cannotbe easily checked.48 Chapter 2

Validating Form DataA critical concept related to handlingHTML forms is that of validating form data.In terms of both error management andsecurity, you should absolutely never trustthe data being submitted by an HTML form.Whether erroneous data is purposefullymalicious or just unintentionally inappropriate,it’s up to you—the Web architect—to test it against expectations.Validating form data requires the use ofconditionals and any number of functions,operators, and expressions. One standardfunction to be used is isset( ), which testsif a variable has a value (including 0, FALSE,or an empty string, but not NULL). You sawan example of this in the preceding script.One issue with the isset( ) function is thatan empty string tests as true, meaning thatisset( ) is not an effective way to validatetext inputs and text boxes from an HTML form.To check that a user typed something intotextual elements, you can use the empty( )function. It checks if a variable has an emptyvalue: an empty string, 0, NULL, or FALSE.The first aim of form validation is seeing ifsomething was entered or selected in formelements. The second goal is to ensure thatsubmitted data is of the right type (numeric,string, etc.), of the right format (like an emailaddress), or a specific acceptable value (like$gender being equal to either M or F ).As handling forms is a main use of PHP,validating form data is a point that will bere-emphasized time and again in subsequentchapters. But first, let’s create a new handle_form.php to make sure variables have valuesbefore they’re referenced (there will beenough changes in this version that simplyupdating Script 2.3 doesn’t make sense).To validate your forms:1. Begin a new PHP script in yourtext editor or IDE, to be namedhandle_form.php starting withthe initial HTML (Script 2.4):continues on page 50Script 2.4 Validating HTML form data before you use it is critical to Web security and achieving professionalresults. Here, conditionals check that every referenced form element has a value.1 2 3 4 5 Form Feedback6 7 .error {8 font-weight: bold;9 color: #C00;10 }11 12 13 14

Script 2.4 continued16 // Validate the name:17 if (!empty($_REQUEST['name'])) {18 $name = $_REQUEST['name'];19 } else {20 $name = NULL;21 echo 'You forgot to enter your name!';22 }2324 // Validate the email:25 if (!empty($_REQUEST['email'])) {26 $email = $_REQUEST['email'];27 } else {28 $email = NULL;29 echo 'You forgot to enter your email address!';30 }3132 // Validate the comments:33 if (!empty($_REQUEST['comments'])) {34 $comments = $_REQUEST['comments'];35 } else {36 $comments = NULL;37 echo 'You forgot to enter your comments!';38 }3940 // Validate the gender:41 if (isset($_REQUEST['gender'])) {4243 $gender = $_REQUEST['gender'];4445 if ($gender = = 'M') {46 echo 'Good day, Sir!';47 } elseif ($gender = = 'F') {48 echo 'Good day, Madam!';49 } else { // Unacceptable value.50 $gender = NULL;51 echo 'Gender should be either "M" or "F"!';52 }5354 } else { // $_REQUEST['gender'] is not set.55 $gender = NULL;56 echo 'You forgot to select your gender!';57 }5859 // If everything is OK, print the message:60 if ($name && $email && $gender && $comments) {6162 echo "Thank you, $name, for the following comments:63 $comments64 We will reply to you at $email.\n";6566 } else { // Missing form value.67 echo 'Please go back and fill out the form again.';68 }6970 ?>71 72 50 Chapter 2

Form Feedback2. Within the HTML head, add someCSS code:.error {font-weight: bold;color: #C00;}This code defines one CSS class, callederror. Any HTML element that has thisclass name will be formatted in a bold,red color (which will be more apparentin your Web browser than in this blackand-whitebook).3. In PHP block, check if the name wasentered:if (!empty($_REQUEST['name'])) {$name = $_REQUEST['name'];} else {$name = NULL;echo 'You➝ forgot to enter your name!';}A simple way to check that a form textinput was filled out is to use the empty( )function. If $_REQUEST['name'] has avalue other than an empty string, 0,NULL, or FALSE, assume that their namewas entered and a shorthand variable isassigned that value. If $_REQUEST['name']is empty, the $name variable is set to NULLand an error message is printed. Thiserror message uses the CSS class.4. Repeat the same process for the emailaddress and comments:if (!empty($_REQUEST['email'])) {$email = $_REQUEST['email'];} else {$email = NULL;echo 'You➝ forgot to enter your email➝ address!';}if (!empty($_REQUEST['comments'])) {$comments = $_REQUEST['comments'];} else {$comments = NULL;echo 'You➝ forgot to enter your➝ comments!';}Both variables receive the sametreatment as $_REQUEST['name'] inStep 3.5. Begin validating the gender variable:if (isset($_REQUEST['gender'])) {$gender = $_REQUEST['gender'];The validation of the gender is a twostepprocess. First, check if it has avalue or not, using isset( ). This startsthe main if-else conditional, whichotherwise behaves like those for thename, email address, and comments.continues on next pageProgramming with PHP 51

6. Check $gender against specific values:if ($gender = = 'M') {$greeting = 'Good day,➝ Sir!';} elseif ($gender = = 'F') {$greeting = 'Good day,➝ Madam!';} else {$gender = NULL;echo 'Gender➝ should be either "M" or➝ "F"!';}Within the gender if clause is a nestedif-elseif-else conditional that teststhe variable’s value against what’sacceptable. This is the second part ofthe two-step gender validation.The conditions themselves are thesame as those in the last script. Ifgender does not end up being equalto either M or F, a problem occurredand an error message is printed. The$gender variable is also set to NULLin such cases, because it has anunacceptable value.If $gender does have a valid value, agender-specific message is assigned toa new variable, so that the message canbe printed later in the script.7. Complete the main gender if-elseconditional:} else {$gender = NULL;echo 'Youforgot to select your➝ gender!';}This else clause applies if $_REQUEST['gender'] is not set. The complete,nested conditionals (see lines 41–57of Script 2.4) successfully checkevery possibility:> $_REQUEST['gender'] is not set> $_REQUEST['gender'] has a valueof M> $_REQUEST['gender'] has a valueof F> $_REQUEST['gender'] has someother valueYou may wonder how this last case maybe possible, considering the valuesare set in the HTML form. If a malicioususer creates their own form that getssubmitted to your handle_form.phpscript (which is very easy to do), theycould give $_REQUEST['gender'] anyvalue they want.8. Print messages indicating the validationresults:if ($name && $email && $gender➝ && $comments) {echo "Thank you, $name➝ , for the following➝ comments:$commentsWe will reply to you at➝ $email.\n";echo $greeting;} else {echo 'Please➝ go back and fill out the form➝ again.';}52 Chapter 2

A The script now checks that every form elementwas filled out (except the age) and reports onthose that weren’t.B If even one or two fields wereskipped, the Thank you message isnot printed.The main condition is true if every listedvariable has a true value. Each variablewill have a value if it passed its testbut have a value of NULL if it didn’t. Ifevery variable has a value, the form wascompleted, so the Thank you messagewill be printed, as will the genderspecificgreeting. If any of the variablesare NULL, the second message will beprinted (A and B).9. Close the PHP section and completethe HTML page:?>10. Save the file as handle_form.php, placeit in the same Web directory as form.html, and test it in your Web browser.Fill out the form to different levels ofcompleteness to test the new script C.To test if a submitted value is a number,use the is_numeric( ) function.In Chapter 14, “Perl-Compatible RegularExpressions,” you’ll see how to validate formdata using regular expressions.It’s considered good form (pun intended)to let a user know which fields are requiredwhen they’re filling out the form, and whereapplicable, the format of that field (like a dateor a phone number).C If the form was completed properly, the script behaves as itpreviously had.Programming with PHP 53

introducing ArraysChapter 1 introduced two scalar (singlevalued) variable types: strings and numbers.Now it’s time to learn about another type,the array. Unlike strings and numbers, anarray can hold multiple, separate piecesof information. An array is therefore likea list of values, each value being a stringor a number or even another array.Arrays are structured as a series of keyvaluepairs, where one pair is an item orelement of that array. For each item in thelist, there is a key (or index) associatedwith it (Table 2.3).PHP supports two kinds of arrays: indexed,which use numbers as the keys (as inTable 2.3), and associative, which usestrings as keys (Table 2.4). As in mostprogramming languages, with indexedarrays, arrays will begin with the first indexat 0, unless you specify the keys explicitly.An array follows the same naming rulesas any other variable. This means that,offhand, you might not be able to tell that$var is an array as opposed to a stringor number. The important syntacticaldifference arises when accessing individualarray elements.To refer to a specific value in an array, startwith the array variable name, followed bythe key within square brackets:$band = $artists[0]; // The Mynabirdsecho $states['MD']; // MarylandYou can see that the array keys are usedlike other values in PHP: numbers (e.g., 0)are never quoted, whereas strings (MD)must be.TABLe 2.3 Array Example 1: $artistsKeyValue0 The Mynabirds1 Jeremy Messersmith2 The Shins3 Iron and Wine4 Alexi MurdochTABLe 2.4 Array Example 2: $statesKeyValueMDMarylandPAPennsylvaniaILIllinoisMOMissouriIAIowa54 Chapter 2

Superglobal ArraysPHP includes several predefined arrayscalled the superglobal variables. Theyare: $_GET, $_POST, $_REQUEST, $_SERVER,$_ENV, $_SESSION, and $_COOKIE.The $_GET variable is where PHP storesall of the values sent to a PHP scriptvia the GET method (possibly but notnecessarily from an HTML form). $_POSTstores all of the data sent to a PHP scriptfrom an HTML form that uses the POSTmethod. Both of these—along with$_COOKIE—are subsets of $_REQUEST,which you’ve been using.$_SERVER, which was used in Chapter 1,stores information about the server PHPis running on, as does $_ENV. $_SESSIONand $_COOKIE will both be discussed inChapter 12, “Cookies and Sessions.”One aspect of good security and programmingis to be precise when referringto a variable. This means that, althoughyou can use $_REQUEST to accessform data submitted through the POSTmethod, $_POST would be more accurate.Because arrays use a different syntax thanother variables, and can contain multiplevalues, printing them can be trickier. Thiswill not work A:echo "My list of states: $states";However, printing an individual element’svalue is simple if it uses indexed (numeric)keys:echo "The first artist is➝ $artists[0].";But if the array uses strings for the keys,the quotes used to surround the key willmuddle the syntax. The following code willcause a parse error B:echo "IL is $states['IL']."; // BAD!To fix this, wrap the array name and key incurly braces when an array uses strings forits keys C:echo "IL is {$states['IL']}.";If arrays seem slightly familiar to youalready, that’s because you’ve alreadyworked with two: $_SERVER (in Chapter1) and $_REQUEST (in this chapter). Toacquaint you with another array and topractice printing array values directly, onefinal, but basic, version of the handle_form.php page will be created usingthe more specific $_POST array (see thesidebar on “Superglobal Arrays”).A Attempting to print an array using only the variable’sname results in the word Array being printed.B Attempting to print an element in an associative array without using curly braces resultsin a parse error.C Attempting to print an element in an associativearray while using curly braces works as desired.Programming with PHP 55

To use arrays:1. Begin a new PHP script in your text editoror IDE, to be named handle_form.phpstarting with the initial HTML (Script 2.5):Form Feedback3 4 5 Form Feedback6 7 8 19 20 56 Chapter 2

string for its key, use the curly braces(as in {$_POST['name']} here) to avoidparse errors.4. Complete the conditional begun inStep 2:} else {echo 'Please go back and➝ fill out the form again.';}If any of the three subconditionals inStep 2 is not true (which is to say, if anyof the variables has an empty value),then this else clause applies and anerror message is printed D.5. Complete the PHP and HTML code:?>6. Save the file as handle_form.php,place it in the same Web directoryas form.html, and test it in yourWeb browser E.Because PHP is lax with its variablestructures, an array can even use a combinationof numbers and strings as its keys. Theonly important rule is that the keys of an arraymust each be unique.If you find the syntax of accessing superglobalarrays directly to be confusing (e.g.,$_POST['name']), you can continue to use theshorthand technique at the top of your scriptsas you have been:$name = $_POST['name'];In this script, you would then need to changethe conditional and the echo statement torefer to $name et al.You only need to use the curly bracketsto surround an associated array used withinquotation marks. All of these array referencesare fine:echo $_POST['name'];echo "The first item is $item[0].";$total = number_format($cart['total']);D If any of the threetested form inputs isempty, this generic errormessage is printed.E The fact that the script now uses the $_POST array has noeffect on the visible result.Programming with PHP 57

Creating arraysThe preceding example uses a PHPgeneratedarray, but there will frequentlybe times when you want to create yourown. There are two primary ways to defineyour own array. First, you could add anelement at a time to build one:$band[ ] = 'Jemaine';$band[ ] = 'Bret';$band[ ] = 'Murray';As arrays are indexed starting at 0, $band[0]has a value of Jemaine; $band[1], Bret,and $band[2], Murray.Alternatively, you can specify the key whenadding an element. But it’s important tounderstand that if you specify a key anda value already exists indexed with thatsame key, the new value will overwrite theexisting one:$band['fan'] = 'Mel';$band['fan'] = 'Dave'; // New value$fruit[2] = 'apple';$fruit[2] = 'orange'; // New valueInstead of adding one element at a time,you can use the array( ) function to buildan entire array in one step:$states = array ('IA' => 'Iowa','MD' => 'Maryland');(As PHP is generally insensitive to whitespace, you can use this function overmultiple lines for added clarity.)The array( ) function can be used whetheror not you explicitly set the key:$artists = array ('Clem Snide',➝'Shins', 'Eels');Or, if you set the first numeric keyvalue, the added values will be keyedincrementally thereafter:$days = array (1 => 'Sun', 'Mon',➝'Tue');echo $days[3]; // TueThe array( ) function is also used toinitialize an array, prior to referencing it:$tv = array( );$tv[ ] = 'Flight of the Conchords';Initializing an array (or any variable) in PHPisn’t required, but it makes for clearer codeand can help avoid errors.Finally, if you want to create an array ofsequential numbers, you can use therange( ) function:$ten = range (1, 10);Accessing entire arraysYou’ve already seen how to accessindividual array elements using its keys(e.g., $_POST['email']). This works whenyou know exactly what the keys are or ifyou want to refer to only a single element.To access every array element, use theforeach loop:foreach ($array as $value) {// Do something with $value.}The foreach loop will iterate throughevery element in $array, assigning eachelement’s value to the $value variable. Toaccess both the keys and values, useforeach ($array as $key => $value) {echo "The value at $key is➝ $value.";}58 Chapter 2

(You can use any valid variable name inplace of $key and $value, like just $k and$v, if you’d prefer.)Using arrays, this next script will demonstratehow easy it is to make a set of form pulldownmenus for selecting a date F.F These pull-down menus will be created usingarrays and the foreach loop.Script 2.6 This form uses arrays to dynamicallycreate three pull-down menus.1 2 3 4 5 Calendar6 7 8 9 Calendar

2. Create an array for the months:$months = array (1 => 'January',➝'February', 'March', 'April',➝'May', 'June', 'July', 'August',➝'September', 'October',➝'November', 'December');This first array will use numbers for thekeys, from 1 to 12. Since the value ofthe first key is specified, the followingvalues will be indexed incrementally (inother words, the 1 => code creates anarray indexed from 1 to 12, instead offrom 0 to 11).3. Create the arrays for the days of themonth and the years:$days = range (1, 31);$years = range (2011, 2021);Using the range( ) function, you caneasily make an array of numbers.4. Generate the month pull-down menu:echo '';foreach ($months as $key =>➝ $value) {echo "➝ $value\n";}echo '';The foreach loop can quickly generateall of the HTML code for the month pulldownmenu. Each execution of the loopwill create a line of code like January G.5. Generate the day and year pull-downmenus:echo '';foreach ($days as $value) {echo "➝ $value\n";}Script 2.6 continued2021 // Make the months pull-down menu:22 echo '';23 foreach ($months as $key =>$value) {24 echo "$value\n";25 }26 echo '';2728 // Make the days pull-down menu:29 echo '';30 foreach ($days as $value) {31 echo "$value\n";32 }33 echo '';3435 // Make the years pull-down menu:36 echo '';37 foreach ($years as $value) {38 echo "$value\n";39 }40 echo '';4142 ?>43 44 45 G Most of the HTML source was generated byjust a few lines of PHP.60 Chapter 2

echo '';echo '';foreach ($years as $value) {echo "➝ $value\n";}echo '';Unlike the month example, both the dayand year pull-down menus will use thesame data for the option’s value andlabel (a number, G). For that reason,there’s no need to also fetch the array’skey with each loop iteration.6. Close the PHP, the form tag, and theHTML page:?>7. Save the file as calendar.php, place itin your Web directory, and test it in yourWeb browser.To determine the number of elements inan array, use count( ):$num = count($array);The range( ) function can also create anarray of sequential letters:$alphabet = range ('a', 'z');An array’s key can be multiple-wordedstrings, such as first name or phone number.The is_array( ) function confirms thata variable is of the array type.Multidimensional arraysWhen introducing arrays, I mentioned thatan array’s values could be any combinationof numbers, strings, and even other arrays.This last option—an array consisting of otherarrays—creates a multidimensional array.Multidimensional arrays are much morecommon than you might expect but remarkablyeasy to work with. As an example,start with an array of prime numbers:$primes = array(2, 3, 5, 7, …);Then create an array of sphenic numbers(don’t worry: I had no idea what a sphenicnumber was either; I had to look it up):$sphenic = array(30, 42, 66, 70, …);These two arrays could be combined intoone multidimensional array like so:$numbers = array ('Primes' =>➝ $primes, 'Sphenic' => $sphenic);Now, $numbers is a multidimensional array.To access the prime numbers sub-array,refer to $numbers['Primes']. To access theprime number 5, use $numbers['Primes'][2](it’s the third element in the array, but thearray starts indexing at 0). To print outone of these values, surround the wholeconstruct in curly braces:echo "The first sphenic number is➝ {$numbers['Sphenic'][0]}.";Of course, you can also access multidimensionalarrays using the foreach loop,nesting one inside another if necessary.This next example will do just that.If you see an Invalid argument suppliedfor foreach( ) error message, that means youare trying to use a foreach loop on a variablethat is not an array.Programming with PHP 61

To use multidimensional arrays:1. Begin a new PHP document in your texteditor or IDE, to be named multi.phpbeginning with the initial HTML(Script 2.7):Multidimensional➝ ArraysSome North American States,➝ Provinces, and Territories:3 4 5 Multidimensional Arrays6 7 8 Some North American States,Provinces, and Territories:9

Script 2.7 continued11 // Create one array:12 $mexico = array(13 'YU' => 'Yucatan',14 'BC' => 'Baja California',15 'OA' => 'Oaxaca'16 );1718 // Create another array:19 $us = array (20 'MD' => 'Maryland',21 'IL' => 'Illinois',22 'PA' => 'Pennsylvania',23 'IA' => 'Iowa'24 );2526 // Create a third array:27 $canada = array (28 'QC' => 'Quebec',29 'AB' => 'Alberta',30 'NT' => 'Northwest Territories',31 'YT' => 'Yukon',32 'PE' => 'Prince Edward Island'33 );3435 // Combine the arrays:36 $n_america = array(37 'Mexico' => $mexico,38 'United States' => $us,39 'Canada' => $canada40 );4142 // Loop through the countries:43 foreach ($n_america as $country =>$list) {4445 // Print a heading:46 echo "$country";4748 // Print each state, province, orterritory:49 foreach ($list as $k => $v) {50 echo "$k - $v\n";51 }5253 // Close the list:54 echo '';5556 } // End of main FOREACH.5758 ?>59 60 3. Create the second and third arrays:$us = array ('MD' => 'Maryland','IL' => 'Illinois','PA' => 'Pennsylvania','IA' => 'Iowa');$canada = array ('QC' => 'Quebec','AB' => 'Alberta','NT' => 'Northwest Territories','YT' => 'Yukon','PE' => 'Prince Edward Island');4. Combine all of the arrays into one:$n_america = array('Mexico' => $mexico,'United States' => $us,'Canada' => $canada);You don’t have to create threearrays and then assign them to afourth in order to make the desiredmultidimensional array, but I think it’seasier to read and understand this way(defining a multidimensional array inone step makes for some ugly code).The $n_america array now containsthree elements. The key for eachelement is a string, which is the country’sname. The value for each element is thearray of states, provinces, and territoriesfound within that country.5. Begin the primary foreach loop:foreach ($n_america as $country➝ => $list) {echo "$country";continues on next pageProgramming with PHP 63

Following the syntax outlined earlier,this loop will access every elementof $n_america. This means that thisloop will run three times. Within eachiteration of the loop, the $countryvariable will store the $n_americaarray’s key (Mexico, Canada, or UnitedStates). Also within each iteration ofthe loop, the $list variable will storethe element’s value (the equivalent of$mexico, $us, and $canada).To print out the results, the loop beginsby printing the country’s name within H2tags. Because the states and so forthshould be displayed as an HTML list,the initial unordered list tag () isprinted as well.6. Create a second foreach loop:foreach ($list as $k => $v) {echo "$k - $v\n";}This loop will run through each subarray(first $mexico, then $us, and then$canada). With each iteration of thisloop, $k will store the abbreviationand $v the full name. Both are printedout within HTML list tags. The newlinecharacter is also used, to better formatthe HTML source code.7. Complete the outer foreach loop:echo '';} // End of main FOREACH.After the inner foreach loop is done,the outer foreach loop has to close theunordered list begun in Step 5.8. Complete the PHP and HTML:?>9. Save the file as multi.php, place it inyour Web directory, and test it in yourWeb browser H.10. If you want, check out the HTML sourcecode to see what PHP created.Multidimensional arrays can also comefrom an HTML form. For example, if a formhas a series of checkboxes with the nameinterests[ ] — Music Movies Books—the $_POST variable in the receivingPHP page will be multidimensional.$_POST['interests'] will be an array,with $_POST['interests'][0] storing thevalue of the first checked box (e.g., Movies),$_POST['interests'][1] storing the second(Books), etc. Note that only the checked boxeswill get passed to the PHP page.You can also end up with a multidimensionalarray if an HTML form’s select menuallows for multiple selections:Music➝ Movies➝ Books➝ Napping➝ Again, only the selected values will be passedto the PHP page.64 Chapter 2

Arrays and StringsBecause arrays and strings are socommonly used together, PHP has twofunctions for converting between them:$array = explode (separator,➝ $string);$string = implode (glue, $array);The key to using and understandingthese two functions is the separator andglue relationships. When turning an arrayinto a string, you establish the glue—thecharacters or code that will be insertedbetween the array values in the generatedstring. Conversely, when turning astring into an array, you specify the separator,which is the token that marks whatshould become separate array elements.For example, start with a string:$s1 = 'Mon-Tue-Wed-Thu-Fri';$days_array = explode ('-', $s1);The $days_array variable is now a fiveelementarray, with Mon indexed at 0,Tue indexed at 1, etc.$s2 = implode (', ', $days_array);The $s2 variable is now a commaseparatedlist of days: Mon, Tue, Wed,Thu, Fri.Sorting arraysOne of the many advantages arrayshave over the other variable types is theability to sort them. PHP includes severalfunctions you can use for sorting arrays,all simple in syntax:$names = array ('Moe', 'Larry',➝'Curly');sort($names);The sorting functions perform three kinds ofsorts. First, you can sort an array by value,discarding the original keys, using sort( ).It’s important to understand that the array’skeys will be reset after the sorting process,so if the key-value relationship is important,you should not use sort( ).Second, you can sort an array by valuewhile maintaining the keys, using asort( ).Third, you can sort an array by key, usingksort( ). Each of these can sort in reverseorder if you change them to rsort( ),arsort( ), and krsort( ) respectively.To demonstrate the effect sorting arrayswill have, this next script will create anarray of movie titles and ratings (how muchI liked them on a scale of 1 to 10) and thendisplay this list in different ways.Programming with PHP 65

To sort arrays:1. Begin a new PHP document in your texteditor or IDE, to be named sorting.phpstarting with the initial HTML (Script 2.8):Sorting Arrays2. Create an HTML table:RatingTitleTo make the ordered list easier to read,it’ll be printed within an HTML table.The table is begun here.3. Add the opening PHP tag and createa new array:3 4 5 Sorting Arrays6 7 8 9 10 Rating11 Title12 13

Script 2.8 continued35 foreach ($movies as $title =>$rating) {36 echo "$rating37 $title\n";38 }3940 // Display the movies sorted byrating:41 arsort($movies);42 echo 'Sorted byrating:';43 foreach ($movies as $title =>$rating) {44 echo "$rating45 $title\n";46 }4748 ?>49 50 51 This array uses movie titles as the keysand their respective ratings as their values.This structure will open up severalpossibilities for sorting the whole list.Feel free to change the movie listingsand rankings as you see fit (just don’tchastise me for my taste in films).4. Print out the array as is:echo 'In➝ their original order:➝ ';foreach ($movies as $title =>➝ $rating) {echo "$rating$title\n";}At this point in the script, the array isin the same order as it was defined.To verify this, print it out. A caption isfirst printed across both table columns.Then, within the foreach loop, the keyis printed in the first column and thevalue in the second. A newline is alsoprinted to improve the readability of theHTML source code.5. Sort the array alphabetically by title andprint it again:ksort($movies);echo '➝ Sorted by title:';foreach ($movies as $title =>➝ $rating) {echo "$rating$title\n";}The ksort( ) function will sort anarray by key, in ascending order, whilemaintaining the key-value relationship.The rest of the code is a repetition ofStep 4.continues on next pageProgramming with PHP 67

6. Sort the array numerically by descendingrating and print again:arsort($movies);echo '➝ Sorted by rating:';foreach ($movies as $title =>➝ $rating) {echo "$rating$title\n";}To sort by values (the ratings), whilemaintaining the keys, one would usethe asort( ) function. But since thehighest-ranking films should be listedfirst, the order must be reversed,using arsort( ).7. Complete the PHP, the table, and theHTML:?>8. Save the file as sorting.php, place it inyour Web directory, and test it in yourWeb browser I.To randomize the order of an array,use shuffle( ).I This page demonstrates different ways arrayscan be sorted.PHP’s natsort( ) function can be usedto sort arrays in a more natural order (primarilyhandling numbers in strings better).Multidimensional arrays can be sorted inPHP with a little effort. See the PHP manualfor more information on the usort( ) functionor check out my PHP 5 Advanced: VisualQuickPro Guide book.68 Chapter 2

A A flowchart representation of how PHPhandles a while loop.B A flowchart representation of how PHP handlesthe more complex for loop.For and While LoopsThe last language construct to discuss inthis chapter is the loop. You’ve alreadyused one, foreach, to access everyelement in an array. The other two typesof loops you’ll use are for and while.The while loop looks like this:while (condition) {// Do something.}As long as the condition part of the loopis true, the loop will be executed. Once itbecomes false, the loop is stopped A. Ifthe condition is never true, the loop willnever be executed. The while loop willmost frequently be used when retrievingresults from a database, as you’ll see inChapter 9, “Using PHP with MySQL.”The for loop has a more complicated syntax:for (initial expression; condition;closing expression) {// Do something.}Upon first executing the loop, the initialexpression is run. Then the condition ischecked and, if true, the contents of the loopare executed. After execution, the closingexpression is run and the condition ischecked again. This process continues untilthe condition is false B. As an example,for ($i = 1; $i

The functionality of both loops is similarenough that for and while can often beused interchangeably. Still, experience willreveal that the for loop is a better choice fordoing something a known number of times,whereas while is used when a condition willbe true an unknown number of times.In this chapter’s last example, the calendarscript created earlier will be rewrittenusing for loops in place of two of theforeach loops.To use loops:1. Open calendar.php (refer to Script 2.6)in your text editor or IDE.2. Delete the creation of the $days and$years arrays (lines 18–19).Using loops, the same result of thetwo pull-down menus can be achievedwithout the extra code and memoryoverhead involved with creating actualarrays. So these two arrays shouldbe deleted, while still keeping the$months array.3. Rewrite the $days foreach loop as afor loop (Script 2.9):for ($day = 1; $day

Script 2.9 continued31 // Make the years pull-down menu:32 echo '';33 for ($year = 2011; $year 39 40 41 4. Rewrite the $years foreach loop as afor loop:for ($year = 2011; $year

Review and pursueIf you have any problems with the reviewquestions or the pursue prompts, turnto the book’s supporting forum (www.LarryUllman.com/forums/).Note: Some of these questions and promptsrehash information covered in Chapter 1, inorder to reinforce some of the most importantpoints.ReviewnnnnnnnnWhat is the significance of a form’smethod attribute? Of its action attribute?Why must an HTML form that getssubmitted to a PHP script be loadedthrough a URL? What would happenupon submitting the form if it were notloaded through a URL?What are the differences between usingsingle and double quotation marks todelineate strings?What control structures wereintroduced in this chapter?What new variable type was introducedin this chapter?What operator tests for equality? Whatis the assignment operator?Why are textual form elementsvalidated using empty( ) but other formelements are validated using isset( )?What is the difference between anindexed array and an associative array?nnnnnnnWith what value do indexed arraysbegin (by default)? If an indexed arrayhas ten elements in it, what would theexpected index be of the last elementin the array?What are the superglobal arrays? Fromwhere do the following superglobalsget their values?> $_GET> $_POST> $_COOKIE> $_REQUEST> $_SESSION> $_SERVER> $_ENVHow can you print an individualindexed array item? How can you printan individual associative array item?Note: there is more than one answer toboth questions.What does the count( ) function do?What impact does printing \n have onthe Web browser?Generally speaking, when would youuse a while loop? When would youuse a for loop? When would you usea foreach loop? What is the syntax ofeach loop type?What is the + + operator? What does it do?72 Chapter 2

pursuennnnWhat version of PHP are you using? Ifyou don’t know, find out now!Create a new form that takes someinput from the user (perhaps base it ona form you know you’ll need for oneof your projects). Then create the PHPscript that validates the form data andreports upon the results.Rewrite the gender conditional inhandle_form.php (Script 2.4) as oneconditional instead of two nested ones.Hint: You’ll need to use theAND operator.Rewrite handle_form.php (Script 2.4) touse $_POST instead of $_REQUEST.n Rewrite handle_form.php (Script 2.4)so that it validates the age element.Hint: Use the $gender validation as atemplate, this time checking against thecorresponding pull-down option values(0-29, 30-60, 60+).nRewrite the echo statement in the finalversion of handle_form.php (Script 2.5)so that it uses single quotation marksand concatenation instead of doublequotation marks.nnnnLook up in the PHP manual one ofthe array functions introduced in thisbook. Then check out some of theother array-related functions builtinto the language.Create a new array and then displayits elements. Sort the array in differentways and then display the array’s contentsagain.Create a form that contains a selectmenu or series of check boxes thatallow for multiple sections. Then, inthe handling PHP script, display theselected items along with a count ofhow many the user selected.For added complexity, take the suggestedPHP script you just created(that handles multiple selections), andhave it display the selections in alphabeticalorder.Programming with PHP 73

This page intentionally left blank

3Creating DynamicWeb SitesWith the fundamentals of PHP under yourbelt, it’s time to begin building truly dynamicWeb sites. Dynamic Web sites, as opposedto the static ones on which the Web wasfirst built, are easier to maintain, are moreresponsive to users, and can alter theircontent in response to differing situations.This chapter introduces three new ideas,all commonly used to create more sophisticatedWeb applications (Chapter 11, “WebApplication Development,” covers anotherhandful of topics along these same lines).The first subject involves using externalfiles. This is an important concept, as morecomplex sites often demand compartmentalizingsome HTML or PHP code. Then thechapter returns to the subject of handlingHTML forms. You’ll learn some new variationson this important and standard featureof dynamic Web sites. Finally, you’ll learnhow to define and use your own functions.in This ChapterIncluding Multiple Files 76Handling HTML Forms, Revisited 85Making Sticky Forms 91Creating Your Own Functions 95Review and Pursue 110

includingMultiple FilesTo this point, every script in the book hasconsisted of a single file that contains allof the required HTML and PHP code. Butas you develop more complex Web sites,you’ll see that this approach is not oftenpractical. A better way to create dynamicWeb applications is to divide your scriptsand Web sites into distinct parts, each partbeing stored in its own file. Frequently, youwill use multiple files to extract the HTMLfrom the PHP or to separate out commonlyused processes.PHP has four functions for incorporatingexternal files: include( ), include_once( ),require( ), and require_once( ). To usethem, your PHP script would have a line likeinclude_once('filename.php');require('/path/to/filename.html');Using any one of these functions has theend result of taking all the content of theincluded file and dropping it in the parentscript (the one calling the function) at thatjuncture. An important consideration withincluded files is that PHP will treat theincluded code as HTML (i.e., send it directlyto the browser) unless the file containscode within the PHP tags.In terms of functionality, it also doesn’tmatter what extension the included fileuses, be it .php or .html. However, givingthe file a symbolic name and extensionhelps to convey its purpose (e.g., anincluded file of HTML might use .inc.html).Also note that you can use either absoluteor relative paths to the included file (seethe sidebar for more).Absolute vs. Relative pathsWhen referencing any external item,be it an included file in PHP, a CSSdocument in HTML, or an image, youhave the choice of using either anabsolute or a relative path. An absolutepath references a file starting from theroot directory of the computer:include ('C:/php/includes/➝ file.php');include('/usr/xyz/includes/➝ file.php');Assuming file.php exists in the namedlocation, the inclusion will work, nomatter the location of the referencing(parent) file (barring any permissionsissues). The second example, in caseyou’re not familiar with the syntax,would be a Unix (and Mac OS X)absolute path. Absolute paths alwaysstart with something like C:/ or /.A relative path uses the referencing(parent) file as the starting point. Tomove up one folder, use two periodstogether. To move into a folder, use itsname followed by a slash. So assumingthe current script is in the www/ex1 folderand you want to include something inwww/ex2, the code would be:include('../ex2/file.php');A relative path will remain accurate,even if the site is moved to anotherserver, as long as the files maintaintheir current relationship to each other.76 Chapter 3

The include( ) and require( ) functionsare exactly the same when workingproperly but behave differently when theyfail. If an include( ) function doesn’t work(it cannot include the file for some reason),a warning will be printed to the Webbrowser A, but the script will continue torun. If require( ) fails, an error is printedand the script is halted B.Both functions also have a *_once( )version, which guarantees that the file inquestion is included only once regardless ofhow many times a script may (presumablyinadvertently) attempt to include it.require_once('filename.php');include_once('filename.php');Because require_once( ) and include_once( ) require extra work from the PHPmodule (i.e., PHP must first check that thefile has not already been included), it’s bestnot to use these two functions unless aredundant include is likely to occur (whichcan happen on complex sites).In this next example, included files willseparate the primary HTML formattingfrom any PHP code. Then, the rest of theexamples in this chapter will be able tohave the same appearance—as if they areall part of the same Web site—without theneed to rewrite the common HTML everytime. This technique creates a templatesystem, an easy way to make largeapplications consistent and manageable.The focus in these examples is on the PHPcode itself; you should also read the “SiteStructure” sidebar so that you understandthe organizational scheme on the server.If you have any questions about the CSS(Cascading Style Sheets) or (X)HTML usedin the example, see a dedicated resourceon those topics.A One failedinclude( ) callgenerates thesetwo error messages(assuming that PHPis configured todisplay errors), butthe rest of the pagecontinues to execute.B The failure of a require( ) function call will print an error and terminatethe execution of the script. If PHP is not configured to display errors, then thescript will terminate without printing the problem first (i.e., it’d be a blank page).Creating Dynamic Web Sites 77

To include multiple files:1. Design an HTML page in your text orWYSIWYG editor (Script 3.1 and C).To start creating a template for a Website, design the layout like a standardHTML page, independent of any PHPcode. For this chapter’s example, I’musing a slightly modified version of the“Plain and Simple” template created byChristopher Robinson (www.edg3.co.uk)and used with his kind permission.2. Mark where any page-specificcontent goes.Almost every Web site has severalcommon elements on each page—header, navigation, advertising, footer,etc.—and one or more page-specificsections. In the HTML page (Script 3.1),enclose the section of the layout thatwill change from page to page withinHTML comments to indicate its status.Site StructureWhen you begin using multiple files inyour Web applications, the overall sitestructure becomes more important.When laying out your site, there are twoprimary considerations:.Ease of maintenance.SecurityUsing external files for holding standardprocedures (i.e., PHP code), CSS,JavaScript, and the HTML design willgreatly improve the ease of maintainingyour site because commonly editedcode is placed in one central location.I’ll frequently make an includes ortemplates directory to store these filesapart from the main scripts (the ones thatare accessed directly in the Web browser).I recommend using the .inc or .html fileextension for documents where securityis not an issue (such as HTML templates)and .php for files that contain moresensitive data (such as database accessinformation). You can also use both .incand .html or .php so that a file is clearlyindicated as an include of a certain type:db.inc.php or header.inc.html.C The HTML andCSS design as itappears in the Webbrowser (withoutusing any PHP).78 Chapter 3

Script 3.1 The HTML template for this chapter’s Web pages. Download the style.css file it uses from thebook’s supporting Web site (www.LarryUllman.com).1 2 3 4 Page Title5 6 7 8 9 10 Your Website11 catchy slogan...12 13 14 15 Home Page16 Calculator17 link three18 link four19 link five20 21 22 23 Content Header2425 This is where the page-specific content goes. This section, and thecorresponding header, will change from one page to the next.2627 Volutpat at varius sed sollicitudin et, arcu. Vivamus viverra. Nullam turpis.Vestibulum sed etiam. Lorem ipsum sit amet dolore. Nulla facilisi. Sed tortor. Aenean felis.Quisque eros. Cras lobortis commodo metus. Vestibulum vel purus. In eget odio in sapienadipiscing blandit. Quisque augue tortor, facilisis sit amet, aliquam, suscipit vitae, cursussed, arcu lorem ipsum dolor sit amet.2829 3031 32 Copyright &copy; Plain and Simple 2007 | Designed byedg3.co.uk | Sponsored by Open Designs | Valid CSS &amp; XHTML33 34 35 Creating Dynamic Web Sites 79

3. Copy everything from the first line ofthe layout’s HTML source to just beforethe page-specific content and pasteit in a new document, to be namedheader.html (Script 3.2):Page TitleYour Websitecatchy slogan...➝ Home PageCalculatorlink three➝ link four➝ link five➝ Script 3.2 The initial HTML for each Web page is stored in a header file.1 2 3 4 5 6 7 8 9 10 Your Website11 catchy slogan...12 13 14 15 Home Page16 Calculator17 link three18 link four19 link five20 21 22 23 80 Chapter 3

This first file will contain the initial HTMLtags (from DOCTYPE through the headand into the beginning of the pagebody). It also has the code that makesthe Web site name and slogan, plus thehorizontal bar of links across the top C.Finally, as each page’s content goeswithin a DIV whose id value is content,this file includes that code as well.4. Change the page’s title line to read:The page title (which appears at thetop of the Web browser C) should bechangeable on a page-by-page basis.For that to be possible, this value will bebased upon a PHP variable, which willthen be printed out. You’ll see how thisplays out shortly.5. Save the file as header.html.As stated already, included files canuse just about any extension for thefilename. This file is called header.html, indicating that it is the template’sheader file and that it contains(primarily) HTML.6. Copy everything in the original templatefrom the end of the page-specific contentto the end of the page and paste itin a new file, to be named footer.html(Script 3.3):Copyright &copy; Plain and Simple➝ 2007 | Designed➝ by edg3.co.uk |➝ Sponsored by Open Designs |➝ Valid ➝ CSS &amp; ➝ XHTMLThe footer file starts by closing thecontent DIV opened in the header file(see Step 3). Then the footer is added,which will be the same for every pageon the site, and the HTML documentitself is completed.continues on next pageScript 3.3 The concluding HTML for each Web page is stored in this footer file.1 2 34 5 Copyright &copy; Plain and Simple 2007 | Designed by edg3.co.uk | Sponsored by Open Designs | Valid CSS&amp; XHTML6 7 8 Creating Dynamic Web Sites 81

7. Save the file as footer.html.8. Begin a new PHP document in your texteditor or IDE, to be named index.php(Script 3.4):Content HeaderThis is where the page-➝ specific content goes. This➝ section, and the corresponding➝ header, will change from one➝ page to the next.For most pages, PHP will generate thiscontent, instead of having static text.This information could be sent to thebrowser using echo, but since there’sno dynamic content here, it’s easierand more efficient to exit the PHP tagstemporarily. (The script and the imageshave a bit of extra Latin than is shownhere, just to fatten up the page.)Script 3.4 This script generates a complete Web page by including a template stored in two external files.1 56 Content Header78 This is where the page-specific content goes. This section, and thecorresponding header, will change from one page to the next.910 Volutpat at varius sed sollicitudin et, arcu. Vivamus viverra. Nullam turpis.Vestibulum sed etiam. Lorem ipsum sit amet dolore. Nulla facilisi. Sed tortor.Aenean felis. Quisque eros. Cras lobortis commodo metus. Vestibulum vel purus.In eget odio in sapien adipiscing blandit. Quisque augue tortor, facilisis sitamet, aliquam, suscipit vitae, cursus sed, arcu lorem ipsum dolor sit amet.1112 82 Chapter 3

11. Create a final PHP section and includethe footer file:12. Save the file as index.php, and place itin your Web directory.13. Create an includes directory inthe same folder as index.php. Thenplace header.html, footer.html, andstyle.css (part of the downloadablecode at www.LarryUllman.com), intothis includes directory.Note: In order to save space, the CSSfile for this example (which controlsthe layout) is not included in the book.You can download the file throughthe book’s supporting Web site or dowithout it (the template will still work, itjust won’t look as nice).14. Test the template system by goingto the index.php page in your Webbrowser D.The index.php page is the key scriptin the template system. You do notneed to access any of the included filesdirectly, as index.php will take care ofincorporating their contents. As this isa PHP page, you still need to access itthrough a URL.continues on next pageD Now the same layout C has been created using external files in PHP.Creating Dynamic Web Sites 83

15. If desired, view the HTML source ofthe page E.In the php.ini configuration file, youcan adjust the include_path setting, whichdictates where PHP is and is not allowed toretrieve included files.As you’ll see in Chapter 9, “Using PHPwith MySQL,” any included file that containssensitive information (like database access)should ideally be stored outside of the Webdirectory so it can’t be viewed within aWeb browser.Since require( ) has more impact ona script when it fails, it’s recommended formission-critical includes (like those that connectto a database). The include( ) functionwould be used for less important inclusions.If a block of PHP code contains only asingle executable, it’s common to place bothit and the PHP tags on a single line:Because of the way CSS works, if youdon’t use the CSS file or if the browser doesn’tread the CSS, the generated result is still functional,just not aesthetically as pleasing.E The generated HTML source of the Web page should replicate the code in the originaltemplate (refer to Script 3.1).84 Chapter 3

Handling HTMLForms, RevisitedA good portion of Chapter 2, “Programmingwith PHP,” involves handling HTML formswith PHP (which makes sense, as a goodportion of Web programming with PHP isexactly that). All of those examples use twoseparate files: one that displays the formand another that receives its submitteddata. While there’s certainly nothing wrongwith this approach, there are advantages toputting the entire process into one script.To have one page both display and handlea form, a conditional must check whichaction (display or handle) should be taken:if (/* form has been submitted */) {// Handle the form.} else {// Display the form.}The question, then, is how to determine ifthe form has been submitted. The answeris simple, after a bit of explanation.When you have a form that uses the POSTmethod and gets submitted back to thesame page, two different types of requestswill be made of that script A. The firstrequest, which loads the form, will be aGET request. This is the standard requestmade of most Web pages. When the formis submitted, a second request of the scriptwill be made, this time a POST request (solong as the form uses the POST method).With this in mind, you can test for a form’ssubmission by checking the requestmethod, found in the $_SERVER array:if ($_SERVER['REQUEST_METHOD'] = =➝'POST') {// Handle the form.} else {// Display the form.}continues on next pageA The interactions between the user and this PHP script on the server involves theuser making two requests of this script.Creating Dynamic Web Sites 85

If you want a page to handle a form andthen display it again (e.g., to add a recordto a database and then give an option toadd another), drop the else clause:if ($_SERVER['REQUEST_METHOD'] = =➝'POST') {// Handle the form.}// Display the form.Using that code, a script will handle a formif it has been submitted and display theform every time the page is loaded.To demonstrate this important technique(of having the same page both display andhandle a form), let’s create a calculator thatestimates the cost and time required to takea car trip, based upon user-entered values B.B The HTML form, completed by the user.To handle HTML forms:1. Begin a new PHP document in yourtext editor or IDE, to be namedcalculator.php (Script 3.5):

Script 3.5 The calculator.php script both displays a simple form and handles the form data: performingsome calculations and reporting upon the results.1 3132 Trip Cost Calculator33 34 Distance (in miles): 35 Ave. Price Per Gallon: 36 3.0037 3.5038 4.0039 40 Fuel Efficiency: 41 Terrible42 Decent43 Very Good44 Outstanding45 46 47 4849 Creating Dynamic Web Sites 87

3. Validate the form:if (isset($_POST['distance'],➝ $_POST['gallon_price'],➝ $_POST['efficiency']) &&is_numeric($_POST['distance'])➝ && is_numeric($_POST['gallon_➝ price']) && is_numeric($_POST➝ ['efficiency']) ) {The validation here is very simple: itmerely checks that three submittedvariables are set and are all numerictypes. You can certainly elaborateon this, perhaps checking that allvalues are positive (in fact, Chapter 13,“Security Methods,” has a variation onthis script that does just that).If the validation passes all of the tests,the calculations will be made; otherwise,the user will be asked to try again.4. Perform the calculations:$gallons = $_POST['distance'] /➝ $_POST['efficiency'];$dollars = $gallons *➝ $_POST['gallon_price'];$hours = $_POST['distance']/65;The first line calculates the number ofgallons of gasoline the trip will take,determined by dividing the distanceby the fuel efficiency. The secondline calculates the cost of the fuel forthe trip, determined by multiplyingthe number of gallons times theaverage price per gallon. The third linecalculates how long the trip will take,determined by dividing the distance by65 (representing 65 miles per hour).5. Print the results:echo 'Total Estimated CostThe total cost of driving '➝ . $_POST['distance'] . ' miles,➝ averaging ' . $_POST➝ ['efficiency'] . ' miles per➝ gallon, and paying an average➝ of $' . $_POST['gallon_price']➝ . ' per gallon, is $' .➝ number_format ($dollars, 2) .➝'. If you drive at an average➝ of 65 miles per hour, the➝ trip will take approximately➝' . number_format($hours, 2)➝ . ' hours.';All of the values are printed out, whileformatting the cost and hours with thenumber_format( ) function. Using theconcatenation operator (the period)allows the formatted numeric values tobe appended to the printed message.6. Complete the conditionals and closethe PHP tag:} else { // Invalid submitted➝ values.echo 'Error!Please enter➝ a valid distance, price➝ per gallon, and fuel➝ efficiency.';}} // End of main submission IF.?>88 Chapter 3

The else clause completes the validationconditional (Step 3), printing an error if thethree submitted values aren’t all set andnumeric C. The final closing curly bracecloses the isset($_SERVER['REQUEST_METHOD'] = = 'POST') conditional. Finally,the PHP section is closed so that the formcan be created without using echo (seeStep 7).7. Begin the HTML form:Trip Cost CalculatorDistance (in miles): ➝ The form itself is fairly obvious,containing only one new trick: theaction attribute uses this script’s name,so that the form submits back to thispage instead of to another. The firstelement within the form is a text input,where the user can enter the distanceof the trip.8. Complete the form:Ave. Price Per Gallon: 3.00 3.50 4.00Fuel Efficiency: Terrible➝ Decent➝ Very➝ Good➝ Outstandingcontinues on next pageC If any of the submitted values is not both set and numeric, anerror message is displayed.Creating Dynamic Web Sites 89

The form uses radio buttons as a wayto select the average price per gallon(the buttons are wrapped within spantags in order to format them similarlyto the other form elements). For thefuel efficiency, the user can select froma drop-down menu of four options. Asubmit button completes the form.9. Include the footer file:10. Save the file as calculator.php, placeit in your Web directory, and test it inyour Web browser D.You can also have a form submit backto itself by using no value for the actionattribute:By doing so, the form will always submit backto this same page, even if you later change thename of the script.D The page performs the calculations, reports on the results, and then redisplays the form.90 Chapter 3

Making Sticky FormsA sticky form is simply a standard HTMLform that remembers how you filled itout. This is a particularly nice feature forend users, especially if you are requiringthem to resubmit a form after filling it outincorrectly in the first place (as in C in theprevious section).To preset what’s entered in a text input,use its value attribute:To have PHP preset that value, print theappropriate variable (this assumes that thereferenced variable exists):

To make a sticky form:1. Open calculator.php (refer to Script3.5) in your text editor or IDE, if it isnot already.2. Change the distance input to read(Script 3.6):

3. Change the radio buttons to:/> 3.50 For each button, the comparison value(XXX) gets changed accordingly.continues on next pageScript 3.6 continued2829 // Leave the PHP section and create the HTML form:30 ?>3132 Trip Cost Calculator33 34 Distance (in miles):

4. Change the select menu options to:>Decent>OutstandingFor each option, within the openingoption tag, the following code is added:Again, just the specific comparisonvalue (XX) must be changed to matcheach option.5. Save the file as calculator.php, placeit in your Web directory, and test it inyour Web browser A and B.Because the price per gallon and fuelefficiency values are numeric, you can quoteor not quote the comparison values withinthe added conditionals. I choose to quotethem, because they’re technically stringswith numeric values.Because the added PHP code in thisexample exists inside of the HTML formelement tags, error messages may not beobvious. If problems occur, check the HTMLsource of the page to see if PHP errors areprinted within the value attributes and thetags themselves.You should always double-quote HTMLattributes, particularly the value attribute ofa text input. If you don’t, multiword values likeElliott Smith will appear as just Elliott in theWeb browser.Some Web browsers will also remembervalues entered into forms for you; this isa separate but potentially overlapping issuefrom using PHP to accomplish this.A The form nowrecalls the previouslysubmitted values…B …whetheror not the formwas completelyfilled out.94 Chapter 3

Creating Yourown FunctionsPHP has a lot of built-in functions,addressing almost every need you mighthave. More importantly, though, PHP hasthe capability for you to define and useyour own functions for whatever purpose.The syntax for making your own function isfunction function_name ( ) {// Function code.}The name of your function can be anycombination of letters, numbers, and theunderscore, but it must begin with eithera letter or the underscore. You also cannotuse an existing function name for yourfunction (print, echo, isset, and so on).One perfectly valid function definition isfunction do_nothing( ) {// Do nothing.}In PHP, as mentioned in the first chapter,function names are case-insensitive(unlike variable names), so you could callthat function using do_Nothing( ) or DO_NOTHING( ) or Do_Nothing( ), etc., but notdonothing( ) or DoNothing( ).The code within the function can donearly anything, from generating HTMLto performing calculations to calling otherfunctions.The most common reasons to create yourown functions are:nnnTo associate repeated code with onefunction call.To separate out sensitive orcomplicated processes from othercode.To make common code bits easierto reuse.This chapter runs through a couple ofexamples and you’ll see some othersthroughout the rest of the book. For thisfirst example, a function will be definedthat outputs the HTML code for generatingtheoretical ads. This function will then becalled twice on the home page A.A The two “ads” are generated by calling the same user-defined function.Creating Dynamic Web Sites 95

To create your own function:1. Open index.php (Script 3.4) in your texteditor or IDE.2. After the opening PHP tag, begin defininga new function (Script 3.7):function create_ad( ) {The function to be written here would, intheory, generate the HTML required toadd ads to a Web page. The function’sname clearly states its purpose.Although not required, it’s conventionalto place a function definition near thevery top of a script or in a separate file.3. Generate the HTML:echo 'This is an➝ annoying ad! This is an annoying➝ ad! This is an annoying ad! This➝ is an annoying ad!';In a real function, the code would outputactual HTML instead of a paragraphof text. (The actual HTML would beScript 3.7 This version of the home page has a user-defined function that outputs a theoretical ad. The functionis called twice in the script, creating two ads.1 1516 Content Header1718 This is where the page-specific content goes. This section, and thecorresponding header, will change from one page to the next.1920 Volutpat at varius sed sollicitudin et, arcu. Vivamus viverra. Nullam turpis.Vestibulum sed etiam. Lorem ipsum sit amet dolore. Nulla facilisi. Sed tortor.Aenean felis. Quisque eros. Cras lobortis commodo metus. Vestibulum vel purus.In eget odio in sapien adipiscing blandit. Quisque augue tortor, facilisis sitamet, aliquam, suscipit vitae, cursus sed, arcu lorem ipsum dolor sit amet.2122 96 Chapter 3

provided by the service you’re using togenerate and tracks ads.)4. Close the function definition:} // End of the functiondefinition.It’s helpful to place a comment at theend of a function definition so that youknow where a definition starts andstops (it’s helpful on longer functiondefinitions, at least).5. After including the header and beforeexiting the PHP block, call the function:create_ad( );The call to the create_ad( ) functionwill have the end result of inserting thefunction’s output at this point in the script.6. Just before including the footer, call thefunction again:create_ad( );7. Save the file and test it in your Webbrowser A.If you ever see a call to undefinedfunction function_name error, this meansthat you are calling a function that hasn’tbeen defined. This can happen if you misspellthe function’s name (either when defining orcalling it) or if you fail to include the file wherethe function is defined.Because a user-defined function takesup some memory, you should be prudentabout when to use one. As a general rule,functions are best used for chunks of codethat may be executed in several places ina script or Web site.Creating a function thattakes argumentsJust like PHP’s built-in functions, thoseyou write can take arguments (also calledparameters). For example, the strlen( )function takes as an argument the stringwhose character length will be determined.A function can take any number ofarguments, but the order in which you listthem is critical. To allow for arguments, addvariables to a function’s definition:function print_hello ($first, $last) {// Function code.}The variable names you use for yourarguments are irrelevant to the rest of thescript (more on this in the “Variable Scope”sidebar toward the end of this chapter), buttry to use valid, meaningful names.Once the function is defined, you can thencall it as you would any other function inPHP, sending literal values or variablesto it:print_hello ('Jimmy', 'Stewart');$surname = 'Stewart';print_hello ('Jimmy', $surname);As with any function in PHP, failure to sendthe right number of arguments results inan error B.To demonstrate this concept, let’s rewritethe calculator form so that a user-definedfunction creates the price-per-gallon radiobuttons. Doing so will help to clean up themessy form code.B Failure to send a function the proper number (and sometimes type) of arguments creates an error.Creating Dynamic Web Sites 97

To define functions thattake arguments:1. Open calculator.php (Script 3.6) inyour text editor or IDE.2. After the initial PHP tag, start definingthe create_gallon_radio( ) function(Script 3.8):function create_gallon_radio➝ ($value) {The function will create code like this: XXXor: XXXIn order to be able to dynamically setthe value of each radio button, thatvalue must be passed to the functionwith each call. Therefore, that’s the oneargument the function takes.Notice that the variable used as anargument is not $_POST['gallon_price'].The function’s argument variable isparticular to this function and has itsown name.continues on page 100Script 3.8 The calculator.php form now uses a function to create the radio buttons. Unlike the create_ad( )user-defined function, this one takes an argument.1

Script 3.8 continued29 is_numeric($_POST['distance']) && is_numeric($_POST['gallon_price']) &&is_numeric($_POST['efficiency']) ) {3031 // Calculate the results:32 $gallons = $_POST['distance'] / $_POST['efficiency'];33 $dollars = $gallons * $_POST['gallon_price'];34 $hours = $_POST['distance']/65;3536 // Print the results:37 echo 'Total Estimated Cost38 The total cost of driving ' . $_POST['distance'] . ' miles, averaging' . $_POST['efficiency'] . ' miles per gallon, and paying an average of $' .$_POST['gallon_price'] . ' per gallon, is $' . number_format ($dollars, 2) . '.If you drive at an average of 65 miles per hour, the trip will takeapproximately ' . number_format($hours, 2) . ' hours.';3940 } else { // Invalid submitted values.41 echo 'Error!42 Please enter a valid distance, price per gallon, and fuelefficiency.';43 }4445 } // End of main submission IF.4647 // Leave the PHP section and create the HTML form:48 ?>4950 Trip Cost Calculator51 52 Distance (in miles):

3. Begin creating the radio button element:echo '

Setting default argument valuesAnother variant on defining your ownfunctions is to preset an argument’s value.To do so, assign the argument a value inthe function’s definition:function greet ($name, $msg =➝'Hello') {echo "$msg, $name!";}The end result of setting a defaultargument value is that that particularargument becomes optional when callingthe function. If a value is passed to it,the passed value is used; otherwise, thedefault value is used.You can set default values for as many ofthe arguments as you want, as long asthose arguments come last in the functiondefinition. In other words, the requiredarguments must always be listed first.With the example function just defined, anyof these will work:greet ($surname, $message);greet ('Zoe');greet ('Sam', 'Good evening');However, just greet( ) will not work.Also, there’s no way to pass $msg a valuewithout passing one to $name as well(argument values must be passed in order,and you can’t skip a required argument).To take advantage of default argumentvalues, let’s make a better version of thecreate_gallon_radio( ) function. Asoriginally written, the function only createsradio buttons with a name of gallon_price.It’d be better if the function could be usedmultiple times in a form, for multiple radiobutton groupings (although the functionwon’t be used like that in this script).To set default argument values:1. Open calculator.php (refer to Script3.8) in your text editor or IDE, if it isnot already.2. Change the function definition line(line 6) so that it takes a second,optional argument (Script 3.9):function create_radio($value,➝ $name = 'gallon_price') {continues on page 103Script 3.9 The redefined function now assumes a set radio button name unless one is specified when thefunction is called.1

Script 3.9 continued1516 // Complete the element:17 echo " /> $value ";1819 } // End of create_radio( ) function.2021 $page_title = 'Trip Cost Calculator';22 include ('includes/header.html');2324 // Check for form submission:25 if ($_SERVER['REQUEST_METHOD'] = = 'POST') {2627 // Minimal form validation:28 if (isset($_POST['distance'], $_POST['gallon_price'], $_POST['efficiency']) &&29 is_numeric($_POST['distance']) && is_numeric($_POST['gallon_price'])&& is_numeric($_POST['efficiency']) ) {3031 // Calculate the results:32 $gallons = $_POST['distance'] / $_POST['efficiency'];33 $dollars = $gallons * $_POST['gallon_price'];34 $hours = $_POST['distance']/65;3536 // Print the results:37 echo 'Total Estimated Cost38 The total cost of driving ' . $_POST['distance'] . ' miles, averaging ' . $_POST['efficiency'] . ' miles per gallon, and paying an average of $' . $_POST['gallon_price']. ' per gallon, is $' . number_format ($dollars, 2) . '. If you drive at an average of65 miles per hour, the trip will take approximately ' . number_format($hours, 2) . 'hours.';3940 } else { // Invalid submitted values.41 echo 'Error!42 Please enter a valid distance, price per gallon, and fuelefficiency.';43 }4445 } // End of main submission IF.4647 // Leave the PHP section and create the HTML form:48 ?>4950 Trip Cost Calculator51 52 Distance (in miles):

There are two changes here. First, thename of the function is changed to bereflective of its more generic nature.Second, the function now takes asecond argument, $name, although thatargument has a default value, whichmakes that argument optional when thefunction is called.3. Change the function definition so thatit uses the $name argument in lieu ofgallon_price:echo '

4. Change the function call lines:create_radio('3.00');create_radio('3.50');create_radio('4.00');The function calls must be changedto use the new function name. Butbecause the second argument has adefault value, it can be omitted in thesecalls. The end result is the same asexecuting this call—create_radio('4.00', 'gallon_price');—but now the function could be used tocreate other radio buttons as well.5. Save the file, place it in your Web directory,and test it in your Web browser D.To pass a function no value for anargument, use either an empty string (''),NULL, or FALSE.In the PHP manual, square brackets( [ ] ) are used to indicate a function’s optionalparameters E.D The addition ofthe second, optionalargument, has notaffected the functionalityof the function.E The PHP manual’s descriptionof the number_format( ) functionshows that only the first argumentis required.104 Chapter 3

Returning values from a functionThe final attribute of a user-definedfunction to discuss is that of returningvalues. Some, but not all, functions do this.For example, print will return either a 1 ora 0 indicating its success, whereas echowill not. As another example, the number_format( ) function returns a string, which isthe formatted version of a number (see Ein the previous section).To have a function return a value, use thereturn statement. This function mightreturn the astrological sign for a given birthmonth and day:function find_sign ($month, $day) {// Function code.return $sign;}A function can return a literal value (saya string or a number) or the value of avariable that has been determined withinthe function.When calling a function that returns avalue, you can assign the function resultto a variable:$my_sign = find_sign ('October', 23);or use it as an argument when callinganother function:echo find_sign ('October', 23);Let’s update the calculator.php script sothat it uses a function to determine the costof the trip.To have a function return a value:1. Open calculator.php (refer toScript 3.9) in your text editor or IDE,if it is not already.2. After the first function definition, begindefining a second function (Script 3.10):function calculate_trip_cost➝ ($miles, $mpg, $ppg) {The calculate_trip_cost( ) functiontakes three arguments: the distanceto be travelled, the average miles pergallon, and the average price per gallon.continues on page 107Script 3.10 Another user-defined function is added to the script. It performs the main calculation and returnsthe result.1

Script 3.10 continued1516 // Complete the element:17 echo " /> $value ";1819 } // End of create_radio( ) function.2021 // This function calculates the cost of the trip.22 // The function takes three arguments: the distance, the fuel efficiency, and the priceper gallon.23 // The function returns the total cost.24 function calculate_trip_cost($miles, $mpg, $ppg) {2526 // Get the number of gallons:27 $gallons = $miles/$mpg;2829 // Get the cost of those gallons:30 $dollars = $gallons/$ppg;3132 // Return the formatted cost:33 return number_format($dollars, 2);3435 } // End of calculate_trip_cost( ) function.3637 $page_title = 'Trip Cost Calculator';38 include ('includes/header.html');3940 // Check for form submission:41 if ($_SERVER['REQUEST_METHOD'] = = 'POST') {4243 // Minimal form validation:44 if (isset($_POST['distance'], $_POST['gallon_price'], $_POST['efficiency']) &&45 is_numeric($_POST['distance']) && is_numeric($_POST['gallon_price'])&& is_numeric($_POST['efficiency']) ) {4647 // Calculate the results:48 $cost = calculate_trip_cost($_POST['distance'], $_POST['efficiency'],$_POST['gallon_price']);49 $hours = $_POST['distance']/65;5051 // Print the results:52 echo 'Total Estimated Cost53 The total cost of driving ' . $_POST['distance'] . ' miles, averaging ' .$_POST['efficiency'] . ' miles per gallon, and paying an average of $' . $_POST['gallon_price'] . ' per gallon, is $' . $cost . '. If you drive at an average of65 miles per hour, the trip will take approximately ' . number_format($hours, 2). ' hours.';5455 } else { // Invalid submitted values.56 echo 'Error!57 Please enter a valid distance, price per gallon, and fuelefficiency.';58 }code continues on next page106 Chapter 3

3. Perform the calculations and return theformatted cost:$gallons = $miles/$mpg;$dollars = $gallons/$ppg;return number_format($dollars, 2);} // End of calculate_trip_cost( )➝ function.The first two lines are the samecalculations as the script used before,but now they use function variables.The last thing the function does isreturn a formatted version of thecalculated cost.4. Replace the two lines that calculate thecost (lines 32-33 of Script 3.9) with afunction call:$cost = calculate_trip_cost➝ ($_POST['distance'],➝ $_POST['efficiency'],➝ $_POST['gallon_price']);Invoking the function, while passingit the three required values, will performthe calculation. Since the functionreturns a value, the results of thefunction call—the returned value—can be assigned to a variable.continues on next pageScript 3.10 continued5960 } // End of main submission IF.6162 // Leave the PHP section and create the HTML form:63 ?>6465 Trip Cost Calculator66 67 Distance (in miles):

5. Change the echo statement to use thenew variable:echo 'Total Estimated CostThe total cost of driving➝' . $_POST['distance'] .➝' miles, averaging ' .➝ $_POST['efficiency'] . ' miles➝ per gallon, and paying an➝ average of $' . $_POST➝ ['gallon_price'] . ' per➝ gallon, is $' . $cost . '.➝ If you drive at an average of➝ 65 miles per hour, the trip➝ will take approximately '➝ . number_format($hours, 2) . '➝ hours.';The echo statement uses the $costvariable here, instead of $dollars (as inthe previous version of the script). Also,since the $cost variable is formattedwithin the function, the number_format( )function does not need to be appliedwithin the echo statement to this variable.6. Save the file, place it in your Web directory,and test it in your Web browser F.The return statement terminates thecode execution at that point, so any codewithin a function after an executed returnwill never run.A function can have multiple returnstatements (e.g., in a switch statement orconditional) but only one, at most, will ever beinvoked. For example, functions commonly dosomething like this:function some_function ( ) {if (/* condition */) {return TRUE;} else {return FALSE;}}To have a function return multiple values,use the array( ) function to return an arrayof values:return array ($var1, $var2);When calling a function that returns anarray, use the list( ) function to assign thearray elements to individual variables:list($v1, $v2) = some_function( );F The calculator now uses a user-defined function to calculate and return the trip’s cost.But this change has no impact on what the user sees.108 Chapter 3

Variable ScopeEvery variable in PHP has a scope to it, which is to say a realm in which the variable (andtherefore its value) can be accessed. For starters, variables have the scope of the page in whichthey reside. If you define $var, the rest of the page can access $var, but other pages generallycannot (unless you use special variables).Since included files act as if they were part of the original (including) script, variables defined beforean include( ) line are available to the included file (as you’ve already seen with $page_titleand header.html). Further, variables defined within the included file are available to the parent(including) script after the include( ) line.User-defined functions have their own scope: variables defined within a function are notavailable outside of it, and variables defined outside of a function are not available within it.For this reason, a variable inside of a function can have the same name as one outside of it butstill be an entirely different variable with a different value. This is a confusing concept for manybeginning programmers.To alter the variable scope within a function, you can use the global statement.function function_name( ) {global $var;}$var = 20;function_name( ); // Function call.In this example, $var inside of the function is now the same as $var outside of it. This means thatthe function $var already has a value of 20, and if that value changes inside of the function, theexternal $var’s value will also change.Another option for circumventing variable scope is to make use of the superglobals: $_GET,$_POST, $_REQUEST, etc. These variables are automatically accessible within your functions(hence, they are superglobal). You can also add elements to the $GLOBALS array to make themavailable within a function.All of that being said, it’s almost always best not to use global variables within a function. Functionsshould be designed so that they receive every value they need as arguments and return whatevervalue (or values) need to be returned. Relying upon global variables within a function makes themmore context-dependent, and consequently less useful.Creating Dynamic Web Sites 109

Review and pursueIf you have any problems with thereview questions or the pursue prompts,turn to the book’s supporting forum(www.LarryUllman.com/forums/).nnWhat is the syntax for defining afunction that takes arguments withdefault values? How do default valuesimpact how the function can be called?How do you define and call a functionthat returns a value?ReviewnnnnnnnnnWhat is an absolute path? What is arelative path?What is the difference betweeninclude( ) and require( )?What is the difference betweeninclude( ) and include_once( )?Which function should you generallyavoid using and why?Why does it not matter what extensionis used for an included file?What is the significance of the$_SERVER['REQUEST_METHOD'] value?How do you make the following formelements sticky?> Text input> Select menu> Radio button> Check box> TextareaIf you have a PHP error caused by codeplaced within an HTML tag, where mustyou look to find the error message?What is the syntax for defining yourown function?What is the syntax for defining afunction that takes arguments?pursuennnnnnCreate a new HTML template for thepages in this chapter. Use that newtemplate as the basis for new headerand footer files. By doing so, you shouldbe able to change the look of the entiresite without modifying any of thePHP scripts.Create a new form and give it the abilityto be “sticky”. Have the form use a textareaand a check box (neither of whichis demonstrated in this chapter).Change calculator.php so that it usesa constant in lieu of the hard-coded averagespeed of 65. (As written, the averagespeed is a “magic number”: a valueused in a script without explanation.)Better yet, modify calculator.php sothat the user can enter the averagespeed or select it from a list of options.Update the output of calculator.phpso that it displays the number of daysand hours the trip will take, when thenumber of hours is greater than 24.As a more advanced trick, rewritecalculator.php so that the create_radio( ) function call is only in thescript once, but still creates three radiobuttons. Hint: Use a loop.110 Chapter 3

4Introductionto MySQLBecause this book discusses how to integrateseveral technologies (primarily PHP,SQL, and MySQL), a solid understandingof each individually is important beforeyou begin writing PHP scripts that use SQLto interact with MySQL. This chapter is adeparture from its predecessors in that ittemporarily leaves PHP behind to delveinto MySQL.MySQL is the world’s most popular opensourcedatabase application (accordingto MySQL’s Web site, www.mysql.com) andis commonly used with PHP. The MySQLsoftware comes with the database server(which stores the actual data), differentclient applications (for interacting with thedatabase server), and several utilities. Inthis chapter you’ll see how to define a simpletable using MySQL’s allowed data typesand other properties. Then you’ll learn howto interact with the MySQL server usingtwo different client applications. All of thisinformation will be the foundation for theSQL taught in the next chapter.in This ChapterNaming Database Elements 112Choosing Your Column Types 114Choosing Other Column Properties 118Accessing MySQL 121Review and Pursue 128

naming DatabaseelementsBefore you start working with databases,you have to identify your needs. Thepurpose of the application (or Web site,in this case) dictates how the databaseshould be designed. With that in mind,the examples in this chapter and the nextwill use a database that stores some userregistration information.When creating databases and tables, youshould come up with names (formally calledidentifiers) that are clear, meaningful, andeasy to type. Also, identifiersnnnnnShould only contain letters, numbers,and the underscore (no spaces)Should not be the same as an existingkeyword (like an SQL term or a functionname)Should be treated as case-sensitiveCannot be longer than 64 characters(approximately)Must be unique within its realmThis last rule means that a table cannothave two columns with the same name anda database cannot have two tables withthe same name. You can, however, use thesame column name in two different tablesin the same database (in fact, you often willdo this). As for the first three rules, I use theword should, as these are good policiesmore than exact requirements. Exceptionscan be made to these rules, but the syntaxfor doing so can be complicated. Abidingby these suggestions is a reasonablelimitation and will help avoid complications.To name a database’s elements:1. Determine the database’s name.This is the easiest and, arguably, leastimportant step. Just make sure thatthe database name is unique for thatMySQL server. If you’re using a hostedserver, your Web host will likely providea database name that may or may notinclude your account or domain name.For this first example, the database willbe called sitename, as the informationand techniques could apply to anygeneric site.2. Determine the table names.The table names just need to be uniquewithin this database, which shouldn’tbe a problem. For this example, whichstores user registration information, theonly table will be called users.112 Chapter 4

TABLe 4.1 users TableColumn NameExampleuser_id 834first_nameLarrylast_nameDavidemailld@example.compassemily07registration_date 2011-03-31 19:21:033. Determine the column names foreach table.The users table will have columnsto store a user ID, a first name, a lastname, an email address, a password,and the registration date. Table 4.1shows these columns, with sample data,using proper identifiers. As MySQLhas a function called password, I’vechanged the name of that column tojust pass. This isn’t strictly necessarybut is really a good idea.Chapter 6, “Database Design,” discussesdatabase design in more detail, using morecomplex examples.To be precise, the length limit for thenames of databases, tables, and columns isactually 64 bytes, not characters. While mostcharacters in many languages require 1 byteapiece, it’s possible to use a multi byte characterin an identifier. But 64 bytes is still a lotof space, so this probably won’t be an issuefor you.Whether or not an identifier in MySQLis case-sensitive actually depends upon manythings (because each database is actually afolder on the server and each table is actuallyone or more files). On Windows and normallyon Mac OS X, database and table names aregenerally case-insensitive. On Unix and someMac OS X setups, they are case-sensitive.Column names are always case-insensitive.It’s really best, in my opinion, to always useall lowercase letters and work as if casesensitivityapplied.Introduction to MySQL 113

Choosing YourColumn TypesOnce you have identified all of the tablesand columns that the database will need,you should determine each column’sdata type. When creating a table, MySQLrequires that you explicitly state what sortof information each column will contain.There are three primary types, which istrue for almost every database application:nnnText (aka strings)NumbersDates and timesWithin each of these, there are manyvariants—some of which are MySQL specific—you can use. Choosing your column typescorrectly not only dictates what informationcan be stored and how but also affects thedatabase’s overall performance. Table 4.2lists most of the available types for MySQL,how much space they take up, and briefdescriptions of each type. Note that someof these limits may change in differentversions of MySQL, and the character set(to be discussed in Chapter 6) may alsoimpact the size of the text types.Many of the types can take an optionalLength attribute, limiting their size. (Thesquare brackets, [ ], indicate an optionalparameter to be put in parentheses.) Forperformance purposes, you should placesome restrictions on how much data canbe stored in any column. But understandthat attempting to insert a string fivecharacters long into a CHAR(2) columnwill result in truncation of the final threecharacters (only the first two characterswould be stored; the rest would belost forever). This is true for any field inwhich the size is set (CHAR, VARCHAR, INT,etc.). Thus, your length should alwayscorrespond to the maximum possible value(as a number) or longest possible string (astext) that might be stored.The various date types have all sorts ofunique behaviors, the most important ofwhich you’ll learn in this book (all of thebehaviors are documented in the MySQLmanual). You’ll use the DATE and TIME fieldsprimarily without modification, so you neednot worry too much about their intricacies.There are also two special types—ENUMand SET—that allow you to define a seriesof acceptable values for that column. AnENUM column can store only one value of apossible several thousand, while SET allowsfor several of up to 64 possible values.These are available in MySQL but aren’tpresent in every database application.114 Chapter 4

TABLe 4.2 MySQL Data TypesType Size DescriptionCHAR[Length] Length bytes A fixed-length field from 0 to 255characters longVARCHAR[Length] String length + 1 or 2 bytes A variable-length field from 0 to 65,535characters longTINYTEXT String length + 1 bytes A string with a maximum length of255 charactersTEXT String length + 2 bytes A string with a maximum length of65,535 charactersMEDIUMTEXT String length + 3 bytes A string with a maximum length of16,777,215 charactersLONGTEXT String length + 4 bytes A string with a maximum length of4,294,967,295 charactersTINYINT[Length] 1 byte Range of –128 to 127 or 0 to255 unsignedSMALLINT[Length] 2 bytes Range of –32,768 to 32,767 or 0 to65,535 unsignedMEDIUMINT[Length] 3 bytes Range of –8,388,608 to 8,388,607or 0 to 16,777,215 unsignedINT[Length] 4 bytes Range of –2,147,483,648 to 2,147,483,647or 0 to 4,294,967,295BIGINT[Length] 8 bytes Range of –9,223,372,036,854,775,808to 9,223,372,036,854,775,807 or 0 to18,446,744,073,709,551,615 unsignedFLOAT[Length, Decimals] 4 bytes A small number with a floatingdecimal pointDOUBLE[Length, Decimals] 8 bytes A large number with a floatingdecimal pointDECIMAL[Length, Decimals] Length + 1 or 2 bytes A DOUBLE stored as a string, allowing fora fixed decimal pointDATE 3 bytes In the format of YYYY-MM-DDDATETIME 8 bytes In the format of YYYY-MM-DD HH:MM:SSTIMESTAMP 4 bytes In the format of YYYYMMDDHHMMSS;acceptable range starts in 1970 andends in the year 2038TIME 3 bytes In the format of HH:MM:SSENUM 1 or 2 bytes Short for enumeration, which means thateach column can have one of severalpossible valuesSET 1, 2, 3, 4, or 8 bytes Like ENUM except that each columncan have more than one of severalpossible valuesIntroduction to MySQL 115

To select the column types:1. Identify whether a column shouldbe a text, number, or date/time type(Table 4.3).This is normally an easy and obviousstep, but you want to be as specific aspossible. For example, the date 2006-08-02 (MySQL format) could be storedas a string—August 2, 2006. But if youuse the proper date format, you’ll havea more useful database (and, as you’llsee, there are functions that can turn2006-08-02 into August 2, 2006).2. Choose the most appropriate subtypefor each column (Table 4.4).For this example, the user_id is set asa MEDIUMINT, allowing for up to nearly17 million values (as an unsigned,or non-negative, number). Theregistration_date will be a DATETIME.It can store both the date and thespecific time a user registered. Whendeciding among the date types, considerwhether or not you’ll want toaccess just the date, the time, or possiblyboth. If unsure, err on the side ofstoring too much information.The other fields will be mostly VARCHAR,since their lengths will differ fromrecord to record. The only exception isthe password column, which will be afixed-length CHAR (you’ll see why wheninserting records in the next chapter).See the sidebar “CHAR vs. VARCHAR” formore information on these two types.TABLe 4.3 users TableColumn Nameuser_idfirst_namelast_nameemailpassregistration_dateTABLe 4.4 users TableColumn Nameuser_idfirst_namelast_nameemailpassregistration_dateTABLe 4.5 users TableColumn Nameuser_idfirst_namelast_nameemailpassregistration_dateTypenumbertexttexttexttextdate/timeTypeMEDIUMINTVARCHARVARCHARVARCHARCHARDATETIMETypeMEDIUMINTVARCHAR(20)VARCHAR(40)VARCHAR(60)CHAR(40)DATETIME116 Chapter 4

CHAR vs. VARCHARBoth of these types store strings andcan be set with a maximum length. Theprimary difference between the twois that anything stored as a CHAR willalways be stored as a string the lengthof the column (using spaces to pad it;these spaces will be removed whenyou retrieve the stored value from thedatabase). Conversely, strings storedin a VARCHAR column will require onlyas much space as the string itself. Sothe word cat in a VARCHAR(10) columnrequires 4 bytes of space (the lengthof the string plus 1), but in a CHAR(10)column, that same word requires 10 bytesof space. Hence, generally speaking,VARCHAR columns tend to require lessdisk space than CHAR columns.However, databases are normally fasterwhen working with fixed-size columns,which is an argument in favor of CHAR.And that same three-letter word—cat—in a CHAR(3) only uses 3 bytes but in aVARCHAR(10) requires 4. So how do youdecide which to use?If a string field will always be of aset length (e.g., a state abbreviation),use CHAR; otherwise, use VARCHAR.You may notice, though, that in somecases MySQL defines a column as theone type (like CHAR) even though youcreated it as the other (VARCHAR). This isperfectly normal and is MySQL’s way ofimproving performance.3. Set the maximum length for textcolumns (Table 4.5).The size of any field should berestricted to the smallest possible value,based upon the largest possible input.For example, if a column stores a stateabbreviation, it would be defined as aCHAR(2). Other times you might haveto guess somewhat: I can’t think ofany first names longer than about 10characters, but just to be safe I’ll allowfor up to 20.The length attribute for numeric typesdoes not affect the range of values that canbe stored in the column. Columns defined asTINYINT(1) or TINYINT(20) can store theexact same values. Instead, for integers, thelength dictates the display width; for decimals,the length is the total number of digits thatcan be stored.If you need absolute precision whenusing non-integers, DECIMAL is preferredover FLOAT or DOUBLE.MySQL has a BOOLEAN type, which isjust a TINYINT(1), with 0 meaning FALSEand 1 meaning TRUE.Many of the data types have synonymousnames: INT and INTEGER, DECand DECIMAL, etc.Depending upon the version of MySQLin use, the TIMESTAMP field type is automaticallyset as the current date and time when anINSERT or UPDATE occurs, even if no value isspecified for that particular field. If a table hasmultiple TIMESTAMP columns, only the first onewill be updated when an INSERT or UPDATEis performed.MySQL also has several variants onthe text types that allow for storing binarydata. These types are BINARY, VARBINARY,TINYBLOB, MEDIUMBLOB, and LONGBLOB.Such types can be used for storing files orencrypted data.Introduction to MySQL 117

Choosing otherColumn propertiesBesides deciding what data types and sizesyou should use for your columns, you shouldconsider a handful of other properties.First, every column, regardless of type, canbe defined as NOT NULL. The NULL value, indatabases and programming, is equivalentto saying that the field has no known value.Ideally, in a properly designed database,every column of every row in every tableshould have a value, but that isn’t alwaysthe case. To force a field to have a value,add the NOT NULL description to its columntype. For example, a required dollaramount can be described ascost DECIMAL(5,2) NOT NULLindexes, Keys, and AuTo_inCReMenTTwo concepts closely related to database design are indexes and keys. An index in a database isa way of requesting that the database keep an eye on the values of a specific column or combinationof columns (loosely stated). The end result of this is improved performance when retrievingrecords but marginally hindered performance when inserting records or updating them.A key in a database table is integral to the “normalization” process used for designing morecomplicated databases (see Chapter 6). There are two types of keys: primary and foreign. Eachtable should have exactly one primary key, and the primary key in one table is often linked as aforeign key in another.A table’s primary key is an artificial way to refer to a record and has to abide by three rules:1. It must always have a value.2. That value must never change.3. That value must be unique for each record in the table.In the users table, the user_id will be designated as a PRIMARY KEY, which is both a descriptionof the column and a directive to MySQL to index it. Since the user_id is a number (which primarykeys almost always will be), the AUTO_INCREMENT description is also added to the column, whichtells MySQL to use the next-highest number as the user_id value for each added record. You’llsee what this means in practice when you begin inserting records.118 Chapter 4

When creating a table, you can also specifya default value for any column, regardlessof type. In cases where a majority of therecords will have the same value for acolumn, presetting a default will saveyou from having to specify a value wheninserting new rows (unless that row’s valuefor that column is different from the norm).gender ENUM('M', 'F') default 'F'With the gender column, if no value isspecified when adding a record, thedefault will be used.If a column does not have a default valueand one is not specified for a new record,that field will be given a default valuebased upon its type. For numeric types,the default value is 0. For most date andtime types, the type’s version of “zero”will be the default (e.g., 0000-00-00).The first TIMESTAMP column in a table willhave a default value of the current dateand time. String types use an empty string('') as the default value, except for ENUM,whose default value (again, if not otherwisespecified) is the first possible enumeratedvalue (M in the above example).The number types can be marked asUNSIGNED, which limits the stored datato positive numbers and zero. This alsoeffectively doubles the range of positivenumbers that can be stored (because nonegative numbers will be kept, see Table 4.2).You can also flag the number types asZEROFILL, which means that any extra roomwill be padded with zeros (ZEROFILLs arealso automatically UNSIGNED).Finally, when designing a database, you’llneed to consider creating indexes, addingkeys, and using the AUTO_INCREMENT property.Chapter 6 discusses these conceptsin greater detail, but in the meantime,check out the sidebar “Indexes, Keys, andAUTO_INCREMENT” to learn how they affectthe users table.To finish defining your columns:1. Identify your primary key.The primary key is quixotically botharbitrary and critically important. Almostalways a number value, the primary keyis a unique way to refer to a particularrecord. For example, your phone numberhas no inherent value but is unique toyou (your home or mobile phone).In the users table, the user_id will bethe primary key: an arbitrary numberused to refer to a row of data. Again,Chapter 6 will go into the concept ofprimary keys in more detail.2. Identify which columns cannot havea NULL value.In this example, every field is required(cannot be NULL). As an example of acolumn that could have NULL values,if you stored peoples’ addresses,you might have address_line1 andaddress_line2, with the latter onebeing optional. In general, tables thathave a lot of NULL values suggesta poor design (more on this in…youguessed it…Chapter 6).continues on next pageIntroduction to MySQL 119

3. Make any numeric type UNSIGNED if itwon’t ever store negative numbers.The user_id, which will be a number,should be UNSIGNED so that it’s alwayspositive (primary keys should beunsigned). Other examples of UNSIGNEDnumbers would be the price of items inan e-commerce example, a telephoneextension for a business, or a zip code.4. Establish the default value for any column.None of the columns here logicallyimplies a default value.5. Confirm the final column definitions(Table 4.6).Before creating the tables, you shouldrevisit the type and range of data you’llstore to make sure that your databaseeffectively accounts for everything.TABLe 4.6 users TableColumn Nameuser_idfirst_namelast_nameemailpassregistration_dateTypeMEDIUMINT UNSIGNEDNOT NULLVARCHAR(20) NOT NULLVARCHAR(40) NOT NULLVARCHAR(60) NOT NULLCHAR(40) NOT NULLDATETIME NOT NULLText columns can also have definedcharacter sets and collations. This will meanmore…in Chapter 6.Default values must always be a staticvalue, not the result of executing a function,with one exception: the default valuefor a TIMESTAMP column can be assigned asCURRENT_TIMESTAMP.TEXT columns cannot be assigneddefault values.120 Chapter 4

Accessing MySQLIn order to create tables, add records, andrequest information from a database, somesort of client is necessary to communicatewith the MySQL server. Later in thebook, PHP scripts will act in this role, butbeing able to use another interface isnecessary. Although there are oodles ofclient applications available, I’ll focus ontwo: the mysql client and the Web-basedphpMyAdmin. A third option, the MySQLQuery Browser, is not discussed in thisbook but can be found at the MySQL Website (www.mysql.com), should you not besatisfied with these two choices.The rest of this chapter assumes you haveaccess to a running MySQL server. If youare working on your own computer, seeAppendix A, “Installation,” for instructionson installing MySQL, starting MySQL, andcreating MySQL users (all of which mustalready be done in order to finish thischapter). If you are using a hosted server,your Web host should provide you withthe database access. Depending uponthe hosting, you may be provided withphpMyAdmin, but not be able to use thecommand-line mysql client.using the mysql ClientThe mysql client is normally installed with therest of the MySQL software. Although themysql client does not have a pretty graphicalinterface, it’s a reliable, standard tool that’seasy to use and behaves consistently onmany different operating systems.The mysql client is accessed from acommand-line interface, be it the Terminalapplication in Linux or Mac OS X A, ora DOS prompt in Windows B. If you’renot comfortable with command-line interactions,you might find this interface to bechallenging, but it becomes easy to use inno time.To start the application from the commandline, type its name and press Return or Enter:mysqlDepending upon the server (or yourcomputer), you may need to enter the full pathin order to start the application. For example:/Applications/MAMP/Library/bin/mysql(Mac OS X, using MAMP)C:\xampp\mysql\bin\mysql (Windows,using XAMPP)When invoking this application, you can addarguments to affect how it runs. The mostcommon arguments are the username,continues on next pageA A Terminalwindow inMac OS X.B A WindowsDOS prompt orconsole (althoughthe default is forwhite text on ablack background).Introduction to MySQL 121

password, and hostname (computer name,URL, or IP address) you want to connectusing. You establish these arguments like so:mysql -u username -h hostname –pThe -p option will cause the client to promptyou for the password. You can also specifythe password on this line if you prefer—by typing it directly after the -p prompt—but it will be visible, which is insecure. The-h hostname argument is optional, andyou can leave it off unless you cannot connectto the MySQL server without it.Within the mysql client, every statement(SQL command) needs to be terminatedby a semicolon. These semicolons are anindication to the client that the query iscomplete and should be run. The semicolonsare not part of the SQL itself (this is acommon point of confusion). What this alsomeans is that you can continue the sameSQL statement over several lines within themysql client, which makes it easier to readand to edit, should that be necessary.As a quick demonstration of accessing andusing the mysql client, these next stepswill show you how to start the mysql client,select a database to use, and quit theclient. Before following these steps,nnThe MySQL server must be running.You must have a username andpassword with proper access.Both of these ideas are explained inAppendix A.As a side note, in the following steps andthroughout the rest of the book, I willcontinue to provide images using the mysqlclient on both Windows and Mac OS X.While the appearance differs, the steps andresults will be identical. So in short, don’t beconcerned about why one image shows theDOS prompt and the next a Terminal.To use the mysql client:1. Access your system from a commandlineinterface.On Unix systems and Mac OS X, this isjust a matter of bringing up the Terminalor a similar application.If you are using Windows and installedMySQL on your computer, choose Runfrom the Start menu (or press WindowsKey+R), type cmd in the window C, andpress Enter (or click OK) to bring up aDOS prompt.2. Invoke the mysql client, using theappropriate command D./path/to/mysql/bin/mysql -u➝ username -pThe /path/to/mysql part of this stepwill be largely dictated by the operatingsystem you are running and whereMySQL was installed. I’ve alreadyC Executing cmd within the Run prompt in Windowsis one way to access a DOS prompt interface.D Access the mysql client by entering the fullpath to the utility, along with the proper arguments.122 Chapter 4

provided two options, based uponinstallations of MAMP on Mac OS X orXAMPP on Windows (both are installedin Appendix A).The basic premise is that you arerunning the mysql client, connectingas username, and requesting to beprompted for the password. Not tooverstate the point, but the usernameand password values that you use mustalready be established in MySQL as avalid user (see Appendix A).3. Enter the password at the prompt andpress Return/Enter.The password you use here shouldbe for the user you specified in thepreceding step. If you used the properusername/password combination (i.e.,someone with valid access), you shouldbe greeted as shown in E. If accessis denied, you’re probably not usingthe correct values (see Appendix A forinstructions on creating users).4. Select the database you want to use F.USE test;The USE command selects the databaseto be used for every subsequentcommand. The test database isone that MySQL installs by default.Assuming it exists on your server, allusers should be able to access it.continues on next pageE If you are successfully able to log in, you’ll see a welcome message like this.F After getting into the mysql client, run a USE command to choose thedatabase with which you want to work.Introduction to MySQL 123

5. Quit out of mysql G.exitYou can also use the command quit toleave the client. This step—unlike mostother commands you enter in the mysqlclient—does not require a semicolon atthe end.6. Quit the Terminal or DOS console session.exitThe command exit will terminate thecurrent session. On Windows, it will alsoclose the DOS prompt window.If you know in advance which databaseyou will want to use, you can simplify mattersby starting mysql with/path/to/mysql/bin/mysql -u username-p databasenameTo see what else you can do with themysql client, type/path/to/mysql/bin/mysql --helpThe mysql client on most systems allowsyou to use the up and down arrows to scrollthrough previously entered commands. If youmake a mistake in typing a query, you canscroll up to find it, and then correct the error.In the mysql client, you can also terminateSQL commands using \G instead of thesemicolon. For queries that return results,using \G displays those results as a verticallist, as opposed to a horizontal table, which issometimes easier to peruse.If you are in a long statement and makea mistake, cancel the current operation bytyping c and pressing Return or Enter. If mysqlthinks a closing single or double quotationmark is missing (as indicated by the '> and ">prompts), you’ll need to enter the appropriatequotation mark first.using phpMyAdminphpMyAdmin (www.phpmyadmin.net) is oneof the best and most popular applicationswritten in PHP. Its sole purpose is toprovide an interface to a MySQL server. It’ssomewhat easier and more natural to usethan the mysql client but requires a PHPinstallation and must be accessed througha Web browser. If you’re running MySQLon your own computer, you might find thatusing the mysql client makes more sense,as installing and configuring phpMyAdminconstitutes unnecessary extra work(although all-in-one PHP and MySQLinstallers may do this for you). If using ahosted server, your Web host is virtuallyguaranteed to provide phpMyAdmin as theprimary way to work with MySQL and themysql client may not be an option.Using phpMyAdmin isn’t hard, but the nextsteps run through the basics so that you’llknow what to do in the following chapters.G Type either exit or quit to terminate your MySQL session andleave the mysql client.124 Chapter 4

To use phpMyAdmin:1. Access phpMyAdmin through yourWeb browser H.The URL you use will depend uponyour situation. If running on yourown computer, this might be http://localhost/phpMyAdmin/. If runningon a hosted site, your Web host willprovide you with the proper URL. Inall likelihood, phpMyAdmin would beavailable through the site’s controlpanel (should one exist).Note that phpMyAdmin will only work ifit’s been properly configured to connectto MySQL with a valid username/password/hostname combination. Ifyou see a message like the one in I,you’re probably not using the correctvalues (see Appendix A for instructionson creating users).continues on next pageH The first phpMyAdmin page (when connected as a MySQL user that can accessmultiple databases).I Every client applicationrequires a proper username/password/hostname combinationin order to interact with theMySQL server.Introduction to MySQL 125

2. If possible and necessary, use the list onthe left to select a database to use J.What options you have here willvary depending upon what MySQLuser phpMyAdmin is connecting as.That user might have access to onedatabase, several databases, or everydatabase. On a hosted site where youhave just one database, that databasewill probably already be selectedfor you. On your own computer, withphpMyAdmin connecting as the MySQLroot user, you would see a pull-downmenu or a simple list of availabledatabases J.3. Click on a table name in the left columnto select that table K.You don’t always have to select atable—in fact you never will if you justuse the SQL commands in this book, butdoing so can often simplify some tasks.4. Use the tabs and links (on the right sideof the page) to perform common tasks.For the most part, the tabs and links areshortcuts to common SQL commands.For example, the Browse tab performs aSELECT query and the Insert tab createsa form for adding new records.J Use the listof databases onthe left side ofthe window tochoose with whichdatabase youwant to work. Thisis the equivalentof running a USEdatabasenamequery within themysql client.K Selecting a tablefrom the left columnchanges the optionson the right side ofthe page.126 Chapter 4

5. Use the SQL tab L or the SQL querywindow M to enter SQL commands.The next three chapters, and a couplemore later in the book, will provide SQLcommands that must be run to create,populate, and manipulate tables. Thesemight look likeINSERT INTO tablename (col1, col2)➝ VALUES (x, y)These commands can be run usingthe mysql client, phpMyAdmin, or anyother interface. To run them withinphpMyAdmin, just enter them into oneof the SQL prompts and click Go.There’s a lot more that can be done withphpMyAdmin, but full coverage would requirea chapter in its own right (and a long chapterat that). The information presented here will beenough for you to follow any of the examplesin the book, should you not want to use themysql client.phpMyAdmin can be configured to use aspecial database that will record your query history,allow you to bookmark queries, and more.See the phpMyAdmin documentation for details.One of the best reasons to use php-MyAdmin is to transfer a database from onecomputer to another. Use the Export tabin phpMyAdmin connected to the sourcecomputer to create a file of data. Then, onthe destination computer, use the Import tabin phpMyAdmin (connected to that MySQLserver) to complete the transfer.L The SQL tab, in themain part of the window,can be used to run anySQL command.M The SQL window can also beused to run commands. It popsup after clicking the SQL iconat the top of the left side of thebrowser (see the second iconfrom the left in K ).Introduction to MySQL 127

Review and pursueIf you have any problems with thereview questions or the pursue prompts,turn to the book’s supporting forum(www.LarryUllman.com/forums/).ReviewnnnnnnnnnWhat version of MySQL are you using?If you don’t know, find out now!What characters can be used indatabase, table, and column names?Should you treat database, table, andcolumn names as case-sensitive orcase-insensitive?What are the three general columntypes?What are the differences betweenCHAR and VARCHAR?How do you determine what size (interms of subtype or length) a columnshould be?What are some of the other propertiesthat can be assigned to columns?What is a primary key?If you’re using the command-line mysqlclient to connect to MySQL, whatusername and password combinationis required?pursuennnFind the online MySQL manual for yourversion of MySQL. Bookmark it!Start thinking about what databasesyou may need for your projects.If you haven’t yet changed the MySQLroot user password (assuming you’veinstalled MySQL on your own computer),use the instructions inAppendix A to do so now.128 Chapter 4

5Introductionto SQLThe preceding chapter provides a quickintroduction to MySQL. The focus thereis on two topics: using MySQL’s rules anddata types to define a database, and howto interact with the MySQL server. Thischapter moves on to the lingua franca ofdatabases: SQL.SQL, short for Structured Query Language,is a group of special words used exclusivelyfor interacting with databases. SQL issurprisingly easy to learn and use, and yet,amazingly powerful. In fact, the hardest thingto do in SQL is use it to its full potential!In this chapter you’ll learn all the SQL youneed to know to create tables, populatethem, and run other basic queries. Theexamples will all use the users tablediscussed in the preceding chapter. Also,as with that other chapter, this chapterassumes you have access to a runningMySQL server and know how to use aclient application to interact with it.in This ChapterCreating Databases and Tables 130Inserting Records 133Selecting Data 138Using Conditionals 140Using LIKE and NOT LIKE 143Sorting Query Results 145Limiting Query Results 147Updating Data 149Deleting Data 151Using Functions 153Review and Pursue 164

Creating Databasesand TablesThe first logical use of SQL will be to createa database. The syntax for creating a newdatabase is simplyCREATE DATABASE databasenameThat’s all there is to it (as I said, SQL is easyto learn)!The CREATE term is also used for makingtables:CREATE TABLE tablename (column1name description,column2name description…)As you can see from this syntax, after namingthe table, you define each column withinparentheses. Each column-descriptionpair should be separated from the next bya comma. Should you choose to createindexes at this time, you can add those atthe end of the creation statement, but youcan add indexes at a later time as well.(Indexes are more formally discussed inChapter 6, “Database Design,” but Chapter 4,“Introduction to MySQL,” introduced the topic.)In case you were wondering, SQL is caseinsensitive.However, I make it a habitto capitalize the SQL keywords as in thepreceding example syntax and the followingsteps. Doing so helps to contrast theSQL terms from the database, table, andcolumn names.To create databases and tables:1. Access MySQL using whichever clientyou prefer.Chapter 4 shows how to use two ofthe most common interfaces—themysql command-line client andphpMyAdmin—to communicate with aMySQL server. Using the steps in thelast chapter, you should now connectto MySQL.Throughout the rest of this chapter,most of the SQL examples will beentered using the mysql client, but theywill work just the same in phpMyAdminor most other client tools.2. Create and select the new database A:CREATE DATABASE sitename;USE sitename;This first line creates the database(assuming that you are connected toMySQL as a user with permission tocreate new databases). The secondline tells MySQL that you want to workwithin this database from here onout. Remember that within the mysqlclient, you must terminate every SQLcommand with a semicolon, althoughthese semicolons aren’t technicallypart of SQL itself. If executing multiplequeries at once within phpMyAdmin,they should also be separated bysemicolons B. If running only asingle query within phpMyAdmin,no semicolons are necessary.A A new database,called sitename, iscreated in MySQL.It is then selectedfor future queries.130 Chapter 5

If you are using a hosting company’sMySQL, they will probably create thedatabase for you. In that case, just connectto MySQL and select the database.3. Create the users table C:CREATE TABLE users (user_id MEDIUMINT UNSIGNED NOT NULLAUTO_INCREMENT,first_name VARCHAR(20) NOT NULL,last_name VARCHAR(40) NOT NULL,email VARCHAR(60) NOT NULL,pass CHAR(40) NOT NULL,registration_date DATETIME NOT NULL,PRIMARY KEY (user_id));The design for the users table wasdeveloped in Chapter 4. There, thenames, types, and attributes of eachcolumn in the table are determinedbased upon a number of criteria (seethat chapter for more information).Here, that information is placed withinthe CREATE table syntax to actuallymake the table in the database.Because the mysql client will not run aquery until it encounters a semicolon(or \G or \g), you can enter statementsover multiple lines as in C (by pressingReturn or Enter at the end of each line).This often makes a query easier to readand debug. In phpMyAdmin, you canalso run queries over multiple lines,although they will not be executed untilyou click Go.continues on next pageB The same commandsfor creating and selectinga database can be runwithin phpMyAdmin’sSQL window.C This CREATE SQLcommand will makethe users table.Introduction to SQL 131

4. Confirm the existence of the table D:SHOW TABLES;SHOW COLUMNS FROM users;The SHOW command reveals the tablesin a database or the column names andtypes in a table.Also, you might notice in D that thedefault value for user_id is NULL,even though this column was definedas NOT NULL. This is actually correctand has to do with user_id being anautomatically incremented primary key.MySQL will often make minor changesto a column’s definition for betterperformance or other reasons.In phpMyAdmin, a database’s tablesare listed on the left side of the browserwindow, under the database’s name E.Click a table’s name to view itscolumns F.The rest of this chapter assumes thatyou are using the mysql client or comparabletool and have already selected the sitenamedatabase with USE.The order you list the columns when creatinga table has no functional impact, but there arestylistic suggestions for how to order them. I normallylist the primary-key column first, followedby any foreign-key columns (more on this subjectin the next chapter), followed by the rest of thecolumns, concluding with any date columns.When creating a table, you have theoption of specifying its type. MySQL supportsmany table types, each with its own strengthsand weaknesses. If you do not specify a tabletype, MySQL will automatically create the tableusing the default type for that MySQL installation.Chapter 6 discusses this in more detail.When creating tables and text columns,you have the option to specify its collation andcharacter set. Both come into play when usingmultiple languages or languages other thanthe default for the MySQL server. Chapter 6also covers these subjects.DESCRIBE tablename is the same statementas SHOW COLUMNS FROM tablename.D Confirm theexistence of, andcolumns in, atable using theSHOW command.E phpMyAdmin showsthat the sitenamedatabase contains onetable, named users.F phpMyAdmin shows a table’s definition on this screen(accessed by clicking the table’s name in the left-hand column).132 Chapter 5

inserting RecordsAfter a database and its table(s) have beencreated, you can start populating themusing the INSERT command. There are twoways that an INSERT query can be written.With the first method, you name thecolumns to be populated:INSERT INTO tablename (column1,➝ column2…) VALUES (value1, value2 …)INSERT INTO tablename (column4,➝ column8) VALUES (valueX, valueY)Using this structure, you can add rowsof records, populating only the columnsthat matter. The result will be that anycolumns not given a value will be treatedas NULL (or given a default value, if onewas defined). Note that if a column cannothave a NULL value (it was defined as NOTNULL) and does not have a default value,not specifying a value will cause an erroror warning A.The second format for inserting recordsis not to specify any columns at all but toinclude values for every one:INSERT INTO tablename VALUES (value1,➝ NULL, value2, value3, …)If you use this second method, you mustspecify a value, even if it’s NULL, for everycolumn. If there are six columns in thetable, you must list six values. Failure tomatch the number of values to the numberof columns will cause an error B. Forthis and other reasons, the first format ofinserting records is generally preferable.MySQL also allows you to insert multiplerows at one time, separating each recordby a comma.INSERT INTO tablename (column1,➝ column4) VALUES (valueA, valueB),(valueC, valueD),(valueE, valueF)continues on next pageA Failure to provide, or predefine, a value for a NOT NULL columnresults in errors or warnings.B Not providing a value for every column in a table, or named inan INSERT query, also causes an error.Introduction to SQL 133

While you can do this with MySQL, it isnot acceptable within the SQL standardand is therefore not supported by alldatabase applications. In MySQL, however,this syntax is faster than using individualINSERT queries.Note that in all of these examples,placeholders are used for the actualtable names, column names, and values.Furthermore, the examples forgo quotationmarks. In real queries, you must abideby certain rules to avoid errors (see the“Quotes in Queries” sidebar).To insert data into a table:1. Insert one row of data into the userstable, naming the columns to be populatedC:INSERT INTO users(first_name, last_name, email,➝ pass, registration_date)VALUES ('Larry', 'Ullman', 'email@➝ example.com', SHA1('mypass'),➝ NOW( ));Again, this syntax (where the specificcolumns are named) is more foolproof butnot always the most convenient. For thefirst name, last name, and email columns,simple strings are used for the values(and strings must always be quoted).Quotes in QueriesIn every SQL command:.Numeric values shouldn’t be quoted..String values (for CHAR, VARCHAR, andTEXT column types) must always bequoted..Date and time values must alwaysbe quoted..Functions cannot be quoted..The word NULL must not be quoted.Unnecessarily quoting a numeric valuenormally won’t cause problems (althoughyou still shouldn’t do it), but misusingquotation marks in the other situationswill almost always mess things up. Also,it does not matter if you use single ordouble quotation marks, so long as youconsistently pair them (an opening markwith a matching closing one).And, as with PHP, if you need to usea quotation mark in a value, eitheruse the other quotation mark type toencapsulate it or escape the mark bypreceding it with a backslash:INSERT INTO tablename (last_name)➝ VALUES ('O\'Toole')C This query inserts a single record into the users table. The 1 row affected messageindicates the success of the insertion.134 Chapter 5

Two MySQL FunctionsAlthough functions are discussed inmore detail later in this chapter, twoneed to be introduced at this time:SHA1( ) and NOW( ).The SHA1( ) function is one way toencrypt data. This function creates anencrypted string that is always exactly40 characters long (which is why theusers table’s pass column is definedas CHAR(40)). SHA1( ) is a one-wayencryption technique, meaning that itcannot be reversed (technically it’s ahashing function). It’s useful when youneed to store sensitive data that neednot be viewed in an unencrypted formagain. Because the output from SHA1( )cannot be decrypted, it’s obviously nota good choice for sensitive data thatshould be protected but later seen (likecredit card numbers). SHA1( ) is availableas of MySQL 5.0.2; if you are using anearlier version, you can use the MD5( )function instead. This function does thesame task, using a different algorithm,and returns a 32-character long string (ifusing MD5( ), your pass column could bedefined as a CHAR(32) instead).The NOW( ) function is handy forpopulating date, time, and timestampcolumns. It returns the current date andtime (on the server).For the password and registration datecolumns, two functions are being usedto generate the values (see the sidebar“Two MySQL Functions”). The SHA1( )function will encrypt the password(mypass in this example). The NOW( )function will set the registration_dateas this moment.When using any function in an SQLstatement, do not place it withinquotation marks. You also must nothave any spaces between the function’sname and the following parenthesis (soNOW( ) not NOW ( )).2. Insert one row of data into the userstable, without naming the columns D:INSERT INTO users VALUES(NULL, 'Zoe', 'Isabella',➝'email2@example.com',➝ SHA1('mojito'), NOW( ));In this second syntactical example,every column must be provided witha value. The user_id column is givena NULL value, which will cause MySQLto use the next logical number, per itsAUTO_INCREMENT description. In otherwords, the first record will be assigneda user_id of 1, the second, 2, and so on.continues on next pageD Another record is inserted into the table, this time by providing a value for every columnin the table.Introduction to SQL 135

3. Insert several values into the userstable E:INSERT INTO users (first_name,➝ last_name, email, pass,➝ registration_date) VALUES('John', 'Lennon', 'john@beatles.com',➝ SHA1('Happin3ss'), NOW( )),('Paul', 'McCartney',➝'paul@beatles.com',➝ SHA1('letITbe'), NOW( )),('George', 'Harrison',➝'george@beatles.com ',➝ SHA1('something'), NOW( )),('Ringo', 'Starr', 'ringo@beatles.com',➝ SHA1('thisboy'), NOW( ));Since MySQL allows you to insert multiplevalues at once, you can take advantageof this and fill up the table with records.4. Continue Steps 1 and 2 until you’vethoroughly populated the users table.Throughout the rest of this chapterI will be performing queries basedupon the records I entered into mydatabase. Should your database nothave the same specific records as mine,change the particulars accordingly.The fundamental thinking behind thefollowing queries should still applyregardless of the data, since thesitename database has a set columnand table structure.E This one query—which MySQL allows but other database applications will not—inserts several records intothe table at once.136 Chapter 5

On the downloads page of the book’ssupporting Web site (www.LarryUllman.com),you can download all of the SQL commandsfor the book. Using some of those commands,you can populate your users table exactly asI have.The term INTO in INSERT statements isoptional in MySQL.phpMyAdmin’s INSERT tab allows you toinsert records using an HTML form F.Depending upon the version of MySQLin use, failure to provide a value for a columnthat cannot be NULL may issue warnings withthe INSERT still working A, or issue errors,with the INSERT failing.You’ll occasionally see uses of thebacktick (`) in SQL commands. This character,found on the same key as the tilde (~), is differentthan a single quotation mark. The backtickis used to safely reference a table or columnname that might be the same as an existingkeyword.If MySQL warns you about the previousquery, the SHOW WARNINGS command willdisplay the problem A.An interesting variation on INSERT isREPLACE. If the value used for the table’sprimary key, or a UNIQUE index, alreadyexists, then REPLACE updates that row. Ifnot, REPLACE inserts a new row.F phpMyAdmin’s INSERT form shows a table’s columns and provides text boxes for entering values.The pull-down menu lists functions that can be used, like SHA1( ) for the password or NOW( ) for theregistration date.Introduction to SQL 137

Selecting DataNow that the database has somerecords in it, you can retrieve the storedinformation with the most used of all SQLterms, SELECT. A SELECT query returns rowsof records using the syntaxSELECT which_columns FROM which_tableThe simplest SELECT query isSELECT * FROM tablenameThe asterisk means that you want toretrieve every column. The alternativewould be to specify the columns to bereturned, with each separated from thenext by a comma:SELECT column1, column3 FROM tablenameThere are a few benefits to being explicitabout which columns are selected. The firstis performance: There’s no reason to fetchcolumns you will not be using. The secondis order: You can return columns in an orderother than their layout in the table. Third—andyou’ll see this later in the chapter—namingthe columns allows you to manipulate thevalues in those columns using functions.A The SELECT * FROM tablename query returns every column for every record stored in the table.138 Chapter 5

B Only two ofthe columns forevery recordin the table arereturned bythis query.C Many queries can berun without specifying adatabase or table. This queryselects the result of callingthe NOW( ) function, whichreturns the current date andtime (according to MySQL).To select data from a table:1. Retrieve all the data from the userstable A:SELECT * FROM users;This very basic SQL command willretrieve every column of every rowstored within that table.2. Retrieve just the first and last namesfrom users B:SELECT first_name, last_nameFROM users;Instead of showing the data from everycolumn in the users table, you can usethe SELECT statement to limit the resultsto only the fields you need.In phpMyAdmin, the Browse tab runsa simple SELECT query.You can actually use SELECT withoutnaming tables or columns. For example,SELECT NOW( ) C.The order in which you list columnsin your SELECT statement dictates the orderin which the values are presented (compareB with D).With SELECT queries, you can evenretrieve the same column multiple times,a feature that enables you to manipulatethe column’s data in many different ways.D If aSELECT queryspecifies thecolumns tobe returned,they’ll bereturned inthat order.Introduction to SQL 139

using ConditionalsThe SELECT query as used thus far willalways retrieve every record from atable. But often you’ll want to limit whatrows are returned, based upon certaincriteria. This can be accomplished byadding conditionals to SELECT queries.Conditionals use the SQL term WHEREand are written much as you’d write aconditional in PHP:SELECT which_columns FROM which_table➝ WHERE condition(s)Table 5.1 lists the most common operatorsyou would use within a conditional. Forexample, a simple equality check:SELECT name FROM peopleWHERE birth_date = '2011-01-26'The operators can be used together, alongwith parentheses, to create more complexexpressions:SELECT * FROM items WHERE(price BETWEEN 10.00 AND 20.00) AND(quantity > 0)SELECT * FROM cities WHERE(zip_code = 90210) OR (zip_code =➝ 90211)This last example could also be written as:SELECT * FROM cities WHEREzip_code IN (90210, 90211)To demonstrate using conditionals, let’srun some more SELECT queries on thesitename database. The examples thatfollow will be just a few of the nearlylimitless possibilities. Over the course ofthis chapter and the entire book you willsee how conditionals are used in all typesof queries.TABLe 5.1 MySQL OperatorsOperatorMeaning= Equals< Less than> Greater than= Greater than or equal to!= (also < >) Not equal toIS NOT NULLIS NULLIS TRUEIS FALSEBETWEENNOT BETWEENINNOT INOR (also ||)AND (also &&)NOT (also !)XORHas a valueDoes not have a valueHas a true valueHas a false valueWithin a rangeOutside of a rangeFound within a list of valuesNot found within a listof valuesWhere at least one of twoconditionals is trueWhere both conditionalsare trueWhere the condition isnot trueWhere only one of twoconditionals is true140 Chapter 5

To use conditionals:1. Select all of the users whose last nameis Simpson A:SELECT * FROM usersWHERE last_name = 'Simpson';This simple query returns every columnof every row whose last_name valueis Simpson. (Again, if the data in yourtable differs, you can change any ofthese queries accordingly.)2. Select just the first names of userswhose last name is Simpson B:SELECT first_name FROM usersWHERE last_name = 'Simpson';Here only one column (first_name) isbeing returned for each row. Althoughit may seem strange, you do not haveto select a column on which you areperforming a WHERE. The reason for thisis that the columns listed after SELECTdictate only what columns to return andthe columns listed in a WHERE dictatewhich rows to return.3. Select every column from every recordin the users table that does not have anemail address C:SELECT * FROM usersWHERE email IS NULL;The IS NULL conditional is the same assaying does not have a value. Keep inmind that an empty string is differentthan NULL and therefore would notmatch this condition. An empty stringwould, however, matchSELECT * FROM users WHERE email='';continues on next pageA All of the Simpsons who have registered.B Just the first names of all of theSimpsons who have registered.C No records are returned bythis query because the emailcolumn cannot have a NULLvalue. So this query did work; itjust had no matching records.Introduction to SQL 141

4. Select the user ID, first name, and lastname of all records in which the passwordis mypass D:SELECT user_id, first_name,➝ last_nameFROM usersWHERE pass = SHA1('mypass');Since the stored passwords wereencrypted with the SHA1( ) function,you can match a password by usingthat same encryption function in aconditional. SHA1( ) is case-sensitive, sothis query will work only if the passwords(stored vs. queried) match exactly.5. Select the user names whose user ID isless than 10 or greater than 20 E:SELECT first_name, last_nameFROM users WHERE(user_id < 10) OR (user_id > 20);This same query could also be written asSELECT first_name, last_name FROMusers WHERE user_idNOT BETWEEN 10 and 20;or evenSELECT first_name, last_name FROMusers WHERE user_id NOT IN(10, 11, 12, 13, 14, 15, 16, 17, 18,➝ 19, 20);D Conditionals can make use of functions, likeSHA1( ) here.E This query uses two conditions and theOR operator.You can perform mathematicalcalculations within your queries using themathematic addition (+), subtraction (-),multiplication (*), and division (/) characters.MySQL supports the keywords TRUEand FALSE, case-insensitive. Internally, TRUEevaluates to 1 and FALSE evaluates to 0. So,in MySQL, TRUE + TRUE equals 2.142 Chapter 5

Esing LiKe andnoT LiKeUsing numbers, dates, and NULLs inconditionals is a straightforward process,but strings can be trickier. You can checkfor string equality with a query such asSELECT * FROM usersWHERE last_name = 'Simpson'However, comparing strings in a moreliberal manner requires extra operatorsand characters. If, for example, you wantedto match a person’s last name that couldbe Smith or Smiths or Smithson, youwould need a more flexible conditional.This is where the LIKE and NOT LIKEterms come in. These are used—primarilywith strings—in conjunction with twowildcard characters: the underscore ( _ ),which matches a single character, andthe percentage sign (%), which matcheszero or more characters. In the last-nameexample, the query would beSELECT * FROM usersWHERE last_name LIKE 'Smith%'This query will return all rows whoselast_name value begins with Smith.Because it’s a case-insensitive search bydefault, it would also apply to names thatbegin with smith.To use LiKe:1. Select all of the records in which thelast name starts with Bank A:SELECT * FROM usersWHERE last_name LIKE 'Bank%';continues on next pageA The LIKE SQL term adds flexibility to your conditionals. This query matches any record where the lastname value begins with Bank.Introduction to SQL 143

2. Select the name for every recordwhose email address is not of theform something@authors.com B:SELECT first_name, last_nameFROM users WHEREemail NOT LIKE '%@authors.com';To rule out the presence of values in astring, use NOT LIKE with the wildcard.Queries with a LIKE conditional aregenerally slower because they can’t takeadvantage of indexes. Use LIKE and NOTLIKE only if you absolutely have to.The wildcard characters can be usedat the front and/or back of a string in yourqueries.B A NOT LIKE conditional returns recordsbased upon what a value does not contain.SELECT * FROM usersWHERE last_name LIKE ' _smith%'Although LIKE and NOT LIKE arenormally used with strings, they can alsobe applied to numeric columns.To use either the literal underscore or thepercentage sign in a LIKE or NOT LIKE query,you will need to escape it (by preceding thecharacter with a backslash) so that it is notconfused with a wildcard.The underscore can be used in combinationwith itself; as an example, LIKE ' __ 'would find any two-letter combination.In Chapter 7, “Advanced SQL and MySQL,”you’ll learn about FULLTEXT searches, whichcan be more useful than LIKE searches.144 Chapter 5

Sorting Query ResultsBy default, a SELECT query’s results will bereturned in a meaningless order (for manynew to databases, this is an odd concept).To give a meaningful order to a query’sresults, use an ORDER BY clause:SELECT * FROM tablename ORDER BY columnSELECT * FROM orders ORDER BY totalThe default order when using ORDER BYis ascending (abbreviated ASC), meaningthat numbers increase from small to large,dates go from oldest to most recent,and text is sorted alphabetically. You canreverse this by specifying a descendingorder (abbreviated DESC):SELECT * FROM tablenameORDER BY column DESCYou can even order the returned values bymultiple columns:SELECT * FROM tablenameORDER BY column1, column2You can, and frequently will, use ORDER BYwith WHERE or other clauses. When doingso, place the ORDER BY after the conditions:SELECT * FROM tablename WHERE conditionsORDER BY columnTo sort data:1. Select all of the users in alphabeticalorder by last name A:SELECT first_name, last_name FROMusers ORDER BY last_name;If you compare these results with thosein B in the “Selecting Data” section,you’ll see the benefits of using ORDER BY.2. Display all of the users in alphabeticalorder by last name and then first name B:SELECT first_name, last_name FROMusers ORDER BY last_name ASC,first_name ASC;continues on next pageA Therecords inalphabeticalorder bylast name.B Therecords inalphabeticalorder, first bylast name,and then byfirst namewithin that.Introduction to SQL 145

In this query, the effect would be thatevery row is returned, first ordered bythe last_name, and then by first_namewithin the last_names. The effect ismost evident among the Simpsons.3. Show all of the non-Simpson users bydate registered C:SELECT * FROM usersWHERE last_name != 'Simpson'ORDER BY registration_date DESC;You can use an ORDER BY on anycolumn type, including numbers anddates. The clause can also be used ina query with a conditional, placing theORDER BY after the WHERE.Because MySQL works naturally withany number of languages, the ORDER BY willbe based upon the collation being used (seeChapter 6).If the column that you choose to sorton is an ENUM type, the sort will be basedupon the order of the possible ENUM valueswhen the column was created. For example,if you have the column gender, defined asENUM('M', 'F'), the clause ORDER BY genderreturns the results with the M records first.C All of the users not named Simpson, displayed by date registered, with the most recent listed first.146 Chapter 5

A Using the LIMIT clause, a query can return aspecific number of records.Limiting Query ResultsAnother SQL clause that can be added tomost queries is LIMIT. In a SELECT query,WHERE dictates which records to return, andORDER BY decides how those records aresorted, but LIMIT states how many recordsto return. It is used like so:SELECT * FROM tablename LIMIT xIn such queries, only the initial x recordsfrom the query result will be returned. Toreturn only three matching records, use:SELECT * FROM tablename LIMIT 3Using this formatSELECT * FROM tablename LIMIT x, yyou can have y records returned, startingat x. To have records 11 through 20returned, you would writeSELECT * FROM tablename LIMIT 10, 10Like arrays in PHP, result sets begin at 0 whenit comes to LIMITs, so 10 is the 11th record.Because SELECT does not return results in anymeaningful order, you almost always want toapply an ORDER BY clause when using LIMIT.You can use LIMIT with WHERE and/or ORDERBY clauses, always placing LIMIT last:SELECT which_columns FROM tablename➝ WHEREconditions ORDER BY column LIMIT xTo limit the amount ofdata returned:1. Select the last five registered users A:SELECT first_name, last_nameFROM users ORDER BYregistration_date DESC LIMIT 5;To return the latest of anything, sortthe data by date, in descending order.Then, to see just the most recent five,add LIMIT 5 to the query.continues on next pageIntroduction to SQL 147

2. Select the second person to register B:SELECT first_name, last_nameFROM users ORDER BYregistration_date ASC LIMIT 1, 1;This may look strange, but it’s just agood application of the informationlearned so far. First, order all ofthe records by registration_dateascending, so the first people toregister would be returned first. Then,limit the returned results to start at 1(which is the second row) and to returnjust one record.B Thanks to the LIMIT clause, a query can evenreturn records from the middle of a group, usingthe LIMIT x, y format.The LIMIT x, y clause is most frequentlyused when paginating query results (showingthem in blocks over multiple pages). You’ll seethis in Chapter 10, “Common ProgrammingTechniques.”A LIMIT clause does not improve theexecution speed of a query, since MySQLstill has to assemble the entire result andthen truncate the list. But a LIMIT clause willminimize the amount of data to handle when itcomes to the mysql client or your PHP scripts.The LIMIT term is not part of the SQLstandard and is therefore (sadly) not availableon all databases.The LIMIT clause can be used with mosttypes of queries, not just SELECTs.148 Chapter 5

updating DataOnce tables contain some data, you havethe potential need to edit those existingrecords. This might be necessary ifinformation was entered incorrectly or ifthe data changes (such as a last name oremail address). The syntax for updatingrecords is:UPDATE tablename SET column=valueYou can alter multiple columns at a singletime, separating each from the next bya comma.UPDATE tablename SET column1=valueA,column5=valueB…You will almost always want to use a WHEREclause to specify what rows should beupdated:UPDATE tablename SET column2=valueWHERE column5=valueIf you don’t use a WHERE clause, thechanges would be applied to every record.Updates, along with deletions, are oneof the most important reasons to use aprimary key. This value—which shouldnever change—can be a reference pointin WHERE clauses, even if every other fieldneeds to be altered.To update a record:1. Find the primary key for the record tobe updated A:SELECT user_id FROM usersWHERE first_name = 'Michael'AND last_name='Chabon';In this example, I’ll change the emailfor this author’s record. To do so, Imust first find that record’s primary key,which this query accomplishes.2. Update the record B:UPDATE usersSET email='mike@authors.com'WHERE user_id = 18;To change the email address, use anUPDATE query, using the primary key(user_id) to specify to which record theupdate should apply. MySQL will reportupon the success of the query and howmany rows were affected.continues on next pageA Before updating a record, determinewhich primary key to use in the UPDATE’sWHERE clause.B This query altered the value of onecolumn in just one row.Introduction to SQL 149

3. Confirm that the change was made C:SELECT * FROM usersWHERE user_id=18;Although MySQL already indicated theupdate was successful B, it can’t hurtto select the record again to confirmthat the proper changes occurred.Be extra certain to use a WHEREconditional whenever you use UPDATE unlessyou want the changes to affect every row.If you run an update query thatdoesn’t actually change any values (likeUPDATE users SET first_name='mike'WHERE first_name='mike'), you won’tsee any errors but no rows will be affected.More recent versions of MySQL would showthat X rows matched the query but that 0 rowswere changed D.To protect yourself against accidentallyupdating too many rows, apply a LIMIT clauseto your UPDATEs:UPDATE users SET email='mike@authors.com' WHERE user_id = 18 LIMIT 1You should never perform an UPDATE ona primary-key column, because the primarykey value should never change. Altering thevalue of a primary key could have seriousrepercussions.To update a record in phpMyAdmin, youcan run an UPDATE query using the SQL windowor tab. Alternatively, run a SELECT queryto find the record you want to update, andthen click the pencil next to the record. Thiswill bring up a form similar to the insert form,where you can edit the record’s current values.C As a final step, you can confirm the update by selecting the record again.D Recent versions of MySQL will report upon both matchingand changed records for UPDATE queries.150 Chapter 5

Deleting DataAlong with updating existing records,another step you might need to takeis to entirely remove a record from thedatabase. To do this, you use the DELETEcommand:DELETE FROM tablenameThat command as written will delete everyrecord in a table, making it empty again.Once you have deleted a record, there isno way of retrieving it.In most cases you’ll want to deleteindividual rows, not all of them. To do so,apply a WHERE clause:DELETE FROM tablename WHERE conditionTo delete a record:1. Find the primary key for the record tobe deleted A:SELECT user_id FROM usersWHERE first_name='Peter'AND last_name='Tork';Just as in the UPDATE example, I firstneed to determine which primary keyto use for the delete.2. Preview what will happen when thedelete is made B:SELECT * FROM usersWHERE user_id = 8;A really good trick for safeguardingagainst errant deletions is to first runthe query using SELECT * instead ofDELETE. The results of this query willrepresent which row(s) will be affectedby the deletion.continues on next pageA The user_id value willbe used to refer to thisrecord in a DELETE query.B To preview the effect of a DELETE query, first run a syntactically similar SELECT query.Introduction to SQL 151

3. Delete the record C:DELETE FROM usersWHERE user_id = 8 LIMIT 1;As with the update, MySQL will reporton the successful execution of the queryand how many rows were affected. Atthis point, there is no way of reinstatingthe deleted records unless you backedup the database beforehand.Even though the SELECT query (Step 2and B) only returned the one row, justto be extra careful, a LIMIT 1 clause isadded to the DELETE query.4. Confirm that the change was made D:SELECT user_id FROM usersWHERE first_name='Peter'AND last_name='Tork';C Deleting one record from the table.D The record is no longer part ofthis table.The preferred way to empty a table is touse TRUNCATE:TRUNCATE TABLE tablenameTo delete all of the data in a table, as wellas the table itself, use DROP TABLE:DROP TABLE tablenameTo delete an entire database, includingevery table therein and all of its data, useDROP DATABASE databasename152 Chapter 5

AliasesAn alias is merely a symbolic renamingof an item used in a query, normallyapplied to tables, columns, or functioncalls. Aliases are created using theterm AS:SELECT registration_date AS regFROM usersAliases are case-sensitive stringscomposed of numbers, letters, and theunderscore but are normally kept to avery short length. As you’ll see in thefollowing examples, aliases are alsoreflected in the captions for the returnedresults. For the preceding example,the query results returned will containone column of data, named reg (notregistration_date).In MySQL, if you’ve defined an alias fora table or a column used in a query, theentire query should consistently use thatsame alias rather than the original name.For example,SELECT first_name AS name FROMusers WHERE name='Sam'This differs from standard SQL, whichdoesn’t support the use of aliases inWHERE conditionals.using FunctionsTo wrap up this chapter, you’ll learn abouta number of functions that you can usein your MySQL queries. You have alreadyseen two—NOW( ) and SHA1( )—but thoseare just the tip of the iceberg. Most of thefunctions you’ll see here are used withSELECT queries to format and alter thereturned data, but you may use MySQLfunctions in other types of queries as well.To apply a function to a column’s values,the query would look like:SELECT FUNCTION(column) FROM tablenameTo apply a function to one column’s valueswhile also selecting some other columns,you can write a query like either of these:nnSELECT *, FUNCTION(column) FROMtablenameSELECT column1, FUNCTION(column2),column3 FROM tablenameGenerally speaking, the latter syntax ispreferred, as it only returns the columnsyou need (as opposed to all of them).Before getting to the actual functions,make note of a couple more things. First,functions are often applied to stored data(i.e., columns) but can also be applied toliteral values. Either of these applicationsof the UPPER( ) function (which capitalizesa string) is valid:SELECT UPPER(first_name) FROM usersSELECT UPPER('this string')continues on next pageIntroduction to SQL 153

Second, while the function namesthemselves are case-insensitive, I willcontinue to write them in an all-capitalizedformat, to help distinguish them from tableand column names (as I also capitalizeSQL terms). Third, an important rulewith functions is that you cannot havespaces between the function nameand the opening parenthesis in MySQL,although spaces within the parenthesesare acceptable. And finally, when usingfunctions to format returned data, you’lloften want to make uses of aliases, aconcept discussed in the sidebar.Just as there are different standards ofSQL and different database applications havetheir own slight variations on the language,some functions are common to all databaseapplications and others are particular toMySQL. This chapter, and book, only concernsitself with the MySQL functions.Chapter 7 discusses two more categoriesof MySQL functions: grouping and encryption.Text functionsThe first group of functions to demonstrateare those meant for manipulating text. Themost common of the functions in this categoryare listed in Table 5.2. As with mostfunctions, these can be applied to eithercolumns or literal values (both representedby t, t1, t2, etc).CONCAT( ), perhaps the most useful of thetext functions, deserves special attention.The CONCAT( ) function accomplishesconcatenation, for which PHP uses theperiod (see Chapter 1, “Introduction toPHP”). The syntax for concatenationrequires you to place, within parentheses,the various values you want assembled, inorder and separated by commas:SELECT CONCAT(t1, t2) FROM tablenameWhile you can—and normally will—apply CONCAT( ) to columns, you canalso incorporate strings, entered withinquotation marks. For example, to formatTABLe 5.2 Text FunctionsFunction Usage ReturnsCONCAT( ) CONCAT(t1, t2, ...) A new string of the form t1t2.CONCAT_WS( ) CONCAT_WS(S, t1, t2, ...) A new string of the form t1St2S…LENGTH( ) LENGTH(t) The number of characters in t.LEFT( ) LEFT(t, y) The leftmost y characters from t.RIGHT( ) RIGHT(t, x) The rightmost x characters from t.TRIM( ) TRIM(t) t with excess spaces from the beginning and endremoved.UPPER( ) UPPER(t) t capitalized.LOWER( ) LOWER(t) t in all-lowercase format.REPLACE( ) REPLACE(t1, t2, t3) The string t1 with instances of t2 replaced with t3.SUBSTRING( ) SUBSTRING(t, x, y) y characters from t beginning with x (indexed from 1).154 Chapter 5

a person’s name as FirstLast, youwould useSELECT CONCAT(first_name, ' ',➝ last_name)FROM usersBecause concatenation normally returnsvalues in a new format, it’s an excellenttime to use an alias (see the sidebar):SELECT CONCAT(first_name, ' ',➝ last_name)AS Name FROM usersTo format text:1. Concatenate the names without usingan alias A:SELECT CONCAT(last_name, ', ',➝ first_name)FROM users;This query will demonstrate two things.First, the users’ last names, a commaand a space, plus their first namesare concatenated together to makeone string (in the format of Last, First).Second, as the figure shows, if you don’tuse an alias, the returned data’s columnheading will be the function call. In themysql client or phpMyAdmin, this is justunsightly; when using PHP to connect toMySQL, this will likely be a problem.2. Concatenate the names while using analias B:SELECT CONCAT(last_name, ', ',➝ first_name)AS Name FROM users ORDER BY Name;To use an alias, just add AS aliasnameafter the item to be renamed. The aliaswill be the new title for the returneddata. To make the query a little moreinteresting, the same alias is also usedin the ORDER BY clause.continues on next pageA This simple concatenation returns everyregistered user’s full name. Notice how the columnheading is the use of the CONCAT( ) function.B By using an alias, the returned data is underthe column heading of Name (compare with A ).Introduction to SQL 155

3. Find the longest last name C:SELECT LENGTH(last_name) AS L,last_name FROM usersORDER BY L DESC LIMIT 1;To determine which registered user’slast name is the longest (has the mostcharacters in it), use the LENGTH( )function. To find the name, select boththe last name value and the calculatedlength, which is given an alias of L. Tothen find the longest name, order all ofthe results by L, in descending order,but only return the first record.C By using the LENGTH( ) function, an alias, anORDER BY clause, and a LIMIT clause, this queryreturns the length and value of the longeststored name.A query like that in Step 3 (also C) maybe useful for helping to fine-tune your columnlengths once your database has some recordsin it.MySQL has two functions for performingregular expression searches on text:REGEXP( ) and NOT REGEXP( ). Chapter 14,“Perl-Compatible Regular Expressions,”introduces regular expressions using PHP.CONCAT( ) has a corollary function calledCONCAT_WS( ), which stands for with separator.The syntax is CONCAT_WS(separator,t1, t2, …). The separator will be insertedbetween each of the listed columns or values.For example, to format a person’s full nameas First_Middle_Last, youwould writeSELECT CONCAT_WS(' ', first, middle,last) AS Name FROM tablenameCONCAT_WS( ) has an added advantage overCONCAT( ) in that it will ignore columns withNULL values. So that query might return JoeBanks from one record but Jane SojournerAdams from another.156 Chapter 5

TABLe 5.3 Numeric FunctionsFunction Usage ReturnsABS( ) ABS(n) The absolutevalue of n.CEILING( ) CEILING(n) The next-highestinteger basedupon the valueof n.FLOOR( ) FLOOR(n) The integer valueof n.FORMAT( ) FORMAT(n1, n2) n1 formatted as anumber with n2decimal placesand commasinserted everythree spaces.MOD( ) MOD(n1, n2) The remainder ofdividing n1 by n2.POW( ) POW(n1, n2) n1 to the n2power.RAND( ) RAND( ) A random numberbetween 0 and 1.0.ROUND( ) ROUND(n1, n2) n1 rounded to n2decimal places.SQRT( ) SQRT(n) The square rootof n.D The RAND( ) function returns arandom number between 0 and 1.0.numeric functionsBesides the standard math operators thatMySQL uses (for addition, subtraction,multiplication, and division), there are acouple dozen functions for formattingand performing calculations on numericvalues. Table 5.3 lists the most common ofthese, some of which will be demonstratedshortly. As with most functions, these canbe applied to either columns or literalvalues (both represented by n, n1, n2, etc.).I want to specifically highlight three ofthese functions: FORMAT( ), ROUND( ), andRAND( ). The first—which is not technicallynumber-specific—turns any number into amore conventionally formatted layout. Forexample, if you stored the cost of a caras 20198.20, FORMAT(car_cost, 2) wouldturn that number into the more common20,198.20.ROUND( ) will take one value, presumablyfrom a column, and round that to aspecified number of decimal places. If nodecimal places are indicated, it will roundthe number to the nearest integer. If moredecimal places are indicated than exist inthe original number, the remaining spacesare padded with zeros (to the right of thedecimal point).The RAND( ) function, as you might infer, isused for returning random numbers D:SELECT RAND( )A further benefit to the RAND( ) functionis that it can be used with your queries toreturn the results in a random order:SELECT * FROM tablename ORDER BY➝ RAND( )Introduction to SQL 157

To use numeric functions:1. Display a number, formatting theamount as dollars E:SELECT CONCAT('$', FORMAT(5639.6, 2))AS cost;Using the FORMAT( ) function, as justdescribed, with CONCAT( ), you can turnany number into a currency format asyou might display it in a Web page.2. Retrieve a random email address fromthe table F:SELECT email FROM usersORDER BY RAND( ) LIMIT 1;What happens with this query is: Allof the email addresses are selected;the order they are in is shuffled (ORDERBY RAND( )); and then the first one isreturned. Running this same querymultiple times will produce differentrandom results. Notice that you do notspecify a column to which RAND( ) isapplied.E Using an arbitrary example, this queryshows how the FORMAT( ) function works.F This query uses the RAND( )function to select a random record.Subsequent executions of thesame query would return differentrandom results.Along with the mathematical functionslisted here, there are several trigonometric,exponential, and other types of numericfunctions available.The MOD( ) function is the same as usingthe percent sign:SELECT MOD(9,2)SELECT 9%2It returns the remainder of a division (1 inthese examples).158 Chapter 5

Date and time functionsThe date and time column types in MySQLare particularly flexible and useful. Butbecause many database users are notfamiliar with all of the available date andtime functions, these options are frequentlyunderused. Whether you want to makecalculations based upon a date or returnonly the month name from a value, MySQLhas a function for that purpose. Table 5.4lists most of these; see the MySQL manualfor a complete list. As with most functions,these can be applied to either columns orliteral values (both represented by dt, shortfor datetime).MySQL supports two data types that storeboth a date and a time (DATETIME andTIMESTAMP), one type that stores just thedate (DATE), one that stores just the time(TIME), and one that stores just a year(YEAR). Besides allowing for different typesof values, each data type also has its ownunique behaviors (again, I’d recommendreading the MySQL manual’s pages onthis for all of the details). But MySQL isvery flexible as to which functions youcan use with which type. You can apply adate function to any value that contains adate (i.e., DATETIME, TIMESTAMP, and DATE),or you can apply an hour function to anyvalue that contains the time (i.e., DATETIME,TIMESTAMP, and TIME). MySQL will use thepart of the value that it needs and ignorethe rest. What you cannot do, however, isapply a date function to a TIME value ora time function to a DATE or YEAR value.TABLe 5.4 Date and Time FunctionsFunction Usage ReturnsDATE( ) DATE(dt) The date value of dt.HOUR( ) HOUR(dt) The hour value of dt.MINUTE( ) MINUTE(dt) The minute value of dt.SECOND( ) SECOND(dt) The second value of dt.DAYNAME( ) DAYNAME(dt) The name of the day for dt.DAYOFMONTH( ) DAYOFMONTH(dt) The numerical day value of dt.MONTHNAME( ) MONTHNAME(dt) The name of the month of dt.MONTH( ) MONTH(dt) The numerical month value of dt.YEAR( ) YEAR(column) The year value of dt.CURDATE( ) CURDATE( ) The current date.CURTIME( ) CURTIME( ) The current time.NOW( ) NOW( ) The current date and time.UNIX_TIMESTAMP( ) UNIX_TIMESTAMP(dt) The number of seconds since the epoch until thecurrent moment or until the date specified.UTC_TIMESTAMP( ) UTC_TIMESTAMP(dt) The number of seconds since the epoch untilthe current moment or until the date specified,in Coordinated Universal Time (UTC).Introduction to SQL 159

To use date and time functions:1. Display the date that the last userregistered G:SELECT DATE(registration_date) ASDate FROM users ORDER BYregistration_date DESC LIMIT 1;The DATE( ) function returns the datepart of a value. To see the date that thelast person registered, an ORDER BYclause lists the users starting with themost recently registered and this resultis limited to just one record.2. Display the day of the week that thefirst user registered H:SELECT DAYNAME(registration_date) ASWeekday FROM users ORDER BYregistration_date ASC LIMIT 1;This is similar to the query in Step 1, butthe results are returned in ascendingorder and the DAYNAME( ) functionis applied to the registration_datecolumn. This function returns Sunday,Monday, Tuesday, etc., for a given date.3. Show the current date and time, accordingto MySQL I:SELECT CURDATE( ), CURTIME( );To show what date and time MySQLcurrently thinks it is, you can select theCURDATE( ) and CURTIME( ) functions,which return these values. This isanother example of a query that can berun without referring to a particular table.G The date functions can be used to extractinformation from stored values.H This query returns the name of the day thata given date represents.160 Chapter 5

I This query, not run on any particulartable, returns the current date and timeon the MySQL server.4. Show the last day of the current month J:SELECT LAST_DAY(CURDATE( )),MONTHNAME(CURDATE( ));As the last query showed, CURDATE( )returns the current date on the server.This value can be used as an argumentto the LAST_DAY( ) function, whichreturns the last date in the month for agiven date. The MONTHNAME( ) functionreturns the name of the current month.The date and time returned by MySQL’sdate and time functions correspond to thoseon the server, not on the client accessingthe database.J Among the many things MySQL can do withdate and time types is determine the last date ina month or the name value of a given date.Not mentioned in this section or in Table5.4 are ADDDATE( ), SUBDATE( ), ADDTIME( ),SUBTIME( ), and DATEDIFF( ). Each can be usedto perform arithmetic on date and time values.These can be very useful (for example, to findeveryone registered within the past week), buttheir syntax is cumbersome. As always, see theMySQL manual for more information.Chapter 6 discusses the concept of timezones in MySQL.As of MySQL 5.0.2, the server will alsoprevent invalid dates (e.g., February 31, 2011)from being inserted into a date or date/timecolumn.Introduction to SQL 161

Formatting the date and timeThere are two additional date and timefunctions that you might find yourselfusing more than all of the others combined:DATE_FORMAT( ) and TIME_FORMAT( ).There is some overlap between the twoand when you would use one or the other.DATE_FORMAT( ) can be used to formatboth the date and time if a value con -tains both (e.g., YYYY-MM-DD HH:MM:SS).Comparatively, TIME_FORMAT( ) can formatonly the time value and must be used ifonly the time value is being stored (e.g.,HH:MM:SS). The syntax isSELECT DATE_FORMAT(datetime, formatting)The formatting relies upon combinations ofkey codes and the percent sign to indicatewhat values you want returned. Table 5.5lists the available date- and time-formattingparameters. You can use these in anycombination, along with literal characters,such as punctuation, to return a date andtime in a more presentable form.Assuming that a column called the_datehas the date and time of 1996-04-2011:07:45 stored in it, common formattingtasks and results would bennTime (11:07:45 AM)TIME_FORMAT(the_date, '%r')Time without seconds (11:07 AM)TIME_FORMAT(the_date, '%l:%i %p')n Date (April 20th, 1996)TABLe 5.5 *_FORMAT( ) ParametersTerm Usage Example%e Day of themonth%d Day of themonth, twodigit1-3101-31%D Day with suffix 1st-31st%W Weekday name Sunday-Saturday%a Abbreviatedweekday name%c Month number 1-12%m Month number,two digitSun-Sat01-12%M Month name January-December%b Month name,abbreviatedJan-Dec%Y Year 2002%y Year 02%l (lowercase L) Hour 1-12%h Hour, two digit 01-12%k Hour, 24-hourclock%H Hour, 24-hourclock, two digit0-2300-23%i Minutes 00-59%S Seconds 00-59%r Time 8:17:02 PM%T Time, 24-hourclock20:17:02%p AM or PM AM or PMDATE_FORMAT(the_date, '%M %D, %Y')162 Chapter 5

K The current date and time, formatted.L The current time, in a 24-hour format.M The DATE_FORMAT( ) function is used topre-format the registration date when selectingrecords from the users table.To format the date and time:1. Return the current date and time asMonth DD, YYYY - HH:MM K:SELECT DATE_FORMAT(NOW( ),'%M %e, %Y➝ %l:%i');Using the NOW( ) function, which returnsthe current date and time, you canpractice formatting to see what resultsare returned.2. Display the current time, using 24-hournotation L:SELECT TIME_FORMAT(CURTIME( ),'%T');3. Select the email address and dateregistered, ordered by date registered,formatting the date as Weekday (abbreviated)Month (abbreviated) Day Year,for the last five registered users M:SELECT email, DATE_FORMAT➝ (registration_date, '%a %b %e %Y')AS Date FROM usersORDER BY registration_date DESCLIMIT 5;This is just one more example of howyou can use these formatting functionsto alter the output of an SQL query.In your Web applications, you shouldalmost always use MySQL functions to formatany dates coming from the database (asopposed to formatting the dates within PHPafter retrieving them from the database).The only way to access the date ortime on the client (the user’s machine) is touse JavaScript. It cannot be done with PHPor MySQL.Introduction to SQL 163

Review and pursueIf you have any problems with thereview questions or the pursue prompts,turn to the book’s supporting forum(www.LarryUllman.com/forums/).ReviewnnnnnWhat version of MySQL are you using?If you don’t know, find out now!What SQL command is used to make anew database? What command is usedto make a new table in a database?What SQL command is used to selectthe database with which you wantto work?What SQL commands are used foradding records to a table? Hint: Thereare multiple options.What types of values must be quoted inqueries? What types of values shouldn’tbe quoted?n What does the asterisk in SELECT *FROM tablename mean? How do yourestrict which columns are returned bya query?nnnnWhat does the NOW( ) function do?How do you restrict which rows arereturned by a query?How do LIKE and NOT LIKE differ fromsimple equality comparisons? Whichtype of comparison will be faster? Whatare the two LIKE and NOT LIKE wildcardcharacters?How do you affect the sorting of thereturned records? What is the defaultsorting method? How do you inversethe sort? What is the syntax for sortingby multiple columns?nnnnWhat does the LIMIT clause do? Howdoes LIMIT x differ from LIMIT x, y?What SQL command is used to changethe values already stored in a table?How do you change multiple columnsat once? How do you restrict to whichrows the changes are applied?What SQL command is used to deleterows stored in a table? How do yourestrict to which rows the deletionsare applied?What is an SQL alias? How do youcreate one? Why is an alias useful?pursuennnnnnnIf you haven’t done so already, bookmarkthe version of the MySQL manualthat matches the version of MySQL youare running.Go through each of the step sequencesin this chapter again, coming up withyour own queries to execute (that demonstratesimilar concepts as those inthe steps).Check out the MySQL manual pages foroperators used in conditionals.Check out the MySQL manual pages forsome of MySQL’s functions.Create, populate, and manipulate yourown table of data.Do some more practice using functionsand aliases.Check out the MySQL manual pages forthe various date and time types. Alsocheck out ADDDATE( ) and other daterelatedfunctions.164 Chapter 5

6DatabaseDesignNow that you have a basic understandingof databases, SQL, and MySQL, this chapterbegins the process of taking that knowledgedeeper. The focus on this chapter,as the title states, is real-world databasedesign. Like the work done in Chapter 4,“Introduction to MySQL,” much of the effortherein requires paper and pen, and seriousthinking about what your applications willneed to do.The chapter begins with thorough coverageof database normalization: a vitalapproach to the design process. Afterthat, the chapter turns to design-relatedconcepts specific to MySQL: indexes, tabletypes, language support, working withtimes, and foreign key constraints.By the end of this chapter, you’ll know thesteps involved in proper database design,understand how to make the most ofMySQL, and plan a couple of multi-tabledatabases. In the next chapter, you’ll learnmore advanced SQL and MySQL, usingthese new databases as examples.in This ChapterNormalization 166Creating Indexes 179Using Different Table Types 182Languages and MySQL 184Time Zones and MySQL 189Foreign Key Constraints 195Review and Pursue 202

normalizationWhenever you are working with arelational database management systemsuch as MySQL, the first step in creatingand using a database is to establish thedatabase’s structure (also called thedatabase schema). Database design, akadata modeling, is crucial for successfullong-term management of information.Using a process called normalization,you carefully eliminate redundancies andother problems that would undermine theintegrity of your database.The techniques you will learn over thenext few pages will help to ensure theviability, usefulness, and reliability of yourdatabases. The primary example to bediscussed—a forum where users can postmessages—will be more explicitly used inChapter 17, “Example—Message Board,” butthe principles of normalization apply to anydatabase you might create. (The sitenameexample as created and used in the pasttwo chapters was properly normalized, eventhough normalization was never discussed.)Normalization was developed by an IBMresearcher named E.F. Codd in the early1970s (he also invented the relationaldatabase). A relational database is merely acollection of data, organized in a particularmanner, and Dr. Codd created a series ofrules called normal forms that help definethat organization. This chapter discussesthe first three of the normal forms, whichare sufficient for most database designs.Before you begin normalizing yourdatabase, you must define the role of theapplication being developed. Whether itmeans that you thoroughly discuss thesubject with a client or figure it out foryourself, understanding how the informationwill be accessed dictates the modeling.Thus, this process will require paper andpen rather than the MySQL software itself(although database design is applicable toany relational database, not just MySQL).In this example, I want to create a messageboard where users can post messages andother users can reply. I imagine that userswill need to register, then log in with an emailaddress/password combination, in order topost messages. I also expect that there couldbe multiple forums for different subjects. Ihave listed a sample row of data in Table 6.1.The database itself will be called forum.One of the best ways to determine whatinformation should be stored in a database isto think about what questions will be asked ofthe database and what data would be includedin the answers.Always err on the side of storing moreinformation than you might need. It’s easy toignore unnecessary data but impossible tolater manufacture data that was never storedin the first place.Normalization can be hard to learn if youfixate on the little things. Each of the normalforms is defined in a very cryptic way; even whenput into layman’s terms, they can still be confounding.My best advice is to focus on the bigpicture as you follow along. Once you’ve gonethrough normalization and seen the end result,the overall process should be clear enough.TABLe 6.1 Sample Forum DataItemusernamepasswordactual nameuser emailforummessage subjectmessage bodymessage dateExampletroutstermypassLarry Ullmanemail@example.comMySQLQuestion about normalization.I have a question about…November 2, 2011 12:20 AM166 Chapter 6

KeysAs briefly mentioned in Chapter 4, keys areintegral to normalized databases. Thereare two types of keys: primary and foreign.A primary key is a unique identifier that hasto abide by certain rules. They mustnnnAlways have a value (they cannot be NULL)Have a value that remains the same(never changes)Have a unique value for each recordin a tableA good real-world example of a primarykey is the U.S. Social Security number:each individual has a unique SocialSecurity number, and that number neverchanges. Just as the Social Securitynumber is an artificial construct usedto identify people, you’ll frequently findcreating an arbitrary primary key for eachtable to be the best design practice.The second type of key is a foreign key.Foreign keys are the representation in TableB of the primary key from Table A. If youhave a cinema database with a movies tableand a directors table, the primary key fromdirectors would be linked as a foreign key inmovies. You’ll see better how this works asthe normalization process continues.TABLe 6.2 Sample Forum DataItemmessage ID 325usernamepasswordactual nameuser emailforummessage subjectmessage bodymessage dateExampletroutstermypassLarry Ullmanemail@example.comMySQLQuestion about normalization.I have a question about…November 2, 2011 12:20 AMThe forum database is just a simpletable as it stands (Table 6.1), but beforebeginning the normalization process,identify at least one primary key (theforeign keys will come in later steps).To assign a primary key:1. Look for any fields that meet the threetests for a primary key.In this example (Table 6.1), no column reallyfits all of the criteria for a primary key.The username and email address will beunique for each forum user but will not beunique for each record in the database(because the same user could postmultiple messages). The same subjectcould be used multiple times as well. Themessage body will likely be unique foreach message but could change (if edited),violating one of the rules of primary keys.2. If no logical primary key exists, inventone (Table 6.2).Frequently, you will need to create aprimary key because no good solutionpresents itself. In this example, amessage ID is manufactured. Whenyou create a primary key that has noother meaning or purpose, it’s calleda surrogate primary key.As a rule of thumb, I name my primarykeys using at least part of the table’sname (e.g., message) and the word id.Some database developers like to add theabbreviation pk to the name as well. Somedevelopers just use id.MySQL allows for only one primary keyper table, although you can base a primary keyon multiple columns (this means the combinationof those columns must be unique andnever change).Ideally, your primary key should alwaysbe an integer, which results in better MySQLperformance.Database Design 167

RelationshipsDatabase relationships refer to howthe data in one table relates to the datain another. There are three types ofrelationships between any two tables:one-to-one, one-to-many, or many-tomany.(Two tables in a database mayalso be unrelated.)A relationship is one-to-one if one andonly one item in Table A applies to oneand only one item in Table B. For example,each U.S. citizen has only one SocialSecurity number, and each Social Securitynumber applies to only one U.S. citizen;no citizen can have two Social Securitynumbers, and no Social Security numbercan refer to two citizens.A relationship is one-to-many if one item inTable A can apply to multiple items in TableB. The terms female and male will applyto many people, but each person can beonly one or the other (in theory). A one-tomanyrelationship is the most common onebetween tables in normalized databases.Finally, a relationship is many-to-manyif multiple items in Table A can apply tomultiple items in Table B. A book can bewritten by multiple authors, and authorscan write multiple books. Although manyto-manyrelationships are common inthe real word, you should avoid manyto-manyrelationships in your designbecause they lead to data redundancy andintegrity problems. Instead of having manyto-manyrelationships, properly designeddatabases use intermediary tables thatbreak down one many-to-many relationshipinto two one-to-many relationships A.Relationships and keys work together inthat a key in one table will normally relateto a key in another, as mentioned earlier.A A many-to-many relationship between two tables will be betterrepresented as two one-to-many relationships those tables have withan intermediary table.168 Chapter 6

Database modeling uses certainconventions to represent the structure of thedatabase, which I’ll follow through a series ofimages in this chapter. The symbols for thethree types of relationships are shown in B.The process of database design resultsin an ERD (entity-relationship diagram) or ERM(entity-relationship model). This graphicalrepresentation of a database uses shapes fortables and columns and the symbols from Bto represent the relationships.There are many programs available tohelp create a database schema, includingMySQL Workbench (http://wb.mysql.com).Many of the images in this chapter will comefrom MySQL Workbench.The term “relational” in RDBMS actuallystems from the tables, which are technicallycalled relations.B These symbols, or variations on them, arecommonly used to represent relationships indatabase modeling schemes.First normal FormAs already stated, normalizing a databaseis the process of changing the database’sstructure according to several rules, calledforms. Your database should adhere toeach rule exactly, and the forms must befollowed in order.Every table in a database must have thefollowing two qualities in order to be inFirst Normal Form (1NF):nnEach column must contain only onevalue (this is sometimes described asbeing atomic or indivisible).No table can have repeating groups ofrelated data.A table containing one field for a person’sentire address (street, city, state, zip code,country) would not be 1NF compliant,because it has multiple values in onecolumn, violating the first property above.As for the second, a movies table that hadcolumns such as actor1, actor2, actor3,and so on would fail to be 1NF compliantbecause of the repeating columns all listingthe exact same kind of information.To begin the normalization process, checkthe existing structure (Table 6.2) for 1NFcompliance. Any columns that are notatomic should be broken into multiplecolumns. If a table has repeating similarcolumns, then those should be turned intotheir own, separate table.Database Design 169

To make a database 1nF compliant:1. Identify any field that contains multiplepieces of information.Looking at Table 6.2, one field is not 1NFcompliant: actual name. The examplerecord contained both the first nameand the last name in this one column.The message date field contains a day,a month, and a year, plus a time, butsubdividing past that level of specificityis really not warranted. And, as the endof the last chapter shows, MySQL canhandle dates and times quite nicelyusing the DATETIME type.Other examples of problems wouldbe if a table used just one column formultiple phone numbers (mobile, home,work), or stored a person’s multipleinterests (cooking, dancing, skiing, etc.)in a single column.2. Break up any fields found in Step 1 intodistinct fields (Table 6.3).To fix this problem for the currentexample, create separate first nameand last name fields, each of whichcontains only one value.3. Turn any repeating column groups intotheir own table.The forum database doesn’t have thisproblem currently, so to demonstratewhat would be a violation, considerTable 6.4. The repeating columns (themultiple actor fields) introduce twoproblems. First of all, there’s no gettingaround the fact that each movie will belimited to a certain number of actorswhen stored this way. Even if you addcolumns actor 1 through actor 100,there will still be that limit (of a hundred).TABLe 6.3 Forum Database, AtomicItemExamplemessage ID 325username troutsterpassword mypassfirst name Larrylast name Ullmanuser email email@example.comforumMySQLmessage subject Question about normalization.message body I have a question about…message date November 2, 2011 12:20 AMTABLe 6.4 Movies TableColumnValuemovie ID 976movie title Casablancayear released 1943directorMichael Curtizactor 1Humphrey Bogartactor 2Ingrid Bergmanactor 3Peter Lorre170 Chapter 6

TABLe 6.5 Movies-Actors TableIDMovieActor FirstNameActor LastName1 Casablanca Humphrey Bogart2 Casablanca Ingrid Bergman3 Casablanca Peter Lorre4 The MalteseFalcon5 The MalteseFalconHumphreyPeterBogartLorreSecond, any record that doesn’t havethe maximum number of actors will haveNULL values in those extra columns. Youshould generally avoid columns withNULL values in your database schema.As another concern, the actor anddirector columns are not atomic.To fix the problems in the moviestable, a second table would be created(Table 6.5). This table uses one rowfor each actor in a movie, which solvesthe problems mentioned in the lastparagraph. The actor names are alsobroken up to be atomic. Notice as wellthat a primary-key column should beadded to the new table. The notion thateach table has a primary key is implicitin the First Normal Form.4. Double-check that all new columns andtables created in Steps 2 and 3 passthe 1NF test.The simplest way to think about 1NF isthat this rule analyzes a table horizontally:inspect all of the columns within a single rowto guarantee specificity and avoid repetitionof similar data.Various resources will describe the normalforms in somewhat different ways, likelywith much more technical jargon. What is mostimportant is the spirit—and end result—of thenormalization process, not the technical wordingof the rules.Database Design 171

Second normal FormFor a database to be in Second NormalForm (2NF), the database must first alreadybe in 1NF (you must normalize in order).Then, every column in the table that is not akey (i.e., a foreign key) must be dependentupon the primary key. You can normallyidentify a column that violates this rulewhen it has non-key values that are thesame in multiple rows. Such values shouldbe stored in their own table and relatedback to the original table through a key.Going back to the cinema example, amovies table (Table 6.4) would have thedirector Martin Scorsese listed 20+ times.This violates the 2NF rule as the column(s)that store the directors’ names would notbe keys and would not be dependentupon the primary key (the movie ID). Thefix is to create a separate directors tablethat stores the directors’ information andassigns each director a primary key. Totie the director back to the movies, thedirector’s primary key would also be aforeign key in the movies table.Looking at Table 6.5 (for actors in movies),both the movie name and the actor namesare also in violation of the 2NF rule (theyaren’t keys and they aren’t dependenton the table’s primary key). In the end,the cinema database in this minimal formrequires four tables C. Each director’sname, movie name, and actor’s name will bestored only once, and any non-key columnin a table is dependent upon that table’sprimary key. In fact, normalization couldbe summarized as the process of creatingmore and more tables until potentialredundancies have been eliminated.C To make the cinema database 2NF compliant (given the information being represented), four tables arenecessary. The directors are represented in the movies table through the director ID key; the movies arerepresented in the movies-actors table through the movie ID key; and the actors are represented in themovies-actors table through the actor ID key.172 Chapter 6

To make a database 2nF compliant:1. Identify any non-key columns that aren’tdependent upon the table’s primary key.Looking at Table 6.3, the username,first name, last name, email, and forumvalues are all non-keys (message IDis the only key column currently), andnone are dependent upon the messageID. Conversely, the message subject,body, and date are also non-keys, butthese do depend upon the message ID.2. Create new tables accordingly D.The most logical modification for theforum database is to make three tables:users, forums, and messages.In a visual representation of thedatabase, create a box for each table,with the table name as a header andall of its columns (also called itsattributes) underneath.3. Assign or create new primary keys E.Using the techniques described earlierin the chapter, ensure that each newtable has a primary key. Here I’veadded a user ID field to the userstable and a forum ID field to forums.These are both surrogate primary keys.Because the username field in theusers table and the name field in theforums table must be unique for eachrecord and must always have a value,you could have them act as the primarykeys for their tables. However, thiswould mean that these values couldnever change (per the rules of primarykeys) and the database will be a littleslower, using text-based keys insteadof numeric ones.continues on next pageD To make the forum database 2NF compliant, three tables are necessary.E Each table needs its own primary key.Database Design 173

4. Create the requisite foreign keys andindicate the relationships F.The final step in achieving 2NFcompliance is to incorporate foreign keysto link associated tables. Remember thata primary key in one table will often be aforeign key in another.With this example, the user ID fromthe users table links to the user IDcolumn in the messages table. Therefore,users has a one-to-many relationship withmessages (because each user can postmultiple messages, but each messagecan only be posted by one user).Also, the two forum ID columnsare linked, creating a one-to-manyrelationship between messages andforums (each message can only be inone forum, but each forum can havemultiple messages).There is no direct relationship betweenthe users and forums tables.Another way to test for 2NF is to lookat the relationships between tables. Theideal is to create one-to-one or one-to-manysituations. Tables that have a many-to-manyrelationship may need to be restructured.Looking back at C, the movies-actorstable is an intermediary table, which turns themany-to-many relationship between moviesand actors into two one-to-many relationships.You can often tell a table is acting as an intermediarywhen all of its columns are keys. Infact, in that table, the primary key could be thecombination of the movie ID and the actor ID.A properly normalized database shouldnever have duplicate rows in the same table(two or more rows in which the values in everynon–primary key column match).To simplify how you conceive of thenormalization process, remember that 1NFis a matter of inspecting a table horizontally,and 2NF is a vertical analysis (hunting forrepeating values over multiple rows).F To relate the three tables, two foreign keys are added to themessages table, each key representing one of the other two tables.174 Chapter 6

Third normal FormA database is in Third Normal Form (3NF)if it is in 2NF and every non-key columnis mutually independent. If you followedthe normalization process properly to thispoint, you may not have 3NF issues. Youwould know that you have a 3NF violationif changing the value in one column wouldrequire changing the value in another.In the forum example thus far, therearen’t any 3NF problems, but I’ll explain ahypothetical situation where this rule wouldcome into play.Take, as an example, a database aboutbooks. After applying the first twonormal forms, you might end up withone table listing the books, anotherlisting the authors, and a third acting asan intermediary table between booksand authors, as there’s a many-to-manyrelationship there. If the books table listedthe publisher’s name and address, thattable would be in violation of 3NF G. Thepublisher’s address isn’t related to thebook, but rather to the publisher itself. Inother words, that version of the bookstable has a column that’s dependent upona non-key column (the publisher’s name).As I said, the forum example is fine as is,but I’ll outline the 3NF steps just the same,showing how to fix the books examplejust mentioned.To make a database 3nF compliant:1. Identify any fields in any tables thatare interdependent.As just stated, what to look for arecolumns that depend more upon eachother than they do on the record as awhole. In the forum database, this isn’tan issue. Just looking at the messagestable, each subject will be specific to amessage ID, each body will be specificto that message ID, and so forth.With a books example, the problematicfields are those in the books table thatpertain to the publisher.2. Create new tables accordingly.If you found any problematic columnsin Step 1, like address1, address2, city,state, and zip in a books example, youwould create a separate publisherstable. (Addresses would be morecomplex once you factor internationalpublishers in.)continues on next pageG This database as currently designed fails the 3NF test.Database Design 175

3. Assign or create new primary keys.Every table must have a primary key, soadd publisher ID to the new tables.4. Create the requisite foreign keys thatlink any of the relationships H.Finally, add a publisher ID to the bookstable. This effectively links each book toits publisher.Despite there being set rules for how tonormalize a database, two different peoplecould normalize the same example in slightlydifferent ways. Database design does allow forpersonal preference and interpretations. Theimportant thing is that a database has no clearand obvious NF violations. Any NF violationwill likely lead to problems down the road.H Going with a minimal version of a hypothetical books database, one new table is created for storing thepublisher’s information.overruling normalizationAs much as ensuring that a database is in 3NF will help guarantee reliability and viability, you won’tfully normalize every database with which you work. Before undermining the proper methods,though, understand that doing so may have devastating long-term consequences.The two primary reasons to overrule normalization are convenience and performance. Fewertables are easier to manipulate and comprehend than more. Further, because of their moreintricate nature, normalized databases will most likely be slower for updating, retrieving datafrom, and modifying. Normalization, in short, is a trade-off between data integrity/scalability andsimplicity/speed. On the other hand, there are ways to improve your database’s performance butfew to remedy corrupted data that can result from poor design.This chapter includes an example where normalization is ignored: a message’s post date and timeis stored in one field. As mentioned, because MySQL is so good with dates, there are no dangersto this approach. Another situation where you would overrule normalization is a table that stored aperson’s gender, among other information. If stored as just M/F or Male/Female (instead of linkingto a genders table), there would be many repeating values. But that is fine in this case, as thoselabels are stable values, not likely to change over time (i.e., it’s unlikely that a third option will beinvented, or that “Female” will be renamed, forcing a mass update of half the records in the table).Practice and experience will teach you how best to model your database, but do try to err on theside of abiding by the normal forms, particularly as you are still mastering the concept.176 Chapter 6

Reviewing the DesignAfter walking through the normalizationprocess, it’s best to review the design onemore time. You want to make sure that thedatabase stores all of the data you mayever need. Often the creation of new tables,thanks to normalization, implies additionalinformation to record. For example, althoughthe original focus of the cinema databasewas on the movies, now that there areseparate actors and directors tables,additional facts about those people couldbe reflected in those tables.With that in mind, although there area number of additional columns thatcould be added to the forum database,particularly regarding the user, one morefield should be added to the messagestable. Because one message mightbe a reply to another, some method ofindicating that relationship is required. Onesolution is to add a parent_id column tomessages I. If a message is a reply, itsparent_id value will be the message_idof the original message (so message_id isacting as a foreign key to this same table).If a message has a parent_id of 0, then it’sa new thread, not a reply J.continues on next pageI To reflect a message hierarchy, the parent_id column is addedto messages.J How the parent_id field isused to track message threads.Database Design 177

After making any changes to the tables,you must run through the normal forms onemore time to ensure that the database is stillnormalized. Finally, choose the column typesand names, per the steps in Chapter 4 K.Note that every integer column is UNSIGNED,the three primary key columns are alsodesignated as AUTO_INCREMENT, and everycolumn is set as NOT NULL.Once the schema is fully developed, it canbe created in MySQL, using the commandsshown in Chapter 5, “Introduction to SQL.”You’ll do that later in the chapter, afterlearning a few more things.When you have a primary key–foreignkey link (like forum_id in forums to forum_idin messages), both columns should be of thesame type (in this case, TINYINT UNSIGNEDNOT NULL).K The final ERD for the forums database.178 Chapter 6

Creating indexesIndexes are a special system that databasesuse to improve the performance of SELECTqueries. Indexes can be placed on one ormore columns, of any data type, effectivelytelling MySQL to pay particular attention tothose values.While the maximum number of indexesthat a table can have varies, MySQL alwaysguarantees that you can create at least16 indexes for each table, and each indexcan incorporate up to 15 columns. Whilethe need for a multicolumn index maynot seem obvious, it will come in handyfor searches frequently performed on thesame combinations of columns (e.g., firstand last name, city and state, etc.).Although indexes are an integral part ofany table, not everything needs to beindexed. While an index does improve thespeed of reading from databases, it slowsdown queries that alter data in a database(because the changes need to be recordedin the index).Indexes are best used on columnsnnnThat are frequently used in the WHEREpart of a queryThat are frequently used in an ORDER BYpart of a queryThat are frequently used as the focalpoint of a JOIN (joins are discussed inthe next chapter)Generally speaking, you should not indexcolumns that:nnAllow for NULL valuesHave a very limited range of values(such as just Y/N or 1/0)MySQL has four types of indexes: INDEX(the standard), UNIQUE (which requireseach row to have a unique value for thatcolumn), FULLTEXT (for performing FULLTEXTsearches, also discussed in Chapter 7,“Advanced SQL and MySQL”), and PRIMARYKEY (which is just a particular UNIQUE indexand one you’ve already been using). Notethat a column should only ever have asingle index on it, so choose the index typethat’s most appropriate.With this in mind, let’s continue designingthe forum database by identifyingappropriate indexes. Later in this chapter,the indexes will be defined when the tablesare created in the database. To establishan index when creating a table, this clauseis added to the CREATE TABLE command:INDEX_TYPE index_name (columns)The index name is optional. If no nameis provided, the index will take the nameof the column, or columns, to which it isapplied. When indexing multiple columns,separate them by commas, and put them inthe order from most to least important:INDEX full_name (last_name,➝ first_name)You’ve already seen the syntax for creatingindexes in Chapter 5. This commandcreates a table with a PRIMARY KEY indexon the user_id field:CREATE TABLE users (user_id MEDIUMINT UNSIGNED NOT NULL➝ AUTO_INCREMENT,first_name VARCHAR(20) NOT NULL,last_name VARCHAR(40) NOT NULL,email VARCHAR(40) NOT NULL,pass CHAR(40) NOT NULL,registration_date DATETIME NOT NULL,PRIMARY KEY (user_id));continues on next pageDatabase Design 179

The last thing you should know aboutindexes are the implications of indexingmultiple columns. If you add an index oncol1, col2, and col3 (in that order), thiseffectively creates an index for uses ofcol1, col1 and col2 together, or on all threecolumns together. It does not provide anindex for referencing just col2 or col3 orthose two together.To create indexes:1. Add a PRIMARY KEY index on allprimary keys.Each table should always have aprimary key and therefore a PRIMARYKEY index. With the forums database,the specific columns to be indexed asprimary keys are: forums.forum_id,messages.message_id, and users.user_id. (The syntax table_name.column_name is a way to refer to aspecific column within a specific table.)2. Add UNIQUE indexes to any columnswhose values cannot be duplicatedwithin the table.The forums database has three columnsthat should always be unique or elsethere will be problems: forums.name,users.username, and users.email.3. Add FULLTEXT indexes, if appropriate.FULLTEXT indexes and FULLTEXTsearching are discussed in the nextchapter, so I won’t discuss this topicany more here, but as you’ll discover,there is one FULLTEXT index to be usedin this database.4. Add standard indexes to columnsfrequently used in a WHERE clause.It requires some experience to know inadvance which columns will often beused in WHERE clauses (and thereforeought to be indexed). With the forumsdatabase, one common WHERE standsout: when a user logs in, they’ll providetheir email address and password to login. The query to confirm the user hasprovided the correct information will besomething like:SELECT * FROM users WHERE pass=➝ SHA1('provided_password') AND➝ email='provided_email_address'From this query, one can deduce thatindexing the combination of the emailaddress and password would bebeneficial.5. Add standard indexes to columns frequentlyused in ORDER BY clauses.Again, in time such columns will standout while designing the database. In theforums example, there’s one columnleft that would be used in ORDER BYclauses that isn’t already indexed:messages.date_entered. This columnwill frequently be used in ORDER BYclauses as the site will, by default,show all messages in the order theywere entered.180 Chapter 6

TABLe 6.6 The forum Database IndexesColumn Name Table Index Typeforum_id forums PRIMARYname forums UNIQUEmessage_id messages PRIMARYforum_id messages INDEXparent_id messages INDEXuser_id messages INDEXdate_entered messages INDEXuser_id users PRIMARYusername users UNIQUEpass/email users INDEXemail users UNIQUE6. Add standard indexes to columns frequentlyused in JOINs.You may not know what a JOIN is now,and the topic is thoroughly coveredin Chapter 7, but the most obviouscandidates are the foreign key columns.Remember that a foreign key in Table Brelates to the primary key in Table A.When selecting data from the database,a JOIN will be written based upon thisrelationship. For that JOIN to be efficient,the foreign key must be indexed (theprimary key will already have beenindexed). In the forums example, threeforeign key fields in the messagestable ought to be indexed: forum_id,parent_id, and user_id.Table 6.6 lists all the indexes identifiedthrough these steps.Indexes can be created after you alreadyhave a populated table. However, you’ll get anerror and the index will not be created if youattempt to add a UNIQUE index to a columnthat has duplicate values.MySQL uses the term KEY as synonymousfor INDEX:KEY full_name (last_name, first_name)You can limit the length of an index toa certain number of characters, such as thefirst 10:INDEX index_name (column_name(10))You might do so in situations where the firstX characters will be sufficiently useful in anORDER BY clause.Database Design 181

using DifferentTable TypesA MySQL feature uncommon in otherdatabase applications is the ability to usedifferent types of tables (a table’s typeis also called its storage engine). Eachtable type supports different features, hasits own limits (in terms of how much datait can store), and even performs better orworse under certain situations. Still, howyou interact with any table type—in termsof running queries—is consistent acrossthem all.Historically, the most important table typewas MyISAM. Until version 5.5.5 of MySQL,MyISAM was the default table type on alloperating systems (on Windows, the switchto a different default was made in anearlier version of MySQL). MyISAM tablesare great for most applications, handlingSELECTs and INSERTs very quickly. TheMyISAM storage engine cannot handletransactions, though, which is its maindrawback (transactions are covered in thenext chapter). Between that feature and itslack of row-level locking (the entire tablemust be locked instead), MyISAM tablesare more vulnerable to corruption and dataloss should a crash occur.As of MySQL version 5.5.5, MySQL’s newdefault storage engine, on all operatingsystems, is InnoDB. InnoDB tables can beused for transactions and they performUPDATEs nicely. InnoDB tables also supportforeign key constraints (discussed at theend of the chapter) and row-level locking.But the InnoDB storage engine is generallyslower than MyISAM and requires moredisk space on the server. Also, an InnoDBtable does not support FULLTEXT indexes(covered in Chapter 7).To specify the storage engine when youdefine a table, add a clause to the end ofthe creation statement:CREATE TABLE tablename (column1name COLUMNTYPE,column2name COLUMNTYPE…) ENGINE = typeIf you don’t specify a storage engine whencreating tables, MySQL will use the defaulttype for that MySQL server.This feature of MySQL is even moresignificant because you can mix the tabletypes within the same database. This wayyou can best customize each table foroptimum features and performance. Tocontinue designing the forums database,the next step is to identify the storageengine to be used by each table.182 Chapter 6

To establish a table’s type:1. Find your MySQL server’s availabletable types A:SHOW ENGINES;The SHOW ENGINES command, whenexecuted on the MySQL server, willreveal not only the available storageengines but also the default storageengine. It will help to know thisinformation when it’s time to choosea table type for your database.2. If any of your tables requires a FULLTEXTindex, make it a MyISAM table.Again, FULLTEXT indexes and searchesare discussed in the next chapter, but I’llsay now that the messages table in theforums example will require a FULLTEXTindex. Therefore, this table must beMyISAM.3. If any of your tables requires support fortransactions, make it an InnoDB table.Yes, again, transactions are discussedin the next chapter, but the storageengines ought to be determined now.Neither the forums nor users tablesin the forums database will requiretransactions.4. If neither of the above applies to atable, use the default storage engine.Table 6.7 identifies the storage enginesto be used by the tables in the forumsdatabase.MySQL has several other table types,but MyISAM and InnoDB are the two mostimportant, by far. The MEMORY type createsthe table in memory, making it an extremelyfast table but with absolutely no permanence.At the time of this writing, the MySQLdocumentation claims that the InnoDB tabletype is overall faster than MyISAM. There aresome politics involved with the table types, soI take this claim with a grain of salt.TABLe 6.7 The forum Database Table TypesTableforumsmessagesusersTable TypeInnoDBMyISAMInnoDBA To confirm what table types your MySQL installation supports, run this command (in the mysql client, here,or phpMyAdmin).Database Design 183

Languages and MySQLChapter 1, “Introduction to PHP,” quicklyintroduced the concept of encodings. AnHTML page or PHP script can specify itsencoding, which dictates what characters,and therefore languages, are supported.The same is true for a MySQL database:by setting your database’s encoding,you can impact what characters can bestored in it. To see a list of encodingssupported by your version of MySQL, runa SHOW CHARACTER SET command A. Notethat the phrase character set is beingused in MySQL to mean encoding (whichI’ll generally follow in this section to beconsistent with MySQL).Each character set in MySQL has one ormore collations. Collation refers to therules used for comparing characters ina set. It’s like alphabetization, but takesinto account numbers, spaces, and othercharacters as well. Collation is tied to thecharacter set being used, reflecting boththe kinds of characters present in thatlanguage and the cultural habits of peoplewho generally use the language. Forexample, how text is sorted in English isnot the same as it is in Traditional Spanishor in Arabic. Other considerations include:Are upper- and lowercase versions of acharacter considered to be the same ordifferent (i.e., is it a case-sensitive comparison)?Or, how do accented characters getsorted? Is a space counted or ignored?A The list of charactersets supported by thisMySQL installation.184 Chapter 6

To view MySQL’s available collations, run thisquery B, replacing charset with the propervalue from the result in the last query A:SHOW COLLATION LIKE 'charset%'The results of this query will also indicatethe default collation for that character set.The names of collations use a concludingci to indicate case-insensitivity, cs for casesensitivity,and bin for binary.Generally speaking, I recommend usingthe UTF-8 character set, with its defaultcollation. More importantly, the characterset in use by the database should matchthat of your PHP scripts. If you’re notusing UTF-8 in your PHP scripts, use thematching encoding in the database. If thedefault collation doesn’t adhere to theconventions of the language primarily inuse, then adjust the collation accordingly.In MySQL, the server as a whole, eachdatabase, each table, and even everystring column can have a defined characterset and collation. To set these values whenyou create a database, useCREATE DATABASE name CHARACTER SET➝ charset COLLATE collationTo set these values when you create atable, useCREATE TABLE name (column definitions) CHARACTER SET charset COLLATE➝ collationcontinues on next pageB The list of collationsavailable in the UTF-8character set. The first one,utf_general_ci, is the default.Database Design 185

To establish the character set and collationfor a column, add the right clause to thecolumn’s definition (you’d only use this fortext types):CREATE TABLE name (something TEXT CHARACTER SET charset➝ COLLATE collation…)In each of these cases, both clauses areoptional. If omitted, a default character setor collation will be used.Establishing the character set and collationwhen you define a database affects whatdata can be stored (e.g., you can’t storea character in a column if its encodingdoesn’t support that character). A secondissue is the encoding used to communicatewith MySQL. If you want to store Chinesecharacters in a table with a Chineseencoding, those characters will need tobe transferred using the same encoding.To do so within the mysql client, set theencoding using justCHARSET charsetWith phpMyAdmin, the encoding to beused is established in the application itself(i.e., written in the configuration file).At this point in time, every aspect of thedatabase design for the forums examplehas been covered, so let’s create that databasein MySQL, including its indexes, storageengines, character sets, and collations.To assign character setsand collations:1. Access MySQL using whatever clientyou prefer.Like the preceding chapter, this onewill also use the mysql client for allof its examples. You are welcome touse phpMyAdmin or other tools as theinterface to MySQL.2. Create the forum database C:CREATE DATABASE forumCHARACTER SET utf8COLLATE utf8_general_ci;USE forum;Depending upon your setup, you maynot be allowed to create your owndatabases. If not, just use the databaseprovided to you and add the followingtables to it. Note that in the CREATEDATABASE command, the character setand collation are also defined. By doingso at this point, every table will usethose settings.3. Create the forums table D:CREATE TABLE forums (forum_id TINYINT UNSIGNED NOT➝ NULL AUTO_INCREMENT,name VARCHAR(60) NOT NULL,PRIMARY KEY (forum_id),UNIQUE (name)) ENGINE = INNODB;C The first steps are to create andselect the database.D Creating the first table.186 Chapter 6

It does not matter in what order youcreate your tables, but I’ll make theforums table first. Remember thatyou can enter your SQL queries overmultiple lines for convenience.This table only contains two columns(which will happen frequently in anormalized database). Because I don’texpect there to be many forums,the primary key is a really small type(TINYINT). If you wanted to add descriptionsof each forum, a VARCHAR(255) orTINYTEXT column could be added tothis table. This table uses the InnoDBstorage engine.4. Create the messages table E:CREATE TABLE messages (message_id INT UNSIGNED NOT NULL➝ AUTO_INCREMENT,parent_id INT UNSIGNED NOT NULL➝ DEFAULT 0,forum_id TINYINT UNSIGNED NOT NULL,user_id MEDIUMINT UNSIGNED NOT➝ NULL,subject VARCHAR(100) NOT NULL,body LONGTEXT NOT NULL,date_entered DATETIME NOT NULL,PRIMARY KEY (message_id),INDEX (parent_id),INDEX (forum_id),INDEX (user_id),INDEX (date_entered)) ENGINE = MYISAM;The primary key for this table has tobe big, as it could have lots and lotsof records. The three foreign keycolumns—forum_id, parent_id, anduser_id—will all be the same size andtype as their primary key counterparts.The subject is limited to 100 charactersand the body of each message can bea lot of text. The date_entered field isa DATETIME type.Unlike the other two tables, this one isof the MyISAM type.5. Create the users table F:CREATE TABLE users (user_id MEDIUMINT UNSIGNED NOTNULL AUTO_INCREMENT,username VARCHAR(30) NOT NULL,pass CHAR(40) NOT NULL,first_name VARCHAR(20) NOT NULL,last_name VARCHAR(40) NOT NULL,email VARCHAR(60) NOT NULL,PRIMARY KEY (user_id),UNIQUE (username),UNIQUE (email),INDEX login (pass, email)) ENGINE = INNODB;continues on next pageE Creating the second table.F The database’s third and final table.Database Design 187

Most of the columns here mimic thosein the sitename database’s users table,created in the preceding two chapters.The pass column is defined as CHAR(40),because the SHA1( ) function will beused and it always returns a string 40characters long (see Chapter 5).This table uses the InnoDB engine.6. If desired, confirm the database’sstructure G:SHOW TABLES;SHOW COLUMNS FROM forums;SHOW COLUMNS FROM messages;SHOW COLUMNS FROM users;The SHOW command reveals informationabout a database or a table. This step isoptional because MySQL reports on thesuccess of each query as it is entered.Still, it’s always nice to remind yourselfof a database’s structure.Collations in MySQL can also bespecified within a query, to affect the results:SELECT … ORDER BY column COLLATE➝ collationSELECT … WHERE column LIKE 'value'➝ COLLATE collationThe CONVERT( ) function can convert textfrom one character set to another.You can change the default character setor collation for a database or table using anALTER command, discussed in Chapter 7.Because different character sets requiremore space to represent a string, you willlikely need to increase the size of a column forUTF-8 characters. Do this before changing acolumn’s encoding so that no data is lost.G Check the structure of anydatabase or table using SHOW.188 Chapter 6

TABLe 6.8 UTC OffsetsCityNew York City, U.S.Cape Town, South AfricaMumbai, IndiaAuckland, New ZealandKathmandu, NepalSantiago, ChileDublin, IrelandTimeUTC–4UTC+2UTC+5:30UTC+13UTC+5:45UTC–3UTC+1Time Zones and MySQLChapter 5 discussed how to use NOW( )and other date- and time-related functions.That chapter explained that these functionsreflect the time on the server. Therefore,values stored in a database using thesefunctions are also storing the server’s time.That may not sound like a problem, butsay you move your site from one serverto another: you export all the data, importit into the other, and everything’s fine…unless the two servers are in different timezones, in which case all of the dates arenow technically off. For some sites, such analteration wouldn’t be a big deal, but whatif your site features paid memberships?That means some people’s membershipmight expire several hours early and forothers, several hours late! At the end of theday, the goal of a database is to reliablystore information.The solution to this particular problem isto store dates and times in a time zone–neutral way. Doing so requires somethingcalled UTC (Coordinated Universal Time,and, yes, the abbreviation doesn’t exactlymatch the term). UTC, like Greenwich MeanTime (GMT), provides a common point oforigin, from which all times in the world canbe expressed as UTC plus or minus somehours and minutes (Table 6.8).Fortunately, you don’t have to know thesevalues or perform any calculations in orderto determine UTC for your server. Instead,the UTC_DATE( ) function returns the UTCdate; UTC_TIME( ) returns the current UTCtime; and UTC_TIMESTAMP( ) returns thecurrent date and time.continues on next pageDatabase Design 189

Once you have stored a UTC time, you canretrieve the time adjusted to reflect theserver’s or the user’s location. To changea date and time from any one time zone toanother, use CONVERT_TZ( ) A:CONVERT_TZ(dt, from, to)The first argument is a date and timevalue, like the result of a function or what’sstored in a column. The second and thirdarguments are named time zones. Inorder to use this function, the list of timezones must already be stored in MySQL,which may or may not be the case foryour installation (see the sidebar). If yousee NULL results B, check out the MySQLmanual for how to install the time zones onyour server.To use this information, let’s start populatingthe forums database, recording the messageposted date and time using UTC.using Time Zones in MySQLMySQL does not necessarily installsupport for time zones by default. Inorder to use named time zones, there arefive tables in the mysql database thathave to be populated. While MySQL maynot automatically do this for you, it doesprovide the tools to do this yourself.This process is just complicated enoughthat there’s not room to discuss itin this book (not for every possiblecontingency, operating system, etc.).But you can find the instructions bylooking up “server time zone support”in the MySQL manual.If you continue to use time zones inMySQL, you also need to keep this informationin the mysql database updated.The rules for time zones, in particular,when and how they observe daylightsaving time, change often enough.Again, the MySQL manual has instructionsfor updating your time zones.A A conversion of the current UTC date and time to the American EasternDaylight Time (EDT).B The CONVERT_TZ( )function will returnNULL if it references aninvalid time zone or ifthe time zones haven’tbeen installed in MySQL(which is the case here).190 Chapter 6

To work with uTC:1. Access the forums database usingwhatever client you prefer.Like the preceding chapter, this onewill also use the mysql client for allof its examples. You are welcome touse phpMyAdmin or other tools as theinterface to MySQL.2. If necessary, change the encoding toUTF-8 C:CHARSET utf8;Because the database uses UTF-8 asits character set, the communicationwith the database should use the same.This line, explained in the previoussection of the chapter, does exactlythat. Note that you only need to dothis when using the mysql client. Also,if you’re not using UTF-8, change thecommand accordingly.3. Add some new records to the forumstable D:INSERT INTO forums (name) VALUES('MySQL'), ('PHP'), ('Sports'),('HTML'), ('CSS'), ('Kindling');Since the messages table relies onvalues retrieved from both the forumsand users tables, those two tables needto be populated first. With this INSERTcommand, only the name column mustbe provided a value (the table’s forum_id column will be given an automaticallyincremented integer by MySQL).4. Add some records to the users table E:INSERT INTO users (username, pass,first_name, last_name, email) VALUES('troutster', SHA1('mypass'),'Larry', 'Ullman', 'lu@example.com'),('funny man', SHA1('monkey'),'David', 'Brent', 'db@example.com'),('Gareth', SHA1('asstmgr'), 'Gareth','Keenan', 'gk@example.com');If you have any questions on the INSERTsyntax or use of the SHA1( ) functionhere, see Chapter 5.continues on next pageC The characterset used tocommunicate withMySQL shouldmatch that used inthe database.D Adding records to the forums table.E Addingrecords to theusers table.Database Design 191

5. Add new records to the messagestable F:SELECT * FROM forums;SELECT user_id, username FROM➝ users;INSERT INTO messages (parent_id,➝ forum_id, user_id, subject,➝ body, date_entered) VALUES(0, 1, 1, 'Question about➝ normalization.', 'I''m confused➝ about normalization. For the➝ second normal form (2NF), I➝ read...', UTC_TIMESTAMP( )),(0, 1, 2, 'Database Design', 'I''m➝ creating a new database and am➝ having problems with the➝ structure. How many➝ tables should I have?...',➝ UTC_TIMESTAMP( )),(2, 1, 2, 'Database Design', 'The➝ number of tables your database➝ includes...', UTC_TIMESTAMP( )),(0, 1, 3, 'Database Design', 'Okay,➝ thanks!', UTC_TIMESTAMP( )),(0, 2, 3, 'PHP Errors', 'I''m using➝ the scripts from Chapter 3 and➝ I can''t get the first calculator➝ example to work. When I submit➝ the form...', UTC_TIMESTAMP( ));Because two of the fields in themessages table (forum_id and user_id)relate to values in other tables, youneed to know those values beforeinserting new records into this table.For example, when the troutster usercreates a new message in the MySQLforum, the INSERT will have a forum_idof 1 and a user_id of 1.This is further complicated by theparent_id column, which shouldstore the message_id to which thenew message is a reply. The secondmessage added to the database willhave a message_id of 2, so replies tothat message need a parent_id of 2.F Populating themessages table requiresknowing foreign key valuesfrom users and forums.192 Chapter 6

With your PHP scripts—once you’vecreated an interface for this database,this process will be much easier, but it’simportant to comprehend the theory inSQL terms first.For the date_entered field, the valuereturned by the UTC_TIMESTAMP( )function will be used. Using the UTC_TIMESTAMP( ) function, the record willstore the UTC date and time, not thedate and time on the server.6. Repeat Steps 1 through 3 to populatethe database.The rest of the examples in this chapterand the next will use the populateddatabase. You’ll probably want todownload the SQL commands fromthe book’s corresponding Web site,although you can populate the tableswith your own examples and then justchange the queries in the rest of thechapter accordingly.7. View the most recent record in the messagestable, using the stored date andtime G:SELECT message_id, subject,➝ date_entered FROM messagesORDER BY date_entered DESC LIMIT 1;As you can see in the figure and thetable definition, UTC times are storedjust the same as non-UTC times. What’snot obvious in the figure is that therecord just inserted reflects a time fourhours ahead of the server (because myparticular server is in a time zone fourhours behind UTC).continues on next pageG The record that was just inserted, which reflects a time four hoursahead (the server is UTC-4).Database Design 193

8. Retrieve the same record convertingthe date_entered to your time zone H:SELECT message_id, subject,CONVERT_TZ(date_entered, 'UTC',➝'America/New_York') AS localFROM messages ORDER BY➝ date_entered DESC LIMIT 1;Using the CONVERT_TZ( ) function, youcan convert any date and time to adifferent time zone. For the from timezone, use UTC. For the to time zone,use yours.If you get a NULL result B, either thename of one of your time zones iswrong or MySQL hasn’t had its timezones loaded yet (see the sidebar).However you decide to handle dates,the key is to be consistent. If you decide touse UTC, then always use UTC.UTC is also known as Zulu time, representedby the letter Z.Besides being time zone and daylightsaving time agnostic, UTC is also more accurate.It factors in irregular leap seconds thatcompensate for the inexact movement ofthe planet.H The UTC-stored date and time converted to my local time.194 Chapter 6

Foreign Key ConstraintsA feature of the InnoDB table type, notsupported in other storage engines, is theability to apply foreign key constraints.When you have related tables, the foreignkey in Table B relates to the primary keyin Table A (for ease of understanding, itmay help to think of Table B as the childto Table A’s parent). For example, in theforums database, the messages.user_idis tied to users.user_id. If the administratorwere to delete a user account, therelationship between those tables wouldbe broken (because the messages tablewould have records with a user_id valuethat doesn’t exist in users). Foreign keyconstraints set rules as to what shouldhappen when a break would occur,including preventing that break.The syntax for creating a foreign keyconstraint is:FOREIGN KEY (item_name) REFERENCES➝ table (column)(This goes within a CREATE TABLE or ALTERTABLE statement.)The item name is the foreign key columnin the current table. The table(column)clause is a reference to the parent tablecolumn to which this foreign key shouldbe constrained. If you just use the above,thereby only identifying the relationship,without stating what should happen whenthe constraint would be broken, MySQLwill throw an error if you attempt to deletethe parent record while child records existA. MySQL will also throw an error if youattempt to create a child record using aparent ID that doesn’t exist B.You can dictate what alternative actionsshould occur by following the above syntaxwith one or both of these:ON DELETE actionON UPDATE actionThere are five action options, but two—RESTRICT and NO ACTION—are synonymousand also the default (i.e., the same as ifyou don’t specify the action at all). A thirdaction option—SET DEFAULT—doesn’t work(don’t ask me, ask the MySQL manual!).That leaves CASCADE and SET NULL. Ifthe action set is SET NULL, the removalof a parent record will result in settingthe corresponding foreign keys in thechild table to NULL. If that table definesthat column as NOT NULL (which it almostalways should), deletion of the parentrecord will trigger an error.continues on next pageA This error indicatesthat MySQL is preventing aquery from deleting a parentrecord because the record isconstrained to one or moreexisting children records.B Foreign keyconstraints alsoaffect INSERT queries.Database Design 195

The CASCADE action is the most usefuloption. It tells the database to apply thesame changes to the related table. With thisinstruction, if you delete the parent record,MySQL will also delete the child recordswith that parent ID as its foreign key.As only the InnoDB table type supportsforeign key constraints, both tables inthe relationship must be of the InnoDBtype. Also, in order for MySQL to be ableto compare the foreign key-primary keyvalues, the related columns must be ofequitable types. This means that numericcolumns must be the same type and size;text columns must use the same characterset and collation.With the forums example, it’s not possibleto use foreign key constraints as the soletable related to another—messages relatesto both forums and users—must use theMyISAM table type (to support FULLTEXTsearches). Instead, let’s take a look at anew hypothetical example for banking C.The customers table stores all of theinformation particular to a customer.It would logically also store contactinformation and so forth. The accountstable stores the accounts for eachcustomer, including the type (Checkingor Savings) and balance. Each customermay have more than one account, buteach account is associated with only onecustomer (for a bit of simplicity). In the realworld, the table might also store the datethe account was opened and use a BIGINTas the balance (thereby representing alltransactions in cents instead of dollarswith decimals). Finally, the transactionstable stores every movement of moneyfrom one account to another. Again, tomake the example a bit easier to follow,the example assumes that only accountswithin this same system will interact. Notethat the transactions table has two oneto-manyrelationships with accounts (notone many-to-many). Each transaction’sto_account_id value will be associatedwith a single account, but each accountcould be the “to” account multiple times.The same applies to the “from” account.Finally, foreign key constraints are appliedto preserve the integrity of the data.In this next series of steps, you’ll createand populate this database, payingattention to the constraints. In the nextchapter, this same database will be used todemonstrate transactions and encryption.C The banking database could be used for virtual banking.196 Chapter 6

To create foreign key constraints:1. Access MySQL using whatever clientyou prefer.Like the preceding chapter, this onewill also use the mysql client for allof its examples. You are welcome touse phpMyAdmin or other tools as theinterface to MySQL.2. Create the banking database D:CREATE DATABASE bankingCHARACTER SET utf8COLLATE utf8_general_ci;USE banking;As always, depending upon your setup,you may not be allowed to create yourown databases. If not, just use thedatabase provided to you and add thefollowing tables to it.3. If necessary, change the communicationencoding to UTF-8:CHARSET utf8;4. Create the customers table E:CREATE TABLE customers (customer_id INT UNSIGNED NOT NULL➝ AUTO_INCREMENT,first_name VARCHAR(20) NOT NULL,last_name VARCHAR(40) NOT NULL,PRIMARY KEY (customer_id),INDEX full_name (last_name,➝ first_name)) ENGINE = INNODB;The customers table just stores thecustomer’s ID—the primary key—andname (in two columns). An index is alsoplaced on the full name, in case thatmight be used in ORDER BY and otherquery clauses. So that the database canuse foreign key constraints, every tablewill use the InnoDB storage engine.continues on next pageD A new databaseis being created forthis example.E Creating the customers table.Database Design 197

5. Create the accounts table F:CREATE TABLE accounts (account_id INT UNSIGNED NOT NULL➝ AUTO_INCREMENT,customer_id INT UNSIGNED NOT NULL,type ENUM('Checking', 'Savings')➝ NOT NULL,balance DECIMAL(10,2) UNSIGNED NOT➝ NULL DEFAULT 0.0,PRIMARY KEY (account_id),INDEX (customer_id),FOREIGN KEY (customer_id) REFERENCES➝ customers (customer_id)ON DELETE NO ACTION ON UPDATE NO➝ ACTION) ENGINE = INNODB;The accounts table stores the accountID, customer ID, account type, andbalance. The customer_id column hasan index on it, as it will be used in JOINs(in Chapter 7). More importantly, thecolumn is constrained to customers.customer_id, thereby protecting bothtables. Even though NO ACTION is thedefault constraint, I’ve included it in thedefinition for added clarity.F Creating the accounts table.198 Chapter 6

6. Create the transactions table G:CREATE TABLE transactions (transaction_id INT UNSIGNED NOT➝ NULL AUTO_INCREMENT,to_account_id INT UNSIGNED NOT➝ NULL,from_account_id INT UNSIGNED NOT➝ NULL,amount DECIMAL(5,2) UNSIGNED NOT➝ NULL,date_entered TIMESTAMP NOT NULL,PRIMARY KEY (transaction_id),INDEX (to_account_id),INDEX (from_account_id),INDEX (date_entered),FOREIGN KEY (to_account_id)➝ REFERENCES accounts (account_id)ON DELETE NO ACTION ON UPDATE NO➝ ACTION,FOREIGN KEY (from_account_id)➝ REFERENCES accounts (account_id)ON DELETE NO ACTION ON UPDATE NO➝ ACTION) ENGINE = INNODB;The final table will be used to recordall movements of monies among theaccounts. To do so, it stores bothaccount IDs—the “to” and “from,” theamount, and the date/time. Indexes areadded accordingly, and both account IDsare constrained to the accounts table.continues on next pageG Creating the third, and final, table: transactions.Database Design 199

7. Populate the customers and accountstables H:INSERT INTO customers (first_name,➝ last_name)VALUES ('Sarah', 'Vowell'),➝ ('David', 'Sedaris'), ('Kojo',➝'Nnamdi');INSERT INTO accounts (customer_id,➝ balance)VALUES (1, 5460.23), (2, 909325.24),➝ (3, 892.00);First, sample data is entered into thefirst two tables (the third will be usedin the next chapter). Note that becausethe accounts.type column is definedas an ENUM NOT NULL, if no value isprovided for that column, the first itemin the ENUM definition—Checking—willbe used.8. Attempt to put data into the accountstable for which there is no customer I:INSERT INTO accounts (customer_id,➝ type, balance)VALUES (10, 'Savings', 200.00);The foreign key constraint presentin the accounts table will prevent anaccount being created without a validcustomer ID (a pretty useful check inthe real world).H Three records are added to both the customers and accounts tables.I Again, as in B, the constraint denies the INSERT query due to aninvalid value from the parent table.200 Chapter 6

9. Attempt to delete a record from thecustomers table for which there is anaccounts record J:DELETE FROM customersWHERE customer_id=2;The constraint will also prevent thedeletion of customer records whenthat customer still has an account.Despite the constraint, you couldstill delete a customer record if thecustomer does not have any recordsin the accounts table.To actually delete constrained records,you must first delete all the children records,and then the parent record.Foreign key constraints require that allcolumns in the constraint be indexed. Normaldatabase design would suggest this is thecase, but if the correct indexes do not exist,MySQL will create them when the constraintis defined.Similar to constraints are triggers. Simplyput, a trigger is a way of telling the database“when X happens to this table, do Y.” For example,when inserting a record in Table A, anotherrecord might be created or updated in Table B.See the MySQL manual for more on triggers.J Because the customer with an ID of 2 has one or more records in the accounts table, thecustomers record cannot be deleted.Database Design 201

Review and pursueIf you have any problems with thereview questions or the pursue prompts,turn to the book’s supporting forum(www.LarryUllman.com/forums/).ReviewnnnnnnnnnWhy is normalization important?What are the two types of keys?What are the three types of tablerelationships?How do you fix the problem of amany-to-many relationship betweentwo tables?What are the four types of indexes?What general types of columns shouldbe indexed? What general types ofcolumns should not be indexed?What are the two most common MySQLtable types? What is the default tabletype for your MySQL installation?What is a character set? What isa collation? What impact does thecharacter set have on the database?What impact does the collation have?What character set and collation areyou using?What is UTC? How do you find the UTCtime in MySQL? How do you convertfrom UTC to another time zone’s time?What are foreign key constraints?What table type supports foreign keyconstraints?pursuennnYou may want to consider downloading,installing, and learning to use theMySQL Workbench application. It canbe quite useful.If you don’t fully grasp the process ofnormalization—and that’s perfectlyunderstandable—search for additionaltutorials online or ask a question in mysupport forums.Design your own database using theinformation presented here.202 Chapter 6

7Advanced SQLand MySQLThis, the last chapter dedicated to SQL andMySQL (although most of the rest of thebook will use these technologies in someform or another), discusses the higher-endconcepts often needed to work with morecomplicated databases, like those createdin the previous chapter. The first such topicis the JOIN, a critical SQL term for queryingnormalized databases with multiple tables.From there, the chapter introduces a categoryof functions that are specifically usedwhen grouping query results, followed bymore complex ways to select values froma table.In the middle of the chapter, you’ll learnhow to perform FULLTEXT searches, whichcan add search engine-like functionality toany site. Next up is the EXPLAIN command:it provides a way to test the efficiency ofyour database schema and your queries.The chapter concludes with coverage oftransactions and database encryption.in This ChapterPerforming Joins 204Grouping Selected Results 214Advanced Selections 218Performing FULLTEXT Searches 222Optimizing Queries 230Performing Transactions 234Database Encryption 237Review and Pursue 240

performing JoinsBecause relational databases are morecomplexly structured, they sometimesrequire special query statements toretrieve the information you need most.For example, if you wanted to know whatmessages are in the MySQL forum (usingthe forum database created in the previouschapter), you would need to first find theforum_id for MySQL:SELECT forum_id FROM forums WHERE➝ name='MySQL'Then you would use that number toretrieve all the records from the messagestable that have that forum_id:SELECT * FROM messages WHERE➝ forum_id=1This one simple (and, in a forum, oftennecessary) task would require twoseparate queries. By using a join, you canaccomplish all of that in one fell swoop.A join is an SQL query that uses twoor more tables, and produces a virtualtable of results. Any time you need tosimultaneously retrieve information frommore than one table, a join is what you’llprobably use.Joins can be written in many differentways, but the basic syntax is:SELECT what_columns FROM tableA➝ JOIN_TYPE tableB JOIN_CLAUSEBecause joins involve multiple tables, thewhat_columns can include columns inany named table. And as joins often returnso much information, it’s normally best tospecify exactly what columns you wantreturned, instead of selecting them all.When selecting from multiple tables, youmust use the dot syntax (table.column)if the tables named in the query havecolumns with the same name. This is oftenthe case when dealing with relationaldatabases because a primary key fromone table may have the same name asa foreign key in another. If you are notexplicit when referencing your columns,you’ll get an error A:SELECT forum_id FROM messages INNER➝ JOINforums ON messages.forum_id=forums.➝ forum_idThe two main types of joins are inner andouter (there are subtypes within both).As you’ll see with outer joins, the order inwhich you reference the tables does matter.The join clause is where you indicate therelationship between the joined tables. Forexample, forums.forum_id should equalmessages.forum_id (as in the above).You can also use WHERE and ORDER BYclauses with a join, as you would with anySELECT query.As a last note, before getting into joinsmore specifically, the SQL conceptof an alias—introduced in Chapter 5,“Introduction to SQL”—will come in handywhen writing joins. Often an alias will justbe used as a shorthand way of referencingthe same table multiple times within thesame query. If you don’t recall the syntaxfor creating aliases, or how they’re used,revisit that part of Chapter 5.A Generically referring toa column name present inmultiple tables will causean ambiguity error.204 Chapter 7

(As in the previous two chapters, thischapter will use the command-line mysqlclient to execute queries, but you canalso use phpMyAdmin or another tool.The chapter assumes you know how toconnect to the MySQL server and declarethe character set to use, if necessary.)B This join returns three columns from two tableswhere the forum_id value—1—represents theMySQL forum.inner JoinsAn inner join returns all of the records fromthe named tables wherever a match ismade. For example, to find every messageposted in the MySQL forum, the inner joinwould be written as BSELECT m.message_id, m.subject, f.nameFROM messages AS m INNER JOIN forums➝ AS fON m.forum_id = f.forum_idWHERE f.name = 'MySQL'This join is selecting three columns fromthe messages table (aliased as m) and onecolumn from the forums table (aliased asf) under two conditions. First, the f.namecolumn must have a value of MySQL (thiswill return the forum_id of 1). Second, theforum_id value in the forums table mustmatch the forum_id value in the messagestable. Because of the equality comparisonbeing made across both tables (m.forum_id= f.forum_id), this is known as an equijoin.As an alternative syntax, if the columnin both tables being used in the equalitycomparison has the same name, you cansimplify your query with USING:SELECT m.message_id, m.subject, f.nameFROM messages AS m INNER JOIN forums➝ AS fUSING (forum_id)WHERE f.name = 'MySQL'Advanced SQL and MySQL 205

To use inner joins:1. Connect to MySQL and select theforum database.2. Retrieve the forum name and messagesubject for every record in the messagestable C:SELECT f.name, m.subject FROM forumsAS f INNER JOIN messages AS mUSING (forum_id) ORDER BY f.name;This query will effectively replace theforum_id value in the messages tablewith the corresponding name valuefrom the forums table for each of therecords in the messages table. Theend result is that it displays the textualversion of the forum name for eachmessage subject.Notice that you can still use ORDER BYclauses in joins.3. Retrieve the subject and date enteredfor every message posted by the userfunny man D:SELECT m.subject,DATE_FORMAT(m.date_entered,➝'%M %D, %Y') AS DateFROM users AS uINNER JOIN messages AS mUSING (user_id)WHERE u.username = 'funny man';This join also uses two tables: usersand messages. The linking columnfor the two tables is user_id, so that’splaced in the USING clause. The WHEREconditional identifies the user beingtargeted, and the DATE_FORMAT( )function will help format the date_entered value.C A basic inner join that returns only two columnsof values.D A slightly more complicated version of an innerjoin, based upon the users and messages tables.206 Chapter 7

E An ORDER BY clause and a LIMIT clause areapplied to this join, which returns the forums withthe five most recent messages.4. Find the forums that have had the fivemost recent postings E:SELECT f.name FROM forums AS fINNER JOIN messages AS mUSING (forum_id)ORDER BY m.date_entered DESC➝ LIMIT 5;Since the only information that needsto be returned is the forum name, that’sthe sole column selected by this query.The join is then across the forums andmessages table, linked via the forum_id. The query to that point would returnevery message matched with the forumit’s in. That result is then ordered by thedate_entered column, in descendingorder, and restricted to just the firstfive records.Inner joins can also be written withoutformally using the phrase INNER JOIN. To doso, place a comma between the table namesand turn the ON, or USING, clause into anotherWHERE condition:SELECT m.message_id, m.subject,➝ f.name FROM messages AS m, forums➝ AS f WHERE m.forum_id = f.forum_idAND f.name = 'MySQL'Joins that do not include a join clause (ONor USING) or a WHERE clause (e.g., SELECT *FROM urls INNER JOIN url_associations)are called full joins and will return every recordfrom both tables. This construct can haveunwieldy results with larger tables.A NULL value in a column referenced inan inner join will never be returned, becauseNULL matches no other value, including NULL.MySQL’s supported join types differslightly from the SQL standard. For example,SQL supports a CROSS JOIN and an INNERJOIN as two separate things, but in MySQLthey are syntactically the same.Advanced SQL and MySQL 207

outer JoinsWhereas an inner join returns recordsbased upon making matches between twotables, an outer join will return records thatare matched by both tables, and will returnrecords that don’t match. In other words,an inner join is exclusive but an outer joinis inclusive. There are three outer joinsubtypes: left, right, and full, with left beingthe most important by far. An example of aleft join is:SELECT f.*, m.subject FROM forums AS fLEFT JOIN messages AS mON f.forum_id = m.forum_idThe most important consideration with leftjoins is which table gets named first. In thisexample, all of the forums records will bereturned along with all of the messagesinformation, if a match is made. If nomessages records match a forums row,then NULL values will be returned for theselected messages columns instead F.As with an inner join, if the column inboth tables being used in the equalitycomparison has the same name, you cansimplify your query with USING:SELECT f.*, m.subject FROM forums AS fLEFT JOIN messages AS mUSING (forum_id)A right outer join does the opposite of aleft outer join: it returns all of the applicablerecords from the right-hand table, alongwith matches from the left-hand table. Thisquery is equivalent to the above:SELECT f.*, m.subject FROM messages➝ AS mRIGHT JOIN forums AS fUSING (forum_id)Generally speaking, the left join ispreferred over the right (and, arguably,there’s no need to have both).A full outer join is like a combination of aleft outer join and a right outer join. In otherwords, all of the matching records fromF An outer join returns all the records from the first table listed, withnon-matching records from the second table replaced with NULL values.208 Chapter 7

oth tables will be returned, along withall of the records from the left-hand tablethat do not have matches in the right-handtable, along with all of the records from theright-hand table that do not have matchesin the left-hand table. MySQL does notdirectly support the full outer join, but youcan replicate that functionality using a leftjoin, a right join, and a UNION statement. Afull outer join is not often needed, but seethe MySQL manual if you’re curious aboutit or unions.G This left join returns for every user,every posted message ID. If a user hasn’tposted a message (like finchy at the top),the message ID value will be NULL.To use outer joins:1. Connect to MySQL and select theforum database, if you have not already.2. Retrieve every username and everymessage ID posted by that user G:SELECT u.username, m.message_idFROM users AS uLEFT JOIN messages AS mUSING (user_id);If you were to run an inner join similarto this, a user who had not yet posted amessage would not be listed H. Hence,an outer join is required to be inclusiveof all users. Note that the fully includedtable (here, users), must be the firsttable listed in a left join.continues on next pageH This inner join will not return any userswho haven’t yet posted messages (seefinchy at the top of G ).Advanced SQL and MySQL 209

3. Retrieve every forum name and everymessage submission date in that forumin order of submission date I:SELECT f.name,DATE_FORMAT(m.date_entered,➝'%M %D, Y') AS DateFROM forums AS fLEFT JOIN messages AS mUSING (forum_id)ORDER BY date_entered DESC;This is really just a variation on thejoin in Step 2, this time swapping theforums table for the users table.I This left outer join returns every forum nameand the date of every message posted in that forum.performing Self-JoinsIt’s possible with SQL to perform a self-join: join a table with itself. For example, with the messagestable, the parent_id column is a way of indicating which postings are replies to other postings. Toretrieve a single hierarchy of postings, a SELECT query must join the messages table with itself,equating parent_id with message_id in the process.This may sound confusing or impossible, but it’s really not. The trick with self-joins is to treat thetwo references to the same table as if they were single references to two different tables. To pullthat off, assign a different alias to each table reference. The already described example wouldbe written like so:SELECT m1.subject, m2.subject AS Reply FROM messages AS m1 LEFT JOIN➝ messages AS m2 ON m1.message_id=m2.parent_id WHERE m1.parent_id=0That query first selects every root-level message—those with a 0 parent_id value—in the firstmessages table instance, m1. Those records are then outer joined with the second messages tableinstance, m2. If you run this query yourself, you’ll see that the root message’s subject is selected,along with the subject of that message’s reply, if applicable.Self-joins aren’t the most popular join type, but can sometimes solve a problem better than mostother solutions.210 Chapter 7

Joins can be created using conditionalsinvolving any columns, not just the primaryand foreign keys, although that’s the mostcommon basis for comparison.You can perform joins across multipledatabases using the database.table.columnsyntax, as long as every database is on thesame server (you cannot do this across anetwork) and you’re connected as a user withpermission to access every database involved.The word OUTER in a left outer join isoptional and often omitted. To be formal, youcould write:SELECT f.name, DATE_FORMAT➝ (m.date_entered, '%M %D, Y') AS➝ Date FROM forums AS f LEFT OUTER➝ JOIN messages AS m USING (forum_id)➝ ORDER BY date_entered DESC;Joining Three or More TablesJoins are a somewhat complicated butimportant concept, so hopefully you’refollowing along well enough thus far. Thereare two more ways joins can be used withwhich you ought to be familiar: self-joins,discussed in the sidebar, and joins on threeor more tables.When joining three or more tables, it helpsto remember that a join between twotables creates a virtual table of results.When you add a third table, the join isbetween this initial virtual table and thethird referenced table J. The syntax fora three-table join is of the formatSELECT what_columns FROM tableA➝ JOIN_TYPE tableB JOIN_CLAUSE➝ JOIN_TYPE tableC JOIN_CLAUSEcontinues on next pageJ How a join acrossthree tables works: byfirst creating a virtualtable of results, and thenby joining the third tableto that.Advanced SQL and MySQL 211

The join types do not have to be the samein both cases—one could be an inner andthe other an outer—and the join clausesare almost certain to be different. You caneven add WHERE, ORDER BY, and LIMITclauses to the end of this. Simply put, toperform a join on more than two tables,just continue to add JOIN_TYPE tableXJOIN_CLAUSE sections as needed.There are three likely problems you’ll havewith joins that span three or more tables.The first is a simple syntax error, especiallywhen you use parentheses to separate outthe clauses. The second is an ambiguouscolumn error, which is common enoughamong any join type. The third likelyproblem will be a lack of results returned.Should that happen to you, simplify thejoin down to just two tables to confirmthe result, and then try to reapply theadditional join clauses to find where theproblem is.K An inner join across all three tables.To use joins on three tables or more:1. Connect to MySQL and select theforum database, if you have not already.2. Retrieve the message ID, subject, andforum name for every message postedby the user troutster K:SELECT m.message_id, m.subject,➝ f.nameFROM users AS uINNER JOIN messages AS mUSING (user_id)INNER JOIN forums AS fUSING (forum_id)WHERE u.username = 'troutster';This join is similar to one earlier in thechapter, but takes things a step furtherby incorporating a third table.212 Chapter 7

L This left join returns for every user, everyposted message subject, and every forum name. Ifa user hasn’t posted a message (like finchy at thetop), his or her subject and forum name values willbe NULL.M This inner join returns values from all threetables, with applied ORDER BY and LIMIT clauses.3. Retrieve the username, message subject,and forum name for every user L:SELECT u.username, m.subject, f.nameFROM users AS uLEFT JOIN messages AS mUSING (user_id)LEFT JOIN forums AS fUSING (forum_id);Whereas the query in Step 2 performstwo inner joins, this one performs twoouter joins. The process behind thisquery is visually represented by thediagram in J.4. Find the users that have had the fivemost recent postings, while also selectingthe message subject, and the forumname M:SELECT u.username, m.subject, f.nameFROM users AS uINNER JOIN messages AS mUSING (user_id)INNER JOIN forums AS fUSING (forum_id)ORDER BY m.date_entered DESCLIMIT 5;In order to retrieve the username,the message subject, and the forumname, a join across all three tables isrequired. As the query is only lookingfor users that have posted, an inner joinis appropriate. The result of the twojoins will be every username, with everymessage they posted, in every forum.That result is then ordered by themessage’s date_entered column, andlimited to just the first five records.Advanced SQL and MySQL 213

Grouping SelectedResultsChapter 5 discussed and demonstratedseveral different categories of functionsone can use in MySQL. Another category,used for more complex queries, are thegrouping or aggregate functions (Table 7.1).Whereas most of the functions coveredin Chapter 5 manipulate a single value ina single row at a time (e.g., formatting thevalue in a date column), what the groupingfunctions return is based upon a valuepresent in a single column over a set ofrows. For example, to find the averageaccount balance in the banking database,you would run this query A:SELECT AVG(balance) FROM accountsTo find the smallest and largest accountbalances, use B:SELECT MAX(balance), MIN(balance)➝ FROM accountsTo simply count the number of records ina table (or result set), apply COUNT( ) toeither every column or every column that’sguaranteed to have a value:SELECT COUNT(*) FROM accountsTABLe 7.1 Grouping FunctionsFunctionAVG( )COUNT( )GROUP_CONCAT( )MAX( )MIN( )SUM( )ReturnsThe average of the valuesin a column.The number of values ina column.The concatenation of acolumn’s values.The largest value ina column.The smallest value ina column.The sum of all the values ina column.A The AVG( ) function is used to find the averageof all the account balances.B The MAX( ) and MIN( ) functions return thelargest and smallest account values found inthe table.214 Chapter 7

C The COUNT( ) function, with or without theDISTINCT keyword, simply counts the numberof records in a record set.D Use the GROUP BY clause with an aggregatingfunction to group the aggregate results.The AVG( ), COUNT( ), and SUM( ) functionscan also use the DISTINCT keyword sothat the aggregation only applies todistinct values. For example, SELECTCOUNT(customer_id) FROM accountswill return the number of accounts, butSELECT COUNT(DISTINCT customer_ID)FROM accounts will return the number ofcustomers that have accounts C.The aggregate functions as used on theirown return individual values (as in A, B,and C). When the aggregate functionsare used with a GROUP BY clause, a singleaggregate value will be returned for eachrow in the result set D:SELECT AVG(balance), customer_id FROM➝ accounts GROUP BY customer_idYou can apply combinations of WHERE,ORDER BY, and LIMIT conditions to a GROUPBY, structuring your query like this:SELECT what_columns FROM tableWHERE condition GROUP BY columnORDER BY column LIMIT x, yA GROUP BY clause can also be used in ajoin. Remember that a join returns a new,virtual table of data, so any grouping wouldthen apply to that virtual table.Advanced SQL and MySQL 215

To group data:1. Connect to MySQL and select thebanking database.2. Count the number of registeredcustomers E:SELECT COUNT(*) FROM customers;COUNT( ) is perhaps the most populargrouping function. With it, you canquickly count records, like the numberof records in the customers table here.The COUNT( ) function can be appliedto any column that’s certain to have avalue, such as * (i.e., every column) orcustomer_id, the primary key.Notice that not all queries using theaggregate functions necessarily haveGROUP BY clauses.3. Find the total balance of all accountsby customer, counting the number ofaccounts in the process F:SELECT SUM(balance) AS Total,COUNT(account_id) AS Number,➝ customer_idFROM accountsGROUP BY (customer_id);This query is an extension of that inStep 2, but instead of counting just thecustomers, it counts the number ofaccounts associated with each customerand totals the account balances, too.4. Repeat the query from Step 3, selectingthe customer’s name instead of theirID G:SELECT SUM(balance) AS Total,COUNT(account_id) AS Number,CONCAT(c.last_name, ', ',➝ c.first_name) AS NameFROM accounts AS aINNER JOIN customers AS cUSING (customer_id)GROUP BY (a.customer_id)ORDER BY Name;To retrieve the customer’s name,instead of his or her ID, a join isrequired: INNER JOIN customersUSING (customer_id). Next, aliases areadded for easier references, and theGROUP BY clause is modified to specifyto which customer_id field the groupingshould be applied. Thanks to the join,the customer’s name can be selectedas the concatenation of the customer’sfirst and last names, a comma, and aspace. And finally, the results can besorted by the customer’s name (notethat another reference to the alias isused in the ORDER BY clause).E This aggregating query counts the number ofrecords in the customers table.F This GROUP BY query aggregates all of theaccounts by customer_id, returning the sum ofeach customer’s accounts and the total numberof accounts the customer has, in the process.216 Chapter 7

Remember that if you used an outer joininstead of an inner join, you could thenretrieve customers who did not haveaccount balances.5. Concatenate each customer’s balanceinto a single string H:SELECT GROUP_CONCAT(balance),CONCAT(c.last_name, ', ',➝ c.first_name) AS NameFROM accounts AS aINNER JOIN customers AS cUSING (customer_id)GROUP BY (a.customer_id)ORDER BY Name;The GROUP_CONCAT( ) function is a usefuland often overlooked aggregating tool.As you can see in the figure, by defaultthis function concatenates values,separating each with a comma.NULL is a peculiar value, and it’sinteresting to know that GROUP BY willgroup NULL values together, since theyhave the same nonvalue.You have to be careful how you apply theCOUNT( ) function, as it only counts non-NULLvalues. Be certain to use it on either every column(*) or on columns that will never containNULL values (like the primary key).The GROUP BY clause, and the functionslisted here, take some time to figure out, andMySQL will report an error whenever yoursyntax is inapplicable. Experiment within themysql client or phpMyAdmin to determine theexact wording of any query you might want torun from a PHP script.A related clause is HAVING, which is likea WHERE condition applied to a group.You cannot apply SUM( ) and AVG( )to date or time values. Instead, you’ll needto convert date and time values to seconds,perform the SUM( ) or AVG( ), and then convertthat value back to a date and time.G This GROUP BY queryis like that in F, but alsoreturns the customer’s name,and sorts the results byname (which requires a join).H A variation onthe query in G, thisquery retrieves theconcatenation of allaccount balances foreach customer.Advanced SQL and MySQL 217

Advanced SelectionsThe previous two sections of the chapterpresent more advanced ways to selectdata from complex structures. But evenwith the use of the aggregate functions,the data being selected is comparativelystraightforward. Sometimes, though, you’llneed to select data conditionally, as ifyou were using an if-else clause withinthe query itself. This is possible in SQLthanks to the control flow and advancedcomparison functions.To start, GREATEST( ) returns the largestvalue in a list A:SELECT GREATEST(col1, col2) FROM tableSELECT GREATEST(235, 1209, 59)LEAST( ) returns the smallest value in a list:SELECT LEAST(col1, col2) FROM tableSELECT LEAST(235, 1209, 59)Note that unlike the aggregate functions,which apply to a list of values found inthe same column over multiple rows, thecomparison and control flow functionsapply to multiple columns within the samerow (or list of values).Another useful comparison function isCOALESCE( ). It returns the first non-NULLvalue in a list:SELECT COALESCE(col1, col2) FROM tableIf none of the listed items has a value,the function returns NULL (you’ll see anexample in the step sequence to follow).Whereas COALESCE( ) simply returns thefirst non-NULL value, you can use IF( ) toreturn any value, based upon a condition:SELECT IF (condition, return_if _true,➝ return_if _false)If the condition is true, the secondargument to the function is returned,otherwise the third argument is returned.As an example, assuming a table stored thevalues M or F in a gender column, a querycould select Male or Female instead B:SELECT IF(gender='M', 'Male', 'Female')➝ FROM people;As these functions return values, theycould even be used in other query types:INSERT INTO people (gender) VALUES➝ (IF(something='Male', 'M', 'F'))A The GREATEST( ) function returns thebiggest value in a given list.B The IF( ) function can dictate the returnedvalue based upon a conditional.218 Chapter 7

C CASE( ) can be used like IF( ) tocustomize the returned value.The CASE( ) function is a more complicatedtool that can be used in different ways. Thefirst approach is to treat CASE( ) like PHP’sswitch conditional:SELECT CASE col1 WHEN value1 THEN➝ return_this ELSE return_that END➝ FROM tableThe gender example could be rewritten as:SELECT CASE gender WHEN 'M' THEN➝'Male' ELSE 'Female' END FROM peopleThe CASE( ) function can have additionalWHEN clauses. The ELSE is also alwaysoptional:SELECT CASE gender WHEN 'M' THEN➝'Male' WHEN 'F' THEN 'FEMALE' END➝ FROM peopleIf you’re not looking to perform a simpleequality test, you can write conditions intoa CASE( ) C:SELECT message_id, CASE WHEN➝ date_entered > NOW( ) THEN 'Future'➝ ELSE 'PAST' END AS Posted FROM➝ messagesAgain, you can add multiple WHEN…THENclauses as needed, and omit the ELSE, ifthat’s not necessary.To practice using these functions, let’s runa few more queries on the forum database(as a heads up, they’re going to get a littlecomplicated).Advanced SQL and MySQL 219

To perform advanced selections:1. Connect to MySQL and select theforum database.2. For each forum, find the date and timeof the most recent post, or return N/A ifthe forum has no posts D:SELECT f.name,COALESCE(MAX(m.date_entered),➝'N/A') AS last_postFROM forums AS fLEFT JOIN messages AS mUSING (forum_id)GROUP BY (m.forum_id)ORDER BY m.date_entered DESC;To start, in order to find both the forumname and the date of the latest postingin that forum, a join is necessary.Specifically, an outer join, as there maybe forums without postings. To find themost recent posting in each forum, theaggregating MAX( ) function is applied tothe date_entered column, and the resultshave to be grouped by the forum_id (sothat MAX( ) is applied to each subset ofpostings within each forum).The results at that point, withoutthe COALESCE( ) function call, wouldreturn NULL for any forum without anymessages in it. The final step is to applyCOALESCE( ) so that the string N/A isreturned should MAX(m.date_entered)have a NULL value.3. For each message, append the string(REPLY) to the subject if the message isa reply to another message E:SELECT message_id,CASE parent_id WHEN 0 THEN subjectELSE CONCAT(subject, ' (Reply)')➝ END AS subjectFROM messages;D The COALESCE( ) function is used to turn NULLvalues into the string N/A (see the last record).E Here, the string (Reply) is appended to thesubject of any message that is a reply to anothermessage.220 Chapter 7

The records in the messages tablesthat have a parent_id other than 0are replies to existing messages. Forthese messages, let’s append (REPLY)to the subject value to indicate such.To accomplish that, a CASE statementreturns just the subject, unadulterated,if the parent_id value equals 0. If theparent_id value does not equal 0, thestring (REPLY) is concatenated to thesubject, again thanks to CASE. Thiswhole construct is assigned the alias ofsubject, so it’s still returned under theoriginal “subject” heading.4. For each user, find the number of messagesthey’ve posted, converting zerosto the string None F:SELECT u.username,IF(COUNT(message_id) > 0,➝ COUNT(message_id), 'None') AS➝ PostsFROM users AS uLEFT JOIN messages AS mUSING (user_id)GROUP BY (u.user_id);This is somewhat of a variation onthe query in Step 2. A left join bridgesusers and messages, in order to grabboth the username and the count ofmessages posted. To perform thecount, the results are grouped by users.user_id. The query to this point wouldreturn 0 for every user that has not yetposted G. To convert those zeros tothe string None, while maintaining thenon-zero counts, the IF( ) function isapplied. That function’s first argumentestablishes the condition: if the countis greater than zero. The secondargument says that the count shouldbe returned when that condition is true.The third argument says that the stringNone should be returned when thatcondition is false.The IFNULL( ) function can sometimesbe used instead of COALESCE( ). Its syntax is:IFNULL(value, return_if_null)If the first argument, such as a named column,has a NULL value, then the second argumentis returned. If argument does not have a NULLvalue, the value of that argument is returned.F Thanks to an IF( ) call, the count of postedmessages is displayed as None for any user thathas not yet posted a message.G What the query results would look like(compare with F ) without using IF( ).Advanced SQL and MySQL 221

performing FuLLTexTSearchesIn Chapter 5, the LIKE keyword wasintroduced as a way to perform somewhatsimple string matches likeSELECT * FROM usersWHERE last_name LIKE 'Smith%'This type of conditional is effective enoughbut is still very limiting. For example, itwould not allow you to do Google-likesearches using multiple words. For thosekinds of situations, you need FULLTEXTsearches. Over the next several pages,Altering TablesThe ALTER SQL term is primarily used to modify the structure of an existing table. Commonlythis means adding, deleting, or changing the columns therein, but it also includes the additionof indexes. An ALTER statement can even be used for renaming the table as a whole. The basicsyntax of ALTER isALTER TABLE tablename CLAUSEThere are many possible clauses; Table 7.2 lists the most common ones, where t represents thetable’s name, c a column’s name, and i an index’s name. As always, the MySQL manual covers thetopic in exhaustive detail.TABLe 7.2 ALTER TABLE ClausesClause Usage MeaningADD COLUMN ALTER TABLE t ADD COLUMN c TYPE Adds a new column to the table.CHANGE COLUMN ALTER TABLE t CHANGE COLUMN c c TYPE Changes the data type and propertiesof a column.DROP COLUMN ALTER TABLE t DROP COLUMN c Removes a column from a table,including all of its data.ADD INDEX ALTER TABLE t ADD INDEX i (c) Adds a new index on c.DROP INDEX ALTER TABLE t DROP INDEX i Removes an existing index.RENAME TO ALTER TABLE t RENAME TO new_t Changes the name of a table.You can also change a table’s character set and collation using ALTER t CONVERT TO CHARACTERSET x COLLATE y.222 Chapter 7

you’ll learn everything you need to knowabout FULLTEXT searches (and you’ll learnsome more SQL tricks in the process).Creating a FuLLTexT indexTo start, FULLTEXT searches requirea FULLTEXT index. This index type, aspreviewed in Chapter 6, “Database Design,”can only be created on a MyISAM table.These next examples will use the messagestable in the forum database. The first step,then, is to add a FULLTEXT index on thebody and subject columns. Adding indexesto existing tables requires use of the ALTERcommand, as described in the sidebar.A To confirm a table’s type, use the SHOW TABLESTATUS command.To add a FuLLTexT index:1. Connect to MySQL and select theforum database, if you have not already.2. Confirm the messages table’s type A:SHOW TABLE STATUS\GThe SHOW TABLE STATUS query returnsa fair amount of information abouteach table in the database, includingthe table’s storage engine. Becauseso much information is returned by thequery, the command concludes with\G instead of a semicolon. This tellsthe mysql client to return the results asa vertical list instead of a table (whichis sometimes easier to read). If you’reusing phpMyAdmin or another interface,you can omit the \G (just as you canomit concluding semicolons).To just find the information for themessages table, you can use the querySHOW TABLE STATUS LIKE 'messages'.continues on next pageAdvanced SQL and MySQL 223

3. If the messages table is not of theMyISAM type, change the storage engine:ALTER TABLE messages ENGINE =➝ MyISAM;Again, this is only necessary if the tableisn’t currently of the correct type.4. Add the FULLTEXT index to the messagestable B:ALTER TABLE messages ADD FULLTEXT➝ (body, subject);The syntax for adding any index,regardless of type, is ALTER TABLEtablename ADD INDEX_TYPE index_name (columns). The index nameis optional.Here, the body and subject columnsget a FULLTEXT index, to be used inFULLTEXT searches later in this chapter.Inserting records into tables withFULLTEXT indexes can be much slowerbecause of the complex index that’s required.FULLTEXT searches can successfully beused in a simple search engine. But a FULLTEXTindex can only be applied to a single table at atime, so more elaborate Web sites, with contentstored in multiple tables, would benefit fromusing a more formal search engine.performing Basic FuLLTexT SearchesOnce you’ve established a FULLTEXT indexon a column or columns, you can startquerying against it, using MATCH…AGAINSTin a WHERE conditional:SELECT * FROM tablename WHERE MATCH(columns) AGAINST (terms)MySQL will return matching rows in orderof a mathematically calculated relevance,just like a search engine. When doing so,certain rules apply:nnnnStrings are broken down into theirindividual keywords.Keywords less than four characters longare ignored.Very popular words, called stopwords,are ignored.If more than 50 percent of the recordsmatch the keywords, no records arereturned.This last fact is problematic to many usersas they begin with FULLTEXT searches andwonder why no results are returned. Whenyou have a sparsely populated table, therejust won’t be sufficient records for MySQLto return relevant results.B The FULLTEXT index is added to the messages table.224 Chapter 7

To perform FuLLTexT searches:1. Connect to MySQL and select theforum database, if you have not already.2. Thoroughly populate the messagestable, focusing on adding lengthy bodies.Once again, SQL INSERT commandscan be downloaded from this book’scorresponding Web site.3. Run a simple FULLTEXT search on theword database C:SELECT subject, body FROM messagesWHERE MATCH (body, subject)AGAINST('database');This is a very simple example that willreturn some results as long as at leastone and less than 50 percent of therecords in the messages table havethe word “database” in their bodyor subject. Note that the columnsreferenced in MATCH must be the sameas those on which the FULLTEXT indexwas made. In this case, you could useeither body, subject or subject,body, but you could not use just bodyor just subject D.continues on next pageC A basic FULLTEXT search.D A FULLTEXT query can only be run on the same column or combination of columns thatthe FULLTEXT index was created on. With this query, even though the combination of bodyand subject has a FULLTEXT index, attempting to run the match on just subject will fail.Advanced SQL and MySQL 225

4. Run the same FULLTEXT search whilealso showing the relevance E:SELECT subject, body, MATCH (body,subject) AGAINST('database') AS RFROM messages WHERE MATCH (body,➝ subject) AGAINST('database')\GIf you use the same MATCH…AGAINSTexpression as a selected value, theactual relevance will be returned. As inthe previous section of the chapter, tomake the results easier to view in themysql client, the query is terminatedusing \G, thereby returning the resultsas a vertical list.5. Run a FULLTEXT search using multiplekeywords F:SELECT subject, body FROM messagesWHERE MATCH (body, subject)AGAINST('html xhtml');With this query, a match will be madeif the subject or body contains eitherword. Any record that contains bothwords will be ranked higher.Remember that if a FULLTEXT searchreturns no records, this means that either nomatches were made or that over half of therecords match.For sake of simplicity, all of the queries inthis section are simple SELECT statements. Youcan certainly use FULLTEXT searches withinjoins or more complex queries.MySQL comes with several hundredstopwords already defined. These are partof the application’s source code.The minimum keyword length—fourcharacters by default—is a configurationsetting you can change in MySQL.FULLTEXT searches are case-insensitiveby default.E The relevance of a FULLTEXTsearch can be selected, too. Inthis case, you’ll see that the tworecords with the word “database”in both the subject and bodyhave higher relevance than therecord that contains the word injust the subject.F Using the FULLTEXT search, you can easily find messages that contain multiple keywords.226 Chapter 7

performing BooleanFuLLTexT SearchesThe basic FULLTEXT search is nice, but amore sophisticated FULLTEXT search canbe accomplished using its Boolean mode.To do so, add the phrase IN BOOLEAN MODEto the AGAINST clause:SELECT * FROM tablename WHEREMATCH(columns) AGAINST('terms' IN➝ BOOLEANMODE)Boolean mode has a number of operators(Table 7.3) to tweak how each keywordis treated:SELECT * FROM tablename WHEREMATCH(columns) AGAINST('+database-mysql' IN BOOLEAN MODE)In that example, a match will be made ifthe word database is found and mysql isnot present. Alternatively, the tilde (~) isused as a milder form of the minus sign,meaning that the keyword can be presentin a match, but such matches should beconsidered less relevant.TABLe 7.3 Boolean Mode OperatorsOperatorMeaning+ Must be present in every match- Must not be present in any match~ Lowers a ranking if present* Wildcard< Decrease a word’s importance> Increase a word’s importance" " Must match the exact phrase( ) Create subexpressionsThe wildcard character (*) matchesvariations on a word, so cata* matchescatalog, catalina, and so on. Twooperators explicitly state what keywordsare more (>) or less (

To perform FuLLTexTBoolean searches:1. Connect to MySQL and select theforum database, if you have not already.2. Run a simple FULLTEXT search thatfinds HTML, XHTML, or (X)HTML G:SELECT subject, body FROMmessages WHERE MATCH(body, subject)AGAINST('*HTML' IN BOOLEAN MODE)\GThe term HTML may appear in messagesin many formats, including HTML,XHTML, or (X)HTML. This Booleanmode query will find all of those, thanksto the wildcard character (*).To make the results easier to view,I’m using the \G trick mentioned earlierin the chapter, which tells the mysqlclient to return the results vertically,not horizontally.3. Find matches involving databases,with an emphasis on normal forms H:SELECT subject, body FROM messagesWHERE MATCH (body, subject)AGAINST('>"normal form"* +database*'IN BOOLEAN MODE)\GG A simple Boolean-mode FULLTEXT search.H This search looks for variations on two different keywords, ranking the one higher thanthe other.228 Chapter 7

This query first finds all records thathave database, databases, etc. andnormal form, normal forms, etc. inthem. The database* term is required(as indicated by the plus sign), butemphasis is given to the normal formclause (which is preceded by thegreater-than sign).4. Repeat the query from Step 2, with agreater importance on XHTML, returningthe results in order of relevance I:SELECT subject, body, MATCH(body,➝ subject)AGAINST('*HTML >XHTML' IN BOOLEAN➝ MODE) AS R FROMmessages WHERE MATCH(body, subject)AGAINST('*HTML >XHTML' IN BOOLEAN➝ MODE) ORDER BY R DESC\GThis is similar to the earlier query, butnow XHTML is specifically given extraweight. This query additionally selectsthe calculated relevance, and theresults are returned in that order.MySQL 5.1.7 added another FULLTEXTsearch mode: natural language. This is thedefault mode, if no other mode (like Boolean)is specified.The WITH QUERY EXPANSION modifiercan increase the number of returned results.Such queries perform two searches and returnone result set. It bases a second search onterms found in the most relevant results of theinitial search. While a WITH QUERY EXPANSIONsearch can find results that would not otherwisehave been returned, it can also returnresults that aren’t at all relevant to the originalsearch terms.I This modified version of an earlier query selects, and then sorts the results by,the relevance.Advanced SQL and MySQL 229

optimizing QueriesOnce you have a complete and populateddatabase, and have a sense as to whatqueries will commonly be run on it, it’s agood idea to take some steps to optimizeyour queries and your database as awhole. Doing so will ensure you’re gettingthe best possible performance out ofMySQL (and therefore, your Web site)To start, the sidebar reemphasizes keydesign ideas that have already beensuggested in this book. Along with thesetips, there are two simple techniques foroptimizing existing tables. One way toimprove MySQL’s performance is to runan OPTIMIZE command on occasion. Thisquery will rid a table of any unnecessaryoverhead, thereby improving the speedof any interactions with it:OPTIMIZE TABLE tablenameRunning this command is particularlybeneficial after changing a table via anALTER command, or after a table has hadlots of DELETE queries run on it, leavingvirtual gaps among the records.Second, you can occasionally use theANALYZE command:ANALYZE TABLE tablenameExecuting this command updates theindexes on the table, thereby improvingtheir usage in queries. You could execute itwhenever massive amounts of data storedin the table changes (e.g., via UPDATE orINSERT commands).Speaking of queries, as you’re probablyrealizing by now, there are often manydifferent ways of accomplishing thesame goal. To find out the most efficientapproach, it helps to understand howexactly MySQL will run that query. Thiscan be accomplished using the EXPLAINSQL keyword. Explaining queries is avery advanced topic, but I’ll introduce thefundamentals here, and you can alwayssee the MySQL manual or search the Webfor more information.Database optimizationThe performance of your database is primarily dependent upon its structure and indexes. Whencreating databases, try to.Choose the best storage engine.Use the smallest data type possible for each column.Define columns as NOT NULL whenever possible.Use integers as primary keys.Judiciously define indexes, selecting the correct type and applying them to the right columnor columns.Limit indexes to a certain number of characters, if possible.Avoid creating too many indexes.Make sure that columns to be used as the basis of joins are of the same type and, in the caseof strings, use the same character set and collation230 Chapter 7

To explain a query:1. Find a query that may beresource-intensive.Good candidates are queries that doany of the following:> Join two or more tables> Use groupings and aggregatefunctions> Have WHERE clauses.For example, this query from earlier inthe chapter meets two of these criteria:SELECT SUM(balance) AS Total,COUNT(account_id) AS Number,➝ CONCAT(c.last_name, ', ',➝ c.first_name) AS NameFROM accounts AS a INNER➝ JOIN customers AS c USING➝ (customer_id)GROUP BY (a.customer_id) ORDER BY➝ Name;2. Connect to MySQL and select the applicabledatabase, if you have not already.3. Execute the query on the database,prefacing it with EXPLAIN A:EXPLAIN SELECT SUM(balance) AS➝ Total,COUNT(account_id) AS Number,➝ CONCAT(c.last_name, ', ',➝ c.first_name) AS NameFROM accounts AS a INNER JOIN➝ customers AS c USING (customer_id)GROUP BY (a.customer_id) ORDER BY➝ Name\GIf you’re using the mysql client, you’ll findit also helps to use the concluding \Gtrick (instead of the semicolon), to makethe output more legible. The output itselfwill be one row of information for everytable used in the query. The tables arelisted in the same order that MySQLmust access them to execute the query.I’ll walk through the key parts of theoutput, but to begin, the select_typevalue should be SIMPLE for mostSELECT queries, and would be differentif the query involves a UNION or subquery(see the MySQL manual for moreon either UNIONs or subqueries).continues on next pageA This EXPLAINoutput reveals howMySQL will go aboutprocessing the query.Advanced SQL and MySQL 231

4. Check out the type value.Table 7.4 lists the different type values,from best to worst. The MySQL manualdiscusses what each means in detailbut understand first that eq_ref is thebest you’ll commonly see and ALL isthe worst. A type of eq_ref means thatan index is being properly used and anequality comparison is being made.Note that you’ll sometimes see ALLbecause the table has very few recordsin it, in which case it’s more efficient forMySQL to scan the table rather thanuse an index. This is presumably thecase with A, as the accounts table onlyhas four records.5. Check out the possible_keys value.The possible_keys value indicateswhich indexes exist that MySQLmight be able to use to find thecorresponding rows in this table. If youhave a NULL value here, there are noindexes that MySQL thinks would beuseful. Therefore, you might benefitfrom creating an index on that table’sapplicable columns.6. Check out the key, key_len, andref values.Whereas possible_keys indicates whatindexes might be usable, key says whatindex MySQL will actually use for thatquery. Occasionally, you’ll find a valuehere that’s not listed in possible_keys,which is okay. If no key is being used,that almost always indicates a problemthat can be remedied by adding anindex or modifying the query.The key_len value indicates the length(i.e., the size) of the key that MySQLused. Generally, shorter is better here,but don’t worry about it too much.TABLe 7.4 Join TypesTypesystemconsteq _refreffulltextref_or_nullindex_mergeunique_subqueryindex_subqueryrangeindexALLThe ref column indicates which columnsMySQL compared to the index namedin the key column.7. Check out the rows value.This column provides an estimate of howmany rows in the table MySQL thinks itwill need to examine. Once again, lower isbetter. In fact, on a join, a rough estimateof the efficiency can be determined bymultiplying all the rows values together.Often in a join, the number of rows tobe examined should go from more toless, as in B.8. Check out the Extra value.Finally, this column reports any additionalinformation about how MySQLwill execute the query that may beuseful. Two phrases you don’t want tofind here are: Using filesort and Usingtemporary. Both mean that extra stepsare required to complete the query(e.g., a GROUP BY clause often requiresMySQL creates a temporary table).232 Chapter 7

B Another explanation of a query, this one a joinacross three tables.If Extra says anything along the lines ofImpossible X or No matching Y, thatmeans your query has clauses that arealways false and can be removed.9. Modify your table or queries and repeat!If the output suggests problems withhow the query is being executed, youcan consider doing any of the following:> Changing the particulars of the query> Changing the properties of a table’scolumns> Adding or modifying a table’s indexesRemember that the validity of theexplanation will depend, in part, onhow many rows are in the involvedtables (as explained in Step 4, MySQLmay skip indexes for small tables).Also understand that not all queriesare fixable. Simple SELECT queries andeven joins can sometimes be improved,but there’s little one can do to improvethe efficiency of a GROUP BY query,considering everything MySQL mustdo to aggregate data.The EXPLAIN EXTENDED commandprovides a few more details about a query:EXPLAIN EXTENDED SELECT…Problematic queries can also be found byenabling certain MySQL logging features, butthat requires administrative control over theMySQL server.In terms of performance, MySQL dealswith more, smaller tables better than it doesfewer, larger tables. That being said, a normalizeddatabase structure should always be theprimary goal.In MySQL terms, a “big” database hasthousands of tables and millions of rows.Advanced SQL and MySQL 233

performingTransactionsA database transaction is a sequenceof queries run during a single session.For example, you might insert a recordinto one table, insert another record intoanother table, and maybe run an update.Without using transactions, each individualquery takes effect immediatelyand cannot be undone (the queries, bydefault, are automatically committed). Withtransactions, you can set start and stoppoints and then enact or retract all of thequeries between those points as needed(for example, if one query failed, all of thequeries can be undone).Commercial interactions commonly requiretransactions, even something as basic astransferring $100 from my bank account toyours. What seems like a simple process isactually several steps:nConfirm that I have $100 in my account.n Decrease my account by $100.nnnVerify the decrease.Increase the amount of money in youraccount by $100.Verify that the increase worked.If any of the steps failed, all of them shouldbe undone. For example, if the moneycouldn’t be deposited in your account, itshould be returned to mine until the entiretransaction can go through.The ability to execute transactionsdepends upon the features of the storageengine in use. To perform transactions withMySQL, you must use the InnoDB tabletype (or storage engine).To begin a new transaction in the mysqlclient, typeSTART TRANSACTION;Once your transaction has begun, youcan now run your queries. Once you havefinished, you can either enter COMMIT toenact all of the queries or ROLLBACK toundo the effect of all of the queries.After you have either committed or rolledback the queries, the transaction isconsidered complete, and MySQL returnsto an autocommit mode. This means thatany queries you execute take immediateeffect. To start another transaction, justtype START TRANSACTION.It is important to know that certain types ofqueries cannot be rolled back. Specifically,those that create, alter, truncate (empty),or delete tables or that create or deletedatabases cannot be undone. Furthermore,using such a query has the effect of committingand ending the current transaction.Second, you should understand that transactionsare particular to each connection.So one user connected through the mysqlclient has a different transaction thananother mysql client user, both of whichare different than a connected PHP script.Finally, you cannot perform transactionsusing phpMyAdmin. Each submission of aquery through phpMyAdmin’s SQL windowor tab is an individual and completetransaction, which cannot be undone withsubsequent submissions.With this in mind, let’s use transactionswith the banking database to perform thealready mentioned task. In Chapter 19,“Example— E-Commerce,” transactions willbe run through a PHP script.234 Chapter 7

To perform transactions:1. Connect to MySQL and select thebanking database.2. Begin a transaction and show thetable’s current values A:START TRANSACTION;SELECT * FROM accounts;3. Subtract $100 from David Sedaris’(or any user’s) checking account.UPDATE accountsSET balance = (balance-100)WHERE account_id=2;Using an UPDATE query, a little math, anda WHERE conditional, you can subtract100 from a balance. Although MySQLwill indicate that one row was affected,the effect is not permanent until thetransaction is committed.4. Add $100 to Sarah Vowell’s checkingaccount:UPDATE accountsSET balance = (balance+100)WHERE account_id=1;This is the opposite of Step 3, as if $100were being transferred from the oneperson to the other.5. Confirm the results B:SELECT * FROM accounts;As you can see in the figure, the onebalance is 100 more and the other is100 less than they originally were A.6. Roll back the transaction:ROLLBACK;To demonstrate how transactions can beundone, let’s undo the effects of thesequeries. The ROLLBACK command returnsthe database to how it was prior to startingthe transaction. The command alsoterminates the transaction, returningMySQL to its autocommit mode.continues on next pageA A transaction is begun and the existing tablerecords are shown.B Two UPDATE queries are executed and theresults are viewed.Advanced SQL and MySQL 235

7. Confirm the results C:SELECT * FROM accounts;The query should reveal the contents ofthe table as they originally were.8. Repeat Steps 2 through 4.To see what happens when the transactionis committed, the two UPDATEqueries will be run again. Be certain tostart the transaction first, though, or thequeries will automatically take effect!9. Commit the transaction and confirmthe results:COMMIT;SELECT * FROM accounts;Once you enter COMMIT, the entire transactionis permanent, meaning that anychanges are now in place. COMMIT alsoends the transaction, returning MySQLto autocommit mode.C Because the ROLLBACK command was used, thepotential effects of the UPDATE queries were ignored.One of the great features of transactionsis that they offer protection should a randomevent occur, such as a server crash. Either atransaction is executed in its entirety or all ofthe changes are ignored.To alter MySQL’s autocommit nature, typeSET AUTOCOMMIT=0;Then you do not need to type STARTTRANSACTION and no queries will be permanentuntil you type COMMIT (or use anALTER, CREATE, etc., query).You can create savepoints intransactions:D Invoking the COMMIT command makes thetransaction’s effects permanent.SAVEPOINT savepoint_name;Then you can roll back to that point:ROLLBACK TO SAVEPOINT savepoint_name;236 Chapter 7

Database encryptionUp to this point, pseudo-encryption hasbeen accomplished in the database usingthe SHA1( ) function. In the sitename andforum databases, the user’s passwordhas been stored after running it throughSHA1( ). Although using this function in thisway is perfectly fine (and quite common),the function doesn’t provide real encryption:the SHA1( ) function returns a representationof a value (called a hash), not anencrypted version of the value. By storingthe hashed version of some data, comparisonscan still be made later (such asupon login), but the original data cannot beretrieved from the database. If you needto store data in a protected way while stillbeing able to view the data in its originalform at some later point, other MySQLfunctions are necessary.MySQL has several encryption anddecryption functions built into the software.If you require data to be stored in anencrypted form that can be decrypted,you’ll want to use AES_ENCRYPT( ) and AES_DECRYPT( ). The AES_ENCRYPT( ) functionis considered to be the most secureencryption option.These functions take two arguments: thedata being encrypted or decrypted and asalt argument. The salt argument is a stringthat helps to randomize the encryption.Let’s look at the encryption and decryptionfunctions first, and then I’ll return to the salt.To add a record to a table while encryptingthe data, the query might look likeINSERT INTO users (username, pass)VALUES ('troutster', AES_ENCRYPT➝ ('mypass', 'nacl19874salt!'))The encrypted data returned by theAES_ENCRYPT( ) function will be in binaryformat. To store that data in a table, thecolumn must be defined as one of thebinary types (e.g., VARBINARY or BLOB).To run a login query for the record justinserted (matching a submitted usernameand password against those in thedatabase), you would writeSELECT * FROM users WHEREusername='troutster' ANDAES_DECRYPT(pass, 'nacl19874salt!') =➝'mypass'This is equivalent to:SELECT * FROM users WHEREusername = 'troutster' ANDAES_ENCRYPT('mypass', 'nacl19874salt!')➝ = passReturning to the issue of the salt, the exactsame salt must be used for both encryptionand decryption, which means that the saltmust be stored somewhere as well. Contraryto what you might think, it’s actuallysafe to store the salt in the database, evenin the same row as the salted data. This isbecause the purpose of the salt is to makethe encryption process harder to crack(specifically, by a “rainbow” attack). Suchattacks are done remotely, using bruteforce. Conversely, if someone can seeeverything stored in your database, youhave bigger problems to worry about (i.e.,all of your data has been breached).Finally, to get the maximum benefit from“salting” the stored data, each piece ofstored data should use a unique salt, andthe longer the salt the better.To put all this together, let’s add PIN andsalt columns to the banking.customerstable, and then store an encrypted versionof each customer’s PIN.Advanced SQL and MySQL 237

To encrypt and decrypt data:1. Access MySQL and select thebanking database:2. Add the two new columns to thecustomers table A:ALTER TABLE customers ADD COLUMN➝ pin VARBINARY(16) NOT NULL;ALTER TABLE customers ADD COLUMN➝ nacl CHAR(20) NOT NULL;The first column, pin, will store anencrypted version of the user’s PIN. AsAES_ENCRYPT( ) returns a binary value16 characters long, the pin column isdefined as VARBINARY(16). The secondcolumn stores the salt, which will be astring 20 characters long.3. Update the first customer’s PIN B:UPDATE customersSET nacl = SUBSTRING(MD5(RAND( )),➝ -20)WHERE customer_id=1;UPDATE customersSET pin=AES_ENCRYPT(1234, nacl)WHERE customer_id=1;The first query updates the customer’srecord, adding a salt value to thenacl column. That random valueis obtained by applying the MD5( )function to the output from theRAND( ) function. This will create astring 32 characters long, such as4b8bb06aea7f3d162ad5b4d83687e3ac.Then the last 20 characters are takenfrom this string, using SUBSTRING( ).The second query stores the customer’sPIN—1234, using the already-storednacl value as the salt.A Two columns are added to the customers table.B A record is updated, using an encryption function toprotect the PIN.238 Chapter 7

4. Retrieve the PIN in an unencryptedform C:SELECT customer_id, AES_DECRYPT(pin,nacl) AS pin FROM customersWHERE customer_id=1;This query returns the decrypted PIN forthe customer with a customer_id of 1.Any value stored using AES_ENCRYPT( )can be retrieved (and matched) usingAES_DECRYPT( ), as long as the samesalt is used.5. Check out the customer’s record withoutusing decryption D:SELECT * FROM customersWHERE customer_id=1;As you can see in the figure, theencrypted version of the PIN isunreadable.As a rule of thumb, use SHA1( ) forinformation that will never need to beviewable, such as passwords and perhapsusernames. Use AES_ENCRYPT( ) forinformation that needs to be protected butmay need to be viewable at a later date, suchas credit card information, Social Securitynumbers, addresses (perhaps), and so forth.As a reminder, never storing credit cardnumbers and other high-risk data is always thesafest option.The SHA2( ) function is an improvementover SHA1( ) and should be preferred for hashingdata. I only chose not to use it in this bookbecause SHA2( ) requires MySQL 5.5.5 or later.The same salting technique can beapplied to SHA1( ), SHA2( ), and other functions.Be aware that data sent to the MySQLserver, or received from it, could be interceptedand viewed. Better security can be had by usingan SSL connection to the MySQL database.C The record has been retrieved, decrypting thePIN in the process.D Encrypted data is stored in an unreadable format (here, as a binary string of data).Advanced SQL and MySQL 239

Review and pursueIf you have any problems with thereview questions or the pursue prompts,turn to the book’s supporting forum(www.LarryUllman.com/forums/).ReviewnnnnnnnnnnnnWhat are the two primary types of joins?Why are aliases often used with joins?Why is it considered often necessaryand at least a best practice to use thetable.column syntax in joins?What impact does the order of tablesused have on an outer join?How do you create a self-join?What are the aggregate functions?What impact does the DISTINCTkeyword have on an aggregatefunction? What impact does GROUP BYhave on an aggregate function?What kind of index is required in orderto perform FULLTEXT searches? Whattype of storage engine?What impact does it have when youconclude a SELECT query with \Ginstead of a semicolon in the mysqlclient?How do IN BOOLEAN MODE FULLTEXTsearches differ from standard FULLTEXTsearches?What commands can you use toimprove a table’s performance?How do you examine the efficiency ofa query?nnnnWhy doesn’t the forum databasesupport transactions?How do you begin a transaction? Howdo you undo the effects of a transactionin progress? How do you make theeffects of the current transactionpermanent?What kind of column type is requiredto store the output from the AES_ENCRYPT( ) function?What are the important criteria for thesalt used in the encryption process?pursuennnnnnnnCome up with more join examples forthe forum and banking databases. Performinner joins, outer joins, and joinsacross all three tables.Check out the MySQL manual pagesif you’re curious about the UNION SQLcommand or about subqueries.Perform some more grouping exerciseson the banking or forum databases.Practice running FULLTEXT searches onthe forum database.Examine other queries to see theresults.Read the MySQL manual pages, andother online tutorials, on explainingqueries and optimizing tables.Play with transactions some more.Research the subjects of salting passwordsand rainbow attacks to learnmore.240 Chapter 7

8Error Handling andDebuggingIf you’re working through this book sequentially(which would be for the best), the nextsubject to learn is how to use PHP andMySQL together. However, that process willundoubtedly generate errors, errors thatcan be tricky to debug. So before movingon to new concepts, these next few pagesaddress the bane of the programmer:errors. As you gain experience, you’ll makefewer errors and learn your own debuggingmethods, but there are plenty of tools andtechniques the beginner can use to helpease the learning process.This chapter has three main threads. Onefocus is on learning about the various kindsof errors that can occur when developingdynamic Web sites and what their likelycauses are. Second, a multitude of debuggingtechniques are taught, in a step-bystepformat. Finally, you’ll see differenttechniques for handling the errors that dooccur in the most graceful manner possible.in This ChapterError Types and Basic Debugging 242Displaying PHP Errors 248Adjusting Error Reporting in PHP 250Creating Custom Error Handlers 253PHP Debugging Techniques 258SQL and MySQL DebuggingTechniques 262Review and Pursue 264

error Types andBasic DebuggingWhen developing Web applications withPHP and MySQL, you end up with potentialbugs in one of four or more technologies.You could have HTML issues, PHP problems,SQL errors, or MySQL mistakes. The firststep in fixing any bug is finding its source.HTML problems are often the least disruptiveand the easiest to catch. You normallyknow there’s a problem when your layout isall messed up. Some steps for catching andfixing these, as well as general debugginghints, are discussed in the next section.PHP errors are the ones you’ll see mostoften, as this language will be at the heartof your applications. PHP errors fall intothree general areas:nnnSyntacticalRun-timeLogicalSyntactical errors are the most commonand the easiest to fix. You’ll see them if youmerely omit a semicolon. Such errors stopthe script from executing, and if display_errors is on in your PHP configuration, PHPwill show an error, including the line PHPthinks it’s on A. If display_errors is off,you’ll see a blank page. (You’ll learn moreabout display_errors later in this chapter.)Run-time errors include those things thatdon’t stop a PHP script from executing (likeparse errors do) but do stop the script fromdoing everything it was supposed to do.Examples include calling a function usingthe wrong number or types of parameters.With these errors, PHP will normally displaya message indicating the exact problem B(again, assuming that display_errors is on).A Parse errors—which you’ve probably seen manytimes over by now—are the most common sort ofPHP error, particularly for beginning programmers.B Misusing a function (calling it with improperparameters) will create errors during the executionof the script.The Right MentalityBefore getting much further, a wordregarding errors: they happen to thebest of us. Even the author of this herebook sees more than enough errors inhis Web development duties (but restassured that the code in this book shouldbe bug-free). Thinking that you’ll get toa skill level where errors never occur isa fool’s dream, but there are techniquesfor minimizing errors, and knowing howto quickly catch, handle, and fix errors isa major skill in its own right. So try not tobecome frustrated as you make errors;instead, bask in the knowledge thatyou’re becoming a better debugger!242 Chapter 8

The final category of error—logical—isactually the worst, because PHP won’tnecessarily report it to you. These are outand-outbugs: problems that aren’t obviousand don’t stop the execution of a script.Tricks for solving all of these PHP errorswill be demonstrated in just a few pages.SQL errors are normally a matter of syntax,and they’ll be reported when you try torun the query in MySQL. For example, I’vedone this too many times C:DELETE * FROM tablenameThe syntax is just wrong, a confusionwith the SELECT syntax (SELECT * FROMtablename). The correct syntax isDELETE FROM tablenameAgain, MySQL will raise a red flag whenyou have SQL errors, so these aren’t thatdifficult to find and fix. With modern Websites, the catch is that you don’t alwayshave static queries, but often ones dynamicallygenerated by PHP. In such cases, ifthere’s an SQL syntax problem, the issue isprobably in your PHP code.Besides reporting on SQL errors, MySQLhas its own errors to consider. An inabilityto access the database is a common oneand a showstopper at that D. You’ll also seeerrors when you misuse a MySQL functionor ambiguously refer to a column in a join.Again, MySQL will report any such error inspecific detail. Keep in mind that when aquery doesn’t return the records or otherwisehave the result you expect, that’s not aMySQL or SQL error, but rather a logical one.Toward the end of this chapter you’ll seehow to solve SQL and MySQL problems.But as you have to walk before you canrun, the next section covers the fundamentalsof debugging dynamic Web sites,starting with the basic checks you shouldmake and how to fix HTML problems.Basic debugging stepsThis first sequence of steps may seemobvious, but when it comes to debugging,missing one of these steps leads to anunproductive and extremely frustratingdebugging experience. And while I’m atit, I should mention that the best piece ofgeneral debugging advice is this:When you get frustrated, step away fromthe computer!continues on next pageC MySQL will report any errors found in the syntax of anSQL command.D An inability to connect to a MySQL server or a specific database is a common MySQL error.Error Handling and Debugging 243

I have solved almost all of the mostperplexing issues I’ve come across bytaking a break, clearing my head, andcoming back to the code with fresh eyes.Readers in the book’s supporting forum(www.LarryUllman.com/forums/) havefrequently found this to be true as well.Trying to forge ahead when you’re frustratedtends to make things worse. Much worse.To begin debugging any problem:nnMake sure that you are running theright page.It’s altogether too common that you try tofix a problem and no matter what you do,it never goes away. The reason: you’veactually been editing a different pagethan you thought. So verify that the nameand location of the file being executedmatches that of the file you’re editing. Inthis regard, using an all-in-one IDE, suchas Adobe Dreamweaver (www.adobe.com/go/dreamweaver), is an advantage.Make sure that you have saved yourlatest changes.nAn unsaved document will continueto have the same problems it hadbefore you edited it (because the editshaven’t been enacted). One of themany reasons I like the TextMate (www.macromates.com) text editor is that itautomatically saves every documentwhen the application loses focus.Make sure that you run all PHP pagesthrough the URL.Because PHP works through a Webserver (Apache, IIS, etc.), runningany PHP code requires that youaccess the page through a URL(http://www.example.com/page.phpor http://localhost/page.php). Ifyou double-click a PHP page to openit in a browser (or use the browser’sFile > Open option), you’ll see the PHPcode, not the executed result. Thisalso occurs if you load an HTML pagewithout going through a URL (which willwork on its own) but then submit theform to a PHP page E.E PHP code will only beexecuted if run througha URL. This means thatforms that submit to aPHP page must also beloaded through http://.244 Chapter 8

nKnow what versions of PHP and MySQLyou are running.Some problems are specific to a certainversion of PHP or MySQL. For example,some functions are added in laterversions of PHP, and MySQL addedsignificant new features in versions 4,4.1, and 5. Run a phpinfo( ) script F,(see Appendix A, “Installation,” for ascript example) and open a mysql clientsession G to determine this information.phpMyAdmin will often report onthe versions involved as well (but don’tconfuse the version of phpMyAdmin,which will likely be 3.something, withthe versions of PHP or MySQL).nnI consider the versions being used to besuch an important, fundamental pieceof information that I won’t normallyassist people looking for help until theyprovide this information!Know what Web server you are running.Similarly, some problems and featuresare unique to your Web serving application—Apache,IIS, or Abyss. You shouldknow which one you are using, andwhich version, from when you installedthe application. If you’re using a Webhost, the hosting company can provideyou with this information.Try executing pages in a differentWeb browser.Every Web developer should haveand use at least two Web browsers. Ifyou test your pages in different ones,you’ll be able to see if the problem hasto do with your script or a particularbrowser. Normally, only HTML and CSSproblems can arise (or disappear) whenyou switch browsers; rarely will PHP, letalone MySQL or SQL, errors be browserspecific.continues on next pageF A phpinfo( ) script is one of your best tools fordebugging, informing you of the PHP version andhow it’s configured.G When you connect to a MySQL server, it will let you know the version number in use.Error Handling and Debugging 245

nIf possible, try executing the page usinga different Web server, version of PHP,and/or version of MySQL.PHP and MySQL errors sometimes stemfrom particular configurations and versionson one server. If something workson one server but not another, thenyou’ll know that the script isn’t inherentlyat fault. From there it’s a matterof using phpinfo( ) scripts to see whatserver settings may be different.If taking a break is one thing you shoulddo when you become frustrated, here’s whatyou shouldn’t do: send off one or multiplepanicky and persnickety emails to a writer, toa newsgroup or mailing list, or to anyone else.When it comes to asking for free help fromstrangers, patience and pleasantries garnermuch better and faster results.For that matter, I would strongly adviseagainst randomly guessing at solutions. I’veseen far too many people only complicate mattersfurther by taking stabs at solutions, withouta full understanding of what the attemptedchanges should or should not do.There’s another different realm of errorsthat you could classify as usage errors: whatgoes wrong when the site’s user doesn’t dowhat you thought they would. As a goldenrule, write your code so that it doesn’t breakeven if the user doesn’t do anything right ordoes everything wrong! In other words, makeno assumptions. There’s a quote from DougLinder that applies here: “A good programmeris someone who looks both ways before crossinga one-way street.”Debugging HTMLDebugging HTML is relatively easy. Thesource code is very accessible, most problemsare overt, and attempts at fixing theHTML don’t normally make things worse(as can happen with PHP). Still, there aresome basic steps you should follow to findand fix an HTML problem.To debug an HTML error:nCheck the source code.If you have an HTML problem, you’llalmost always need to check the sourcecode of the page to find it. How youview the source code depends uponthe browser being used, but normallyit’s a matter of using something likeView > Page Source or View > Source.n Use a validation tool H.nValidation tools, like the one at http://validator.w3.org, are great for findingmismatched tags, broken tables, andother problems.Use Firefox.I’m not trying to start a discussion onwhich is the best Web browser, andas Internet Explorer is (still!) the mostused one, you’ll need to eventually testusing it, but I personally find that Firefox(available for free from www.mozilla.com) is the best Web browser for Webdevelopers. Firefox offers reliability anddebugging features not available inother browsers. If you want to stick withIE or Safari for your day-to-day browsing,that’s up to you, but when doingWeb development, turn to Firefox.n Use Firefox’s add-on widgets I.Besides being just a great Web browser,the very popular Firefox browser has aton of features that the Web developerwill appreciate. Furthermore, you canexpand Firefox’s functionality by installingany of the free widgets that areavailable. The Web Developer widgetin particular provides quick access togreat tools, such as showing a table’sborders, revealing the CSS, validatinga page, and more. I also frequently usethese add-ons: Firebug, DOM Inspector,and HTML Validator, among others.246 Chapter 8

nTest the page in another browser.PHP code is generally browser-independent,meaning you’ll get consistent resultsregardless of the client. Not so withHTML. Sometimes a particular browserhas a quirk that affects the renderedpage. Running the same page in anotherbrowser is the easiest way to know if it’san HTML problem or a browser quirk.H Validation tools like the one provided by theW3C (World Wide Web Consortium) are good forfinding problems and making sure your HTMLconforms to standards.The first step toward fixing any kind ofproblem is understanding what’s causing it.Remember the role each technology—HTML,PHP, SQL, and MySQL—plays as you debug. Ifyour page doesn’t look right, that’s an HTMLproblem. If your HTML is dynamically generatedby PHP, it’s still an HTML problem, but you’llneed to work with the PHP code to make it right.I Firefox’s Web Developer widget provides quickaccess to lots of useful tools.Book errorsIf you’ve followed an example in this book and something’s not working right, what should you do?1. Double-check your code or steps against those in the book.2. Use the index at the back of the book to see if I reference a script or function in an earlier page(you may have missed an important usage rule or tip).3. View the PHP manual for a specific function to see if it’s available in your version of PHP and toverify how the function is used.4. Check out the book’s errata page (through the supporting Web site, www.LarryUllman.com) tosee if an error in the code does exist and has been reported. Don’t post your particular problemthere yet, though!5. Triple-check your code and use all the debugging techniques outlined in this chapter.6. Search the book’s supporting forum to see if others have had this problem and if a solution hasalready been determined.7. If all else fails, use the book’s supporting forum to ask for assistance. When you do, make sureyou include all the pertinent information (version of PHP, version of MySQL, the debuggingsteps you took and what the results were, etc.).Error Handling and Debugging 247

Displaying pHp errorsPHP provides remarkably useful anddescriptive error messages when thingsgo awry. Unfortunately, PHP doesn’t showthese errors when running using its defaultconfiguration. This policy makes sense forlive servers, where you don’t want the endusers seeing PHP-specific error messages,but it also makes everything that muchmore confusing for the beginning PHPdeveloper. To be able to see PHP’s errors,you must turn on the display_ errors directive,either in an individual script or for thePHP configuration as a whole.To turn on display_errors in a script, usethe ini_set( ) function. As its arguments,this function takes a directive name andwhat setting that directive should have:ini_set('display_errors', 1);Including this line in a script will turn ondisplay_errors for that script. The onlydownside is that if your script has a syntaxerror that prevents it from running at all,then you’ll still see a blank page. To havePHP display errors for the entire server,you’ll need to edit its configuration, as isdiscussed in the “Configuring PHP” sectionof Appendix A.Script 8.1 The ini_set( ) function can be used to tella PHP script to reveal any errors that might occur.1 3 4 5 6 Displaying Errors7 8 9 Testing Display Errors10 20 21 To turn on display_errors:1. Create a new PHP document inyour text editor or IDE, to be nameddisplay_errors.php (Script 8.1):248 Chapter 8

Displaying ErrorsTesting Display Errors5. Save the file as display_errors.php,place it in your Web directory, and test itin your Web browser A.6. If you want, change the first line of PHPcode to read:ini_set('display_errors', 0);Then save and retest the script B.There are limits as to what PHP settingsthe ini_set( ) function can be used toadjust. See the PHP manual for specifics asto what can and cannot be changed using it.As a reminder, changing the display_errors setting in a script only works so longas that script runs (i.e., it cannot have anyparse errors). To be able to always see anyerrors that occur, you’ll need to enabledisplay_errors in PHP’s configuration file(again, see the appendix).A With display_errors turned on (for this script),the page reports the errors when they occur.B With display_errors turned off (for thispage), the same errors are no longer reported.Unfortunately, they still exist.Error Handling and Debugging 249

Adjusting errorReporting in pHpOnce you have PHP set to display the errorsthat occur, you might want to adjust thelevel of error reporting. Your PHP installationas a whole, or individual scripts, can be setto report or ignore different types of errors.Table 8.1 lists most of the levels, but theycan generally be one of these three kinds:nnnNotices, which do not stop the executionof a script and may not necessarilybe a problem.Warnings, which indicate a problem butdon’t stop a script’s execution.Errors, which stop a script from continuing(including the ever-common parse error,which prevents scripts from running at all).As a rule of thumb, you’ll want PHP to reporton any kind of error while you’re developinga site but report no specific errors oncethe site goes live. For security and aestheticpurposes, it’s generally unwise for a publicuser to see PHP’s detailed error messages.Suppressing errors with @Individual errors can be suppressed inPHP using the error suppression operator,@. For example, if you don’t want PHPto report if it couldn’t include a file, youwould code@include ('config.inc.php');Or if you don’t want to see a “division byzero” error:$x = 8;$y = 0;$num = @($x/$y);The @ symbol will work only on expressions,like function calls or mathematicaloperations. You cannot use @ beforeconditionals, loops, function definitions,and so forth.As a rule of thumb, I recommend that @be used on functions whose execution,should they fail, will not affect the functionalityof the script as a whole. Or youcan choose not to display PHP’s errors byhandling them more gracefully yourself(a topic discussed later in this chapter).TABLe 8.1 Error-Reporting LevelsNumber Constant Report On1 E_ERROR Fatal run-time errors (that stop execution of the script)2 E_WARNING Run-time warnings (non-fatal errors)4 E_PARSE Parse errors8 E_NOTICE Notices (things that could or could not be a problem)256 E_USER_ERROR User-generated error messages, generated by the trigger_error( ) function512 E_USER_WARNING User-generated warnings, generated by the trigger_error( ) function1024 E_USER_NOTICE User-generated notices, generated by the trigger_error( ) function2048 E_STRICT Recommendations for compatibility and interoperability8192 E_DEPRECATED Warnings about code that won’t work in future versions of PHP30719 E_ALL All errors, warnings, and recommendations250 Chapter 8

Script 8.2 This script will demonstrate how errorreporting can be manipulated in PHP.1 3 4 5 6 Reporting Errors7 8 9 Testing Error Reporting10 23 24 Frequently, error messages—particularlythose dealing with the database—will revealcertain behind-the-scenes aspects of yourWeb application that are best not shown.While you hope all of these will be workedout during the development stage, that maynot be the case.You can universally adjust the level oferror reporting following the instructions inAppendix A. Or you can adjust this behavioron a script-by-script basis using theerror_reporting( ) function. This functionis used to establish what type of errorsPHP should report on within a specificpage. The function takes either a numberor a constant, using the values in Table 8.1(the PHP manual lists a few others, relatedto the core of PHP itself).error_reporting(0); // Show no errors.A setting of 0 turns error reporting offentirely (errors will still occur; you just won’tsee them anymore). Conversely, error_reporting (E_ALL) will tell PHP to reporton every error that occurs. The numberscan be added up to customize the level oferror reporting, or you could use the bitwiseoperators—| (or), ~ (not), & (and)—withthe constants. With this following setting,any non-notice error will be shown:error_reporting (E_ALL & ~E_NOTICE);To adjust error reporting:1. Open display_errors.php (Script 8.1) inyour text editor or IDE, if it is not already.To play around with error reporting levels,use display_errors.php as an example.2. After adjusting the display_errors setting,add (Script 8.2):error_reporting(E_ALL | E_STRICT);continues on next pageError Handling and Debugging 251

For development purposes, have PHPnotify you of all errors, notices, warnings,and recommendations. Settingthe level of error reporting to E_ALL willaccomplish that. But E_ALL does notinclude E_STRICT, so another clause—| (or) E_STRICT—is added.In short, now PHP will let you knowabout anything that is, or just may be,a problem.Because E_ALL and E_STRICT areconstants, they are not enclosed inquotation marks.3. Save the file as report_errors.php,place it in your Web directory, and runit in your Web browser A.I also altered the page’s title and theheading, but both are immaterial tothe point of this exercise.4. Change the level of error reporting tosomething different and retest B and C.A On the highest level of error reporting, PHP hastwo warnings and one notice for this page (Script 8.2).B The same page (Script 8.2) after disabling thereporting of notices.The numeric value of E_ALL in Table 8.1can differ from one version of PHP to the next.Because you’ll often want to adjust thedisplay_errors and error_reporting for everypage in a Web site, you might want to placethose lines of code in a separate PHP file thatcan then be included by other PHP scripts.The scripts in this book were all writtenwith PHP’s error reporting on the highest level(with the intention of catching every possibleproblem).The trigger_error( ) function is away to programmatically generate an errorin a PHP script. Its first argument is an errormessage; its second, optional, argument isa numeric error type, corresponding to thevalues in Table 8.1. By default the type willbe E_USER.if (/* some condition */) {trigger_error('Something Bad➝ Happened!');}C The same page again (Script 8.2) witherror reporting turned off (set to 0). Theresult is the same as if display_errors wasdisabled. Of course, the errors still occur;they’re just not being reported.252 Chapter 8

Creating Customerror HandlersAnother option for error management withyour sites is to alter how PHP handleserrors. By default, if display_errors isenabled and an error is caught (that fallsunder the level of error reporting), PHP willprint the error, in a somewhat simplisticform, within some minimal HTML tags A.You can override how errors are handledby creating your own function that will becalled when errors occur. For example,function report_errors (arguments) {// Do whatever here.}set_error_handler ('report_errors');The PHP set_error_handler( ) function isused to name the user-defined function tobe called when an error occurs. The handlingfunction (report_errors, in this case)will, at that time, receive several values thatcan be used in any possible manner.This function can be written to take up tofive arguments. In order, these argumentsare: an error number (corresponding toTable 8.1), a textual error message, the nameof the file where the error was found, thespecific line number on which it occurred,and the variables that existed at the time ofthe error. Defining a function that accepts allthese arguments might look likefunction report_errors ($num, $msg,➝ $file, $line, $vars) {…To make use of this concept, the report_errors.php file (Script 8.2) will be rewrittenone last time.To create your own error handler:1. Open report_errors.php (Script 8.2) inyour text editor or IDE, if it is not already.2. Remove the ini_set( ) and error_reporting( ) lines (Script 8.3).When you establish your own errorhandlingfunction, the error reportinglevels no longer have any meaning,so the line that adjusts them can beremoved. Adjusting the display_errorssetting is also meaningless, as theerror-handling function will controlwhether errors are displayed or not.continues on page 255A The HTMLsource code showshow PHP formatserrors by default.Error Handling and Debugging 253

Script 8.3 By defining your own error-handling function, you can customize how errors are treated in yourPHP scripts.1 3 4 5 6 Handling Errors7 8 910 Testing Error Handling11

3. Before the script creates the errors, add:define ('LIVE', FALSE);This constant will be a flag used toindicate whether or not the site is currentlylive. It’s an important distinction,as how you handle errors and whatyou reveal in the browser should differgreatly when you’re developing a siteand when a site is live.This constant is being set outside of thefunction for two reasons. First, I wantto treat the function as a black box thatdoes what I need it to do without havingto go in and tinker with it. Second,in many sites, there might be othersettings (like the database connectivityinformation) that are also live versusdevelopment-specific. Conditionalscould, therefore, also refer to this constantto adjust those settings.4. Begin defining the error-handling function:function my_error_handler➝ ($e_number, $e_message, $e_file,➝ $e_line, $e_vars) {The my_error_handler( ) function isset to receive the full five argumentsthat a custom error handler can.5. Create the error message using thereceived values.$message = "An error occurred➝ in script '$e_file' on line➝ $e_line: $e_message\n";The error message will begin by referencingthe filename and line numberwhere the error occurred. Added to thisis the actual error message. All of thesevalues are passed to the function whenit is called (when an error occurs).6. Add any existing variables to theerror message:$message .= print_r ($e_vars, 1);The $e_vars variable will receive all ofthe variables that exist, and their values,when the error happens. Because thismight contain useful debugging information,it’s added to the message.The print_r( ) function is normallyused to print out a variable’s structureand value; it is particularly useful witharrays. If you call the function with asecond argument (1 or TRUE), the resultis returned instead of printed. So thisline adds all of the variable informationto $message.7. Print a message that will vary, dependingupon whether or not the site is live:if (!LIVE) {echo '' . $message . "\n";debug_print_backtrace( );echo '';} else {echo '➝ A system error occurred.➝ We apologize for the➝ inconvenience.';}continues on next pageError Handling and Debugging 255

If the site is not live (if LIVE is FALSE),which would be the case while the siteis being developed, a detailed errormessage should be printed B. Forease of viewing, the error message isprinted within HTML PRE tags. Furthermore,a useful debugging function,debug_print_backtrace( ), is alsocalled. This function returns a slewof information about what functionshave been called, what files have beenincluded, and so forth.If the site is live, a simple mea culpa willbe printed, letting the user know that anerror occurred but not what the specificproblem is C. Under this situation, youcould also use the error_log( ) function(see the sidebar) to have the detailederror message emailed or written to a log.B During the development phase, detailed error messages are printed in the Web browser. (In a more realworldscript, with more code, the messages would be more useful.)C Once a site has gonelive, more user-friendly (andless revealing) errors areprinted. Here, one messageis printed for each of thethree errors in the script.256 Chapter 8

Logging pHp errorsIn Script 8.3, errors are handled bysimply printing them out in detail or not.Another option is to log the errors: makea permanent note of them somehow. Forthis purpose, the error_log( ) functioninstructs PHP how to file an error. Itssyntax iserror_log (message, type,➝ destination, extra headers);The message value should be the textof the logged error (i.e., $message inScript 8.3). The type dictates how theerror is logged. The options are the numbers0, 1, 3, and 4: use the computer’sdefault logging method (0), send it in anemail (1), write it to a text file (3), or sendit to the Web server’s logging handler (4).The destination parameter can be eitherthe name of a file (for log type 3) or anemail address (for log type 1). The extraheaders argument is used only whensending emails (log type 1). Both the destinationand extra headers are optional.8. Complete the function and tell PHP touse it:}set_error_handler('my_error_➝ handler');This second line is the important one,telling PHP to use the custom error handlerinstead of PHP’s default handler.9. Save the file as handle_errors.php,place it in your Web directory, and testit in your Web browser B.10. Change the value of LIVE to TRUE,save, and retest the script C.To see how the error handler behaveswith a live site, just change this one value.If your PHP page uses special HTML formatting—likeCSS tags to affect the layout andfont treatment—add this information to yourerror reporting function.Obviously in a live site you’ll probablyneed to do more than apologize for the inconvenience(particularly if the error significantlyaffects the page’s functionality). Still, thisexample demonstrates how you can easilyadjust error handling to suit the situation.If you don’t want the error-handlingfunction to report on every notice, error, orwarning, you could check the error numbervalue (the first argument sent to the function).For example, to ignore notices when the site islive, you would change the main conditional toif (!LIVE) {echo '' . $message . "\n";debug_print_backtrace( );echo '';} elseif ($e_number != E_NOTICE) {echo 'A system➝ error occurred. We apologize➝ for the inconvenience.➝ ';}Error Handling and Debugging 257

pHp DebuggingTechniquesWhen it comes to debugging, what you’llbest learn from experience are the causesof certain types of errors. Understandingthe common causes will shorten the time ittakes to fix errors. To expedite the learningprocess, Table 8.2 lists the likely reasonsfor the most common PHP errors.The first, and most common, type of errorthat you’ll run across is syntactical and willprevent your scripts from executing. An errorlike this will result in messages like the onein A, which every PHP developer has seentoo many times. To avoid making this sort ofmistake when you program, be sure to:nnEnd every statement (but not languageconstructs like loops and conditionals)with a semicolon.Balance all quotation marks, parentheses,curly braces, and square brackets(each opening character must be closed).A The parse error prevents a script from runningbecause of invalid PHP syntax. This one wascaused by failing to enclose $array['key'] withincurly braces when printing its value.TABLe 8.2 Common PHP ErrorsErrorBlank PageParse errorEmpty variable valueUndefined variableCall to undefined functionCannot redeclare functionHeaders already sentLikely CauseHTML problem, or PHP error and display_errors or error_reporting is off.Missing semicolon; unbalanced curly braces, parentheses, or quotationmarks; or use of an unescaped quotation mark in a string.Forgot the initial $, misspelled or miscapitalized the variable name, orinappropriate variable scope (with functions).Reference made to a variable before it is given a value or an empty variablevalue (see those potential causes).Misspelled function name, PHP is not configured to use that function (like aMySQL function), or document that contains the function definition was notincluded.Two definitions of your own function exist; check within included files.White space exists in the script before the PHP tags, data has already beenprinted, or a file has been included.258 Chapter 8

nnBe consistent with your quotation marks(single quotes can be closed only withsingle quotes and double quotes withdouble quotes).Escape, using the backslash, all singleanddouble-quotation marks withinstrings, as appropriate.One thing you should also understandabout syntactical errors is that just becausethe PHP error message says the error isoccurring on line 12, that doesn’t mean thatthe mistake is actually on that line. At thevery least, it is not uncommon for there tobe a difference between what PHP thinksis line 12 and what your text editor indicatesis line 12. So while PHP’s directionis useful in tracking down a problem, treatthe line number referenced as more of astarting point than an absolute.If PHP reports an error on the last lineof your document, this is almost alwaysbecause a mismatched parenthesis, curlybrace, or quotation mark was not caughtuntil that moment.The second type of error you’ll encounterresults from misusing a function. This erroroccurs, for example, when a function iscalled without the proper arguments. Thiserror is discovered by PHP when attemptingto execute the code. In later chapters you’llprobably see such errors when using theheader( ) function, cookies, or sessions.To fix errors, you’ll need to do a little detectivework to see what mistakes were madeand where. For starters, though, alwaysthoroughly read and trust the error messagePHP offers. Although the referencedline number may not always be correct, aPHP error is very descriptive, normally helpful,and almost always 100 percent correct.To debug your scripts:nnTurn on display_errors.Use the earlier steps to enable display_errors for a script, or, if possible, the entireserver, as you develop your applications.Use comments.Just as you can use comments todocument your scripts, you can alsouse them to rule out problematic lines.If PHP is giving you an error on line 12,then commenting out that line shouldget rid of the error. If not, then you knowthe error is elsewhere. Just be carefulthat you don’t introduce more errors byimproperly commenting out only a portionof a code block: the syntax of yourscripts must be maintained.continues on next pageError Handling and Debugging 259

nnUse the print and echo functions.In more complicated scripts, I frequentlyuse echo statements to leave me notesas to what is happening as the script isexecuted B. When a script has severalsteps, it may not be easy to know if theproblem is occurring in step 2 or step 5.By using an echo statement, you cannarrow the problem down to the specificjuncture.Check what quotation marks are beingused for printing variables.It’s not uncommon for programmers tomistakenly use single quotation marksand then wonder why their variablesare not printed properly. Rememberthat single quotation marks treat textliterally and that you must use doublequotation marks to print out the valuesof variables.n Track variables C.It is pretty easy for a script not to workbecause you referred to the wrong variableor the right variable by the wrongname or because the variable doesnot have the value you would expect.To check for these possibilities, usethe print or echo statements to printout the values of variables at importantpoints in your scripts. This is simply amatter ofecho "\$var = $var\n";orecho "\$var is $var\n";The first dollar sign is escaped so thatthe variable’s name is printed. The secondreference of the variable will printits value.B More complex debugging can be accomplishedby leaving yourself notes as to what thescript is doing.C Printing the names and values of variables isthe easiest way to track them over the course ofa script.260 Chapter 8

using die( ) and exit( )Two functions that are often used witherror management are die( ) andexit( ), (they’re technically languageconstructs, not functions, but whocares?). When a die( ) or exit( ) iscalled in your script, the entire script isterminated. Both are useful for stoppinga script from continuing shouldsomething important—like establishinga database connection— fail to happen.You can also pass to die( ) and exit( )a string that will be printed out in thebrowser.You’ll commonly see die( ) or exit( )used in an OR conditional. For example:include('config.inc.php') OR die➝ ('Could not open the file. ');With a line like that, if PHP could notinclude the configuration file, the die( )statement will be executed and the“Could not open the file.” message willbe printed. You’ll see variations on thisthroughout this book and in the PHPmanual, as it’s a quick, but potentiallyexcessive, way to handle errors withoutusing a custom error handler.nPrint array values.For more complicated variable types(arrays and objects), the print_r( ) andvar_dump( ) functions will print out theirvalues without the need for loops. Bothfunctions accomplish the same task,although var_dump( ) is more detailedin its reporting than print_r( ).Many text editors include utilities tocheck for balanced parentheses, brackets,and quotation marks.If you cannot find the parse error in acomplex script, begin by using the /* */comments to render the entire PHP code inert.Then continue to uncomment sections at atime (by moving the opening or closingcomment characters) and rerun the scriptuntil you deduce what lines are causing theerror. Watch how you comment out controlstructures, though, as the curly braces mustcontinue to be matched in order to avoidparse errors. For example:if (condition) {/* Start comment.Inert code.End comment. */}To make the results of print_r( ) morereadable in the Web browser, wrap it withinHTML (preformatted) tags. This one lineis one of my favorite debugging tools:echo '' . print_r ($var, 1) .➝'';Error Handling and Debugging 261

SQL and MySQLDebugging TechniquesThe most common SQL errors are causedby the following issues:nnnnnUnbalanced use of quotation marksor parenthesesUnescaped apostrophes in columnvaluesMisspelling a column name, table name,or functionAmbiguously referring to a column ina joinPlacing a query’s clauses (WHERE, GROUPBY, ORDER BY, LIMIT) in the wrong orderFurthermore, when using MySQL you canalso run across the following:nnUnpredictable or inappropriate queryresultsInability to access the databaseSince you’ll be running the queries for yourdynamic Web sites from PHP, you needa methodology for debugging SQL andMySQL errors within that context (PHP willnot report a problem with your SQL).Debugging SQL problemsTo decide if you are experiencing a MySQL(or SQL) problem rather than a PHP one,you need a system for finding and fixingthe issue. Fortunately, the steps you shouldtake to debug MySQL and SQL problemsare easy to define and should be followedwithout thinking. If you ever have anyMySQL or SQL errors to debug, just abideby this sequence of steps.To hammer the point home, this nextsequence of steps is probably the mostuseful debugging technique in this chapterand the entire book. You’ll likely needto follow these steps in any PHP-MySQLWeb application when you’re not gettingthe results you expected.To debug your SQL queries:1. Print out any applicable queries in yourPHP script A.As you’ll see in the next chapter, SQLqueries will often be assigned to a variable,particularly when you use PHP todynamically create them. Using the codeecho $query (or whatever the queryvariable is called) in your PHP scripts, youcan send to the browser the exact querybeing run. Sometimes this step alone willhelp you see what the real problem is.2. Run the query in the mysql client orother tool B.The most foolproof method of debuggingan SQL or MySQL problem is torun the query used in your PHP scriptsthrough an independent application: themysql client, phpMyAdmin, or the like.Doing so will give you the same result asthe original PHP script receives but withoutthe overhead, hassle, or mystery.A Knowing exactly what query a PHP script is attempting to execute is the most useful first step for solvingSQL and MySQL problems.262 Chapter 8

If the independent application returnsthe expected result but you are still notgetting the proper behavior in your PHPscript, then you will know that the problemlies within the script itself, not yourSQL command or the MySQL database.3. If the problem still isn’t evident, rewritethe query in its most basic form, andthen keep adding dimensions backin until you discover which clause iscausing the problem. Continue to use athird-party interface to MySQL to do this(i.e., put away the PHP script until you’vegot the SQL query working properly).Sometimes it’s difficult to debug a querybecause there’s too much going on.Like commenting out most of a PHPscript, taking a query down to its bareminimum structure and slowly buildingit back up can be the easiest way todebug complex SQL commands.Debugging access problemsAccess-denied error messages are themost common problem beginning developersencounter when using PHP to interactwith MySQL. These are among the commonsolutions:nReload MySQL after altering the privilegesso that the changes take effect.Either use the mysqladmin tool or runnnFLUSH PRIVILEGES in the mysql client.You must be logged in as a user withthe appropriate permissions to do this(see Appendix A for more).Double-check the password used. Theerror message Access denied for user:‘user@localhost’ (Using password:YES) frequently indicates that the passwordis wrong or mistyped. (This is notalways the cause but is the first thingto check.)The error message Can’t connect to…(error number 2002) indicates thatMySQL either is not running or is notrunning on the socket or TCP/IP porttried by the client.MySQL keeps its own error logs, whichare very useful in solving MySQL problems(like why MySQL won’t even start). MySQL’serror log will be located in the MySQL datadirectory and titled hostname.err.The MySQL manual is very detailed,containing SQL examples, function references,and the meanings of error codes. Make themanual your friend and turn to it when confusingerrors pop up.B To understand what result a PHP script is receiving, run the same query through a separate interface. Inthis case the problem is the reference to the password column, when the table’s column is actually calledjust pass.Error Handling and Debugging 263

Review and pursueIf you have any problems with thereview questions or the pursue prompts,turn to the book’s supporting forum(www.LarryUllman.com/forums/).ReviewnnnnnnnnnWhy must PHP scripts be run througha URL?What version of PHP are you using?What version of MySQL? What versionof what Web server application are youusing? On what operating system?What debugging steps should you takeif the rendered Web page doesn’t lookright in your Web browser?Do you have display_errors enabled onyour server? Why is enabling display_errors useful on development servers?Why is revealing errors a bad thing onproduction servers?How does the level of error_reportingaffect PHP scripts? To what level oferror_reporting is your PHP server set?What does the @ operator do?What are the benefits of using yourown error-handling function? Whatimpact does the error reporting levelhave when using your own errorhandlingfunction?How can print or echo be used asdebugging tools? Hint: There are manycorrect answers.What is the method for fixing PHP-SQL-MySQL bugs?pursuennnnnInstall the Firebug and Web Developerextensions for Firefox, if you have notalready. Install Firefox if you haven’talready installed it!Enable display_errors on your developmentserver, if you can.If you can, set PHP’s level of errorreporting to E_ALL | E_STRICT onyour development server.Check out the PHP manual’s pagefor the debug_print_backtrace( )function to learn more about it.Consider using a professional-gradeIDE that provides built-in debuggingtools.264 Chapter 8

9Using PHP withMySQLNow that you have a sufficient amount ofPHP, SQL, and MySQL experience underyour belt, it’s time to put all of the technologiestogether. PHP’s strong integration withMySQL is just one reason so many programmershave embraced it; it’s impressivehow easily you can use the two together.This chapter will use the existing sitenamedatabase—created in Chapter 5, “Introductionto SQL”—to build a PHP interface forinteracting with the users table. The knowledgetaught and the examples used here willbe the basis for all of your PHP-MySQL Webapplications, as the principles involved arethe same for any PHP-MySQL interaction.Before heading into this chapter, youshould be comfortable with everythingcovered in the first eight chapters, includingthe error debugging and handlingtechniques just taught in the previouschapter. Finally, remember that you needa PHP-enabled Web server and accessto a running MySQL server in order toexecute the following examples.in This ChapterModifying the Template 266Connecting to MySQL 268Executing Simple Queries 273Retrieving Query Results 281Ensuring Secure SQL 285Counting Returned Records 290Updating Records with PHP 292Review and Pursue 298

Modifying the TemplateSince all of the pages in this chapter andthe next will be part of the same Web application,it’ll be worthwhile to use a commontemplate system. Instead of creating anew template from scratch, the layout fromChapter 3, “Creating Dynamic Web Sites,”will be used again, with only a minor modificationto the header file’s navigation links.To make the header file:1. Open header.html (Script 3.2) in yourtext editor or IDE.2. Change the list of links to read (Script 9.1):Home➝ Page➝ RegisterView➝ UsersChange➝ Passwordlink fiveAll of the examples in this chapter willinvolve the registration, view users, andchange password pages. The date formand calculator links from Chapter 3 canbe deleted.3. Save the file as header.html.4. Place the new header file in your Webdirectory, within the includes folderalong with footer.html (Script 3.3)and style.css (available for downloadfrom the book’s supporting Web site,www.LarryUllman.com).Script 9.1 The site’s header file, used for the pages’ template, modified with new navigation links.1 2 3 4 5 6 7 8 9 10 Your Website11 catchy slogan...12 13 14 15 Home Page16 Register17 View Users18 Change Password19 link five20 21 22 23 266 Chapter 9

5. Test the new header file by runningindex.php in your Web browser A.For a preview of this site’s structure, seethe sidebar “Organizing Your Documents” inthe next section.Remember that you can use any fileextension for your template files, including.inc or .php.A The dynamicallygenerated home pagewith new navigation links.WARninG: ReAD THiS!PHP and MySQL have gone through many changes over the past decade. Of these, the mostimportant for this chapter, and one of the most important for the rest of the book, involves whatPHP functions you use to communicate with MySQL. For years, PHP developers used the standardMySQL functions (called the mysql extension). As of PHP 5 and MySQL 4.1, you can use the newerImproved MySQL functions (called the mysqli extension). These functions provide improved performanceand take advantage of added features (among other benefits).As this book assumes you’re using at least PHP 5 and MySQL 5, all of the examples will only usethe Improved MySQL functions. If your server does not support this extension, you will not beable to run these examples as they are written! Most of the examples in the rest of the book willalso not work for you.If the server or home computer you’re using does not support the Improved MySQL functions,you have three options: upgrade PHP and MySQL, read the second edition of this book (whichteaches and primarily uses the older functions), or learn how to use the older functions andmodify all the examples accordingly. For questions or problems, see the book’s correspondingforum (www.LarryUllman.com/forums/).Using PHP with MySQL 267

Connecting to MySQLThe first step for interacting with MySQL—connecting to the server—requires theappropriately named mysqli_connect( )function:$dbc = mysqli_connect (hostname,➝ username, password, db_name);The first three arguments sent to thefunction (hostname, username, andpassword) are based upon the usersand privileges established within MySQL(see Appendix A, “Installation,” for moreinformation). Commonly (but not always),the host value will be localhost.The fourth argument is the name of thedatabase to use. This is the equivalentof saying USE databasename within themysql client.If the connection was made, the $dbcvariable, short for database connection(but you can use any name you want, ofcourse), will become a reference pointfor all of your subsequent databaseinteractions. Most of the PHP functions forworking with MySQL will take this variableas its first argument.If a connection problem occurred, youcan call mysqli_connect_error( ), whichreturns the connection error message. Ittakes no arguments, so would be calledusing justmysqli_connect_error( );Once you’ve connected to the database,you should set the encoding for theinteraction. You can do so (as of PHP 5.0.5)with the mysqli_set_charset( ) function:mysqli_set_charset($dbc, 'utf8');The value used as the encoding—thesecond argument—should match thatof your PHP scripts and the collation ofyour database (see Chapter 6, “DatabaseDesign,” for more on MySQL collations).If you fail to do this, all data will betransferred using the default character set,which could cause problems.To start using PHP with MySQL, let’s createa special script that makes the connection.Other PHP scripts that require a MySQLconnection can then include this file.To connect to and select a database:1. Create a new PHP document inyour text editor or IDE, to be namedmysqli_connect.php (Script 9.2):

isn’t required. In general, setting thesevalues as some sort of variable orconstant makes sense so that you canseparate the configuration parametersfrom the functions that use them, butagain, this is not obligatory.When writing your script, change thesevalues to ones that will work on yoursetup. If you have been provided with aMySQL username/password combinationand a database (like for a hostedsite), use that information here. Or, ifpossible, follow the steps in Appendix Ato create a user that has access to thesitename database, and insert thosevalues here. Whatever you do, don’tjust use the values written in this book’scode unless you know for certain theywill work on your server.3. Connect to MySQL:$dbc = @mysqli_connect (DB_HOST,➝ DB_USER, DB_PASSWORD, DB_NAME)➝ OR die ('Could not connect to➝ MySQL: ' . mysqli_connect_➝ error( ) );The mysqli_connect( ) function, if itsuccessfully connects to MySQL, willreturn a resource link that correspondsto the open connection. This link willbe assigned to the $dbc variable, sothat other functions can make use ofthis connection.The function call is preceded by theerror suppression operator (@). Thisprevents the PHP error from beingdisplayed in the Web browser. This ispreferable, as the error will be handledby the OR die( ) clause.continues on next pageScript 9.2 The mysqli_connect.php script will be used by every other script in this chapter. It establishesa connection to MySQL, selects the database, and sets the encoding.1

If the mysqli_connect( ) functioncannot return a valid resource link, thenthe OR die( ) part of the statement isexecuted (because the first part of theOR will be false, so the second part mustbe true). As discussed in the precedingchapter, the die( ) function terminatesthe execution of the script. The functioncan also take as an argument a stringthat will be printed to the Web browser.In this case, the string is a combinationof Could not connect to MySQL: andthe specific MySQL error A. Using thisblunt error management system makesdebugging much easier as you developyour sites.4. Save the file as mysqli_connect.php.Since this file contains information—the database access data—that mustbe kept private, it will use a .phpextension. With a .php extension, evenif malicious users ran this script in theirWeb browser, they would not see thepage’s actual content.You may also note that I did not includea terminating PHP tag: ?>. This isallowed in PHP (when the script endswith PHP code), and has a benefit to beexplained in subsequent chapters.5. Ideally, place the file outside of the Webdocument directory B.A If there wereproblems connecting toMySQL, an informativemessage is displayedand the script is halted.B A visual representationof a server’s Webdocuments, wheremysqli_connect.phpis not stored within themain directory (htdocs).270 Chapter 9

C If the MySQL connection script works properly,the end result will be a blank page (no HTML isgenerated by the script).Because the file contains sensitiveMySQL access information, it ought tobe stored securely. If you can, place itin the directory immediately above orotherwise outside of the Web directory.This way the file will not be accessiblefrom a Web browser. See the “OrganizingYour Documents” sidebar for more.6. Temporarily place a copy of the scriptwithin the Web directory and run it inyour Web browser C.In order to test the script, you’ll wantto place a copy on the server so thatit’s accessible from the Web browser(which means it must be in the Webdirectory). If the script works properly,the result should be a blank page C. Ifyou see an Access denied… or similarmessage A, it means that the combinationof username, password, and hostdoes not have permission to access theparticular database.continues on next pageorganizing Your DocumentsChapter 3 introduced the concept of site structure while developing the first Web application. Nowthat pages will begin using a database connection script, the topic is more important.Should the database connectivity information (username, password, host, and database) fall intomalicious hands, it could be used to steal your information or wreak havoc upon the database asa whole. Therefore, you cannot keep a script like mysqli_connect.php too secure.The best recommendation for securing such a file is to store it outside of the Web documents directory.If, for example, the htdocs folder in B is the root of the Web directory (in other words, the URLwww.example.com leads there), then not storing mysqli_connect.php anywhere within the htdocsdirectory means it will never be accessible via the Web browser. Granted, the source code of PHPscripts is not viewable from the Web browser (only the data sent to the browser by the script is), butyou can never be too careful. If you aren’t allowed to place documents outside of the Web directory,placing mysqli_connect.php in the Web directory is less secure, but not the end of the world.Secondarily, I recommend using a .php extension for your connection scripts. A properly configuredand working server will execute rather than display code in such a file. Conversely, if youuse just .inc as your extension, that page’s contents would be displayed in the Web browser ifaccessed directly.Using PHP with MySQL 271

7. Remove the temporary copy from theWeb directory.If you’re using a version of PHP that doesnot support the mysqli_set_charset( )function, you’ll need to execute a SET NAMESencoding query instead:mysqli_query($dbc, 'SET NAMES utf8');The same values used in Chapter 5 tolog in to the mysql client should work fromyour PHP scripts.D Another reason why PHP might not be ableto connect to MySQL (besides using invalidusername/password/hostname/databaseinformation) is if MySQL isn’t currently running.If you receive an error that claimsmysqli_connect( ) is an “undefined function”,it means that PHP has not been compiledwith support for the Improved MySQLExtension. See the appendix for installationinformation.If you see a Could not connect… errormessage when running the script D, it likelymeans that MySQL isn’t running.In case you are curious, E shows whatwould happen if you didn’t use @ beforemysqli_connect( ) and an error occurred.E If you don’t use the error suppression operator(@), you’ll see both the PHP error and the customOR die( ) error.If you don’t need to select the databasewhen establishing a connection to MySQL,omit that argument from the mysqli_connect( ) function:$dbc = mysqli_connect (hostname,➝ username, password);Then, when appropriate, you can select thedatabase using:mysqli_select_db($dbc, db_name);272 Chapter 9

executing SimpleQueriesOnce you have successfully connectedto and selected a database, you can startexecuting queries. The queries can be asbasic as inserts, updates, and deletionsor as involved as complex joins returningnumerous rows. Regardless of the SQLcommand type, the PHP function forexecuting a query is mysqli_query( ):result = mysqli_query(dbc, query);The function takes the databaseconnection as its first argument andthe query itself as the second. Withinthe context of a complete PHP script,I normally assign the query to anothervariable, called $query or just $q, sorunning a query might look like$r = mysqli_query($dbc, $q);For simple queries like INSERT, UPDATE,DELETE, etc. (which do not return records),the $r variable—short for result—will beeither TRUE or FALSE, depending uponwhether the query executed successfully.Keep in mind that “executed successfully”means that it ran without error; itdoesn’t mean that the query’s executionnecessarily had the desired result; you’llneed to test for that.For complex queries that return records(SELECT being the most important of these),$r will be a resource link to the resultsof the query if it worked or be FALSE ifit did not. Thus, you can use this line ofcode in a conditional to test if the querysuccessfully ran:$r = mysqli_query ($dbc, $q);if ($r) { // Worked!If the query did not successfully run, somesort of MySQL error must have occurred.To find out what that error was, call themysqli_error( ) function:echo mysqli_error($dbc);The function’s lone argument is thedatabase connection.One final, albeit optional, step in your scriptwould be to close the existing MySQLconnection once you’re finished with it:mysqli_close($dbc);This function call is not required, becausePHP will automatically close the connectionat the end of a script, but it does make forgood programming form to incorporate it.To demonstrate this process, let’s createa registration script. It will show the formwhen first accessed A, handle the formsubmission, and, after validating all thedata, insert the registration information intothe users table of the sitename database.As a forewarning, this script knowingly hasa security hole in it (depending upon theversion of PHP in use, and its settings), tobe remedied later in the chapter.A The registration form.Using PHP with MySQL 273

To execute simple queries:1. Begin a new PHP script in yourtext editor or IDE, to be namedregister.php (Script 9.3):

Script 9.3 The registration script adds a record to the database by running an INSERT query.1

Script 9.3 continued52 $r = @mysqli_query ($dbc, $q); // Run the query.53 if ($r) { // If it ran OK.5455 // Print a message:56 echo 'Thank you!57 You are now registered. In Chapter 12 you will actually be able to log in!';5859 } else { // If it did not run OK.6061 // Public message:62 echo 'System Error63 You could not be registered due to a system error. We apologize forany inconvenience.';6465 // Debugging message:66 echo '' . mysqli_error($dbc) . 'Query: ' . $q . '';6768 } // End of if ($r) IF.6970 mysqli_close($dbc); // Close the database connection.7172 // Include the footer and quit the script:73 include ('includes/footer.html');74 exit( );7576 } else { // Report the errors.7778 echo 'Error!79 The following error(s) occurred:';80 foreach ($errors as $msg) { // Print each error.81 echo " - $msg\n";82 }83 echo 'Please try again.';8485 } // End of if (empty($errors)) IF.8687 } // End of the main Submit conditional.88 ?>89 Register90 91 First Name:

To validate the password, the scriptneeds to check the pass1 input fora value and then confirm that thepass1 value matches the pass2 value(meaning the password and confirmedpassword are the same).6. Check if it’s OK to register the user:if (empty($errors)) {If the submitted data passed all of theconditions, the $errors array will haveno values in it (it will be empty), so thiscondition will be true and it’s safe toadd the record to the database. If the$errors array is not empty, then theappropriate error messages should beprinted (see Step 11) and the user givenanother opportunity to register.7. Include the database connection:require ('../mysqli_connect.php');This line of code will insert the contentsof the mysqli_connect.php file into thisscript, thereby creating a connectionto MySQL and selecting the database.You may need to change the referenceto the location of the file as it is on yourserver (as written, this line assumes thatmysqli_connect.php is in the parentfolder of the current folder).8. Add the user to the database:$q = "INSERT INTO users (first_➝ name, last_name, email, pass,➝ registration_date) VALUES ('$fn',➝'$ln', '$e', SHA1('$p'), NOW( ) );$r = @mysqli_query ($dbc, $q);The query itself is similar to thosedemonstrated in Chapter 5. TheSHA1( ) function is used to encrypt thepassword, and NOW( ) is used to set theregistration date as this moment.After assigning the query to a variable,it is run through the mysqli_query( )function, which sends the SQLcommand to the MySQL database. Asin the mysqli_connect.php script, themysqli_query( ) call is preceded by@ in order to suppress any ugly errors.If a problem occurs, the error will behandled more directly in the next step.9. Report on the success of theregistration:if ($r) {echo 'Thank you!You are now registered. In➝ Chapter 12 you will actually be➝ able to log in!';} else {echo 'System ErrorYou could➝ not be registered due to a➝ system error. We apologize➝ for any inconvenience.';echo '' . mysqli_error($dbc)➝ . 'Query: ' . $q .➝'';} // End of if ($r) IF.The $r variable, which is assigned thevalue returned by mysqli_query( ), canbe used in a conditional to test for thesuccessful operation of the query.continues on next pageUsing PHP with MySQL 277

If $r has a TRUE value, then a Thankyou! message is displayed B. If $rhas a FALSE value, error messagesare printed. For debugging purposes,the error messages will include boththe error spit out by MySQL (thanks tothe mysqli_error( ) function) and thequery that was run C. This informationis critical to debugging the problem.You would not want to display this kindof information on a live site, however.10. Close the database connection andcomplete the HTML template:mysqli_close($dbc);include ('includes/footer.html');exit( );Closing the connection isn’t requiredbut is a good policy. Then the footer isincluded and the script terminated (thanksto the exit( ) function). If those two linesweren’t here, the registration form wouldbe displayed again (which isn’t necessaryafter a successful registration).11. Print out any error messages and closethe submit conditional:} else { // Report the errors.echo 'Error!The following➝ error(s) occurred:';foreach ($errors as $msg) {➝ // Print each error.echo " - $msg\n";}echo 'Please try➝ again.';} // End of if (empty($errors))➝ IF.} // End of the main Submit➝ conditional.The else clause is invoked if therewere any errors. In that case, all of theerrors are displayed using a foreachloop D.The final closing curly brace closesthe main submit conditional. Themain conditional is a simple if, not anif-else, so that the form can be madesticky (again, see Chapter 3).B If the user could be registered in the database, thismessage is displayed.C Any MySQL errors caused by the query will be printed, as will the query that was being run.278 Chapter 9

12. Close the PHP section and begin theHTML form:?>RegisterFirst Name:

This is all much like that in Step 12, withthe addition of a submit button.As a side note, I don’t need to followmy maxlength recommendation (fromStep 12) with the password inputs,because they will be encrypted withSHA1( ), which always creates a string 40characters long. And since there are twoof them, they can’t both use the samename as the column in the database.14. Complete the template:15. Save the file as register.php, place itin your Web directory, and test it in yourWeb browser.Note that if you use an apostrophein one of the form values, it will likelybreak the query E. The section“Ensuring Secure SQL” later in thischapter will show how to protectagainst this.After running the script, you can alwaysensure that it worked by using the mysql clientor phpMyAdmin to view the records in theusers table.You should not end your queries witha semicolon in PHP, as you do when usingthe mysql client. When working with MySQL,this is a common, albeit harmless, mistaketo make. When working with other databaseapplications (Oracle, for one), doing so willmake your queries unusable.As a reminder, the mysqli_query( )function returns a TRUE value if the querycould be executed on the database withouterror. This does not necessarily mean that theresult of the query is what you were expecting.Later scripts will demonstrate how to moreaccurately gauge the success of a query.You are not obligated to create a $qvariable as I tend to do (you could directlyinsert your query text into mysqli_query( )).However, as the construction of your queriesbecomes more complex, using a variable willbe the only option.Practically any query you would run inthe mysql client can also be executed usingmysqli_query( ).Another benefit of the Improved MySQLExtension over the standard extension is thatthe mysqli_multi_query( ) function letsyou execute multiple queries at one time. Thesyntax for doing so, particularly if the queriesreturn results, is a bit more complicated, sosee the PHP manual if you have this need.E Apostrophes in form values (like the last name here) will conflict with the apostrophes used to delineatevalues in the query.280 Chapter 9

Retrieving QueryResultsThe preceding section of this chapterdemonstrates how to execute simplequeries on a MySQL database. A simplequery, as I’m calling it, could be definedas one that begins with INSERT, UPDATE,DELETE, or ALTER. What all four of these havein common is that they return no data, justan indication of their success. Conversely,a SELECT query generates information (i.e.,it will return rows of records) that has to behandled by other PHP functions.The primary tool for handling SELECT queryresults is mysqli_fetch_array( ), whichuses the query result variable (that I’vebeen calling $r) and returns one row ofdata at a time, in an array format. You’llwant to use this function within a loop thatwill continue to access every returned rowas long as there are more to be read. Thebasic construction for reading every recordfrom a query iswhile ($row = mysqli_fetch_array($r)){// Do something with $row.}You will almost always want to usea while loop to fetch the results froma SELECT query.The mysqli_fetch_array( ) function takesan optional second parameter specifyingwhat type of array is returned: associative,indexed, or both. An associative arrayallows you to refer to column values byname, whereas an indexed array requiresyou to use only numbers (starting at 0 forthe first column returned). Each parameteris defined by a constant listed in Table 9.1,with MYSQLI_BOTH being the default. TheMYSQLI_NUM setting is marginally faster(and uses less memory) than the otheroptions. Conversely, MYSQLI_ASSOC is moreovert ($row['column'] rather than $row[3])and may continue to work even if thequery changes.An optional step you can take when usingmysqli_fetch_array( ) would be to freeup the query result resources once you aredone using them:mysqli_free_result ($r);This line removes the overhead (memory)taken by $r. It’s an optional step, since PHPwill automatically free up the resourcesat the end of a script, but—like usingmysqli_close( )—it does make for goodprogramming form.To demonstrate how to handle resultsreturned by a query, let’s create a script forviewing all of the currently registered users.TABLe 9.1 mysqli_fetch_array( ) ConstantsConstantMYSQLI_ASSOCMYSQLI_NUMMYSQLI_BOTHExample$row['column']$row[0]$row[0] or $row['column']Using PHP with MySQL 281

To retrieve query results:1. Begin a new PHP document in yourtext editor or IDE, to be namedview_users.php (Script 9.4):

Script 9.4 The view_users.php script runs a static query on the database and prints all of the returned rows.1

5. Close the HTML table and free up thequery resources:echo '';mysqli_free_result ($r);Again, this is an optional step buta good one to take.6. Complete the main conditional:} else {echo 'The➝ current users could not be➝ retrieved. We apologize for➝ any inconvenience.';echo '' . mysqli_error($dbc)➝ . 'Query: ' . $q .➝'';} // End of if ($r) IF.As in the register.php example, thereare two kinds of error messages here.The first is a generic message, the typeyou’d show in a live site. The second ismuch more detailed, printing both theMySQL error and the query, both beingcritical for debugging purposes.7. Close the database connection and finishthe page:mysqli_close($dbc);include ('includes/footer.html');?>8. Save the file as view_users.php, placeit in your Web directory, and test it inyour browser B.As with any associative array, when youretrieve records from the database, you mustrefer to the selected columns or aliases exactlyas they are in the database or query. This is tosay that the keys are case-sensitive.If you are in a situation where you needto run a second query inside of your whileloop, be certain to use different variablenames for that query. For example, the innerquery would use $r2 and $row2 instead of $rand $row. If you don’t do this, you’ll encounterlogical errors.I sometimes see beginning PHP developersmuddle the process of fetching queryresults. Remember that you must execute thequery using mysqli_query( ), and then usemysqli_fetch_array( ) to retrieve a singlerow of information. If you have multiple rowsto retrieve, use a while loop.The function mysqli_fetch_row( )is the equivalent of mysqli_fetch_array($r, MYSQLI_NUM);The function mysqli_fetch_assoc( )is the equivalent of mysqli_fetch_array($r, MYSQLI_ASSOC);B All of the user records are retrieved from thedatabase and displayed in the Web browser.284 Chapter 9

ensuring Secure SQLDatabase security with respect to PHPcomes down to three broad issues:1. Protecting the MySQL accessinformation2. Not revealing too much about thedatabase3. Being cautious when running queries,particularly those involving usersubmitteddataYou can accomplish the first objective bysecuring the MySQL connection script outsideof the Web directory so that it is neverviewable through a Web browser (see Cin “Connecting to MySQL”). I discuss thisin some detail earlier in the chapter. Thesecond objective is attained by not lettingthe user see PHP’s error messages or yourqueries (in these scripts, that information isprinted out for your debugging purposes;you’d never want to do that on a live site).For the third objective, there are numeroussteps you can and should take, allbased upon the premise of never trustinguser-supplied data. First, validate thatsome value has been submitted, or that itis of the proper type (number, string, etc.).Second, use regular expressions to makesure that submitted data matches what youwould expect it to be (this topic is coveredin Chapter 14, “Perl-Compatible RegularExpressions”). Third, you can typecastsome values to guarantee that they’renumbers (discussed in Chapter 13, “SecurityMethods”). A fourth recommendationis to run user-submitted data through themysqli_real_escape_string( ) function.This function makes data safe to use in aquery by escaping what could be problematiccharacters. It’s used like so:$safe = mysqli_real_escape_string➝ ($dbc, data);To understand why this is necessary, see Ein “Executing Simple Queries.” The useof the apostrophe in the user’s last namemade the query syntactically invalid:INSERT INTO users (first_name,➝ last_name, email, pass,➝ registration_date) VALUES ('Peter',➝'O'Toole', 'pete@example.net',➝ SHA1('aPass8'), NOW( ) )In that particular example, valid user databroke the query, which is not good. But ifyour PHP script allows for this possibility,a malicious user can purposefully submitproblematic characters (the apostrophebeing one example) in order to hack into,or damage, your database. For securitypurposes, mysqli_real_escape_string( )should be used on every text input in aform. To demonstrate this, let’s revampregister.php (Script 9.3).Using PHP with MySQL 285

To use mysqli_real_escape_string( ):1. Open register.php (Script 9.3) in yourtext editor or IDE, if it is not already.2. Move the inclusion of the mysqli_connect.php file (line 48 in Script 9.3)to just after the main conditional(Script 9.5).Because the mysqli_real_escape_string( ) function requires a databaseconnection, the mysqli_connect.phpscript must be required earlier inthe script.continues on page 288Script 9.5 The register.php script now uses the mysqli_real_escape_string( ) function to makesubmitted data safe to use in a query.1

Script 9.5 continued30 $errors[ ] = 'You forgot to enter your email address.';31 } else {32 $e = mysqli_real_escape_string($dbc, trim($_POST['email']));33 }3435 // Check for a password and match against the confirmed password:36 if (!empty($_POST['pass1'])) {37 if ($_POST['pass1'] != $_POST['pass2']) {38 $errors[ ] = 'Your password did not match the confirmed password.';39 } else {40 $p = mysqli_real_escape_string($dbc, trim($_POST['pass1']));41 }42 } else {43 $errors[ ] = 'You forgot to enter your password.';44 }4546 if (empty($errors)) { // If everything's OK.4748 // Register the user in the database...4950 // Make the query:51 $q = "INSERT INTO users (first_name, last_name, email, pass, registration_date) VALUES('$fn', '$ln', '$e', SHA1('$p'), NOW( ) )";52 $r = @mysqli_query ($dbc, $q); // Run the query.53 if ($r) { // If it ran OK.5455 // Print a message:56 echo 'Thank you!57 You are now registered. In Chapter 12 you will actually be able to log in!';5859 } else { // If it did not run OK.6061 // Public message:62 echo 'System Error63 You could not be registered due to a system error. We apologize forany inconvenience.';6465 // Debugging message:66 echo '' . mysqli_error($dbc) . 'Query: ' . $q . '';6768 } // End of if ($r) IF.6970 mysqli_close($dbc); // Close the database connection.7172 // Include the footer and quit the script:73 include ('includes/footer.html');74 exit( );7576 } else { // Report the errors.code continues on next pageUsing PHP with MySQL 287

3. Change the validation routines to usethe mysqli_real_escape_string( )function, replacing each occurrenceof $var = trim($_POST['var'])with $var = mysqli_real_escape_string($dbc, trim($_POST['var'])):$fn = mysqli_real_escape_string➝ ($dbc, trim($_POST['first_name']));$ln = mysqli_real_escape_string➝ ($dbc, trim($_POST['last_name']));$e = mysqli_real_escape_string➝ ($dbc, trim($_POST['email']));$p = mysqli_real_escape_string➝ ($dbc, trim($_POST['pass1']));Instead of just assigning the submittedvalue to each variable ($fn, $ln, etc.), thevalues will be run through the mysqli_real_escape_string( ) function first.The trim( ) function is still used to getrid of any unnecessary spaces.4. Add a second call to mysqli_close( )before the end of the main conditional:mysqli_close($dbc);To be consistent, since the databaseconnection is opened as the first step ofthe main conditional, it should be closedas the last step of this same conditional.It still needs to be closed beforeincluding the footer and terminating thescript (lines 73 and 74), though.Script 9.5 continued7778 echo 'Error!79 The following error(s) occurred:';80 foreach ($errors as $msg) { // Print each error.81 echo " - $msg\n";82 }83 echo 'Please try again.';8485 } // End of if (empty($errors)) IF.8687 mysqli_close($dbc); // Close the database connection.8889 } // End of the main Submit conditional.90 ?>91 Register92 93 First Name:

5. Save the file as register.php, place itin your Web directory, and test it in yourWeb browser A and B.The mysqli_real_escape_string( )function escapes a string in accordance withthe language being used (i.e., the collation),which is an advantage using this function hasover alternative solutions.If you see results like those in C, itmeans that the mysqli_real_escape_string( ) function cannot access the database(because it has no connection, like $dbc).A Values with apostrophes in them,like a person’s last name, will no longerbreak the INSERT query, thanks tothe mysqli_real_ escape_string( )function.If Magic Quotes is enabled on yourserver, you’ll need to remove any slashesadded by Magic Quotes, prior to using themysqli_real_escape_string( ) function.The code (cumbersome as it is) would look like:$fn = mysqli_real_escape_string➝ ($dbc, trim(stripslashes($_POST➝ ['first_name'])));If you don’t use stripslashes( ) and MagicQuotes is enabled, the form values will bedoubly escaped.If you look at the values stored in thedatabase (using the mysql client, phpMyAdmin,or the like), you will not see the apostrophesand other problematic characters stored withpreceding backslashes. This is correct. Thebackslashes keep the problematic charactersfrom breaking the query but the backslashesare not themselves stored.B Now the registrationprocess will handleproblematic charactersand be more secure.C Since the mysqli_real_escape_string( ) requires a database connection, using it without thatconnection (e.g., before including the connection script) can lead to other errors.Using PHP with MySQL 289

Counting ReturnedRecordsThe next logical function to discuss ismysqli_num_rows( ). This function returnsthe number of rows retrieved by a SELECTquery. It takes one argument, the queryresult variable:$num = mysqli_num_rows($r);Although simple in purpose, this functionis very useful. It’s necessary if you want topaginate your query results (an exampleof this can be found in the next chapter).It’s also a good idea to use this functionbefore you attempt to fetch any resultsusing a while loop (because there’s noneed to fetch the results if there aren’t any,and attempting to do so may cause errors).In this next sequence of steps, let’s modifyview_users.php to list the total number ofregistered users.To modify view_users.php:1. Open view_users.php (refer to Script9.4) in your text editor or IDE, if it is notalready.2. Before the if ($r) conditional, add thisline (Script 9.6):$num = mysqli_num_rows ($r);This line will assign the number ofrows returned by the query to the$num variable.3. Change the original $r conditional to:if ($num > 0) {The conditional as it was written beforewas based upon whether the query didor did not successfully run, not whetheror not any records were returned. Nowit will be more accurate.Script 9.6 Now the view_users.php script willdisplay the total number of registered users,thanks to the mysqli_num_rows( ) function.1

Script 9.6 continued3435 echo ''; // Close the table.3637 mysqli_free_result ($r); // Free upthe resources.3839 } else { // If no records were returned.4041 echo 'There arecurrently no registered users.';4243 }4445 mysqli_close($dbc); // Close the databaseconnection.4647 include ('includes/footer.html');48 ?>4. Before creating the HTML table, printthe number of registered users:echo "There are currently $num➝ registered users.\n";5. Change the else part of the mainconditional to read:echo 'There are➝ currently no registered users.';The original conditional was based uponwhether or not the query worked. Hopefully,you’ve successfully debuggedthe query so that it is working and theoriginal error messages are no longerneeded. Now the error message justindicates if no records were returned.6. Save the file as view_users.php, placeit in your Web directory, and test it inyour Web browser A.A The number of registered users is nowdisplayed at the top of the page.Modifying register.phpThe mysqli_num_rows( ) function could be applied to register.php to prevent someonefrom registering with the same email address multiple times. Although the UNIQUE index on thatcolumn in the database will prevent that from happening, such attempts will create a MySQL error.To prevent this using PHP, run a SELECT query to confirm that the email address isn’t currentlyregistered. That query would be simplySELECT user_id FROM users WHERE ➝ email='$e'You would run this query (using the mysqli_query( ) function) and then call mysqli_num_rows( ).If mysqli_num_rows( ) returns 0, you know that the email address hasn’t already been registeredand it’s safe to run the INSERT.Using PHP with MySQL 291

Ppdating Recordswith pHpThe last technique in this chapter showshow to update database records througha PHP script. Doing so requires an UPDATEquery, and its successful execution canbe verified with PHP’s mysqli_affected_rows( ) function.While the mysqli_num_rows( ) function willreturn the number of rows generated by aSELECT query, mysqli_affected_rows( )returns the number of rows affected by anINSERT, UPDATE, or DELETE query. It’s usedlike so:$num = mysqli_affected_rows($dbc);Unlike mysqli_num_rows( ), the one argumentthe function takes is the databaseconnection ($dbc), not the results of theprevious query ($r).The following example will be a scriptthat allows registered users to changetheir password. It demonstrates twoimportant ideas:nnChecking a submitted username andpassword against registered values(the key to a login system as well)Updating database records using theprimary key as a referenceAs with the registration example, this onePHP script will both display the form Aand handle it.To update records with pHp:1. Begin a new PHP script in your text editoror IDE, to be named password.php(Script 9.7):

Script 9.7 continued30 if (!empty($_POST['pass1'])) {31 if ($_POST['pass1'] != $_POST['pass2']) {32 $errors[ ] = 'Your new password did not match the confirmed password.';33 } else {34 $np = mysqli_real_escape_string($dbc, trim($_POST['pass1']));35 }36 } else {37 $errors[ ] = 'You forgot to enter your new password.';38 }3940 if (empty($errors)) { // If everything's OK.4142 // Check that they've entered the right email address/password combination:43 $q = "SELECT user_id FROM users WHERE (email='$e' AND pass=SHA1('$p') )";44 $r = @mysqli_query($dbc, $q);45 $num = @mysqli_num_rows($r);46 if ($num = = 1) { // Match was made.4748 // Get the user_id:49 $row = mysqli_fetch_array($r, MYSQLI_NUM);5051 // Make the UPDATE query:52 $q = "UPDATE users SET pass=SHA1('$np') WHERE user_id=$row[0]";53 $r = @mysqli_query($dbc, $q);5455 if (mysqli_affected_rows($dbc) = = 1) { // If it ran OK.5657 // Print a message.58 echo 'Thank you!59 Your password has been updated. In Chapter 12 you will actually be able to login!';6061 } else { // If it did not run OK.6263 // Public message:64 echo 'System Error65 Your password could not be changed due to a system error. Weapologize for any inconvenience.';6667 // Debugging message:68 echo '' . mysqli_error($dbc) . 'Query: ' . $q . '';6970 }7172 mysqli_close($dbc); // Close the database connection.7374 // Include the footer and quit the script (to not show the form).75 include ('includes/footer.html');76 exit( );7778 } else { // Invalid email address/password combination.79 echo 'Error!code continues on next pageUsing PHP with MySQL 293

2. Start the main conditional:if ($_SERVER['REQUEST_METHOD'] = =➝'POST') {Since this page both displays and handlesthe form, it’ll use the standard conditionalto check for the form’s submission.3. Include the database connection andcreate an array for storing errors:require ('../mysqli_connect.php');$errors = array( );The initial part of this script mimics theregistration form.4. Validate the email address and currentpassword fields:if (empty($_POST['email'])) {$errors[ ] = 'You forgot to➝ enter your email address.';} else {$e = mysqli_real_escape_string➝ ($dbc, trim($_POST['email']));}if (empty($_POST['pass'])) {$errors[ ] = 'You forgot to➝ enter your current password.';} else {$p = mysqli_real_escape_string➝ ($dbc, trim($_POST['pass']));}The form A has four inputs: the emailaddress, the current password, andtwo for the new password. The processfor validating each of these is thesame as it is in register.php. Any datathat passes the validation test will betrimmed and run through the mysqli_real_escape_string( ) function, sothat it is safe to use in a query.Script 9.7 continued80 The emailaddress and password do notmatch those on file.';81 }8283 } else { // Report the errors.8485 echo 'Error!86 The followingerror(s) occurred:';87 foreach ($errors as $msg) { //Print each error.88 echo " - $msg\n";89 }90 echo 'Please try again.';9192 } // End of if (empty($errors)) IF.9394 mysqli_close($dbc); // Close thedatabase connection.9596 } // End of the main Submit conditional.97 ?>98 Change Your Password99 100 Email Address:

5. Validate the new password:if (!empty($_POST['pass1'])) {if ($_POST['pass1'] != $_POST➝ ['pass2']) {$errors[ ] = 'Your new➝ password did not match the➝ confirmed password.';} else {$np = mysqli_real_escape_➝ string($dbc, trim➝ ($_POST['pass1']));}} else {$errors[ ] = 'You forgot to➝ enter your new password.';}This code is also exactly like that in theregistration script, except that a validnew password is assigned to a variablecalled $np (because $p represents thecurrent password).6. If all the tests are passed, retrieve theuser’s ID:if (empty($errors)) {$q = "SELECT user_id FROM➝ users WHERE (email='$e' AND➝ pass=SHA1('$p') )";$r = @mysqli_query($dbc, $q);$num = @mysqli_num_rows($r);if ($num = = 1) {$row = mysqli_fetch_array($r,➝ MYSQLI_NUM);This first query will return just theuser_id field for the record thatmatches the submitted email addressand password B. To compare thesubmitted password against the storedone, encrypt it again with the SHA1( )function. If the user is registered andhas correctly entered both the emailaddress and password, exactly onecolumn from one row will be selected(since the email value must be uniqueacross all rows). Finally, this one recordis assigned as an array (of one element)to the $row variable.If this part of the script doesn’t workfor you, apply the standard debuggingmethods: remove the error suppressionoperators (@) so that you can see whaterrors, if any, occur; use the mysqli_error( ) function to report any MySQLerrors; and print, then run the queryusing another interface B.7. Update the database for the newpassword:$q = "UPDATE users SET pass=➝ SHA1('$np') WHERE user_id=$row[0]";$r = @mysqli_query($dbc, $q);This query will change the password—using the new submitted value—wherethe user_id column is equal to thenumber retrieved from the previous query.continues on next pageB The result whenrunning the SELECT queryfrom the script (the first oftwo queries it has) withinthe mysql client.Using PHP with MySQL 295

8. Check the results of the query:if (mysqli_affected_rows($dbc)➝ = = 1) {echo 'Thank you!Your password has been➝ updated. In Chapter 12 you➝ will actually be able to log➝ in!';} else {echo 'System ErrorYour password➝ could not be changed due to➝ a system error. We apologizefor any inconvenience.';echo '' . mysqli_error($dbc) .➝'Quer y: ' . $q .➝'';}This part of the script again workssimilar to register.php. In this case, ifmysqli_affected_rows( ) returns thenumber 1, the record has been updated,and a success message will be printed.If not, both a public, generic messageand a more useful debugging messagewill be printed.9. Close the database connection, includethe footer, and terminate the script:mysqli_close($dbc);include ('includes/footer.html');exit( );At this point in the script, the UPDATEquery has been run. It either worked orit did not (because of a system error).In both cases, there’s no need to showthe form again, so the footer is included(to complete the page) and the script isterminated, using the exit( ) function.Prior to that, just to be thorough, thedatabase connection is closed.10. Complete the if ($num = = 1) conditional:} else {echo 'Error!The email➝ address and password do not➝ match those on file.';}If mysqli_num_rows( ) does not returna value of 1, then the submitted emailaddress and password do not matchthose in the database and this error isprinted. In this case, the form will bedisplayed again so that the user canenter the correct information.11. Print any validation error messages:} else {echo 'Error!The following➝ error(s) occurred:';foreach ($errors as $msg) {➝ // Print each error.echo " - $msg\n";}echo 'Please try again.➝ ';}This else clause applies if the $errorsarray is not empty (which means thatthe form data did not pass all thevalidation tests). As in the registrationpage, the errors will be printed.12. Close the database connection andcomplete the PHP code:mysqli_close($dbc);}?>13. Display the form:Change Your Password296 Chapter 9

Email Address:

Review and pursueIf you have any problems with thereview questions or the pursue prompts,turn to the book’s supporting forum(www.LarryUllman.com/forums/).ReviewnnnnnnnWhat version of PHP are you using?What version of MySQL? Does yourPHP-MySQL combination support theMySQL Improved extension?What is the most important sequenceof steps for debugging PHP-MySQLproblems (explicitly covered at theend of Chapter 8, “Error Handling andDebugging”?What hostname, username, andpassword combination do you,specifically, use to connect to MySQL?What PHP code is used to connect to aMySQL server, select the database, andestablish the encoding?What encoding are you using? Why is itnecessary for the PHP scripts to use thesame encoding that is used to interactwith MySQL that is used for storing thetext in the database?Why is it preferable to store themysqli_connect.php script outside ofthe Web root directory? And what is theWeb root directory?Why shouldn’t live sites show MySQLerrors and the queries being run?nnnnWhat syntax will you almost always useto handle the results of a SELECT query?What syntax could you use if the SELECTquery returns only a single row?Why is it important to use the mysqli_real_escape_string( ) function?After what kind of queries would youuse the mysqli_num_rows( ) function?After what types of queries would youuse the mysqli_affected_rows( )function?pursuennIf you don’t remember how the templatesystem works, or how to use theinclude( ) function, revisit Chapter 3.Use the information covered in Chapter8 to apply your own custom error handlerto this site’s examples.n Change the use of mysqli_num_rows( )in view_users.php so that it’s onlycalled if the query had a TRUE result.nApply the mysqli_num_rows( ) functionto register.php, as suggested in anearlier sidebar.n Apply the mysqli_affected_rows( )function to register.php to confirmthat the INSERT worked.nIf you want, create scripts that interactwith the banking database. Easyprojects to begin with include: viewingall customers, viewing all accounts (doa JOIN to also show the customer’sname), and adding to or subtractingfrom an account’s balance.298 Chapter 9

10CommonProgrammingTechniquesNow that you have a little PHP and MySQLinteraction under your belt, it’s time to takethings up a notch. This chapter is similar toChapter 3, “Creating Dynamic Web Sites,”in that it covers myriad independent topics.But what all of these have in common is thatthey demonstrate common PHP-MySQLprogramming techniques. You won’t learnany new functions here; instead, you’ll seehow to use the knowledge you already possessto create standard Web functionality.The examples themselves will broaden theWeb application started in the precedingchapter by adding new, popular features.You’ll see several tricks for managing databaseinformation, in particular editing anddeleting records using PHP. At the sametime, a couple of new ways of passing datato your PHP pages will be introduced. Thefinal sections of the chapter add featuresto the view_users.php page.in This ChapterSending Values to a Script 300Using Hidden Form Inputs 304Editing Existing Records 309Paginating Query Results 316Making Sortable Displays 323Review and Pursue 328

Sending Valuesto a ScriptIn the examples so far, all of the data receivedin the PHP script came from what the userentered in a form. There are, however, twodifferent ways you can pass variables andvalues to a PHP script, both worth knowing.The first method is to make use of HTML’shidden input type:As long as this code is anywhere betweenthe form tags, the variable $_POST['do']will have a value of this in the handling PHPscript, assuming that the form uses the POSTmethod. If the form uses the GET method,then $_GET['do'] would have that value.With that in mind, you can actually skip thecreation of the form, and just directly appenda name=value pair to the URL:www.example.com/page.php?do=thisAgain, with this specific example, page.phpreceives a variable called $_GET['do'] witha value of this.To demonstrate this GET method trick, anew version of the view_users.php script,first created in the last chapter, will bewritten. This one will provide links to pagesthat will allow you to edit or delete anexisting user’s record. The links will passthe user’s ID to the handling pages, both ofwhich will also be written in this chapter.To manually send valuesto a pHp script:1. Open view_users.php (Script 9.6) inyour text editor or IDE.2. Change the SQL query to read (Script 10.1):$q = "SELECT last_name,➝ first_name, DATE_FORMAT➝ (registration_date, '%M %d, %Y')➝ AS dr, user_id FROM users ORDER➝ BY registration_date ASC";Script 10.1 The view_users.php script, started in Chapter 9, “Using PHP with MySQL,” now modified so that itpresents Edit and Delete links, passing the user’s ID number along in each URL.1

The query has been changed in acouple of ways. First, the first and lastnames are selected separately, not concatenatedtogether. Second, the user_idis also now being selected, as that valuewill be necessary in creating the links.3. Add three more columns to themain table:echo 'EditDelete➝ Last Name➝ First Name➝ Date➝ Registered';continues on next pageScript 1.10 continued1920 // Print how many users there are:21 echo "There are currently $num registered users.\n";2223 // Table header:24 echo '25 26 Edit27 Delete28 Last Name29 First Name30 Date Registered31 32 ';3334 // Fetch and print all the records:35 while ($row = mysqli_fetch_array($r, MYSQLI_ASSOC)) {36 echo '37 Edit38 Delete39 ' . $row['last_name'] . '40 ' . $row['first_name'] . '41 ' . $row['dr'] . '42 43 ';44 }4546 echo '';47 mysqli_free_result ($r);4849 } else { // If no records were returned.50 echo 'There are currently no registered users.';51 }5253 mysqli_close($dbc);5455 include ('includes/footer.html');56 ?>Common Programming Techniques 301

In the previous version of the script,there were only two columns: one forthe name and another for the date theuser registered. The name column hasbeen separated into its two parts andtwo new columns added: one for theEdit link and another for the Delete link.4. Change the echo statement within thewhile loop to match the table’s newstructure:echo 'EditDelete' .➝ $row['last_name'] . '' .➝ $row['first_name'] . '' . $row['dr'] .➝'';For each record returned from thedatabase, this line will print out arow with five columns. The last threecolumns are obvious and easy to create:just refer to the returned column name.For the first two columns, which providelinks to edit or delete the user, thesyntax is slightly more complicated. Thedesired end result is HTML code likeEdit, where X is the user’s ID. Knowingthis, all the PHP code has to do is print$row['user_id'] for X, being mindful ofthe quotation marks to avoid parse errors.Because the HTML attributes use alot of double quotation marks andthis echo statement requires a lot ofvariables to be printed, I find it easiestto use single quotes for the HTML andthen to concatenate the variables to theprinted text.5. Save the file as view_users.php, placeit in your Web directory, and run it inyour Web browser A.There’s no point in clicking the newlinks, though, as those scripts havenot yet been created.A The revised version of the view_users.php page, with newcolumns and links.302 Chapter 10

6. If you want, view the HTML source ofthe page to see each dynamically generatedlink B.To append multiple variables to a URL,use this syntax: page.php?name1=value1&name2=value2&name3=value3. It’s simply amatter of using the ampersand, plus anothername=value pair.One trick to adding variables to URLs isthat strings should be encoded to ensure thatthe value is handled properly. For example,the space in the string Elliott Smith would beproblematic. The solution then is to use theurlencode( ) function:$url = 'page.php?name=' . urlencode➝ ('Elliott Smith');You only need to do this when programmaticallyadding values to a URL. When a formuses the GET method, it automatically encodesthe data.B Part of the HTML source of the page (see A ) shows how the user’s ID is added toeach link’s URL.Common Programming Techniques 303

using HiddenForm inputsIn the preceding example, a new versionof the view_users.php script was written.This one now includes links to the edit_user.php and delete_user.php pages,passing each a user’s ID through the URL.This next example, delete_user.php, willtake the passed user ID and allow theadministrator to delete that user. Althoughyou could have this page simply executea DELETE query as soon as the page isaccessed, for security purposes (and toprevent an inadvertent deletion), thereshould be multiple steps A:1. The page must check that it receiveda numeric user ID.2. A message will confirm that this usershould be deleted.3. The user ID will be stored in a hiddenform input.4. Upon submission of this form, the userwill actually be deleted.To use hidden form inputs:1. Begin a new PHP document in yourtext editor or IDE, to be nameddelete_user.php (Script 10.2):

Script 10.2 This script expects a user ID to be passedto it through the URL. It then presents a confirmationform and deletes the user upon submission.1

This script relies upon having a validuser ID, to be used in a DELETE query’sWHERE clause. The first time this page isaccessed, the user ID should be passedin the URL (the page’s URL will end withdelete_user.php?id=X), after clicking theDelete link in the view_users.php page.The first if condition checks for such avalue and that the value is numeric.As you will see, the script will then storethe user ID value in a hidden form input.When the form is submitted (back tothis same page), the script will receivethe ID through $_POST. The secondcondition checks this and, again, thatthe ID value is numeric.If neither of these conditions is TRUE,then the page cannot proceed, so anerror message is displayed and thescript’s execution is terminated B.4. Include the MySQL connection script:require_once ('../mysqli_➝ connect.php');Both of this script’s processes—showingthe form and handling the form—require adatabase connection, so this line is outsideof the main submit conditional (Step 5).5. Begin the main submit conditional:if ($_SERVER['REQUEST_METHOD'] = =➝'POST') {To test for a form submission, the scriptuses the same conditional first explainedin Chapter 3, and also used in Chapter 9.6. Delete the user, if appropriate:if ($_POST['sure'] = = 'Yes') {$q = "DELETE FROM users WHERE➝ user_id=$id LIMIT 1";$r = @mysqli_query ($dbc, $q);The form C will force the user to clicka radio button to confirm the deletion.This little requirement prevents anyaccidents. Thus, the handling processfirst checks that the correct radio buttonwas selected. If so, a basic DELETE queryis defined, using the user’s ID in theWHERE clause. A LIMIT clause is addedto the query as an extra precaution.7. Check if the deletion worked andrespond accordingly:if (mysqli_affected_rows($dbc)➝ = = 1) {echo 'The user has been➝ deleted.';C The page confirms the user deletionusing this simple form.B If the page does not receive a number ID value,this error is shown.D If you select Yes in the form(see C ) and click Submit, thisshould be the result.306 Chapter 10

} else {echo 'The user➝ could not be deleted due to a➝ system error.';echo '' . mysqli_error($dbc) .➝'Quer y: ' . $q . '';}The mysqli_affected_rows( ) functionchecks that exactly one row wasaffected by the DELETE query. If so, ahappy message is displayed D. If not,an error message is sent out.Keep in mind that it’s possible that norows were affected without a MySQLerror occurring. For example, if the querytries to delete the record where the userID is equal to 42000 (and if that doesn’texist), no rows will be deleted but noMySQL error will occur. Still, because ofthe checks made when the form is firstloaded, it would take a fair amount ofhacking by the user to get to that point.8. Complete the $_POST['sure'] conditional:} else {echo 'The user has NOT been➝ deleted.';}If the user did not explicitly check theYes button, the user will not be deletedand this message is displayed E.9. Begin the else clause of the mainsubmit conditional:} else {The page will either handle the formor display it. Most of the code prior tothis takes effect if the form has beensubmitted (if $_SERVER['REQUEST_METHOD'] equals POST). The code fromhere on takes effect if the form has notyet been submitted, in which case theform should be displayed.10. Retrieve the information for the userbeing deleted:$q = "SELECT CONCAT(last_name, ',➝', first_na m e) FROM users WHERE➝ user_id=$id";$r = @mysqli_query ($dbc, $q);if (mysqli_num_rows($r) = = 1) {$row = mysqli_fetch_array ($r,➝ MYSQLI_NUM);To confirm that the script received avalid user ID and to state exactly whois being deleted (refer back to C), theto-be-deleted user’s name is retrievedfrom the database F.The conditional—checking that a singlerow was returned—ensures that a validuser ID was provided to the script. Ifso, that one record is fetched into the$row variable.11. Display the record being deleted:echo "Name: $row[0]Are you sure you want to delete➝ this user?";continues on next pageE If you do not select Yes in the form,no database changes are made.F Running the same SELECT query in the mysql client.Common Programming Techniques 307

To help prevent accidental deletions ofthe wrong record, the name of the userto be deleted is first displayed. Thatvalue is available in $row[0], becausethe mysqli_fetch_array( ) function (inStep 10), uses the MYSQLI_NUM constant,thereby assigning the returned recordto $row as an indexed array. The user’sname is the first, and only, column in thereturned record, so it’s indexed at 0 (asarrays normally begin indexing at 0).12. Create the form:echo ' Yes No';The form posts back to this same page. Itcontains two radio buttons, with the samename but different values, a submit button,and a hidden input. The most importantstep here is that the user ID ($id) is storedas a hidden form input so that the handlingprocess can also access this value G.13. Complete the mysqli_num_rows( )conditional:} else {echo 'This page➝ has been accessed in error.';}If no record was returned by the SELECTquery (because an invalid user ID wassubmitted), this message is displayed.If you see this message when you testthis script but don’t understand why,apply the standard debugging stepsoutlined at the end of Chapter 8,“Error Handling and Debugging.”14. Complete the PHP page:}mysqli_close($dbc);include ('includes/footer.html');?>The closing brace finishes the mainsubmission conditional. Then theMySQL connection is closed and thefooter is included.15. Save the file as delete_user.php andplace it in your Web directory (it shouldbe in the same directory as view_users.php).16. Run the page by first clicking a Deletelink in the view_users.php page.Hidden form elements don’t displayin the Web browser but are still present inthe HTML source code G. For this reason,never store anything there that must be kepttruly secure.Using hidden form inputs and appendingvalues to a URL are just two ways to makedata available to other PHP pages. Two moremethods—cookies and sessions—are thoroughlycovered in Chapter 12, “Cookiesand Sessions.”G The user ID is stored as a hidden input so that it’s available when the form is submitted.308 Chapter 10

A The form for editing a user’s record.Script 10.3 The edit_user.php page first displaysthe user’s current information in a form. Uponsubmission of the form, the record will be updatedin the database.1

Script 10.3 continued2627 // Check for a first name:28 if (empty($_POST['first_name'])) {29 $errors[ ] = 'You forgot to enteryour first name.';30 } else {31 $fn = mysqli_real_escape_string($dbc,trim($_POST['first_name']));32 }3334 // Check for a last name:35 if (empty($_POST['last_name'])) {36 $errors[ ] = 'You forgot to enteryour last name.';37 } else {38 $ln = mysqli_real_escape_string($dbc,trim($_POST['last_name']));39 }4041 // Check for an email address:42 if (empty($_POST['email'])) {43 $errors[ ] = 'You forgot to enteryour email address.';44 } else {45 $e = mysqli_real_escape_string($dbc, trim($_POST['email']));46 }4748 if (empty($errors)) { // Ifeverything's OK.4950 // Test for unique email address:51 $q = "SELECT user_id FROM usersWHERE email='$e' AND user_id != $id";52 $r = @mysqli_query($dbc, $q);53 if (mysqli_num_rows($r) = = 0) {5455 // Make the query:56 $q = "UPDATE users SET first_name='$fn', last_name='$ln',email='$e' WHERE user_id=$idLIMIT 1";57 $r = @mysqli_query ($dbc, $q);58 if (mysqli_affected_rows($dbc)= = 1) { // If it ran OK.5960 // Print a message:61 echo 'The user has beenedited.';62Script 10.3 continued63 } else { // If it did not run OK.64 echo 'The usercould not be edited due to asystem error. We apologize forany inconvenience.';// Public message.65 echo '' . mysqli_error($dbc). 'Query: ' . $q . ''; // Debugging message.66 }6768 } else { // Already registered.69 echo 'Theemail address has already beenregistered.';70 }7172 } else { // Report the errors.7374 echo 'Thefollowing error(s) occurred:';75 foreach ($errors as $msg) {// Print each error.76 echo " - $msg\n";77 }78 echo 'Please try again.';7980 } // End of if (empty($errors)) IF.8182 } // End of submit conditional.8384 // Always show the form...8586 // Retrieve the user's information:87 $q = "SELECT first_name, last_name,email FROM users WHERE user_id=$id";88 $r = @mysqli_query ($dbc, $q);8990 if (mysqli_num_rows($r) = = 1) { // Validuser ID, show the form.9192 // Get the user's information:93 $row = mysqli_fetch_array ($r,MYSQLI_NUM);9495 // Create the form:96 echo '97 First Name: code continues on next page310 Chapter 10

Script 10.3 continued98 Last Name: 99 Email Address: 100 101 102 ';103104 } else { // Not a valid user ID.105 echo 'This page hasbeen accessed in error.';106 }107108 mysqli_close($dbc);109110 include ('includes/footer.html');111 ?>2. Check for a valid user ID value:if ( (isset($_GET['id'])) &&➝ (is_numeric($_GET['id'])) ) {$id = $_GET['id'];} elseif ( (isset($_POST['id'])) &&➝ (is_numeric($_POST['id'])) ) {$id = $_POST['id'];} else {echo 'This page➝ has been accessed in error.';include ('includes/footer.html');exit( );}This validation routine is exactly the sameas that in delete_user.php, confirmingthat a numeric user ID has been received,whether the page has first been accessedfrom view_users.php (the first condition)or upon submission of the form (thesecond condition).3. Include the MySQL connection scriptand begin the main submit conditional:require_once ('../mysqli_connect.➝ php');if ($_SERVER['REQUEST_METHOD'] = =➝'POST') {$errors = array( );Like the registration examples you havealready done, this script makes use ofan array to track errors.continues on next pageCommon Programming Techniques 311

4. Validate the first name:if (empty($_POST['first_name'])) {$errors[ ] = 'You forgot to➝ enter your first name.';} else {$fn = mysqli_real_escape_string➝ ($dbc, trim($_POST➝ ['first_name']));}The form A is like a registration pagebut without the password fields (seethe second tip). The form data cantherefore be validated by applying thesame techniques used in a registrationscript. As with a registration example,the validated data is trimmed and thenrun through mysqli_real_escape_string( ) for security.5. Validate the last name and emailaddress:if (empty($_POST['last_name'])) {$errors[ ] = 'You forgot to➝ enter your last name.';} else {$ln = mysqli_real_escape_string➝ ($dbc, trim($_POST➝ ['last_name']));}if (empty($_POST['email'])) {$errors[ ] = 'You forgot to➝ enter your email address.';} else {$e = mysqli_real_escape_string➝ ($dbc, trim($_POST['email']));}6. If there were no errors, check that thesubmitted email address is not alreadyin use:if (empty($errors)) {$q = "SELECT user_id FROM users➝ WHERE email='$e' AND user_id➝ != $id";$r = @mysqli_query($dbc, $q);if (mysqli_num_rows($r) = = 0) {The integrity of the database and ofthe application as a whole partiallydepends upon having unique emailaddress values in the users table. Thatrequirement guarantees that the loginsystem, which uses a combination ofthe email address and password (tobe developed in Chapter 12), works.Because the form allows for altering theuser’s email address (see A), specialsteps have to be taken to ensureuniqueness of that value across everydatabase record. To understand thisquery, consider two possibilities....In the first, the user’s email addressis being changed. In this case youjust need to run a query making surethat that particular email address isn’talready registered: SELECT user_idFROM users WHERE email='$e'.In the second possibility, the user’semail address will remain the same. Inthis case, it’s okay if the email addressis already in use, because it’s already inuse for this user.312 Chapter 10

To write one query that will work forboth possibilities, don’t check to seeif the email address is being used, butrather see if it’s being used by anyoneelse, hence:SELECT user_id FROM users WHEREemail='$e' AND user_id != $idIf this query returns no records, it’s safeto run the UPDATE query.7. Update the database:$q = "UPDATE users SET➝ first_name='$fn', last_name=➝'$ln', email='$e' WHERE user_id=➝ $id LIMIT 1";$r = @mysqli_query ($dbc, $q);The UPDATE query is similar to examplesyou could have seen in Chapter 5,“Introduction to SQL.” The queryupdates three fields—first name, lastname, and email address—using thevalues submitted by the form. Thissystem works because the form ispreset with the existing values. So,if you edit the first name in the formbut nothing else, the first name valuein the database is updated using thisnew value, but the last name and emailaddress values are “updated” usingtheir current values. This system ismuch easier than trying to determinewhich form values have changed andupdating just those in the database.8. Report on the results of the update:if (mysqli_affected_rows($dbc) = =➝ 1) {echo 'The user has been➝ edited.';} else {echo 'The user➝ could not be edited due to a➝ system error. We apologize➝ for any inconvenience.';echo '' . mysqli_error($dbc) .➝'Quer y: ' . $q . '';}The mysqli_affected_rows( ) functionwill return the number of rows in thedatabase affected by the most recentquery. If any of the three form valueswas altered, then this function willreturn the value 1. This conditional testsfor that and prints a message indicatingsuccess or failure.Keep in mind that the mysqli_affected_rows( ) function will returna value of 0 if an UPDATE commandsuccessfully ran but didn’t actuallyaffect any records. Therefore, if yousubmit this form without changing anyof the form values, a system error isdisplayed, which may not technicallybe correct. Once you have this scripteffectively working, you could changethe error message to indicate thatno alterations were made if mysqli_affected_rows( ) returns 0.continues on next pageCommon Programming Techniques 313

9. Complete the email conditional:} else {echo 'The➝ email address has already➝ been registered.';}This else completes the conditionalthat checked if an email address wasalready being used by another user.If so, that message is printed.10. Complete the $errors conditional:} else {echo 'The following➝ error(s) occurred:';foreach ($errors as $msg) {echo " - $msg\n";}echo 'Please try again.';}The else is used to report any errors inthe form (namely, a lack of a first name,last name, or email address), just like inthe registration script.11. Complete the submission conditional:} // End of submit conditional.The final closing brace completes themain submit conditional. In this example,the form will be displayed wheneverthe page is accessed. After submittingthe form, the database will be updated,and the form will be shown again, nowdisplaying the latest information.12. Retrieve the information for the userbeing edited:$q = "SELECT first_name,➝ last_name, email FROM users➝ WHERE user_id=$id";$r = @mysqli_query ($dbc, $q);if (mysqli_num_rows($r) = = 1) {$row = mysqli_fetch_array ($r,➝ MYSQLI_NUM);In order to populate the form elements,the current information for the user mustbe retrieved from the database. Thisquery is similar to the one in delete_user.php. The conditional—checkingthat a single row was returned—ensuresthat a valid user ID was provided.13. Display the form:echo 'First Name: Last Name: Email Address: ';The form has but three text inputs, eachof which is made sticky using the dataretrieved from the database. Again, theuser ID ($id) is stored as a hidden forminput so that the handling process canalso access this value.14. Complete the mysqli_num_rows( )conditional:} else {echo 'This page➝ has been accessed in error.';}If no record was returned from thedatabase, because an invalid user ID wassubmitted, this message is displayed.314 Chapter 10

15. Complete the PHP page:mysqli_close($dbc);include ('includes/footer.html');?>16. Save the file as edit_user.php andplace it in your Web directory (in thesame folder as view_users.php).17. Run the page by first clicking an Editlink in the view_users.php page Band C.B The new values are displayed in theform after successfully updating thedatabase (compare with the form valuesin A ).C If you try to change a record to an existingemail address or if you omit an input, errors arereported.As written, the sticky form always showsthe values retrieved from the database. Thismeans that if an error occurs, the databasevalues will be used, not the ones the user justentered (if those are different). To change thisbehavior, the sticky form would have to checkfor the presence of $_POST variables, usingthose if they exist, or the database values if not.This edit page does not include the functionalityto change the password. That conceptwas already demonstrated in password.php (Script 9.7). If you would like to incorporatethat functionality here, keep in mind thatyou cannot display the current password, asit is stored in a hashed format (i.e., it’s notdecryptable). Instead, just present two boxesfor changing the password (the new passwordinput and a confirmation). If these values aresubmitted, update the password in the databaseas well. If these inputs are left blank, donot update the password in the database.Common Programming Techniques 315

paginatingQuery ResultsPagination is a concept you’re familiar witheven if you don’t know the term. When youuse a search engine like Google, it displaysthe results as a series of pages and not asone long list. The view_users.php scriptcould benefit from this feature.Paginating query results makes extensiveuse of the LIMIT SQL clause introduced inChapter 5. LIMIT restricts which subset ofthe matched records is actually returned.To paginate the returned results of a query,each iteration of the page will run the samequery using different LIMIT parameters.The first page viewing will request the firstX records; the second page viewing, thesecond group of X records; and so forth. Tomake this work, two values must be passedfrom page to page in the URL, like theuser IDs passed from the view_users.phppage. The first value is the total number ofpages to be displayed. The second valueis an indicator of which records the pageshould display with this iteration (i.e., whereto begin fetching records).Another, more cosmetic technique will bedemonstrated here: displaying each rowof the table—each returned record—usingan alternating background color A. Thiseffect will be achieved with ease, usingthe ternary operator (see the sidebar“The Ternary Operator”).There’s a lot of good, new information to becovered here, so to make it easier to followalong, let’s write this version from scratchinstead of trying to modify Script 10.1.To paginate view_users.php:1. Begin a new PHP document in yourtext editor or IDE, to be namedview_users.php (Script 10.4):

Script 10.4 This new version of view_users.phpincorporates pagination so that the users arelisted over multiple Web browser pages.1

Script 10.4 continued21 // Count the number of records:22 $q = "SELECT COUNT(user_id) FROMusers";23 $r = @mysqli_query ($dbc, $q);24 $row = @mysqli_fetch_array ($r,MYSQLI_NUM);25 $records = $row[0];2627 // Calculate the number of pages...28 if ($records > $display) { // Morethan 1 page.29 $pages = ceil ($records/$display);30 } else {31 $pages = 1;32 }3334 } // End of p IF.3536 // Determine where in the database tostart returning results...37 if (isset($_GET['s']) && is_numeric($_GET['s'])) {38 $start = $_GET['s'];39 } else {40 $start = 0;41 }4243 // Define the query:44 $q = "SELECT last_name, first_name,DATE_FORMAT(registration_date, '%M%d, %Y') AS dr, user_id FROM usersORDER BY registration_date ASC LIMIT$start, $display";45 $r = @mysqli_query ($dbc, $q);4647 // Table header:48 echo '49 50 Edit51 Delete52 Last Name53 First Name54 Date Registered55 56 ';5758 // Fetch and print all the records....59Script 10.4 continued60 $bg = '#eeeeee'; // Set the initialbackground color.6162 while ($row = mysqli_fetch_array($r,MYSQLI_ASSOC)) {6364 $bg = ($bg= ='#eeeeee' ? '#ffffff' :'#eeeeee'); // Switch thebackground color.6566 echo '67 Edit68 Delete69 ' . $row['last_name'] . '70 ' . $row['first_name'] . '71 ' . $row['dr'] .'72 73 ';7475 } // End of WHILE loop.7677 echo '';78 mysqli_free_result ($r);79 mysqli_close($dbc);8081 // Make the links to other pages, ifnecessary.82 if ($pages > 1) {8384 // Add some spacing and start aparagraph:85 echo '';8687 // Determine what page the script ison:88 $current_page = ($start/$display)+ 1;8990 // If it's not the first page, make aPrevious link:91 if ($current_page != 1) {92 echo 'Previous ';93 }code continues on next page318 Chapter 10

Script 10.4 continued9495 // Make all the numbered pages:96 for ($i = 1; $i

The second parameter the script willreceive—on subsequent viewings of thepage—will be the starting record. Thiscorresponds to the first number in aLIMIT x, y clause. Upon initially callingthe script, the first ten records—0 through10—should be retrieved (because$display has a value of 10). The secondpage would show records 10 through 19;the third, 20 through 29; and so forth.The first time this page is accessed,the $_GET['s'] variable will not be set,and so $start should be 0 (the firstrecord in a LIMIT clause is indexed at0). Subsequent pages will receive the$_GET['s'] variable from the URL, andit will be assigned to $start.8. Write the SELECT query with a LIMITclause:$q = "SELECT last_name,➝ first_name, DATE_FORMAT➝ (registration_date, '%M %d, %Y')➝ AS dr, user_id FROM users ORDER➝ BY registration_date ASC LIMIT➝ $start, $display";$r = @mysqli_query ($dbc, $q);The LIMIT clause dictates with whichrecord to begin retrieving ($start) andhow many to return ($display) fromthat point. The first time the page is run,the query will be SELECT last_name,first_name … LIMIT 0, 10. Clicking tothe next page will result in SELECT last_name, first_name … LIMIT 10, 10.9. Create the HTML table header:echo 'EditDelete➝ Last Name➝ First Name➝ Date➝ Registered';In order to simplify this script a little bit,I’m assuming that there are recordsto be displayed. To be more formal,this script, prior to creating the table,would invoke the mysqli_num_rows( )function and have a conditional thatconfirms that some records werereturned.10. Initialize the background color variable:$bg = '#eeeeee';To make each row have its ownbackground color, a variable will beused to store that color. To start, the$bg variable is assigned a value of#eeeeee, a light gray. This color willalternate with white (#ffffff ).11. Begin the while loop that retrievesevery record, and then swap the backgroundcolor:while ($row = mysqli_fetch_array➝ ($r, MYSQLI_ASSOC)) {$bg = ($bg= ='#eeeeee' ?➝'#ffffff' : '#eeeeee');The background color used by eachrow in the table is assigned to the $bgvariable. Because the background colorshould alternate, this one line of codewill, upon each iteration of the loop,assign the opposite color to $bg. If $bgis equal to #eeeeee, then it will beassigned the value of #ffffff and viceversa (again, see the sidebar for thesyntax and explanation of the ternaryoperator). For the first row fetched,$bg is initially equal to #eeeeee (seeStep 10) and will therefore be assigned#ffffff, making a white background.320 Chapter 10

For the second row, $bg is not equalto #eeeeee, so it will be assigned thatvalue, making a gray background.12. Print the records in a table row:echo 'EditDelete' . $row['last_➝ name'] . '' . $row➝ ['first_name'] . '' . $row['dr'] .➝'';This code only differs in one way fromthat in the previous version of thisscript: the initial TR tag now includesthe bgcolor attribute, whose value willbe the $bg variable (so #eeeeee and#ffffff, alternating).13. Complete the while loop and the table,free up the query result resources, andclose the database connection:} // End of WHILE loop.echo '';mysqli_free_result ($r);mysqli_close($dbc);14. Begin a section for displaying links toother pages, if necessary:if ($pages > 1) {echo '';If the script requires multiple pages todisplay all of the records, it needs theappropriate links at the bottom of thepage A.15. Determine the current page being viewed:$current_page = ($start/$display)➝ + 1;To make the links, the script must firstdetermine the current page. This canbe calculated as the starting numberdivided by the display number, plus 1. Forexample, on the second viewing of thispage, $start will be 10 (because on thefirst instance, $start is 0), making the$current_page value 2: (10/10) + 1 = 2.16. Create a link to the previous page,if necessary:if ($current_page != 1) {echo 'Previous➝ ';}If the current page is not the first page,it should also have a Previous link tothe earlier result set C. This isn’t strictlynecessary, but is nice.Each link will be made up of the scriptname, plus the starting point and thenumber of pages. The starting point forthe previous page will be the currentstarting point minus the number beingdisplayed. These values must be passedin every link, or else the pagination will fail.continues on next pageC The Previous link willappear only if the currentpage is not the first one(compare with A ).Common Programming Techniques 321

17. Make the numeric links:for ($i = 1; $i 20. Save the file as view_users.php, placeit in your Web directory, and test it inyour Web browser.This example paginates a simple query,but if you want to paginate a more complexquery, like the results of a search, it’s not thatmuch more complicated. The main differenceis that whatever terms are used in the querymust be passed from page to page in thelinks. If the main query is not exactly the samefrom one viewing of the page to the next, thepagination will fail.If you run this example and the paginationdoesn’t match the number of results thatshould be returned (for example, the countingquery indicates there are 150 records butthe pagination only creates 3 pages, with 10records on each), it’s most likely because themain query and the COUNT( ) query are toodifferent. These two queries will never be thesame, but they must perform the same join (ifapplicable) and have the same WHERE and/orGROUP BY clauses to be accurate.No error handling has been included inthis script, as I know the queries function aswritten. If you have problems, remember yourMySQL/SQL debugging steps: print the query,run it using the mysql client or phpMyAdmin toconfirm the results, and invoke the mysqli_error( ) function as needed.D The final resultspage will not displaya Next link (comparewith A and C ).322 Chapter 10

Script 10.5 This latest version of the view_users.php script creates clickable links out of the table’scolumn headings.1

Script 10.5 continued38 // Determine the sort...39 // Default is by registration date.40 $sort = (isset($_GET['sort'])) ?$_GET['sort'] : 'rd';4142 // Determine the sorting order:43 switch ($sort) {44 case 'ln':45 $order_by = 'last_name ASC';46 break;47 case 'fn':48 $order_by = 'first_name ASC';49 break;50 case 'rd':51 $order_by = 'registration_dateASC';52 break;53 default:54 $order_by = 'registration_dateASC';55 $sort = 'rd';56 break;57 }5859 // Define the query:60 $q = "SELECT last_name, first_name,DATE_FORMAT(registration_date, '%M %d,%Y') AS dr, user_id FROM users ORDERBY $order_by LIMIT $start, $display";61 $r = @mysqli_query ($dbc, $q); // Run thequery.6263 // Table header:64 echo '65 66 Edit67 Delete68 Last Name69 First Name70 Date Registered71 72 ';73Script 10.5 continued74 // Fetch and print all the records....75 $bg = '#eeeeee';76 while ($row = mysqli_fetch_array($r,MYSQLI_ASSOC)) {77 $bg = ($bg= ='#eeeeee' ? '#ffffff' :'#eeeeee');78 echo '79 Edit80 Delete81 ' . $row['last_name'] . '82 ' . $row['first_name'] . '83 ' . $row['dr'] .'84 85 ';86 } // End of WHILE loop.8788 echo '';89 mysqli_free_result ($r);90 mysqli_close($dbc);9192 // Make the links to other pages, ifnecessary.93 if ($pages > 1) {9495 echo '';96 $current_page = ($start/$display) +1;9798 // If it's not the first page, make aPrevious button:99 if ($current_page != 1) {100 echo 'Previous ';101 }102103 // Make all the numbered pages:104 for ($i = 1; $i

Script 10.5 continued106 echo '' .$i . ' ';107 } else {108 echo $i . ' ';109 }110 } // End of FOR loop.111112 // If it's not the last page, make aNext button:113 if ($current_page != $pages) {114 echo 'Next';115 }116117 echo ''; // Close the paragraph.118119 } // End of links section.120121 include ('includes/footer.html');122 ?>3. Determine how the results should beordered:switch ($sort) {case 'ln':$order_by = 'last_name ASC';break;case 'fn':$order_by = 'first_name ASC';break;case 'rd':$order_by = 'registration_➝ date ASC';break;default:$order_by = 'registration_➝ date ASC';$sort = 'rd';break;}The switch checks $sort againstseveral expected values. If, for example,it is equal to ln, then the resultsshould be ordered by the last namein ascending order. The assigned$order_by variable will be used in theSQL query.If $sort has a value of fn, then theresults should be in ascending orderby first name. If the value is rd, thenthe results will be in ascending orderof registration date. This is also thedefault case. Having this default casehere protects against a malicious userchanging the value of $_GET['sort'] tosomething that could break the query.continues on next pageCommon Programming Techniques 325

4. Modify the query to use the new$order_by variable:$q = "SELECT last_name, first_➝ name, DATE_FORMAT(registration_➝ date, '%M %d, %Y') AS dr, user_➝ id FROM users ORDER BY $order_by➝ LIMIT $start, $display";By this point, the $order_by variablehas a value indicating how the returnedresults should be ordered (for example,registration_date ASC), so it can beeasily added to the query. Rememberthat the ORDER BY clause comes beforethe LIMIT clause. If the resulting querydoesn’t run properly for you, print it outand inspect its syntax.5. Modify the table header echo statementto create links out of the columnheadings:echo 'EditDeleteLast➝ NameFirst➝ NameDate➝ Registered';To turn the column headings into clickablelinks, just surround them with theA tag. The value of the href attribute foreach link corresponds to the acceptablevalues for $_GET['sort'] (see theswitch in Step 3).6. Modify the echo statement that createsthe Previous link so that the sort valueis also passed:echo '➝ Previous ';Add another name=value pair to thePrevious link so that the sort order isalso sent to each page of results. If youdon’t, then the pagination will fail, asthe ORDER BY clause will differ from onepage to the next.7. Repeat Step 6 for the numbered pagesand the Next link:echo '' .➝ $i . ' ';echo '➝ Next';326 Chapter 10

8. Save the file as view_users.php, placeit in your Web directory, and run it inyour Web browser A and B.A very important security conceptwas also demonstrated in this example.Instead of using the value of $_GET['sort']directly in the query, it’s checked againstassumed values in a switch. If, for somereason, $_GET['sort'] has a value other thanwould be expected, the query uses a defaultsorting order. The point is this: don’t makeassumptions about received data, and don’tuse unvalidated data in an SQL query.A After clicking the firstname column, the results areshown in ascending order byfirst name.B After clicking the LastName column, and thenclicking to the secondpaginated display, the pageshows the second group ofresults in ascending orderby last name.Common Programming Techniques 327

Review and pursueIf you have any problems with thereview questions or the pursue prompts,turn to the book’s supporting forum(www.LarryUllman.com/forums/).ReviewnnnnnnnnWhat is the standard sequence of stepsfor debugging PHP-MySQL problems(explicitly conveyed at the end ofChapter 8)?What are the two ways of passingvalues to a PHP script (aside fromuser input)?What security measures do the delete_user.php and edit_user.php scriptstake to prevent malicious or accidentaldeletions?Why is it safe to use the $id valuein queries without running it throughmysqli_real_escape_string( ) first?In what situation will the mysqli_affected_rows( ) function return a falsenegative (i.e., report that no recordswere affected despite the fact that thequery ran without error)?What is the ternary operator? How isit used?What two values are required to properlypaginate query results?How do you alter a query so that itsresults are paginated?nnnIf a paginated query is based uponadditional criteria (beyond those used ina LIMIT clause), what would happen ifthose criteria are not also passed alongin every pagination link?Why is it important not to directly usethe value of $_GET['sort'] in a query?Why is it important to pass the sortingvalue along in each pagination link?pursuennnnnnChange the delete_user.php andedit_user.php pages so that they bothdisplay the user being affected in thebrowser window’s title bar.Modify edit_user.php so that you canalso change a user’s password.If you’re up for a challenge, modifyedit_user.php so that the form elements’values come from $_POST, if set,and the database if not.Change the value of the $displayvariable in view_users.php to alterthe pagination.Paginate another query result, such asa list of accounts or customers found inthe banking database.Create delete and edit scripts for thebanking database. You’ll have to factorin the foreign key constraints in place,which limit, for example, the deletion ofcustomers that still have accounts.328 Chapter 10

11Web ApplicationDevelopmentThe preceding two chapters focus on usingPHP and MySQL together (which is, afterall, the primary point of this book). Butthere’s still a lot of PHP-centric materialto be covered. Taking a quick break fromusing PHP with MySQL, this chapter coversa handful of techniques that are often usedin more complex Web applications.The first topic covered in this chapter issending email using PHP. It’s a very commonthing to do and is surprisingly simple(assuming that the server is properlyset up). After that, the chapter has usesrelatedexamples to cover three new ideas:handling file uploads through an HTMLform, using PHP and JavaScript together,and how to use the header( ) function tomanipulate the Web browser. The chapterconcludes by touching upon some of thedate and time functions present in PHP.in This ChapterSending Email 330Handling File Uploads 336PHP and JavaScript 348Understanding HTTP Headers 355Date and Time Functions 362Review and Pursue 366

Sending emailOne of my absolute favorite things aboutPHP is how easy it is to send an email. Ona properly configured server, the process isas simple as using the mail( ) function:mail (to, subject, body, [headers]);The to value should be an email addressor a series of addresses, separated bycommas. Any of these are allowed:nnnnemail@example.comemail1@example.com,email2@example.comActual Name Actual Name ,This Name The subject value will create the email’ssubject line, and body is where you put thecontents of the email. To make things morelegible, variables are often assigned valuesand then used in the mail( ) function call:$to = 'email@example.com';$subject = 'This is the subject';$body = 'This is the body.It goes over multiple lines.';mail ($to, $subject, $body);As you can see in the assignment to the$body variable, you can create an emailmessage that goes over multiple linesby having the text do exactly that withinthe quotation marks. You can also usethe newline character (\n) within doublequotation marks to accomplish this:$body = "This is the body.\nIt goes➝ over multiple lines.";This is all very straightforward, and thereare only a couple of caveats. First, thesubject line cannot contain the newlinecharacter (\n). Second, each line of thepHp mail( ) DependenciesPHP’s mail( ) function doesn’t actually send the email itself. Instead, it tells the mail server runningon the computer to do so. What this means is that the computer on which PHP is running musthave a working mail server in order for this function to work.If you have a computer running a Unix variant or if you are running your Web site through aprofessional host, this should not be a problem. But if you are running PHP on your own desktopor laptop computer, you’ll probably need to make adjustments.If you are running Windows and have an Internet service provider (ISP) that provides you with anSMTP server (like smtp.comcast.net), this information can be set in the php.ini file (downloadAppendix A, “Installation,” from peachpit.com to see how to edit this file). Unfortunately, this willonly work if your ISP does not require authentication—a username and password combination—to use the SMTP server. Otherwise, you’ll need to install an SMTP server on your computer. Thereare plenty available: just search the Internet for free windows smtp server and you’ll see someoptions. The XAMPP application, which Appendix A recommends you use, includes the Mercurymail server.If you are running Mac OS X, you’ll need to enable the built-in SMTP server (either sendmailor postfix, depending upon the specific version of Mac OS X you are running). You can findinstructions online for doing so (search with enable sendmail “Mac OS X”). If you’re usingMAMP, per the recommendation in Appendix A, search online for sending email with MAMP.330 Chapter 11

ody should be no longer than 70 charactersin length (this is more of a recommendationthan a requirement). You canaccomplish this using the wordwrap( )function. It will insert a newline into a stringevery X number of characters. To wrap textto 70 characters, use$body = wordwrap($body, 70);The mail( ) function takes a fourth, optionalparameter for additional headers. This iswhere you could set the From, Reply-To, Cc,Bcc, and similar settings. For example,mail ($to, $subject, $body, 'From:➝ reader@example.com');To use multiple headers of different typesin your email, separate each with \r\n:$headers = "From: John@example.com\➝ r\n";$headers .= "Cc: Jane@example.com,➝ Joe@example.com\r\n";mail ($to, $subject, $body, $headers);Although this fourth argument is optional,it is advised that you always include aFrom value (although that can also beestablished in PHP’s configuration file).To use the mail( ) function, let’s create apage that shows a contact form A and thenhandles the form submission, validating thedata and sending it along in an email. Thisexample will also provide a nice tip you’llsometimes use on pages with sticky forms.Note two things before running thisscript: First, for this example to work, thecomputer on which PHP is running musthave a working mail server. If you’re usinga hosted site, this shouldn’t be an issue;on your own computer, you’ll likely need totake preparatory steps (see the sidebar). Iwill say in advance that these steps can bedaunting for the beginner; it will likely beeasiest and most gratifying to use a hostedsite for this particular script.Second, this example, while functional,could be manipulated by bad people,allowing them to send spam through yourcontact form (not just to you but to anyone).The steps for preventing such attacks areprovided in Chapter 13, “Security Methods.”Following along and testing this example isjust fine; relying upon it as your long-termcontact form solution is a bad idea.A A standard contact form.Web Application Development 331

To send email:1. Begin a new PHP script in your texteditor or IDE, to be named email.php(Script 11.1):Contact MeContact Me3 4 5 Contact Me6 7 8 Contact Me9

Script 11.1 continued3536 } // End of main isset( ) IF.3738 // Create the HTML form:39 ?>40 Please fill out this form to contactme.41 42 Name:

6. Complete the conditionals:} else {echo 'Please➝ fill out the form➝ completely.';}} // End of main isset( ) IF.The error message contains some inlineCSS, so that it’s in red and made bold.7. Begin the form:Please fill out this form to➝ contact me.Name: The comments input is a textarea,which does not use a value attribute.Instead, to be made sticky, the valueis printed between the opening andclosing textarea tags.9. Complete the HTML page:334 Chapter 11

C Successful completion and submission ofthe form.10. Save the file as email.php, place it inyour Web directory, and test it in yourWeb browser C.11. Check your email to confirm that youreceived the message D.If you don’t actually get the email, you’llneed to do some debugging work.With this example, you should confirmwith your host (if using a hosted site) oryourself (if running PHP on your server),that there’s a working mail serverinstalled. You should also test this usingdifferent email addresses (for both the toand from values). Also, watch that yourspam filter isn’t eating up the message.The mail( ) function takes an optionalfifth argument, for additional parameters to besent to the mail-sending application.The mail( ) function returns a 1 or a 0indicating the success of the function call. Thisis not the same thing as the email successfullybeing sent or received. Again, you cannot easilytest for either using PHP.D The resulting email (from the data in A ).While it’s easy to send a simple messagewith the mail( ) function, sending HTMLemails or emails with attachments involvesmore work. I discuss how you can do both inmy book PHP 5 Advanced: Visual QuickProGuide (Peachpit Press, 2007).Using a contact form that has PHP sendan email is a great way to minimize the spamyou receive. With this system, your actualemail address is not visible in the Web browser,meaning it can’t be harvested by spambots.Web Application Development 335

Handling File uploadsChapters 2, “Programming with PHP,”and 3, “Creating Dynamic Web Sites,” goover the basics of handling HTML formswith PHP. For the most part, every type ofform element can be handled the samein PHP, with one exception: file uploads.The process of uploading a file has twodimensions. First the HTML form must bedisplayed, with the proper code to allow forfile uploads. Upon submission of the form,the server will first store the uploaded filein a temporary directory, so the next step isfor the PHP script to copy the uploaded fileto its final destination.For this process to work, several thingsmust be in place:nnnPHP must run with the correct settings.A temporary storage directory mustexist with the correct permissions.The final storage directory must existwith the correct permissions.With this in mind, this next section willcover the server setup to allow for fileuploads; then a PHP script will be createdthat actually does the uploading.Allowing for file uploadsAs I said, certain settings must be establishedin order for PHP to be able to handle fileuploads. I’ll first discuss why or when you’dneed to make these adjustments beforewalking you through the steps.The first issue is PHP itself. There areseveral settings in PHP’s configuration file(php.ini) that dictate how PHP handlesuploads, specifically stating how large of afile can be uploaded and where the uploadshould temporarily be stored (Table 11.1).Generally speaking, you’ll need to edit thisfile if any of these conditions apply:nnnfile_uploads is disabled.PHP has no temporary directory to use.You will be uploading very large files(larger than 2MB).If you don’t have access to your php.inifile—like if you’re using a hosted site—presumably the host has already configuredPHP to allow for file uploads.The second issue is the location of, andpermissions on, the temporary directory.This is where PHP will store the uploadedfile until your PHP script moves it to its finalTABLe 11.1 File Upload ConfigurationsSetting Value Type Importancefile_uploads Boolean Enables PHP support for file uploadsmax_input_time integer Indicates how long, in seconds, a PHP script is allowed to runpost_max_size integer Size, in bytes, of the total allowed POST dataupload_max_filesize integer Size, in bytes, of the largest possible file upload allowedupload_tmp_dir string Indicates where uploaded files should be temporarily stored336 Chapter 11

destination. If you installed PHP on yourown Windows computer, you might need totake steps here. Mac OS X and Unix usersneed not worry about this, as a temporarydirectory already exists for such purposes(namely, a special directory called /tmp).Finally, the destination folder must becreated and have the proper permissionsestablished on it. This is a step that everyonemust take for every application that handlesfile uploads. Because there are importantsecurity issues involved in this step, pleasealso make sure that you read and understandthe sidebar, “Secure Folder Permissions.”With all of this in mind, let’s go throughthe steps.Secure Folder permissionsThere’s normally a trade-off between security and convenience. With this example, it’d be moreconvenient to place the uploads folder within the Web document directory (the conveniencearises with respect to how easily the uploaded images can be viewed in the Web browser), butdoing that is less secure.For PHP to be able to place files in the uploads folder, it needs to have write permissions onthat directory. On most servers, PHP is running as the same user as the Web server itself. On ahosted server, this means that all X number of sites being hosted are running as the same user.Creating a folder that PHP can write to means creating a folder that everyone can write to. Literallyanyone with a site hosted on the server can now move, copy, or write files to your uploadsfolder (assuming that they know it exists). This even means that a malicious user could copy atroublesome PHP script to your uploads directory. However, since the uploads directory in thisexample is not within the Web directory, such a PHP script cannot be run in a Web browser. It’s lessconvenient to do things this way, but more secure.If you must keep the uploads folder publicly accessible, and if you’re using the Apache Webserver, you could limit access to the uploads folder using an .htaccess file. Basically, you wouldstate that only image files in the folder be publicly viewable, meaning that even if a PHP scriptwere to be placed there, it could not be executed. Or, because you’ll learn how to use proxyscripts later in this chapter, you could deny all external access to that folder. Information on howto use .htaccess files can be found in Appendix A, a free download from peachpit.com.Sometimes even the most conservative programmer will make security concessions. Theimportant point is that you’re aware of the potential concerns and that you do the most youcan to minimize the danger.Web Application Development 337

To prepare the server:1. Run the phpinfo( ) function to confirmyour server settings A.The phpinfo( ) function prints out aslew of information about your PHPsetup. It’s one of the most importantfunctions in PHP, if not the most (in myopinion). Search for the settings listed inTable 11.1 and confirm their values. Makesure that file_uploads has a value ofOn and that the limit for upload_max_filesize (2MB, by default) and post_max_size (8MB) won’t be a restrictionfor you. If running PHP on Windows,see if upload_tmp_dir has a value. If itdoesn’t, that might be a problem (you’llknow for certain after running the PHPscript that handles the file upload). Fornon-Windows users, if this value saysno value, that’s perfectly fine.By the way, another advantage of usingan all-in-one installer, such as XAMPPfor Windows or MAMP for Mac OS X,is that the installer should properlyconfigure these settings, too.2. If necessary, open php.ini in yourtext editor.If there’s anything you saw in Step 1that needs to be changed, or if somethinghappens when you actually go tohandle a file upload using PHP, you’llneed to edit the php.ini file. To findthis file, see the Configuration File(php.ini) path value in the phpinfo( )output. This indicates exactly wherethis file is on your computer (alsodownload Appendix A for more).If you are not allowed to edit your php.ini file (if, for instance, you’re using ahosted server), then presumably anynecessary edits would have alreadybeen made to allow for file uploads. Ifnot, you’ll need to request these changesfrom your hosting company (which mayor may not agree to make them).A A phpinfo( ) script returns all the information regarding your PHP setup,including all the file-upload handling stuff.338 Chapter 11

3. Search the php.ini file for the configurationto be changed and make anyedits B.For example, in the File Uploadssection, you’ll see these three lines:file_uploads = On;upload_tmp_dir =upload_max_filesize = 2MThe first line dictates whether or notuploads are allowed. The second stateswhere the uploaded files should betemporarily stored. On most operatingsystems, including Mac OS X and Unix,this setting can be left commented out(preceded by a semicolon) without anyproblem.If you are running Windows and needto create a temporary directory, set thisvalue to C:\tmp, making sure that theline is not preceded by a semicolon.Again, using XAMPP on Windows 7,I did not need to create a temporarydirectory, so you may be able to getaway without one too.Finally, a maximum upload file size isset (the M is shorthand for megabytesin configuration settings).4. Save the php.ini file and restart yourWeb server.How you restart your Web serverdepends upon the operating systemand Web-serving application beingused. See Appendix A for instructions.5. Confirm the changes by rerunning thephpinfo( ) script.Before going any further, confirm thatthe necessary changes have beenenacted by repeating Step 1.continues on next pageB The File Uploads subsection of the php.ini file.Web Application Development 339

6. If you are running Windows and need tocreate a temporary directory, add a tmpfolder within C:\ and make sure thateveryone can write to that directory C.PHP, through your Web server, willtemporarily store the uploaded file inthe upload_tmp_dir. For this to work,the Web user (if your Web serverruns as a particular user) must havepermission to write to the folder.In all likelihood, you may not actuallyhave to change the permissions, but todo so, depending upon what versionof Windows you are running, you cannormally adjust the permissions byright-clicking the folder and selectingProperties. With the Properties window,there should be a Security tab wherepermissions are set. It may also beunder Sharing. Windows uses a morelax permissions system, so you probablywon’t have to change anything unlessthe folder is deliberately restricted.Mac OS X and Unix users can skip thisstep as the temporary directory—/tmp—has open permissions already.C Windows users need to make sure that theC:\tmp (or whatever directory is used) is writableby PHP.D Assuming that htdocsis the Web root directory(http://www.example.comor http://localhost pointsthere), then the uploadsdirectory needs to beplaced outside of it.340 Chapter 11

7. Create a new directory, called uploads,in a directory outside of the Web rootdirectory.All of the uploaded files will be permanentlystored in the uploads directory.If you’ll be placing your PHP script inthe C:\xampp\htdocs\ch11 directory,then create a C:\xampp\uploadsdirectory. Or if the files are going in/Users/~/Sites/ch11,make a /Users/~/uploadsfolder. Figure D shows the structureyou should establish, and the sidebardiscusses why this step is necessary.8. Set the permissions on the uploadsdirectory so that the Web server canwrite to it.Again, Windows users can use theProperties window to make thesechanges, although it may not benecessary. Mac OS X users can…A. Select the folder in the Finder.B. Press Command+I.C. Allow everyone to Read & Write, underthe Ownership & Permissions panel E.If you’re using a hosted site, the hostlikely provides a control panel throughwhich you can tweak a folder’s settingsor you might be able to do this withinyour FTP application.Depending upon your operatingsystem, you may be able to upload fileswithout first taking this step. You cantry the following script before alteringthe permissions, just to see. If you seemessages like those in F, then you willneed to make some adjustments.Unix users can use the chmod commandto adjust a folder’s permissions. The properpermissions in Unix terms can be either 755or 777.Because of the time it can take to uploada large file, you may also need to change themax_input_time value in the php.ini file ortemporarily bypass it using the set_time_limit( ) function in your script.E Adjusting the properties on theuploads folder in Mac OS X.File and directory permissions can becomplicated stuff, particularly if you’ve neverdealt with them before. If you have problemswith these steps or the next script, searchthe Web or turn to the book’s correspondingforum (www.LarryUllman.com/forums/).F If PHP could notmove the uploadedimage over to theuploads folder becauseof a permissions issue,you’ll see an errormessage like this one.Fix the permissions onuploads to correct this.Web Application Development 341

uploading files with pHpNow that the server has (hopefully) been setup to properly allow for file uploads, you cancreate the PHP script that does the actualfile handling. There are two parts to such ascript: the HTML form and the PHP code.The required syntax for a form to handlea file upload has three parts:File The enctype part of the initial form tagindicates that the form should be able tohandle multiple types of data, includingfiles. If you want to accept file uploads,you must include this enctype! Also notethat the form must use the POST method.The MAX_FILE_SIZE hidden input is a formrestriction on how large the chosen filecan be, in bytes, and must come beforethe file input. While it’s easy for a user tocircumvent this restriction, it should still beused. Finally, the file input type will createthe proper button in the form (G and H).Upon form submission, the uploadedfile can be accessed using the $_FILESsuperglobal. The variable will be an arrayof values, listed in Table 11.2.Once the file has been received by thePHP script, the move_uploaded_file( )function can transfer it from the temporarydirectory to its permanent location.move_uploaded_file➝ (temporary _filename,/path/to/destination/filename);G The file input as it appears in IE 9 on Windows.H The file input as it appears inGoogle Chrome on Mac OS X.TABLe 11.2 The $_FILES ArrayIndexnametypesizetmp_nameerrorMeaningThe original name of thefile (as it was on the user’scomputer).The MIME type of the file, asprovided by the browser.The size of the uploaded filein bytes.The temporary filename ofthe uploaded file as it wasstored on the server.The error code associatedwith any problem.342 Chapter 11

Script 11.2 This script allows the user to upload animage file from their computer to the server.1 2 3 4 5 Upload an Image6 7 .error {8 font-weight: bold;9 color: #C00;10 }11 12 13 14 Upload an Image.error {font-weight: bold;color: #C00;}

2. Check if the form has been submittedand that a file was selected:if ($_SERVER['REQUEST_METHOD'] = =➝'POST') {if (isset($_FILES['upload'])) {Since this form will have no other fieldsto be validated I, this is the onlyconditional required. You could alsovalidate the size of the uploaded file todetermine if it fits within the acceptablerange (refer to the $_FILES['upload']['size'] value).3. Check that the uploaded file is of theproper type:$allowed = array ('image/pjpeg',➝'image/jpeg', 'image/JPG',➝'image/X-PNG', 'image/PNG',➝'image/png', 'image/x-png');if (in_array($_FILES['upload']➝ ['type'], $allowed)) {The file’s type is its MIME type,indicating what kind of file it is. Thebrowser can determine and mayprovide this information, dependingupon the properties of the selected file.To validate the file’s type, first createan array of allowed options. The list ofallowed types is based upon acceptingJPEGs and PNGs. Some browsershave variations on the MIME types, sothose are included here as well. If theuploaded file’s type is in this array, thefile is valid and should be handled.Script 11.2 continued3637 // Check for an error:38 if ($_FILES['upload']['error'] > 0) {39 echo 'The file couldnot be uploaded because: ';4041 // Print a message based upon theerror.42 switch ($_FILES['upload']['error']) {43 case 1:44 print 'The file exceeds theupload_max_filesize settingin php.ini.';45 break;46 case 2:47 print 'The file exceeds theMAX_FILE_SIZE setting in theHTML form.';48 break;49 case 3:50 print 'The file was onlypartially uploaded.';51 break;52 case 4:53 print 'No file was uploaded.';54 break;55 case 6:56 print 'No temporary folderwas available.';57 break;58 case 7:59 print 'Unable to write tothe disk.';60 break;61 case 8:62 print 'File upload stopped.';63 break;code continues on next pageI This very basicHTML form only takesone input: a file.344 Chapter 11

Script 11.2 continued64 default:65 print 'A system erroroccurred.';66 break;67 } // End of switch.6869 print '';7071 } // End of error IF.7273 // Delete the file if it still exists:74 if (file_exists ($_FILES['upload']['tmp_name']) && is_file($_FILES['upload']['tmp_name']) ) {75 unlink ($_FILES['upload']['tmp_name']);76 }7778 } // End of the submitted conditional.79 ?>8081 8283 8485 Select a JPEG orPNG image of 512KB or smaller to beuploaded:8687 File: 8889 90 9192 93 94 J If the user uploads a file that’s not a JPEGor PNG, this is the result.4. Copy the file to its new location onthe server:if (move_uploaded_file ($_FILES➝ ['upload']['tmp_name'],➝ "../uploads/{$_FILES['upload']➝ ['name']}")) {echo 'The file has been➝ uploaded!';} // End of move... IF.The move_uploaded_file( ) functionwill move the file from its temporary toits permanent location (in the uploadsfolder). The file will retain its original name.In Chapter 18, “Example—E-Commerce,”you’ll see how to give the file a new name,which is generally a good idea.As a rule, you should always use aconditional to confirm that a file wassuccessfully moved, instead of justassuming that the move worked.5. Complete the image type and isset($_FILES['upload']) conditionals:} else { // Invalid type.echo 'Please➝ upload a JPEG or PNG➝ image.';}} // End of isset($_FILES➝ ['upload']) IF.The first else clause completes the ifbegun in Step 3. It applies if a file wasuploaded but it wasn’t of the right MIMEtype J.6. Check for, and report on, any errors:if ($_FILES['upload']['error'] > 0) {echo 'The file➝ could not be uploaded➝ because: ';If an error occurred, then $_FILES['upload']['error'] will have a valuegreater than 0. In such cases, this scriptwill report what the error was.continues on next pageWeb Application Development 345

7. Begin a switch that prints a moredetailed error:switch ($_FILES['upload']['error']) {case 1:print 'The file exceeds the➝ upload_max_filesize setting➝ in php.ini.';break;case 2:print 'The file exceeds the➝ MAX_FILE_SIZE setting in➝ the HTML form.';break;case 3:print 'The file was only➝ partially uploaded.';break;case 4:print 'No file was uploaded.';break;There are several possible reasons afile could not be uploaded and moved.The first and most obvious one is if thepermissions are not set properly on thedestination directory. In such a case,you’ll see an appropriate error message(see F in the previous section of thechapter). PHP will often also store anerror number in the $_FILES['upload']['error'] variable. The numbers correspondto specific problems, from 0 to 4,plus 6 through 8 (oddly enough, there isno 5). The switch conditional here printsout the problem according to the errornumber. The default case is added forfuture support (if different numbers areadded in later versions of PHP).For the most part, these errors are usefulto you, the developer, and not thingsyou’d indicate to the average user.8. Complete the switch:case 6:print 'No temporary folder➝ was available.';break;case 7:print 'Unable to write to the➝ disk.';break;case 8:print 'File upload stopped.';break;default:print 'A system error➝ occurred.';break;} // End of switch.9. Complete the error if conditional:print '';} // End of error IF.10. Delete the temporary file if it still exists:if (file_exists ($_FILES['upload']➝ ['tmp_name']) && is_file($_FILES➝ ['upload']['tmp_name']) ) {unlink ($_FILES['upload']➝ ['tmp_name']);}If the file was uploaded but it couldnot be moved to its final destinationor some other error occurred, thenthat file is still sitting on the server inits temporary location. To remove it,apply the unlink( ) function. Just tobe safe, prior to applying unlink( ), aconditional checks that the file existsand that it is a file (because the file_exists( ) function will return TRUE ifthe named item is a directory).346 Chapter 11

11. Complete the PHP section:} // End of the submitted➝ conditional.?>12. Create the HTML form:Select a JPEG➝ or PNG image of 512KB or➝ smaller to be uploaded:➝ File: This form is very simple C, but it containsthe three necessary parts for fileuploads: the form’s enctype attribute,the MAX_FILE_SIZE hidden input, andthe file input.13. Complete the HTML page:14. Save the file as upload_image.php,place it in your Web directory, and testit in your Web browser (K and L).If you want, you can confirm that thescript works by checking the contentsof the uploads directory.Omitting the enctype form attributeis a common reason for file uploads tomysteriously fail.The existence of an uploaded file canalso be validated with the is_uploaded_file( ) function.Windows users must use either forwardslashes or double backslashes to refer todirectories (so C:\\ or C:/ but not C:\). This isbecause the backslash is the escape characterin PHP.The move_uploaded_file( ) functionwill overwrite an existing file without warningif the new and existing files both have thesame name.The MAX_FILE_SIZE is a restriction in thebrowser as to how large a file can be, althoughnot all browsers abide by this restriction. ThePHP configuration file has its own restrictions.You can also validate the uploaded file sizewithin the receiving PHP script.In Chapter 13, you’ll learn a method forimproving the security of this script by validatingthe uploaded file’s type more reliably.K The result upon successfullyuploading and moving a file.L The result upon attempting to upload a file thatis too large.Web Application Development 347

pHp and JavaScriptAlthough PHP and JavaScript arefundamentally different technologies,they can be used together to make betterWeb sites. The most significant differencebetween the two languages is thatJavaScript is primarily client-side (meaningit runs in the Web browser) and PHP isalways server-side. Therefore, JavaScriptcan do such things as detect the size of thebrowser window, create pop-up windows,make image mouseovers, whereasPHP can do nothing like these things.Conversely, PHP can interact with MySQLon the server, but JavaScript cannot.Although PHP cannot do certain things thatJavaScript can, PHP can be used to createJavaScript, just as PHP can create HTML.To be clear, in a Web browser, JavaScriptis incorporated by, and interacts withHTML, but PHP can dynamically generateJavaScript code, just as you’ve been usingPHP to dynamically generate HTML.To demonstrate this, one PHP script will becreated that lists all the images uploaded bythe upload_image.php script A. The PHPscript will also create each image name asa clickable link. The links themselves willcall a JavaScript function B that createsa pop-up window. The pop-up windowwill actually show the clicked image. Thisexample will in no way be a thoroughdiscussion of JavaScript, but it doesadequately demonstrate how the varioustechnologies—PHP, HTML, and JavaScript—can be used together. In Chapter 15,“Introducing jQuery,” you’ll learn how to usethe jQuery JavaScript framework to add allsorts of functionality to PHP-based scripts.A This PHP pagedynamically createsa list of all theuploaded images.B Each image’s name is linked as a call to a JavaScript function. The function call’s parameters are createdby PHP.348 Chapter 11

Creating the JavaScript FileEven though JavaScript and PHP are twodifferent languages, they are similar enoughthat it’s possible to dabble with JavaScriptwithout any formal training. Before creatingthe JavaScript code for this example, I’llexplain a few of the fundamentals.First, JavaScript code can be added toan HTML page in one of two ways: inlineor through an external file. To add inlineJavaScript, place the JavaScript codebetween HTML script tags:// Actual JavaScript code.To use an external JavaScript file, add asrc attribute to the script tag:Your HTML pages can have multiple usesof the script tag, but each can onlyinclude an external file or have someJavaScript code, but not both.As you can see in the above, JavaScriptfiles use a .js extension. The file shoulduse the same encoding (as set in your texteditor or IDE) as the HTML script that willinclude the file. You can indicate the file’sencoding in the script tag:➝ Whether you place your JavaScript codewithin script tags or in an externalfile, there are no opening and closingJavaScript tags, like the opening andclosing PHP tags.Next, know that variables in JavaScript arecase-sensitive, just like PHP, but variablesin JavaScript do not begin with dollar signs.Finally, one of the main differences betweenJavaScript and PHP is that JavaScript isan Object-Oriented Programming (OOP)language. Whereas PHP can be used inboth a procedural approach, as most of thisbook demonstrates, and an object-orientedapproach (introduced in Chapter 16, “An OOPPrimer”), JavaScript is only ever an objectorientedlanguage. This means you’ll see the“dot” syntax like something.something( ) orsomething.something.something.That’s enough of the basics; in thefollowing script I’ll explain the particularsof each bit of code in sufficient detail. Inthis next sequence of steps, you’ll create aseparate JavaScript file that will define oneJavaScript function. The function itself willtake three arguments—an image’s name,width, and height. The function will usethese values to create a pop-up windowspecifically for that image.Web Application Development 349

To create JavaScript with pHp:1. Begin a new JavaScript document inyour text editor or IDE, to be namedfunction.js (Script 11.3):// Script 11.3 - function.jsAgain, there are no opening JavaScripttags here, you can just start writingJavaScript code. Comments inJavaScript can use either the singleline (//) or multiline (/* */) syntax.2. Begin the JavaScript function:function create_window (image,➝ width, height) {The JavaScript create_window( )function will accept three parameters: theimage’s name, its width, and its height.Each of these will be passed to thisfunction when the user clicks a link. Theexact values of the image name, width,and height will be determined by PHP.The syntax for creating a function inJavaScript is very similar to a userdefinedfunction in PHP, except that thevariables do not have initial dollar signs.3. Add ten pixels to the received widthand height values:width = width + 10;height = height + 10;Some pixels will be added to the widthand height values to create a windowslightly larger than the image itself. Mathin JavaScript uses the same operatorsas in pretty much every language.4. Resize the pop-up window if it isalready open:if (window.popup && !window.popup.➝ closed) {window.popup.resizeTo(width,➝ height);}Later in the function, a window will becreated, associated with the popupScript 11.3 The function.js script defines aJavaScript function for creating the pop-upwindow that will show an individual image.1 // Script 11.3 - function.js23 // Make a pop-up window function:4 function create_window (image, width,height) {56 // Add some pixels to the width andheight:7 width = width + 10;8 height = height + 10;910 // If the window is already open,11 // resize it to the new dimensions:12 if (window.popup && !window.popup.closed) {13 window.popup.resizeTo(width, height);14 }1516 // Set the window properties:17 var specs = "location=no,scrollbars=no, menubars=no,toolbars=no, resizable=yes,left=0, top=0, width=" + width + ",height=" + height;1819 // Set the URL:20 var url = "show_image.php?image=" +image;2122 // Create the pop-up window:23 popup = window.open(url, "ImageWindow",specs);24 popup.focus( );2526 } // End of function.350 Chapter 11

variable. If the user clicks one imagename, creating the pop-up window,and then clicks another image’s namewithout having closed the first pop-upwindow, the new image will be displayedin a mis-sized window. To prevent that, abit of code here first checks if the pop-upwindow exists and if it is not closed. Ifboth conditions are TRUE (which is tosay that the window is already open),the window will be resized accordingto the new image dimensions. This isaccomplished by calling the resizeTo( )method of the popup object (a method isthe OOP term for a function).5. Determine the properties of thepop-up window:var specs = "location=no,➝ scrollbars=no, menubars=no,➝ toolbars=no, resizable=yes,➝ left=0, top=0, width=" +➝ width + ", height=" + height;This line creates a new JavaScriptvariable with a name of specs. The varkeyword before the variable name isthe preferred way to create variableswithin a function (specifically, it creates avariable local to the function). Note thatthe image, width, and height variablesdidn’t use this keyword, as they werecreated as the arguments to a function.This variable will be used to establish theproperties of the pop-up window. Thewindow will have no location bar, scrollbars, menus, or toolbars; it should beresizable; it will be located in the upperleftcorner of the screen; and it will have awidth of width and a height of height C.With strings in JavaScript, the plussign is used to perform concatenation(whereas PHP uses the period).6. Define the URL:var url = "show_image.php?image="➝ + image;This code sets the URL of the pop-upwindow, which is to say what pagethe window should load. That page isshow_image.php, to be created laterin this chapter. The show_image.phpscript expects to receive an image’sname in the URL, so the value ofthe url variable is show_image.php?image= plus the name of theimage concatenated to the end D.7. Create the pop-up window:popup = window.open(url,➝ "ImageWindow", specs);popup.focus( );Finally, the pop-up window is createdusing the open( ) method of the windowobject. The window object is a globalJavaScript object created by thebrowser to refer to the open windows.The open( ) method’s first argument isthe page to load, the second is the titleto be given to the window, and thecontinues on next pageC The pop-upwindow, createdby JavaScript.D The address of the pop-up window shows howthe image value is passed in the URL.Web Application Development 351

third is a list of properties. Note thatthe creation of this window is assignedto the popup variable. Because thisvariable’s creation does not begin withthe keyword var, popup will be a globalvariable. This is necessary in orderfor multiple calls of this function toreference that same variable.Finally, focus is given to the newwindow, meaning it should appearabove the current window.8. Save the script as function.js.9. Place the script, or a copy, in the jsfolder of your Web directory.JavaScript, like CSS, ought to beseparated out when organizing yourWeb directory. Normally, externalJavaScript files are placed in a foldernamed js, javascript, or scripts.Creating the pHp ScriptNow that the JavaScript code required bythe page has been created, it’s time to createthe PHP script itself (which will output theHTML that calls the JavaScript function). Thepurpose of this script is to list all of the imagesalready uploaded by upload_image.php. Todo this, PHP needs to dynamically retrievethe contents of the uploads directory. Thatcan be done via the scandir( ) function. Itreturns an array listing the files in a givendirectory (it was added in PHP 5).The PHP script must link each displayedimage name as a call to the just-definedJavaScript function. That function expects toreceive three arguments: the image’s name,its width, and its height. For PHP to findthese last two values, the script will use thegetimagesize( ) function. It returns an arrayof information for a given image (Table 11.3).To create JavaScript with pHp:1. Begin a new PHP document in your texteditor or IDE, to be named images.php(Script 11.4):Images2. Include the JavaScript file:You can use the script tags anywherein an HTML page, but inclusions ofexternal files are commonly performedTABLe 11.3 The getimagesize( ) ArrayElement Value Example0 image’s width in pixels 4231 image’s height in pixels 3682 image’s type 2 (representing JPG)3 appropriate HTML img tag data height=”368” width=”423”mime image’s MIME type image/png352 Chapter 11

Script 11.4 The images.php script uses JavaScriptand PHP to create links to images stored onthe server. The images will be viewable throughshow_image.php (Script 11.5).1 2 3 4 5 Images6 7 8 9 Click on an image to view it in aseparate window.10 11

file’s name is a period. On non-Windowssystems, hidden files start with a period,the current directory is referred to usingjust a single period, and two periodsrefers to the parent directory. Since allof these might be included in $files,they need to be weeded out.7. Get the image information and encodeits name:$image_size = getimagesize➝ ("$dir/$image");$image_name = urlencode($image);The getimagesize( ) function returnsan array of information about an image(Table 11.3). The values returned bythis function will be used to set thewidth and height sent to the create_window( ) JavaScript function.Next, the urlencode( ) function makes astring safe to pass in a URL. Because theimage name may contain characters notallowed in a URL (and it will be passedin the URL when invoking show_image.php), the name should be encoded.8. Print the list item:echo "➝ $image\n";Finally, the loop creates the HTML listitem, consisting of the linked imagename. The link itself is a call to theJavaScript create_window( ) function.In order to execute the JavaScriptfunction from within HTML, preface itwith javascript:. (There’s much moreto calling JavaScript from within HTML,but just use this syntax for now.)The function’s three arguments are:the image’s name, the image’s width,and the image’s height. Because theimage’s name will be a string, it mustbe wrapped in quotation marks.9. Complete the if conditional, theforeach loop, and the PHP section:} // End of the IF.} // End of the foreach loop.?>10. Complete the unordered list and theHTML page:11. Save the file as images.php, place it inyour Web directory (in the same directoryas upload_image.php), and test itin your Web browser A.Note that clicking the links will not workyet, as show_image.php—the pagethe pop-up window attempts to load—hasn’t been created.12. View the source code to see thedynamically generated links B.Notice how the parameters to eachfunction call are appropriate to thespecific image.Different browsers will handle the sizingof the window differently. In my tests, forexample, Google Chrome always required thatthe window be at least a certain width andInternet Explorer 9 would pad the displayedimage on all four sides.Some versions of Windows create aThumbs.db file in a folder of images. Youmight want to check for this value in theconditional in Step 6 that weeds out somereturned items. That code would beif ( (substr($image, 0, 1) != '.') &&➝ ($image != 'Thumbs.db') ) {Not to belabor the point, but most everythingWeb developers do with JavaScript (forexample, resize or move the browser window)cannot be done using the server-side PHP.There is a little overlap between the PHPand JavaScript. Both can set and read cookies,create HTML, and do some browser detection.354 Chapter 11

understandingHTTp HeadersThe images.php script, just created, displaysa list of image names, each of which is linkedto a JavaScript function call. That JavaScriptfunction creates a pop-up window whichloads a PHP script that will actually revealthe image. This may sound like a lot of workfor little effort, but there’s a method to mymadness. A trivial reason for this approach isthat JavaScript is required in order to createa window sized to fit the image (as opposedto creating a pop-up window of any size,with the image in it). More importantly,because the images are being stored in theuploads directory, ideally stored outside ofthe Web root directory, the images cannotbe viewed directly in the Web browser usingeither of the following:http://www.example.com/uploads/➝ image.pngorThe reason why neither of the abovewill work is that files and folders locatedoutside of the Web root directory are, bydefinition, unavailable via a Web browser.This is actually a good thing, because itallows you to safeguard content, providingit only when appropriate. To make thatcontent available through a Web browser,you need to create a proxy script in PHP.A proxy script just fulfills a role, such asproviding a file (displaying an image isactually the same thing as providing afile to the browser). Thus, given the proxyscript proxy.php, the above examplescould be made to work using either A:http://www.example.com/proxy.php?➝ image=image.pngorThis, of course, is exactly what’s beingdone with show_image.php, linked in thecreate_window( ) JavaScript function. Buthow does proxy.php, or show_image.php,work? The answer lies in an understandingof HTTP headers.continues on next pageA A proxy script is able to provide access to content on the server that would otherwise be unavailable.Web Application Development 355

HTTP (Hypertext Transfer Protocol) is thetechnology at the heart of the World WideWeb and defines the way clients andservers communicate (in layman’s terms).When a browser requests a Web page,it receives a series of HTTP headers inreturn. This happens behind the scenes;most users aren’t aware of this at all.PHP’s built-in header( ) function can beused to take advantage of this protocol.The most common example of this will bedemonstrated in the next chapter, whenthe header( ) function will be used toredirect the Web browser from the currentpage to another. Here, you’ll use it to sendfiles to the Web browser.In theory, the header( ) function is easy touse. Its syntax isheader(header string);The list of possible header strings isquite long, as headers are used for everythingfrom redirecting the Web browser,to sending files, to creating cookies, tocontrolling page caching, and much, muchmore. Starting with something simple, touse header( ) to redirect the Webbrowser, typeheader ('Location: http://www.➝ example.com/page.php');That line will send the Web browser fromthe page it’s on over to that other URL. You’llsee examples of this in the next chapter.In this next example, which will send animage file to the Web browser, three headercalls are used. The first is Content-Type.This is an indication to the Web browserof what kind of data is about to follow. TheContent-Type value matches the data’sMIME type. This line lets the browser knowit’s about to receive a PDF file:header("Content-Type:application/➝ pdf\n");Next, you can use Content-Disposition,which tells the browser how to treat the data:header ("Content-Disposition:➝ attachment; filename=\➝ "somefile.pdf\"\n");The attachment value will prompt thebrowser to download the file B. AnB Firefox prompts the userto download the file becauseof the attachment Content-Disposition value.356 Chapter 11

alternative is to use inline, which tells thebrowser to display the data, assuming thatthe browser can. The filename attributeis just that: it tells the browser the nameassociated with the data. Some browsersabide by this instruction, others do not.A third header to use for downloading filesis Content-Length. This is a value, in bytes,corresponding to the amount of data tobe sent.header ("Content-Length: 4096\n");That’s the basics with respect to using theheader( ) function. Before getting to theexample, note that if a script uses multipleheader( ) calls, each should be terminatedby a newline (\n) as in the precedingcode snippets. More importantly, theabsolutely critical thing to remember aboutthe header( ) function is that it must becalled before anything is sent to the Webbrowser. This includes HTML or even blankspaces. If your code has any echo or printstatements, has blank lines outside of PHPtags, or includes files that do any of thesethings before calling header( ), you’ll seean error message like that in C.C The headers already sent error means that the Web browser was sent something—HTML,plain text, even a space—prior to using the header( ) function.Web Application Development 357

To use the header( ) function:1. Begin a new PHP document in yourtext editor or IDE, to be namedshow_image.php (Script 11.5):

accomplishes this). The extension is alsorun through the strtolower( ) functionso that .PNG and .png are treatedthe same. Then a conditional checks tosee if $ext is equal to any of the threeallowed values.4. Check that the image is a file onthe server:$image = "../uploads/➝ {$_GET['image']}";if (file_exists ($image) &&➝ (is_file($image))) {Before attempting to send the imageto the Web browser, make sure that itexists and that it is a file (as opposedto a directory). As a security measure,the image’s full path is defined as acombination of ../uploads and thereceived image name.5. Set the value of the flag variable to theimage’s name:$name = $_GET['image'];Once the image has passed all of thesetests, the $name variable is assigned thevalue of the image.6. Complete the conditionals begun inSteps 2, 3, and 4:} // End of file_exists( ) IF.} // End of $ext IF.} // End of isset($_GET['image']) IF.There are no else clauses for anyof these three conditions. If all threeconditions aren’t TRUE, then theflag variable $name will still have aFALSE value.7. If no valid image was received by thispage, use a default image:if (!$name) {$image = 'images/unavailable.png';$name = 'unavailable.png';}If the image doesn’t exist, if it isn’t a file,or if it doesn’t have the proper extension,then the $name variable will still have avalue of FALSE. In such cases, a defaultimage will be used instead D. Theimage itself can be downloaded fromthe book’s corresponding Web site(www.LarryUllman.com, found with allthe downloadable code) and should beplaced in an images folder. The imagesfolder should be in the same directory asthis script, not in the same directory asthe uploads folder.8. Retrieve the image’s information:$info = getimagesize($image);$fs = filesize($image);continues on next pageD This image will beshown any time there’sa problem with showingthe requested image.Web Application Development 359

To send a file to the Web browser, thescript needs to know the file’s MIME typeand size. An image file’s type can befound using getimagesize( ). The file’ssize, in bytes, is found using filesize( ).Because the $image variable representseither ../uploads/{$_GET['image']} orimages/unavailable.png, these lineswill work on both the correct and theunavailable image.9. Send the file:header ("Content-Type:➝ {$info['mime']}\n");header ("Content-Disposition:➝ inline; filename=\"$name\"\n");header ("Content-Length: $fs\n");These header( ) calls will send thefile data to the Web browser. The firstline uses the image’s MIME type forthe value of the Content-Type header.The second line tells the browser thename of the file and that it should bedisplayed in the browser (inline). Thelast header( ) function indicates howmuch data is to be expected.The file data itself is sent using thereadfile( ) function, which reads in afile and immediately sends the contentto the Web browser.10. Save the file as show_image.php, placeit in your Web directory, in the samefolder as images.php, and test it inyour Web browser by clicking a link inimages.php E.Notice that this page contains no HTML.It only sends an image file to the Webbrowser. Also note that I omitted theterminating PHP tag. This is acceptable,and in certain situations like this,preferred. If you included the closingPHP tag, and you inadvertently hadan extra space or blank line after thattag, the browser could have problemsdisplaying the image (because thebrowser will have received the imagedata of X length, matching the Content-Length header, plus a bit of extra data).E This image is displayed by having PHP sendthe file to the Web browser.360 Chapter 11

I cannot stress strongly enough thatnothing can be sent to the Web browserbefore using the header( ) function. Evenan included file that has a blank line afterthe closing PHP tag will make the header( )function unusable.To avoid problems when usingheader( ), you can call the headers_sent( )function first. It returns a Boolean value indicatingif something has already been sent tothe Web browser:if (!headers_sent( )) {// Use the header( ) function.} else {// Do something else.}Output buffering, demonstrated in Chapter 17,“Example—User Registration,” can also preventproblems when using header( ).Debugging scripts like this, where PHPsends data, not text, to the Web browser, canbe challenging. For help, use one of the manydeveloper plug-ins for the Firefox browser F.You can also indicate to the Web browserthe page’s encoding using PHP and theheader( ) function:This can be more effective than using a METAtag, but it does require the page to be a PHPscript. If using this, it must be the first line inthe page, before any HTML.A proxy script can only ever send to thebrowser a single file (or image) at a time.F The Web Developer Toolbar extension for Firefox includes the ability to see what headers were sent bya page and/or server. This can be useful debugging information.Web Application Development 361

Date and Time FunctionsChapter 5, “Introduction to SQL,”demonstrates a handful of great dateand time functions that MySQL supports.Naturally, PHP has its own date and timefunctions. To start, there’s date_default_timezone_set( ). This function is used toestablish the default time zone (which canalso be set in PHP’s configuration file).date_default_timezone_set(tz);The tz value is a string like America/New_York or Pacific/Auckland. There are too manyto list here (Africa alone has over 50), but seethe PHP manual for them all. Note that as ofPHP 5.1, the default time zone must be set,either in a script or in PHP’s configurationfile, prior to calling any of the date and timefunctions, or else you’ll see an error.Next up, the checkdate( ) function takesa month, a day, and a year and returns aBoolean value indicating whether that dateactually exists (or existed). It even takesinto account leap years. This function canbe used to ensure that a user supplied avalid date (birth date or other):if (checkdate(month, day, year)) { // OK!Perhaps the most frequently used functionis the aptly named date( ). It returns thedate and/or time as a formatted string. Ittakes two arguments:date (format, [timestamp]);The timestamp is an optional argumentrepresenting the number of seconds sincethe Unix Epoch (midnight on January 1,1970) for the date in question. It allows youto get information, like the day of the week,for a particular date. If a timestamp is notspecified, PHP will just use the current timeon the server.TABLe 11.4 Date( ) Function FormattingCharacter Meaning ExampleY Year as 4 digits 2011y Year as 2 digits 11L Is it a leap year? 1 (for yes)n Month as 1 or 2 digits 2m Month as 2 digits 02F Month FebruaryM Month as 3 letters Febjdl (lowercaseL)DwDay of the monthas 1 or 2 digitsDay of the monthas 2 digitsDay of the weekDay of the weekas 3 lettersDay of the weekas a single digitz Day of the year: 0to 365tSgGhHNumber of days inthe monthEnglish ordinalsuffix for a day,as 2 charactersHour; 12-hour formatas 1 or 2 digitsHour; 24-hour formatas 1 or 2 digitsHour; 12-hour formatas 2 digitsHour; 24-hour formatas 2 digits808MondayMon0 (Sunday)18931rd6180618i Minutes 45s Seconds 18u Microseconds 1234a am or pm amA AM or PM PMUSeconds since theepoche Timezone UTC1048623008I (capital i) Is it daylight savings? 1 (for yes)O Difference from GMT +0600362 Chapter 11

TABLe 11.5 The getdate( ) ArrayKey Value Exampleyear year 2011mon month 11month month name Novembermday day of the month 24weekday day of the week Thursdayhours hours 11minutes minutes 56seconds seconds 47There are myriad formatting parametersavailable (Table 11.4), and these can be usedin conjunction with literal text. For example,echo date('F j, Y'); // January 26, 2011echo date('H:i'); // 23:14echo date('D'); // SatYou can find the timestamp for a particulardate using the mktime( ) function:$stamp = mktime (hour, minute,➝ second, month, day, year);If called with no arguments, mktime( )returns the current timestamp, which is thesame as calling the time( ) function.Finally, the getdate( ) function can beused to return an array of values (Table 11.5)for a date and time. For example,$today = getdate( );echo $today['month']; // OctoberThis function also takes an optionaltimestamp argument. If that argument isnot used, getdate( ) returns informationfor the current date and time.These are just a handful of the many dateand time functions PHP has. For more, seethe PHP manual. To practice working withthese functions, let’s modify images.php(Script 11.4) in a couple of ways. First, thescript will show each image’s uploadeddate and time. Second, while a change isbeing made to the layout, the script willshow each image’s file size, too A.A The revisedimages.php showstwo more pieces ofinformation abouteach image.Web Application Development 363

To use the date and time functions:1. Open images.php (Script 11.4) in yourtext editor or IDE, if it is not already.2. As the first line of code after the openingPHP tag, establish the time zone(Script 11.6):date_default_timezone_set➝ ('America/New_York');Before calling any of the date and timefunctions, the time zone has to beestablished. To find your time zone, seewww.php.net/timezones.3. Within the foreach loop, after gettingthe image’s dimensions, calculate itsfile size:$file_size = round ( (filesize➝ ("$dir/$image")) / 1024) . "kb";The filesize( ) function was first usedin the show_image.php script. It returnsthe size of a file in bytes. To calculatethe kilobytes of a file, divide thisnumber by 1,024 (there are that manybytes in a kilobyte) and round it off.4. On the next line, determine the image’smodification date and time:$image_date = date("F d, Y H:i:s",➝ filemtime("$dir/$image"));To find a file’s modification date andtime, call the filemtime( ) function,providing the function with the file, ordirectory, to be examined. This functionreturns a timestamp, which can thenbe used as the second argumentto the date( ), which will format thetimestamp accordingly.If you’re perplexed by what’s happeninghere, you can break the code into twosteps:$filemtime = filemtime➝ ("$dir/$image");$image_date = date("F d, Y H:i:s ",➝ $filemtime);5. Change the echo statement so that italso prints the file size and modificationdate:echo "➝ $image $file_size➝ ($image_date)\n";Both are printed outside of the A tag, sothey aren’t part of the links.6. Save the file as images.php, place it inyour Web directory, and test it in yourWeb browser.The date( ) function has some parametersthat are used for informative purposes,not formatting. For example, date('L')returns 1 or 0 indicating if it’s a leap year;date('t') returns the number of days in thecurrent month; and date('I') returns a 1 ifit’s currently daylight saving time.PHP’s date functions reflect the time onthe server (because PHP runs on the server);you’ll need to use JavaScript if you want todetermine the date and time on the user’scomputer.In Chapter 16, you’ll learn how to use thenew DateTime class to work with dates andtimes in PHP.364 Chapter 11

Script 11.6 This modified version of images.php (Script 11.4) uses PHP’s date and time functions in order toreport some information to the user.1 2 3 4 5 Images6 7 8 9 Click on an image to view it in a separate window.10 11

Review and pursueIf you have any problems with thereview questions or the pursue prompts,turn to the book’s supporting forum(www.LarryUllman.com/forums/).ReviewnnnnnnnnnnWhat function is used to send email?What are the function’s arguments?What does the server need in order tosend email?Does it make a difference whether \n isused within single or double quotationmarks?Can you easily know for certain if, orwhen, a recipient received an emailsent by PHP?What debugging steps can you takeif you aren’t receiving any email thatshould be sent from a PHP script?How do folder permissions come intoplay for handling uploaded files?What two directories are used inhandling file uploads?What additional attribute must be madeto the opening form tag in order tohandle a file upload?What is a MIME type?In what ways are PHP and JavaScriptalike? How are they different?What tag is used to add JavaScript toan HTML page?nnnnnnWhat does the var keyword mean inJavaScript?What is the concatenation operator inJavaScript?What does the PHP header( ) function do?What do headers already sent errormessages mean?What is a proxy script? When might aproxy script be necessary?What does the readfile( ) function do?pursuennnnnCreate a more custom contact form.Have the PHP script also send a morecustom email, including any other datarequested by the form.Search online using the keywords phpemail spam filters to learn techniquesfor improving the successful deliveryof PHP-sent email (i.e., to minimize thechances of spam filters eating legitimateemails).Make a variation on upload_image.phpthat supports the uploading of differentfile types. Create a correspondingversion of show_image.php. Note: You’llneed to do some research on MIMEtypes to complete these challenges.Check out the PHP manual page for theglob( ) function.A lot of information and new functionswere introduced in this chapter. Checkout the PHP manual for some of them tolearn more.366 Chapter 11

12Cookies andSessionsThe Hypertext Transfer Protocol (HTTP)is a stateless technology, meaning thateach individual HTML page is an unrelatedentity. HTTP has no method for trackingusers or retaining variables as a persontraverses a site. Without the server beingable to track a user, there can be no shoppingcarts or custom Web-site personalization.Using a server-side technology likePHP, you can overcome the statelessnessof the Web. The two best PHP tools for thispurpose are cookies and sessions.The key difference between cookies andsessions is that cookies store data in theuser’s Web browser and sessions storedata on the server itself. Sessions aregenerally more secure than cookies andcan store much more information. As bothtechnologies are easy to use with PHP andare worth knowing, this chapter coversboth cookies and sessions. The examplesfor demonstrating this information will bea login system, based upon the existingsitename database.in This ChapterMaking a Login Page 368Making the Login Functions 371Using Cookies 376Using Sessions 388Improving Session Security 396Review and Pursue 400

Making a Login pageA login process involves just a fewcomponents A:nnnnA form for submitting the logininformationA validation routine that confirms thenecessary information was submittedA database query that compares thesubmitted information against thestored informationCookies or sessions to store data thatreflects a successful loginSubsequent pages can then have checksto confirm that the user is logged in (to limitaccess to that page or add features). There isalso, of course, a logging-out process, whichinvolves clearing out the cookies or sessiondata that represent a logged-in status.To start all this, let’s take some of thesecommon elements and place them intoseparate files. Then, the pages that requirethis functionality can include the necessaryfiles. Breaking up the logic this way willmake some of the following scripts easierto read and write, plus cut down on theirredundancies. You’ll define two includablefiles. This first script will contain the bulkof a login page, including the header, theerror reporting, the form, and the footer B.A The login process.B The loginform and page.368 Chapter 12

Script 12.1 The login_page.inc.php script createsthe complete login page, including the form, andreports any errors. It will be included by otherpages that need to show the login page.1 Login21 22 Email Address: 23 Password: 24 25 2627 To make a login page:1. Begin a new PHP page in yourtext editor or IDE, to be namedlogin_page.inc.php (Script 12.1):

This code was also developed backin Chapter 9, although an additionalisset( ) clause has been added as anextra precaution. If any errors exist (inthe $errors array variable), they’ll beprinted as an unordered list C.4. Display the form:?>LoginEmail Address: Password: The HTML form only needs two textinputs: one for an email address and asecond for the password. The namesof the inputs match those in the userstable of the sitename database (whichthis login system is based upon).To make it easier to create the HTMLform, the PHP section is closed first.The form is not sticky, but you couldeasily add code to accomplish that.5. Complete the page:6. Save the file as login_page.inc.phpand place it in your Web directory (inthe includes folder, along with the filesfrom Chapter 3 and Chapter 9: header.html, footer.html, and style.css).The page will use a .inc.php extensionto indicate both that it’s an includablefile and that it contains PHP code.It may seem illogical that this scriptincludes the header and footer file from withinthe includes directory when this script willalso be within that same directory. This codeworks because this script will be includedby pages within the main directory; thus theinclude references are with respect to theparent file, not this one.C As with other scripts in this book, form errorsare displayed above the form itself.370 Chapter 12

Making the LoginFunctionsAlong with the login page that was storedin login_page.inc.php, there’s a littlebit of functionality that will be common toseveral scripts in this chapter. In this nextscript, also to be included by other pagesin the login/logout system, two functionswill be defined.First, many pages will end up redirectingthe user from one page to another. Forexample, upon successfully logging in, theuser will be taken to loggedin.php. If a useraccesses loggedin.php and they aren’tlogged in, they should be taken to index.php. Redirection uses the header( ) function,introduced in Chapter 11, “Web ApplicationDevelopment.” The syntax for redirection isheader ('Location: http://www.➝ example.com/page.php');Because this function will send the browserto page.php, the current script should beterminated using exit( ) immediatelyafter this:header ('Location: http://www.➝ example.com/page.php');exit( );If you don’t call exit( ), the currentscript will continue to run (just not inthe Web browser).The location value in the header( ) callshould be an absolute URL (www.example.com/page.php instead of just page.php).You can hard-code this value into everyheader( ) call or, better yet, have PHPdynamically determine it. The first functionin this next script will do just that, and thenredirect the user to that absolute URL.The other bit of code that will be used bymultiple scripts in this chapter validates thelogin form. This is a three-step process:1. Confirm that an email address wasprovided.2. Confirm that a password was provided.3. Confirm that the provided emailaddress and password match thosestored in the database (during theregistration process).This next script will define two differentfunctions. The details of how each functionworks will be explained in the stepsthat follow.Cookies and Sessions 371

To create the login functions:1. Begin a new PHP document in yourtext editor or IDE, to be namedlogin_functions.inc.php (Script 12.2):

Script 12.2 continued3738 // Validate the email address:39 if (empty($email)) {40 $errors[ ] = 'You forgot to enteryour email address.';41 } else {42 $e = mysqli_real_escape_string($dbc, trim($email));43 }4445 // Validate the password:46 if (empty($pass)) {47 $errors[ ] = 'You forgot to enteryour password.';48 } else {49 $p = mysqli_real_escape_string($dbc, trim($pass));50 }5152 if (empty($errors)) { // Ifeverything's OK.5354 // Retrieve the user_id andfirst_name for that email/passwordcombination:55 $q = "SELECT user_id, first_nameFROM users WHERE email='$e' ANDpass=SHA1('$p')";56 $r = @mysqli_query ($dbc, $q);// Run the query.5758 // Check the result:59 if (mysqli_num_rows($r) = = 1) {6061 // Fetch the record:62 $row = mysqli_fetch_array ($r,MYSQLI_ASSOC);6364 // Return true and the record:65 return array(true, $row);6667 } else { // Not a match!68 $errors[ ] = 'The email addressand password entered do notmatch those on file.';69 }7071 } // End of empty($errors) IF.7273 // Return false and the errors:74 return array(false, $errors);7576 } // End of check_login( ) function.directory name. That whole value mightbe /somedir/page.php. The dirname( )function will return just the directorypart from that value (i.e., /somedir/).4. Remove any ending slashes fromthe URL:$url = rtrim($url, '/\\');Because the existence of a subfoldermight add an extra slash (/) orbackslash (\, for Windows), the functionneeds to remove that. To do so, applythe rtrim( ) function. By default, thisfunction removes spaces from theright side of a string. If provided witha list of characters to remove as thesecond argument, it’ll chop those offinstead. The characters to be removedare / and \. But since the backslashis the escape character in PHP, youneed to use \\ to refer to a singlebackslash. With this one line of code,if $url concludes with either of thesecharacters, the rtrim( ) function willremove them.5. Append the specific page to the URL:$url .= '/' . $page;Next, the specific page name isconcatenated to the $url. It’s precededby a slash because any trailing slasheswere removed in Step 4 and you can’thave www.example.compage.php asthe URL.This may all seem to be quitecomplicated, but it’s a very effectiveway to ensure that the redirectionworks no matter on what server, orfrom what directory, the script is beingrun (as long as the redirection is takingplace within that directory).continues on next pageCookies and Sessions 373

6. Redirect the user and completethe function:header("Location: $url");exit( ); // Quit the script.} // End of redirect_user( )➝ function.The final steps are to send a Locationheader and terminate the execution ofthe script.7. Begin a new function:function check_login($dbc,➝ $email = '', $pass = '') {This function will validate the logininformation. It takes three arguments:the database connection, which isrequired; the email address, which isoptional; and the password, which isalso optional.Although this function could access$_POST['email'] and $_POST['pass']directly, it’s better if the function ispassed these values, making thefunction more independent.8. Validate the email address and password:$errors = array( );if (empty($email)) {$errors[ ] = 'You forgot to➝ enter your email address.';} else {$e = mysqli_real_escape_string➝ ($dbc, trim($email));}if (empty($pass)) {$errors[ ] = 'You forgot to➝ enter your password.';} else {$p = mysqli_real_escape_string➝ ($dbc, trim($pass));}This validation routine is similar to thatused in the registration page. If anyproblems occur, they’ll be added to the$errors array, which will eventually beused on the login page (see C under“Making a Login Page”). Note that this$errors array is local to the function.Even though it has the same name, thisis not the same $errors variable thatis used in the login page. Code laterin the function will return this $errorsvariable’s value, and code in the scriptsthat call this function will then assignthis returned value to the proper, global$errors array, usable on the login page.9. If no errors occurred, run the databasequery:if (empty($errors)) {$q = "SELECT user_id, first_name➝ FROM users WHERE email='$e'➝ AND pass=SHA1('$p')";$r = @mysqli_query ($dbc, $q);The query selects the user_id and first_name values from the database wherethe submitted email address (fromthe form) matches the stored emailaddress and the SHA1( ) version ofthe submitted password matches thestored password A.A The results of the login query, shown in themysql client, if the user submitted the proper emailaddress/password combination.374 Chapter 12

10. Check the results of the query:if (mysqli_num_rows($r) = = 1) {$row = mysqli_fetch_array ($r,➝ MYSQLI_ASSOC);return array(true, $row);If the query returned one row, thenthe login information was correct. Theresults are then fetched into $row. Thefinal step in a successful login is toreturn two pieces of information back tothe requesting script: the Boolean true,indicating that the login was a success;and the data fetched from MySQL.Using the array( ) function, both theBoolean value and the $row array canbe returned by this function.11. If no record was selected by the query,create an error:} else { // Not a match!$errors[ ] = 'The email address➝ and password entered do not➝ match those on file.';}If the query did not return one row, thenan error message is added to the array.It will end up being displayed on thelogin page B.12. Complete the conditional begun inStep 9 and complete the function:} // End of empty($errors) IF.return array(false, $errors);} // End of check_login( ) function.The final step is for the function to returna value of false, indicating that loginfailed, and to return the $errors array,which stores the reason(s) for failure.This return statement can be placedhere—at the end of the function insteadof within a conditional—because thefunction will only get to this point if thelogin failed. If the login succeeded, thereturn line in Step 10 will stop the functionfrom continuing (a function stops assoon as it executes a return).13. Save the file as login_functions.inc.php and place it in your Webdirectory (in the includes folder, alongwith header.html, footer.html, andstyle.css).This page will also use a .inc.php extensionto indicate both that it’s an includablefile and that it contains PHP code.As with some other includable filescreated in this book (although notlogin_page.inc.php), the closing PHPtag—?>—is omitted. Doing so preventspotential complications that can ariseshould an includable file have an errantblank space or line after the closing tag.B If the user entered an email address andpassword, but they don’t match the values stored inthe database, this is the result in the Web browser.The scripts in this chapter include nodebugging code (like the MySQL error orquery). If you have problems with these scripts,apply the debugging techniques outlined inChapter 8, “Error Handling and Debugging.”You can add name=value pairs to theURL in a header( ) call to pass values to thetarget page:$url .= '?name=' . urlencode(value);Cookies and Sessions 375

using CookiesCookies are a way for a server to storeinformation on the user’s machine. This isone way that a site can remember or tracka user over the course of a visit. Think ofa cookie as being like a name tag: you tellthe server your name and it gives you asticker to wear. Then it can know who youare by referring back to that name tag A.In this section, you will learn how to set acookie, retrieve information from a storedcookie, alter a cookie’s settings, and thendelete a cookie.A How cookies aresent back and forthbetween the serverand the client.Testing for CookiesTo effectively program using cookies, you need to be able to accurately test for their presence.The best way to do so is to have your Web browser ask what to do when receiving a cookie. Insuch a case, the browser will prompt you with the cookie information each time PHP attemptsto send a cookie.Different versions of different browsers on different platforms all define their cookie-handlingpolicies in different places. I’ll quickly run through a couple of options for popular Web browsers.To set this up using Internet Explorer on Windows, choose Tools > Internet Options. Then click thePrivacy tab, followed by the Advanced button under Settings. Click “Override automatic cookiehandling” and then choose “Prompt” for First-party Cookies.Using Firefox, you’ll want to select “ask me every time” in the “Keep until” drop-down menu. To getto that point on Windows, choose Tools > Options > Privacy. If you are using Firefox on Mac OS X,start by choosing Firefox > Preferences. Then, on the Privacy tab, select “Use custom settings forhistory” and you’ll see the “Keep until” selector.Unfortunately, Safari and Google Chrome do not have options to prompt you when cookies aresent (not so far as I can see, that is, without installing extensions or plug-ins). Both do allow youto view existing cookies, which is still a useful debugging tool.376 Chapter 12

Setting cookiesThe most important thing to understandabout cookies is that they must be sentfrom the server to the client prior to anyother information. Should the serverattempt to send a cookie after the Webbrowser has already received HTML—evenan extraneous white space—an errormessage will result and the cookie will notbe sent B. This is by far the most commoncookie-related error but is easily fixed. Ifyou see such a message:1. Note the script and line number followingoutput started at.2. Open that script and head to that linenumber.3. Remove the blank space, line, text,HTML, or whatever that is outputtedby that line.Cookies are sent via the setcookie( )function:setcookie (name, value);setcookie ('name', 'Nicole');The second line of code will send a cookieto the browser with a name of name and avalue of Nicole C.You can continue to send more cookies tothe browser with subsequent uses of thesetcookie( ) function:setcookie ('ID', 263);setcookie ('email', 'email@example.com');As for the cookies name, it’s best not touse white spaces or punctuation, and payattention to the exact case used.B The headers already sent… error message is all too common when creating cookies.Pay attention to what the error message says in order to find and fix the problem.C If the browser is set toask for permission whenreceiving cookies, you’ll seea message like this when asite attempts to send one(this is Firefox’s version ofthe prompt).Cookies and Sessions 377

To send a cookie:1. Begin a new PHP document in your texteditor or IDE, to be named login.php(Script 12.3):378 Chapter 12

3. Validate the form data:list ($check, $data) = check_login➝ ($dbc, $_POST['email'],➝ $_POST['pass']);After including both files, the check_login( ) function can be called. It’spassed the database connection (whichcomes from mysqli_connect.php), alongwith the email address and the password(both of which come from the form). Asan added precaution, the script couldconfirm that both variables are set andnot empty prior to invoking the function.This function returns an array of twoelements: a Boolean value and an array(of user data or errors). To assign thosereturned values to variables, apply thelist( ) function. The first value returnedby the function (the Boolean) will beassigned to $check. The second valuereturned (either the $row or $errorsarray) will be assigned to $data.4. If the user entered the correct information,log them in:if ($check) { // OK!setcookie ('user_id',➝ $data['user_id']);setcookie ('first_name',➝ $data['first_name']);The $check variable indicates thesuccess of the login attempt. If it has aTRUE value, then $data contains theuser’s ID and first name. These twovalues can be used in cookies.Generally speaking, you should neverstore a database table’s primary keyvalue, such as $data['user_id'], ina cookie, because cookies can bemanipulated easily. In this situation, it’snot going to be a problem as the user_id value isn’t actually used anywhere inthe site (it’s being stored in the cookiefor demonstration purposes).5. Redirect the user to another page:redirect_user('loggedin.php');Using the function defined earlier in thechapter, the user will be redirected toanother script upon a successful login.The specific page to be redirected to isloggedin.php.6. Complete the $check conditional(started in Step 4) and then closethe database connection:} else {$errors = $data;}mysqli_close($dbc);If $check has a FALSE value, then the$data variable is storing the errorsgenerated within the check_login( )function. If so, the errors should beassigned to the $errors variable,because that’s what the code in thescript that displays the login page—login_page.inc.php—is expecting.7. Complete the main submit conditionaland include the login page:}include ('includes/➝ login_page.inc.php');?>This login.php script itself primarilyperforms validation, by calling thecheck_login( ) function, and handlesthe cookies and redirection. The login_page.inc.php file contains the login pageitself, so it just needs to be included.continues on next pageCookies and Sessions 379

8. Save the file as login.php, place it inyour Web directory (in the same folderas the files from Chapter 9), and loadthis page in your Web browser (see Bunder “Making a Login Page”).If you want, you can submit the formerroneously, but you cannot correctlylog in yet, as the final destination—loggedin.php—hasn’t been written.Cookies are limited to about 4 KB of totaldata, and each Web browser can remember alimited number of cookies from any one site.This limit is 50 cookies for most of the currentWeb browsers (but if you’re sending out 50different cookies, you may want to rethinkhow you do things).The setcookie( ) function is one of thefew functions in PHP that could have differentresults in different browsers, since eachbrowser treats cookies in its own way. Be sureto test your Web sites in multiple browsers ondifferent platforms to ensure consistency.If the first two included files send anythingto the Web browser or even have blanklines or spaces after the closing PHP tag, you’llsee a headers already sent error. This is whyneither includes the terminating PHP tag.Accessing cookiesTo retrieve a value from a cookie, you onlyneed to refer to the $_COOKIE superglobal,using the appropriate cookie name asthe key (as you would with any array).For example, to retrieve the value of thecookie established with the linesetcookie ('username', 'Trout');you would refer to $_COOKIE['username'].In the following example, the cookies setby the login.php script will be accessedin two ways. First, a check will be madethat the user is logged in (otherwise, theyshouldn’t be accessing this page). Second,the user will be greeted by their first name,which was stored in a cookie.To access a cookie:1. Begin a new PHP document in your texteditor or IDE, to be named loggedin.php(Script 12.4):

Script 12.4 The loggedin.php script prints agreeting to a user thanks to a stored cookie.1

8. To see the cookies being set E and F,change the cookie settings for yourbrowser and test again.Some browsers (e.g., Internet Explorer)will not adhere to your cookie-promptingpreferences for cookies sent over localhost.A cookie is not accessible until the settingpage (e.g., login.php) has been reloadedor another page has been accessed (in otherwords, you cannot set and access a cookie inthe same page).If users decline a cookie or have theirWeb browser set not to accept them, theywill automatically be redirected to the homepage in this example, even if they successfullylogged in. For this reason, you may want to letthe user know that cookies are required.Setting cookie parametersAlthough passing just the name and valuearguments to the setcookie( ) function willsuffice, you ought to be aware of the otherarguments available. The function can takeup to five more parameters, each of whichwill alter the definition of the cookie.setcookie (name, value, expiration,➝ path, host, secure, httponly);The expiration argument is used to set adefinitive length of time for a cookie toexist, specified in seconds since the epoch(the epoch is midnight on January 1, 1970).If it is not set or if it’s set to a value of 0, thecookie will continue to be functional untilthe user closes their browser. These cookiesare said to last for the browser session(also indicated in E and F).To set a specific expiration time, add anumber of minutes or hours to the currentmoment, retrieved using the time( )function. The following line will set theexpiration time of the cookie to be 30minutes (60 seconds times 30 minutes)from the current moment:setcookie (name, value, time( )+1800);The path and host arguments are used tolimit a cookie to a specific folder within aWeb site (the path) or to a specific host (www.example.com or 192.168.0.1). For example,you could restrict a cookie to exist only whilea user is within the admin folder of a domain(and the admin folder’s subfolders):setcookie (name, value, expire,➝'/ad min/');Setting the path to / will make the cookievisible within an entire domain (Web site).Setting the domain to .example.com willmake the cookie visible within an entiredomain and every subdomain (www.example.com, admin.example.com,➝ pages.example.com, etc.).E The user_id cookie with a value of 1.F The first_name cookie with a value of Larry(yours will probably be different).382 Chapter 12

Script 12.5 The login.php script now uses everyargument the setcookie( ) function can take.1 The secure value dictates that a cookieshould only be sent over a secure HTTPSconnection. A 1 indicates that a secureconnection must be used, and a 0 saysthat a standard connection is fine.setcookie (name, value, expire,➝ path, host, 1);If your site is using a secure connection,you ought to restrict any cookies to HTTPSas well.Finally, added in PHP 5.2 is the httponlyargument. A Boolean value is used to makethe cookie only accessible through HTTP(and HTTPS). Enforcing this restriction willmake the cookie more secure (preventingsome hack attempts) but is not supportedby all browsers at the time of this writing.setcookie (name, value, expire,➝ path, host, secure, TRUE);As with all functions that take arguments,you must pass the setcookie( ) values inorder. To skip any parameter, use NULL, 0,or an empty string (don’t use FALSE). Theexpiration and secure values are bothintegers and are therefore not quoted.To demonstrate this information, let’s addan expiration setting to the login cookiesso that they last for only one hour.To set a cookie’s parameters:1. Open login.php in your text editor(refer to Script 12.3), if it is not already.2. Change the two setcookie( ) lines toinclude an expiration date that’s 60minutes away (Script 12.5):setcookie ('user_id', $data['user_➝ id'], time( )+3600, '/', '', 0, 0);setcookie ('first_name',➝ $data['first_name'],➝ time( )+3600, '/', '', 0, 0);continues on next pageCookies and Sessions 383

With the expiration date set to time( )+ 3600 (60 minutes times 60 seconds),the cookie will continue to exist foran hour after it is set. While makingthis change, every other parameter isexplicitly addressed.For the final parameter, which acceptsa Boolean value, you can also use 0 torepresent FALSE (PHP will handle theconversion for you). Doing so is a goodidea, as using false in any of the cookiearguments can cause problems.3. Save the script, place it in your Webdirectory, and test it in your Webbrowser by logging in G.Some browsers have difficulties withcookies that do not list every argument.Explicitly stating every parameter—even asan empty string—will achieve more reliableresults across all browsers.Here are some general guidelines forcookie expirations: If the cookie should lastas long as the user’s session, do not set anexpiration time; if the cookie should continueto exist after the user has closed andreopened his or her browser, set an expirationtime weeks or months ahead; and if the cookiecan constitute a security risk, set an expirationtime of an hour or fraction thereof so thatthe cookie does not continue to exist too longafter a user has left his or her browser.For security purposes, you could set a5- or 10-minute expiration time on a cookie andhave the cookie resent with every new pagethe user visits (assuming that the cookie exists).This way, the cookie will continue to persist aslong as the user is active but will automaticallydie 5 or 10 minutes after the user’s last action.E-commerce and other privacy-relatedWeb applications should use an SSL (SecureSockets Layer) connection for all transactions,including the cookie.Be careful with cookies created by scriptswithin a directory. If the path isn’t specified,then that cookie will only be available to otherscripts within that same directory.Deleting cookiesThe final thing to understand about usingcookies is how to delete one. While acookie will automatically expire whenthe user’s browser is closed or whenthe expiration date/time is met, oftenyou’ll want to manually delete the cookieinstead. For example, in Web sites thathave login capabilities, you will want todelete any cookies when the user logs out.Although the setcookie( ) function cantake up to seven arguments, only oneis actually required—the cookie name. Ifyou send a cookie that consists of a namewithout a value, it will have the same effectas deleting the existing cookie of the samename. For example, to create the cookiefirst_name, you use this line:setcookie('first_name', 'Tyler');To delete the first_name cookie, youwould code:setcookie('first_name');As an added precaution, you can also setan expiration date that’s in the past:setcookie('first_name', '',➝ time( )-3600);To demonstrate all of this, let’s add alogout capability to the site. The link tothe logout page appears on loggedin.php.G Changes to the setcookie( ) parameters, likean expiration date and time, will be reflected in thecookie sent to the Web browser (compare with F ).384 Chapter 12

As an added feature, the header file willbe altered so that a Logout link appearswhen the user is logged in and a Loginlink appears when the user is logged out.To delete a cookie:1. Begin a new PHP document in your texteditor or IDE, to be named logout.php(Script 12.6):

Thus, in short, the original first_namecookie data is available to this scriptwhen it first runs. The set of cookiessent by this page (the delete cookies)aren’t available to this page, so theoriginal values are still usable.5. Save the file as logout.php and placeit in your Web directory (in the samefolder as login.php).To create the logout link:1. Open header.html (refer to Script 9.1) inyour text editor or IDE.2. Change the fifth and final link to(Script 12.7):Instead of having a permanent login linkin the navigation area, it should display aLogin link if the user is not logged in H ora Logout link if the user is I. The precedingconditional will accomplish just that,depending upon the presence of a cookie.For that condition, if the cookie is set,the user is logged in and can be shownthe logout link. If the cookie is not set,the user should be shown the login link.There is one catch, however: Because thelogout.php script would ordinarily displaya logout link (because the cookie existswhen the page is first being viewed), theconditional has to also check that thecurrent page is not the logout.php script.An easy way to dynamically determine theScript 12.7 The header.html file now displayseither a Login or a Logout link, depending uponthe user’s current status.1 2 3

current page is to apply the basename( )function to $_SERVER['PHP_SELF'].3. Save the file, place it in your Web directory(within the includes folder), andtest the login/logout process in yourWeb browser J.To see the result of the setcookie( )calls in the logout.php script, turn on cookieprompting in your browser K.Due to a bug in how Internet Exploreron Windows handles cookies, you may needto set the host parameter to false (withoutquotes) in order to get the logout process towork when developing on your own computer(i.e., through localhost).When deleting a cookie, you shouldalways use the same parameters that set thecookie (aside from the value and expiration,naturally). If you set the host and path in thecreation cookie, use them again in the deletioncookie.To hammer the point home, rememberthat the deletion of a cookie does not takeeffect until the page has been reloaded oranother page has been accessed. In otherwords, the cookie will still be available toa page after that page has deleted it.H The homepage with aLogin link.I After theuser logs in, thepage now has aLogout link.J The result afterlogging out.K This is how thedeletion cookieappears in a Firefoxprompt (comparewith G ).Cookies and Sessions 387

using SessionsAnother method of making data availableto multiple pages of a Web site is to usesessions. The premise of a session is thatdata is stored on the server, not in theWeb browser, and a session identifier isused to locate a particular user’s record(the session data). This session identifier isnormally stored in the user’s Web browservia a cookie, but the sensitive data itself—like the user’s ID, name, and so on—alwaysremains on the server.The question may arise: why use sessionsat all when cookies work just fine? First ofall, sessions are likely more secure in thatall of the recorded information is storedon the server and not continually sentback and forth between the server and theclient. Second, you can store more data ina session. Third, some users reject cookiesor turn them off completely. Sessions,while designed to work with a cookie,can function without them, too.To demonstrate sessions—and to comparethem with cookies—let’s rewrite theprevious set of scripts.Setting session variablesThe most important rule with respect tosessions is that each page that will usethem must begin by calling the session_start( ) function. This function tells PHPto either begin a new session or access anexisting one. This function must be calledbefore anything is sent to the Web browser!The first time this function is used, session_start( ) will attempt to send a cookiewith a name of PHPSESSID (the defaultsession name) and a value of something likea61f8670baa8e90a30c878df89a2074b(32 hexadecimal letters, the session ID).Because of this attempt to send a cookie,session_start( ) must be called beforeany data is sent to the Web browser, as isthe case when using the setcookie( ) andheader( ) functions.Sessions vs. CookiesThis chapter has examples accomplishing the same tasks—logging in and logging out—using bothcookies and sessions. Obviously, both are easy to use in PHP, but the true question is when to useone or the other.Sessions have the following advantages over cookies:.They are generally more secure (because the data is being retained on the server)..They allow for more data to be stored..They can be used without cookies.Whereas cookies have the following advantages over sessions:.They are easier to program..They require less of the server..They can be made to last far longer.In general, to store and retrieve just a couple of small pieces of information, or to store informationfor a longer duration, use cookies. For most of your Web applications, though, you’ll use sessions.388 Chapter 12

Script 12.8 This version of the login.php scriptuses sessions instead of cookies.1 Once the session has been started, valuescan be registered to the session using thenormal array syntax, using the $_SESSIONsuperglobal:$_SESSION['key'] = value;$_SESSION['name'] = 'Roxanne';$_SESSION['id'] = 48;Let’s update the login.php script with thisin mind.To begin a session:1. Open login.php (refer to Script 12.5) inyour text editor or IDE.2. Replace the setcookie( ) lines (18–19)with these lines (Script 12.8):session_start( );$_SESSION['user_id'] =$data['user_id'];$_SESSION['first_name'] =$data['first_name'];The first step is to begin the session.Since there are no echo statements,inclusions of HTML files, or even blankspaces prior to this point in the script,it will be safe to use session_start( )at this point in the script (although thefunction call could be placed at the topof the script as well). Then, two keyvaluepairs are added to the $_SESSIONsuperglobal array to register the user’sfirst name and user ID to the session.continues on next pageCookies and Sessions 389

3. Save the page as login.php, place it inyour Web directory, and test it in yourWeb browser A.Although loggedin.php and the headerand script will need to be rewritten, youcan still test the login script and see theresulting cookie B. The loggedin.phppage should redirect you back to thehome page, though, as it’s still checkingfor the presence of a $_COOKIE variable.Because sessions will normally sendand read cookies, you should always try tobegin them as early in the script as possible.Doing so will help you avoid the problem ofattempting to send a cookie after the headers(HTML or white space) have already been sent.If you want, you can set session.auto_start in the php.ini file to 1, making it unnecessaryto use session_start( ) on eachpage. This does put a greater toll on the serverand, for that reason, shouldn’t be used withoutsome consideration of the circumstances.You can store arrays in sessions (making$_SESSION a multidimensional array), just asyou can store strings or numbers.Accessing session variablesOnce a session has been started andvariables have been registered to it, youcan create other scripts that will accessthose variables. To do so, each scriptmust first enable sessions, again usingsession_start( ).This function will give the current scriptaccess to the previously started session(if it can read the PHPSESSID value storedin the cookie) or create a new session ifit cannot. Understand that if the currentsession ID cannot be found and a newsession ID is generated, none of the datastored under the old session ID will beavailable. I mention this here and nowbecause if you’re having problems withsessions, checking the session ID value tosee if it changes from one page to the nextis the first debugging step.Assuming that there was no problemaccessing the current session, to then referto a session variable, use $_SESSION['var'],as you would refer to any other array.A The login form remains unchanged to theend user, but the underlying functionality nowuses sessions.B This cookie, created by PHP’s session_start( )function, stores the session ID in the user’s browser.390 Chapter 12

Script 12.9 The loggedin.php script is updatedso that it refers to $_SESSION and not $_COOKIE(changes are required on two lines).1

5. Replace the reference to $_COOKIEwith $_SESSION in header.html (fromScript 12.7 to Script 12.10):if (isset($_SESSION['user_id'])) {For the Login/Logout links to functionproperly (notice the incorrect link in C),the reference to the cookie variable withinthe header file must be switched over tosessions. The header file does not needto call the session_start( ) function, asit’ll be included by pages that do.Note that this conditional does not needto check if the current page is the logoutpage, as session data behaves differentlythan cookie data (I’ll explain this further inthe next section of the chapter).6. Save the header file, place it in yourWeb directory (in the includes folder),and test it in your browser D.For the Login/Logout links to work on theother pages (register.php, index.php, etc.),you’ll need to add the session_start( )command to each of those.As a reminder of what I already said, ifyou have an application where the sessiondata does not seem to be accessible from onepage to the next, it could be because a newsession is being created on each page. Tocheck for this, compare the session ID (the lastfew characters of the value will suffice) to seeif it is the same. You can see the session’s IDby viewing the session cookie as it is sent orby invoking the session_id( ) function:echo session_id( );Session variables are available assoon as you’ve established them. So, unlikewhen using cookies, you can assign a valueto $_SESSION['var'] and then refer to$_SESSION['var'] later in that same script.Script 12.10 The header.html file now alsoreferences $_SESSION instead of $_COOKIE.1 2 3

Script 12.11 Destroying a session, as you would ina logout page, requires special syntax to deletethe session cookie and the session data on theserver, as well as to clear out the $_SESSION array.1 Deleting session variablesWhen using sessions, you ought to createa method of deleting the session data.In the current example, this would benecessary when the user logs out.Whereas a cookie system only requires thatanother cookie be sent to destroy the existingcookie, sessions are slightly more demanding,since there are both the cookie on the clientand the data on the server to consider.To delete an individual session variable,you can use the unset( ) function (whichworks with any variable in PHP):unset($_SESSION['var']);But to delete every session variable, youshouldn’t use unset( ), instead, reset the$_SESSION array:$_SESSION = array( );Finally, to remove all of the session datafrom the server, call session_destroy( ):session_destroy( );Note that prior to using any of these methods,the page must begin with session_start( )so that the existing session is accessed. Let’supdate the logout.php script to clean out thesession data.To delete a session:1. Open logout.php (Script 12.6) in yourtext editor or IDE.2. Immediately after the opening PHP line,start the session (Script 12.11):session_start( );Anytime you are using sessions, you mustcall the session_start( ) function, preferablyat the very beginning of a page. Thisis true even if you are deleting a session.continues on next pageCookies and Sessions 393

3. Change the conditional so that it checksfor the presence of a session variable:if (!isset($_SESSION['user_id'])) {As with the logout.php script in thecookie examples, if the user is not currentlylogged in, they will be redirected.4. Replace the setcookie( ) lines (thatdelete the cookies) with:$_SESSION = array( );session_destroy( );setcookie ('PHPSESSID', '',➝ time( )-3600, '/', '', 0, 0);The first line here will reset the entire$_SESSION variable as a new array,erasing its existing values. The secondline removes the data from the server,and the third sends a cookie to delete theexisting session cookie in the browser.Garbage CollectionGarbage collection with respect to sessionsis the process of the server automaticallydeleting the session files (where theactual data is stored). Creating a logoutsystem that destroys a session is ideal, butthere’s no guarantee all users will formallylog out as they should. For this reason,PHP includes a cleanup process.Whenever the session_start( ) functionis called, PHP’s garbage collectionkicks in, checking the last modificationdate of each session (a session ismodified whenever variables are set orretrieved). Two settings dictate garbagecollection: session.gc_maxlifetime andsession.gc_probability. The first statesafter how many seconds of inactivitya session is considered idle and willtherefore be deleted. The second settingdetermines the probability that garbagecollection is performed, on a scale of1 to 100. With the default settings, eachcall to session_start( ) has a 1 percentchance of invoking garbage collection. IfPHP does start the cleanup, any sessionsthat have not been used in more than1,440 seconds will be deleted.You can change these settings using theini_set( ) function, although be carefulin doing so. Too frequent or too probablegarbage collection can bog down theserver and inadvertently end the sessionsof slower users.394 Chapter 12

5. Remove the reference to $_COOKIE inthe message:echo "Logged Out!You are now logged out!";Unlike when using the cookie version ofthe logout.php script, you cannot referto the user by their first name anymore,as all of that data has been deleted.6. Save the file as logout.php, place it inyour Web directory, and test it in yourbrowser E.The header.html file only needs tocheck if $_SESSION['user_id'] is set, and notif the page is the logout page, because by thetime the header file is included by logout.php, all of the session data will have alreadybeen destroyed. The destruction of sessiondata applies immediately, unlike with cookies.Never set $_SESSION equal to NULL andnever use unset($_SESSION). Either couldcause problems on some servers.In case it’s not absolutely clear what’sgoing on, there exists three kinds of informationwith a session: the session identifier(which is stored in a cookie by default), thesession data (which is stored in a text file onthe server), and the $_SESSION array (whichis how a script accesses the session data inthe text file). Just deleting the cookie doesn’tremove the data file and vice versa. Clearingout the $_SESSION array would erase thedata from the text file, but the file itself wouldstill exist, as would the cookie. The threesteps outlined in this logout script effectivelyremove all traces of the session.E The logout page (now featuring sessions).Cookies and Sessions 395

improving SessionSecurityBecause important information is normallystored in a session (you should neverstore sensitive data in a cookie), securitybecomes more of an issue. With sessionsthere are two things to pay attention to:the session ID, which is a reference pointto the session data, and the session dataitself, stored on the server. A maliciousperson is far more likely to hack into asession through the session ID than thedata on the server, so I’ll focus on that sideof things here (in the tips at the end of thissection I mention two ways to protect thesession data itself).The session ID is the key to the sessiondata. By default, PHP will store this in acookie, which is preferable from a securitystandpoint. It is possible in PHP to usesessions without cookies, but that leavesChanging the Session BehaviorAs part of PHP’s support for sessions, there are over 20 different configuration options you can setfor how PHP handles sessions. For the full list, see the PHP manual, but I’ll highlight a few of themost important ones here. Note two rules about changing the session settings:1. All changes must be made before calling session_start( ).2. The same changes must be made on every page that uses sessions.Most of the settings can be set within a PHP script using the ini_set( ) function (discussed inChapter 8):ini_set (parameter, new_setting);For example, to require the use of a session cookie (as mentioned, sessions can work withoutcookies but it’s less secure), useini_set ('session.use_only_cookies', 1);Another change you can make is to the name of the session (perhaps to use a more user-friendlyone). To do so, call the session_name( ) function:session_name('YourSession');The benefits of creating your own session name are twofold: it’s marginally more secure and it maybe better received by the end user (since the session name is the cookie name the end user willsee). The session_name( ) function can also be used when deleting the session cookie:setcookie (session_name( ), '', time( )-3600);If not provided with an argument, this function instead returns the current session name.Finally, there’s also the session_set_cookie_params( ) function. It’s used to tweak the settingsof the session cookie:session_set_cookie_params(expire, path, host, secure, httponly);Note that the expiration time of the cookie refers only to the longevity of the cookie in the Webbrowser, not to how long the session data will be stored on the server.396 Chapter 12

Script 12.12 This final version of the login.phpscript also stores an encrypted form of the user’sHTTP_USER_AGENT (the browser and operatingsystem of the client) in a session.1 the application vulnerable to sessionhijacking: If malicious user Alice can learnuser Bob’s session ID, Alice can easily tricka server into thinking that Bob’s sessionID is also Alice’s session ID. At that point,Alice would be riding coattails on Bob’ssession and would have access to Bob’sdata. Storing the session ID in a cookiemakes it somewhat harder to steal.One method of preventing hijacking is tostore some sort of user identifier in thesession, and then to repeatedly doublecheckthis value. The HTTP_USER_AGENT—a combination of the browser andoperating system being used—is a likelycandidate for this purpose. This adds a layerof security in that one person could onlyhijack another user’s session if they areboth running the exact same browser andoperating system. As a demonstration ofthis, let’s modify the examples one last time.To use sessions more securely:1. Open login.php (refer to Script 12.8) inyour text editor or IDE.2. After assigning the other sessionvariables, also store the HTTP_USER_AGENT value (Script 12.12):$_SESSION['agent'] =➝ md5($_SERVER['HTTP_USER_AGENT']);The HTTP_USER_AGENT is part of the$_SERVER array (you may recall usingit way back in Chapter 1, “Introductionto PHP”). It will have a value likeMozilla/4.0 (compatible; MSIE 8.0;Windows NT 6.1…).continues on next pageCookies and Sessions 397

Instead of storing this value in thesession as is, it’ll be run through themd5( ) function for added security.That function returns a 32-characterhexadecimal string (called a hash)based upon a value. In theory, no twostrings will have the same md5( ) result.3. Save the file and place it in yourWeb directory.4. Open loggedin.php (Script 12.9) in yourtext editor or IDE.5. Change the !isset($_SESSION['user_id']) conditional to (Script 12.13):if (!isset($_SESSION['agent']) OR➝ ($_SESSION['agent'] != md5($_SERVER➝ ['HTTP_USER_AGENT']) )) {This conditional checks two things.First, it sees if the $_SESSION['agent']variable is not set (this part is just as itwas before, although agent is beingused instead of user_id). The secondpart of the conditional checks if themd5( ) version of $_SERVER['HTTP_USER_AGENT'] does not equal the valuestored in $_SESSION['agent']. If eitherof these conditions is true, the user willbe redirected.6. Save this file, place in your Web directory,and test in your Web browser bylogging in.Script 12.13 This loggedin.php script now confirmsthat the user accessing this page has the sameHTTP_USER_AGENT as they did when theylogged in.1

preventing Session FixationAnother specific kind of session attackis known as session fixation. Thisapproach is the opposite of sessionhijacking. Instead of malicious userAlice finding and using Bob’s sessionID, she instead creates her own sessionID (perhaps by logging in legitimately),and then gets Bob to access the siteusing that session. The hope is that Bobwould then do something that wouldunknowingly benefit Alice.You can help protect against thesetypes of attacks by changing the sessionID after a user logs in. The session_regenerate_id( ) does just that, providinga new session ID to refer to thecurrent session data. You can use thisfunction on sites for which security isparamount (like e-commerce or onlinebanking) or in situations when it’d be particularlybad if certain users (i.e., administrators)had their sessions manipulated.For critical uses of sessions, requirethe use of cookies and transmit them over asecure connection, if at all possible. You caneven set PHP to only use cookies by settingsession.use_only_cookies to 1.By default, a server stores every sessionfile for every site within the same temporarydirectory, meaning any site could theoreticallyread any other site’s session data. If you areusing a server shared with other domains,changing the session.save_path from its defaultsetting will be more secure. For example, it’d bebetter if you stored your site’s session data in adedicated directory particular to your site.The session data itself can also be storedin a database rather than a text file. This is amore secure, but more programming-intensive,option. I teach how to do this in my book PHP 5Advanced: Visual QuickPro Guide.The user’s IP address (the networkaddress from which the user is connecting) isnot a good unique identifier, for two reasons.First, a user’s IP address can, and normallydoes, change frequently (ISPs dynamicallyassign them for short periods of time). Second,many users accessing a site from the samenetwork (like a home network or an office)could all have the same IP address.Cookies and Sessions 399

Review and pursueIf you have any problems with thereview questions or the pursue prompts,turn to the book’s supporting forum(www.LarryUllman.com/forums/).ReviewnnnnnnWhat code is used to redirect the user’sbrowser from one page to the next?What does the headers already senterror message mean?What value does $_SERVER['HTTP_HOST']store? What value does $_SERVER['PHP_SELF'] store?What does the dirname( ) function do?What does the rtrim( ) function do?What arguments can it take?How do you write a function that returnsmultiple values? How do you call such afunction?n What arguments can the setcookie( )function take?nnnnnnnnHow do you reference values previouslystored in a cookie?How do you delete an existing cookie?Are cookies available immediately afterbeing sent (on the same page)? Whycan you still refer to a cookie (on thesame page) after it is deleted?What debugging steps can you takewhen you have problems with cookies?What does the basename( ) function do?How do you begin a session?How do you reference values previouslystored in a session?Is session data available immediatelyafter being assigned (on the same page)?nnHow do you terminate a session?What debugging steps can you takewhen you have problems with sessions?pursuennnnnnnnnIf you have not already done so, learnhow to view cookie data in your Webbrowser. When developing sites thatuse cookies, enable the option so thatthe browser prompts you when cookiesare received.Make the login form sticky.Add code to the handling of the $errorsvariable on the login page that uses aforeach loop if $errors is an array, orjust prints the value of $errors otherwise.Modify the redirect_user( ) functionso that it can be used to redirect theuser to a page within another directory.Implement another cookie example,such as storing a user’s preference inthe cookie, then base a look or featureof a page upon the stored value (whenpresent).Change the code in logout.php (Script12.11) so that it uses the session_name( )function to dynamically set the namevalue of the session cookie being deleted.Implement another session example, ifyou’d like more practice with sessions(you’ll get more practice later in thebook, too).Check out the PHP manual pagesfor any new function introduced inthis chapter with which you’re notcomfortable.Check out the PHP manual pages oncookies and sessions (two separatesections) to learn more. Also read someof the user-submitted comments foradditional tips.400 Chapter 12

13SecurityMethodsThe security of your Web applications issuch an important topic that it really cannotbe overstressed. Although security-relatedissues have been mentioned throughoutthis book, this chapter will help to fill in certaingaps, finalize other points, and teachseveral new things.The topics discussed here include: preventingspam; typecasting variables; preventingcross-site scripting (XSS) and SQL injectionattacks; the new Filter extension; and validatinguploaded files by type. This chapterwill use five discrete examples to bestdemonstrate these concepts. Some othercommon security issues and best practiceswill be mentioned in sidebars as well.in This ChapterPreventing Spam 402Validating Data by Type 409Validating Files by Type 414Preventing XSS Attacks 418Using the Filter Extension 421Preventing SQL Injection Attacks 425Review and Pursue 432

preventing SpamSpam is nothing short of a plague, clutteringup the Internet and email inboxes.There are steps you can take to avoidreceiving spam at your email accounts,but in this book the focus is on preventingspam being sent through your PHP scripts.Chapter 11, “Web Application Development,”shows how easy it is to send email usingPHP’s mail( ) function. The example there,a contact form, took some information fromthe user A and sent it to an email address.Although it may seem like there’s no harmin this system, there’s actually a big securityhole. But first, some background on whatan email actually is.Regardless of how an email is sent, howit’s formatted, and what it looks like whenit’s received, an email contains two parts:a header and a body. The header includessuch information as the to and fromaddresses, the subject, the date, and moreB. Each item in the header is on its ownline, in the format Name: value. The bodyof the email is exactly what you think it is:the body of the email.A A simple, standard HTML contact form.B The raw source version of the email sent by the contact form A.402 Chapter 13

In looking at PHP’s mail( ) function—mail (to, subject, body [,headers]);—you can see that one of the argumentsgoes straight to the email’s body and therest appear in its header. To send spam toyour address (as in Chapter 11’s example),all a person would have to do is enter thespam message into the comments sectionof the form A. That’s bad enough, but tosend spam to anyone else at the sametime, all the user would have to do is addBcc: poorsap@example.org, followedby some sort of line terminator (like anewline or carriage return), to the email’sheader. With the example as is, this justmeans entering this into the from valueof the contact form: me@example.com\nBcc:poorsap@example.org.You might think that safeguarding everythingthat goes into an email’s headerwould be sufficiently safe, but as an emailis just one document, bad input in a bodycan impact the header, too.TABLe 13.1 Spam Tip-offsStringscontent-type:mime-version:multipart-mixed:content-transfer-encoding:bcc:cc:to:\r\n%0a%0dThere are a couple of preventive techniquesthat can be applied to this contact form.First, validate any email addresses usingregular expressions, covered in Chapter 13,“Perl-Compatible Regular Expressions,” orthe Filter extension, discussed in just a fewpages. Second, now that you know what anevildoer must enter to send spam (Table 13.1),watch for those characters and strings inform values. If a value contains anything fromthat list, don’t use that value in a sent email.(The last four values in Table 13.1 are all differentways of creating newlines.)In this next example, a modification of theemail script from Chapter 11, I’ll define afunction that scrubs all potentially dangerouscharacters from provided data. Two new PHPfunctions will be used as well: str_replace( )and array_map( ). Both will be explained indetail in the steps that follow.A Security ApproachThe most important concept tounderstand about security is that it’s nota binary state: don’t think of a Web siteor script as being either secure or notsecure. Security isn’t a switch that youturn on and off; it’s a scale that you canmove up and down. When you program,think about what you can do to makeyour site more secure and what you’vedone that makes it less secure. Also,keep in mind that improved securitynormally comes at a cost of convenience(both to you, the programmer, and to theend user) and performance. Increasedsecurity normally means more code, morechecks, and more required of the server.When developing Web applications, thegoal is to achieve a level of security that’sappropriate for the particular situation.And then err on the side of being a tadtoo secure, just to be prudent.Security Methods 403

To prevent spam:1. Open email.php (Script 11.1) in your texteditor or IDE.To complete this spam-purification, theemail script needs to be modified.2. After checking for the form submission,begin defining a function (Script 13.1):function spam_scrubber($value) {This function will take one argument:a string. Normally, I would definefunctions at the top of the script, orin a separate file, but to make thingssimpler, it’ll be defined within thesubmission-handling block of code.3. Create a list of really bad things thatwouldn’t be in a legitimate contactform submission:$very_bad = array('to:', 'cc:',➝'bcc:', 'content-type:',➝'mime-version:',➝'multipart-mixed:',➝'content-transfer-encoding:');Any of these strings should not bepresent in an honest contact formsubmission (it’s possible someonemight legitimately use to: in theircomments, but unlikely). If any of thesestrings are present, then this is a spamattempt. To make it easier to test forall these, they’re placed in an array,which will be looped through (Step 4).The comparison in Step 4 will be caseinsensitive,so each of the dangerousstrings is written in all lowercase letters.4. Loop through the array. If a very badthing is found, return an empty stringinstead:foreach ($very_bad as $v) {if (stripos($value, $v) != =➝ false) return '';}Script 13.1 This version of the script can nowsafely send emails without concern for spam.Any problematic characters will be caught bythe spam_scrubber( ) function.1 2 3 4 5 Contact Me6 7 8 Contact Me9

Script 13.1 continued31 // Replace any newline characterswith spaces:32 $value = str_replace(array( "\r","\n", "%0a", "%0d"), ' ', $value);3334 // Return the value:35 return trim($value);3637 } // End of spam_scrubber( )function.3839 // Clean the form data:40 $scrubbed = array_map('spam_scrubber', $_POST);4142 // Minimal form validation:43 if (!empty($scrubbed['name']) &&!empty($scrubbed['email']) &&!empty($scrubbed['comments']) ) {4445 // Create the body:46 $body = "Name: {$scrubbed['name']}\n\nComments:{$scrubbed['comments']}";4748 // Make it no longer than 70characters long:49 $body = wordwrap($body, 70);5051 // Send the email:52 mail('your_email@example.com','Contact Form Submission', $body,"From: {$scrubbed['email']}");5354 // Print a message:55 echo 'Thank you forcontacting me. I will reply someday.';5657 // Clear $_POST (so that the form'snot sticky):58 $_POST = array( );5960 } else {61 echo 'Please fill out theform completely.';62 }6364 } // End of main isset( ) IF.The foreach loop will access eachitem in the $very_bad array one at atime, assigning each item to $v. Withinthe loop, the stripos( ) functionwill check if the item is in the stringprovided to this function as $value. Thestripos( ) function performs a caseinsensitivesearch (so it would matchbcc:, Bcc:, bCC:, etc.). The functionreturns a Boolean TRUE if the needleis found in the haystack (e.g., lookingfor occurrences of $v in $value). Theconditional therefore says that if thatfunction’s results do not equal FALSE(i.e., $v was not found in $value), returnan empty string.Therefore, for each of the dangerouscharacter strings, the first time that anyof them is found in the submitted value,the function will return an empty stringand terminate (functions automaticallystop executing once they hit a return).5. Replace any newline characterswith spaces:$value = str_replace(array( "\r",➝ "\n", "%0a", "%0d"), ' ', $value);Newline characters, which arerepresented by \r, \n , %0a, and %0d,may or may not be problematic. Anewline character is required to sendspam (or else you can’t create theproper header) but will also appear ifa user just hits Enter or Return whiletyping in a textarea box. For this reason,any found newlines will just be replacedby a space. This means that thesubmitted value could lose some of itsformatting, but that’s a reasonable priceto pay to stop spam.continues on next pagecode continues on next pageSecurity Methods 405

The str_replace( ) function looksthrough the value in the third argumentand replaces any occurrences of thecharacters in the first argument with thecharacter or characters in the second.Or as the PHP manual puts it:mixed str_replace (mixed $search,➝ mixed $replace, mixed $subject)This function is very flexible in that itcan take strings or arrays for its threearguments (the mixed means it accepts amix of argument types). Hence, this line ofcode in the script assigns to the $valuevariable its original value, with any newlinecharacters replaced by a single space.There is a case-insensitive version ofthis function, but it’s not necessary here,as, for example, \r is a carriage returnbut \R is not.6. Return the value and complete thefunction:return trim($value);} // End of spam_scrubber( )➝ function.Finally, this function returns the value,trimmed of any leading and endingspaces. Keep in mind that the functionwill only get to this point if none of thevery bad things was found.7. After the function definition, invoke thespam_scrubber( ) function:$scrubbed = array_map➝ ('spam_scrubber', $_POST);This approach is beautiful in itssimplicity! The array_map( ) functionhas two required arguments. The firstis the name of the function to call.In this case, that’s spam_scrubber(without the parentheses, becauseyou’re providing the function’s name,not calling the function). The secondargument is an array.What array_map( ) does is apply thenamed function once for each arrayelement, sending each array element’svalue to that function call. In this script,$_POST has four elements—name,email, comments, and submit, meaningthat the spam_scrubber( ) functionwill be called four times, thanks toarray_map( ). After this line of code,the $scrubbed array will end up withfour elements: $scrubbed['name'] willScript 13.1 continued6566 // Create the HTML form:67 ?>68 Please fill out this form to contact me.69 70 Name:

C The presence of cc: in the email address fieldwill prevent this submission from being sent in anemail D.D The email was not sent because of the verybad characters used in the email address, whichgets turned into an empty string by the spamprevention function.have the value of $_POST['name'] afterrunning it through spam_scrubber( );$scrubbed['email'] will have the samevalue as $_POST['email'] after running itthrough spam_scrubber( ); and so forth.This one line of code then takes anentire array of potentially tainteddata ($_POST), cleans it using spam_scrubber( ), and assigns the result to anew variable. Here’s the most importantthing about this technique: from here onout, the script must use the $scrubbedarray, which is clean, not $_POST, whichis still potentially dirty.8. Change the form validation to use thisnew array:if (!empty($scrubbed['name']) &&➝ !empty($scrubbed['email']) &&➝ !empty($scrubbed['comments']) ) {Each of these elements could have anempty value for two reasons. First, if theuser left them empty. Second, if the userentered one of the bad strings in thefield C, which would be turned into anempty string by the spam_scrubber( )function D.9. Change the creation of the $body variableso that it uses the clean values:$body = "Name: {$scrubbed➝ ['name']}\n\nComments:➝ {$scrubbed['comments']}";10. Change the invocation of the mail( )function to use the clean email address:mail('your_email@example.com',➝'Contact Form Submission', $body,➝ "From: {$scrubbed['email']}");Remember to use your own emailaddress in the mail( ) call, or you’llnever get the message!continues on next pageSecurity Methods 407

11. Change the form so that it uses the$scrubbed version of the values:Name:

TABLe 13.2 Type Validation FunctionsFunctionis_array( )is_bool( )is_float( )is_int( )is_null( )is_numeric( )is_resource( )is_scalar( )is_string( )Checks ForArraysBooleans (TRUE, FALSE)Floating-point numbersIntegersNULLsNumeric values, even as astring (e.g., '20')Resources, like a databaseconnectionScalar (single-valued)variablesStringsValidating Databy TypeFor the most part, the form validationused in this book thus far has been ratherminimal, often just checking if a variablehas any value at all. In many situations, thisreally is the best you can do. For example,there’s no perfect test for what a validstreet address is or what a user mightenter into a comments field. Still, much ofthe data you’ll work with can be validatedin stricter ways. In the next chapter,the sophisticated concept of regularexpressions will demonstrate just that. Buthere I’ll cover the more approachable waysyou can validate some data by type.PHP supports many types of data: strings,numbers (integers and floats), arrays, andso on. For each of these, there’s a specificfunction that checks if a variable is of thattype (Table 13.2). You’ve already seen theis_numeric( ) function in action in earlierchapters, and is_array( ) is great forcontinues on next pageTwo Validation ApproachesA large part of security is based upon validation: if data comes from outside of the server—fromHTML forms, the URL, cookies, it can’t be trusted. (A higher level of security also validates anydata coming from outside of the script, including sessions and databases.) There are two typesof validation: whitelist and blacklist. In the calculator example, we know that all values must bepositive, that they must all be numbers, and that the quantity must be an integer (the other twonumbers could be integers or floats, it makes no difference). Typecasting forces the inputs to benumbers, and a check confirms that they are positive. At this point, the assumption is that the inputis valid. This is a whitelist approach: these values are good; anything else is bad.The preventing spam example uses a blacklist approach. That script knows exactly which charactersare bad and invalidates input that contains them. All other input is considered to be good.Many security experts prefer the whitelist approach, but it can’t always be used. Each example willdictate which approach will work best, but it’s important to use one or the other. Don’t just assumethat data is safe without some sort of validation.Security Methods 409

confirming a variable is acceptable to usein a foreach loop. Each function returnsTRUE if the submitted variable is of acertain type and FALSE otherwise.In PHP, you can even change a variable’stype, after it’s been assigned a value. Doingso is called typecasting and is accomplishedby preceding a variable’s name by thedestination type in parentheses:$var = 20.2;echo (int) $var; // 20Depending upon the original and destinationtypes, PHP will convert the variable’svalue accordingly:$var = 20;echo (float) $var; // 20.0With numeric values, the conversion isstraightforward, but with other variabletypes, more complex rules apply:$var = 'trout';echo (int) $var; // 0In most circumstances you don’t need tocast a variable from one type to another,as PHP will often automatically do so asneeded. But forcibly casting a variable’stype can be a good security measurein your Web applications. To show howyou might use this notion, let’s create acalculator script for determining the totalpurchase price of an item A.To use typecasting:1. Begin a new PHP document in yourtext editor or IDE, to be namedcalculator.php (Script 13.2):A The HTML form takes three inputs:a quantity, a price, and a tax rate.Script 13.2 By typecasting variables, this scriptmore definitively validates that data is of thecorrect format.1 2 3 4 5 Widget Cost Calculator6 7 8

Script 13.2 continued2122 // Calculate the total:23 $total = $quantity * $price;24 $total += $total * ($tax/100);2526 // Print the result:27 echo 'The total cost of purchasing' . $quantity . ' widget(s) at $' .number_format ($price, 2) . ' each,plus tax, is $' . number_format($total, 2) . '.';2829 } else { // Invalid submitted values.30 echo 'Please enter a validquantity, price, and tax rate.';31 }3233 } // End of main isset( ) IF.3435 // Leave the PHP section and create theHTML form.36 ?>37 Widget Cost Calculator38 39 Quantity:

5. Calculate and print the results:$total = $quantity * $price;$total += $total * ($tax/100);echo 'The total cost of➝ purchasing ' . $quantity . '➝ widget(s) at $' . number_format➝ ($price, 2) . ' each, plus tax,➝ is $' . number_format➝ ($total, 2) . '.';To calculate the total, first the quantityis multiplied by the price. To apply thetax to the total, the value of the totaltimes the tax divided by 100 (e.g., 6.5%becomes .065) is then added, using theaddition assignment shortcut operator.The number_format( ) function is usedto print both the price and total valuesin the proper format B.6. Complete the conditionals:} else {echo 'Please➝ enter a valid quantity,➝ price, and tax rate.';}} // End of main isset( ) IF.A little CSS is used to create a bold,red error message, should there bea problem C.7. Begin the HTML form:?>Widget Cost CalculatorQuantity:

entered. By referring to $quantity etc.instead of $_POST['quantity'] etc., theform will reflect the value for each inputas it was typecast.8. Complete the HTML form:Price:

Validating Filesby TypeChapter 11 includes an example of handlingfile uploads in PHP. As uploading filesallows users to place a more potent typeof content on your server (compared withjust the text sent via a form), one cannotbe too mindful of security when it comes tohandling them. In that particular example,the uploaded file was validated bychecking its MIME type. Specifically, with anuploaded file, $_FILES['upload']['type']refers to the MIME type provided by theuploading browser. This is a good start, butit’s easy for a malicious user to trick thebrowser into providing a false MIME type. Amore reliable way of confirming a file’s typeis to use the Fileinfo extension.Added in PHP 5.3, the Fileinfo extensiondetermines a file’s type (and encoding)by hunting for “magic bytes” or “magicnumbers” within the file. For example,the data that makes up a GIF image mustbegin with the ASCII code that representseither GIF89a or GIF87a; the data thatmakes up a PDF file starts with %PDF.To use Fileinfo, start by creating a Fileinforesource:$fileinfo = finfo_open(kind);The kind value will be one of severalconstants, indicating the type of resourceyou want to create. To determine a file’stype, the constant is FILEINFO_MIME_TYPE:$fileinfo = finfo_open➝ (FILEINFO_MIME_TYPE);Next, call the finfo_file( ) function,providing the Fileinfo resource and areference to the file you want to examine:finfo_file($fileinfo, $filename);This function returns the file’s MIME type(given the already created resource), basedupon the file’s actual magic bytes.Finally, once you’re done, you should closethe Fileinfo resource:finfo_close($fileinfo);This next script will use this information toconfirm that an uploaded file is an RTF (RichText Format). Note that you’ll only be able totest this example if you are using version 5.3of PHP or later A. If you are using an earlierversion, you’ll need to install the Fileinfoextension through PECL (PHP ExtensionCommunity Library, http://pecl.php.net).On Windows, if you are using PHP 5.3 orlater, the Fileinfo DLL file should be includedwith your installation, but you may need toenable it in your php.ini configuration file(download Appendix A, “Installation” frompeachpit.com).A If your PHP installation does not support theFileinfo extension, you’ll see an error messagelike this one.414 Chapter 13

Script 13.3 Using the Fileinfo extension, thisscript does a good job of confirming an uploadedfile’s type.1 2 3 4 5 Upload a RTF Document6 7 8

4. Create the Fileinfo resource:$fileinfo = finfo_open➝ (FILEINFO_MIME_TYPE);This line, as already explained, createsa Fileinfo resource whose specificpurpose is to retrieve a file’s MIME type.5. Check the file’s type:if (finfo_file($fileinfo,➝ $_FILES['upload']['tmp_name']) = =➝'text/rtf') {echo 'The file would be➝ acceptable!';If the finfo_file( ) function returnsa value of text/rtf for the uploaded file,then the file has the proper type for thepurposes of this script. In that case,a message is printed B.6. Delete the uploaded file:unlink($_FILES['upload']➝ ['tmp_name']);In a real-world example, the scriptwould now move the file over to its finaldestination on the server. As this script issimply for the purpose of validating a file’stype, the file can be removed instead.7. Complete the type conditional:} else { // Invalid type.echo 'Please➝ upload an RTF document.';}Script 13.3 continued33 // Close the resource:34 finfo_close($fileinfo);3536 } // End of isset($_FILES['upload'])IF.3738 // Add file upload error handling, ifdesired.3940 } // End of the submitted conditional.41 ?>4243 44 45 Select an RTFdocument of 512KB or smaller to beuploaded:46 File: 47 48 49 50 51 B If the selected and uploaded document has avalid RTF MIME type, the user will see this result.416 Chapter 13

If the uploaded file’s MIME type is nottext/rtf, the script will print an errormessage C.8. Close the Fileinfo resource:finfo_close($fileinfo);The final step is to close the open Fileinforesource, once it’s no longer needed.9. Complete the remaining conditionals:} // End of isset($_FILES➝ ['upload']) IF.} // End of the submitted➝ conditional.?>You could also add debugging information,such as the related uploaded errormessage, if an error occurs.10. Create the form:Select an RTF➝ document of 512KB or smaller➝ to be uploaded:File: The form uses the proper enctype attribute,has a MAX_FILE_SIZE recommendationin a hidden form input, and uses afile input type: the three requirements foraccepting file uploads. That’s all there isto this example (as in B and C).11. Complete the page:12. Save the file as upload_rtf.php, placeit in your Web directory, and test it inyour Web browser.The same Fileinfo resource can be appliedto multiple files. Just close the resource afterthe script is done with the resource.C Uploaded files without the proper MIME typeare rejected.Security Methods 417

preventing xSS AttacksHTML is simply plain text, like , which isgiven special meaning by Web browsers(as by making text bold). Because of thisfact, your Web-site’s user could easilyput HTML in their form data, like in thecomments field in the email example.What’s wrong with that, you might ask?Many dynamically driven Web applicationstake the information submitted by a user,store it in a database, and then redisplaythat information on another page. Think ofa forum, as just one example. At the veryleast, if a user enters HTML code in theirdata, such code could throw off the layoutand aesthetic of your site. Taking this a stepfurther, JavaScript is also just plain text,but text that has special meaning—executablemeaning—within a Web browser. Ifmalicious code entered into a form werere-displayed in a Web browser A, it couldcreate pop-up windows B, steal cookies,or redirect the browser to other sites. Suchattacks are referred to as cross-site scripting(XSS). As in the email example, whereyou need to look for and nullify bad stringsfound in data, prevention of XSS attacks isaccomplished by addressing any potentiallydangerous PHP, HTML, or JavaScript.PHP includes a handful of functions forhandling HTML and other code foundwithin strings. These include:nnnhtmlspecialchars( ), which turns&, ‘, “, into an HTML entityformat (&amp;, &quot;, etc.)htmlentities( ), which turns allapplicable characters into their HTMLentity formatstrip_tags( ), which removes all HTMLand PHP tagsThese three functions are roughly listed inorder from least disruptive to most. WhichA The malicious and savvy user can enter HTML,CSS, and JavaScript into textual form fields.B The JavaScriptentered into thecomments field Awould create thisalert window whenthe comments weredisplayed in theWeb browser.C Thanks to the htmlentities( ) and strip_tags( ) functions, malicious code entered into aform field A can be rendered inert.418 Chapter 13

Script 13.4 Applying the htmlentities( ) andstrip_tags( ) functions to submitted text canprevent XSS attacks.1 2 3 4 5 XSS Attacks6 7 8 20 21 Do your worst! 22 23 24 25 function you’ll want to use depends uponthe application at hand. To demonstratehow these functions work and differ,let’s just create a simple PHP page thattakes some text and runs it through thesefunctions, printing the results C.To prevent xSS attacks:1. Begin a new PHP document in yourtext editor or IDE, to be named xss.php(Script 13.4):XSS Attacks

To keep submitted information frommessing up a page or hacking theWeb browser, it’s run through thehtmlentities( ) function. With thisfunction, any HTML entity will betranslated; for instance, < and > willbecome &lt; and &gt; respectively.4. Apply the strip_tags( ) function,printing the results:echo 'After strip_tags( )➝ ' . strip_tags($_POST➝ ['data']). '';The strip_tags( ) function completelytakes out any HTML, JavaScript, or PHPtags. It’s therefore the most foolprooffunction to use on submitted data.5. Complete the PHP section:}?>6. Display the HTML form:Do your worst! The form A has only one field for theuser to complete: a textarea.7. Complete the page:8. Save the page as xss.php, place it inyour Web directory, and test it in yourWeb browser.9. View the source code of the page tosee the full effect of these functions D.Both htmlspecialchars( ) andhtmlentities( ) take an optional parameterindicating how quotation marks should behandled. See the PHP manual for specifics.The strip_tags( ) function takesan optional parameter indicating what tagsshould not be stripped.$var = strip_tags ($var, '');The strip_tags( ) function will removeeven invalid HTML tags, which may causeproblems. For example, strip_tags( ) willyank out all of the code it thinks is an HTMLtag, even if it’s improperly formed, like

using the FilterextensionEarlier, this chapter introduced the conceptof typecasting, which is a good way to forcea variable to be of the right type. In the nextchapter, you’ll learn about regular expressions,which can validate both the type ofdata and its specific contents or format.Introduced in PHP 5.2 is the Filter extension(www.php.net/filter), an important tool thatbridges the gap between the relatively simpleapproach of typecasting and the morecomplex concept of regular expressions.The Filter extension can be used for one oftwo purposes: validating data or sanitizingit. A validation process, as you know well bynow, confirms that data matches expectations.Sanitization, by comparison, alters databy removing inappropriate characters inorder to make the data meet expectations.The most important function in the Filterextension is filter_var( ):filter_var(variable, filter➝ [,options]);The function’s first argument is the variableto be filtered; the second is the filter toapply; and, the optional third argument isfor adding additional criteria. Table 13.3lists the validation filters, each of which isrepresented as a constant.For example, to confirm that a variable hasa decimal value, you would use:if (filter_var($var, FILTER_VALIDATE_➝ FLOAT)) {A couple of filters take an optionalparameter, the most common being theFILTER_VALIDATE_INT filter, which hasmin_range and max_range optionsfor controlling the smallest and largestacceptable values. For example, this nextbit of code confirms that the $age variableis an integer between 1 and 120 (inclusive):if (filter_var($var, FILTER_VALIDATE_➝ INT, array('min_range' => 1,➝'max_range' => 120))) {To sanitize data, you’ll still use thefilter_var( ) function, but use one of thesanitation filters as listed in Table 13.4.continues on next pageTABLe 13.3 Validation FiltersConstantFILTER_VALIDATE_BOOLEANFILTER_VALIDATE_EMAILFILTER_VALIDATE_FLOATFILTER_VALIDATE_INTFILTER_VALIDATE_IPFILTER_VALIDATE_REGEXPFILTER_VALIDATE_URLTABLe 13.4 Sanitization FiltersConstantFILTER_SANITIZE_EMAILFILTER_SANITIZE_ENCODEDFILTER_SANITIZE_MAGIC_QUOTESFILTER_SANITIZE_NUMBER_FLOATFILTER_SANITIZE_NUMBER_INTFILTER_SANITIZE_SPECIAL_CHARSFILTER_SANITIZE_STRINGFILTER_SANITIZE_STRIPPEDFILTER_SANITIZE_URLFILTER_UNSAFE_RAWSecurity Methods 421

Many of the filters duplicate otherPHP functions. For example, FILTER_SANITIZE_MAGIC_QUOTES is the sameas applying addslashes( ); FILTER_SANITIZE_SPECIAL_CHARS can be usedin lieu of htmlspecialchars( ), andFILTER_SANITIZE_STRING( ) can be usedas a replacement for strip_tags( ). ThePHP manual lists several additional flags,as constants, that can be used as theoptional third argument to affect how eachfilter behaves. As an example of applyinga sanitizing filter, this code is equivalentto how strip_tags( ) is used in xss.php(Script 13.4):echo 'After strip_tags( )➝ ' . filter_var($_POST['data'],➝ FILTER_SANITIZE_STRING) . '';If you get hooked on using the Filterextension, you may appreciate theconsistency of being able to use it for alldata sanitization, even when functionssuch as strip_tags( ) exist.To practice this, the next example willupdate calculator.php (Script 13.2) sothat it sanitizes all of the incoming data.Remember that you need PHP 5.2 or laterto use the Filter extension. If you’re usingan earlier version of PHP, you can installthe Filter extension using PECL.To use the Filter extension:1. Open calculator.php (Script 13.2) inyour text editor or IDE.2. Change the assignment of the$quantity variable to (Script 13.5):$quantity = (isset($_POST➝ ['quantity'])) ? filter_var➝ ($_POST['quantity'], FILTER_➝ VALIDATE_INT, array('min_range'➝ => 1)) : NULL;Script 13.5 Using the Filter extension, this scriptsanitizes incoming data rather than typecasting it,as in the earlier version of the script.1 2 3 4 5 Widget Cost Calculator6 7 8

Script 13.5 continued29 } else { // Invalid submitted values.30 echo 'Please enter a validquantity, price, and tax rate.';31 }3233 } // End of main isset( ) IF.3435 // Leave the PHP section and create theHTML form.36 ?>37 Widget Cost Calculator38 39 Quantity:

4. Change the assignment of the $taxvariable to:$tax = (isset($_POST['tax'])) ?➝ filter_var($_POST['tax'],➝ FILTER_SANITIZE_NUMBER_FLOAT,➝ FILTER_FLAG_ALLOW_FRACTION) :➝ NULL;This is a repetition of the code in Step 3.5. Save the page, place it in your Webdirectory, and test it in your Webbrowser A and B.A Invalid values in submittedform data…The filter_has_var( ) functionconfirms if a variable with a given name exists.The filter_input_array( ) functionallows you to apply an array of filters to an arrayof variables in one step. For details (and perhapsto be blown away), see the PHP manual.B …will be nullified by the Filter extension (asopposed to typecasting, which, for example,converted the string cat to the number 0).424 Chapter 13

preventing SQLinjection AttacksAnother type of attack that malicious userscan attempt is SQL injection attacks. Asthe name implies, these are endeavors toinsert bad code into a site’s SQL queries.One aim of such attacks is that they wouldcreate a syntactically invalid query, therebyrevealing something about the script ordatabase in the resulting error messageA. An even bigger aspiration is that theinjection attack could alter, destroy, orexpose the stored data.Fortunately, SQL injection attacks arerather easy to prevent. Start by validatingall data to be used in queries (and performtypecasting, or apply the Filter extension,whenever possible). Second, use a functionlike mysqli_real_escape_string( ),which makes data safe to use in queries.This function was introduced in Chapter 9,“Using PHP and MySQL.” Third, don’t showdetailed errors on live sites.An alternative to using mysqli_real_escape_string( ) is to use preparedstatements. Prepared statements wereadded to MySQL in version 4.1, and PHPcontinues on next pageA If a site reveals a detailed error message and doesn’t properly handle problematic characters in submittedvalues, hackers can learn a lot about your server.prepared Statement performancePrepared statements can be more secure than running queries in the old-fashioned way, but theymay also be faster. If a PHP script sends the same query to MySQL multiple times, using differentvalues each time, prepared statements can really speed things up. In such cases, the query itselfis only sent to MySQL and parsed once. Then, the values are sent to MySQL separately.As a trivial example, the following code would run 100 queries in MySQL:$q = 'INSERT INTO counter (num) VALUES (?)';$stmt = mysqli_prepare($dbc, $q);mysqli_stmt_bind_param($stmt, 'i', $n);for ($n = 1; $n

can use them as of version 5 (thanks tothe Improved MySQL extension). When notusing prepared statements, the entire query,including the SQL syntax and the specificvalues, is sent to MySQL as one long string.MySQL then parses and executes it. With aprepared query, the SQL syntax is sent toMySQL first, where it is parsed, making sureit’s syntactically valid (e.g., confirming thatthe query does not refer to tables or columnsthat don’t exist). Then the specific valuesare sent separately; MySQL assemblesthe query using those values, then executesit. The benefits of prepared statements areimportant: greater security and potentiallybetter performance. I’ll focus on the securityaspect here, but see the sidebar for a discussionof performance.Prepared statements can be created outof any INSERT, UPDATE, DELETE, or SELECTquery. Begin by defining your query,marking placeholders using questionmarks. As an example, take the SELECTquery from edit_user.php (Script 10.3):$q = "SELECT first_name, last_name,➝ email FROM users WHERE user_id=$id";As a prepared statement, this query becomes$q = "SELECT first_name, last_name,➝ email FROM users WHERE user_id=?";Next, prepare the statement in MySQL,assigning the results to a PHP variable:$stmt = mysqli_prepare($dbc, $q);At this point, MySQL will parse the query,but it won’t execute it.Next, you bind PHP variables to the query’splaceholders. In other words, you statethat one variable should be used for thefirst question mark, another variable for thenext question mark, and so on. Continuingwith the same example, you would codemysqli_stmt_bind_param($stmt, 'i', $id);The i part of the command indicates whatkind of value should be expected, usingthe characters listed in Table 13.5. In thiscase, the query expects to receive oneinteger. As another example, here’s howthe login query from Chapter 12, “Cookiesand Sessions,” would be handled:$q = "SELECT user_id, first_name➝ FROM users WHERE email=? AND➝ pass=SHA1(?)";$stmt = mysqli_prepare($dbc, $q);mysqli_stmt_bind_param($stmt, 'ss',➝ $e, $p);In this example, something interesting isalso revealed: even though both the emailaddress and password values are strings,they are not placed within quotes in thequery. This is another difference between aprepared statement and a standard query.Once the statement has been bound, youcan assign values to the PHP variables (if thathasn’t happened already) and then executethe statement. Using the login example,that’d be:$e = 'email@example.com';$p = 'mypass';mysqli_stmt_execute($stmt);The values of $e and $p will be used whenthe prepared statement is executed.To see this process in action, let’s write ascript that adds a post to the messages tablein the forum database (created in Chapter 6,“Database Design”). I’ll also use the opportunityto demonstrate a couple of the otherprepared statement-related functions.TABLe 13.5 Bound Value TypesLetterdibsRepresentsDecimalIntegerBlob (binary data)All other types426 Chapter 13

Script 13.6 This script, which represents asimplified version of a message posting page,uses prepared statements as a way of preventingSQL injection attacks.1 2 3 4 5 Post a Message6 7 8 Post a Message

3. Define and prepare the query:$q = 'INSERT INTO messages➝ (forum_id, parent_id, user_id,➝ subject, body, date_entered)➝ VALUES (?, ?, ?, ?, ?, NOW( ))';$stmt = mysqli_prepare($dbc, $q);This syntax has already been explained.The query is defined, using placeholdersfor values to be assigned later. Then themysqli_prepare( ) function sends thisto MySQL, assigning the result to $stmt.The query itself was first used in Chapter6. It populates six fields in the messagestable. The value for the date_enteredcolumn will be the result of the NOW( )function, not a bound value.4. Bind the appropriate variables andcreate a list of values to be inserted:mysqli_stmt_bind_param($stmt,➝'iiiss', $forum_id, $parent_id,➝ $user_id, $subject, $body);$forum_id = (int)➝ $_POST['forum_id'];$parent_id = (int)➝ $_POST['parent_id'];$user_id = 3;$subject = strip_tags($_POST➝ ['subject']);$body = strip_tags($_POST['body']);The first line says that three integersand two strings will be used in theprepared statement. The values will befound in the variables to follow.For those variables, the subject andbody values come straight from theform B, after running them throughstrip_tags( ) to remove any potentiallydangerous code. The forum ID andparent ID (which indicates if the messageis a reply to an existing message or not)also come from the form. They’ll betypecast to integers (for added security,you would confirm that they’re positiveScript 13.6 continued36 // Print a message based upon the result:37 if (mysqli_stmt_affected_rows($stmt)= = 1) {38 echo 'Your message has beenposted.';39 } else {40 echo 'Your message couldnot be posted.';41 echo '' . mysqli_stmt_error($stmt) . '';42 }4344 // Close the statement:45 mysqli_stmt_close($stmt);4647 // Close the connection:48 mysqli_close($dbc);4950 } // End of submission IF.5152 // Display the form:53 ?>54 5556 Post a message:5758 Subject: 5960 Body: 6162 63 64 65 6667 68 69 428 Chapter 13

numbers after typecasting them, or youcould use the Filter extension).The user ID value, in a real script, wouldcome from the session, where it wouldbe stored when the user logged in.5. Execute the query:mysqli_stmt_execute($stmt);Finally, the prepared statementis executed.6. Print the results of the execution andcomplete the loop:if (mysqli_stmt_affected_rows➝ ($stmt) = = 1) {echo 'Your message has been➝ posted.';} else {echo 'Your message➝ could not be posted.';echo '' . mysqli_stmt_error➝ ($stmt) . '';}The successful insertion of arecord can be confirmed using themysqli_stmt_affected_rows( ) function,which works as you expect it would(returning the number of affected rows). Inthat case, a simple message is printed C.If a problem occurred, the mysqli_stmt_error( ) function returns the specificMySQL error message. This is for yourdebugging purposes, not to be used in alive site. That being said, often the PHPerror message is more useful than thatreturned by mysqli_stmt_error( ) D.7. Close the statement and the databaseconnection:mysqli_stmt_close($stmt);mysqli_close($dbc);The first function closes the preparedstatement, freeing up the resources.At this point, $stmt no longer has avalue. The second function closes thedatabase connection.8. Complete the PHP section:} // End of submission IF.?>continues on next pageB The simple HTML form.C If one record in the database was affected bythe query, this will be the result.D Error reporting withprepared statementscan be confoundingsometimes!Security Methods 429

9. Begin the form:Post a➝ message:Subject: Body: The form begins with just a subjecttext input and a textarea for themessage’s body.More Security RecommendationsThis chapter covers many specific techniques for improving your Web security. Here are a handfulof other recommendations:.Do your best to limit what information is requested from the user, and what the site stores. The lessinformation handled by the site in any way means there’s less data to worry about being stolen..Make it your job to study, follow, and abide by security recommendations. Don’t just rely uponthe advice of one chapter, one book, or one author..Don’t retain user-supplied names for uploaded files. You’ll see an alternative solution inChapter 19, “Example—E-Commerce.”.Watch how database references are used. For example, if a person’s user ID is their primarykey from the database and this is stored in a cookie (as in Chapter 12), a malicious user justneeds to change that cookie value to access another user’s account..Don’t show detailed error messages (this point was repeated in Chapter 8, “Error Handlingand Debugging”)..Use cryptography (this is discussed in Chapter 7, “Advanced SQL and MySQL,” with respect tothe database, and in my book PHP 5 Advanced: Visual QuickPro Guide (Peachpit Press, 2007)with respect to the server)..Don’t store credit card numbers, social security numbers, banking information, and the like. Theonly exception to this would be if you have deep enough pockets to pay for the best security andto cover the lawsuits that arise when this data is stolen from your site (which will inevitably happen)..Use SSL, when appropriate. A secure connection is one of the best protections a server canoffer a user..Reliably and consistently protect every page and directory that needs it. Never assume thatpeople won’t find sensitive areas just because there’s no link to them. If access to a page ordirectory should be limited, make sure it is.My final recommendation is to be aware of your own limitations. As the programmer, you probablyapproach a script thinking how it should be used. This is not the same as to how it will be used,either accidentally or on purpose. Try to break your site to see what happens. Do bad things, dothe wrong thing. Have other people try to break it, too (it’s normally easy to find such volunteers).When you code, if you assume that no one will ever use a page properly, it’ll be much more securethan if you assume people always will.430 Chapter 13

10. Complete the form:The form contains two fields the userwould fill out and two hidden inputsthat store values the query needs. In areal version of this script, the forum_idand parent_id values would bedetermined dynamically.11. Complete the page:12. Save the file as post_message.php,place it in your Web directory, and testit in your Web browser E.There are two kinds of prepared statements.Here I have demonstrated bound parameters,where PHP variables are bound to a query.The other type is bound results, where theresults of a query are bound to PHP variables.E Selecting the most recent entry inthe messages table confirms that theprepared statement (Script 13.6) worked.Notice that the HTML was stripped out ofthe post but the quotes are still present.preventing Brute Force AttacksA brute force attack is an attempt to log in to a secure system by making lots of attempts in thehopes of eventual success. It’s not a sophisticated type of attack, hence the name “brute force.”For example, if you have a login process that requires a username and password, there is a limitas to the possible number of username/password combinations. That limit may be in the billionsor trillions, but still, it’s a finite number. Using algorithms and automated processes, a brute forceattack repeatedly tries combinations until they succeed.The best way to prevent brute force attacks from succeeding is requiring users to register with good,hard-to-guess passwords: containing letters, numbers, and punctuation; both upper and lowercase;words not in the dictionary; at least eight characters long, etc. Also, don’t give indications as to why alogin failed: saying that a username and password combination isn’t correct gives away nothing, butsaying that a username isn’t right or that the password isn’t right for that username says too much.To stop a brute force attack in its tracks, you could also limit the number of incorrect login attemptsby a given IP address. IP addresses do change frequently, but in a brute force attack, the same IPaddress would be trying to log in multiple times in a matter of minutes. You would have to trackincorrect logins by IP address, and then, after X number of invalid attempts, block that IP addressfor 24 hours (or something). Or, if you didn’t want to go that far, you could use an “incrementaldelay” defense: each incorrect login from the same IP address creates an added delay in theresponse (use PHP’s sleep( ) function to create the delay). Humans might not notice or be botheredby such delays, but automated attacks most certainly would.Security Methods 431

Review and pursueIf you have any problems with thereview questions or the pursue prompts,turn to the book’s supporting forum(www.LarryUllman.com/forums/).ReviewnnnnnnnWhat are some of the inappropriatestrings and characters that could beindicators of potential spam attempts?What does the stripos( ) function do?What is its syntax?What does the str_replace( ) functiondo? What is its syntax?What does the array_map( ) functiondo? What is its syntax?What is typecasting? How do you typecasta variable in PHP?What function is used to move anuploaded file to its final destination onthe server?What is the Fileinfo extension? How isit used?n What does the htmlspecialchars( )function do?n What does the htmlentities( )function do?nnnnnWhat does the strip_tags( ) function do?What function converts newline charactersinto HTML break tags?What is the most important function inthe Filter extension? How is it used?What are prepared statements? Whatbenefits might prepared statementshave over the standard method of queryinga database?What is the syntax for using preparedstatements?pursuennIf you haven’t applied the Filter function,for email validation, and the spam_scrubber( ) function to a contact formused on one of your sites, do so now!Change calculator.php to allow for notax rate.n Update calculator.php, from Chapter 3,“Creating Dynamic Web Sites,” so that italso uses typecasting or the Filter extension.(As a reminder, that calculator determinedthe cost of a car trip, based uponthe distance, average miles per gallon,and average price paid per gallon.)nnnnnnModify upload_rtf.php so that itreports the actual MIME type for theuploaded file, should it not be text/rtf.Create a PHP script that reports theMIME type of any uploaded file.Apply the strip_tags( ) function toa previous script in the book, such asthe registration example, to preventinappropriate code from being storedin the database.Apply the Filter function to the loginprocess in Chapter 12 to guarantee thatthe submitted email address meets theemail address format, prior to using it ina query.Apply the Filter function, or typecasting,to the delete_user.php and edit_user.php scripts from Chapter 10.Apply the Fileinfo extension to theshow_image.php script from Chapter 11.432 Chapter 13

14Perl-CompatibleRegular ExpressionsRegular expressions are an amazinglypowerful (but tedious) tool available inmost of today’s programming languagesand even in many applications. Think ofregular expressions as an elaborate systemof matching patterns. You first write thepattern and then use one of PHP’s built-infunctions to apply the pattern to a value(regular expressions are applied to strings,even if that means a string with a numericvalue). Whereas a string function could seeif the name John is in some text, a regularexpression could just as easily find John,Jon, and Jonathon.Because the regular expression syntax isso complex, while the functions that usethem are simple, the focus in this chapterwill be on mastering the syntax in littlebites. The PHP code will be very simple;later chapters will better incorporate regularexpressions into real-world scripts.in This ChapterCreating a Test Script 434Defining Simple Patterns 438Using Quantifiers 441Using Character Classes 443Finding All Matches 446Using Modifiers 450Matching and Replacing Patterns 452Review and Pursue 456

Creating a Test ScriptAs already stated, regular expressions area matter of applying patterns to values.The application of the pattern to a valueis accomplished using one of a handfulof functions, the most important beingpreg_match( ). This function returns a 0or 1, indicating whether or not the patternmatched the string. Its basic syntax ispreg_match(pattern, subject);The preg_match( ) function will stop onceit finds a single match. If you need to findall the matches, use preg_match_all( ).That function will be discussed toward theend of the chapter.When providing the pattern to preg_match( ), it needs to be placed withinquotation marks, as it’ll be a string.Because many escaped characters withindouble quotation marks have specialmeaning (like \n), I advocate using singlequotation marks to define your patterns.Secondarily, within the quotation marks,the pattern needs to be encased withindelimiters. The delimiter can be anycharacter that’s not alphanumeric or thebackslash, and the same character mustbe used to mark the beginning and endof the pattern. Commonly, you’ll seeforward slashes used. To see if the wordcat contains the letter a, you would code(spoiler alert: it does):if (preg_match('/a/', 'cat')) {If you need to match a forward slash in thepattern, use a different delimiter, like thepipe (|) or an exclamation mark (!).The bulk of this chapter covers all the rulesfor defining patterns. In order to best learn byexample, let’s start by creating a simple PHPscript that takes a pattern and a string A andreturns the regular expression result B.A The HTML form, which will be used forpracticing regular expressions.B The script will print what values were used inthe regular expression and what the result was.The form will also be made sticky to rememberpreviously submitted values.434 Chapter 14

Script 14.1 The complex regular expression syntaxwill be best taught and demonstrated using thisPHP script.1 2 3 4 5 Testing PCRE6 7 8 30 31 Regular Expression Pattern:Testing PCRE

Note that if Magic Quotes is enabledon your server, you’ll see extraslashes added to the form data C.To combat this, you’ll need to applystripslashes( ) here as well:$pattern = stripslashes(trim➝ ($_POST['pattern']));$subject = stripslashes(trim➝ ($_POST['subject']));4. Print a caption:echo "The result of checking➝ $patternagainst$subjectis ";As you can see B, the form-handlingpart of this script will start by printingthe values submitted.5. Run the regular expression:if (preg_match ($pattern,➝ $subject) ) {echo 'TRUE!';} else {echo 'FALSE!';}To test the pattern against the string,feed both to the preg_match( ) function.If this function returns 1, that meansa match was made, this condition willbe TRUE, and the word TRUE will beprinted. If no match was made, thecondition will be FALSE and that willbe stated D.C With Magic Quotes enabled on your server, thescript will add slashes to certain characters, mostlikely making the regular expressions fail.D If the pattern does not match the string, thiswill be the result. This submission and responsealso conveys that regular expressions are casesensitiveby default.436 Chapter 14

6. Complete the submission conditionaland the PHP block:} // End of submission IF.?>7. Create the HTML form:Regular Expression Pattern:➝

Defining SimplepatternsUsing one of PHP’s regular expressionfunctions is really easy, defining patternsto use is hard. There are lots of rules forcreating a pattern. You can use theserules separately or in combination, makingyour pattern either quite simple or verycomplex. To start, then, you’ll see whatcharacters are used to define a simplepattern. As a formatting rule, I’ll definepatterns in bold and will indicate what thepattern matches in italics. The patterns inthese explanations won’t be placed withindelimiters or quotes (both being neededwhen used within preg_match( )), just tokeep things cleaner.The first type of character you will usefor defining patterns is a literal. A literalis a value that is written exactly as it isinterpreted. For example, the pattern awill match the letter a, ab will match ab,and so forth. Therefore, assuming a caseinsensitivesearch is performed, rom willmatch any of the following strings, sincethey all contain rom:nnnCD-ROMRommel crossed the desert.I’m writing a roman à clef.Along with literals, your patterns willuse meta-characters. These are specialsymbols that have a meaning beyond theirliteral value (Table 14.1). While a simplymeans a, the period (.) will match anysingle character except for a newline (.matches a, b, c, the underscore, a space,etc., just not \n). To match any metacharacter,you will need to escape it, muchas you escape a quotation mark to printit. Hence \. will match the period itself.So 1.99 matches 1.99 or 1B99 or 1299(a 1 followed by any character followedby 99) but 1\.99 only matches 1.99.Two meta-characters specify where certaincharacters must be found. There is thecaret (^), which marks the beginning ofa pattern. There is also the dollar sign($), which marks the conclusion of apattern. Accordingly, ^a will match anystring beginning with an a, while a$ willcorrespond to any string ending with an a.Therefore, ^a$ will only match a (a stringthat both begins and ends with a).These two meta-characters—the caret andthe dollar sign—are crucial to validation,as validation normally requires checkingthe value of an entire string, not just thepresence of one string in another. Forexample, using an email-matching patternwithout those two characters will matchany string containing an email address.Using an email-matching pattern thatbegins with a caret and ends with a dollarsign will match a string that contains onlya valid email address.TABLe 14.1 Meta-CharactersCharacterMeaning\ Escape character^Indicates the beginningof a string$ Indicates the end of a string. Any single characterexcept newline| Alternatives (or)[ Start of a class] End of a class( Start of a subpattern) End of a subpattern{ Start of a quantifier} End of a quantifier438 Chapter 14

A Looking for a cat in a string.B PCRE performs a case-sensitive comparisonby default.Regular expressions also make use of thepipe (|) as the equivalent of or: a|b willmatch strings containing either a or b.(Using the pipe within patterns is calledalternation or branching). So yes|noaccepts either of those two words in theirentirety (the alternation is not just betweenthe two letters surrounding it: s and n).Once you comprehend the basic symbols,then you can begin to use parenthesesto group characters into more involvedpatterns. Grouping works as you mightexpect: (abc) will match abc, (trout) willmatch trout. Think of parentheses as beingused to establish a new literal of a largersize. Because of precedence rules inPCRE, yes|no and (yes)|(no) are equivalent.But (even|heavy) handed will match eithereven handed or heavy handed.To use simple patterns:1. Load pcre.php in your Web browser,if it is not already.2. Check if a string contains the letterscat A.To do so, use the literal cat as thepattern and any number of strings as thesubject. Any of the following would be amatch: catalog, catastrophe, my cat left,etc. For the time being, use all lowercaseletters, as cat will not match Cat B.Remember to use delimiters around thepattern, as well (see the figures).continues on next pagePerl-Compatible Regular Expressions 439

3. Check if a string starts with cat C.To have a pattern apply to the startof a string, use the caret as the firstcharacter (^cat). The sentence my catleft will not be a match now.4. Check if a string contains the wordcolor or colour D.The pattern to look for the American orBritish spelling of this word is col(o|ou)r.The first three letters—col—must bepresent. This needs to be followed byeither an o or ou. Finally, an r is required.C The caret in a pattern means that the matchhas to be found at the start of the string.If you are looking to match an exactstring within another string, use the strstr( )function, which is faster than regularexpressions. In fact, as a rule of thumb, youshould use regular expressions only if the taskat hand cannot be accomplished using anyother function or technique.You can escape a bunch of charactersin a pattern using \Q and \E. Every characterwithin those will be treated literally (so\Q$2.99?\E matches $2.99?).To match a single backslash, you haveto use \\\\. The reason is that matching abackslash in a regular expression requires youto escape the backslash, resulting in \\. Thento use a backslash in a PHP string, it also hasto be escaped, so escaping both backslashesmeans a total of four.D By using the pipe meta-character, the performedsearch can be more flexible.440 Chapter 14

using QuantifiersYou’ve just seen and practiced with acouple of the meta-characters, the mostimportant of which are the caret and theTABLe 14.2 QuantifiersCharacterMeaning? 0 or 1* 0 or more+ 1 or more{x}{x,y}{x,}Exactly x occurrencesBetween x and y (inclusive)At least x occurrencesA The plus sign, when used as a quantifier,requires that one or more of a thing be present.B You can check for the plural form of manywords by adding s? to the pattern.dollar sign. Next, there are three metacharactersthat allow for multiple occurrences:a* will match zero or more a’s (noa’s, a, aa, aaa, etc.); a+ matches one ormore a’s (a, aa, aaa, etc., but there mustbe at least one); and a? will match up toone a (a or no a’s match). These metacharactersall act as quantifiers in yourpatterns, as do the curly braces.Table 14.2 lists all of the quantifiers.To match a certain quantity of a thing, putthe quantity between curly braces ( {}),stating a specific number, just a minimum,or both a minimum and a maximum. Thus,a{3} will match aaa; a{3,} will match aaa,aaaa, etc. (three or more a’s); and a{3,5}will match just aaa, aaaa, and aaaaa(between three and five).Note that quantifiers apply to the thing thatcame before it, so a? matches zero or onea’s, ab? matches an a followed by zeroor one b’s, but (ab)? matches zero or oneab’s. Therefore, to match color or colour,you could also use colou?r as the pattern.To use quantifiers:1. Load pcre.php in your Web browser, if itis not already.2. Check if a string contains the letters c andt, with one or more letters in between A.To do so, use c.+t as the pattern andany number of strings as the subject.Remember that the period matches anycharacter (except for the newline). Eachof the following would be a match: cat,count, coefficient, etc. The word doctorwould not match, as there are no lettersbetween the c and the t (althoughdoctor would match c.*t).3. Check if a string matches either cator cats B.continues on next pagePerl-Compatible Regular Expressions 441

To start, if you want to make an exactmatch, use both the caret and the dollarsign. Then you’d have the literal textcat, followed by an s, followed by aquestion mark (representing 0 or 1 s’s).The final pattern—^cats?$—matches cator cats but not my cat left or I like cats.4. Check if a string ends with .33, .333,or .3333 C.To find a period, escape it with abackslash: \.. To find a three, use aliteral 3. To find a range of 3’s, use thecurly brackets ({}). Putting this together,the pattern is \.3{2,4}. Because thestring should end with this (nothing elsecan follow), conclude the pattern with adollar sign: \.3{2,4}$.Admittedly, this is kind of a stupidexample (not sure when you’d need todo exactly this), but it does demonstrateseveral things. This pattern will matchlots of things—12.333, varmit.3333, .33,look .33—but not 12.3 or 12.334.5. Match a five-digit number D.A number can be any one of thenumbers 0 through 9, so the heartof the pattern is (0|1|2|3|4|5|6|7|8|9).Plainly said, this means: a number isa 0 or a 1 or a 2 or a 3…. To make ita five-digit number, follow this with aquantifier: (0|1|2|3|4|5|6|7|8|9){5}. Finally,to match this exactly (as opposed tomatching a five-digit number within astring), use the caret and the dollar sign:^(0|1|2|3|4|5|6|7|8|9){5}$.This, of course, is one way to matcha United States zip code, a veryuseful pattern.When using curly braces to specifya number of characters, you must alwaysinclude the minimum number. The maximumis optional: a{3} and a{3,} are acceptable,but a{,3} is not.Although it demonstrates good dedicationto programming to learn how to write andexecute your own regular expressions, numerousworking examples are available already bysearching the Internet.C The curly braces let you dictate the acceptablerange of quantities present.D The proper test for confirming that a numbercontains five digits.442 Chapter 14

using Character ClassesAs the last example demonstrated (D in theprevious section), relying solely upon literalsin a pattern can be tiresome. Having to writeout all those digits to match any number issilly. Imagine if you wanted to match anyfour-letter word: ^(a|b|c|d…){4}$ (and thatdoesn’t even take into account uppercaseletters)! To make these common referenceseasier, you can use character classes.Classes are created by placing characterswithin square brackets ( [ ] ). For example,you can match any one vowel with [aeiou].This is equivalent to (a|e|i|o|u). Or you canuse the hyphen to indicate a range ofcharacters: [a-z] is any single lowercaseletter and [A-Z] is any uppercase, [A-Za-z]is any letter in general, and [0-9] matchesany digit. As an example, [a-z]{3} wouldmatch abc, def, oiw, etc.Within classes, most of the meta-charactersare treated literally, except for four. Thebackslash is still the escape, but the caret(^) is a negation operator when used as thefirst character in the class. So [^aeiou] willmatch any non-vowel. The only other metacharacterwithin a class is the dash, whichindicates a range. (If the dash is used as thelast character in a class, it’s a literal dash.)And, of course, the closing bracket (]) stillhas meaning as the terminator of the class.Naturally, a class can have both rangesand literal characters. A person’s firstname, which can contain letters, spaces,apostrophes, and periods, could berepresented by [A-z ‘.] (again, the perioddoesn’t need to be escaped within theclass, as it loses its meta-meaning there).Along with creating your own classes, thereare six already-defined classes that havetheir own shortcuts (Table 14.3). The digit andspace classes are easy to understand. Theword character class doesn’t mean “word” inthe language sense but rather as in a stringunbroken by spaces or punctuation.Using this information, the five-digit number(aka, zip code) pattern could more easily bewritten as ^[0-9]{5}$ or ^\d{5}$. As anotherexample, can\s?not will match both can notand cannot (the word can, followed by zeroor one space characters, followed by not).TABLe 14.3 Character ClassesClass Shortcut Meaning[0-9] \d Any digit[\f\r\t\n\v] \s Any white space[A-Za-z0-9_] \w Any word character[^0-9] \D Not a digit[^\f\r\t\n\v] \S Not white space[^A-Za-z0-9_] \W Not a word characterPerl-Compatible Regular Expressions 443

To use character classes:1. Load pcre.php in your Web browser,if it is not already.2. Check if a string is formatted as a validUnited States zip code A.A United States zip code always startswith five digits (^\d{5}). But a valid zipcode could also have a dash followedby another four digits (-\d{4}$). Tomake this last part optional, use thequestion mark (the 0 or 1 quantifier).This complete pattern is then ^(\d{5})(-\d{4})?$. To make it all clearer, the firstpart of the pattern (matching the fivedigits) is also grouped in parentheses,although this isn’t required in this case.3. Check if a string contains no spaces B.The \S character class shortcut will matchnon-space characters. To make sure thatthe entire string contains no spaces, usethe caret and the dollar sign: ^\S$. If youdon’t use those, then all the pattern isconfirming is that the subject contains atleast one non-space character.A The pattern to match a United States zip code,in either the five-digit or five plus four format.B The no-white-space shortcut can be used toensure that a submitting string is contiguous.using BoundariesBoundaries are shortcuts for helping to find, um, boundaries. In a way, you’ve already seen this:using the caret and the dollar sign to match the beginning or end of a value. But what if you wantedto match boundaries within a value?The clearest boundary is between a word and a non-word. A “word” in this case is not cat, month,or zeitgeist, but in the \w shortcut sense: the letters A through Z (both upper- and lowercase), plusthe numbers 0 through 9, and the underscore. To use words as boundaries, there’s the \b shortcut.To use non-word characters as boundaries, there’s \B. So the pattern \bfor\b matches they’vecome for you but doesn’t match force or forebode. Therefore \bfor\B would match force but notthey’ve come for you or informal.444 Chapter 14

4. Validate an email address C.The pattern ^[\w.-]+@[\w.-]+\.[A-Za-z]{2,6}$ provides for reasonably goodemail validation. It’s wrapped in thecaret and the dollar sign, so thestring must be a valid email addressand nothing more. An email addressstarts with letters, numbers, and theunderscore (represented by \w), plus aperiod (.) and a dash. This first block willmatch larryullman, larry77, larry.ullman,larry-ullman, and so on. Next, all emailaddresses include one and only one @.After that, there can be any number ofletters, numbers, periods, and dashes.This is the domain name: larryullman,smith-jones, amazon.co (as in amazon.co.uk), etc. Finally, all email addressesconclude with one period and betweentwo and six letters. This accounts for.com, .edu, .info, .travel, etc.I think that the zip code example is agreat demonstration as to how complex anduseful regular expressions are. One patternaccurately tests for both formats of the zipcode, which is fantastic. But when you putthis into your PHP code, with quotes anddelimiters, it’s not easily understood:if (preg_match ('/^(\d{5})(-\d{4})?$/',➝ $zip)) {That certainly looks like gibberish, right?This email address validation pattern ispretty good, although not perfect. It will allowsome invalid addresses to pass through (likeones starting with a period or containing multipleperiods together). However, a 100 percentfoolproof validation pattern is ridiculouslylong, and frequently using regular expressionsis really a matter of trying to exclude the bulkof invalid entries without inadvertently excludingany valid ones.Regular expressions, particularly PCREones, can be extremely complex. When startingout, it’s just as likely that your use of themwill break the validation routines instead ofimproving them. That’s why practicing like thisis important.C A pretty good and reliable validation for email addresses.Perl-Compatible Regular Expressions 445

Finding All MatchesGoing back to the PHP functions usedwith Perl-Compatible regular expressions,preg_match( ) has been used just to seeif a pattern matches a value or not. But thescript hasn’t been reporting what, exactly,in the value did match the pattern. Youcan find out this information by providing avariable as a third argument to the function:preg_match(pattern, subject, $match);The $match variable will contain the firstmatch found (because this function onlyreturns the first match in a value). To findevery match, use preg_match_all( ). Itssyntax is the same:preg_match_all(pattern, subject,➝ $matches);This function will return the number ofmatches made, or FALSE if none werefound. It will also assign to $matches everymatch made. Let’s update the PHP script toprint the returned matches, and then run acouple more tests.To report all matches:1. Open pcre.php (Script 14.1) in your texteditor or IDE, if it is not already.2. Change the invocation of preg_match( )to (Script 14.2):if (preg_match_all ($pattern,➝ $subject, $matches) ) {There are two changes here. First, theactual function being called is different.Second, the third argument is provideda variable name that will be assignedevery match.Script 14.2 To reveal exactly what values in astring match which patterns, this revised versionof the script will print out each match. You canretrieve the matches by naming a variableas the third argument in preg_match( ) orpreg_match_all( ).1 2 3 4 5 Testing PCRE6 7 8

Script 14.2 continued33 // Display the HTML form.34 ?>35 36 Regular Expression Pattern:➝ continues on next pageBeing Less GreedyA key component to Perl-Compatible regular expressions is the concept of greediness. Bydefault, PCRE will attempt to match as much as possible. For example, the pattern matchesany HTML tag. When tested on a string like Link, it will actuallymatch that entire string, from the opening < to the closing one. This string contains three possiblematches, though: the entire string, the opening tag (from ), and the closing tag ().To overrule greediness, make the match lazy. A lazy match will contain as little data as possible.Any quantifier can be made lazy by following it with the question mark. For example, the pattern would return two matches in the preceding string: the opening tag and the closing tag. Itwould not return the whole string as a match. (This is one of the confusing aspects of the regularexpression syntax: the same character—here, the question mark—can have different meaningsdepending on its context.)Another way to make patterns less greedy is to use negative classes. The pattern ]+> matcheseverything between the opening and closing except for a closing >. So using this pattern wouldhave the same result as using . This pattern would also match strings that contain newlinecharacters, which the period excludes.Perl-Compatible Regular Expressions 447

In order to be able to enter in moretext for the subject, this element willbecome a textarea.6. Save the file as matches.php, place it inyour Web directory, and test it in yourWeb browser.For the first test, use for as the patternand This is a formulaic test for informalmatches. as the subject A. It maynot be proper English, but it’s a goodtest subject.For the second test, change the patternto for.* B. The result may surprise you,the cause of which is discussed in thesidebar, “Being Less Greedy.” To makethis search less greedy, the pattern couldbe changed to for.*?, whose resultswould be the same as those in A.A This first test returns three matches, as theliteral text for was found three times.B Because regular expressions are “greedy” by default (see thesidebar), this pattern only finds one match in the string. That matchhappens to start with the first instance of for and continues until theend of the string.448 Chapter 14

For the third test, use for[\S]*, or, moresimply for\S* C. This has the effectof making the match stop as soonas a white space character is found(because the pattern wants to match forfollowed by any number of non–whitespace characters).For the final test, use \b[a-z]*for[a-z]*\bas the pattern D. This pattern makesuse of boundaries, discussed in thesidebar “Using Boundaries,” earlier inthe chapter.The preg_split( ) function will takea string and break it into an array using aregular expression pattern.C This revised pattern matches strings that beginwith for and end on a word.D Unlike the pattern in C, this one matchesentire words that contain for (informal here,formal in C ).Perl-Compatible Regular Expressions 449

using ModifiersThe majority of the special charactersyou can use in regular expression patternsare introduced in this chapter. One finaltype of special character is the patternmodifier. Table 14.4 lists these. Patternmodifiers are different than the other metacharactersin that they are placed after theclosing delimiter.Of these delimiters, the most important is i,which enables case-insensitive searches.All of the examples using variations onfor (in the previous sequence of steps)would not match the word For. However,/for.*/i would be a match. Note that I amincluding the delimiters in that pattern, asthe modifier goes after the closing one.Similarly, the last step in the previoussequence referenced the sidebar “BeingLess Greedy” and stated how for.*? wouldperform a lazy search. So would /for.*/U.The multiline mode is interesting in thatyou can make the caret and the dollar signbehave differently. By default, each appliesto the entire value. In multiline mode, thecaret matches the beginning of any line andthe dollar sign matches the end of any line.To use modifiers:1. Load matches.php in your Web browser,if it is not already.2. Validate a list of email addresses A.To do so, use /^[\w.-]+@[\w.-]+\.[A-Za-z]{2,6}\r?$/m as the pattern. You’ll seethat I’ve added an optional carriagereturn (\r?) before the dollar sign. Thisis necessary because some of the lineswill contain returns and others won’t.And in multiline mode, the dollar signmatches the end of a line. (To be moreflexible, you could use \s? instead.)TABLe 14.4 Pattern ModifiersCharacterAimsxUResultAnchors the pattern to thebeginning of the stringEnables case-insensitive modeEnables multiline matchingHas the period match everycharacter, including newlineIgnores most white spacePerforms a non-greedy matchA A list of email addresses, one per line, can bevalidated using the multiline mode. Each validaddress is stored in $matches.450 Chapter 14

3. Validate a list of United States zipcodes B.Very similar to the example in Step 2,the pattern is now /^(\d{5})(-\d{4})?\s?$/m. You’ll see that I’m using themore flexible \s? instead of \r?.You’ll also notice when you try thisyourself (or in B) that the $matchesvariable contains a lot more informationnow. This will be explained in the nextsection of the chapter.To always match the start or end of apattern, regardless of the multiline setting,there are shortcuts you can use. Within thepattern, the shortcut \A will match only thevery beginning of the value, \z matches thevery end, and \Z matches any line end, like$ in single-line mode.B Validating a list of zip codes, one per line.If your version of PHP supports it, it’sprobably best to use the Filter extension tovalidate an email address or a URL. But if youhave to validate a list of either, the Filter extensionwon’t cut it, and regular expressions willbe required.Perl-Compatible Regular Expressions 451

Matching andReplacing patternsThe last subject to discuss in this chapteris how to match and replace patterns ina value. While preg_match( ) and preg_match_all( ) will find things for you, if youwant to do a search and replace, you’llneed to use preg_replace( ). Its syntax ispreg_replace(pattern, replacement,➝ subject);This function takes an optional fourthargument limiting the number ofreplacements made.To replace all instances of cat with dog,you would use$str = preg_replace('/cat/', 'dog',➝'I like my cat.');This function returns the altered value(or unaltered value if no matches weremade), so you’ll likely want to assign itto a variable or use it as an argument toanother function (like printing it by callingecho). Also, as a reminder, the above is justan example: you’d never want to replaceone literal string with another using regularexpressions, use str_replace( ) instead.There is a related concept to discussthat is involved with this function: backreferencing. In a zip code matchingpattern—^(\d{5})(-\d{4})?$—there are twogroups within parentheses: the first fivedigits and the optional dash plus four-digitextension. Within a regular expressionpattern, PHP will automatically numberparenthetical groupings beginning at 1.Back referencing allows you to refer toeach individual section by using $ plus thecorresponding number. For example, if youmatch the zip code 94710-0001 with thispattern, referring back to $2 will give you-0001. The code $0 refers to the wholeinitial string. This is why B in the previoussection shows entire zip code matches in$matches[0], the matching first five digitsin $matches[1], and any matching dashplus four digits in $matches[2].To practice with this, let’s modify Script 14.2to also take a replacement input A.To match and replace patterns:1. Open matches.php (Script 14.2) in yourtext editor or IDE, if it is not already.2. Add a reference to a third incomingvariable (Script 14.3):$replace = trim($_POST['replace']);As you can see in A, the third forminput (added between the existing two)takes the replacement value. That valueis also trimmed to get rid of any extraneousspaces.If your server has Magic Quotesenabled, you’ll again need to applystripslashes( ) here.continues on page 454A One use of preg_replace( ) would be toreplace variations on inappropriate words withsymbols representing their omission.452 Chapter 14

Script 14.3 To test the preg_replace( ) function, which replaces a matched pattern in a string with anothervalue, you can use this third version of the PCRE test script1 2 3 4 5 Testing PCRE Replace6 7 8 32 33 Regular Expression Pattern:

3. Change the caption:echo "The result of replacing➝ $pattern➝ with$replacein➝ $subject";The caption will print out all of theincoming values, prior to applyingpreg_replace( ).4. Change the regular expressionconditional so that it only callspreg_replace( ) if a match is made:if (preg_match ($pattern,➝ $subject) ) {echo preg_replace($pattern,➝ $replace, $subject) . '';} else {echo 'The pattern was not➝ found!';}You can call preg_replace( ) withoutrunning preg_match( ) first. If no matchwas made, then no replacement will occur.But to make it clear when a match is or isnot being made (which is always good toconfirm, considering how tricky regularexpressions are), the preg_match( )function will be applied first. If it returnsa TRUE value, then preg_replace( ) iscalled, printing the results B. Otherwise,a message is printed indicating that nomatch was made C.5. Change the form’s action attribute toreplace.php:This file will be renamed, so this valueneeds to be changed accordingly.B The resulting text has uses of bleep, bleeps,bleeped, bleeper, and bleeping replaced with *****.C If the pattern is not found within the subject,the subject will not be changed.454 Chapter 14

6. Add a text input for the replacementstring:Replacement:

Review and pursueIf you have any problems with thereview questions or the pursue prompts,turn to the book’s supporting forum(www.LarryUllman.com/forums/).ReviewnnnnnnWhat function is used to match a regularexpression? What function is usedto find all matches of a regular expression?What function is used to replacematches of a regular expression?What characters can you use and notuse to delineate a regular expression?How do you match a literal character orstring of characters?What are meta-characters? How do youescape a meta-character?What meta-character do you use to binda pattern to the beginning of a string?To the end?How do you create subpatterns(aka groupings)?nnnnnnnnWhat are the quantifiers? How do yourequire 0 or 1 of a character or string?0 or more? 1 or more? Precisely Xoccurrences? A range of occurrences?A minimum of occurrences?What are character classes?What meta-characters still have meaningwithin character classes?What shortcut represents the “any digit”character class? The “any white space”class? “Any word”? What shortcuts representthe opposite of these?What are boundaries? How do youcreate boundaries in patterns?How do you make matches “lazy”?And what does that mean anyway?What are the pattern modifiers?What is back referencing? How doesit work?pursuennSearch online for a PCRE “cheat sheet”(PHP or otherwise) that lists all themeaningful characters and classes.Print out the cheat sheet and keep itbeside your computer.Practice, practice, practice!456 Chapter 14

15IntroducingjQueryNew in this edition of the book is thischapter, introducing the jQuery JavaScriptframework. As JavaScript has developedinto a more valuable language over thepast decade, its meaningful usage hasbecome commonplace in today’s Websites. Accordingly, many PHP developersare expected to know a bit of JavaScriptas well.Although this chapter cannot present fullcoverage of JavaScript or jQuery, you’lllearn more than enough to be able to addto your PHP-based projects the featuresthat users have come to expect. In theprocess, you’ll also learn some basics ofprogramming in JavaScript in general, andget a sense of into what areas of jQueryyou may want to further delve.in This ChapterWhat is jQuery? 458Incorporating jQuery 460Using jQuery 463Selecting Page Elements 466Event Handling 469DOM Manipulation 473Using Ajax 479Review and Pursue 492

What is jQuery?In order to grasp jQuery, you must havea solid sense of what JavaScript is. Asdiscussed in Chapter 11, “Web ApplicationDevelopment,” JavaScript is a programminglanguage that’s primarily used to adddynamic features to Web pages. UnlikePHP, which always runs on the server,JavaScript generally runs on the client(JavaScript is starting to be used as aserver-side tool, too, although that’s stillmore on the fringe). PHP, precisely becauseit is server-side, is browser-agnostic for themost part: very few things you’ll do in PHPwill have different results from one browserto the next. Conversely, precisely becauseit’s running in the Web browser, JavaScriptcode often has to be customized for thevariations in browsers. For many years, thiswas the bane of the Web developer: creatingreliable cross-browser code. Overcomingthis particular hurdle is one of the manystrengths of jQuery (www.jquery.com A).jQuery is a JavaScript framework, a frameworkjust being a library of code whose usecan expedite and simplify development.The core of the jQuery framework is ableto handle all key JavaScript functionality, asyou’ll see in this chapter. But the frameworkis extendable via plug-ins to provide otherfeatures, such as the ability to create adynamic, paginated, sortable table of data.In fact, a number of useful user interfaceA The homepage for thejQuery JavaScriptframework.B The home pagefor the jQuery UserInterface library( jQuery UI), whichworks in conjunctionwith jQuery.458 Chapter 15

tools have been wrapped inside their ownbundle, jQuery UI (www.jqueryui.com B).There are many JavaScript frameworks outthere, and in no way am I claiming jQuery isthe best. I do prefer jQuery, however, and it’squickly earned a place as one of the premierJavaScript frameworks. As you’ll soon see,jQuery has a simple, albeit cryptic, syntax,and by using it, you can manipulate theDocument Object Model (DOM) with aplomb.This is to say that you can easily referenceelements within an HTML page, therebygrabbing the values of form inputs, adding orremoving any kind of HTML element, changingelement properties, and so forth.Before getting into the particulars of usingjQuery, do understand that jQuery is just aJavaScript framework, meaning that whatyou’ll actually be doing over the next severalpages is JavaScript programming. JavaScriptas a language, while similar in someways to PHP, differs in other ways, such ashow variables are created, what character isused to perform concatenation, and so forth.Moreover, JavaScript is an object-orientedlanguage, meaning the syntax you’ll sometimessee will be that much different than theprocedural PHP programming you’ve doneto this point (the next chapter introducesObject-Oriented Programming—OOP—inPHP). Because you’ll inevitably have problems—likesimply omitting a semicolon, you’llneed to know a bit about how to debugJavaScript. For a quick introduction to thatsubject, see the sidebar.For examples of server-side JavaScript,check out Node (www.nodejs.org) or Jaxer(www.jaxer.org).I’ve written a several-part series onjQuery, covering many of the same topics asthis chapter. You can find the series on myWeb site (www.LarryUllman.com).Debugging JavaScriptTo this point, you may not have thought it so wonderful that PHP dumped all its errors into yourWeb browser, shoving your mistakes in your face. Until now. When Web pages have JavaScripterrors, you rarely are notified. In order to debug problematic JavaScript code, the first thing you’llneed to do is see what actual errors exist.The first tool you’ll need when programming in JavaScript is a good Web browser. Not a goodWeb browser for users, but a good one for developers. Firefox (www.mozilla.com) is the clearchampion in this regard, although Opera (www.opera.com) and Google Chrome (www.google.com/chrome/) may be close seconds. By opening Firefox’s built-in error console (found under the Toolsmenu), you’ll be able to see any JavaScript errors as they occur.An added advantage that Firefox has over the other browsers is a long history of excellent thirdpartyextensions. In particular, Firebug and Web Developer are fantastic assets for understandingwhat’s happening within the Web page. There are also extensions such as FireQuery, which addjQuery-aware development tools to Firefox.Before beginning this chapter, I would recommend that you download and install the latest versionof Firefox, and the aforementioned extensions (if you have not already). Running your JavaScriptenabledWeb pages in Firefox will make it easier for you to see the errors as they happen, therebymaking it that much easier to debug.Introducing jQuery 459

incorporating jQueryJavaScript is built into all graphical Webbrowsers by default, meaning no specialsteps must be taken to include JavaScriptin a Web page (users have the option ofdisabling JavaScript, although statisticallyfew do). jQuery is a framework of code,though; in order to use it, a Web pagemust first incorporate the jQuery library.To include any external JavaScript file in aWeb page involves the HTML script tag,providing the name of the external file asthe value of its src attribute:The jQuery framework file will have a namelike jquery-X.Y.Z.min.js, where X.Y.Z isthe version number (1.6.1 at the time of thiswriting). The min part of the file’s nameindicates that the JavaScript file has beenminified. Minification is the removal ofspaces, newlines, and comments fromcode. The result is code that’s barelylegible A, but still completely functional.The benefit of minified code is that it willload in the browser slightly faster becauseit will be a marginally smaller file size.A What the minified jQuery code looks like.460 Chapter 15

The following set of steps will walk youthrough installing the jQuery library onyour Web server and incorporating it intoa Web page; see the sidebar for an alternativeapproach.B The form for downloading the current versionof jQuery.To incorporate jQuery:1. Load www.jquery.com in your Webbrowser.2. At the top of the page, selectPRODUCTION (it’s the default option),and click Download(jQuery); B.Because the resulting file is justJavaScript, it will load directly in yourWeb browser A.3. Save the page on your computer.Most browsers offer a Save Page, SaveAs, or Save Page As option. Save thefile as jquery-X.Y.Z.min.js, whereX.Y.Z is the actual version number.continues on next pageusing Hosted jQueryThis chapter recommends that you download a copy of jQuery and place it in your Web directory.Upon doing so, you just need to update the script tag to point to the location of the jQueryfile on your Web site. I want to mention an alternative solution, though: using a hosted version ofjQuery. By this, I mean that instead of using a version of the jQuery library stored on your own Webserver, you could use a version stored elsewhere online. For example, Google provides copies ofmany JavaScript frameworks for public use (http://code.google.com/apis/libraries/). To useGoogle’s copy of the jQuery library, the code would be:By using Google’s hosted version of jQuery, your site (i.e., your site’s visitors) will likely see a performanceboost, due to Google’s Content Delivery Network (CDN) and the way browsers cachemedia. I’ve only chosen not to use the Google-provided version of jQuery in this chapter becausenot all readers will have constant Internet connections and because knowing how to use localJavaScript files is a critical skill.Introducing jQuery 461

4. Move the downloaded file to a js folderwithin your Web server directory.All of the JavaScript files to be used bythis chapter’s examples will be placedwithin a subdirectory named js.5. Begin a new HTML document in yourtext editor or IDE, to be named test.html (Script 15.1):Testing jQueryThis very first example will simply testthe incorporation and basic use of thejQuery library.6. Within the HTML head, include jQuery:The script tag is used to include aJavaScript file. Conventionally, scripttags are placed within the HTML page’shead, although that’s not required (oralways the case). The value of the srcattribute needs to match the name andlocation of your jQuery library. In thiscase, the assumption is that this HTMLpage is in the same directory as the jsfolder, created as part of Step 4.7. Save the file as test.html.Because this script won’t be executingany PHP, it uses the .html extension.8. If you want, load the page in your Webbrowser and check for errors.As this is just an HTML page, youcan load it directly in a Web browser,without going through a URL. You canthen use your browser’s error consoleor other development tools (see the“Debugging JavaScript” sidebar) tocheck that no errors occurred in loadingthe JavaScript file.Script 15.1 This blank HTML page shows how the jQuery library can be included.1 2 3 4 5 Testing jQuery6 7 8 9 10 11 462 Chapter 15

using jQueryOnce you successfully have jQuery incorporatedinto a Web page, you can beginusing it. jQuery, or any JavaScript code,can be written between opening and closingscript tags:// JavaScript goes here.(Note that in JavaScript, the double slashescreate comments, just as in PHP.)Alternatively, you can place jQuery andJavaScript code within a separate file, andthen include that file using the script tags,just as you included the jQuery library. Thisis the route to be used in this chapter, inorder to further separate the JavaScriptfrom the HTML.To be clear, a Web page can have multipleuses of the script tags, and the samescript tag cannot both include an externalfile and contain JavaScript code.The code placed within a script tagwill be executed as soon as the browserencounters it. This is often problematic,though, as JavaScript is frequently usedto interact with the DOM: if immediatelyexecuted JavaScript code references aDOM element, the code will fail, as thatDOM element will not have been encounteredby the browser at that point A. Theonly reliable way to reference DOM elementsis after the browser has knowledgeof the entire DOM.In standard JavaScript, you can have codebe executed after the page is completelyloaded by referencing window.onLoad. InjQuery, the preferred method is to confirmthat the Web document is ready:$(document).ready(some_function);As mentioned already, the jQuery syntaxcan seem especially strange for theuninitiated, so I’ll explain this in detail.First of all, the code $(something) is howelements and such within the Web browserare selected in jQuery. In this particularcase, the item being selected is the entireWeb document. To this selection, theready( ) function is applied. It takes oneargument: a function to be called. Notethat the argument is a reference to thefunction: its name, without quotation marks.Separately, some_function( ) wouldhave to be defined, wherein the actualwork—that which should be done whenthe document is loaded—takes place.continues on next pageA A browser reads aWeb page as the HTMLis loaded, meaning thatJavaScript code cannotreference DOM elementsuntil the browser hasseen them all.Introducing jQuery 463

An alternative syntax is to use ananonymous function, which is a functiondefinition without a name. Anonymousfunctions are common to JavaScript(anonymous functions are possible inPHP, too, but not common). To createan anonymous function, the function’sdefinition is placed inline, in lieu of thefunction’s name:$(document).ready(function( ) {// Function code.});Because the need to execute code whenthe browser is ready is so common, thiswhole construct is often simplified injQuery to just:$(function( ) {// Function code.});The syntax is unusual, especially the}); at the end, so be mindful of this asyou program. As with any programminglanguage, incorrect JavaScript syntax willmake the code inoperable.To test jQuery, this next sequence of stepswill create a JavaScript alert once thedocument is ready B. After you have thissimple test working, you can safely beginusing jQuery more practically.B This JavaScript alert is created once jQueryrecognizes that the Web document is ready inthe browser.Script 15.2 This simple JavaScript file creates analert to test successful incorporation and use ofthe jQuery library.1 // Script 15.2 - test.js2 // This script is included by test.html.3 // This script just creates an alert totest jQuery.45 // Do something when the document isready:6 $(function( ) {78 // Alert!9 alert('Ready!');1011 });To use jQuery:1. Create a new JavaScript document inyour text editor or IDE, to be namedtest.js (Script 15.2):// Script 15.2 - test.jsA JavaScript file has no script tags—those are in the HTML document—orother opening tags. You can just beginentering JavaScript code. Again, adouble slash creates a comment.464 Chapter 15

2. Create an alert when the documentis ready:$(function( ) {alert('Ready!');});This is just the syntax already explained,with a call to alert( ) in place of theFunction code. comment shown earlier.The alert( ) function takes a string asits argument, which will be used in thepresented alert box B.3. Save the file as test.js, in your Webserver’s js directory.4. Open test.html (Script 15.1), in yourtext editor or IDE.The next step is to update the HTMLpage so that it includes the newJavaScript file.5. After including the jQuery library, includethe new JavaScript file (Script 15.3):➝ Assuming that the test.js JavaScriptfile is placed in the same directoryas the jQuery library, with the samerelative location to test.html, this codewill successfully incorporate it.6. Save the HTML page and test it in yourWeb browser B.If you do not see the alert window, you’llneed to debug the JavaScript code.Technically, in OOP, a function is calleda method. For the duration of this chapter,I’ll continue to use the term “function” as it’slikely to be more familiar to you.The code $( ) is shorthand for calling thejQuery( ) function.jQuery’s “ready” status is slightly differentthan JavaScript’s onLoad: the latteralso waits for the loading of images and othermedia, whereas jQuery’s ready status is triggeredby the full loading of the DOM.Script 15.3 The updated test HTML page loads a new JavaScript file.1 2 3 4 5 Testing jQuery6 7 8 9 10 11 12 Introducing jQuery 465

Selecting pageelementsOnce you’ve got basic jQuery functionalityworking, the next thing to learn is how toselect page elements. Being able to do sowill allow you to hide and show images orblocks of text, manipulate forms, and more.You’ve already seen how to select the Webdocument itself: $(document). To selectother page elements, use CSS selectors inplace of document:nnn#something selects the element with anid value of something.something selects every element witha class value of somethingsomething selects every element ofsomething type (e.g., p selects everyparagraph)Those three rules are more than enoughto get you started, but know that unlikedocument, each of these gets placedwithin quotation marks. For example,the code $('a') selects every link and$('#caption') selects the element withan id value of caption. By definition, notwo elements in a single Web page shouldhave the same identifying value, thus toreference individual elements on the page,#something is the easiest solution.These rules can be combined as well:nn$('img.landscape') selects everyimage with a class of landscape$('#register input') selects everyinput element found within an elementthat has an id of registerFor the next jQuery example, aJavaScript-driven version of the WidgetCost Calculator form, similar to the onedeveloped in Chapter 13, “SecurityMethods,” will be developed. In these nextfew steps, the HTML page will be created,with the appropriate elements, classes, andunique identifiers to be easily manipulatedby jQuery A.A The Widget Cost Calculator as an HTML form.466 Chapter 15

To create the HTML form:1. Open test.html (Script 15.3) in yourtext editor or IDE, if it is not already.Since this file is already jQuery-enhanced,it’ll be easiest to just update it.2. Change the page’s title (Script 15.4):Widget Cost Calculator➝ 3. After the page title, incorporate a CSS file:To make the form a bit more attractive,some CSS code will style it. You can findthe CSS file in the book’s correspondingdownloads at www.LarryUllman.com.The CSS file also defines two significantclasses—error and errorMessage, to bemanipulated by jQuery later in the chapter.The first turns everything red; thesecond italicizes text (but the class will bemore meaningful as a way of identifyinga group of similar items). In time, you’llsee how these classes are used.4. Change the second script tag so that itreferences calculator.js, not test.js:The JavaScript for this example will goin calculator.js, to be written subsequently.It will be stored in the same jsfolder as the other JavaScript documents.continues on next pageScript 15.4 In this HTML page is a form with three textual inputs for performing a calculation.1 2 3 4 5 Widget Cost Calculator6 7 8 9 10 11 12 Widget Cost Calculator13 14 15 Quantity: 16 Price: 17 Tax (%): 18 19 20 21 Introducing jQuery 467

5. Within the HTML body, create an emptyparagraph and begin a form:Widget Cost CalculatorThe paragraph with the id of resultsbut no content will be used later in thechapter to present the results of thecalculations. It has a unique id value,for easy reference. The form, too, hasa unique id value. The form, in theory,would be submitted to calculator.php(a separate script, not actually written inthis chapter), but that submission will beinterrupted by JavaScript.6. Create the first form element:Quantity: Each form input, as originally written inChapter 13, involved the textual prompt,the element itself, and a paragraphsurrounding both. To the paragraph andform input, unique id values are added.Note that I tend to use “camel-case”style names—quantityP—in objectorientedlanguages such as JavaScript.This approach just better follows OOPconventions (conversely, I would usequantity_p in procedural PHP code).7. Create the remaining two form elements:Price: Tax (%): 8. Complete the form and the HTML page:The submit button also has a uniqueid, but that’s for the benefit of the CSS;it won’t actually be referenced in theJavaScript.9. Save the page as calculator.html andload it in your Web browser A.Even though the second JavaScriptfile, calculator.js, has not yet beenwritten, the form is still loadable.jQuery has its own additional, customselectors, allowing you to select pageelements in more sophisticated ways. Forexamples, see the jQuery manual.468 Chapter 15

event HandlingJavaScript, like PHP, is often used to respondto events. Differently, though, events inJavaScript terms are primarily user actionswithin the Web browser, such as:nnnnMoving the cursor over an image orpiece of textClicking a linkChanging the value of a form elementSubmitting a formTo handle events in JavaScript, you applyan event listener (also called an eventhandler) to an element, which is to say, youtell JavaScript that when A event happensto B element, the C function should becalled. In jQuery, event listeners areassigned using the syntaxselection.eventType(function);The selection part would be like$('.something') or $('a'): whateverelement or elements to which the eventlistener should be applied. The eventTypevalue will differ based upon the selection.Common values are change, focus,mouseover, click, submit, and select:different events can be triggered by differentHTML elements. In jQuery, these areall actually the names of functions beingcalled on the selection. These functionstake one argument: a function to be calledwhen the event occurs on that selection.Commonly, the function to be invoked iswritten inline, anonymously. For example,to handle the event of any image beingmoused-over, you would code:$('img').mouseover(function( ) {// Do this!});This construct should look familiar, astest.js assigns an event handler thatlistens for the ready event occurring on theWeb document.Let’s take this new information and applyit to the HTML page already begun. Atthis point, an event listener can be addedto the form so that its submission can behandled. In this particular case, the form’sthree inputs will be minimally validated,the total calculation will be performed, andthe results of the calculation displayedin an alert A. In order to do all this, youneed to know one more thing: to fetch thevalues entered into the textual form inputsrequires the val( ) function. It returns thevalue for the selection, as you’ll see inthese next steps.A The calculations are displayed using an alertbox (for now).Introducing jQuery 469

To handle the form submission:1. Open test.js in your text editor or IDE:Since the test.js file already has theproper syntax for executing code whenthe browser is ready, it’ll be easiest andmost foolproof to start with it.2. Remove the existing alert( ) call(Script 15.5).All of the following code will go in placeof the original alert( ).3. In place of the alert( ) call, add anevent handler to the form’s submission:$('#calculator').submit(function( ) {}); // End of form submission.The selector grabs a reference to theform, which has an id value of calculator.To this selection the submit( ) functionis applied, so that when the form issubmitted, the inline anonymous functionwill be called. Because the syntaxcan be so tricky, my recommendationis to add this block of code, and thenwrite the contents of the anonymousfunction—found in the following steps—secondarily. Note that this and thefollowing code goes within the existing$(document).ready( ) { } block.4. Within the new anonymous function,initialize four variables:var quantity, price, tax, total;In JavaScript, the var keyword is usedto declare a variable. It can also declaremultiple variables at once, if separatedby commas. Note that variables inJavaScript do not have an initial dollarsign, like those in PHP.Script 15.5 This JavaScript file is included bycalculator.html (Script 15.4). Upon submissionof the form, the form’s values are validated anda calculation performed.1 // Script 15.5 - calculator.js2 // This script is included bycalculator.html.3 // This script handles and validates theform submission.45 // Do something when the document isready:6 $(function( ) {78 // Assign an event handler to the form:9 $('#calculator').submit(function( ) {1011 // Initialize some variables:12 var quantity, price, tax, total;1314 // Validate the quantity:15 if ($('#quantity').val( ) > 0) {1617 // Get the quantity:18 quantity = $('#quantity').val( );1920 } else { // Invalid quantity!2122 // Alert the user:23 alert('Please enter a validquantity!');2425 }2627 // Validate the price:28 if ($('#price').val( ) > 0) {29 price = $('#price').val( );30 } else {31 alert('Please enter a validprice!');32 }3334 // Validate the tax:35 if ($('#tax').val( ) > 0) {36 tax = $('#tax').val( );37 } else {38 alert('Please enter a validtax!');39 }40code continues on next page470 Chapter 15

Script 15.5 continued41 // If appropriate, perform thecalculations:42 if (quantity && price && tax) {4344 total = quantity * price;45 total += total * (tax/100);4647 // Display the results:48 alert('The total is $' + total);4950 }5152 // Return false to prevent anactual form submission:53 return false;5455 }); // End of form submission.5657 }); // End of document ready.B If a form element does not have a positivenumeric value, an alert box indicates the error.5. Validate the quantity:if ($('#quantity').val( ) > 0) {quantity = $('#quantity').val( );} else {alert('Please enter a valid➝ quantity!');}For each of the three form inputs, thevalue needs to be a number greaterthan zero. The value entered can befound by calling the val( ) function onthe selected element. If the returnedvalue is greater than zero, then thevalue is assigned to the local variablequantity. Otherwise, an alert boxindicates the problem to the user B.This is admittedly a tedious use ofalerts; you’ll learn a smoother approachin the next section of the chapter.6. Repeat the validation for the other twoform inputs:if ($('#price').val( ) > 0) {price = $('#price').val( );} else {alert('Please enter a valid➝ price!');}if ($('#tax').val( ) > 0) {tax = $('#tax').val( );} else {alert('Please enter a valid➝ tax!');}continues on next pageIntroducing jQuery 471

7. If all three variables have valid values,perform the calculations:if (quantity && price && tax) {total = quantity * price;total += total * (tax/100);This code should be fairly obvious bynow: it looks almost exactly as it wouldin PHP, save for the lack of dollar signsin front of each variable’s name.8. Report the total:alert('The total is $' + total);Again, a crude alert window will beused to display the results of thecalculation A. As you can see inthis code, the plus sign performsconcatenation in JavaScript.9. Complete the conditional begun inStep 7 and return the value false:}return false;Having the function return falseprevents the form from actually beingsubmitted to the script that’s identifiedas the form’s action.10. Save the page as calculator.js (in thejs folder) and test the calculator in yourWeb browser.Note that if you already hadcalculator.html loaded in your Webbrowser, you’ll need to refresh thebrowser to load the updated JavaScript.There are many jQuery plug-insspecifically for validating forms, but Iwanted to keep this simple (and explaincore JavaScript concepts in the process).It is possible to format numbers inJavaScript, for example, so they alwayscontain two decimals, but it’s not easily done.For this reason, and because I didn’t want todetract from the more important informationbeing covered, the results of the calculationmay not always look as good as they should.With jQuery, if the browser supports it,the JavaScript code will perform the calculations.If the user has JavaScript disabled, orif she or he is using a really old browser, theJavaScript will not take effect and the formwill be submitted as per usual (here, to thenon-existent calculator.php).472 Chapter 15

DoM ManipulationOne of the most critical uses of JavaScriptin general, and jQuery in particular, ismanipulation of the DOM: changing, in anyway, the contents of the Web browser. Normally,DOM manipulation is manifested byaltering what the user sees; how easily youcan do this in jQuery is one of its strengths.Once you’ve selected the element orelements to be manipulated, applyingany number of jQuery functions to theselection will change its properties. Forstarters, the hide( ) and show( ) functions…um…hide and show the selection. Thus,to hide a form (perhaps after the user hassuccessfully completed it), you would use:$('#actualFormId').hide( );The toggle( ) function, when called, willhide a visible element and show a hiddenone (i.e., it toggles between those twostates). Note that these functions neithercreate nor destroy the selection (i.e., theselection will remain part of the DOM,whether it’s visible or not).Similar to show( ) and hide( ) arefadeIn( ) and fadeOut( ). These functionsalso reveal or hide the selection, but do sowith a bit of effect added in.Another way to impact the DOM is tochange the CSS classes that apply toa selection. The addClass( ) functionapplies a CSS class and removeClass( )removes one. The following code adds theemphasis class to a specific blockquoteand removes it from all paragraphs:$('#blockquoteID').addClass➝ ('emphasis');$('p').removeClass('emphasis');The toggleClass( ) function can be usedto toggle the application of a class toa selection.The already mentioned functions generallychange the properties of the page’selements, but you can also change thecontents of those elements. In the previoussection, you used the val( ) function, whichreturns the value of a form element. Butwhen provided with an argument, val( )assigns a new value to that form element:$('#something').val('cat');Similarly, the html( ) function returns theHTML contents of an element and text( )returns the textual contents. Both functionscan also take arguments used to assignnew HTML and text, accordingly.continues on next pageIntroducing jQuery 473

Let’s use all this information to finish off thewidget cost calculator. A few key changeswill be made:nnnnErrors will be indicated by applying theerror classErrors will also be indicated by hidingor showing error messages AThe final total will be written to thepage BAlerts will not be usedThere are a couple of ways of showing andhiding error messages. The simplest, to beimplemented here, is to manually add themessages to the form, and then toggle theirvisibility using JavaScript. Accordingly, thesesteps begin by updating the HTML page.A Error messages are now displayed next to theproblematic form inputs.To manipulate the DoM:1. Open calculator.html in your text editoror IDE, if it is not already.2. Between the quantity form element andits closing paragraph tag, add an errormessage (Script 15.6):Quantity:➝ ➝ Please enter➝ a valid quantity!Now following the input is a textualerror, which also has a unique id. Thespan containing the error also uses theerrorMessage class. This impacts themessage’s formatting, thanks to theexternal CSS document, and makes iteasier for jQuery to globally hide all errormessages upon first loading the page.B The results of the calculationsare now displayed abovethe form.474 Chapter 15

3. Repeat Step 2 for the other twoform inputs:Price: ➝ Please enter a valid price!➝ Tax (%): ➝ Please enter a valid tax!➝ 4. Save the file.5. Open calculator.js in your text editoror IDE, if it is not already.continues on next pageScript 15.6 The updated HTML page has hardcoded error messages beside the key form inputs.1 2 3 4 5 Widget Cost Calculator6 7 8 9 10 11 12 Widget Cost Calculator13 14 15 Quantity: Please enter a valid quantity!16 Price: Please enter a valid price!17 Tax (%): Please enter a valid tax!18 19 20 21 Introducing jQuery 475

6. Remove all existing alert( ) calls(Script 15.7).7. Before the submit event handler, hideevery element with the errorMessageclass:$('.errorMessage').hide( );The selector grabs a reference to anyelement of any type that has a class oferrorMessage. In the HTML form, thisapplies only to the three span tags.8. In the if clause code after assigninga value to the local quantity variable,remove the error class and hide theerror message:$('#quantityP').removeClass➝ ('error');$('#quantityError').hide( );As you’ll see in Step 9, when theuser enters an invalid quantity, thequantity paragraph (with an id value ofquantityP) will be assigned the errorclass and the quantity error message(i.e., #quantityError) will be shown. If theuser entered an invalid quantity, but thenentered a valid one, those two effectsmust be undone, using this code here.In the case that an invalid quantity wasnever submitted, the quantity paragraphwill not have the error class and thequantity error message will still be hidden.In situations where jQuery is askedto do something that’s not possible,such as hiding an already hidden element,jQuery just ignores the request.9. If the quantity is not valid, add the errorclass and show the error message:$('#quantityP').addClass('error');$('#quantityError').show( );This is the converse of the code in Step 8.Note that it goes within the else clause.Script 15.7 Using jQuery, the JavaScript code nowmanipulates the DOM instead of using alert( ) calls.1 // Script 15.7 - calculator.js #22 // This script is included by calculator.html.3 // This script handles and validates theform submission.45 // Do something when the document isready:6 $(function( ) {78 // Hide all error messages:9 $('.errorMessage').hide( );1011 // Assign an event handler to theform:12 $('#calculator').submit(function( ) {1314 // Initialize some variables:15 var quantity, price, tax, total;1617 // Validate the quantity:18 if ($('#quantity').val( ) > 0) {1920 // Get the quantity:21 quantity = $('#quantity').val( );2223 // Clear an error, if oneexisted:24 $('#quantityP').removeClass('error');2526 // Hide the error message, ifit was visible:27 $('#quantityError').hide( );2829 } else { // Invalid quantity!3031 // Add an error class:32 $('#quantityP').addClass('error');3334 // Show the error message:35 $('#quantityError').show( );3637 }38code continues on next page476 Chapter 15

Script 15.7 continued39 // Validate the price:40 if ($('#price').val( ) > 0) {41 price = $('#price').val( );42 $('#priceP').removeClass('error');43 $('#priceError').hide( );44 } else {45 $('#priceP').addClass('error');46 $('#priceError').show( );47 }4849 // Validate the tax:50 if ($('#tax').val( ) > 0) {51 tax = $('#tax').val( );52 $('#taxP').removeClass('error');53 $('#taxError').hide( );54 } else {55 $('#taxP').addClass('error');56 $('#taxError').show( );57 }5859 // If appropriate, perform thecalculations:60 if (quantity && price && tax) {6162 total = quantity * price;63 total += total * (tax/100);6465 // Display the results:66 $('#results').html('The totalis $' + total + '.');6768 }6970 // Return false to prevent anactual form submission:71 return false;7273 }); // End of form submission.7475 }); // End of document ready.10. Repeat Steps 8 and 9 for the price,making that if-else read:if ($('#price').val( ) > 0) {price = $('#price').val( );$('#priceP').removeClass➝ ('error');$('#priceError').hide( );} else {$('#priceP').addClass('error');$('#priceError').show( );}11. Repeat Steps 8 and 9 for the tax,making that if-else read:if ($('#tax').val( ) > 0) {tax = $('#tax').val( );$('#taxP').removeClass('error');$('#taxError').hide( );} else {$('#taxP').addClass('error');$('#taxError').show( );}12. After calculating the total, within thesame if clause, update the resultsparagraph:$('#results').html('The total is➝ $' + total + '.');Instead of using an alert box, the totalmessage can just be written to the HTMLpage dynamically. One way of doingso is by changing the text or HTMLof an element on the page. The pagealready has an empty paragraph for thispurpose, with an id value of results. Tochange the text found within the paragraph,one would apply the text( ) function.To change the HTML found withinthe paragraph, use html( ) instead.continues on next pageIntroducing jQuery 477

13. Save the page as calculator.js (in thejs folder) and test the calculator in yourWeb browser.Again, remember that you must reloadthe HTML page (because both the HTMLand the JavaScript have been updated).jQuery will not throw an error if youattempt to select page elements that don’texist. jQuery will also not throw an error ifyou call a function on non-existent elements.In JavaScript, as in other OOP languages,you can “chain” function callstogether, performing multiple actions at onetime. This code reveals a previously hiddenparagraph, adds a new class, and changesits textual content, all in one line:$('#pId').show( ).addClass('thisClass').➝ text('Hello, world!');You can change the attributes of aselection using the attr( ) function. Its firstargument is the attribute to be impacted; thesecond, the new value. For example, the followingcode will disable a submit button byadding the property disabled="disabled":$('#submitButtonId').attr('disabled',➝'disabled');You can add, move, or remove elementsusing the prepend( ), append( ), remove( ),and other functions. See the jQuery manualfor specifics.478 Chapter 15

using AjaxAlong with DOM manipulation, anotherkey use of JavaScript and jQuery is Ajax.The term Ajax was first coined in 2005,although browser support was mixedfor years. Come 2011, Ajax is a standardfeature of many dynamic Web sites, and itsstraightforward use is supported by all themajor browsers. But what is Ajax?Ajax can mean many things, involving severaldifferent technologies and approaches, but atthe end of the day, Ajax is simply the use ofJavaScript to perform a server-side requestunbeknownst to the user. In a standardrequest model, which is to say pretty muchevery other example in this book, the usermay begin on, say, login.html. Upon submissionof the form, the browser will be takento perhaps login.php, where the actualform validation is done, the registration in thedatabase takes place, and the results are displayedA. (Even if the same PHP script bothdisplays and handles a form, the standardrequest model requires two separate andovert requests of that same page.)continues on next pageA A standard client-server request model, with the browser constantly reloadingentire Web pages.Introducing jQuery 479

With the Ajax model, the form submissionwill be hijacked by JavaScript, which willin turn send the form data to a server-sidePHP script. That PHP script does whatevervalidation and other tasks necessary, andthen returns only data to the client-sideJavaScript, indicating the results of theoperation. The client-side JavaScript thenuses the returned data to update the Webpage B. Although there are more steps,the user will be unaware of most of them,and be able to continue interacting with theWeb page while this process takes place.Incorporating Ajax into a Web site resultsin an improved user experience, more similarto how desktop applications behave.Secondarily, there can be better performance,with less data being transmittedback and forth (e.g., an entire second pageof HTML, like login.php, does not need tobe transmitted).You already know much of the informationrequired for performing Ajax transactions:form validation with JavaScript, form validationwith PHP, and using JavaScript toupdate the DOM. The last bit of knowledgeyou need is how to perform the actualAjax request using jQuery. Over the nextseveral pages, you’ll create the HTML form,the server-side PHP script, and the intermediaryJavaScript, all for the sake of handlinga login form. In order to shorten andsimplify the code a bit, I’ve cut a coupleof corners, but I’ll indicate exactly when Ido so, and every cut will be in an area youcould easily flesh out on your own.B With Ajax, server requests are made behind the scenes, and the Web browser can beupdated without reloading.480 Chapter 15

Creating the FormThe login form simply needs two inputs:one for an email address and anotherfor a password C. The form will use thesame techniques for displaying errors andindicating results as calculator.html D.C The login form.D Error messages are revealed beside eachform element.To create the form:1. Begin a new PHP document in your texteditor or IDE, to be named login.php(Script 15.8):continues on next pageScript 15.8 The login form has one text input for the email address, a password input, and a submit button.Other elements exist to be manipulated by jQuery.1 2 3 4 5 Login6 7 8 9 10 11 12 Login13 14 15 Email Address: Please enter your email address!16 Password: Please enter your password!17 18 19 20 Introducing jQuery 481

LoginThis will actually be a PHP script, not justan HTML file. The page uses the sameexternal CSS file as calculator.html.2. Incorporate the jQuery library and asecond JavaScript file:The page will use the same jQuerylibrary as calculator.html. The pagespecificJavaScript will go in login.js.Both will be stored in the js folder, foundin the same directory as this script.3. Complete the HTML head and beginthe body:LoginWithin the body, before the form, is anempty paragraph with an id of results,to be dynamically populated withjQuery later E.4. Create the form:Email Address:➝ Please enter➝ your email address!Password:➝ Please➝ enter your password!This form is quite similar to that incalculator.html. Both form elementsare wrapped within paragraphs thathave unique id values, making it easyfor jQuery to apply the error class whenneeded. Both elements are followed bythe default error message, to be hiddenand shown by jQuery as warranted.5. Complete the HTML page:6. Save the page as login.php and loadin your Web browser.Remember that this is a PHP script,so it must be accessed through a URL(http://something).E Upon successfully loggingin, the form will disappear anda message will appear justunder the header.482 Chapter 15

Creating the Server-Side ScriptThe previous sequence of steps goesthrough creating the client side of theprocess: the HTML form. Next, I’m going toskip ahead and look at the server side: thePHP script that handles the form data. Thisscript has to do two things:1. Validate the submitted data.2. Return a string indicating the results.For simplicity’s sake, the PHP script willmerely compare the submitted valuesagainst hardcoded ones, but you couldeasily modify this code to perform adatabase query instead.In terms of the Ajax process, the importantthing is that this PHP script only everreturns a single string F, without any HTMLor other markup G. This is mandatory, asthe entire output of the PHP script is whatthe JavaScript performing the Ajax requestwill receive. And, as you’ll see in the Java-Script for this example, the PHP script’s outputwill be the basis for the error reportingand DOM manipulation to be performed.F The results of the server-side PHP script when a proper request is made.G The HTML source of the server-side PHP script shows that the only output isa simple string, without any HTML at all.Introducing jQuery 483

To handle the Ajax request:1. Begin a new PHP document in yourtext editor or IDE, to be namedlogin_ajax.php (Script 15.9):484 Chapter 15

or begin a session (although see thefollowing tip for the “gotchas” involvedwith doing so).Most importantly, the script simplyechoes the word CORRECT, withoutany other HTML (F and G).5. Complete the three conditionals:} else {echo 'INCORRECT';}} else {echo 'INVALID_EMAIL';}} else {echo 'INCOMPLETE';}These three else clauses complete theconditionals begun in Steps 2, 3, and4. Each simply prints a string indicatinga certain status. The JavaScript associatedwith the login form, to be writtennext, will take different actions basedupon each of the possible results.6. Complete the PHP page:?>7. Save the file as login_ajax.php, andplace it in the same folder of your Webdirectory as login.php.It’s important that the two files are inthe same directory in order for the Ajaxrequest to work.It’s perfectly acceptable for the serversidePHP script in an Ajax process to setcookies or begin a session. Keep in mind,however, that the page in the Web browserhas already been loaded, meaning that pagecannot access cookies or sessions createdafter the fact. You’ll need to use JavaScriptto update the page after creating a cookieor starting a session, but subsequent pagesloaded in the browser will have full access tocookie or session data.Creating the JavaScriptThe final step is to create the JavaScript thatinterrupts the form submission, sends thedata to the server-side PHP script, reads thePHP script’s results, and updates the DOMaccordingly. This is the “glue” between theclient-side HTML form and the server-sidePHP. All of the JavaScript form validation andDOM manipulation will be quite similar towhat you’ve already seen in this chapter. Twonew concepts will be introduced, though.First, you’ll need to know how to createa generic object in JavaScript. In thisparticular case, one object will representthe data to be sent to the PHP script andanother will represent the options for theAjax request. Here is how you create anew object in JavaScript:var objectName = new Object( );The next chapter gets into OOP in moredetail, but understand now that this justcreates a new variable of type Object.The capital letter “O” Object is a blanktemplate in JavaScript (being an objectorientedlanguage, most variables inJavaScript are objects of some type).Once you’ve created the object, youcan add values to it using the syntax:objectName.property = value;If you’re new to JavaScript or OOP, it mayhelp to think of the generic object as beinglike an indexed array, with a name and acorresponding value.The second new piece of information is theusage of jQuery’s ajax( ) function. This functionperforms an Ajax request. It takes as itslone argument the request’s settings. Beingpart of the jQuery library, it’s invoked like so:$.ajax(settings);That’s the basic premise; the particulars willbe discussed in detail in the following code.Introducing jQuery 485

To perform an Ajax request:1. Begin a new JavaScript file in your texteditor or IDE, to be named login.js(Script 15.10):// Script 15.10 - login.js2. Add the jQuery code for handling the“ready” state of the document:$(function( ) {});The JavaScript needs to start with thiscode, in order to set the table once theWeb browser is ready. Because of thecomplicated syntax, I think it’s best toadd this entire block of code first andthen place all of the subsequent codewithin the curly braces.3. Hide every element that has theerrorMessage class:$('.errorMessage').hide( );The selector grabs a reference to anyelement of any type that has a classof errorMessage. In the HTML form,this applies only to the three span tags.Those will be hidden by this code assoon as the DOM is loaded.4. Create an event listener for the form’ssubmission:$('#login').submit(function( ) {});This code is virtually the same as that inthe calculator form. All of the remainingcode will go within these curly brackets.5. Initialize two variables:var email, password;These two variables will act as localrepresentations of the form data.Script 15.10 The JavaScript code in this file performsan Ajax request of a server-side script and updatesthe DOM based upon the returned response.1 // Script 15.10 - login.js2 // This script is included by login.php.3 // This script handles and validates theform submission.4 // This script then makes an Ajaxrequest of login_ajax.php.56 // Do something when the document isready:7 $(function( ) {89 // Hide all error messages:10 $('.errorMessage').hide( );1112 // Assign an event handler to the form:13 $('#login').submit(function( ) {1415 // Initialize some variables:16 var email, password;1718 // Validate the email address:19 if ($('#email').val( ).length >= 6) {2021 // Get the email address:22 email = $('#email').val( );2324 // Clear an error, if one existed:25 $('#emailP').removeClass('error');2627 // Hide the error message, ifit was visible:28 $('#emailError').hide( );2930 } else { // Invalid email address!3132 // Add an error class:33 $('#emailP').addClass('error');3435 // Show the error message:36 $('#emailError').show( );3738 }39code continues on next page486 Chapter 15

Script 15.10 continued40 // Validate the password:41 if ($('#password').val( ).length > 0) {42 password = $('#password').val( );43 $('#passwordP').removeClass('error');44 $('#passwordError').hide( );45 } else {46 $('#passwordP').addClass('error');47 $('#passwordError').show( );48 }4950 // If appropriate, perform theAjax request:51 if (email && password) {5253 // Create an object for theform data:54 var data = new Object( );55 data.email = email;56 data.password = password;5758 // Create an object of Ajaxoptions:59 var options = new Object( );6061 // Establish each setting:62 options.data = data;63 options.dataType = 'text';64 options.type = 'get';65 options.success = function(response) {6667 // Worked:68 if (response = = 'CORRECT') {6970 // Hide the form:71 $('#login').hide( );72code continues on next page6. Validate the email address:if ($('#email').val( ).length >= 6) {email = $('#email').val( );$('#emailP').removeClass➝ ('error');$('#emailError').hide( );The calculator form validated that all ofthe numbers were greater than zero,which isn’t an appropriate validation forthe login form. Instead, the conditionalconfirms that the string length of thevalue of the email input is greater thanor equal to 6 (six characters being theabsolute minimum required for a validemail address, such as a@b.cc). Youcould also use regular expressions inJavaScript to perform more stringentvalidation, but I’m trying to keep thissimple (and the server-side PHP scriptwill validate the email address as well,as you’ve already seen).If the email address value passes theminimal validation, it’s assigned to thelocal variable. Next, the error class isremoved from the paragraph, in case itwas added previously, and the emailspecificerror is hidden, in case it wasshown previously.7. Complete the email addressconditional:} else {$('#emailP').addClass('error');$('#emailError').show( );}This code completes the conditionalbegun in Step 6. The code is the sameas that used in calculator.html, addingthe error class to the entire paragraphand showing the error message D.continues on next pageIntroducing jQuery 487

8. Validate the password:if ($('#password').val( ).length >➝ 0) {password = $('#password').val( );$('#passwordP').removeClass➝ ('error');$('#passwordError').hide( );} else {$('#passwordP').addClass➝ ('error');$('#passwordError').show( );}For the password, the minimum lengthwould likely be determined by theregistration process. As a placeholder,this code just confirms a positivestring length. Otherwise, this codeis essentially the same as that in theprevious two steps.9. If both values were received, storethem in a new object:if (email && password) {var data = new Object( );data.email = email;data.password = password;Script 15.10 continued73 // Show a message:74 $('#results').removeClass('error');75 $('#results').text('You are now logged in!');7677 } else if (response = = 'INCORRECT') {78 $('#results').text('The submitted credentials do not match those on file!');79 $('#results').addClass('error');80 } else if (response = = 'INCOMPLETE') {81 $('#results').text('Please provide an email address and a password!');82 $('#results').addClass('error');83 } else if (response = = 'INVALID_EMAIL') {84 $('#results').text('Please provide your email address!');85 $('#results').addClass('error');86 }8788 }; // End of success.89 options.url = 'login_ajax.php';9091 // Perform the request:92 $.ajax(options);9394 } // End of email && password IF.9596 // Return false to prevent an actual form submission:97 return false;9899 }); // End of form submission.100101 }); // End of document ready.488 Chapter 15

The premise behind this code wasexplained before these steps. First anew, generic object is created. Thena property of that object named emailis created, and assigned the valueof the email address. Finally, a propertynamed password is created, andassigned the value of the entered password.If it helps to imagine this code inPHP terms, the equivalent would be:$data = array( );$data['email'] = $email;$data['password'] = $password;10. Create a new object for the Ajax options,and establish the first three settings:var options = new Object( );options.data = data;options.dataType = 'text';options.type = 'get';Here, another generic object is created.Next, a property named data is assignedthe value of the data object. Thisproperty of the options object storesthe data being passed to the PHP scriptas part of the Ajax request.The second setting is the data typeexpected back from the server-siderequest. As the PHP script login_ajax.php returns (i.e., prints) a simple string,the value here is text. The dataTypesetting impacts how the JavaScriptwill attempt to work with the returnedresponse: it needs to match what theactual server response will be.The type setting is the type of requestbeing made, with get and post beingthe two most common. A GET requestis the default, so it does not need to beassigned here, but the code is beingexplicit anyway.To be clear, because of the name of theproperties in the data object—emailand password—and because of thetype value of get, the login_ajax.phpscript will receive $_GET['email'] and$_GET['password']. If you were to changethe names of the properties in data, orthe value of options.type, the serversidePHP script would receive the Ajaxdata in different superglobal variables.11. Begin defining what should happenupon a successful Ajax request:options.success = function➝ (response) {}; // End of success.The success property defines what theJavaScript should do when the Ajaxquery works. By “work,” I mean that theJavaScript is able to perform a requestof the server-side page and receivea result. For what should actuallyhappen, an anonymous function isassigned to this property. In this step,the anonymous function is definedand the assignment line is completed.The code in subsequent steps will gobetween these curly brackets.As you can see, the anonymous functiontakes one argument: the responsefrom the server-side script, assignedto the response variable. As alreadyexplained, the response received bythe JavaScript will be the entirety ofwhatever is outputted by the PHP script.continues on next pageIntroducing jQuery 489

12. Within the anonymous function createdin Step 11, if the server response equalsCORRECT, hide the form and updatethe page:if (response = = 'CORRECT') {$('#login').hide( );$('#results').removeClass➝ ('error');$('#results').text('You are now➝ logged in!');When the user submits the correctcredentials—email@example.com andtestpass, login_ajax.php will returnthe string CORRECT. In that case, theJavaScript will hide the entire loginform and assign a string to the resultsparagraph, indicating such E. Becauseincorrect submissions may have addedthe error class to this paragraph (seeStep 13), that class is also removed here.13. If the server response equalsINCORRECT, indicate an error:} else if (response = =➝'INCORRECT') {$('#results').text('The submitted➝ credentials do not match➝ those on file!');$('#results').addClass('error');When the user submits a password anda syntactically valid email address, butdoes not provide the correct specificvalues, the server-side PHP script willreturn the string INCORRECT. In thatcase, a different string is assigned to theresults paragraph and the error class isapplied to the paragraph as well H.H The results upon providing invalid login credentials.490 Chapter 15

14. Add clauses for the other two possibleserver responses:} else if (response = =➝'INCOMPLETE') {$('#results').text('Please➝ provide an email address and➝ a password!');$('#results').addClass('error');} else if (response = =➝'INVALID_EMAIL') {$('#results').text('Please➝ provide your email address!');$('#results').addClass('error');}These are repetitions of the code inStep 13, with different messages. This isthe end of the code that goes within thesuccess property’s anonymous function.15. Add the url property and make therequest:options.url = 'login_ajax.php';$.ajax(options);The url property of the Ajax objectnames the actual server-side script towhich the request should be sent. Aslong as login.php and login_ajax.phpare in the same directory, this referencewill work.Finally, after establishing all of the requestoptions, the request is performed.16. Complete the conditional begun in Step9 and return false:} // End of email && password IF.return false;If the email and password variables donot have TRUE values, no Ajax requestis made (i.e., that conditional has noelse clause). Finally, the value falseis returned here to prevent the actualsubmission of the form.17. Save the page as login.js (in the jsfolder) and test the login form in yourWeb browser.As a debugging tip, it often helps to runthe server-side script directly F, to confirmthat it works (e.g., that it doesn’t contain aparse or other error).The Firefox Firebug extension can revealthe details about Ajax requests made by aWeb page I.The Opera Web browser has a built-intool named Dragonfly, which is also an excellentdevelopment resource.Because JavaScript can be disabled byusers, you can never rely strictly upon Java-Script form validation. You must always alsouse server-side PHP validation in order toprotect your Web site.I Thanks to the Firebug extension, you can see what transpires in a behindthe-scenesAjax request.Introducing jQuery 491

Review and pursueIf you have any problems with thereview questions or the pursue prompts,turn to the book’s supporting forum(www.LarryUllman.com/forums/).ReviewnnnnnnnnnnnnnWhat is JavaScript? How doesJavaScript compare to PHP?What is jQuery? What is the relationshipbetween jQuery and JavaScript?How is an external JavaScript fileincorporated into an HTML page? Howis JavaScript code placed within theHTML page itself?Why is it important to wait until theentire DOM has been loaded in orderto execute JavaScript code thatreferences DOM elements?Why are unique identifiers in theDOM necessary?In jQuery, how do you select elementsof a given tag type? How do you selectelements that have a certain class? Howdo you select a specific element?In jQuery, how do you add an eventlistener to a page element (or elements)?What is an event listener?Why must you reload HTML pages afteraltering its JavaScript?What are some of the jQuery functionsone can use to manipulate the DOM?What is Ajax? Why is Ajax a “good thing”?Why must an HTML page that performsa server-side request be loaded througha URL?How do you create a generic objectin JavaScript?What impact does the Ajax request’s typeproperty have? What impact do the namesof the properties in the data object have?pursuennnnnnnnnHead to the jQuery Web site and startperusing the jQuery documentation.Check out jQuery UI and what it can dofor your Web pages.Use the jQuery documentation, or simplysearch online, for some of jQuery’splug-ins. Attempt to use one or more ofthem in a Web page.Once you feel comfortable with the Ajaxprocess, search online for informationabout performing Ajax requests usingJSON (JavaScript Object Notation) orXML (eXtensible Markup Language)to represent the data transmitted backto the JavaScript.See what happens when you referencea DOM element in JavaScript before theentire DOM has been loaded. Witnessingthis should help you recognize what’shappening when you inevitably andaccidentally fail to wait until the browseris ready before referencing the DOM.Update calculator.js so that theresults paragraph is initially clearedupon each form submission. By doingso, the results of previous submissionswon’t be shown upon subsequentinvalid submissions.Modify login_ajax.php so that it usesa database to confirm successful login.Modify login_ajax.php so that it sendsa cookie or begins a session. Create asecondary PHP script that accesses thecreated cookie or session.Modify login.php so that it also performsthe login validation, should the user haveJavaScript disabled. Hint: This is simplerthan you might think—just use PHP tohandle the form submission (in the samefile) as if JavaScript were not present at all.492 Chapter 15

16An OOP PrimerPHP is somewhat unusual as a languagein that it can be used both procedurally,as most of this book demonstrates, andas an Object-Oriented Programming(OOP) language. There are merits to bothapproaches, and one ought to be familiarwith each as well (eventually).Unfortunately, mastery of OOP requires lots oftime and information: my PHP 5 Advanced:Visual QuickPro Guide (Peachpit Press)spends 150 pages on the subject! Still, oneof the great things about OOP is that youcan use it without fully knowing it. You’llsee what this means shortly.In this chapter, which is new to this editionof the book, is a primer for OOP in PHP.Some of the examples will replicate proceduralones already shown in the book, inorder to best compare and contrast the twoapproaches. Various sidebars and tips willmention other uses of OOP in PHP, many ofwhich will not have procedural equivalents.in This ChapterFundamentals and Syntax 494Working with MySQL 497The DateTime Class 511Review and Pursue 518

Fundamentalsand SyntaxIf you’ve never done any Object-OrientedProgramming before, both the conceptand the syntax can be quite foreign. Simplyput, all applications, or scripts, involvetaking actions with information: validatingit, manipulating it, storing it in a database,and so forth. Philosophically, proceduralprogramming is written with a focus on theactions: do this, then this, then this; OOP isdata-centric, focusing more on the kinds ofinformation being used.oop FundamentalsOOP begins with the definition of a class,which is a template for a particular typeof data: an employee, a user, a page ofcontent, and so forth. A class definitioncontains both variables and functions.Syntactically, a variable in a class definitionis called an attribute or property, anda function in a class definition is calledoop vs. proceduralDiscussions as to the merits of OOP vs. procedural programming can quickly escalate to verbalwars, with each side fiercely advocating for their approach. PHP is somewhat unique in that youhave a choice (by comparison, C is strictly a procedural language and Java object-oriented). Inmy opinion, each programming style has its strengths and weaknesses, but neither is “better”than the other.Procedural programming is arguably faster to learn and use, particularly for smaller projects. Butprocedural code can be harder to maintain and expand, especially in more complicated sites, andhas the potential to be buggier.Code written using OOP, on the other hand, may be easier to maintain, specifically on larger projects,and may be more appropriate in team environments. But OOP is harder to master, and whennot done well, is that much more challenging to remedy.In time, you’ll naturally come up with your own opinions and preferences. The real lesson, to me, isto take advantage of the fact that PHP allows for both syntaxes, and not to limit yourself to just onestyle regardless of the situation.494 Chapter 16

a method. Combined, the attributes andmethods are the members of the class.As a theoretical example, you might havea class called Car. Note that class namesconventionally begin with an uppercaseletter. The properties of a Car wouldinclude make, model, year, odometer, andso forth: all information that can be knownabout a car. A Car’s properties can be set,changed, and retrieved, and the valuesof the properties distinguish this Car fromthat Car. A Car’s methods—the things thatthe car can do—would include: start( ),drive( ), park( ), and turnOff( ). Theseactions are common to all Cars.In the introduction to this chapter, I statedthat you can use OOP without reallyknowing it. By that I mean that it’s veryeasy, and common enough, to use anexisting class definition for your ownneeds. In fact, the reusability of code—particularly code created by others—isone of the key benefits of OOP. Whatactually takes a lot of effort, at least to doit right, is to master the design process:understanding what members to defineand, more importantly, how to implementsophisticated OOP concepts such as:nnnnnnInheritanceAccess controlOverriding methodsScope resolutionAbstractionAnd so onWhen you’re interested in learning howto properly create your own classes, youcan look into these subjects in my PHP 5Advanced: Visual QuickPro Guide, amongother resources, but in this chapter, let’sfocus on using existing classes instead ofcreating your own custom ones.oop Syntax in pHpSo let’s say someone has gone throughthe process of designing and defininga Car class. Most classes are not useddirectly; rather, you create an instance ofthat class—a specific variable of the class’stype. That instance is called an object. InPHP, an instance is created using the newkeyword:$obj = new ClassName( );$mine = new Car( );Whereas the code $name = 'Larry'creates a variable of type string, theabove code creates a variable of type Car.Everything that’s part of Car’s definition—every property (i.e., variable) and method(i.e., function)—is now embedded in $mine.Behind the scenes (i.e., in the class definition),a special method called the constructoris automatically invoked when anew object of that type is generated. Theconstructor normally provides whateverinitial setup would be required by the subsequentusage of that object. For example,the MySQLi class’s constructor establishesa connection to the database and theDateTime class’s constructor creates areference to an exact date and time (boththe MySQLi and DateTime classes will beexplicitly used in this chapter).If the constructor takes arguments, like anyfunction can, those may be provided whenthe object is created:$mine = new Car('Honda', 'Fit', 2008);Once you have an object, you referenceits properties (i.e., variables) and call itsmethods (i.e., functions) using the syntax$object_name->member_name:$mine->color = 'Purple';$mine->start( );continues on next pageAn OOP Primer 495

The first line (theoretically) assigns thevalue Purple to the object’s color property.The second line invokes the object’sstart( ) method. As with any functioncall, the parentheses are required. If themethod takes arguments, those can beprovided, too:$mine->drive('Forward');Sometimes you’ll use an object’sproperties as you would any other variable:$mine->odometer += 20;echo "My car currently has $mine->➝ odometer miles on it.";If an object’s method returns a value, themethod can be invoked in the same manneras any function that returns a value:// The fill( ) method takes a number of// gallons being added and returns// how full the tank is:$tank = $mine->fill(8.5);And that’s really enough to know aboutOOP in order to start using it. As you’llsee, the examples over the next fewpages will replicate functionality explainedearlier in the book, so that the contrastingapproaches to the same end result shouldhelp you better understand what’s going on.In documentation, you’ll see theClassName::method_name( ) syntax.This is a way of specifying to which classa method belongs.One of the major changes in PHP 5.3is support for namespaces. Namespaces,in layman’s terms, provide a way to groupmultiple class definitions under a single title.Namespaces are useful for organizing code, aswell as preventing conflicts (e.g., differentiatingbetween my Car class and your Car class).Classes can also have their own constants,just as they have their own variablesand functions. Class constants are normallyused without an instance of that class, as in:echo ClassName::CONSTANT_NAME;OOP in PHP has changed dramaticallyfrom PHP 3 to PHP 4 to PHP 5. The syntaxdiscussed in this chapter will only work withPHP 5 and above.More oop ClassesThere are more OOP classes defined in PHP than just those illustrated in this chapter, althoughI think the MySQLi and DateTime classes are the two most obviously accessible and usable. Thelargest body of classes can be found in the Standard PHP Library (SPL), built into PHP as of version5.0, and greatly expanded in version 5.3.The SPL provides high-end classes in several categories: exception handling, iterators (loops that canwork on any collection of data), custom data types, and more. The SPL is definitely for more advancedPHP programmers and is most beneficial for otherwise strongly or entirely OOP-based code.There are several good classes defined for internationalization purposes, too (www.php.net/intl).These classes define some of the functionality originally intended as part of the now-defunct PHP 6,including the ability to sort words, format numbers, and so forth, in a manner customized to thegiven locale (a locale is a combination of the language, cultural habits, and other unique choicesfor a region).496 Chapter 16

Working with MySQLJust as you can write PHP code in bothprocedural and object-oriented styles,the MySQL Improved extension cansimilarly be used either way to interactwith a database. Chapter 9, “Using PHPwith MySQL,” introduced the basics of theprocedural approach. As a comparison,this chapter will run through the samefunctionality using OOP.There are three defined classes that youwill use herein:nnnMySQLi, the primary class, providesa database connection, a queryingmethod, and more.MySQLi_Result, is used to handlethe results of SELECT queries (amongothers).MySQLi_STMT is for performing preparedstatements (introduced in Chapter 13,“Security Methods”).For each, I’ll explain the basic usage andwalk you through an example script. Fora full listing of all the possibilities—all theproperties and methods of each class—seethe PHP manual.Creating a ConnectionAs with the procedural approach, creatinga connection is the first step in interactingwith MySQL when using object notation.With the MySQLi class, a connection isestablished when the object is instantiated(i.e., when the object is created), by passingthe appropriate connection values tothe constructor:$mysqli = new MySQLi(hostname,➝ username, password, database);Even though this is OOP, you would usethe same MySQL values as you wouldwhen programming procedurally, or whenconnecting to MySQL using the commandlineclient or other interface.If a connection could not be made, theconnect_error property will store thereason why A:if ($mysqli->connect_error) {echo $mysqli->connect_error;}Unfortunately, that approach was buggy(or just plain broken) in versions of PHPprior to 5.2.9, so you’ll see this kludge (anunseemly fix) in the PHP manual instead:if (mysqli_connect_error( )) {echo mysqli_connect_error( );}continues on next pageA A MySQL connection error.An OOP Primer 497

If you are not using PHP 5.2.9 or later,you’ll have to use this last bit of code inyour own scripts.Next, you should establish the character set:$mysqli->set_charset(charset);$mysqli->set_charset('utf8');At this point, you’re ready to execute yourqueries, to be covered next.After executing the queries, call the close( )method to close the database connection:$mysqli->close( );To be extra tidy, you can delete theobject, too:unset($mysqli);To practice this, let’s write a PHP script thatconnects to MySQL. As the subsequenttwo scripts will be updates of scripts fromChapter 9, and will use the same templateas Chapter 9, you’ll want to place thesenext three scripts in the same Web directoriesyou used for Chapter 9.To make an oop MySQL connection:1. Begin a new PHP script in your text editoror IDE, to be named mysqli_oop_connect.php (Script 16.1):

2. Set the database connection parametersas constants:DEFINE ('DB_USER', 'username');DEFINE ('DB_PASSWORD', 'password');DEFINE ('DB_HOST', 'localhost');DEFINE ('DB_NAME', 'sitename');As always, you’ll need to changethe particulars to be correct foryour server. As with Chapter 9, thischapter’s examples will make useof the sitename database.3. Create a MySQLi object:$mysqli = new MySQLi(DB_HOST,➝ DB_USER, DB_PASSWORD, DB_NAME);This is the syntax already explained,using the constants as the values tobe passed to the constructor.4. If an error occurred, show it:if ($mysqli->connect_error) {echo $mysqli->connect_error;unset($mysqli);If the MySQLi object’s connect_errorproperty has a value, it means that thescript could not establish a connection tothe database. In that case, the connectionerror is displayed A, and the objectvariable is unset, since it’s useless.Remember that if you’re using a versionof PHP prior to 5.2.9 (and you do knowwhat, exact, version you’re using, correct?),you’ll need to change this code to:if (mysqli_connect_error( )) {echo mysqli_connect_error( );unset($mysqli);5. If a connection was made, establishthe encoding:} else {$mysqli->set_charset('utf8');}Remember that the encoding used tocommunicate with MySQL needs tomatch the encoding set by the HTMLpages and by the database.6. Save the script as mysqli_oop_connect.php.As with most files in this book that aremeant to be included by other scripts,this one omits the closing PHP tag.7. Ideally, place the file outside of the Webdocument directory.Because the file contains sensitiveMySQL access information, it ought tobe stored securely. If you can, place itin the directory immediately above orotherwise outside of the Web directory(see Chapter 9 for particulars).Again, the following two scripts willuse the template that Chapter 9 used,so you should store this connectionscript in the same directory as mysqli_connect.php from Chapter 9.continues on next pageAn OOP Primer 499

8. Temporarily place a copy of the scriptwithin the Web directory and run it inyour Web browser.In order to test the script, you’ll wantto place a copy on the server so thatit’s accessible from the Web browser(which means it must be in the Webdirectory). If the script works properly,the result should be a blank page.If you see an Access denied… orsimilar message A, it means that thecombination of username, password,and host does not have permission toaccess the particular database.9. Remove the temporary copy from theWeb directory.You can use print_r( ) to learn about,and debug, objects in PHP code B:echo '' . print_r($mysqli, 1) .➝'';Since the $mysqli object is unset if noconnection is made, any script that needs itcan be written to test for a successful connectionby just using:if (isset($mysqli)) { // Do whatever.For brevity sake, this test is omitted in subsequentscripts, but know it’s possible.The MySQLi constructor takes two morearguments: the port to use and the socket.When running MAMP or XAMPP (see AppendixA, “Installation” which you can downloadfrom peachpit.com), you may need to providethe port.The MySQLi::character_set_name( )method returns the current character set. TheMySQLi::get_charset( ) method returns thecharacter set, collation, and more.You can change the database used bythe current connection via the select_db( )method:$mysqli->select_db(dbname);B Using print_r( ) on an object, perhaps wrapped within preformatted tagsto make its output easier to read, reveals the object’s many property namesand values.500 Chapter 16

executing Simple QueriesOnce you’ve successfully established aconnection to the MySQL server, you canbegin using the MySQLi object to query thedatabase. For that, call the appropriatelynamed query( ) method:$mysqli->query(query);Its lone argument is the SQL command tobe executed, which I normally assign to aseparate variable beforehand:$q = 'SELECT * FROM tablename';$mysqli->query($q);You can test for the query’s error-freeexecution by using the method call asa condition:if ($mysqli->query($q)) { // Worked!Alternatively, you can check the errorproperty C:if ($mysqli->error) { // Did not➝ work!echo $mysqli->error;}If the query just executed was an INSERT,you can retrieve the automaticallygenerated primary key value via theinsert_id property:$id = $mysqli->insert_id;If the query just executed was an UPDATE,INSERT, or DELETE, you can retrieve thenumber of affected rows—how many rowswere updated, inserted, or deleted—fromthe affected_rows property:echo "$mysqli->affected_rows rows➝ were affected by the query.";The last thing to know, before executingany queries, is how to sanctify data usedin the query. To do so, apply the real_escape_method( ) to a string variablebeforehand:$var = $mysqli->real_escape_➝ string($var);This is equivalent to invoking mysqli_real_escape_string( ), and preventsapostrophes and other problematiccharacters from breaking the syntax of theSQL command.Using all this information, the next set ofsteps will rewrite register.php (Script 9.5)from Chapter 9, using OOP.C A problem with a query results in a MySQL error.An OOP Primer 501

To execute simple queries:1. Open register.php (Script 9.5) in yourtext editor or IDE.2. Change the inclusion of the MySQLconnection script to (Script 16.2):require ('../mysqli_oop_connect.php');Assuming that mysqli_oop_connect.php is in the directory above this one,this code will work. If your directorystructure differs, change the referenceto the file accordingly.3. Change each use of mysqli_real_escape_string( ) to:$mysqli->real_escape_string( ):$fn = $mysqli->real_escape_string➝ (trim($_POST['first_name']));$ln = $mysqli->real_escape_string➝ (trim($_POST['last_name']));$e = $mysqli->real_escape_string➝ (trim($_POST['email']));$p = $mysqli->real_escape_string➝ (trim($_POST['pass1']));Four pieces of data—all strings,naturally—are escaped for addedprotection in the query. Because thescript now uses the MySQL Improvedextension using an object-orientedapproach, these four lines shouldbe changed.4. Update how the query is executed(line 52 of the original script):$mysqli->query($q);To execute a query on the databaseusing OOP, call the object’s query( )method, providing it with the query tobe run.Script 16.2 This updated version of the registrationscript uses the MySQL Improved extension via OOP.1

Script 16.2 continued38 if ($_POST['pass1'] != $_POST['pass2']) {39 $errors[ ] = 'Your passworddid not match the confirmedpassword.';40 } else {41 $p = $mysqli->real_escape_string(trim($_POST['pass1']));42 }43 } else {44 $errors[ ] = 'You forgot to enteryour password.';45 }4647 if (empty($errors)) { // Ifeverything's OK.4849 // Register the user in thedatabase...5051 // Make the query:52 $q = "INSERT INTO users(first_name, last_name, email,pass, registration_date) VALUES('$fn', '$ln', '$e', SHA1('$p'),NOW( ) )";5354 // Execute the query:55 $mysqli->query($q);5657 if ($mysqli->affected_rows = =1) { // If it ran OK.5859 // Print a message:60 echo 'Thank you!61 You are now registered. InChapter 12 you will actually beable to log in!';6263 } else { // If it did not run OK.6465 // Public message:66 echo 'System Error67 You could notbe registered due to a systemerror. We apologize for anyinconvenience.';6869 // Debugging message:70 echo '' . $mysqli->error .'Quer y: ' . $q .'';5. Change the confirmation of the query’sexecution to read (originally line 53):if ($mysqli->affected_rows = = 1) {The previous version of the script usedthe result variable to confirm that thequery worked:if ($r) {Here, the conditional more formallyasserts that the number of affectedrows equals 1.Script 16.2 continuedcontinues on next page7172 } // End of if ($r) IF.7374 $mysqli->close( ); // Close thedatabase connection.75 unset($mysqli);7677 // Include the footer and quit thescript:78 include ('includes/footer.html');79 exit( );8081 } else { // Report the errors.8283 echo 'Error!84 The followingerror(s) occurred:';85 foreach ($errors as $msg) {// Print each error.86 echo " - $msg\n";87 }88 echo 'Please try again.';8990 } // End of if (empty($errors)) IF.9192 $mysqli->close( ); // Close thedatabase connection.93 unset($mysqli);9495 } // End of the main Submit conditional.96 ?>code continues on next pageAn OOP Primer 503

6. Update the debugging error messageto use the object (line 66 of theoriginal script):echo '' . $mysqli->error .➝'Quer y: ' . $q .➝'';Instead of invoking the mysqli_error( ) function, the error propertyof the object will store the databasereported problem C.7. Finally, change both instances wherethe database connection is closed to:$mysqli->close( );unset($mysqli);The first line closes the connection. Thesecond line removes the variable fromexistence. This step frees up the usedmemory and while not obligatory, is aprofessional touch.The original script closed the databaseconnection in two places; make sureyou update both.8. Save the script, place it in your Webdirectory, and test it in your Webbrowser D.D If all of the code was updated as appropriate,the registration script should work as it did before.Script 16.2 continued97 Register98 99 First Name:

Fetching ResultsThe previous section demonstrated howto execute “simple” queries, which is howI categorize queries that don’t return rowsof results. When executing SELECT queries,the code is a bit different, as you haveto handle the query’s results. First, afterestablishing the MySQLi object, you run thequery on the database using the query( )method. If the query is expected to return aresult set, assign the results of the methodinvocation to another variable:$q = 'SELECT * FROM tablename';$result = $mysqli->query($q);The $result variable will be an objectof type MySQLi_Result: just as somefunctions return a string or an integer,MySQLi::query( ) will return a MySQLi_Result object. Its num_rows property willreflect the number of records in the queryresult:if ($result->num_rows > 0) {➝ // Handle the results.If you have only one row returned by thequery, you can just call the fetch_array( )method to get it:$row = $result->fetch_array( );This method, like the procedural mysqli_fetch_array( ) counterpart, takes aconstant as an optional argument toindicate whether the returned row shouldbe treated as an associative array (MYSQLI_ASSOC), an indexed array (MYSQLI_NUM), orboth (MYSQLI_BOTH). MYSQLI_BOTH is thedefault value.When you have multiple records to fetch,you can do so using a loop:while ($row = $result->fetch_array➝ (MYSQLI_NUM)) {// Use $row.}With that code, $row within the loopwill be an array, meaning you accessindividual columns using either $row[0]or $row['column'] (assuming you’re usingthe appropriate constant). If you’re reallyenjoying the OOP syntax, you can use thefetch_object( ) method instead, therebycreating an object instead of an array:$q = 'SELECT user_id, first_name➝ FROM users';$result = $mysqli->query($q);while ($row = $result->fetch_➝ object( )) {// Use $row->user_id// Use $row->first_name}Once you’re done with the results, youshould free the resources they required:$result->free( );Let’s take this information to updateview_users.php (Script 9.6).An OOP Primer 505

To retrieve query results:1. Open view_users.php (Script 9.6) inyour text editor or IDE.2. Change the inclusion of the MySQLconnection script to (Script 16.3):require ('../mysqli_oop_connect.php');Again, the path needs to be correct foryour setup.3. Change the execution of the query to(originally line 14):$r = $mysqli->query($q);Regardless of the type of query beingexecuted, the same MySQLi::query( )method is called. Here, though, theresults of executing the query areassigned to a new variable, which willbe an object of type MySQLi_Result.For brevity, I’m calling this variable just$r, but you can use the more formal$result, if you’d prefer.4. Alter how the number of returned rowsis determined to (line 17 of the originalscript):$num = $r->num_rows;The result object’s num_rows propertyreflects the number of records returnedby the query. This value is assigned tothe variable $num, as before.Note that this is a property, nota method (it’s $r->num_rows, not$r->num_rows( )).5. Change the while loop to read:while ($row = $r->fetch_object( )) {The change here is that the MySQLi_Result object’s fetch_object( )function is called instead of invokingmysqli_fetch_array( ).Script 16.3 The MySQLi and MySQLi_Resultclasses are used in this script to fetch recordsfrom the database.1

Script 16.3 continued3536 echo ''; // Close the table.3738 $r->free( ); // Free up theresources.39 unset($r);4041 } else { // If no records were returned.4243 echo 'There arecurrently no registered users.';4445 }4647 // Close the database connection.48 $mysqli->close( );49 unset($mysqli);5051 include ('includes/footer.html');52 ?>E The object-oriented version of view_users.php(Script 16.3) looks the same as the original proceduralversion.6. Within the while loop, change howeach column’s value is printed:echo '' .➝ $row->name . '' . $row->dr . '';Since the $row variable is now anobject, object notation, instead of arraynotation, must be used to refer to thecolumns in each row: $row->name and$row->dr instead of $row['name'] and$row['dr'].7. Change how the resources are freed:$r->free( );unset($r);To free the memory taken by thereturned results, call the MySQLi_Resultobject’s free( ) method. Furthermore,since that object won’t be usedanymore in the script, it can be unset.8. Update how the database connectionis closed:$mysqli->close( );unset($mysqli);9. Save the script, place it in your Webdirectory, and test it in your Webbrowser E.The real benefit of using the fetch_object( ) method is that you can have theresults fetched as a particular type of object.For example, say you have defined a Car classin PHP and a script fetches all of the storedinformation about cars from the database. Inthe PHP script, each record can be fetched asan object of Car class type. By doing so, you’llhave created a PHP Car object, whose data ispopulated from the database record, but canstill invoke the methods of the Car class.An OOP Primer 507

prepared StatementsChapter 13 introduced another way of executingqueries: using prepared statements. Preparedstatements can offer improved security,and possibly even better performance, overthe standard approach to running queries.Naturally, you can execute prepared statementsusing the MySQL Improved extensionas objects. The steps are the same: aftercreating a MySQLi object (and therefore aconnection to the database), younnnPrepare the queryBind the parametersExecute the queryIn actual code that looks like:$q = 'INSERT INTO tablename (this,➝ that) VALUES (?, ?)';$stmt = $mysqli->prepare($q);$stmt->bind_param('si', $this, $that);$this = 'Larry';$that = 234;$stmt->execute( );The MySQLi::prepare( ) method returnsan object of type MySQLi_STMT. That objecthas a few key properties:nnnnaffected_rows stores how many rowswere affected by the statement, normallyapplicable to INSERT, UPDATE, andDELETE queries.num_rows reflects the number of recordsin the result set for a SELECT query.insert_id stores the automaticallygenerated ID value for the previousINSERT query.error represents any error that mighthave occurred.Once you’re done executing the preparedstatement, you should close the statement:$stmt->close( );Let’s apply this information by updatingpost_message.php (Script 13.6). This isa stand-alone script that uses the forumdatabase and isn’t, in Chapter 13 or thischapter, tied to any other scripts.To execute prepared statements:1. Open post_message.php (Script 13.6) inyour text editor or IDE.2. Change the creation of the databaseconnection to (Script 16.4):$mysqli = new MySQLi('localhost',➝'username', 'password', 'forum');$mysqli->set_charset('utf8');The previous version of the script didnot use a separate connection script,and neither will this one. Make sureyour values are correct for connectingto the forum database on your server.3. Alter the preparation of the query toread (line 21 of the original script):$stmt = $mysqli->prepare($q);The MySQLi::prepare( ) method preparesa statement, taking the query as itslone argument. It returns an object of typeMySQLi_STMT, assigned to $stmt here.4. Change the binding of parameters to:$stmt->bind_param('iiiss',➝ $forum_id, $parent_id, $user_id,➝ $subject, $body);This code change is simply frommysqli_stmt_bind_param($stmt… to$stmt->bind_param(… The method’s firstargument is an indicator of the data typesto follow. The subsequent arguments arethe PHP variables to which the query’splaceholders are bound.5. Update the execution of the statement to:$stmt->execute( );continues on page 510508 Chapter 16

Script 16.4 In this version of a script from Chapter13, the MySQLi_STMT class is used to execute aprepared statement.1 2 3 4 5 Post a Message6 7 8 58 5960 Post a message:6162 Subject: 6364 Body: 6566 67 68 69 7071 72 73 An OOP Primer 509

6. Change the conditional that tests thesuccess to:if ($stmt->affected_rows = = 1) {To confirm the success of an INSERTquery, check the number of affectedoutbound parametersAs in Chapter 13, the post_message.phpscript is a demonstration of using inboundparameters: associating placeholders ina query with PHP variables. You can alsouse outbound parameters: binding thevalues returned by a query to PHP variables.To start, you prepare the query:$q = 'SELECT this, that FROM➝ tablename';$stmt = $mysqli->prepare($q);Then you bind the returned rows tovariables:$stmt->bind_result($this, $that);Next, you call the MySQLi_STMT::fetch( )method, most likely as part of a while loop:while ($stmt->fetch( )) {}Within the while loop, $this and $thatwill store each record’s returned columns.Outbound parameters don’t offer addedsecurity, like inbound parameters, ornecessarily better performance, but ifyou have a query that uses preparedstatements, it would make sense to useboth inbound and outbound parameters.For example, take a login query:SELECT user_id, first_name➝ FROM users WHERE email='?' AND➝ pass=SHA1('?')You would use inbound parameters torepresent the submitted email addressand password but use outbound parametersfor the retrieved user ID and firstname from that same query.rows, here referencing the affected_rows property of the MySQLi_STMT object.7. Change the error reporting to use:echo '' . $stmt->error . '';At this point in the script, an error wouldmost likely be because of something likeusing a duplicate value for a column thatmust be unique. If there was a syntacticalerror in the query, that would be in$mysqli->error after preparing the query.8. Update how the statement is closed:$stmt->close( );unset($stmt);9. Alter how the database connectionis closed:$mysqli->close( );unset($mysqli);10. Save the script, place it in your Webdirectory, and test it in your Webbrowser F and G.F The HTML form for posting a new message.G The new message has been successfullystored in the database.510 Chapter 16

The DateTime ClassAdded in version 5.2 of the language is theDateTime class. An alternative to the dateandtime-related functions introduced inChapter 11, “Web Application Development,”the DateTime class packages together all thefunctionality you might need for manipulatingdates and times. It’s especially useful forconverting and comparing dates and times.To begin, create a new DateTime object:$dt = new DateTime( );If created without providing any arguments tothe constructor, the generated DateTime argumentwill represent the current date and time.To create a representation of a specific dateand time, provide that as the first argument:$dt = new DateTime('2011-04-20');$dt = new DateTime('2011-04-20 11:15');There are many acceptable formats forspecifying the date and time, detailed inthe PHP manual. You can also establish thedate or time after creating the object usingthe setDate( ) and setTime( ) methods.The setDate( ) method expects to receive,in order, the desired year, month, and day.The setTime( ) method takes the hour, minute,and optional seconds, as its arguments:$dt = new DateTime( );$dt->setDate(2001, 4, 20);$dt->setTime(11, 15);The DateTime object will only allow you toestablish valid dates and times, throwingan exception for invalid ones A:$dt = new DateTime('2011-13-42');Exceptions are a topic not previouslyintroduced. Whereas procedural code maygenerate errors, objects throw exceptions(yes, it’s said that they’re thrown). Whenyou get further along with OOP, you’ll learnhow to use try…catch blocks to “catch”and handle thrown exceptions.The DateTime constructor takes anoptional second argument, which is thetime zone to use. If not provided, thedefault time zone for that PHP installationapplies. You can also change the time zoneafter the fact, using setTimezone( ). Notethat both the setTimezone( ) method, andthe constructor, take DateTimeZone objectsas arguments, not strings:$tz = new DateTimeZone('America/➝ New_York');$dt->setTimezone($tz);Once you have a DateTime object, youcan manipulate its value by adding andsubtracting time periods. One way to doso is the modify( ) method:$dt->modify('+1 day');$dt->modify('-1 month');$dt->modify('next Thursday');The values you can provide to the methodare quite flexible, and correspond tothose that are usable in the strtotime( )function (which converts a string to atimestamp; see the PHP manual for details).The add( ) method is used to add a timeperiod to the represented date and time.continues on next pageA Attempting tocreate a DateTimeobject with an invaliddate or time results inan exception.An OOP Primer 511

It takes as its lone argument an object oftype DateInterval:$di = new DateInterval(interval);$dt->add($di);There’s a specific notation used to set theinterval, always starting with the letter P,for “period.” After that, add an integer anda period designator: Y, for years; M, formonths; D, for days; W, for weeks; H, forhours; M, for minutes; and S, for seconds.You may wonder how the letter M canrepresent both months and minutes: thisis possible because hours, minutes, andseconds should also be preceded by a T, fortime. These characters should be combinedin order from largest to smallest (i.e., fromyears to seconds). Here are some examples:nnnP3W represents three weeksP2Y3M represents two years andthree monthsP2M3DT4H18M43S representstwo months, three days, four hours,18 minutes, and 43 secondsThe sub( ) method functions just the sameas add( ), but subtracts the time periodfrom the object:$di = new DateInterval('P2W');➝ // 2 weeks$dt->sub($di);The diff( ) method returns a DateIntervalobject that reflects the amount of timebetween two DateTime objects:$diff = $dt->diff($dt2);The DateInterval class defines severalproperties for representing the calculatedinterval: y for years, m for months, d for days,h for hours, i for minutes, s for seconds,and days, which also represents days.The last DateTime class method you shouldbe familiar with is format( ), which returns therepresented date formatted as you want it:echo $dt->format(format);For the formatting, you can use the samecharacters as the date( ) function, coveredin Chapter 11.To demonstrate all of this information, thisnext script will perform a task needed bymany Web sites: allow the user to entertwo dates to create a range B. This scriptwill perform top-quality validation of thesubmitted dates, and calculate the numberof days between them C. The informationpresented could easily be applied to, say,a hotel registration system or the like. Thescript will use much of the informationjust presented, and even do a straightcomparison of two DateTime objects, afeature possible since PHP 5.2.2.B A simple form for entering two dates, with theformat specified.C If two valid dates are submitted, with the endingdate being after the starting date, the dates aredisplayed again, along with the calculated interval.512 Chapter 16

Script 16.5 Emulating common date selectionfunctionality, this script accepts and validatestwo dates.1 2 3 4 5 DateTime Usage6 7 body {8 font-family: Verdana, Arial,Helvetica, sans-serif;9 font-size: 12px;10 margin: 10px;11 }12 label { font-weight: bold; }13 .error { color: #F00; }14 15 16 17

Script 16.5 continued37 // Return FALSE if it's not a valid date:38 if (!checkdate($date_array[0], $date_array[1], $date_array[2])) return false;3940 // Return the array:41 return $date_array;4243 } // End of validate_date( ) function.4445 // Check for a form submission:46 if (isset($_POST['start'], $_POST['end'])) {4748 // Call the validation function on both dates:49 if ( (list($sm, $sd, $sy) = validate_date($_POST['start'])) && (list($em, $ed, $ey) =validate_date($_POST['end'])) ) {5051 // If it's okay, adjust the DateTime objects:52 $start->setDate($sy, $sm, $sd);53 $end->setDate($ey, $em, $ed);5455 // The start date must come first:56 if ($start < $end) {5758 // Determine the interval:59 $interval = $start->diff($end);6061 // Print the results:62 echo "The event has been planned starting on {$start->format($format)} and endingon {$end->format($format)}, which is a period of $interval->days day(s).";6364 } else { // End date must be later!65 echo 'The starting date must precede the ending date.';66 }6768 } else { // An invalid date!69 echo 'One or both of the submitted dates was invalid.';70 }7172 } // End of form submission.7374 // Show the form:75 ?>76 Set the Start and End Dates for the Thing77 7879 Start Date:

4. Create two DateTime objects:$start = new DateTime( );$end = new DateTime( );Whether the form has been submittedor not, two DateTime objects arefirst created, both of which will beinstantiated using the current date andtime. Subsequently, one or both objectswill be assigned new values.5. Add one day to the end date:$end->modify('+1 day');By default, when the page is firstloaded, the form will be preset withtoday as the starting date and tomorrowas the ending date. To determine theending date, simply modify the object’scurrent value, adding one day.Using the DateInterval object and theDateTime::add( ) method, the samething can be done like so:$day = new DateInterval('P1D');$end->add($day);6. Establish the default format for displayeddates:$format = 'm/d/Y';The script will display a formattedversion of the date in four places.Assigning the preferred format—MM/DD/YYYY—to a variable makesit easier to change later, if desired.7. Begin defining a function:function validate_date($date) {$array = explode('/', $date);Both submitted dates will need to bevalidated in a couple of ways, andwhenever you have repeating code in ascript or application, defining a functionto execute that code may make sense.This function takes a date string (not aDateTime object) as its lone argument.The string will be the user-submittedvalue, something like 08/02/2011. Thefirst thing the function does is breakup the string into its three separateparts—month, day, and year—using theexplode( ) function. The resulting arrayis assigned to the $array variable.8. If the array does not contain threeelements, return false:if (count($array) != 3) return➝ false;The first thing the function does is confirmthat it has exactly three discrete valuesto work with, representing a month, day,and year. If the array does not containthree elements, the function returns thevalue false to indicate an invalid date.The explode( ) line in Step 7 and thisline invalidates any submitted value thatdoesn’t fit the pattern X/Y/Z (althoughthat could still be cat/dog/zebra).Note that normally I would recommendalways using curly brackets inconditionals, but I’ve made this code asshort as possible by omitting them, andkeeping the entire construct on a singleline. Also remember that as soon as afunction executes a return statement,the function is exited.9. If the provided date isn’t a valid date,return false:if (!checkdate($array[0],➝ $array[1], $array[2])) return➝ false;Similar to Step 8, this code invokes PHP’scheckdate( ) function to confirm that theprovided date actually exists. If the datedoes not exist, such as 13/43/2011, thefunction again returns false.continues on next pageAn OOP Primer 515

10. Return the date array and completethe function:return $array;} // End of validate_date( )➝ function.If the provided date is of the correctformat and corresponds to an existingdate, the array of date elements isreturned by the function.11. If the form has been submitted, validatethe user-submitted values:if (isset($_POST['start'],➝ $_POST['end'])) {if ( (list($sm, $sd, $sy) =➝ validate_date($_POST['start']))➝ && (list($em, $ed, $ey) =➝ validate_date($_POST['end'])) ) {If the two variables are set, meaning theform has been submitted, both are runthrough the validate_date( ) function.If that function returns FALSE for eitherdate, this conditional will be FALSE. If thefunction returns an array for both dates,assigned to corresponding month, day,and year variables, then the results canbe determined and displayed.12. Reset the dates to the user-submitteddates:$start->setDate($sy, $sm, $sd);$end->setDate($ey, $em, $ed);Because the provided dates are valid atthis point, both objects can be updatedto represent the user-entered dates. Todo so, the setDate( ) method is invoked,providing it with the individual values.13. If the end date comes after the start date,calculate the interval between them:if ($start < $end) {$interval = $start->diff($end);Just as you can compare two numbersto see if one is greater than orless than the other, you can comparetwo DateTime objects. If the end datedoes come later, then the differencebetween the two dates is calculated byinvoking the diff( ) method on oneobject and providing the other as itsargument. The result is assigned to the$interval variable, which will be anobject of type DateInterval.14. Print the results:echo "The event has been➝ planned starting on {$start->➝ format($format)} and ending on➝ {$end->format($format)}, which➝ is a period of $interval->days➝ day(s).";Finally, the results are displayed C.As you can see, it’s possible to invokeobject methods within quotation marks,thereby printing the output of thatfunction call, but you have to wrapthe whole construct in curly brackets.Referencing attributes, such as$interval->days, does not requirethe curly brackets.15. Complete the conditionals begun inSteps 11 and 13:} else { // End date must be➝ later!echo 'The➝ starting date must precede➝ the ending date.';}} else { // An invalid date!echo 'One or➝ both of the submitted dates➝ was invalid.';}The first else clause applies if bothdates are valid, but the end date does516 Chapter 16

not follow the start date D. The secondelse clause applies if either of the submitteddates does not pass the validate_date() test. In this case, bothdates will retain the default settings E.16. Complete the form submission conditional,close the PHP block, and beginthe HTML form:} // End of form submission.?>Set the Start and End Dates➝ for the Thing17. Create the two inputs for the dates:Start➝ Date:

Review and pursueIf you have any problems with thereview questions or the pursue prompts,turn to the book’s supporting forum(www.LarryUllman.com/forums/).ReviewnnnnnnnnnnnWhat is a class? What is a method?What are variables defined withinclasses called?What is an object? How do you createan object in PHP? How do you call anobject’s methods?What is a constructor?What is the syntax for creating aMySQLi object?How do you execute any kind of queryusing MySQLi?How do you make string data safe touse in a query, when using MySQLi?Hint: there are two answers.How do you check for, and display, aMySQLi error?How do you fetch the results of SELECTqueries using the MySQLi (and other)objects? What is the difference betweenusing MySQLi_Result::fetch_array( )and MySQLi_Result::fetch_object( )?How do you execute a preparedstatement using the MySQLi andMySQLi_STMT classes?What syntax is used to create a newDateTime object? What are the twoways you can set the object’s dateand/or time?What is an exception?pursuennnnnWhen you’re interested in learningmore about OOP, consider reading abook or tutorial on the generic subjectof OOP, without respect to any givenprogramming language.Check out the PHP manual’s documentationon OOP in PHP (www.php.net/oop).Revisit Chapter 9 if you’re unclear asto the need to apply real_escape_string( ) to string data used in queries.Rewrite some of the other scripts fromChapter 9, “Using PHP with MySQL,”and Chapter 10, “Common ProgrammingTechniques,” using MySQLi.Read through the full documentation forthe DateTime class in the PHP manual(www.php.net/datetime).n Learn about the strtotime( )function in the PHP manual(www.php.net/strtotime).nIf you want a big challenge, apply theinformation presented in the previouschapter, along with the jQuery UIDatepicker tool, to create two nice,JavaScript date selectors for thedatetime.php script.518 Chapter 16

17Example—Message BoardThe functionality of a message board (akaa forum) is really rather simple: a post caneither start a new topic or be in responseto an existing one; posts are added to adatabase and then displayed on a page.That’s really about it. Of course, sometimesimplementing simple concepts can bequite hard!To make this example even more excitingand useful, it’s not going to be just amessage board but rather a multilingualmessage board. Each language will haveits own forum, and the key elements—navigation, prompts, introductory text,etc.—will be language-specific.In order to focus on the most importantaspects of this Web application, this chapteromits some others. The three glaringomissions will be: user management, errorhandling, and administration. This shouldn’tbe a problem for you, though, as the nextchapter goes over user management anderror handling in great detail. As for theadministration, you’ll find some recommendationsat the chapter’s end.in This ChapterMaking the Database 520Creating the Index Page 537Creating the Forum Page 538Creating the Thread Page 543Posting Messages 548Review and Pursue 558

Making the DatabaseThe first step, naturally, is to create thedatabase. A sample message boarddatabase A is developed in Chapter 6,“Database Design.” Although that databaseis perfectly fine, a variation on it will be usedhere instead B. I’ll compare and contrastthe two to better explain the changes.To start, the forums table is replaced with alanguages table. Both serve the same purpose:allowing for multiple forums. In thisnew database, the topic—PHP and MySQLfor Dynamic Web Sites—will be the samein every forum, but each forum will use adifferent language. The posts will differin each forum (this won’t be a translationof the same forum in multiple languages).The languages table stores the nameof a language in its own alphabet and inEnglish, for the administrator’s benefit (thisassumes, of course, that English is theadministrator’s primary language).The threads table in the new databaseacts like the messages table in the oldone, with one major difference. Just asthe old messages table relates to forums,threads relates to the languages and userstables (each message can only be in oneforum and by one user; each forum canhave multiple messages, and each usercan post multiple messages). However, thisthreads table will only store the subject, notthe message itself. There are a couple ofA The model for the forum database developed in Chapter 6.B The revised model for the forum database to be used in this chapter.520 Chapter 17

easons for this change. First, having a subjectrepeat multiple times with each reply(replies, in my experience, almost alwayshave the same subject anyway) is unnecessary.Second, the same goes for the lang_idassociation (it doesn’t need to be in eachreply as long as each reply is associatedwith a single thread). Third, I’m changingthe way a thread’s hierarchy will be indicatedin this database (you’ll see how in thenext paragraph), and changing the tablestructures helps in that regard. Finally, thethreads table will be used every time a userlooks at the posts in a forum. Removing themessage bodies from that table will improvethe performance of those queries.Moving on to the posts table, its solepurpose is to store the actual bodies ofthe messages associated with a thread. InChapter 6’s database, the messages tablehad a parent_id column, used to indicatethe message to which a new message wasa response. It was hierarchical: message 3might be the starting post; message 18 mightbe a response to 3, message 20 a responseto 18, and so on C. That version of the databasemore directly indicated the responses;this version will only store the thread that amessage goes under: messages 18 and 20both use a thread_id of 3. This alteration willmake showing a thread much more efficient(in terms of the PHP and MySQL required),and the date/time that each message wasposted can be used to order them.Those three tables provide the bulk of theforum functionality. The database also needsa users table. In this version of the forum,only registered users can post messages,which I think is a really, really, really goodpolicy (it cuts way down on spam and hackattempts). Registered users can also havetheir default language (from the languagestable) and time zone recorded along withtheir account information, in order to givethem a more personalized experience. Acombination of their username and passwordwould be used to log in.The final table, words, is necessary tomake the site multilingual. This table willstore translations of common elements:navigation links, form prompts, headers,and so forth. Each language in the site willhave one record in this table. It’ll be a niceand surprisingly easy feature to use. Arguably,the words listed in this table couldalso go in the languages table, but thenthe implication would be that the wordsare also related to the threads table, whichwould not be the case.That’s the thinking behind this new databasedesign. You’ll learn more as you createthe tables in the following steps. As withthe other examples in this book, you canalso download the SQL necessary for thischapter—the commands suggested in thesesteps, plus more—from the book’s correspondingWeb site (www.LarryUllman.com).C How the relationshipamong messages wasindicated using the olderdatabase schema.Example—Message Board 521

To make the database:1. Access your MySQL server and set thecharacter set to be used for communicatingD:CHARSET utf8;I’ll be using the mysql client in thefigures, but you can use whateverinterface you’d like. The first step,though, has to be changing thecharacter set to UTF-8 for the queriesto come. If you don’t do this, some ofthe characters in the queries will bestored as gibberish in the database(see the sidebar “Strange Characters”).Note that if you’re using phpMyAdmin,you’ll need to establish the characterset in its configuration file.Strange CharactersIf, when you’re implementing thischapter’s example, you see strangecharacters—boxes, numeric codes,or question marks instead of actuallanguage characters—there might beseveral reasons why. When this happens,the underlying issue is one ofmismatching encodings (or, in databaseterms, character sets).A computer’s ability to display a characterdepends on both the file’s encodingand the characters (i.e., fonts) supportedby the operating system. This meansthat every PHP or HTML page must usethe proper encoding. Secondarily, thedatabase in MySQL must use the properencoding (as indicated in the steps forcreating the database). Third, and thiscan be a common cause of problems,the communication between PHPand MySQL must also use the properencoding. I address this issue in themysqli_connect.php script (see the firsttip). Finally, if you use the mysql client,phpMyAdmin, or another tool to populatethe database, that interaction must usethe proper encoding, too.D In order to use Unicode data in queries, you need to change the character set used tocommunicate with MySQL.522 Chapter 17

2. Create a new database E:CREATE DATABASE forum2 CHARACTER➝ SET utf8;USE forum2;So as not to muddle things with thetables created in the original forumdatabase (from Chapter 6), a newdatabase will be created.If you’re using a hosted site and cannotcreate your own databases, use thedatabase provided for you and selectthat. If your existing database hastables with these same names—words,languages, threads, users, and posts,rename the tables (either the existing orthe new ones) and change the code inthe rest of the chapter accordingly.Whether you create this database fromscratch or use a new one, it’s veryimportant that the tables use the UTF-8encoding, in order to be able to supportmultiple languages (see Chapter6 for more). If you’re using an existingdatabase and don’t want to potentiallycause problems by changing the characterset for all of your tables, just addthe CHARACTER SET utf8 clause to eachtable definition (Steps 3 through 7).3. Create the languages table F:CREATE TABLE languages (lang_id TINYINT UNSIGNED NOT NULL➝ AUTO_INCREMENT,lang VARCHAR(60) NOT NULL,lang_eng VARCHAR(20) NOT NULL,PRIMARY KEY (lang_id),UNIQUE (lang));This is the simplest table of the bunch.There won’t be many languages represented,so the primary key (lang_id ) canbe a TINYINT. The lang column is defineda bit larger, as it’ll store characters inother languages, which may requiremore space. This column must also beunique. Note that I don’t call this column“language,” as that’s a reserved keywordin MySQL (actually, I could still call it that,and you’ll see what would be required todo that in Step 7). The lang_eng columnis the English equivalent of the languageso that the administrator can easily seewhich languages are which.continues on next pageE Creating andselecting the databasefor this example. Thisdatabase uses theUTF-8 character set,so that it can supportmultiple languages.F Creating thelanguages table.Example—Message Board 523

4. Create the threads table G:CREATE TABLE threads (thread_id INT UNSIGNED NOT NULL➝ AUTO_INCREMENT,lang_id TINYINT(3) UNSIGNED NOT➝ NULL,user_id INT UNSIGNED NOT NULL,subject VARCHAR(150) NOT NULL,PRIMARY KEY (thread_id),INDEX (lang_id),INDEX (user_id));The threads table contains fourcolumns and relates to both thelanguages and users tables (throughthe lang_id and user_id foreign keys,respectively). The subject here needsto be long enough to store subjects inmultiple languages (characters take upmore bytes in non-Western languages).The columns that will be used in joinsand WHERE clauses—lang_id anduser_id—are indexed, as is thread_id(as a primary key, it’ll be indexed).5. Create the posts table H:CREATE TABLE posts (post_id INT UNSIGNED NOT NULL➝ AUTO_INCREMENT,thread_id INT UNSIGNED NOT NULL,user_id INT UNSIGNED NOT NULL,message TEXT NOT NULL,posted_on DATETIME NOT NULL,PRIMARY KEY (post_id),INDEX (thread_id),INDEX (user_id));The main column in this table is message,which stores each post’s body.Two columns are foreign keys, tyinginto the threads and users tables. TheG Creating the threads table. This table stores the topic subjectsand associates them with a language (i.e., a forum).H Creating the posts table, which links to both threads and users.524 Chapter 17

posted_on column is of type DATETIME,but will use UTC (Coordinated UniversalTime, see Chapter 6). Nothing specialneeds to be done here for that, though.6. Create the users table I:CREATE TABLE users (user_id MEDIUMINT UNSIGNED NOT➝ NULL AUTO_INCREMENT,lang_id TINYINT UNSIGNED NOT NULL,time_zone VARCHAR(30) NOT NULL,username VARCHAR(30) NOT NULL,pass CHAR(40) NOT NULL,email VARCHAR(60) NOT NULL,PRIMARY KEY (user_id),UNIQUE (username),UNIQUE (email),INDEX login (username, pass));For the sake of brevity, I’m omittingsome of the other columns you’d putin this table, such as registration date,first name, and last name. For more oncreating and using a table like this, seethe next chapter.In my thinking about this site, I expectusers will select their preferred languageand time zone when theyregister, so that they can have a morepersonalized experience. They can alsohave a username, which will be displayedin posts (instead of their emailaddress). Both the username and theemail address must be unique, which issomething you’d need to address in theregistration process.continues on next pageI Creating a bare-bones version of the users table.Example—Message Board 525

7. Create the words table J:CREATE TABLE words (word_id TINYINT UNSIGNED NOT NULL➝ AUTO_INCREMENT,lang_id TINYINT UNSIGNED NOT NULL,title VARCHAR(80) NOT NULL,intro TINYTEXT NOT NULL,home VARCHAR(30) NOT NULL,forum_home VARCHAR(40) NOT NULL,`language` VARCHAR(40) NOT NULL,register VARCHAR(30) NOT NULL,login VARCHAR(30) NOT NULL,logout VARCHAR(30) NOT NULL,new_thread VARCHAR(40) NOT NULL,subject VARCHAR(30) NOT NULL,body VARCHAR(30) NOT NULL,submit VARCHAR(30) NOT NULL,posted_on VARCHAR(30) NOT NULL,posted_by VARCHAR(30) NOT NULL,replies VARCHAR(30) NOT NULL,latest_reply VARCHAR(40) NOT NULL,post_a_reply VARCHAR(40) NOT NULL,PRIMARY KEY (word_id),UNIQUE (lang_id));This table will store differenttranslations of common elements usedon the site. Some elements—home,forum_home, language, register,login, logout, and new_thread—will bethe names of links. Other elements—subject, body, submit—are used on thepage for posting messages. Anothercategory of elements are those usedon the forum’s main page: posted_on,posted_by, replies, and latest_reply.Some of these will be used multipletimes in the site, and yet, this is still anincomplete list. As you implement thesite yourself, you’ll see other placeswhere word definitions could be added.Each column is of VARCHAR type, exceptfor intro, which is a body of text to beused on the main page. Most of thecolumns have a limit of 30, allowingfor characters in other languages thatrequire more bytes, except for a handfulof columns that might need to be bigger.For each column, its name implies thevalue to be stored in that column. Forone—language—I’ve used a MySQLJ Creating the wordstable, which storesrepresentations ofkey words in differentlanguages.526 Chapter 17

keyword, simply to demonstrate howthat can be done. The fix is to surroundthe column’s name in backticks so thatMySQL doesn’t confuse this column’sname with the keyword “language.”8. Populate the languages table:INSERT INTO languages (lang,➝ lang_eng) VALUES('English', 'English'),('Português', 'Portuguese'),('Français', 'French'),('Norsk', 'Norwegian'),('Romanian', 'Romanian'),(' ', 'Greek'),('Deutsch', 'German'),('Srpski', 'Serbian'),(' ', 'Japanese'),('Nederlands', 'Dutch');This is just a handful of the languagesthe site will represent thanks to someassistance provided me (see thesidebar “A Note on Translations”).For each, the native and English wordfor that language is stored K.9. Populate the users table L:INSERT INTO users (lang_id,➝ time_zone, username, pass,➝ email) VALUES(1, 'America/New_York',➝'troutster', SHA1('password'),➝'email@example.com'),(7, 'Europe/Berlin', 'Ute',➝ SHA1('pa24word'),➝'email1@example.com'),(4, 'Europe/Oslo', 'Silje',➝ SHA1('2kll13'),➝'email2@example.com'),(2, 'America/Sao_Paulo', 'João',➝ SHA1('fJDLN34'),➝'email3@example.com'),(1, 'Pacific/Auckland', 'kiwi',➝ SHA1('conchord'),➝'kiwi@example.org');continues on next pageK The populated languagestable, with each languagewritten in its own alphabet.L A few users areadded manually,as there is noregistration processin this site (butsee Chapter 18,“Example—UserRegistration,”for that).Example—Message Board 527

Because the PHP scripts will show theusers associated with posts, a coupleof users are necessary. A language anda time zone are associated with each(see Chapter 6 for more on time zonesin MySQL). Each user’s password will beencrypted with the SHA1( ) function.10. Populate the words table:INSERT INTO words VALUES(NULL, 1, 'PHP and MySQL for➝ Dynamic Web Sites: The Forum!',➝'Welco m e to our site....➝ please use the links above...➝ blah, blah, blah.\r\n➝ Welcome to our site....please➝ use the links above...blah,➝ blah, blah.', 'Home',➝'Forum Home', 'Language',➝'Register', 'Login', 'Logout',➝'New Thread', 'Subject', 'Body',➝'Submit', 'Posted on', 'Posted➝ by', 'Replies', 'Latest Reply',➝'Post a Reply');These are the words associated witheach term in English. The record has alang_id of 1, which matches the lang_idfor English in the languages table. TheSQL to insert words for other languagesinto this table is available from thebook’s supporting Web site.A note on TranslationsSeveral readers around the world werekind enough to provide me with translationsof key words, names, messagesubjects, and message bodies. For theirhelp, I’d like to extend my sincerestthanks to (in no particular order): Angelo(Portuguese); Iris (German); Johan(Norwegian); Gabi (Romanian); Darko(Serbian); Emmanuel and Jean-François(French); Andreas and Simeon (Greek);Darius (Filipino/Tagalog); Olaf (Dutch);and Tsutomu (Japanese).If you know one of these languages, youmay see linguistic mistakes made in thistext or in the corresponding images. Ifso, it’s almost certainly my fault, havingmiscommunicated the words I neededtranslated or improperly entered theresponses into the database. I apologizein advance for any such mistakes buthope you’ll focus more on the database,the code, and the functionality. Mythanks, again, to those who helped!This chapter doesn’t go through thesteps for creating the mysqli_connect.php page, which connects to the database.Instead, just copy the one from Chapter9, “Using PHP with MySQL.” Then changethe parameters in the script to use a validusername/password/hostname combinationto connect to the forum2 database.As a reminder, the foreign key in onetable should be of the exact same type and sizeas the matching primary key in another table.528 Chapter 17

Writing the TemplatesThis example, like any site containing lotsof pages, will make use of a template toseparate out the bulk of the presentationfrom the logic. Following the instructionslaid out in Chapter 3, “Creating DynamicWeb Sites,” a header file and a footer filewill store most of the HTML code. EachPHP script will then include these files tomake a complete HTML page A. But thisexample is a little more complicated.One of the goals of this site is to serveusers in many different languages. Accomplishingthat involves not just letting thempost messages in their native language butmaking sure they can use the whole site intheir native language as well. This meansthat the page title, the navigation links, thecaptions, the prompts, and even the menusneed to appear in their language B.The instructions for making the databaseshow how this is accomplished: by storingtranslations of all key words in a table. Theheader file, therefore, needs to pull outall these key words so that they can beused as needed. Secondarily, this headerfile will also show different links basedupon whether the user is logged in or not.Adding just one more little twist: if theuser is on the forum page, viewing all thethreads in a language, the user will also begiven the option to post a new thread C.The template itself uses CSS for someformatting (there’s not much to it, really).You can download all these files fromthe book’s supporting Web site (www.LarryUllman.com).A The basic layout andappearance of the site.B The home pageviewed in French(compare with A ).C The same home page as in A,but with an added link allowing theuser to start a new thread.Example—Message Board 529

To make the template:1. Begin a new document in your texteditor or IDE, to be named header.html(Script 17.1):

Script 17.1 continued42 $q = "SELECT * FROM words WHERElang_id = {$_SESSION['lid']}";43 $r = mysqli_query($dbc, $q);4445 }4647 // Fetch the results into a variable:48 $words = mysqli_fetch_array($r,MYSQLI_ASSOC);4950 // Free the results:51 mysqli_free_result($r);52 ?>53 55 56 57 58 59 60 body { background-color: #ffffff; }6162 .content {63 background-color: #f5f5f5;64 padding-top: 10px; padding-right:10px; padding-bottom: 10px;padding-left: 10px;65 margin-top: 10px; margin-right:10px; margin-bottom: 10px;margin-left: 10px;66 }6768 a.navlink:link { color: #003366;text-decoration: none; }69 a.navlink:visited { color: #003366;text-decoration: none; }70 a.navlink:hover { color: #cccccc;text-decoration: none; }7172 .title {73 font-size: 24px; font-weight:normal; color: #ffffff;74 margin-top: 5px; margin-bottom:5px; margin-left: 20px;code continues on next page4. Determine the language ID:if ( isset($_GET['lid']) &&filter_var($_GET['lid'],➝ FILTER_VALIDATE_INT,➝ array('min_range' => 1))) {$_SESSION['lid'] = $_GET['lid'];} elseif (!isset($_SESSION['lid'])) {$_SESSION['lid'] = 1; // Default.}Next, the language ID value (abbreviatedlid) needs to be established. Thelanguage ID controls what language isused for all of the site elements, and italso dictates the forum to be viewed.The language ID could be found in thesession, after retrieving that informationupon a successful login (becausethe user’s language ID is stored in theusers table). Alternatively, any user canchange the displayed language on thefly by submitting the language formin the navigation links (see A). In thatcase, the submitted language ID needsto be validated as an integer greaterthan 1: easily accomplished using theFilter extension (see Chapter 13, “SecurityApproaches”). If you’re not using aversion of PHP that supports the Filterextension, you’ll need to use typecastinghere instead (again, see Chapter 13).The second clause applies if thepage did not receive a language IDin the URL and the language ID hasnot already been established in thesession. In that case, a default languageis selected. This value corresponds toEnglish in the languages table in thedatabase. You can change it to anyID that matches the default languageyou’d like to use.continues on next pageExample—Message Board 531

5. Get the keywords for this language:$q = "SELECT * FROM words WHERE➝ lang_id = {$_SESSION['lid']}";$r = mysqli_query($dbc, $q);The next step in the header file is toretrieve from the database all of thekey words for the given language.6. If the query returned no records, get thedefault words:if (mysqli_num_rows($r) = = 0) {$_SESSION['lid'] = 1;$q = "SELECT * FROM words WHERE➝ lang_id = {$_SESSION['lid']}";$r = mysqli_query($dbc, $q);}It’s possible, albeit unlikely, that$_SESSION['lid'] does not equate toa record from the words table. In thatcase the query would return no records(but run without error). Consequently,the default language words mustnow be retrieved. Notice that neitherthis block of code, nor that in Step 5,actually fetches the returned record.That will happen, for both potentialqueries, in Step 7.7. Fetch the retrieved words into an array,free the resources, and close the PHPsection:$words = mysqli_fetch_array($r,➝ MYSQLI_ASSOC);mysqli_free_result($r);?>After this point, the $words array representsall of the navigation and commonelements in the user’s selected language(or the default language).Calling mysqli_free_result( )isn’t necessary, but makes for tidyprogramming.Script 17.1 continued75 padding-top: 5px; padding-bottom:5px; padding-left: 20px;76 }77 78 79 8081 8283 84 85 8687 88 89

Script 17.1 continued108 // Register and login links:109 echo '' . $words['register']. '110 '. $words['login'] . '';111112 }113114 // For choosing a forum/language:115 echo '116 117 ' . $words['language']. '118 ';119120 // Retrieve all the languages...121 $q = "SELECT lang_id, lang FROMlanguages ORDER BY lang_eng ASC";122 $r = mysqli_query($dbc, $q);123 if (mysqli_num_rows($r) > 0) {124 while ($menu_row = mysqli_fetch_array($r, MYSQLI_NUM)) {125 echo "$menu_row[1]\n";126 }127 }128 mysqli_free_result($r);129130 echo '131 132 133 134135 ';136 ?>8. Start the HTML page:Note that the encoding is also indicatedin a META tag, even though the PHPheader( ) call already identifies theencoding. This is just a matter of beingthorough.The header file as written uses asthe title of every page a value in the$words array (i.e., the page title willalways be the same for every page ina chosen language). You could easilymodify this code so that the page’s titleis a combination of the language wordand a page-specific variable, such as$page_title used in Chapter 3 andsubsequent examples.9. Add the CSS:body { background-color: #ffffff; }.content {background-color: #f5f5f5;padding-top: 10px; padding-right:➝ 10px; padding-bottom: 10px;➝ padding-left: 10px;margin-top: 10px; margin-right:➝ 10px; margin-bottom: 10px;➝ margin-left: 10px;}continues on next pageExample—Message Board 533

a.navlink:link { color: #003366;➝ text-decoration: none; }a.navlink:visited { color:➝ #003366; text-decoration:➝ none; }a.navlink:hover { color: #cccccc;➝ text-decoration: none; }.title {font-size: 24px; font-weight:➝ normal; color: #ffffff;margin-top: 5px; margin-bottom:➝ 5px; margin-left: 20px;padding-top: 5px; padding-bottom:➝ 5px; padding-left: 20px;}This is all taken from a template I foundsomewhere some time ago. It adds alittle decoration to the site.10. Complete the HTML head and beginthe page:➝ The page itself uses a table for thelayout, with one row showing thepage title, the next row containing thenavigation links on the left and the pagespecificcontent on the right, and thefinal row containing the copyright D.You’ll see in this code that the page titlewill also be language-specific.11. Start displaying the links:

The first two links will always appear,whether the user is logged in ornot, and regardless of the pagethey’re currently viewing. For eachlink, the text of the link itself will belanguage-specific.12. If the user is logged in, show “newthread” and logout links:if (isset($_SESSION['user_id'])) {if (basename($_SERVER['PHP_➝ SELF']) = = 'forum.php') {echo '' .➝ $words['new_thread'] .➝'';}echo '' .➝ $words['logout'] . '';Confirmation of the user’s logged-instatus is achieved by checking for thepresence of a $_SESSION['user_id']variable. If it’s set, then the logout linkcan be created. Before that, a checkis made to see if this is the forum.phppage. If so, then a link to start a newthread is created (users can only createnew threads if they’re on the forum page;you wouldn’t want them to create a newthread on some of the other pages, likethe home page, because it wouldn’t beclear to which forum the thread shouldbe posted). The code for checking whatpage it is, using the basename( ) function,was first introduced in Chapter 12,“Cookies and Sessions.”13. Display the links for users not logged in:} else {echo '' .➝ $words['register'] . '' . $words['login'] .➝'';}If the user isn’t logged in, links areprovided for registering and logging in.14. Start a form for choosing a language:echo '' . $words➝ ['language'] . '';The user can choose a language (whichis also a forum), via a pull-down menu E.The first value in the menu will be theword “language,” in the user’s defaultlanguage. The select menu’s name is lid,short for language ID, and its actionattribute points to forum.php. When theuser submits this simple form, they’ll betaken to the forum of their choice.continues on next pageE The language pull-downmenu, with each option in itsnative language.Example—Message Board 535

15. Retrieve every language from the database,and add each to the menu:$q = "SELECT lang_id, lang FROM➝ languages ORDER BY lang_eng ASC";$r = mysqli_query($dbc, $q);if (mysqli_num_rows($r) > 0) {while ($menu_row = mysqli_➝ fetch_array($r, MYSQLI_NUM)) {echo "$menu_row[1]➝ \n";}}mysqli_free_result($r);This query retrieves the languages andthe language ID from the languagestable. Each is added as an option to theselect menu.Again, calling mysqli_free_result( )isn’t required, but doing so can helplimit bugs and improve performance. Inparticular, when you have pages thatrun multiple SELECT queries, mysqli_free_result( ) can help avoid confusionissues between PHP and MySQL.16. Complete the form and the PHP page:echo '';?>17. Save the file as header.html.Even though it contains a fair amountof PHP, this script will still use the .htmlextension (which I prefer to use fortemplate files). Make sure that the fileis saved using UTF-8 encoding.18. Create a new document in your texteditor or IDE, to be named footer.html(Script 17.2):19. Complete the HTML page:&copy; 2011 Larry➝ Ullman20. Save the file as footer.html.Again, make sure that the file is savedusing UTF-8 encoding.21. Place both files in your Web directory,within a folder named includes.Script 17.2 The footer file completes the HTML page.1 2 3 45 6 &copy;2011 Larry Ullman7 89 10 11 536 Chapter 17

Creating theindex pageThe index page in this example won’t dothat much. It’ll provide some introductorytext and the links for the user to register,log in, choose the preferred language/forum, and so forth. From a programmingperspective, it’ll show how the templatefiles are to be used.To make the home page:1. Begin a new PHP document in your texteditor or IDE, to be named index.php(Script 17.3):That’s it for the home page!5. Save the file as index.php, place it inyour Web directory, and test it in yourWeb browser (see A and B in theprevious section).Once again, make sure that the file issaved using UTF-8 encoding. This willbe the last time I remind you!Script 17.3 The home page includes the header and footerfiles to make a complete HTML document. It also prints someintroductory text in the chosen language.1 Example—Message Board 537

Creating theForum pageThe next page in the Web site is the forumpage, which displays the threads in a forum(each language being its own forum). Thepage will use the language ID, passedto this page in a URL and/or stored in asession, to know what threads to display.The basic functionality of this page—running a query, displaying the results—is simple A. The query this page usesis perhaps the most complex one in thebook. It’s complicated for three reasons:1. It performs a JOIN across three tables.2. It uses three aggregate functions anda GROUP BY clause.3. It converts the dates to the user’s timezone, but only if the person viewing thepage is logged in.So, again, the query is intricate, but I’ll gothrough it in detail in the following steps.Script 17.4 This script performs one rather complicatedquery to display five pieces of information—the subject, the original poster, the date the threadwas started, the number of replies, and the date ofthe latest reply—for each thread in a forum.1

Script 17.4 continued17 // The query for retrieving all the threads in this forum, along with the original user,18 // when the thread was first posted, when it was last replied to, and how many replies it's had:19 $q = "SELECT t.thread_id, t.subject, username, COUNT(post_id) - 1 AS responses, MAX(DATE_FORMAT($last, '%e-%b-%y %l:%i %p')) AS last, MIN(DATE_FORMAT($first, '%e-%b-%y %l:%i %p')) AS firstFROM threads AS t INNER JOIN posts AS p USING (thread_id) INNER JOIN users AS u ON t.user_id =u.user_id WHERE t.lang_id = {$_SESSION['lid']} GROUP BY (p.thread_id) ORDER BY last DESC";20 $r = mysqli_query($dbc, $q);21 if (mysqli_num_rows($r) > 0) {2223 // Create a table:24 echo '25 26 ' . $words['subject'] . ':27 ' . $words['posted_by'] . ':28 ' . $words['posted_on'] . ':29 ' . $words['replies'] . ':30 ' . $words['latest_reply'] . ':31 ';3233 // Fetch each thread:34 while ($row = mysqli_fetch_array($r, MYSQLI_ASSOC)) {3536 echo '37 ' . $row['subject']. '38 ' . $row['username'] . '39 ' . $row['first'] . '40 ' . $row['responses'] . '41 ' . $row['last'] . '42 ';4344 }4546 echo ''; // Complete the table.4748 } else {49 echo 'There are currently no messages in this forum.';50 }5152 // Include the HTML footer file:53 include ('includes/footer.html');54 ?>Example—Message Board 539

2. Determine what dates and times to use:if (isset($_SESSION['user_tz'])) {$first = "CONVERT_TZ➝ (p.posted_on, 'UTC',➝'{$_SESSION['user_tz']}')";$last = "CONVERT_TZ(p.posted_on,➝'UTC', '{$_SESSION['user_tz']}')";} else {$first = 'p.posted_on';$last = 'p.posted_on';}As already stated, the query will formatthe date and time to the user’s time zone(presumably selected during the registrationprocess), but only if the viewer islogged in. Presumably, this informationwould be retrieved from the databaseand stored in the session upon login.To make the query dynamic, what exactdate/time value should be selectedwill be stored in a variable to be usedin the query later in the script. If theuser is not logged in, which means that$_SESSION['user_tz'] is not set, thetwo dates—when a thread was startedand when the most recent reply wasposted—will be unadulterated valuesfrom the table. In both cases, the tablecolumn being referenced is posted_onin the posts table ( p will be an alias toposts in the query).If the user is logged in, the CONVERT_TZ( )function will be used to convert the valuestored in posted_on from UTC to theuser’s chosen time zone. See Chapter 6for more on this function. Note that usingthis function requires that your MySQLinstallation includes the list of time zones(see Chapter 6 for more).3. Define and execute the query:$q = "SELECT t.thread_id,➝ t.subject, username, COUNT➝ (post_id) - 1 AS responses,➝ MAX(DATE_FORMAT($last,➝'%e-%b-%y %l:%i %p')) AS last,➝ MIN(DATE_FORMAT($first, '%e-%b-%y➝ %l:%i %p')) AS first FROM➝ threads AS t INNER JOIN posts➝ AS p USING (thread_id) INNER➝ JOIN users AS u ON t.user_id =➝ u.user_id WHERE t.lang_id =➝ {$_SESSION['lid']} GROUP BY➝ (p.thread_id) ORDER BY last DESC";$r = mysqli_query($dbc, $q);if (mysqli_num_rows($r) > 0) {The query needs to return six things:the ID and subject of each thread (whichcomes from the threads table), thename of the user who posted the threadin the first place (from users), the numberof replies to each thread, the datethe thread was started, and the date thethread last had a reply (all from posts).The overarching structure of this queryis a join between threads and postsusing the thread_id column (which isthe same in both tables). This result isthen joined with the users table usingthe user_id column.As for the selected values, threeaggregate functions are used (seeChapter 7): COUNT( ), MIN( ), and MAX( ).Each is applied to a column in theposts table, so the query has a GROUPBY (p.thread_id) clause. MIN( ) andMAX( ) are used to return the earliest(for the original post) and latest dates.540 Chapter 17

Both will be shown on the forum page(see A). The latest date is also usedto order the results so that the mostrecent activity always gets returnedfirst. The COUNT( ) function is used tocount the number of posts in a giventhread. Because the original post is alsoin the posts table, it’ll be factored intoCOUNT( ) as well, so 1 is subtracted fromthat value.Finally, aliases are used to make thequery shorter to write and to make iteasier to use the results in the PHPscript. If you’re confused by what thisquery returns, execute it using themysql client B or phpMyAdmin.4. Create a table for the results:echo '➝ ' . $words['subject'] .➝':' . $words➝ ['posted_by'] . ':' . $words['posted_➝ on'] . ':' . $words['replies']➝ . ':➝ ' . $words['latest_➝ reply'] . ':';As with some items in the header file,the captions for the columns in thisHTML page will use language-specificterminology.continues on next pageB The results of running the complex query in the mysql client.Example—Message Board 541

5. Fetch and print each returned record:while ($row = mysqli_fetch_array➝ ($r, MYSQLI_ASSOC)) {echo '' .➝ $row['subject'] . '' .➝ $row['username'] . '' .➝ $row['first'] . '' .➝ $row['responses'] . '' .➝ $row['last'] . '';}This code is fairly simple, and there aresimilar examples many times over in thebook. The thread’s subject is linked toread.php, passing that page the threadID in the URL.6. Complete the page:echo '';} else {echo 'There are currently no➝ messages in this forum.';}include ('includes/footer.html');?>This else clause applies if the queryreturned no results. In actuality, thismessage should also be in the user’schosen language. I’ve omitted that forthe sake of brevity. To fully implementthis feature, create another column inthe words table and store for each languagethe translated version of this text.7. Save the file as forum.php, place it inyour Web directory, and test it in yourWeb browser C.If you see no values for the dates andtimes when you run this script, it is probablybecause your MySQL installation hasn’t beenupdated with the full list of time zones.As noted in the chapter’s introduction,I’ve omitted all error handling in this example. Ifyou have problems with the queries, apply thedebugging techniques outlined in Chapter 8,“Error Handling and Debugging.”C The forum.php page, viewed in another language (compare with A ).542 Chapter 17

Creating theThread pageNext up is the page for viewing all of themessages in a thread A. This page isaccessed by clicking a link in forum.php B.Thanks to a simplified database structure,the query used by this script is not thatcomplicated (with the database design fromChapter 6, this page would have been muchmore complex). All this page has to do thenis make sure it receives a valid thread ID,display every message, and display theform for users to add their own replies.A The read.php page showsevery messagein a thread.B Part of thesource code fromforum.php showshow the thread ID ispassed to read.phpin the URL.Example—Message Board 543

To make read.php:1. Begin a new PHP document in your texteditor or IDE, to be named read.php(Script 17.5):

3. Determine if the dates and times shouldbe adjusted:if (isset($_SESSION['user_tz'])) {$posted = "CONVERT_TZ➝ (p.posted_on, 'UTC',➝'{$_SESSION['user_tz']}')";} else {$posted = 'p.posted_on';}As in the forum.php page (Script 17.4),the query will format all of the dates andtimes in the user’s time zone, if the useris logged in. To be able to adjust thequery accordingly, this variable storeseither the column’s name (posted_on,from the posts table) or the invocationof MySQL’s CONVERT_TZ( ) function.4. Run the query:$q = "SELECT t.subject, p.message,➝ username, DATE_FORMAT($posted,➝'%e-%b-%y %l:%i %p') AS posted➝ FROM threads AS t LEFT JOIN➝ posts AS p USING (thread_id)➝ INNER JOIN users AS u ON➝ p.user_id = u.user_id WHERE➝ t.thread_id = $tid ORDER BY➝ p.posted_on ASC";$r = mysqli_query($dbc, $q);if (!(mysqli_num_rows($r) > 0)) {$tid = FALSE;}continues on next pageScript 17.5 continued2728 if ($tid) { // Get the messages in this thread...2930 $printed = FALSE; // Flag variable.3132 // Fetch each:33 while ($messages = mysqli_fetch_array($r, MYSQLI_ASSOC)) {3435 // Only need to print the subject once!36 if (!$printed) {37 echo "{$messages['subject']}\n";38 $printed = TRUE;39 }4041 // Print the message:42 echo "{$messages['username']} ({$messages['posted']}){$messages['message']}\n";4344 } // End of WHILE loop.4546 // Show the form to post a message:47 include ('includes/post_form.php');4849 } else { // Invalid thread ID!50 echo 'This page has been accessed in error.';51 }5253 include ('includes/footer.html');54 ?>Example—Message Board 545

This query is like the query on theforum page, but it’s been simplified intwo ways. First, it doesn’t use any ofthe aggregate functions or a GROUP BYclause. Second, it only returns one dateand time. The query is still a JOIN acrossthree tables, in order to get the subject,message bodies, and usernames. Therecords are ordered by their posteddates in ascending order (i.e., from thefirst post to the most recent).If the query doesn’t return any rows,then the thread ID isn’t valid and theflag variable is made false again.5. Complete the $_GET['tid'] conditionaland check, again, for a valid thread ID:} // End of isset($_GET['tid']) IF.if ($tid) {Before printing the messages in thethread, one last conditional is used.This conditional would be false if:> No $_GET['tid'] value was passed tothis page.> A $_GET['tid'] value was passed tothe page, but it was not an integergreater than 0.> A $_GET['tid'] value was passedto the page and it was an integergreater than 0, but it matched nothread records in the database.6. Print each message:$printed = FALSE;while ($messages = mysqli_fetch_➝ array($r, MYSQLI_ASSOC)) {if (!$printed) {echo"{$messages['subject']}\n";$printed = TRUE;}echo "{$messages['username']}➝ ({$messages['posted']})➝ {$messages['message']}➝ \n";} // End of WHILE loop.As you can see in A, the threadsubject needs to be printed only once.However, the query will return thesubject for each returned message C.C The results of the read.phpquery when run in the mysqlclient. This version of thequery converts the dates tothe logged-in user’s preferredtime zone.546 Chapter 17

To achieve this effect, a flag variable iscreated. If $printed is FALSE, then thesubject needs to be printed. This wouldbe the case for the first row fetchedfrom the database. Once that’s beendisplayed, $printed is set to TRUE sothat the subject is not printed again.Then the username, posted date, andmessage are displayed.7. Include the form for posting a message:include ('includes/post_form.php');As users could post messages in twoways—as a reply to an existing threadand as the first post in a new thread, theform for posting messages is definedwithin a separate file (to be created next),stored within the includes directory.8. Complete the page:} else { // Invalid thread ID!echo 'This page has been➝ accessed in error.';}include ('includes/footer.html');?>Again, in a complete site, this errormessage would also be stored in thewords table in each language. Thenyou would write here:echo "{$words['access_error']}➝ ";9. Save the file as read.php, place it inyour Web directory, and test it in yourWeb browser D.D The read.php page, viewed in Japanese.Example—Message Board 547

posting MessagesThe final two pages in this application arethe most important, because you won’thave threads to read without them. Twofiles for posting messages are required:One will make the form, and the other willhandle the form.Creating the formThe first page required for postingmessages is post_form.php. It hassome contingencies:1. It can only be included by other files,never accessed directly.2. It should only be displayed if the user islogged in (which is to say only logged-inusers can post messages).3. If it’s being used to add a reply to anexisting message, it only needs a messagebody input A.4. If it’s being used to create a new thread,it needs both subject and body inputs B.5. It needs to be sticky C.Still, all of this can be accomplished in 60lines of code and some smart conditionals.To create post_form.php:1. Begin a new PHP document inyour text editor or IDE, to be namedpost_form.php (Script 17.6):

Script 17.6 This script will be included by otherpages (notably, read.php and post.php). It displaysa form for posting messages that is also sticky.1

This is where things get a little bittricky. As mentioned earlier, and asshown in A and B, the form will differslightly depending upon how it’s beingused. When included on read.php, theform will be used to provide a reply toan existing thread. To check for thisscenario, the script sees if $tid (shortfor thread ID) is set and if it has a TRUEvalue. That will be the case when thispage is included by read.php. Whenthis script is included by post.php, $tidwill be set but have a FALSE value.If this conditional is true, the languagespecificversion of “Post a Reply” will beprinted and the thread ID will be storedin a hidden form input.5. Complete the conditional begun in Step4:} else { // New threadecho '' . $words['new_➝ thread'] . '';echo '' . $words['subject']➝ . ': ';} // End of $tid IF.If this is not a reply, then the captionshould be the language-specific versionof “New Thread” and a subject inputshould be created. That input needs tobe sticky. To check for that, look for theexistence of a $subject variable. Thisvariable will be created in post.php,and that file will then include this page.Script 17.6 continued34 // Check for existing value:35 if (isset($subject)) {36 echo "value=\"$subject\" ";37 }3839 echo '/>';4041 } // End of $tid IF.4243 // Create the body textarea:44 echo '' . $words['body'] .': ';4546 if (isset($body)) {47 echo $body;48 }4950 echo '';5152 // Finish the form:53 echo '54 ';5556 } else {57 echo 'You must be logged in topost messages.';58 }5960 ?>550 Chapter 17

D The form prompts and even the submit buttonwill be in the user’s chosen language (comparewith the other figures in this section of the chapter).E The result of the post_form.php page if theuser is not logged in (remember that you canemulate not being logged in by using the$_SESSION = array( ); line in the header file).6. Create the textarea for the messagebody:echo '' . $words['body'] .➝': ';if (isset($body)) {echo $body;}echo '';Both uses of this page will have thistextarea. Like the subject, it will bemade sticky if a $body variable (definedin post.php) exists. For both inputs, theprompts will be language-specific.7. Complete the form:echo '';All that’s left is a language-specificsubmit button D.8. Complete the page:} else {echo 'You must be logged in➝ to post messages.';}?>Once again, you could store thismessage in the words table and usethe translated version here. I didn’t onlyfor the sake of simplicity.9. Save the file as post_form.php, placeit in the includes folder of your Webdirectory, and test it in your Webbrowser by accessing read.php E.Example—Message Board 551

Handling the formThis file, post.php, will primarily be usedto handle the form submission from post_form.php. That sounds simple enough,but there’s a bit more to it. This page willactually be called in three different ways:1. To handle the form for a thread reply2. To display the form for a new threadsubmission3. To handle the form for a new threadsubmissionThis means that the page will be accessedusing either POST (modes 1 and 3) or GET(mode 2). Also, the data that will be sentto the page, and therefore needs to bevalidated, will differ between modes 1and 3 F.Adding to the complications, if a new threadis being created, two queries must be run:one to add the thread to the threads tableand a second to add the new thread body tothe posts table. If the submission is a replyto an existing thread, then only one query isrequired, inserting a record into posts.Of course, successfully pulling this off isjust a matter of using the right conditionals,as you’ll see. In terms of validation, thesubject and body, as text types, will just bechecked for a non-empty value. All tags willbe stripped from the subject (because whyshould it have any?) and turned into entitiesin the body. This will allow for HTML,JavaScript, and PHP code to be written ina post but still not be executed when thethread is shown (because in a forum aboutWeb development, you’ll need to showsome code).F The various uses of the post.php page.552 Chapter 17

Script 17.7 The post.php page will process theform submissions when a message is posted. Thispage will be used to both create new threads andhandle replies to existing threads.1

3. Validate the message subject:if (!$tid && empty($_POST➝ ['subject'])) {$subject = FALSE;echo 'Please enter a subject➝ for this post.';} elseif (!$tid && !empty($_POST➝ ['subject'])) {$subject = htmlspecialchars➝ (strip_tags($_POST['subject']));} else { // Thread ID, no need➝ for subject.$subject = TRUE;}Script 17.7 continued31 echo 'Please enter a body for this post.';32 }3334 if ($subject && $body) { // OK!3536 // Add the message to the database...3738 if (!$tid) { // Create a new thread.39 $q = "INSERT INTO threads (lang_id, user_id, subject) VALUES ({$_SESSION['lid']},{$_SESSION['user_id']}, '" . mysqli_real_escape_string($dbc, $subject) . "')";40 $r = mysqli_query($dbc, $q);41 if (mysqli_affected_rows($dbc) = = 1) {42 $tid = mysqli_insert_id($dbc);43 } else {44 echo 'Your post could not be handled due to a system error.';45 }46 } // No $tid.4748 if ($tid) { // Add this to the replies table:49 $q = "INSERT INTO posts (thread_id, user_id, message, posted_on) VALUES ($tid,{$_SESSION['user_id']}, '" . mysqli_real_escape_string($dbc, $body) . "', UTC_TIMESTAMP( ))";50 $r = mysqli_query($dbc, $q);51 if (mysqli_affected_rows($dbc) = = 1) {52 echo 'Your post has been entered.';53 } else {54 echo 'Your post could not be handled due to a system error.';55 }56 } // Valid $tid.5758 } else { // Include the form:59 include ('includes/post_form.php');60 }6162 } else { // Display the form:6364 include ('includes/post_form.php');6566 }6768 include ('includes/footer.html');69 ?>554 Chapter 17

The tricky part about validating thesubject is that three scenarios exist.First, if there’s no valid thread ID, thenthis should be a new thread and thesubject can’t be empty. If the subjectelement is empty, then an erroroccurred and a message is printed.In the second scenario, there’s no validthread ID and the subject isn’t empty,meaning this is a new thread and thesubject was entered, so it should behandled. In this case, any tags areremoved, using the strip_tags( )function, and htmlspecialchars( ) willturn any remaining quotation marksinto their entity format. Calling thissecond function will prevent problemsshould the form be displayed againand the subject placed in the input tomake it sticky. To be more explicit, if thesubmitted subject contains a doublequotation mark but the body wasn’tcompleted, the form will be shownagain with the subject placed withinvalue="", and the double quotationmark in the subject will cause problems.The third scenario is when the form hasbeen submitted as a reply to an existingthread. In that case, $tid will be validand no subject is required.4. Validate the body:if (!empty($_POST['body'])) {$body = htmlentities($_POST➝ ['body']);} else {$body = FALSE;echo 'Please enter a body➝ for this post.';}This is a much easier validation, as thebody is always required. If present, it’llbe run through htmlentities( ).5. Check if the form was properly filledout:if ($subject && $body) {6. Create a new thread, when appropriate:if (!$tid) {$q = "INSERT INTO threads➝ (lang_id, user_id, subject)➝ VALUES ({$_SESSION['lid']},➝ {$_SESSION['user_id']}, '" .➝ mysqli_real_escape_string➝ ($dbc, $subject) . "')";$r = mysqli_query($dbc, $q);if (mysqli_affected_rows($dbc)➝ = = 1) {$tid = mysqli_insert_id➝ ($dbc);} else {echo 'Your post could➝ not be handled due to a➝ system error.';}}If there’s no thread ID, then this is anew thread and a query must be run onthe threads table. That query is simple,populating the three columns. Two ofthese values come from the session(after the user has logged in). The otheris the subject, which is run throughmysqli_real_escape_string( ).Because the subject already had strip_tags( ) and htmlspecialchars( )applied to it, you could probably getaway with not using this function, butthere’s no need to take that risk.If the query worked, meaning it affectedone row, then the new thread ID isretrieved.continues on next pageExample—Message Board 555

7. Add the record to the posts table:if ($tid) {$q = "INSERT INTO posts➝ (thread_id, user_id,➝ message, posted_on) VALUES➝ ($tid, {$_SESSION['user_➝ id']}, '" . mysqli_real_➝ escape_string($dbc, $body) .➝ "', UTC_TIMESTAMP( ))";$r = mysqli_query($dbc, $q);if (mysqli_affected_rows➝ ($dbc) = = 1) {echo 'Your post hasbeen entered.';} else {echo 'Your post could➝ not be handled due to a➝ system error.';}}This query should only be run if thethread ID exists. That will be the case ifthis is a reply to an existing thread or ifthe new thread was just created in thedatabase (Step 6). If that query failed,then this query won’t be run.The query populates four columns inthe table, using the thread ID, the userID (from the session), the messagebody, run through mysqli_real_escape_string( ) for security, and theposted date. For this last value, theUTC_TIMESTAMP( ) column is used sothat it’s not tied to any one time zone(see Chapter 6).Note that for all of the printedmessages in this page, I’ve just usedhard-coded English. To finish roundingout the examples, each of thesemessages should be stored in thewords table and printed here instead.How This example is ComplicatedIn the introduction to this chapter, I statethat the example is fundamentally simple,but that sometimes the simple thingstake some extra effort to do. So how isthis example complicated, in my opinion?First, supporting multiple languagesdoes add a couple of issues. If theencoding isn’t handled properlyeverywhere—when creating the pages inyour text editor or IDE, in communicatingwith MySQL, in the Web browser, etc.—things can go awry. Also, you have tohave the proper translations for everylanguage for every bit of text that thesite might need. This includes errormessages (ones the user should actuallysee), the bodies of emails, and so forth.How the PHP files are organized andwhat they do also complicates things. Inparticular, some variables are created inone file but used in another. Doing thiscan lead to confusion at best and bugs atthe worst. To overcome those problems,I recommend adding lots of commentsindicating where variables come fromor where else they might be used. Also,try to use unique variable names withinpages so that they are less likely toconflict with variables in included files.Finally, this example was complicated bythe way only one page is used to displaythe posting form and only one page isused to handle it, despite the fact thatmessages can be posted in two differentways, with different expectations.556 Chapter 17

H The result if no subject was provided whileattempting to post a new thread.I The reply has been successfully added tothe thread.8. Complete the page:} else { // Include the form:include ('includes/➝ post_form.php');}} else { // Display the form:include ('includes/post_form.php');}include ('includes/footer.html');?>The first else clause applies if the formwas submitted but not completed. Inthat case, the form will be includedagain and can be sticky, as it’ll haveaccess to the $subject and $bodyvariables created by this script. Thesecond else clause applies if this pagewas accessed directly (by clicking alink in the navigation), thereby creatinga GET request (i.e., without a formsubmission).9. Save the file as post.php, place it inyour Web directory, and test it in yourWeb browser (H and I).Administering the ForumMuch of the administration of the forum would involve user management, discussed in thenext chapter. Depending upon who is administering the forum, you might also create formsfor managing the languages and lists of translated words.Administrators would also likely have the authority to edit and delete posts or threads. Toaccomplish this, store a user level in the session as well (the next chapter shows you how). If thelogged-in user is an administrator, add links to edit and delete threads on forum.php. Each linkwould pass the thread ID to a new page (like edit_user.php and delete_user.php from Chapter10, “Common Programming Techniques”). When deleting a thread, you have to make sure youdelete all the records in the posts table that also have that thread ID. A foreign key constraint(see Chapter 6) can help in this regard.Finally, an administrator could edit or delete individual posts (the replies to a thread). Again, checkfor the user level and then add links to read.php (a pair of links after each message). The linkswould pass the post ID to edit and delete pages (different ones than are used on threads).Example—Message Board 557

Review and pursueIf you have any problems with thereview questions or the pursue prompts,turn to the book’s supporting forum(www.LarryUllman.com/forums/).Note: Most of these questions and some ofthe prompts rehash information covered inearlier chapters, in order to reinforce someof the most important points.ReviewnnnnnnnWhat impact does a database’s characterset, or a PHP or HTML page’sencoding, have?Why does the encoding and characterset have to be the same everywhere?What happens if there are differences?What is a primary key? What is aforeign key?What is the benefit of using UTC forstored dates and times?Why is the pass column in the userstable set as a CHAR instead of a VARCHAR,when each user’s password could be ofa variable length?How do you begin a session in PHP?How do you store a value in a session?How do you retrieve a previouslystored value?How do you create an alias in a SQLcommand? What are the benefits ofusing an alias?pursuennnnnnnnnReview Chapter 6 if you need arefresher on database design.Review Chapter 6 to remind yourselfas to what kinds of columns in a tableshould be indexed.Review Chapter 6’s section on timezones if your MySQL installation isnot properly converting the datesand times from the UTC time zone toanother (i.e., if the returned converteddate value is NULL).Review Chapter 7, “Advanced SQL andMySQL,” for a refresher on joins and theaggregating functions.Modify the header and other files so thateach page’s title uses both the defaultlanguage page title and a subtitle basedupon the page being viewed (e.g., thename of the thread currently shown).Add pagination—see Chapter 10—to theforum.php script.If you want, add the necessary columnsto the words table, and the appropriatecode to the PHP scripts, so that everynavigational, error, and other element islanguage-specific. Use a Web site suchas Yahoo! Babel Fish (http://babelfish.yahoo.com) for the translations.Apply the redirect_user( ) functionfrom Chapter 12 to post_form.php here.Create a search page for this forum. Ifyou need some help, see the search.php basic example available in thedownloadable code.558 Chapter 17

18Example —User RegistrationThe second example in the book—a userregistration system—has already beentouched upon in several other chapters,as the registration, login, and logout processesmake for good examples of manyconcepts. But this chapter will place all ofthose ideas within the same context, usinga consistent programming approach.Users will be able to register, log in, logout, and change their password. Thischapter includes three features not shownelsewhere: the ability to reset a password,should it be forgotten; the requirement thatusers activate their account before theycan log in; and support for different userlevels, allowing you to control the availablecontent according to the type of userlogged in.As in the preceding chapter, the focus herewill be on the public side of things, butalong the way you’ll see recommendationsas to how this application could easily beexpanded or modified, including how toadd administrative features.in This ChapterCreating the Templates 560Writing the Configuration Scripts 566Creating the Home Page 574Registration 576Activating an Account 586Logging In and Logging Out 589Password Management 594Review and Pursue 604

Creating theTemplatesThe application in this chapter will usea new template design A. This templatemakes extensive use of Cascading StyleSheets (CSS), creating a clean look withoutthe need for images. It has tested well onall current browsers and will appear asunformatted text on browsers that don’tsupport CSS2. The layout for this siteis derived from one freely provided byBlueRobot (www.bluerobot.com).Creating this chapter’s example beginswith two template files: header.htmland footer.html. As in the Chapter 12,“Cookies and Sessions,” examples,the footer file will display certain linksdepending upon whether or not the useris logged in, determined by checking forthe existence of a session variable. Takingthis concept one step further, additionallinks will be displayed if the logged-in useris also an administrator (a session valuewill indicate such).The header file will begin sessions andoutput buffering, while the footer filewill terminate output buffering. Outputbuffering hasn’t been formally covered inthe book, but it’s introduced sufficientlyin the sidebar.To make header.html:1. Begin a new document in your texteditor or IDE, to be named header.html(Script 18.1):15 17 18 19 20 21 @import "includes/layout.css";22 23 24 User Registration25 26 560 Chapter 18

2. Begin output buffering and start asession:ob_start( );session_start( );This Web site will use output buffering,eliminating any error messages thatcould occur when using HTTP headers,redirecting the user, or sending cookies.Every page will make use of sessionsas well. It’s safe to place the session_start( ) call after ob_start( ), sincenothing has been sent to the Webbrowser yet.Since every public page will use bothoutput buffering and sessions, placingthese lines in the header.html filesaves the hassle of placing them inevery single page. Secondarily, ifyou later want to change the sessionsettings (for example), you only needto edit this one file.3. Check for a $page_title variable andclose the PHP section:if (!isset($page_title)) {$page_title = 'User➝ Registration';}?>As in the other times this book has useda template system, the page’s title—which appears at the top of the browserwindow—will be set on a page-by-pagebasis. This conditional checks if the$page_title variable has a value and,if it doesn’t, sets it to a default string.This is a nice, but optional, check toinclude in the header.continues on next pageusing output BufferingBy default, anything that a PHP script prints or any HTML outside of the PHP tags (even in includedfiles) is immediately sent to the Web browser. Output buffering (or output control, as the PHPmanual calls it) is a PHP feature that overrides this behavior. Instead of immediately sending HTMLto the Web browser, that output will be placed in a buffer—temporary memory. Then, when thebuffer is flushed, it’s sent to the Web browser. There can be a performance improvement withoutput buffering, but the main benefit is that it eradicates those pesky headers already sent errormessages. Some functions—header( ), setcookie( ), and session_start( )—can only be calledif nothing has been sent to the Web browser. With output buffering, nothing will be sent to the Webbrowser until the end of the page, so you are free to call these functions at any point in a script.To begin output buffering, invoke the ob_start( ) function. Once you call it, the output from everyecho, print, and similar function call will be sent to a memory buffer rather than the Web browser.Conversely, HTTP calls (like header( ) and setcookie( )) will not be buffered and will operateas usual.At the conclusion of the script, call the ob_end_flush( ) function to send the accumulated bufferto the Web browser. Or, use the ob_end_clean( ) function to delete the buffered data withoutsending it. Both functions have the secondary effect of turning off output buffering.Example —User Registration 561

4. Create the HTML head:@import➝ "includes/layout.css";The PHP $page_title variable isprinted out between the title tagshere. Then, the CSS document isincluded. It will be called layout.cssand stored in a folder called includes.You can find the CSS file in the downloadablecode found at the book’s supportingWeb site (www.LarryUllman.com).5. Begin the HTML body:User➝ RegistrationThe body creates the banner acrossthe top of the page and then starts thecontent part of the Web page (up untilWelcome! in A).6. Save the file as header.html.Script 18.2 The footer file concludes the HTML,displaying links based upon the user status(logged in or not, administrator or not), andflushes the output to the Web browser.1 2 34 5 Home6 30 Some Pagecode continues on next page562 Chapter 18

Script 18.2 continued31 Another Page32 3334 35 36 paste code hereB The user will see these navigation linkswhile she or he is logged in.C A logged-in administrator will see extralinks (compare with B ) .To make footer.html:1. Begin a new document in your texteditor or IDE, to be named footer.html(Script 18.2):Home

4. Show the links for non-logged-in usersand complete the PHP block:} else { // Not logged in.echo 'RegisterLoginRetrieve Password';}?>If the user isn’t logged in, they will seelinks to register, log in, and reset aforgotten password D.5. Complete the HTML:Some PageAnother PageTwo dummy links are included for otherpages you could add.6. Flush the buffer:The footer file will send the accumulatedbuffer to the Web browser,completing the output buffering begunin the header script (again, see thesidebar).D The user will see these links if she or heis not logged in.564 Chapter 18

7. Save the file as footer.html andplace it, along with header.html andlayout.css (from the book’s supportingWeb site), in your Web directory, puttingall three in an includes folder E.If this site has any page that does notmake use of the header file but does needto work with sessions, that script must callsession_start( ) on its own. If you fail todo so, that page won’t be able to access thesession data.In more recent versions of PHP, outputbuffering is enabled by default. The buffersize—the maximum number of bytes stored inmemory—is 4,096, but this can be changedin PHP’s configuration file.The ob_get_contents( ) function willreturn the current buffer so that it may beassigned to a variable, should the need arise.The ob_flush( ) function will send thecurrent contents of the buffer to the Webbrowser and then discard them, allowing anew buffer to be started. This function allowsyour scripts to maintain more moderate buffersizes. Conversely, ob_end_flush( ) turns offoutput buffering after sending the buffer tothe Web browser.The ob_clean( ) function deletes thecurrent contents of the buffer without stoppingthe buffer process.PHP will automatically run ob_end_flush( ) at the conclusion of a script if itis not otherwise done.E The directory structure of the site on the Web server, assuming htdocs is the documentroot (where www.example.com points).Example —User Registration 565

Writing theConfiguration ScriptsThis Web site will make use of twoconfiguration-type scripts. One, config.inc.php, will really be the most importantscript in the entire application. It willnnnnnHave comments about the siteas a wholeDefine constantsEstablish site settingsDictate how errors are handledDefine any necessary functionsBecause it does all this, the configurationscript will be included by every other pagein the application.The second configuration-type script,mysqli_connect.php, will store all of thedatabase-related information. It will beincluded only by those pages that need tointeract with the database.Making a configuration fileThe configuration file is going to servemany important purposes. It’ll be like across between the site’s owner’s manualand its preferences file. The first purposeof this file will be to document the siteoverall: who created it, when, why, forwhom, etc., etc. The version in the bookwill omit all that, but you should put it inyour script. The second role will be todefine all sorts of constants and settingsthat the various pages will use.Third, the configuration file will establishthe error-management policy for thesite. The technique involved—creatingyour own error-handling function—wascovered in Chapter 8, “Error Handling andDebugging.” As in that chapter, duringthe development stages, every error willbe reported in the most detailed way A.A During the development stages of the Web site, all errors should be asobvious and as informative as possible.566 Chapter 18

B If errors occur when the site is live, the user willonly see a message like this (but a detailed errormessage will be emailed to the administrator).Script 18.3 This configuration script dictates howerrors are handled, defines site-wide settings andconstants, and could (but doesn’t) declare anynecessary functions.1

3. Establish two constants for site-widesettings:define ('BASE_URL', 'http://www.➝ example.com/');define ('MYSQL', '/path/to/mysqli_➝ connect.php');These two constants are defined justto make it easier to do certain thingsin the other scripts. The first, BASE_URL,refers to the root domain (http://www.example.com/), with an ending slash.If developing on your own computer,this might be http://localhost/ or http://localhost/ch18/. When a script redirectsthe browser, the code can simply besomething likeheader('Location: ' . BASE_URL .➝'page.php');The second constant, MYSQL, is anabsolute path to the MySQL connectionscript (to be written next). By setting thisas an absolute path, any file can includethe connection script by referring to thisconstant:require (MYSQL);Change both of these values to correspondto your environment. When usingXAMPP on Windows, for example, theproper value for the MYSQL constant maybe C:\\xampp\mysqli_connect.php.If you move the site from one server ordomain to another, just change thesetwo constants and the application willstill work.Script 18.3 continued313233 // ****************************************** //34 // ************ ERROR MANAGEMENT************ //3536 // Create the error handler:37 function my_error_handler ($e_number,$e_message, $e_file, $e_line, $e_vars) {3839 // Build the error message:40 $message = "An error occurred inscript '$e_file' on line $e_line:$e_message\n";4142 // Add the date and time:43 $message .= "Date/Time: " . date('nj-YH:i:s') . "\n";4445 if (!LIVE) { // Development (print theerror).4647 // Show the error message:48 echo '' .nl2br($message);4950 // Add the variables and abacktrace:51 echo '' . print_r ($e_vars, 1). "\n";52 debug_print_backtrace( );53 echo '';5455 } else { // Don't show the error:5657 // Send an email to the admin:58 $body = $message . "\n" . print_r($e_vars, 1);59 mail(EMAIL, 'Site Error!', $body,'From: email@example.com');6061 // Only print an error message ifthe error isn't a notice:62 if ($e_number != E_NOTICE) {63 echo 'Asystem error occurred.We apologize for theinconvenience.';code continues on next page568 Chapter 18

Script 18.3 continued64 }65 } // End of !LIVE IF.6667 } // End of my_error_handler( )definition.6869 // Use my error handler:70 set_error_handler ('my_error_handler');7172 // ************ ERROR MANAGEMENT************ //73 // ****************************************** //4. Establish any other site-wide settings:date_default_timezone_set ('US/➝ Eastern');As mentioned in Chapter 11, “WebApplication Development,” any useof a PHP date or time function (as ofPHP 5.1) requires that the time zone beset. Change this value to match yourtime zone (see the PHP manual for thelist of zones).5. Begin defining the error-handlingfunction:function my_error_handler ($e_➝ number, $e_message, $e_file,➝ $e_line, $e_vars) {$message = "An error occurred➝ in script '$e_file' on line➝ $e_line: $e_message\n";The function definition will be verysimilar to the one explained inChapter 8. The function expects toreceive five arguments: the errornumber, the error message, the scriptin which the error occurred, the linenumber on which PHP thinks the erroroccurred, and an array of variables thatexisted at the time of the error. Then thefunction begins defining the $messagevariable, starting with the informationprovided to this function.6. Add the current date and time:$message .= "Date/Time: " .➝ date('n-j-Y H:i:s') . "\n";To make the error reporting moreuseful, it will include the current dateand time in the message. A newlinecharacter terminates the string to makethe resulting display more legible.continues on next pageExample —User Registration 569

7. If the site is not live, show the errormessage in detail:if (!LIVE) {echo '' .➝ nl2br($message);echo '' . print_r➝ ($e_vars, 1) . "\n";debug_print_backtrace( );echo '';As mentioned earlier, if the site isn’tlive, the entire error message is printed,for any type of error. The message isplaced within ,which will format the message per therules defined in the site’s CSS file. Thefirst part of the error message is thestring already defined, with the addedtouch of converting newlines to HTMLbreak tags. Then, within preformattedtags, all of the variables that exist at thetime of the error are shown, along witha backtrace (a history of function callsand such). See Chapter 8 for more ofan explanation on any of this.8. If the site is live, email the details tothe administrator and print a genericmessage for the visitor:} else { // Don't show the error:$body = $message . "\n" .➝ print_r ($e_vars, 1);mail(EMAIL, 'Site Error!', $body,➝'From: email@example.com');if ($e_number != E_NOTICE) {echo 'A➝ system error occurred. We➝ apologize for the➝ inconvenience.';}} // End of !LIVE IF.If the site is live, the detailed messageshould be sent in an email and theWeb user should only see a genericmessage. To take this one step further,the generic message will not beprinted if the error is of a specific type:E_NOTICE. Such errors occur for thingslike referring to a variable that doesnot exist, which may or may not be aproblem. To avoid potentially inundatingthe user with error messages, only printthe error message if $e_number is notequal to E_NOTICE, which is a constantdefined in PHP (see the PHP manual).9. Complete the function definition and tellPHP to use your error handler:}set_error_handler➝ ('my_error_handler');You have to use the set_error_handler( ) function to tell PHP touse your own function for errors.10. Save the file as config.inc.php, andplace it in your Web directory, withinthe includes folder.Note that in keeping with many otherexamples in this book, as this scriptwill be included by other PHP scripts,it omits the terminating PHP tag.Making the database scriptThe second configuration-type script willbe mysqli_connect.php, the databaseconnection file used multiple times in thebook already. Its purpose is to connect toMySQL, select the database, and establishthe character set in use. If a problemoccurs, this script will make use of theerror-handling tools established in config.inc.php. To do so, this script will call thetrigger_error( ) function when appropriate.The trigger_error( ) function letsyou tell PHP that an error occurred. Ofcourse PHP will handle that error using themy_error_handler( ) function, as establishedin the configuration script.570 Chapter 18

Script 18.4 This script connects to the ch18database. If it can’t, then the error handler will betriggered, passing it the MySQL connection error.1

If the script could not connect to thedatabase, the error message shouldbe sent to the my_error_handler( )function. By doing so, the error willbe handled according to the currentlyset management technique (livestage versus development). Instead ofcalling my_error_handler( ) directly,use trigger_error( ), whose firstargument is the error message C.5. Establish the encoding:} else {mysqli_set_charset($dbc, 'utf8');}If a database connection could be made,the encoding used to communicate withthe database is then established. SeeChapter 9, “Using PHP with MySQL,”for details.6. Save the file as mysqli_connect.php,and place it in the directory above theWeb document root.This script, as an includable file, alsoomits the terminating PHP tag. As withother examples in this book, ideallythe file should not be within the Webdirectory, but wherever you put it, makesure the value of the MYSQL constant(in config.inc.php) matches.7. Create the database D.See the sidebar “Database Scheme”for a discussion of the database andthe command required to make theone table. If you cannot create yourown database, just add the table towhatever database you have accessto. Also make sure that you edit themysqli_connect.php file so that ituses the proper username/password/hostname combination to connect tothis database.C A database connection error occurring during the development of the site.572 Chapter 18

On the one hand, it might make sense toplace the contents of both configuration files inone script for ease of reference. Unfortunately,doing so would add unnecessary overhead(namely, connecting to and selecting the database)to scripts that don’t require a databaseconnection (e.g., index.php).D Creating the database for this chapter.In general, define common functions inthe configuration file or a separate functionsfile. One exception would be any function thatrequires a database connection. If you knowthat a function will only be used on pages thatalso connect to MySQL, then defining thatfunction within the mysqli_connect.phpscript is only logical.Database SchemeThe database being used by this application is called ch18. The database currently consists of onlyone table, users. To create the table, use this SQL command:CREATE TABLE users (user_id INT UNSIGNED NOT NULL AUTO_INCREMENT,first_name VARCHAR(20) NOT NULL,last_name VARCHAR(40) NOT NULL,email VARCHAR(60) NOT NULL,pass CHAR(40) NOT NULL,user_level TINYINT(1) UNSIGNED NOT NULL DEFAULT 0,active CHAR(32),registration_date DATETIME NOT NULL,PRIMARY KEY (user_id),UNIQUE KEY (email),INDEX login (email, pass));Most of the table’s structure should be familiar to you by now; it’s quite similar to the users tablein the sitename database, used in several examples in this book. One new addition is the activecolumn, which will indicate whether a user has activated their account (by clicking a link in theregistration email) or not. This column will either store the 32-character-long activation code orhave a NULL value. Because the active column may have a NULL value, it cannot be defined as NOTNULL. If you do define active as NOT NULL, no one will ever be able to log in (you’ll see why later inthe chapter). The other new addition is the user_level column, which will differentiate the kinds ofusers the site has.A unique index is placed on the email field, and another index is placed on the combination of theemail and pass fields. These two fields will be used together during the login query, so indexingthem as one, creating an index called login, makes sense.Example —User Registration 573

Creating theHome pageThe home page for the site, called index.php, will be a model for the other pageson the public side. It will require theconfiguration file (for error management)and the header and footer files to createthe HTML design. This page will alsowelcome the user by name, assumingthe user is logged in A.To write index.php:1. Begin a new PHP document in your texteditor or IDE, to be named index.php(Script 18.5):18 Spam spam spam spam spam spam19 spam spam spam spam spam spam20 spam spam spam spam spam spam21 spam spam spam spam spam spam.22 Spam spam spam spam spam spam23 spam spam spam spam spam spam24 spam spam spam spam spam spam25 spam spam spam spam spam spam.2627 574 Chapter 18

A If the user is logged in, the index page willgreet them by name.B If the user is not logged in, this is the homepage they will see.3. Greet the user and complete thePHP code:echo 'Welcome';if (isset($_SESSION['first_name'])){echo ",{$_SESSION['first_name']}";}echo '!';?>The Welcome message will be printedto all users. If a $_SESSION['first_name'] variable is set, the user’s firstname will also be printed. So the endresult will be either just Welcome! Bor Welcome, ! A.4. Create the content for the page:Spam spam…You might want to consider puttingsomething more useful on the homepage of a real site. Just a suggestion….5. Include the HTML footer:The footer file will complete the HTMLlayout (primarily the menu bar on theright side of the page) and concludethe output buffering.6. Save the file as index.php, place itin your Web directory, and test it ina Web browser.Example —User Registration 575

RegistrationThe registration script was first startedin Chapter 9. It has since been improvedupon in many ways. This version ofregister.php will do the following:nnnnnnBoth display and handle the formValidate the submitted data usingregular expressions and the FilterextensionRedisplay the form with the valuesremembered if a problem occurs(the form will be sticky)Process the submitted data usingthe mysqli_real_escape_string( )function for securityEnsure a unique email addressSend an email containing an activationlink (users will have to activate theiraccount prior to logging in—see the“Activation Process” sidebar)To write register.php:1. Begin a new PHP document in your texteditor or IDE, to be named register.php (Script 18.6):

Script 18.6 continued37 }3839 // Check for a password and match against the confirmed password:40 if (preg_match ('/^\w{4,20}$/', $trimmed['password1']) ) {41 if ($trimmed['password1'] = = $trimmed['password2']) {42 $p = mysqli_real_escape_string ($dbc, $trimmed['password1']);43 } else {44 echo 'Your password did not match the confirmed password!';45 }46 } else {47 echo 'Please enter a valid password!';48 }4950 if ($fn && $ln && $e && $p) { // If everything's OK...5152 // Make sure the email address is available:53 $q = "SELECT user_id FROM users WHERE email='$e'";54 $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\nMySQL Error: " .mysqli_error($dbc));5556 if (mysqli_num_rows($r) = = 0) { // Available.5758 // Create the activation code:59 $a = md5(uniqid(rand( ), true));6061 // Add the user to the database:62 $q = "INSERT INTO users (email, pass, first_name, last_name, active, registration_date) VALUES ('$e', SHA1('$p'), '$fn', '$ln', '$a', NOW( ) )";63 $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\nMySQL Error: " .mysqli_error($dbc));6465 if (mysqli_affected_rows($dbc) = = 1) { // If it ran OK.6667 // Send the email:68 $body = "Thank you for registering at . To activate your account,please click on this link:\n\n";69 $body .= BASE_URL . 'activate.php?x=' . urlencode($e) . "&y=$a";70 mail($trimmed['email'], 'Registration Confirmation', $body, 'From: admin@sitename.com');7172 // Finish the page:73 echo 'Thank you for registering! A confirmation email has been sent toyour address. Please click on the link in that email in order to activate youraccount.';74 include ('includes/footer.html'); // Include the HTML footer.75 exit( ); // Stop the page.7677 } else { // If it did not run OK.code continues on next pageExample —User Registration 577

Script 18.6 continued78 echo 'You could not be registered due to a system error. Weapologize for any inconvenience.';79 }8081 } else { // The email address is not available.82 echo 'That email address has already been registered. If you haveforgotten your password, use the link at right to have your password sent to you.';83 }8485 } else { // If one of the data tests failed.86 echo 'Please try again.';87 }8889 mysqli_close($dbc);9091 } // End of the main Submit conditional.92 ?>9394 Register95 96 9798 First Name:

3. Create the conditional that checks forthe form submission and then includethe database connection script:if ($_SERVER['REQUEST_METHOD'] = =➝'POST') {require (MYSQL);As the full path to the mysqli_connect.php script is defined as a constant inthe configuration file, the constant canbe used as the argument to require( ).The benefit to this approach is that anyfile stored anywhere in the site, evenwithin a subdirectory, can use this samecode to successfully include theconnection script.4. Trim the incoming data and establishsome flag variables:$trimmed = array_map('trim',➝ $_POST);$fn = $ln = $e = $p = FALSE;The first line runs every element in$_POST through the trim( ) function,assigning the returned result to thenew $trimmed array. The explanationfor this line can be found in Chapter 13,“Security Methods,” when array_map( )was used with data to be sent in anemail. In short, the trim( ) function willbe applied to every value in $_POST,saving the hassle of applying trim( )to each individually.The second line initializes four variablesas FALSE. This one line is just a shortcutin lieu of$fn = FALSE;$ln = FALSE;$e = FALSE;$p = FALSE;5. Validate the first and last names:if (preg_match ('/^[A-Z \'.-]{2,20}➝ $/i', $trimmed['first_name'])) {$fn = mysqli_real_escape_string➝ ($dbc, $trimmed['first_name']);} else {echo 'Please➝ enter your first name!';}if (preg_match ('/^[A-Z \'.-]➝ {2,40}$/i', $trimmed['last_➝ name'])) {$ln = mysqli_real_escape_string➝ ($dbc, $trimmed['last_name']);} else {echo 'Please➝ enter your last name!';}Much of the form will be validatedusing regular expressions, covered inChapter 14, “Perl-Compatible RegularExpressions.” For the first name value,the assumption is that it will containonly letters, a period (as in an initial),an apostrophe, a space, and the dash.Further, the value should be withinthe range of 2 to 20 characters long.To guarantee that the value containsonly these characters, the caret andthe dollar sign are used to match boththe beginning and end of the string.While using Perl-Compatible RegularExpressions, the entire pattern must beplaced within delimiters (the forwardslashes).continues on next pageExample —User Registration 579

If this condition is met, the $fn variableis assigned the value of the mysqli_real_escape_string( ) version of thesubmitted value; otherwise, $fn willstill be FALSE and an error messageis printed A.The same process is used to validatethe last name, although that regularexpression allows for a longer length.Both patterns are also case-insensitive,thanks to the i modifier.6. Validate the email address B:if (filter_var($trimmed['email'],➝ FILTER_VALIDATE_EMAIL)) {$e = mysqli_real_escape_string➝ ($dbc, $trimmed['email']);} else {echo 'Please➝ enter a valid email address!➝ ';}An email address can easily be validatedusing the Filter extension, discussed inChapter 13. If your version of PHP doesnot support the Filter extension, you’llneed to use a regular expression hereinstead (the pattern for an email addresswas described in Chapter 14).7. Validate the passwords:if (preg_match ('/^\w{4,20}$/',➝ $trimmed['password1']) ) {if ($trimmed['password1'] = =➝ $trimmed['password2']) {$p = mysqli_real_escape_➝ string ($dbc, $trimmed➝ ['password1']);} else {echo 'Your➝ password did not match the➝ confirmed password!';}A If the first name value does not pass the regularexpression test, an error message is printed.B The submitted email address must be of theproper format.C The passwords are checked for the properformat, length, and…580 Chapter 18

D …that the password value matches theconfirmed password value.E If a MySQL query error occurs, it should beeasier to debug thanks to this informative errormessage.} else {echo 'Please➝ enter a valid password!';}The password must be between 4 and20 characters long and contain onlyletters, numbers, and the underscore C.That exact combination is representedby \w in Perl-Compatible RegularExpressions. Furthermore, the firstpassword (password1) must match theconfirmed password (password2) D.8. If every test was passed, check for aunique email address:if ($fn && $ln && $e && $p) {$q = "SELECT user_id FROM users➝ WHERE email='$e'";$r = mysqli_query ($dbc, $q)➝ or trigger_error("Query: $q\nMySQL Error: " .➝ mysqli_error($dbc));If the form passed every test, thisconditional will be TRUE. Then thescript must search the database tosee if the submitted email addressis currently being used, since thatcolumn’s value must be unique acrosseach record. As with the MySQLconnection script, if a query doesn’t run,call the trigger_error( ) function toinvoke the self-defined error reportingfunction. The specific error messagewill include both the query being runand the MySQL error E, so that theproblem can easily be debugged.continues on next pageExample —User Registration 581

9. If the email address is unused, registerthe user:if (mysqli_num_rows($r) = = 0) {$a = md5(uniqid(rand( ), true));$q = "INSERT INTO users (email,➝ pass, first_name, last_name,➝ active, registration_date)➝ VALUES ('$e', SHA1('$p'), '$fn',➝'$ln', '$a', NOW( ) )";$r = mysqli_query ($dbc, $q)➝ or trigger_error("Query:➝ $q\nMySQL Error: " .➝ mysqli_error($dbc));The query itself is rather simple, but itdoes require the creation of a uniqueactivation code. Generating thatrequires the rand( ), uniqid( ), andmd5( ) functions. Of these, uniqid( ) isthe most important; it creates a uniqueidentifier. It’s fed the rand( ) functionto help generate a more randomvalue. Finally, the returned result ishashed using md5( ), which createsa string exactly 32 characters long (ahash is a mathematically calculatedrepresentation of a piece of data). Youdo not need to fully comprehend thesethree functions, just note that the resultwill be a unique 32-character string.As for the query itself, it should befamiliar enough to you. Most of thevalues come from variables in thePHP script, after applying trim( ) andmysqli_real_escape_string( ) tothem. The MySQL SHA1( ) functionis used to encrypt the password andNOW( ) is used to set the registrationdate as the current moment.Because the user_level columnhas a default value of 0 (i.e., not anadministrator), that column does nothave to be provided a value in thisquery. Presumably the site’s mainadministrator would edit a user’srecord to give him or her administrativepower after the user has registered.10. Send an email if the query worked:if (mysqli_affected_rows($dbc) = =➝ 1) {$body = "Thank you for➝ registering at . To activate your➝ account, please click on this➝ link:\n\n";$body .= BASE_URL . 'activate.➝ php?x=' . urlencode($e) .➝ "&y=$a";mail($trimmed['email'],➝'Registration Confirmation',➝ $body, 'From: admin@sitename.➝ com');With this registration process, theimportant thing is that the confirmationmail gets sent to the user, becausethey will not be able to log in untilafter they’ve activated their account.This email should contain a link to theactivation page, activate.php. The linkto that page starts with BASE_URL, whichis defined in config.inc.php. The linkalso passes two values along in theURL. The first, generically called x, willbe the user’s email address, encodedso that it’s safe to have in a URL. Thesecond, y, is the activation code.The URL, then, will be something likehttp://www.example.com/activate.php?x=email%40example.com&y=901e09ef25bf6e3ef95c93088450b008.582 Chapter 18

F The resulting page after a user has successfullyregistered.Activation processNew in this chapter is an activation process,where users have to click a link inan email to confirm their accounts, priorto being able to log in. Using a systemlike this prevents bogus registrationsfrom being usable. If an invalid emailaddress is entered, that account cannever be activated. And if someoneregistered another person’s address,hopefully the maligned person wouldnot activate this undesired account.From a programming perspective, thisprocess requires the creation of a uniqueactivation code for each registered user,to be stored in the users table. The codeis then sent in a confirmation email tothe user (as part of a link). When the userclicks the link, he or she will be takento a page on the site that activates theaccount (by removing that code fromtheir record). The end result is that noone can register and activate an accountwithout receiving the confirmation email(i.e., without having a valid email addressthat the registrant controls).11. Tell the user what to expect and completethe page:echo 'Thank you for➝ registering! A confirmation➝ email has been sent to your➝ address. Please click on the➝ link in that email in order to➝ activate your account.';include ('includes/footer.html');exit( );A thank-you message is printed outupon successful registration, alongwith the activation instructions F.Then the footer is included and thepage is terminated.12. Print errors if the query failed:} else { // If it did not run OK.echo 'You could➝ not be registered due to a➝ system error. We apologize➝ for any inconvenience.';}If the query failed for some reason,meaning that mysqli_affected_rows( ) did not return 1, an errormessage is printed to the browser.Because of the security methodsimplemented in this script, the liveversion of the site should neverhave a problem at this juncture.continues on next pageExample —User Registration 583

13. Complete the conditionals and thePHP code:} else {echo 'That➝ email address has already➝ been registered. If you➝ have forgotten your➝ password, use the link➝ at right to have your➝ password sent to you.➝ ';}} else {echo 'Please➝ try again.';}mysqli_close($dbc);}?>The first else is executed if a personattempts to register with an emailaddress that has already been used G.The second else applies when the submitteddata fails one of the validationroutines (see A through D).G If an email address has already beenregistered, the user is told as much.H The registration form as it looks when the user first arrives.584 Chapter 18

14. Begin the HTML form H:RegisterFirst Name:

Activating an AccountAs described in the “Activation Process”sidebar earlier in the chapter, each userwill have to activate her or his account priorto being able to log in. Upon successfullyregistering, the user will receive an emailcontaining a link to activate.php A. Thislink also passes two values to this page:the user’s registered email address anda unique activation code. To completethe registration process—to activate theaccount, the user will need to click thatlink, taking her or him to the activate.phpscript on the Web site.The activate.php script needs to firstconfirm that those two values werereceived in the URL. Then, if the receivedtwo values match those stored in thedatabase, the activation code will beremoved from the record, indicatingan active account.To create the activation page:1. Begin a new PHP script in your text editoror IDE, to be named activate.php(Script 18.7):

As already mentioned, when theuser clicks the link in the registrationconfirmation email, two values will bepassed to this page: the email addressand the activation code. Both valuesmust be present and validated, beforeattempting to use them in a queryactivating the user’s account.The first step is to ensure that bothvalues are set. Since the isset( )function can simultaneously check forthe presence of multiple variables, thefirst part of the validation condition isisset($_GET['x'], $_GET['y']).Second, $_GET['x'] must be in the formatof a valid email address. The samecode as in the registration script can beused for that purpose (either the Filterextension or a regular expression).Third, for y (the activation code), thelast clause in the conditional checksthat this string’s length (how manycharacters are in it) is exactly 32. TheScript 18.7 continued22 echo 'Your accountcould not be activated. Pleasere-check the link or contact thesystem administrator.';23 }2425 mysqli_close($dbc);2627 } else { // Redirect.2829 $url = BASE_URL . 'index.php'; //Define the URL.30 ob_end_clean( ); // Delete the buffer.31 header("Location: $url");32 exit( ); // Quit the script.3334 } // End of main IF-ELSE.3536 include ('includes/footer.html');37 ?>md5( ) function, which created theactivation code, always returns a string32 characters long.3. Attempt to activate the user’s account:require (MYSQL);$q = "UPDATE users SET active=NULL➝ WHERE (email='" . mysqli_real_➝ escape_string($dbc, $_GET['x'])➝ . "' AND active='" . mysqli_➝ real_escape_string($dbc, $_➝ GET['y']) . "') LIMIT 1";$r = mysqli_query ($dbc, $q)➝ or trigger_error("Query:➝ $q\nMySQL Error: " .➝ mysqli_error($dbc));If all three conditions (in Step 2) areTRUE, an UPDATE query is run. This queryremoves the activation code from theuser’s record by setting the activecolumn to NULL. Before using the valuesin the query, both are run throughmysqli_real_escape_string( ) forextra security.4. Report upon the success of the query:if (mysqli_affected_rows($dbc) = =➝ 1) {echo "Your account is now➝ active. You may now log in.";} else {echo 'Your➝ account could not be➝ activated. Please re-check➝ the link or contact the➝ system administrator.';}continues on next pageExample —User Registration 587

If one row was affected by the query,then the user’s account is now activeand a message says as much B. If norows are affected, the user is notifiedof the problem C. This would mostlikely happen if someone tried tofake the x and y values or if there’s aproblem in following the link from theemail to the Web browser.5. Complete the main conditional:mysqli_close($dbc);} else { // Redirect.$url = BASE_URL . 'index.php';ob_end_clean( );header("Location: $url");exit( );} // End of main IF-ELSE.The else clause takes effect if $_GET['x'] and $_GET['y'] are not of theproper value and length. In such a case,the user is just redirected to the indexpage. The ob_end_clean( ) line heredeletes the buffer (whatever was tobe sent to the Web browser up to thispoint, stored in memory), as it won’tbe used.6. Complete the page:include ('includes/footer.html');?>7. Save the file as activate.php, placeit in your Web directory, and test it byclicking the link in the registration email.If you wanted to be a little moreforgiving, you could have this page print anerror message if the correct values are notreceived, rather than redirect them to theindex page (as if they were attempting tohack the site).I specifically use the vague x and y asthe names in the URL for security purposes.While someone may figure out that the oneis an email address and the other is a code,it’s sometimes best not to be explicit aboutsuch things.An alternative method, which I used inthe second edition of this book, was to placethe activation code and the user’s ID (fromthe database) in the link. That also works, butfrom a security perspective, it’s really best thatusers never see, or are even aware of, a userID that’s otherwise not meant to be public.B If the database could be updatedusing the provided email address andactivation code, the user is notifiedthat their account is now active.C If an account is notactivated by the query, theuser is told of the problem.588 Chapter 18

Script 18.8 The login page will redirect the user tothe home page after registering the user ID, firstname, and access level in a session.1

3. Validate the submitted data:if (!empty($_POST['email'])) {$e = mysqli_real_escape_string➝ ($dbc, $_POST['email']);} else {$e = FALSE;echo 'You➝ forgot to enter your email➝ address!';}if (!empty($_POST['pass'])) {$p = mysqli_real_escape_string➝ ($dbc, $_POST['pass']);} else {$p = FALSE;echo 'You forgot➝ to enter your password!';}There are two ways of thinking aboutthe validation. On the one hand, youcould use regular expressions and theFilter extension, copying the same codefrom register.php, to validate thesevalues. On the other hand, the true testof the values will be whether the loginquery returns a record or not, so onecould arguably skip more stringent PHPvalidation. This script uses the latterthinking.If the user does not enter any valuesinto the form, error messages will beprinted A.A The login form checks only if values wereentered, without using regular expressions.Script 18.8 continued35 $_SESSION = mysqli_fetch_array($r, MYSQLI_ASSOC);36 mysqli_free_result($r);37 mysqli_close($dbc);3839 // Redirect the user:40 $url = BASE_URL . 'index.php';// Define the URL.41 ob_end_clean( ); // Delete thebuffer.42 header("Location: $url");43 exit( ); // Quit the script.4445 } else { // No match was made.46 echo 'Eitherthe email address and passwordentered do not match thoseon file or you have not yetactivated your account.';47 }4849 } else { // If everything wasn't OK.50 echo 'Please tryagain.';51 }5253 mysqli_close($dbc);5455 } // End of SUBMIT conditional.56 ?>5758 Login59 Your browser must allow cookies inorder to log in.60 61 62 Email Address: 63 Password: 64 65 66 6768 590 Chapter 18

4. If both validation routines were passed,retrieve the user information:if ($e && $p) {$q = "SELECT user_id, first_➝ name, user_level FROM users➝ WHERE (email='$e' AND pass=SHA1➝ ('$p')) AND active IS NULL";$r = mysqli_query ($dbc, $q)➝ or trigger_error("Query:➝ $q\nMySQL Error: " .➝ mysqli_error($dbc));The query will attempt to retrieve theuser ID, first name, and user level forthe record whose email address andpassword match those submitted. TheMySQL query uses the SHA1( ) functionon the pass column, as the password isencrypted using that function in duringthe registration process. The query alsochecks that the active column has aNULL value, meaning that the user hassuccessfully accessed the activate.php page.If you know an account has beenactivated but you still can’t log in usingthe proper values, it’s likely becauseyour active column was erroneouslydefined as NOT NULL.5. If a match was made in the database,log the user in:if (@mysqli_num_rows($r) = = 1) {$_SESSION = mysqli_fetch_array➝ ($r, MYSQLI_ASSOC);mysqli_free_result($r);mysqli_close($dbc);The login process consists of storingthe retrieved values in the session(which was already started in header.html) and then redirecting the user tothe home page. Because the query willreturn an array with three elements—one indexed at user_id, one atfirst_name, and the third at user_level,all three can be fetched right into $_SESSION, resulting in $_SESSION['user_id'], $_SESSION['first_name'], and$_SESSION['user_level']. If $_SESSIONhad other values in it already, youwould not want to take this shortcut, asyou’d wipe out those other elements.6. Redirect the user:$url = BASE_URL . 'index.php';➝ ob_end_clean( );header("Location: $url");exit( );The ob_end_clean( ) function willdelete the existing buffer (the outputbuffering is also begun in header.html),since it will not be used.7. Complete the conditionals and closethe database connection:} else {echo '➝ Either the email address➝ and password entered do➝ not match those on file➝ or you have not yet➝ activated your account.➝ ';}} else {echo 'Please➝ try again.';}mysqli_close($dbc);} // End of SUBMIT conditional.?>continues on next pageExample —User Registration 591

The error message B indicates that thelogin process could fail for two possiblereasons. One is that the submittedemail address and password do notmatch those on file. The other reason isthat the user has not yet activated theiraccount.8. Display the HTML login form C:LoginYour browser must allow cookiesin order to log in.Email Address: Password: The login form, like the registrationform, will submit the data back to itself.This one is not sticky, though, but youcould add that functionality.Notice that the page includes amessage informing the user thatcookies must be enabled to use thesite (if a user does not allow cookies,she or he will never get access to thelogged-in user pages).9. Include the HTML footer:10. Save the file as login.php, place it inyour Web directory, and test it in yourWeb browser D.B An error message is displayed if the loginquery does not return a single record.C The login form.D Upon successfully logging in, the user willbe redirected to the home page, where theywill be greeted by name.E The results of successfully logging out.592 Chapter 18

To write logout.php:1. Begin a new PHP document in your texteditor or IDE, to be named logout.php(Script 18.9):2. Redirect the user if she or he is notlogged in:if (!isset($_SESSION['first_name']))➝ {$url = BASE_URL . 'index.php';ob_end_clean( );header("Location: $url");exit( );If the user is not currently logged in(determined by checking for a$_SESSION['first_name'] variable),the user will be redirected to the homepage (because there’s no point in tryingto log the user out).3. Log out the user if they are currentlylogged in:} else { // Log out the user.$_SESSION = array( );session_destroy( );setcookie (session_name( ), '',➝ time( )-3600);}To log the user out, the session valueswill be reset, the session data willbe destroyed on the server, and thesession cookie will be deleted. Theselines of code were first used anddescribed in Chapter 12. The cookiename will be the value returned by thesession_name( ) function. If you decideto change the session name later, thiscode will still be accurate.4. Print a logged-out message and completethe PHP page:echo 'You are now loggedout.';include ('includes/footer.html');?>5. Save the file as logout.php, place it inyour Web directory, and test it in yourWeb browser E (on the previous page).Example —User Registration 593

passwordManagementThe final aspect of the public side of thissite is the management of passwords.There are two processes to consider:resetting a forgotten password andchanging an existing one.Resetting a passwordIt inevitably happens that people forgettheir login passwords for Web sites, sohaving a contingency plan for theseoccasions is important. One option wouldbe to have the user email the administratorwhen this occurs, but administering a siteis difficult enough without that extra hassle.Instead, this site will have a script whosepurpose is to reset a forgotten password.Because the passwords stored in the databaseare encrypted using MySQL’s SHA1( )function, there’s no way to retrieve anunencrypted version (the database actuallystores a hashed version of the password,not an encrypted version). The alternativeis to create a new, random password andchange the existing password to this value.Rather than just display the new passwordin the Web browser (that would be terriblyinsecure), the new password will beemailed to the address with which theuser registered.To write forgot_password.php:1. Begin a new PHP document in yourtext editor or IDE, to be namedforgot_password.php (Script 18.10):

Script 18.10 The forgot_password.php scriptallows users to reset their password withoutadministrative assistance.1

4. Retrieve the selected user ID:if (mysqli_num_rows($r) = = 1) {list($uid) = mysqli_fetch_array➝ ($r, MYSQLI_NUM);} else { // No database match made.echo 'The➝ submitted email address does➝ not match those on file!';}If the query returns one row, it’ll befetched and assigned to $uid (shortfor user ID). This value will be neededto update the database with the newpassword, and it’ll also be used as aflag variable.The list( ) function has not beenformally discussed in the book, but youmay have run across it. It’s a shortcutfunction that allows you to assign arrayelements to other variables. Sincemysqli_fetch_array( ) will alwaysreturn an array, even if it’s an array ofjust one element, using list( ) cansave having to write:$row = mysqli_fetch_array($r,MYSQLI_NUM);$uid = $row[0];If no matching record could be foundfor the submitted email address, anerror message is displayed A.5. Report upon no submitted emailaddress:} else { // No email!echo 'You➝ forgot to enter your email➝ address!';} // End of empty($_POST['email'])➝ IF.If no email address was provided, that isalso reported B.Script 18.10 continued55 } else { // Failed the validationtest.56 echo 'Please tryagain.';57 }5859 mysqli_close($dbc);6061 } // End of the main Submit conditional.62 ?>6364 Reset Your Password65 Enter your email address below andyour password will be reset.66 67 68 Email Address:

6. Create a new, random password:if ($uid) {$p = substr ( md5(uniqid(rand( ),➝ true)), 3, 10);Creating a new, random password willmake use of four PHP functions. Thefirst is uniqid( ), which will return aunique identifier. It is fed the argumentsrand( ) and true, which makes thereturned string more random. Thisreturned value is then sent throughthe md5( ) function, which calculatesthe MD5 hash of a string. At this stage,a hashed version of the unique ID isreturned, which ends up being a string32 characters long. This part of thecode is similar to that used to createthe activation code in activate.php(Script 18.7).From this string, the password iscreated by pulling out ten charactersstarting with the third one, usingthe substr( ) function. All in all, thiscode will return a very random andmeaningless ten-character string(containing both letters and numbers)to be used as the temporary password.Note that the creation of a new, randompassword is only necessary if $uid hasa TRUE value by this point.7. Update the password in the database:$q = "UPDATE users SET➝ pass=SHA1('$p') WHERE user_➝ id=$uid LIMIT 1";$r = mysqli_query ($dbc, $q)➝ or trigger_error("Query: $q\nMySQL Error: " .➝ mysqli_error($dbc));if (mysqli_affected_rows($dbc) = =➝ 1) {Using the user ID (the primary key forthe table) that was retrieved earlier,the password for this particular user isupdated to the SHA1( ) version of $p,the random password.8. Email the password to the user:$body = "Your password to log➝ into has been➝ temporarily changed to '$p'.➝ Please log in using this➝ password and this email address.➝ Then you may change your password➝ to something more familiar.";mail ($_POST['email'], 'Your➝ temporary password.', $body,➝'From: admin@sitename.com');Next, the user needs to be emailedthe new password so that she orhe may log in C. It’s safe to use$_POST['email'] in the mail( ) code,because to get to this point, $_POST['email'] must match an addressalready stored in the database. Thataddress would have already been validatedvia the Filter extension (or a regularexpression), in the registration script.continues on next pageC The email message receivedafter resetting a password.Example —User Registration 597

9. Complete the page:echo 'Your password has been➝ changed. You will receive the➝ new, temporary password at the➝ email address with which you➝ registered. Once you have logged➝ in with this password, you may➝ change it by clicking on the➝ "Change Password" link.';mysqli_close($dbc);include ('includes/footer.html');exit( );Next, a message is printed and thepage is completed so as not to showthe form again D.10. Complete the conditionals and thePHP code:} else {echo 'Your➝ password could not be➝ changed due to a system➝ error. We apologize for➝ any inconvenience.';}} else {echo 'Please➝ try again.';}mysqli_close($dbc);} // End of the main Submit➝ conditional.?>The first else clause applies only ifthe UPDATE query did not work, whichhopefully shouldn’t happen on a livesite. The second else applies if the userdidn’t submit an email address or if thesubmitted email address didn’t matchany in the database.11. Make the HTML form E:Reset Your PasswordEnter your email address➝ below and your password will➝ be reset.Email Address:

Script 18.11 With this page, users can change anexisting password (if they are logged in).1

2. Redirect the user if she or he is notlogged in:if (!isset($_SESSION['user_id'])) {$url = BASE_URL . 'index.php';ob_end_clean( );header("Location: $url");exit( );}The assumption is that this page is onlyto be accessed by logged-in users. Toenforce this idea, the script checks forthe existence of the $_SESSION['user_id'] variable (which would be requiredby the UPDATE query). If this variable isnot set, then the user will be redirected.3. Check if the form has been submittedand include the MySQL connection:if ($_SERVER['REQUEST_METHOD'] = =➝'POST') {require (MYSQL);The key to understanding how thisscript performs is remembering thatthere are three possible scenarios:the user is not logged in (and thereforeredirected), the user is logged in andviewing the form, and the user islogged in and has submitted the form.The user will only get to this point inthe script if she or he is logged in.Otherwise, the user would have beenredirected by now. So the script justneeds to determine if the form hasbeen submitted or not.Script 18.11 continued36 $r = mysqli_query ($dbc, $q)or trigger_error("Query: $q\nMySQL Error: " .mysqli_error($dbc));37 if (mysqli_affected_rows($dbc) = =1) { // If it ran OK.3839 // Send an email, if desired.40 echo 'Your password hasbeen changed.';41 mysqli_close($dbc); // Closethe database connection.42 include ('includes/footer.html'); // Include the HTMLfooter.43 exit( );4445 } else { // If it did not run OK.4647 echo 'Yourpassword was not changed.Make sure your new passwordis different than the currentpassword. Contact the systemadministrator if you think anerror occurred.';4849 }5051 } else { // Failed the validationtest.52 echo 'Please tryagain.';53 }5455 mysqli_close($dbc); // Close thedatabase connection.5657 } // End of the main Submit conditional.58 ?>5960 Change Your Password61 62 code continues on next page600 Chapter 18

Script 18.11 continued63 New Password: Useonly letters, numbers, and theunderscore. Must be between 4 and 20characters long.64 Confirm New Password: 65 66 67 6869 F As in the registration process, the user’s newpassword must pass the validation routines;otherwise, they will see error messages.4. Validate the submitted password:$p = FALSE;if (preg_match ('/^(\w){4,20}$/',➝ $_POST['password1']) ) {if ($_POST['password1'] = = $_➝ POST['password2']) {$p = mysqli_real_escape_➝0string ($dbc,$_POST['password1']);} else {echo 'Your➝ password did not match the➝ confirmed password!';}} else {echo 'Please➝ enter a valid password!';}The new password should be validatedusing the same tests as those in theregistration process. Error messages willbe displayed if problems are found F.5. Update the password in the database:if ($p) {$q = "UPDATE users SET➝ pass=SHA1('$p') WHERE user_➝ id={$_SESSION['user_id']}➝ LIMIT 1";$r = mysqli_query ($dbc,➝ $q) or trigger_error("Query:➝ $q\nMySQL Error: " .mysqli_error($dbc));Using the user’s ID—stored in thesession when the user logged in—the password field can be updatedin the database. The LIMIT 1 clauseisn’t strictly necessary but adds extrainsurance.continues on next pageExample —User Registration 601

6. If the query worked, complete the page:if (mysqli_affected_rows($dbc) = =➝ 1) {echo 'Your password has been➝ changed.';mysqli_close($dbc);include ('includes/footer.html');➝ exit( );If the update worked, a confirmationmessage is printed to the Webbrowser G.7. Complete the conditionals and thePHP code:} else {echo 'Your➝ password was not changed.➝ Make sure your new➝ password is different➝ than the current➝ password. Contact the➝ system administrator if➝ you think an error➝ occurred.';}} else {echo 'Please➝ try again.';}mysqli_close($dbc);} // End of the main Submit➝ conditional.?>The first else clause applies if themysqli_affected_rows( ) function didnot return a value of 1. This could occurfor two reasons. The first is that a queryor database error happened. Hopefully,that’s not likely on a live site, afteryou’ve already worked out all the bugs.The second reason is that the user triedto “change” their password but enteredthe same password again. In that case,G The script has successfully changed the user’spassword.Site AdministrationFor this application, how the siteadministration works depends uponwhat you want it to do. One additionalpage you would probably want for anadministrator would be a view_users.php script, like the one created inChapter 9 and modified in Chapter 10,“Common Programming Techniques.”It’s already listed in the administrator’slinks. You could use such a script to linkto an edit_user.php page, which wouldallow the administrator to manuallyactivate an account, declare that a useris an administrator, or change a person’spassword. An administrator could alsodelete a user using such a page.While the footer file creates links toadministrative pages only if the loggedinuser is an administrator, every administrationpage should also include sucha check.602 Chapter 18

the UPDATE query wouldn’t affect anyrows because the password column inthe database wouldn’t be changed. Amessage implying such is printed.8. Create the HTML form H:Change Your PasswordNew Password: Use➝ only letters, numbers, and➝ the underscore. Must be➝ between 4 and 20 characters➝ long.Confirm New Password: This form takes two inputs: the newpassword and a confirmation of it. Adescription of the proper format is givenas well. Because the form is so simpleit’s not sticky, but that’s a feature youcould add.9. Complete the HTML page:10. Save the file as change_password.php,place it in your Web directory, and test itin your Web browser.Once this script has been completed,users can reset their password with theprevious script and then log in using thetemporary, random password. After loggingin, users can change their password back tosomething more memorable with this page.Because the site’s authentication doesnot rely upon the user’s password from pageto page (in other words, the password is notchecked on each subsequent page after loggingin), changing a password will not requirethe user to log back in.H The Change Your Password form.Example —User Registration 603

Review and pursueIf you have any problems with thereview questions or the pursue prompts,turn to the book’s supporting forum(www.LarryUllman.com/forums/).Note: Most of these questions and some ofthe prompts rehash information covered inearlier chapters, in order to reinforce someof the most important points.ReviewnnnnWhat is output buffering? What are thebenefits of using it?Why shouldn’t detailed error informationbe displayed on live sites?Why must the active column in theusers table allow for NULL values?What is the result if active is definedas NOT NULL?What are the three steps in terminatinga session?n What does the session_name( )function do?nWhat are the differences between trulyencrypting data and creating a hashrepresentation of some data?pursuennnnnnnnnnCheck out the PHP manual’s pages foroutput buffering (or output control).Check out the PHP manual’s pagesfor the rand( ), uniqid( ), and md5( )functions.Check out the PHP manual’s page forthe trigger_error( ) function.Apply the same validation techniques tologin.php as used in register.php.Make the login form sticky.Add a last_login DATETIME field to theusers table and update its value whena user logs in. Use this information toindicate to the user how long it hasbeen since the last time she or heaccessed the site.If you’ve added the last_login field, useit to print a message on the home pageas to how many users have logged in inthe past, say, hour or day.Validate the submitted email address inforgot_password.php using the Filterextension or a regular expression.Check out the PHP manual’s page forthe list( ) function.Create view_users.php and edit_user.php scripts as recommendedin the final sidebar. Restrict access tothese scripts to administrators (thoseusers whose access level is 1).604 Chapter 18

19Example —E-CommerceIn this, the final chapter of the book, you’lldevelop one last Web application: ane-commerce site that sells prints of art.Unfortunately, to write and explain a completeapplication would require a book initself, and some aspects of e-commerce—like how you handle the money—are particularto each individual site. With theselimitations in mind, the focus in this chapteris on the core e-commerce functionality:designing the database, populating a catalogas an administrator, displaying productsto the public, creating a shopping cart, andstoring orders in a database.This example includes many conceptsthat have already been covered: usingPHP with MySQL (of course), handling fileuploads, using PHP to send images to theWeb browser, prepared statements, sessions,etc. This chapter also has one newtopic: how to perform MySQL transactionsfrom a PHP script. Along the way you’llfind tons of suggestions for extendingthe project.in This ChapterCreating the Database 606The Administrative Side 612Creating the Public Template 629The Product Catalog 633The Shopping Cart 645Recording the Orders 654Review and Pursue 659

Creating the DatabaseThe e-commerce site in this example willuse the simply named ecommerce database.I’ll explain each table’s role prior tocreating the database in MySQL.With any type of e-commerce applicationthere are three kinds of data to be stored:the product information (what is beingsold), the customer information (whois making purchases), and the orderinformation (what was purchased and bywhom). Going through the normalizationprocess (see Chapter 6, “DatabaseDesign”), I’ve come up with five tables A.The first two tables store all of the productsbeing sold. As already stated, the site willbe selling artistic prints. The artists table(Table 19.1) stores the information for theartists whose work is being sold. This tablecontains just a minimum of information (theartists’ first, middle, and last names), butyou could easily add the artists’ birth anddeath dates, other biographical data, andso forth. The prints table (Table 19.2) is themain products table for the site. It storesTABLe 19.1 The artists TableColumnartist_idfirst_namemiddle_namelast_nameTABLe 19.2 The prints TableColumnprint_idartist_idprint_namepricesizedescriptionimage_nameTypeINT UNSIGNED NOT NULLVARCHAR(20) DEFAULT NULLVARCHAR(20) DEFAULT NULLVARCHAR(40) NOT NULLTypeINT UNSIGNED NOT NULLINT UNSIGNED NOT NULLVARCHAR(60) NOT NULLDECIMAL(6,2) UNSIGNED NOTNULLVARCHAR(60) DEFAULT NULLVARCHAR(255) DEFAULT NULLVARCHAR(60) NOT NULLA This entity-relationship diagram (ERD) shows how the five tables in theecommerce database relate to one another.606 Chapter 19

TABLe 19.3 The customers TableColumncustomer_idemailpassTypeINT UNSIGNED NOT NULLVARCHAR(60) NOT NULLCHAR(40) NOT NULLTABLe 19.4 The orders TableColumnorder_idcustomer_idtotalorder_dateTypeINT UNSIGNED NOT NULLINT UNSIGNED NOT NULLDECIMAL(10,2) UNSIGNED NOTNULLTIMESTAMPTABLe 19.5 The order_contents TableColumnoc_idorder_idprint_idquantitypriceship_dateTypeINT UNSIGNED NOT NULLINT UNSIGNED NOT NULLINT UNSIGNED NOT NULLTINYINT UNSIGNED NOT NULLDEFAULT 1DECIMAL(6,2) UNSIGNED NOT NULLDATETIME DEFAULT NULLthe print names, prices, and other relevantdetails. It is linked to the artists table usingthe artist_id. The prints table is arguablythe most important, as it provides a uniqueidentifier for each product being sold. Thatconcept is key to any e-commerce site(without unique identifiers, how would youknow what a person bought?).The customers table (Table 19.3) doesexactly what you’d expect: it records thepersonal information for each client. At theleast, it reflects the customer’s first name,last name, email address, password, andshipping address, as well as the date theyregistered. Presumably the combinationof the email address and password wouldallow the user to log in, shop, and accesstheir account. Since it’s fairly obviouswhat information this table would store,I’ll define it with only the three essentialcolumns for now.The final two tables store all of the orderinformation. There are any number ofways you could do this, but I’ve chosen tostore general order information—the total,the date, and the customer’s ID—in anorders table (Table 19.4). This table couldalso have separate columns reflecting theshipping cost, the amount of sales tax,any discounts that applied, and so on. Theorder_contents table (Table 19.5) will storethe actual items that were sold, includingthe quantity and price. The order_contentstable is essentially a middleman, used tointercept the many-to-many relationshipbetween prints and orders (each print canbe in multiple orders, and each order canhave multiple prints).In order to be able to use transactions(in the final script), the two order tableswill use the InnoDB storage engine. Theothers will use MyISAM. See Chapter 6 formore information on the available storageengines (i.e., table types).Example —E-Commerce 607

To create the database:1. Log in to the mysql client and createthe ecommerce database, if it doesn’talready exist.CREATE DATABASE ecommerce;USE ecommerce;For these steps, you can use eitherthe mysql client or another tool likephpMyAdmin. Depending uponyour situation, you may also need toestablish the character set at this point,in terms of the communications withthe database application. You can alsoestablish the default character set andencoding when creating the database(again, see Chapter 6).If you’re using a hosted site, the hostingcompany will likely provide a databasefor you already.2. Create the artists table B:CREATE TABLE artists (artist_id INT UNSIGNED NOT NULL➝ AUTO_INCREMENT,first_name VARCHAR(20) DEFAULT NULL,middle_name VARCHAR(20) DEFAULT➝ NULL,last_name VARCHAR(40) NOT NULL,PRIMARY KEY (artist_id),UNIQUE full_name (last_name,➝ first_name, middle_name)) ENGINE=MyISAM;This table stores just four piecesof information for each artist. Ofthese, only last_name is required (isdefined as NOT NULL), as there areartists who go by a single name (e.g.,Christo). I’ve added definitions for theindexes as well. The primary key is theartist_id, and an index is placed onthe combination of the last name, firstname, and middle name, which may beused in an ORDER BY clause. This indexis more specifically a unique index,so that the same artist’s name is notentered multiple times.3. Create the prints table C:CREATE TABLE prints (print_id INT UNSIGNED NOT NULL➝ AUTO_INCREMENT,artist_id INT UNSIGNED NOT NULL,print_name VARCHAR(60) NOT NULL,price DECIMAL(6,2) UNSIGNED NOT➝ NULL,size VARCHAR(60) DEFAULT NULL,description VARCHAR(255) DEFAULT➝ NULL,image_name VARCHAR(60) NOT NULL,PRIMARY KEY (print_id),INDEX (artist_id),INDEX (print_name),INDEX (price)) ENGINE=MyISAM;B Making the first table.C Making the second table.608 Chapter 19

All of the columns in the prints tableare required except for the size anddescription. There are indexes on theartist_id, print_name, and price fields,each of which may be used in queries.Each print will be associated with oneimage. The image will be stored onthe server using the same name as theprint_id. When displaying the image inthe Web browser, its original name willbe used, so that needs to be stored inthis table.You could add to this table an in_stockor qty_on_hand field, to indicate theavailability of products.4. Create the customers table D:CREATE TABLE customers (customer_id INT UNSIGNED NOT NULL➝ AUTO_INCREMENT,email VARCHAR(60) NOT NULL,pass CHAR(40) NOT NULL,PRIMARY KEY (customer_id),UNIQUE (email),INDEX login (email, pass)) ENGINE=MyISAM;This is the code used to create thecustomers table. You could throw in theother appropriate fields (name, address,phone number, the registration date,etc.). As this chapter won’t be usingthose values—or user management atall—they are being omitted.5. Create the orders table E:CREATE TABLE orders (order_id INT UNSIGNED NOT NULL➝ AUTO_INCREMENT,customer_id INT UNSIGNED NOT NULL,total DECIMAL(10,2) UNSIGNED NOT➝ NULL,order_date TIMESTAMP,PRIMARY KEY (order_id),INDEX (customer_id),INDEX (order_date)) ENGINE=InnoDB;All of the orders fields are required,and three indexes have been created.Notice that a foreign key column here,like customer_id, is of the same exacttype as its corresponding primary key(customer_id in the customers table).The order_date field will store thedate and time an order was entered.Being defined as a TIMESTAMP, it willautomatically be given the currentvalue when a record is inserted (for thisreason it does not formally need to bedeclared as NOT NULL).Finally, because transactions will beused with the orders and order_contents tables, both must use theInnoDB storage engine.continues on next pageD Creating a basic version of the customerstable. In a real e-commerce site, you’d need toexpand this table to store more information.E Making the orders table.Example —E-Commerce 609

6. Create the order_contents table F:CREATE TABLE order_contents (oc_id INT UNSIGNED NOT NULL➝ AUTO_INCREMENT,order_id INT UNSIGNED NOT NULL,print_id INT UNSIGNED NOT NULL,quantity TINYINT UNSIGNED NOT NULL➝ DEFAULT 1,price DECIMAL(6,2) UNSIGNED NOT➝ NULL,ship_date DATETIME DEFAULT NULL,PRIMARY KEY (oc_id),INDEX (order_id),INDEX (print_id),INDEX (ship_date)) ENGINE=InnoDB;In order to have a normalized databasestructure, each order is separated into itsgeneral information—the customer, theorder date, and the total amount—andits specific information—the actual itemsordered and in what quantity. This tablehas foreign keys to the orders and printstables. The quantity has a set defaultvalue of 1. The ship_date is defined asa DATETIME, so that it can have a NULLvalue, indicating that the item has notyet shipped. Again, this table must usethe InnoDB storage engine in order tobe part of a transaction.You may be curious why this tablestores the price of an item when thatinformation is already present in theprints table. The reason is simply this:the price of a product may change. Theprints table indicates the current priceof an item; the order_contents tableindicates the price at which an itemwas purchased.F Making the final table for the ecommercedatabase.610 Chapter 19

Depending upon what a site is selling,the underlying database would have differenttables in place of artists and prints. Themost important attribute of any e-commercedatabase is that there is a “products” tablethat lists the individual items being sold witha product ID associated with each. So a large,red polo shirt would have one ID, which isdifferent than a large, blue polo shirt’s ID,which is different than a medium, blue poloshirt’s ID. Without unique, individual productidentifiers, it would be impossible to trackorders and product quantities.If you wanted to store multiple addressesfor users—home, billing, friends, etc.—create aseparate addresses table. In this table store allof that information, including the address type,and link those records back to the customerstable using the customer ID as a primaryforeignkey.SecurityWith respect to an e-commerce site, there are four broad security considerations. The first ishow the data is stored on the server. You need to protect the MySQL database itself (by settingappropriate access permissions) and the directory where session information is stored (seeChapter 12, “Cookies and Sessions,” for what settings could be changed). With respect tothese issues, using a non-shared hosting would definitely improve the security of your site.The second security consideration has to do with protecting access to sensitive information. Theadministrative side of the site, which would have the ability to view orders and customer records,must be safeguarded to the highest level. This means requiring authentication to access it, limitingwho knows the access information, using a secure connection, and so forth.The third factor is protecting the data during transmission. By the time the customer gets to thecheckout process (where credit card and shipping information comes in), secure transactionsmust be used. To do so entails establishing a Secure Sockets Layer (SSL) on your server with avalid certificate and then changing to an https:// URL. Also be aware of what information is beingsent via email, since those messages are normally not transmitted through secure avenues.The fourth issue has to do with the handling of the payment information. You really, really, really,really (really!) don’t want to keep this information in any way. Ideally, let a third-party resourcehandle the payment and keep your site’s figurative hands clean. I discuss this a little bit in a sidebartitled “The Checkout Process,” found at the end of the chapter.This broad topic of e-commerce, with lots of specific details and tons of real-world code, isthoroughly covered in my book Effortless E-Commerce with PHP and MySQL (New Riders, 2011).Example —E-Commerce 611

The Administrative SideThe administration side of an e-commerceapplication is primarily for the managementof the three main components:n Products (the items being sold)n Customersn OrdersIn this chapter, you’ll create two scriptsfor adding products to the catalog. As theproducts being sold are works of art, onescript will be for populating the artiststable and a second will be for populatingthe prints table (which has a foreign keyto artists).Due to space constraints, and the fact thatwithout a payment system, this will not bea complete e-commerce example anyway,the customers and orders aspects cannotbe detailed in this chapter. However,customer management is just the sameas user management, covered in theprevious chapter, and you’ll see manyrecommendations for administration ofthe orders.The first two scripts—and pretty muchevery script in this chapter—will requirea connection to the MySQL database.Instead of writing a new one from scratch,just copy mysqli_connect.php (Script 9.2)from Chapter 9, “Using PHP with MySQL,”to the appropriate directory for this site’sfiles. Then edit the information so that itconnects to a database called ecommerce,using a username/password/hostnamecombination that has the proper privileges.Also, the two administration scripts willuse prepared statements, introduced inChapter 13, “Security Methods,” in orderto provide you with more experienceusing them. If you’re confused about theprepared statements syntax or functions,review that chapter.Adding ArtistsThe first script to be written simply addsartist records to the artists table. The scriptpresents a form with three inputs A; uponsubmission, the inputs are validated—buttwo are optional—and the record is addedto the database.A The HTML form for adding artists to thecatalog.612 Chapter 19

Script 19.1 This administration page adds newartist names to the database.1 3 4 5 6 Add an Artist7 8 9 Add an Artist

Script 19.1 continued34 } else { // Error!35 $error = 'The new artist could not be added to the database!';36 }3738 // Close this prepared statement:39 mysqli_stmt_close($stmt);40 mysqli_close($dbc); // Close the database connection.4142 } else { // No last name value.43 $error = 'Please enter the artist\'s name!';44 }4546 } // End of the submission IF.4748 // Check for an error and print it:49 if (isset($error)) {50 echo 'Error!51 ' . $error . ' Please try again.';52 }5354 // Display the form...55 ?>56 Add a Print57 5859 Fill out the form to add an artist:6061 First Name:

The artist’s first and middle names areoptional fields, whereas the last nameis not (since there are artists referredto by only one name). To validate thefirst two name inputs, I’ve reduced theamount of code by using the ternaryoperator (introduced in Chapter 10,“Common Programming Techniques”).The code here is the same asif (!empty($_POST['first_name'])) {$fn = trim($_POST['first_name']);} else {$fn = NULL;}Because this script will rely uponprepared statements, the values tobe used in the query don’t need to berun through mysqli_real_escape_string( ). See Chapter 13 for more onthis subject.4. Validate the artist’s last name:if (!empty($_POST['last_name'])) {$ln = trim($_POST['last_name']);The last name value is required. Formore stringent validation, you could useregular expressions. For added security,you could apply the strip_tags( )function.5. Include the database connection:require ('../../mysqli_connect.php');The administration folder will be locatedinside of the main (htdocs) folder andis therefore two directories above theconnection script. Keep your directorystructure B in mind when including files.continues on next pageB The site structure for this Web application. The MySQL connection script and theuploads directory (where images will be stored) are not within the Web directory(they aren’t available via http://).Example —E-Commerce 615

6. Add the artist to the database:$q = 'INSERT INTO artists (first_➝ name, middle_name, last_name)➝ VALUES (?, ?, ?)';$stmt = mysqli_prepare($dbc, $q);mysqli_stmt_bind_param($stmt,➝'sss', $fn, $mn, $ln);mysqli_stmt_execute($stmt);To add the artist to the database, thequery will be something like INSERTINTO artists (first_name, middle_name, last_name) VALUES ('John','Singer', 'Sargent') or INSERT INTOartists (first_name, middle_name,last_name) VALUES (NULL, NULL,'Christo'). The query is run usingprepared statements, covered inChapter 13.The mysqli_stmt_bind_param( ) functionindicates that the query needs threeinputs (one for each question mark) ofthe type: string, string, and string. Forquestions on any of this, see Chapter 13.7. Report on the results:if (mysqli_stmt_affected_➝ rows($stmt) = = 1) {echo 'The artist has been➝ added.';$_POST = array( );} else {$error = 'The new artist could➝ not be added to the database!';}If executing the prepared statementaffected one row, which is to say onerow was created, a positive messageis displayed C. In this case, the $_POSTarray is also reset, so that the stickyform does not redisplay the artist’sinformation.If the prepared statement failed, amessage is added to the $errorvariable, to be outputted later in thescript. For debugging purposes, youcould add other details here, such asthe MySQL error.8. Close the prepared statement and thedatabase connection:mysqli_stmt_close($stmt);mysqli_close($dbc);9. Complete the artist’s last name andsubmission conditionals:} else { // No last name value.$error = 'Please enter the➝ artist\'s name!';}} // End of the submission IF.If no last name value was submitted,then an error message is assigned tothe $error variable.C An artist has successfully beenadded to the database.616 Chapter 19

10. Print the error, if one occurred, andclose the PHP block:if (isset($error)) {echo 'Error!' . $error . '➝ Please try again.';}?>Either of the two errors that could haveoccurred would be represented by the$error variable. If this variable is set, itcan be printed out at this point D. Theerror will be written within some CSS tomake it bold and red.11. Begin creating the HTML form:Add a PrintFill out the➝ form to add an artist:D If the artist’s last name is not provided,an error message is displayed.The form is sticky, however, rememberingvalues entered into the other twoform inputs.12. Create the inputs for adding a new artist:First Name:

Although I did not do so here for thesake of brevity, I would recommend thatseparate MySQL users be created for theadministrative and the public sides. Theadmin user would need SELECT, INSERT,UPDATE, and DELETE privileges, while thepublic one would need only SELECT,INSERT and UPDATE.The administrative pages should beprotected in the most secure way possible.This could entail HTTP authentication usingApache, a login system using sessions orcookies, or even placing the admin pages onanother, possibly offline, server (so the sitecould be managed from just one location).Adding printsThe second script to be written is for addinga new product (specifically a print) to thedatabase. The page will allow the administratorto select the artist from the database,upload an image, and enter the details forthe print E. The image will be stored on theserver and the print’s record inserted intothe database. This will be one of the morecomplicated scripts in this chapter, but all ofthe technology involved has already beencovered elsewhere in the book.To create add_print.php:1. Begin a new PHP document, startingwith the HTML head, to be namedadd_print.php (Script 19.2):continues on page 622E The HTML form for adding prints to the catalog.Script 19.2 This administration page addsproducts to the database. It handles a file uploadand inserts the new print into the prints table.1 3 4 5 6 Add a Print7 8 9

Script 19.2 continued22 } else {23 $errors[ ] = 'Please enter the print\'s name!';24 }2526 // Check for an image:27 if (is_uploaded_file ($_FILES['image']['tmp_name'])) {2829 // Create a temporary file name:30 $temp = '../../uploads/' . md5($_FILES['image']['name']);3132 // Move the file over:33 if (move_uploaded_file($_FILES['image']['tmp_name'], $temp)) {3435 echo 'The file has been uploaded!';3637 // Set the $i variable to the image's name:38 $i = $_FILES['image']['name'];3940 } else { // Couldn't move the file over.41 $errors[ ] = 'The file could not be moved.';42 $temp = $_FILES['image']['tmp_name'];43 }4445 } else { // No uploaded file.46 $errors[ ] = 'No file was uploaded.';47 $temp = NULL;48 }4950 // Check for a size (not required):51 $s = (!empty($_POST['size'])) ? trim($_POST['size']) : NULL;5253 // Check for a price:54 if (is_numeric($_POST['price']) && ($_POST['price'] > 0)) {55 $p = (float) $_POST['price'];56 } else {57 $errors[ ] = 'Please enter the print\'s price!';58 }5960 // Check for a description (not required):61 $d = (!empty($_POST['description'])) ? trim($_POST['description']) : NULL;6263 // Validate the artist...64 if ( isset($_POST['artist']) && filter_var($_POST['artist'], FILTER_VALIDATE_INT, array('min_range' => 1)) ) {65 $a = $_POST['artist'];66 } else { // No artist selected.67 $errors[ ] = 'Please select the print\'s artist!';68 }6970 if (empty($errors)) { // If everything's OK.code continues on next pageExample —E-Commerce 619

Script 19.2 continued7172 // Add the print to the database:73 $q = 'INSERT INTO prints (artist_id, print_name, price, size, description, image_name)VALUES (?, ?, ?, ?, ?, ?)';74 $stmt = mysqli_prepare($dbc, $q);75 mysqli_stmt_bind_param($stmt, 'isdsss', $a, $pn, $p, $s, $d, $i);76 mysqli_stmt_execute($stmt);7778 // Check the results...79 if (mysqli_stmt_affected_rows($stmt) = = 1) {8081 // Print a message:82 echo 'The print has been added.';8384 // Rename the image:85 $id = mysqli_stmt_insert_id($stmt); // Get the print ID.86 rename ($temp, "../../uploads/$id");8788 // Clear $_POST:89 $_POST = array( );9091 } else { // Error!92 echo 'Your submission could not be processeddue to a system error.';93 }9495 mysqli_stmt_close($stmt);9697 } // End of $errors IF.9899 // Delete the uploaded file if it still exists:100 if ( isset($temp) && file_exists ($temp) && is_file($temp) ) {101 unlink ($temp);102 }103104 } // End of the submission IF.105106 // Check for any errors and print them:107 if ( !empty($errors) && is_array($errors) ) {108 echo 'Error!109 The following error(s) occurred:';110 foreach ($errors as $msg) {111 echo " - $msg\n";112 }113 echo 'Please reselect the print image and try again.';114 }115116 // Display the form...117 ?>118 Add a Printcode continues on next page620 Chapter 19

Script 19.2 continued119 120121 122123 Fill out the form to add a print to the catalog:124125 Print Name:

Add a Print

5. Move the file to its more permanentdestination:if (move_uploaded_file($_➝ FILES['image']['tmp_name'],➝ $temp)) {echo 'The file has been➝ uploaded!';$i = $_FILES['image']['name'];At this point in the script, the printimage will have been moved to itspermanent location (the uploadsdirectory) but given a temporary name(to be renamed later). A message isprinted F indicating the success indoing so. Finally, the $i variable will beassigned the original name of the file(for use later on in the script).F The result if a file was selected for the print’simage and it was successfully uploaded.6. Complete the image-handling section:} else {$errors[ ] = 'The file could➝ not be moved.';$temp = $_FILES['image']➝ ['tmp_name'];}} else {$errors[ ] = 'No file was➝ uploaded.';$temp = NULL;}The first else clause applies if the filecould not be moved to the destinationdirectory. This should only happen ifthe path to that directory is not corrector if the proper permissions haven’tbeen set on the directory G. In eithercase, the $temp variable is assignedthe value of the original upload, whichis still residing in its temporary location.This is necessary, as unused files will beremoved later in the script.The second else clause applies if nofile was uploaded. As the purposeof this site is to sell prints, it’s ratherimportant to actually display what’sbeing sold. If you wanted, you couldadd to this error message more detailsor recommendations as to what typeand size of file should be uploaded.continues on next pageG If the uploads directory is not writable by PHP,you’ll see errors like these.Example —E-Commerce 623

7. Validate the size, price, and descriptioninputs:$s = (!empty($_POST['size'])) ?➝ trim($_POST['size']) : NULL;if (is_numeric($_POST['price']) &&➝ ($_POST['price'] > 0)) {$p = (float) $_POST['price'];} else {$errors[ ] = 'Please enter the➝ print\'s price!';}$d = (!empty($_➝ POST['description'])) ? trim($_➝ POST['description']) : NULL;The size and description values areoptional, but the price is not. As abasic validity test, ensure that thesubmitted price is a number (it shouldbe a decimal) using the is_numeric( )function, and that the price is greaterthan 0 (it’d be bad to sell productsat negative prices). If the value isappropriate, it’s typecast as a floatingpointnumber just to be safe. An errormessage will be added to the array ifno price or an invalid price is entered.8. Validate the artist:if ( isset($_POST['artist']) &&➝ filter_var($_POST['artist'],➝ FILTER_VALIDATE_INT, array('min_➝ range' => 1)) ) {$a = $_POST['artist'];} else { // No artist selected.$errors[ ] = 'Please select the➝ print\'s artist!';}To enter the print’s artist, the administratorwill use a pull-down menu H. Theresult will be a $_POST['artist'] valuethat’s a positive integer. Rememberthat if you’re using an older version ofPHP, that does not support the Filterextension, you’ll need to use the is_numeric( ) function, typecasting, anda conditional that checks for a valuegreater than 0 instead. See Chapter 13for details.9. Insert the record into the database:if (empty($errors)) {$q = 'INSERT INTO prints➝ (artist_id, print_name, price,➝ size, description, image_➝ name) VALUES (?, ?, ?, ?, ?,➝ ?)';$stmt = mysqli_prepare($dbc, $q);mysqli_stmt_bind_param($stmt,➝'isdsss', $a, $pn, $p, $s, $d,➝ $i);mysqli_stmt_execute($stmt);H The administrator can selectan existing artist using this dropdownmenu.624 Chapter 19

If the $errors array is still empty, thenall of the validation tests were passedand the print can be added. Usingprepared statements again, the queryis something like INSERT INTO prints(artist_id, print_name, price,size, description, image_name)VALUES (34, 'The Scream', 25.99,NULL, 'This classic…', 'scream.jpg').The mysqli_stmt_bind_param( )function indicates that the query needssix inputs (one for each question mark)of the type: integer, string, double (akafloat), string, string, and string. Forquestions on any of this, see Chapter 13.10. Confirm the results of the query:if (mysqli_stmt_affected_➝ rows($stmt) = = 1) {echo 'The print has been➝ added.';$id = mysqli_stmt_insert_➝ id($stmt);rename ($temp, "../../➝ uploads/$id");$_POST = array( );} else {echo 'Your➝ submission could not be➝ processed due to a system➝ error.';}If the query affected one row, then amessage of success is printed in theWeb browser F. Next, the print ID hasto be retrieved so that the associatedimage can be renamed (it currentlyis in the uploads folder but under atemporary name), using the rename( )function. That function takes the file’scurrent name as its first argument andthe file’s new name as its second.The value for the first argument waspreviously assigned to $temp. The valuefor the second argument is the path tothe uploads directory, plus the print’sID value, just determined. Note that thefile’s new name will not contain a fileextension. This may look strange whenviewing the actual files on the server,but is not a problem when the files—theimages—are served by the public sideof the site, as you’ll soon see.Finally, the $_POST array is cleared sothat its values are displayed in thesticky form.If the query did not affect one row,there’s probably some MySQL errorhappening and you’ll need to applythe standard debugging techniquesto figure out why.11. Complete the conditionals:mysqli_stmt_close($stmt);} // End of $errors IF.if ( isset($temp) && file_exists➝ ($temp) && is_file($temp) ) {unlink ($temp);}} // End of the submission IF.The first closing brace terminates thecheck for $errors being empty. Inthis case, the file on the server shouldbe deleted because it hasn’t beenpermanently moved and renamed.continues on next pageExample —E-Commerce 625

12. Print any errors:if ( !empty($errors) && is_➝ array($errors) ) {echo 'Error!The following➝ error(s) occurred:';foreach ($errors as $msg) {echo " - $msg\n";}echo 'Please reselect the print➝ image and try again.';}?>All of the errors that occurred wouldbe in the $errors array. These can beprinted using a foreach loop I. Theerrors are printed within some CSS tomake them bold and red. Also, sincea sticky form cannot recall a selectedfile, the user is reminded to reselectthe print image. (My book EffortlessE-Commerce with PHP and MySQLhas an example script that does recalla previously uploaded file, but thecode is somewhat tricky.)13. Begin creating the HTML form:Add a PrintFill out➝ the form to add a print to➝ the catalog:Print Name:

In case the print’s name, size, ordescription uses potentiallyproblematic characters, each is runthrough htmlspecialchars( ), so asnot to mess up the value (e.g., theuse of quotation marks in the print’ssize and description in E).14. Begin the artist pull-down menu:Artist:Select OneThe artist pull-down menu will bedynamically generated from therecords stored in the artists tableusing this PHP code H.15. Retrieve every artist:

Description:➝ (optional)Particulars about each form element,such as the description being optionalor that the price should not contain adollar sign E, help the administratorcomplete the form correctly.17. Complete the HTML page:18. Save the file as add_print.php.19. Create the necessary directories onyour server, if you have not already.This administrative page will requirethe creation of two new directories.One, which I’ll call admin (see B),will house the administrative filesthemselves. On a real site, it’d bebetter to name your administrativedirectory something less obvious.The second, uploads, should be placedbelow the Web document directory andhave its privileges changed so that PHPcan move files into it. See Chapter 10for more information on this.20. Place add_print.php in your Webdirectory (in the administration folder)and test it in your Web browser.628 Chapter 19

Script 19.3 The header file creates the initial HTMLand begins the PHP session.1 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 Creating thepublic TemplateBefore getting to the heart of the publicside, the requisite HTML header and footerfiles should be created. I’ll whip throughthese quickly, since the techniques involvedshould be familiar territory by this point inthe book.To make header.html:1. Begin a new PHP document in your texteditor or IDE, to be named header.html(Script 19.3):continues on next pageExample —E-Commerce 629

As with all the other versions of thisscript, the page’s title will be set as aPHP variable and printed out within thetitle tags. In case it’s not set beforethis page is included, a default title isalso provided.4. Create the top row of the table:➝ This layout will use images to createthe links for the public pages A.5. Start the middle row:All of each individual page’s contentwill go in the middle row; the headerfile begins this row and the footer filewill close it.6. Save the file as header.html and placeit in your Web directory (create anincludes folder in which to store it).A The banner createdby the header file.630 Chapter 19

Script 19.5 A minimal script for the site’s homepage.1 89 Welcome to our site....please use thelinks above...blah, blah, blah.10 Welcome to our site....please use thelinks above...blah, blah, blah.1112 Script 19.4 The footer file closes the HTML,creating a copyright message in the process.1 2 3 4 5 &copy;➝ Copyright...6 7 8 9 To make footer.html:1. Create a new HTML document in yourtext editor or IDE, to be named footer.html (Script 19.4):2. Complete the middle row:This completes the table row begun inthe header file.3. Create the bottom row, complete thetable, and complete the HTML B:&copy;➝ Copyright...4. Save the file as footer.html and placeit in your Web directory (also in theincludes folder).To make index.php:1. Begin a new PHP document in your texteditor or IDE, to be named index.php(Script 19.5).continues on next pageB The copyright row created by the footer file.Example —E-Commerce 631

2. Add the page’s content:Welcome to our site....please➝ use the links above...blah,➝ blah, blah.Welcome to our site....please➝ use the links above...blah,➝ blah, blah.Obviously a real e-commerce site wouldhave some actual content on the mainpage. For example, you could easilydisplay the most recently added printshere (see the second tip).3. Complete the HTML page:4. Save the file as index.php, place it inyour Web directory, and test it in yourWeb browser C.The images used in this example areavailable for download through the book’scompanion Web site (www.LarryUllman.com). You’ll find them among all of the filesin the complete set of downloadable scriptsand SQL commands.You could easily show recently addeditems on the index page by adding a date_entered column to the prints table and thenretrieving a handful of products in descendingorder of date_entered.C The public home page for the e-commerce site.632 Chapter 19

A The current product listing, created bybrowse_prints.php.The product CatalogFor customers to be able to purchase products,they’ll need to view them first. To thisend, two scripts will present the productcatalog. The first, browse_prints.php, willdisplay a list of the available prints A. If aparticular artist has been selected, only thatartist’s work will be shown B; otherwise,every print will be listed.The second script, view_print.php, willbe used to display the information for asingle print, including the image C. On thispage customers will find an Add to Cartlink, so that the print may be added to theshopping cart. Because the print’s imageis stored outside of the Web root directory,view_print.php will use a separatescript—nearly identical to show_image.php from Chapter 11—for the purpose ofdisplaying the image.B If a particular artist is selected (by clicking onthe artist’s name), the page displays works onlyby that artist.C The page that displays an individual product.Example —E-Commerce 633

To make browse_prints.php:1. Begin a new PHP document in your texteditor or IDE, to be named browse_prints.php (Script 19.6):

Script 19.6 The browse_prints.php script displays every print in the catalog or every print for a particularartist, depending upon the presence of $_GET['aid'].1

3. Overwrite the query if an artist ID waspassed in the URL:if (isset($_GET['aid']) && filter_➝ var($_GET['aid'], FILTER_VALIDATE_➝ INT, array('min_range' => 1)) ) {$q = "SELECT artists.artist_id,➝ CONCAT_WS(' ', first_name,➝ middle_name, last_name) AS➝ artist, print_name, price,➝ description, print_id FROM➝ artists, prints WHERE artists.➝ artist_id=prints.artist_id➝ AND prints.artist_id={$_➝ GET['aid']} ORDER BY prints.➝ print_name";}If a user clicks an artist’s name in theonline catalog, the user will be returnedback to this page, but now the URLwill be, for example, browse_prints.php?aid=6 B. In that case, the queryis redefined, adding the clause ANDprints.artist_id=X, so just that artist’sworks are displayed (and the ORDERBY is slightly modified). Hence, the twodifferent roles of this script—showingevery print or just those for an individualartist—are handled by variations on thesame query, while the rest of the scriptworks the same in either case.For security purposes, the Filterextension is used to validate the artistID. If your version of PHP does notsupport the Filter extension, you’ll needto use typecasting and make sure thatthe value is a positive integer prior tousing it in a query.4. Create the table head:echo '➝ Artist➝ Print Name➝ Description➝ Price';5. Display every returned record:$r = mysqli_query ($dbc, $q);while ($row = mysqli_fetch_array➝ ($r, MYSQLI_ASSOC)) {echo "\t➝ {$row['artist']}{$row['print_➝ name']}{$row➝ ['description']}\${$row➝ ['price']}\n";} // End of while loop.636 Chapter 19

The page should display the artist’sfull name, the print name, thedescription, and the price for eachreturned record. Further, the artist’sname should be linked back to thispage (with the artist’s ID appended tothe URL), and the print name shouldbe linked to view_print.php (with theprint ID appended to the URL E).This code doesn’t include a call tomysqli_num_rows( ), to confirm thatsome results were returned prior tofetching them, but you could add that ina live version, just to be safe.6. Close the table, the database connection,and the HTML page:echo '';mysqli_close($dbc);include ('includes/footer.html');?>7. Save the file as browse_prints.php,place it in your Web directory, and test itin your Web browser (A and B).See the “Review and Pursue” sectionat the end of the chapter for many ways youcould expand this particular script.E The source code for the page reveals how the artist and print IDs are appended to the links.Example —E-Commerce 637

To make view_print.php:1. Begin a new PHP document in your texteditor or IDE, to be named view_print.php (Script 19.7):

The query is a join like the one inbrowse_prints.php, but it selects onlythe information for a particular print F.continues on next pageF The result of running the view_print.php query in the mysql client.Script 19.7 continued32 Add to Cart33 ";3435 // Get the image information and display the image:36 if ($image = @getimagesize ("../uploads/$pid")) {37 echo "\n";38 } else {39 echo "No image available.\n";40 }4142 // Add the description or a default message:43 echo '' . ((is_null($row['description'])) ? '(No description available)' :$row['description']) . '';4445 } // End of the mysqli_num_rows( ) IF.4647 mysqli_close($dbc);4849 } // End of $_GET['pid'] IF.5051 if (!$row) { // Show an error message.52 $page_title = 'Error';53 include ('includes/header.html');54 echo 'This page has been accessed in error!';55 }5657 // Complete the page:58 include ('includes/footer.html');59 ?>Example —E-Commerce 639

5. If a record was returned, retrieve theinformation, set the page title, andinclude the HTML header:if (mysqli_num_rows($r) = = 1) {$row = mysqli_fetch_array ($r,➝ MYSQLI_ASSOC);$page_title = $row['print_name'];include ('includes/header.html');The browser window’s title will be thename of the print C.6. Begin displaying the print information:echo "{$row['print_name']} by{$row['artist']}";echo (is_null($row['size'])) ? '(No➝ size information available)' :➝ $row['size'];echo "\${$row['price']}Add to Cart";The header for the print will be theprint’s name (in bold), followed by theartist’s name, the size of the print, andits price. Finally, a link is displayed givingthe customer the option of addingthis print to the shopping cart G. Theshopping cart link is to the add_cart.php script, passing it the print ID.G The print information and a link to buy it aredisplayed at the top of the page.Because the print’s size can have aNULL value, the ternary operator is usedto print out either the size or a defaultmessage.7. Display the image:if ($image = @getimagesize ("../➝ uploads/$pid")) {echo "➝ \n";} else {echo "No➝ image available.\n";}Because the images are being safelystored outside of the Web rootdirectory, another PHP script is requiredto provide the image to the browser(the show_image.php script is beingused as a proxy script). The nameof the image itself is just the print ID,which was already passed to thispage in the URL.This section of the script will firstattempt to retrieve the image’s dimensionsby using the getimagesize( )function. If it is successful in doing so,the image itself will be displayed. Thatprocess is a little unusual in that thesource for the image calls the show_image.php page H. The show_image.php script, to be written next, expectsthe print ID to be passed in the URL,H The HTML source of the view_print.php page shows how the src attribute of the img tag calls theshow_image.php script, passing it the values it needs.640 Chapter 19

along with the image’s filename (storedin the database when the print isadded). This use of a PHP script todisplay an image is exactly like the useof show_image.php in Chapter 11, onlynow it’s occurring within another page,not in its own window.If the script could not retrieve theimage information (because the imageis not on the server or no image wasuploaded), a message is displayedinstead.8. Display the description:echo '' .➝ ((is_null($row['description']))➝ ? '(No description available)' :➝ $row['description']) . '';Finally, the print’s description isadded I. A default message willbe created if no print description wasstored in the database.9. Complete the two main conditionals:} // End of the mysqli_num_➝ rows( ) IF.mysqli_close($dbc);} // End of $_GET['pid'] IF.10. If a problem occurred, display an errormessage:if (!$row) {$page_title = 'Error';include ('includes/header.html');echo 'This➝ page has been accessed in➝ error!';}If the print’s information could not beretrieved from the database for whateverreason, then $row is still falseand an error should be displayed J.Because the HTML header wouldnot have already been included if aproblem occurred, it must be includedhere first.11. Complete the page:include ('includes/footer.html');?>12. Save the file as view_print.php andplace it in your Web directory.If you were to run this page in thebrowser at this point, no print imagewould be displayed as show_image.phphas not yet been written.continues on next pageI The print’s image followed by its description.J The view_print.php page, should it notreceive a valid print ID in the URL.Example —E-Commerce 641

Many e-commerce sites use an image forthe Add to Cart link. To do so in this example,replace the text Add to Cart (within the link tag) with the code for the image to beused. The important consideration is that theadd_cart.php page still gets passed theproduct ID number.If you wanted to add Add to Cart linkson a page that displays multiple products (likebrowse_prints.php), do exactly what’s donehere for individual products. Just make surethat each link passes the right print ID to theadd_cart.php page.If you want to show the availability ofa product, add an in_stock field to the printstable. Then display an Add to Cart link orProduct Currently Out of Stock messageaccording to the value from this column forthat print.To write show_image.php:1. Begin a new PHP document in your texteditor or IDE, to be named show_image.php (Script 19.8):

proven otherwise. The $name variable,which will be the name of the fileprovided to the Web browser, shouldcome from the URL. If not, a defaultvalue is assigned.2. Check for an image value in the URL:if (isset($_GET['image']) &&➝ filter_var($_GET['image'], FILTER_➝ VALIDATE_INT, array('min_range'➝ => 1)) ) {Before continuing, ensure that the scriptreceived an image value, which shouldbe part of the HTML src attribute foreach print in view_print.php H.3. Check that the image exists as a file onthe server:$image = '../uploads/' .➝ $_GET['image'];if (!file_exists ($image) ||➝ (!is_file($image))) {$image = FALSE;}As a security measure, the image’s fullpath is hard-coded as a combinationof ../uploads and the received imagename. You could also validate the MIMEtype (image/jpg, image/gif ) of the filehere, for extra security.Next, the script checks that the imageexists on the server and that it is a file(as opposed to a directory). If eithercondition is FALSE, then $image is setto FALSE, indicating a problem.4. Complete the validation conditional andcheck for a problem:} // End of $_GET['image'] IF.if (!$image) {$image = 'images/unavailable.➝ png';$name = 'unavailable.png';}If the image doesn’t exist, isn’t a file,or if no image name was passed tothis script, this condition will be TRUE.In such cases, a default image will beused. For that to happen, however, afair amount of hacking on the user’spart will have had to take place: theview_print.php script does somepreliminary verification of the image,only calling show_image.php if it canaccess the image.5. Retrieve the image information:$info = getimagesize($image);$fs = filesize($image);To send the file to the Web browser,the script needs to know the file’s typeand size. This code is the same as inChapter 11.6. Send the file:header ("Content-Type:➝ {$info['mime']}\n");header ("Content-Disposition:➝ inline; filename=\"$name\"\n");header ("Content-Length: $fs\n");readfile ($image);These header( ) calls will send to theWeb browser information about the fileto follow, exactly as in Chapter 11. Torevisit the overall syntax, the first lineprepares the browser to receive the file,based upon the MIME type. The secondline sets the name of the file being sent.The last header( ) function indicateshow much data is to be expected.The file data itself is sent using thereadfile( ) function, which reads in afile and immediately sends the contentto the Web browser.continues on next pageExample —E-Commerce 643

7. Save the file as show_image.php, placeit in your Web directory, and test it inyour Web browser by viewing any print.Notice that this page contains no HTML.It only sends an image file to the Webbrowser. As in Chapter 11, the closingPHP tag is omitted, to avoid potentialproblems.If the view_print.php page does notshow the image for some reason, you’ll needto debug the problem by running the show_image.php directly in your Web browser. Viewthe HTML source of view_print.php andfind the value of the img tag’s src attribute.Then use this as your URL (in other words, goto http://www.example.com/show_image.php?image=23&name=BirthOfVenus.jpeg).If an error occurred, running show_image.phpdirectly is the best way to find it.Searching the product CatalogThe structure of this database makesfor a fairly easy search capability, shouldyou desire to add it. As it stands, thereare only three logical fields to use forsearch purposes: the print’s name, itsdescription, and the artist’s last name.A LIKE query could be run on thesefields using the following syntax:SELECT…WHERE prints.description➝ LIKE'%keyword%' OR prints.print_➝ name LIKE '%keyword%' …Another option would be to create anadvanced search, wherein the userselects whether to search the artist’sname or the print’s name (similar towhat the Internet Movie Database,www.imdb.com, does with peopleversus movie titles).644 Chapter 19

Table 19.6 Sample $_SESSION['cart'] Values(index) Quantity Price2 1 54.00568 2 22.9537 1 33.50Script 19.9 This script adds products to theshopping cart by referencing the product(or print) ID and manipulating the session data.1

2. Check that a print ID was passed tothis script:if (isset ($_GET['pid']) &&➝ filter_var($_GET['pid'], FILTER_➝ VALIDATE_INT, array('min_range'➝ => 1)) ) {$pid = $_GET['pid'];As with the view_print.php script,the script should not proceed if no,or a non-numeric, print ID has beenreceived. If one has been received,then its value is assigned to $pid, tobe used later in the script.3. Determine if a copy of this print hadalready been added to the cart:if (isset($_SESSION['cart'][$pid])) {$_SESSION['cart'][$pid]➝ ['quantity']++;echo 'Another copy of the➝ print has been added to your➝ shopping cart.';Before adding the current print to theshopping cart (by setting its quantityto 1), check if a copy is already in thecart. For example, if the customerselected print #519 and then decidedto add another, the cart should nowcontain two copies of the print. Thescript therefore first checks if thecart has a value for the current printID. If so, the quantity is incremented.The code $_SESSION['cart'][$pid]['quantity']++ is the same as$_SESSION['cart'][$pid]['quantity']➝ = $_SESSION['cart'][$pid]➝ ['quantity'] + 1.Finally, a message is displayed A.Script 19.9 continued26 if (mysqli_num_rows($r) = = 1) { //Valid print ID.2728 // Fetch the information.29 list($price) = mysqli_fetch_array ($r, MYSQLI_NUM);3031 // Add to the cart:32 $_SESSION['cart'][$pid] = array('quantity' => 1, 'price' =>$price);3334 // Display a message:35 echo 'The print has beenadded to your shopping cart.';3637 } else { // Not a valid print ID.38 echo 'Thispage has been accessed inerror!';39 }4041 mysqli_close($dbc);4243 } // End of isset($_SESSION['cart'][$pid] conditional.4445 } else { // No print ID.46 echo 'This pagehas been accessed in error!';47 }4849 include ('includes/footer.html');50 ?>A The result after clicking an Add to Cart link foran item that was already present in the shoppingcart.646 Chapter 19

4. If the product is not already in the cart,retrieve its price from the database:} else { // New product to the➝ cart.require ('../mysqli_connect.php');$q = "SELECT price FROM prints➝ WHERE print_id=$pid";$r = mysqli_query ($dbc, $q);if (mysqli_num_rows($r) = = 1) {list($price) = mysqli_fetch_➝ array ($r, MYSQLI_NUM);If the product is not currently in the cart,this else clause comes into play. Here,the print’s price is retrieved from thedatabase using the print ID.5. Add the new product to the cart:$_SESSION['cart'][$pid] = array➝ ('quantity' => 1, 'price' =>➝ $price);echo 'The print has been added➝ to your shopping cart.';After retrieving the item’s price, anew element is added to the $_SESSION['cart'] multidimensionalarray. Since each element in $_SESSION['cart'] is itself an array,use the array( ) function to setthe quantity and price. A simplemessage is then displayed B.6. Complete the conditionals:} else { // Not a valid print➝ ID.echo '➝ This page has been➝ accessed in error!';}mysqli_close($dbc);} // End of isset($_SESSION➝ ['cart'][$pid] conditional.} else { // No print ID.echo 'This➝ page has been accessed in➝ error!';}The first else applies if no price couldbe retrieved from the database, meaningthat the submitted print ID is invalid.The second else applies if no print ID,or a non-numeric one, is received bythis page. In both cases, an error messagewill be displayed C.7. Include the HTML footer and completethe PHP page:include ('includes/footer.html');?>8. Save the file as add_cart.php, place itin your Web directory, and test it in yourWeb browser (by clicking an Add toCart link).continues on next pageB The result after adding a new item to theshopping cart.C The add_cart.php page will only add an itemto the shopping cart if the page received a validprint ID in the URL.Example —E-Commerce 647

The most important thing to store in thecart is the unique product ID and the quantityof that item. Everything else, including theprice, can be retrieved from the database.Alternatively, you could retrieve the price, printname, and artist name from the database, andstore all that in the session so that it’s easilydisplayed anywhere on the site.The shopping cart is stored in $_SESSION['cart'], not just $_SESSION.Presumably other information, like the user’sID from the database, would also be storedin $_SESSION.Viewing the shopping cartThe view_cart.php script will be morecomplicated than add_cart.php becauseit serves two purposes. First, it will displaythe contents of the cart in detail D.Second, it will give the customer the optionof updating the cart by changing the quantitiesof the items therein (or deleting anitem by making its quantity 0). To fulfill bothroles, the cart’s contents will be displayedin a form that gets submitted back to thissame page.Finally, this page will link to a checkout.php script, intended as the first step in thecheckout process.To create view_cart.php:1. Begin a new PHP document in your texteditor or IDE, to be named view_cart.php (Script 19.10):

Script 19.10 continued23 }2425 } // End of FOREACH.2627 } // End of SUBMITTED IF.2829 // Display the cart if it's not empty...30 if (!empty($_SESSION['cart'])) {3132 // Retrieve all of the information for the prints in the cart:33 require ('../mysqli_connect.php'); // Connect to the database.34 $q = "SELECT print_id, CONCAT_WS(' ', first_name, middle_name, last_name) AS artist, print_nameFROM artists, prints WHERE artists.artist_id = prints.artist_id AND prints.print_id IN (";35 foreach ($_SESSION['cart'] as $pid => $value) {36 $q .= $pid . ',';37 }38 $q = substr($q, 0, -1) . ') ORDER BY artists.last_name ASC';39 $r = mysqli_query ($dbc, $q);4041 // Create a form and a table:42 echo '43 44 45 Artist46 Print Name47 Price48 Qty49 Total Price50 51 ';5253 // Print each item...54 $total = 0; // Total cost of the order.55 while ($row = mysqli_fetch_array ($r, MYSQLI_ASSOC)) {5657 // Calculate the total and sub-totals.58 $subtotal = $_SESSION['cart'][$row['print_id']]['quantity'] * $_SESSION['cart'][$row['print_id']]['price'];59 $total += $subtotal;6061 // Print the row:62 echo "\t63 {$row['artist']}64 {$row['print_name']}65 \${$_SESSION['cart'][$row['print_id']]['price']}66 67 $" . number_format ($subtotal, 2) . "68 \n";code continues on next pageExample —E-Commerce 649

2. Update the cart if the form has beensubmitted:if ($_SERVER['REQUEST_METHOD'] = =➝'POST') {foreach ($_POST['qty'] as $k =>➝ $v) {$pid = (int) $k;$qty = (int) $v;if ( $qty = = 0 ) {unset ($_SESSION['cart']➝ [$pid]);} elseif ( $qty > 0 ) {$_SESSION['cart'][$pid]➝ ['quantity'] = $qty;}} // End of FOREACH.} // End of SUBMITTED IF.If the form has been submitted, then thescript needs to update the shoppingcart to reflect the entered quantities.These quantities will come in the $_POST['qty'] array, whose index is theprint ID and whose value is the newquantity (see E for the HTML sourcecode of the form). If the new quantityis 0, then that item should be removedScript 19.10 continued6970 } // End of the WHILE loop.7172 mysqli_close($dbc); // Close thedatabase connection.7374 // Print the total, close the table,and the form:75 echo '76 Total:77 $' . number_format ($total, 2) . '78 79 80 81 Enter aquantity of 0 to remove an item.82 Checkout';8384 } else {85 echo 'Your cart is currentlyempty.';86 }8788 include ('includes/footer.html');89 ?>E The HTML source code of the view shopping cart form shows how the quantity fieldsreflect both the product ID and the quantity of that print in the cart.650 Chapter 19

from the cart by unsetting it. If thenew quantity is not 0 but is a positivenumber, then the cart is updated toreflect this.If the quantity is not a number greaterthan or equal to 0, then no change willbe made to the cart. This will prevent auser from entering a negative number,creating a negative balance due, andgetting a refund!Alternatively, you could use the Filterextension to validate the print ID andthe quantity.3. If the cart is not empty, create the queryto display its contents:if (!empty($_SESSION['cart'])) {require ('../mysqli_connect.php');$q = "SELECT print_id, CONCAT_➝ WS(' ', first_name, middle_➝ name, last_name) AS artist,➝ print_name FROM artists,➝ prints WHERE artists.artist_➝ id = prints.artist_id AND➝ prints.print_id IN (";foreach ($_SESSION['cart'] as➝ $pid => $value) {$q .= $pid . ',';}$q = substr($q, 0, -1) . ')➝ ORDER BY artists.last_name➝ ASC';$r = mysqli_query ($dbc, $q);The query is a JOIN similar to one usedalready in this chapter. It retrieves allthe artist and print information for eachprint in the cart. One addition is the useof the IN SQL clause. Instead of justretrieving the information for one print(as in the view_print.php example),retrieve all the information for everyprint in the shopping cart. To do so, usea list of print IDs in a query like SELECT…print_id IN (519,42,427)…. You canalso use SELECT… WHERE print_id=519OR print_id=42 or print_id=427…, butthat’s unnecessarily long-winded.To generate the IN (519,42,427) partof the query, a for loop adds each printID plus a comma to $q. To remove thelast comma, the substr( ) function isapplied, chopping off the last character.4. Begin the HTML form and create a table:echo '➝ Artist➝ Print Name➝ Price➝ Qty➝ Total Price';5. Retrieve the returned records:$total = 0;while ($row = mysqli_fetch_array➝ ($r, MYSQLI_ASSOC)) {$subtotal = $_SESSION['cart']➝ [$row['print_id']]['quantity'] *➝ $_SESSION['cart'][$row['print_➝ id']]['price'];$total += $subtotal;continues on next pageExample —E-Commerce 651

When displaying the cart, the pageshould also calculate the order total,so a $total variable is initialized at 0first. Then for each returned row (whichrepresents one print), the price of thatitem is multiplied by the quantity todetermine the subtotal (the syntax ofthis is a bit complex because of themultidimensional $_SESSION['cart']array). This subtotal is added to the$total variable.6. Print the returned records:echo "\t{$row['artist']}➝ {$row['print_➝ name']}\${$_SESSION➝ ['cart'][$row['print_id']]➝ ['price']}$" . number_➝ format ($subtotal, 2) . "\n";Each record is printed out as a row inthe table, with the quantity displayedas a text input type whose value ispreset (based upon the quantity valuein the session). The subtotal amount(the quantity times the price) for eachitem is also formatted and printed.7. Complete the while loop and close thedatabase connection:} // End of the WHILE loop.mysqli_close($dbc);8. Complete the table and the form:echo '➝ Total:$' . number_➝ format ($total, 2) . 'Enter a➝ quantity of 0 to remove an item.Checkout';The order total is displayed in the finalrow of the table, using the number_format( ) function for formatting. Theform also provides instructions to theuser on how to remove an item, and alink to the checkout page is included.9. Finish the main conditional and thePHP page:} else {echo 'Your cart is currently➝ empty.';}include ('includes/footer.html');?>This else clause completes theif (!empty($_SESSION['cart'])) {conditional.652 Chapter 19

10. Save the file as view_cart.php, place itin your Web directory, and test it in yourWeb browser (F and G).On more complex Web applications, Iwould be inclined to write a PHP page strictlyfor the purpose of displaying a cart’s contents.Since several pages might want to displaythat, having that functionality in an includablefile would make sense.One aspect of a secure e-commerceapplication is watching how data is being sentand used. For example, it would be far lesssecure to place a product’s price in the URL,where it could easily be changed.F Changes made to any quantitiesupdate the shopping cart and ordertotal after clicking Update My Cart(compare with D ).G Remove everything in theshopping cart by setting thequantities to 0.Example —E-Commerce 653

Recording the ordersAfter displaying all the products as acatalog, and after the user has filled theshopping cart, there are three final steps:nnnChecking the user outRecording the order in the databaseFulfilling the orderIronically, the most important part—checking out (i.e., taking the customer’smoney)—could not be adequatelydemonstrated in a book, as it’s so particularto each individual site. So what I’ve doneinstead is given an overview of thatprocess in the sidebar. My book EffortlessE-Commerce with PHP and MySQL, bycontrast, specifically shows how to use twodifferent payment gateways, but doing sorequires two full chapters on their own.Similarly, the act of fulfilling the order isbeyond the scope of the book. For physicalproducts, this means that the order willneed to be packaged and shipped. Thenthe order in the database would be markedas shipped by indicating the shipping date.This concept shouldn’t be too hard for youto implement, but you do also have to payattention to managing the store’s inventory.For virtual products, order fulfillment is amatter of providing the user with the digitalcontent.So those are some of the issues thatcannot be well covered in this chapter;what I can properly demonstrate in thischapter is how the order informationwould be stored in the database. Toensure that the order is completely andcorrectly entered into both the orders andorder_contents tables, the script will usetransactions. This subject was introducedin Chapter 7, “Advanced MySQL,” using themysql client. Here the transactions will beThe Checkout processThe checkout process involves threesteps:1. Confirmation of the order.2. Confirmation and submission of thebilling and shipping information.3. Processing of the billing information.Steps 1 and 2 should be easy enough forintermediate programmers to completeon their own by now. In all likelihood,most of the data in Step 2 would comefrom the customers table, after the userhas registered and logged in.Step 3 is the trickiest one and couldnot be adequately addressed in thisbook. The particulars of this step varygreatly, depending upon how the billingis being handled and by whom. To makeit more complex, the laws are differentdepending upon whether the productbeing sold is to be shipped later or isimmediately delivered (like access toa Web site or a downloadable file).Most small- to medium-sized e-commercesites use a third party to handle thefinancial transactions. Normally thisinvolves sending the billing information,the order total, and a store number (areference to the e-commerce site itself)to another Web site. That site will handlethe actual billing process, debitingthe customer and crediting the store.Then a result code will be sent back tothe e-commerce site, which would beprogrammed to react accordingly. Insuch cases, the third party handling thebilling will provide the developer withthe appropriate code and instructionsto interface with their system.For more information, or assistancewith, any of this, see my book EffortlessE-Commerce with PHP and MySQLor turn to the supporting forums(www.LarryUllman.com/forums/).654 Chapter 19

Script 19.11 The final script in the e-commerceapplication records the order information in thedatabase. It uses transactions to ensure that thewhole order gets submitted properly.1

3. Include the database connection andturn off MySQL’s autocommit mode:require ('../mysqli_connect.php');mysqli_autocommit($dbc, FALSE);The mysqli_autocommit( ) functioncan turn MySQL’s autocommit featureon or off. Since transactions will beused to ensure that the entire orderis entered properly, the autocommitbehavior should be disabled first. If youhave any questions about transactions,see Chapter 7 or the MySQL manual.4. Add the order to the orders table:$q = "INSERT INTO orders➝ (customer_id, total) VALUES($cid, $total)";$r = mysqli_query($dbc, $q);if (mysqli_affected_rows($dbc) = =➝ 1) {This query is very simple, entering onlythe customer’s ID number and the totalamount of the order into the orderstable. The order_date field in the tablewill automatically be set to the currentdate and time, as it’s a TIMESTAMPcolumn.5. Retrieve the order ID:$oid = mysqli_insert_id($dbc);The order_id value from the orderstable is needed in the order_contentstable to relate the two.6. Prepare the query that inserts the ordercontents into the database:$q = "INSERT INTO order_contents➝ (order_id, print_id, quantity,➝ price) VALUES (?, ?, ?, ?)";$stmt = mysqli_prepare($dbc, $q);mysqli_stmt_bind_param($stmt,➝'iiid', $oid, $pid, $qty, $price);The query itself inserts four valuesinto the order_contents table, whereScript 19.11 continued33 $stmt = mysqli_prepare($dbc, $q);34 mysqli_stmt_bind_param($stmt, 'iiid',$oid, $pid, $qty, $price);3536 // Execute each query; count thetotal affected:37 $affected = 0;38 foreach ($_SESSION['cart'] as $pid =>$item) {39 $qty = $item['quantity'];40 $price = $item['price'];41 mysqli_stmt_execute($stmt);42 $affected += mysqli_stmt_affected_rows($stmt);43 }4445 // Close this prepared statement:46 mysqli_stmt_close($stmt);4748 // Report on the success....49 if ($affected = = count($_SESSION['cart'])) { // Whohoo!5051 // Commit the transaction:52 mysqli_commit($dbc);5354 // Clear the cart:55 unset($_SESSION['cart']);5657 // Message to the customer:58 echo 'Thank you for your order.You will be notified when theitems ship.';5960 // Send emails and do whateverelse.6162 } else { // Rollback and report theproblem.6364 mysqli_rollback($dbc);6566 echo 'Your order could not beprocessed due to a system error.You will be contacted in orderto have the problem fixed. Weapologize for the inconvenience.';67 // Send the order information tocode continues on next page656 Chapter 19

there will be one record for each printpurchased in this order. The query isdefined, using placeholders for the values,and prepared. The mysqli_stmt_bind_param( ) function associates fourvariables to the placeholders. Theirtypes, in order, are: integer, integer,integer, double (aka float).7. Run through the cart, inserting eachprint into the database:$affected = 0;foreach ($_SESSION['cart'] as $pid➝ => $item) {$qty = $item['quantity'];$price = $item['price'];mysqli_stmt_execute($stmt);$affected += mysqli_stmt_➝ affected_rows($stmt);}mysqli_stmt_close($stmt);Script 19.11 continuedthe administrator.6869 }7071 } else { // Rollback and report theproblem.7273 mysqli_rollback($dbc);7475 echo 'Your order could not beprocessed due to a system error. Youwill be contacted in order to havethe problem fixed. We apologize forthe inconvenience.';7677 // Send the order information to theadministrator.7879 }8081 mysqli_close($dbc);8283 include ('includes/footer.html');84 ?>By looping through the shopping cart,as done in view_cart.php, the scriptcan access each item, one at a time.To be clear about what’s happening inthis step: the query has already beenprepared—sent to MySQL and parsed—and variables have been assigned tothe placeholders. Within the loop, twonew variables are assigned valuesthat come from the session. Then, themysqli_stmt_execute( ) function iscalled, which executes the preparedstatement, using the variable values atthat moment. The $oid value will notchange from iteration to iteration, but$pid, $qty, and $price will.To confirm the success of all thequeries, the number of affected rowsmust be tracked. A variable, $affected,is initialized to 0 outside of the loop.Within the loop, the number of affectedrows is added to this variable after eachexecution of the prepared statement.8. Report on the success of thetransaction:if ($affected = = count($_SESSION➝ ['cart'])) {mysqli_commit($dbc);unset($_SESSION['cart']);echo 'Thank you for your➝ order. You will be notified➝ when the items ship.';The conditional checks to see if asmany records were entered into thedatabase as exist in the shopping cart.In short: did each product get insertedinto the order_contents table? If so,then the transaction is complete andcan be committed. Next, the shoppingcart is emptied and the user is thanked.Logically you’d want to send a confirmationemail to the customer here as well.continues on next pageExample —E-Commerce 657

9. Handle any MySQL problems:} else {mysqli_rollback($dbc);echo 'Your order could➝ not be processed due to a➝ system error. You will be➝ contacted in order to have➝ the problem fixed. We➝ apologize for the➝ inconvenience.';}} else {mysqli_rollback($dbc);echo 'Your order could not be➝ processed due to a➝ system error. You will be➝ contacted in order to have➝ the problem fixed. We➝ apologize for the➝ inconvenience.';}The first else clause applies if thecorrect number of records were notinserted into the order_contents table.The second else clause applies ifthe original orders table query fails.In either case, the entire transactionshould be undone, so the mysqli_rollback( ) function is called.If a problem occurs at this point of theprocess, it’s rather serious becausethe customer has been charged butno record of the order has made it intothe database. This shouldn’t happen,but just in case, you should write all thedata to a text file and/or email all of it tothe site’s administrator or do somethingthat will create a record of this order. Ifyou don’t, you’ll have some very iratecustomers on your hands.10. Complete the page:mysqli_close($dbc);include ('includes/footer.html');?>11. Save the file as checkout.php, place itin your Web directory, and test it in yourWeb browser A.You can access this page by clickingthe link in view_cart.php.12. Confirm that the order was properlystored by looking at the database usinganother interface B.On a live, working site, you should assignthe $customer and $total variables realvalues for this script to work. You would alsolikely want to make sure that the cart isn’tempty prior to trying to store the order inthe database.If you’d like to learn more aboute-commerce or see variations on this process,a quick search on the Web will turn upvarious examples and tutorials for makinge-commerce applications with PHP, or checkout my book Effortless E-Commerce withPHP and MySQL.A The customer’s order is now complete, afterentering all of the data into the database.B The order in the MySQL database, as viewedusing the mysql client.658 Chapter 19

Review and pursueIf you have any problems with the reviewquestions or the pursue prompts, turnto the book’s supporting forum (www.LarryUllman.com/forums/).Note: Some of these questions andprompts rehash information covered earlierin the book, in order to reinforce some ofthe most important points.ReviewnnnnnnnWhat kind of storage engine in MySQLsupports transactions?What types of indexes does MySQLsupport? What criteria go into decidingwhat columns should be indexed andwhat type of index is most appropriate?What is a Secure Sockets Layer (SSL)?Why is it important for e-commercesites? Do you have SSL enabled foryour Web site?Why isn’t it problematic that the imagesfor the prints are stored without fileextensions?What steps should you take to debugproblems in PHP scripts that interactwith a MySQL database?What is a multidimensional array?What is meant by MySQL’s autocommitfeature?n What does the mysqli_insert_id( )function do?nWhat does it mean to commit orrollback a transaction?pursuennnnnnnnnExpand the definition of the artists tableto record other information about eachartist. Also display this other informationon the public side of the site.Add a quantity_on_hand column tothe prints table. Add a form element toadd_print.php so that the administratorcan indicate how many copies ofthe product are initially in stock. On thepublic side, only offer an “Add to Cart”option for products that are available.When an item is sold (i.e., in checkout.php), reduce each product’s quantityon hand by the number of copies sold.Expand the definition of the customerstable to include other pertinentinformation.Create registration, login, and logoutfunctionality for customers, using theinformation from Chapter 18, “Example—UserRegistration,” as your basis.Create the ability for customers to viewtheir accounts, change their passwords,view previous orders, etc.Create and use a template for theadministrative side of the site.Using sessions, restrict access to theadministrative side of the site to verifiedusers.Apply the code from Chapter 11 toimprove the security of add_print.php, so that it properly validates theuploaded file’s type and size.Take the dynamically generated artistspull-down menu from add_print.phpand use it as a navigational tool on thepublic side. To do so, set the form’saction attribute to browse_print.php,change the name of the pull-down menucontinues on next pageExample —E-Commerce 659

nnnnnnto aid, use the GET method, and whenusers select an artist and click Submit,he or she will be taken to, for example,browse_print.php?aid=5.Apply pagination to browse_prints.php. See Chapter 10 for more onpagination.On browse_prints.php, add theoption to affect how the prints aredisplayed by adding links to the columnheadings (e.g., to browse_prints.php?order=price). Then change theORDER BY in the queries based upon thepresence, and value, of $_GET['order'].Again, this idea was demonstrated inChapter 9.Combine some of the functionality ofview_print.php and add_cart.phpso that the details of the print justadded to the cart are also shown onadd_cart.php.To show the contents of the cart onadd_cart.php, add the applicable codefrom view_cart.php to the end of add_cart.php.Create the ability for the administrator toview the list of orders. Hint: the first pagewould function like browse_prints.php, except that it would perform a joinacross orders and customers. This pagecould display the order total, the orderID, the order date, and the customer’sname. You could link the order ID toa view_order.php script, passing theorder ID in the URL. That script woulduse the order ID to retrieve the detailsof the order from the order_contentstable (joining prints and artists in theprocess).Add the ability to calculate tax and shippingfor orders. Store these values inthe orders table, too.660 Chapter 19

Indexnumbers1NF (First Normal Form), 169–1712NF (Second Normal Form), 172–1743NF (Third Normal Form), 175–1768-bit Unicode Transformation Format, 2Symbols-- operator, 23, 45− operator, 23! operator, 45!= operator, 140\$ escape sequence, 29% operator, 23* operator, 23. operator, 21, 26–27/ operator, 23@ error suppression operator, 250, 270\' escape sequence, 29\\ escape sequence, 29\" escape sequence, 29| operator, 140|| operator, 45, 48, 140+ operator, 23++ operator, 23< operator, 45- operator, 45>= operator, 140!- operator, 45&& (and) operator, 45, 48, 56, 140* (asterisk), using with SELECT queries, 138`(backticks), use in SQL commands, 137{ } (curly braces)using with arrays, 55, 57using with conditionals, 45, 48$ (dollar sign), using with variables, 14= = (double equals sign) vs. = (equals sign), 47" (double) quotation marks, using, 29–31\ (escape), using, 6( ) (parentheses)using with clauses, 25using with functions, 8# (pound) symbol, using in comments, 10–11; (semicolon)avoiding, 280using with statements, 6' (single) quotation marks, using, 29–31// (slashes), using in comments, 10–11[ ] (square brackets)using with databases, 114using with functions, 104_ (underscore), using with variables, 17AABS( ) function, 157absolute vs. relative paths, 76access problems, debugging, 263addition operator, symbol for, 23AES_DECRYPT( ) function, 237AES_ENCRYPT( ) function, 237, 239Ajax. See also jQuerycreating JavaScript, 485form, 481–482handling request, 484login_ajax.php script, 484login.php script, 481–482overview, 479–480performing request, 486–491server-side script, 483aliases, 153, 155ALTER command, 230ALTER TABLE clauses, 222ANALYZE command, 230and (&&) operator, 45, 48, 56and not (XOR) logical operator, 45, 48AND operator, 45, 48, 156, 140Index 661

argument values, setting defaults, 101–104argumentsempty strings, 104FALSE value, 104$name, 103NULL value, 104using with user-defined functions, 97–100values, 104arithmetic, precedence issue, 25arithmetic operatorsaddition, 23decrement, 23division, 23increment, 23modulus, 23multiplication, 23subtraction, 23array( ) function, using, 58array values, printing during debugging, 261array_map( ) function, 408arrays&& (and) operator, 56{ } (curly braces), 55, 57accessing, 58–59arsort( ) function, 65, 68$artists, 54asort( ) function, 65, 68associative, 54, 62calendar.php document, 59–61combining, 63and conditionals, 56–57$_COOKIE superglobal, 55creating, 58creating and accessing, 59–60defined, 54$_ENV superglobal, 55examples, 54foreach loop, 58–61, 63–64$_GET superglobal, 55$GLOBALS, 109HTML table for sorting, 66indexed, 54indexing, 58keys, 54, 57key-value pairs, 54ksort( ) function, 65, 67of Mexican states, 62–64multidimensional, 61–64naming rules, 54natsort( ) function, 68$_POST superglobal, 55–56printing, 55printing after sorting, 67randomizing order of, 68referring to values in, 54$_REQUEST superglobal, 55–56returning from functions, 108$_SERVER superglobal, 55$_SESSION superglobal, 55shuffle( ) function, 68sort( ) function, 65sorting, 65–68of sphenic numbers, 61$states, 54and strings, 65superglobals, 55–56using, 56–57using for pull-down menus, 59–60using with loops, 70usort( ) function, 68arsort( ) function, using with arrays, 65, 68asort( ) function, using with arrays, 65, 68assignment operator (=), 140example, 25using for concatenation, 22using with variables, 14asterisk (*), using with SELECT queries, 138AUTO_INCREMENT example, 135autocommit nature, altering, 236AVG( ) grouping function, 214–215, 217Bbackslash code, 29backticks (`), use in SQL commands, 137banking databaseaccounts table, 198average account balance, 214customers table, 197transactions table, 199BETWEEN operator, 140blacklist validation, 409blank pagedisplaying in error, 8error, 258books database, 176Boolean FULLTEXT searches, performing, 227–229Boolean mode operators, 227boundaries, using with regular expressions, 444browsersending data to, 7–9sending HTML to, 12brute force attacks, preventing, 431662 Index

Ccalculator.html pageDOM manipulation, 474–478saving, 468calculator.js page, saving, 472calculator.php documentchanging echo statement, 107create_gallon_radio( ) function, 98creating, 86default argument values, 101–104Filter extension, 422–424formatting costs, 107$name argument, 103radio buttons, 98–103return statement, 108returning costs, 107rewriting for sticky form, 90–94saving, 90, 100saving for sticky form, 94script, 87, 92–93typecasting, 410–413user-defined function, 98–100calendar.php documentcreating, 59loop examples, 70–71saving, 61call to undefined function error, 97, 258cannot redeclare function error, 258CAPTCHA test, 408carriage return code, 29CASCADE action, using with foreign keyconstraints, 196Cascading Style Sheets (CSS). See CSS(Cascading Style Sheets)CASE( ) function, 219ceil( ) function, 319CEILING( ) function, 157CHAR( ) function, 135CHAR vs. VARCHAR, 117character classes, using with regular expressions,443–445character codes, replacing with values, 29character setsassigning, 186–188collations, 184establishing for columns, 186explained, 184UTF-8, 188UTF-8 encoding, 185characters, printing, 31CHARSET command, 186@charset "utf-8", using with CSS files, 5cinema database, 172clauses, grouping in parentheses, 25COALESCE( ) function, 218Codd, E.F., 166collationsassigning, 186–188establishing for columns, 186explained, 184specifying in queries, 188viewing, 185column types, choosing for databases, 114–117column values, applying functions to, 153columns, using indexes on, 179comma, concatenating to variables, 21commentsavoiding nesting, 13example, 15guidelines for, 13HTML, 10keeping up to date, 13multiline, 10, 12PHP, 10using at end of line, 13using to debug scripts, 259writing, 10–13comments.php documentcreating, 11saving, 12COMMIT command, using with queries, 233, 236comparative operators-- (is equal to), 45< (less than), 45 (greater than), 45>- (greater than or equal to), 45!- (is not equal to), 45comparison functions, 218CONCAT( ) functions, 154–156concatenating values, 22concatenationassignment operator (=), 22defined, 21operator (.), 21using, 21–22using with numbers, 21using with strings, 21concatenation operator (.)using, 21using with constants, 26–27concat.php file, saving, 22Index 663

conditionals{ } (curly braces), 45, 48adding to print message, 47default values, 48else, 45elseif, 45$gender variable, 46if, 45if-elseif-else, 47indicating subsets of, 48switch, 48using, 46–48using with arrays, 56–57connection scripts .php with, 271constantsaccessing values of, 26assigning scalar values, 26concatenation (.) operator, 26–27creating, 26date, 27define( ) function, 26mysqli_fetch_array( ), 281naming, 26omitting quotation marks, 26PHP_OS, 26PHP_VERSION, 26predefined, 26using, 27–28vs. variables, 26constants.php documentcreating, 27saving, 28constraints vs. triggers, 201CONVERT( ) function, 188CONVERT_TZ function, 190cookiesaccessing, 380–382creating logout link, 386–387deleting, 384–385expirations, 384explained, 376sending, 378–380vs. sessions, 388setting, 377setting parameters, 382–384size limit, 380testing for, 376Coordinated Universal Time (UTC)explained, 189using, 189COUNT( ) grouping function, 214–215, 319applying, 217create_ad( ) function, calling, 97create_gallon_radio( ) function, 98CSS (Cascading Style Sheets)error class, 51using with HTML forms, 37CSS file, declaring encoding for, 5CUR( ) functions, 159–160curly braces ({ })using with arrays, 55, 57using with conditionals, 45, 48Ddata, validating by type, 409–413database designERD (entity-relationship diagram), 169foreign key constraints, 195–201forum data, 166–167indexes, 179–181process, 169reviewing, 177–178database elements, naming, 112–113database schemaexplained, 166MySQL Workbench program, 169database structure, confirming, 188database tablesaltering, 222deleting data in, 152emptying, 152joining three or more, 211–213databasesAUTO_INCREMENT, 118–119banking, 196–197“big,” 233books, 176choosing column types, 114–117connecting to, 268–272data types, 115default values for columns, 119–120deleting, 152encrypting, 237–239forum, 175, 181–182indexes, 118keys, 118, 167Length attribute, 114message board, 520–528modeling, 169movies table, 170optimizing, 230planning contents of, 166PRIMARY KEY, 118–119relationships, 168–169664 Index

selecting, 268–272square brackets ([ ]), 114TEXT columns, 120TIMESTAMP column, 119UNSIGNED number types, 119–120USE command, 123, 126users table, 116, 120ZEROFILL number types, 119date and timeaccessing on client, 163*_FORMAT parameters, 162functions, 159–161, 362–365NOW( ) function, 163returning current, 163date constant, creating, 27DATE( ) function, 159date( ) function formattingformatting, 362parameters, 364dates, handling consistently, 194DateTime class, 511–517datetime.php script, 513–514DAY( ) functions, 159–160debugging. See also error messagesaccess problems, 263basics, 242–243beginning, 244–246with Firefox, 246FLUSH PRIVILEGES, 263HTML errors, 246–247JavaScript, 459MySQL techniques, 262–263PHP scripts, 5, 8, 33, 259–261with phpinfo( ) script, 245SQL techniques, 262–263steps, 243–244using display_errors, 33validation tools, 246decimals vs. integers, 25decrement operator, symbol for, 23define( ) function, using with constants, 26DELETE command, 151delete_user.php script, 303–305deletingconstrained records, 201cookies, 384–385data, 151–152records, 297session variables, 393sessions, 393–395die( ) function, using in debugging, 261, 270display_errors, 248–249confirming, 33turned off, 8using in debugging, 33using to debug scripts, 259display_errors.php, opening, 251division operator, symbol for, 23do...while, 70documents, organizing, 271dollar sign ($)code, 29–31using with variables, 14DOM manipulation, 473–478double (") quotation marks, 29–31double equals sign (= =) vs. equals sign (=), 47DROP command, 152dynamic Web sites. See also external files; HTMLforms; Web sitesease of maintenance, 78handling HTML forms, 85–90.html file extension, 78.inc file extension, 78including multiple files, 78–84$page_title variable, 82security, 78sticky forms, 91–94structure, 78eecho language constructsending HTML code to browser, 8using, 6–7using over multiple lines, 9using to debug scripts, 260echo statementconcatenation example, 21in HTML forms, 43using with strings, 20e-commerceadd_artist.php document, 613–618add_cart.php script, 645–648add_print.php document, 618–628artists table, 606, 608browse_prints.php document, 634–637checkout process, 654checkout.php script, 655–658customers table, 607, 609database, 606–611footer.html document, 631header.html document, 629–630index.php document, 631–632Index 665

e-commerce (continued)order_contents table, 607, 610orders table, 607, 609prints table, 606, 608–609product catalog, 633–644public template, 629–632recording orders, 654–658security, 611shopping cart, 645–653show_image.php document, 642–644view_cart.php script, 648–653view_print.php document, 638–642, 644edit_user.php script, 309–311else conditional, 45elseif conditional, 45email, sending, 330–335email.php script, 332–333array_map( ) function, 408preventing spam, 404empty( ) function, using with forms, 49empty variable value error, 258encodingdeclaring for external CSS file, 5explained, 2indicating to Web browser, 2listing, 184encrypting databases, 237–239. See also securitymethodsenctype, including with form tag, 342, 347ENUM types, sorting on, 146equals sign (=) vs. double equals sign (= =), 47ERD (entity-relationship diagram)example, 178explained, 169error CSS class, defining, 51error handlers, customizing, 253–257error managementdie( ) function, 261exit( ) function, 261error messages. See also debuggingaccess-denied, 263call to undefined function error, 97column values in MySQL, 137deleting parent records, 195SHOW WARNINGS command, 137trusting, 33Undefined variable: variablename, 44error reportingadjusting in PHP, 250–252levels, 250notices, 250warnings, 250errorsin book, 247display_errors, 248–249PHP, 248–249suppressing with @, 250syntactical, 242types of, 242–243escape (\), 6escape sequences, 29exit( ) function, using in debugging, 261EXPLAIN command, 231, 233extensions, 4external files. See also Web sitesabsolute paths, 76include( ) function, 76–77, 82referencing, 76relative paths, 76require( ) function, 76–77using, 78Ffetch_object( ) method, 507file extensions, 4file not found error, receiving, 5file uploadsallowing for, 336–337configurations, 336$_FILES array, 342with PHP, 342–347preparing server, 338–341secure folder permissions, 337Unix chmod command, 341Fileinfo extension, 415–416filesincluding multiple, 76–84validating by type, 414–417$_FILES array, using with uploads, 342filters, 421–424sanitation, 421validation, 421Firefox, using for debugging, 246First Normal Form (1NF), 169–171first.php documentcreating, 3running in browser, 4saving, 4sending data to Web browser, 7FLOOR( ) function, 157FLUSH PRIVILEGES, using in debugging, 263folder permissions, securing, 337footer file, including in HTML form, 90666 Index

footer.html filecreating, 81saving, 82for loop. See also loopsexample, 69functionality, 70rewriting foreach loop as, 70–71foreach loop. See also loopsrewriting as for loop, 70–71using with arrays, 58–61, 63–64foreign key constraintsaccounts table, 198action options, 195banking database, 197CASCADE action, 196creating, 197–201customers table, 197ON DELETE action, 195explained, 195–196impact on INSERT queries, 195populating tables, 200syntax, 195transactions table, 199ON UPDATE action, 195form dataadding CSS to HTML head, 51empty( ) function, 49, 51error CSS class, 51if-else conditional, 52is_numeric( ) function, 53isset( ) function, 49, 51validating, 49–53validating gender variable, 51–52form tagaction attribute, 36enctype part of, 342, 347method attribute, 36specifying encoding, 40using in HTML forms, 36, 38FORMAT( ) function, 157*_FORMAT parameters, date and time, 162form.html documentcreating, 37saving, 40testing, 43forms. See also HTML formspreventing automated submissions, 408validating, 56validation errors, 279forum database, 175. See also message boardatomic, 170creating, 186ERD (entity-relationship diagram),explained, 178indexes, 181items, 166–167table types, 182time zones, 190–194forum page, creating for message board,538–542forums table, creating, 186FULLTEXT indexes, adding, 180, 223–224FULLTEXT searchesBoolean, 227–229performing, 222–226function.js documentcreating, 350saving, 352functions. See also MySQL functions; PHPfunctions; user-defined functions[ ] (square brackets), 104applying to column values, 153avoiding global variables in, 109calling and returning arrays, 108date and time, 159errors, 258grouping, 214for numbers, 23numeric, 157–158optional parameters, 104returning multiple values, 108searching in PHP manual, 22for strings, 22text, 154–156type validation, 409Ggarbage collection, 394gender radio buttons, validating, 46gender variable, validating, 51–52GET request, using with HTML forms, 85$_GET variable vs. variable scope, 109getdate( ) array, 363getimagesize( ) array, 352$GLOBALS array, adding elements to, 109greater than (>) operator, 45greater than or equal to (>-) operator, 45GREATEST( ) function, 218GROUP BY clauses, using with joins, 215GROUP_CONCAT( ) grouping function, 214groupingfunctions, 214–215data, 216–217Index 667

Hhandle_form.php documentfor arrays, 56–57conditionals example, 46–48creating, 42saving, 43, 53using stripslashes( ) function in, 44validating form data, 49–53HAVING clause, explained, 217header( ) function, 356–361header.html filefor logout link, 386modifying, 266–267saving, 81, 266for session variables, 392headers already sent error, 258hidden form inputs, 304–308home page, creating for message board, 537HOUR( ) function, 159.htaccess file, 337HTMLprinting with PHP, 31resource for, 5sending to Web browser, 12HTML attributes, double quoting, 94HTML code, sending, 8HTML errors, debugging, 246–247.html extension, 3, 78HTML for Web page script, 80HTML forms. See also dynamic Web sites; forms;sticky formsage element, 42beginning, 89comments element, 42completing, 89creating, 37–40CSS (Cascading Style Sheets), 37echo statement, 43email element, 42encoding for form tag, 39footer file, 90form data variables, 42form tag, 36, 38gender element, 42gender radio button, 46GET method, 36GET request, 85handling, 42–44, 86–90.html extension, 39input types, 44method attribute, 36multidimensional arrays from, 64name element, 42number_format( ) function, 88performing calculations, 88POST method, 36, 85printing, 42printing results, 88printing values in, 42pull-down menu, 39, 59–60radio buttons, 39, 90$_REQUEST[ ] variables, 42–43sample script, 37–38starting, 38submit element, 42submitting back to itself, 90testing, 43testing submission of, 85–86text box for comments, 39text inputs, 38textarea element, 39validating, 88variables for form elements, 42HTML source codealtering spacing of, 9checking, 33HTML table, creating to sort arrays, 66HTML template script, 79HTML5, development of, 3HTML-embedded language, PHP as, 2htmlentities( ) function, 418–420.html extension, 39htmlspecialchars( ) function, 418, 420HTTP headers, 355–357iif conditional, 45if-else conditional, 52if-elseif-else conditional, 47IFNULL( ) function, 221images.php document. See also show_image.phpscriptcreating, 352date and time functions, 363–365script, 353–355IN operator, 140.inc file extension, 78include( ) functionvs. require( ) function, 84using, 76–77, 82increment operator, symbol for, 23index page, creating for message board, 537indexescreating, 179–181FULLTEXT, 180PRIMARY KEY, 180668 Index

UNIQUE, 180using on columns, 179using with JOINs, 181index.php filesaving, 83using to create function, 95ini_set( ) function, 248–249inner joins, 205–207, 212InnoDB storage enginefeatures, 182foreign key constraints, 195vs. MyISAM, 182integersvs. decimals, 25maximum, 25is equal to (--) operator, 45IS FALSE operator, 140is not equal to (!-) operator, 45IS NOT NULL operator, 140IS NULL operator, 140–141IS TRUE operator, 140is_* type validation functions, 409is_numeric( ) function, using with forms, 53is_uploaded_file( ) function, 347ISO-8859-1 encoding, use of, 5isset( ) functionusing with conditionals, 45validating form data, 49, 51JJavaScriptalert( ) call, 470debugging, 459event handling, 469–472form submission, 470–472form validation, 491formatting numbers, 472test.js file, 470JavaScript filecreating, 349–354creating with PHP, 352–354join types, 232joining tables, 211–213joinscreating, 211GROUP BY clauses in, 215inner, 205–207, 212outer, 208–211performing, 204–205self-, 210JOINs, using indexes with, 181jQuery. See also Ajax$(document), 466DOM manipulation, 473–478hosted, 461HTML form, 467–468incorporating, 460–462overview, 458–459selecting page elements, 466–468selecting Web documents, 466test.html script, 462, 467using, 463–465jQuery( ) function, calling, 465Kkeysassigning, 167foreign, 167primary, 167ksort( ) function, using with arrays, 65, 67LLEFT( ) function, 154LENGTH( ) function, 154, 156less than (< ) operator, 45less than or equal to (

logout.php script, 385, 393loops. See also for loop; foreach loop;while loopconditions, 70do...while, 70infinite, 70parameters, 70using, 70–71using with arrays, 70LOWER( ) function, 154MMagic Quotes. See also quotation marksstripslashes( ) function, 44undoing effect of, 44mail( ) function, 330–335many-to-many relationship, 168matches.php document, 450, 452mathematical calculationsassignment operators, 25performing, 24MAX( ) grouping function, 214MAX_FILE_SIZE, 347MD5( ) function, 135message board. See also forum databaseadministering, 557database, 520–528footer file, 536forum page, 538–542header.html template, 530–536home page, 537index page, 537languages table, 527post_form.php page, 548–551posting messages, 548–557post.php file, 552–557read.php file for thread page, 544–546templates, 529–537thread page, 543–547threads table, 524users table, 525, 527words table, 526, 528messages table, creating, 187meta tag, using in encoding, 2meta-characters, using in regularexpressions, 438method attribute, using with HTML forms, 36MIN( ) grouping function, 214MINUTE( ) function, 159MOD( ) function, 157–158modulus operator, symbol for, 23MONTH( ) functions, 159movies table, 170movies-actors table, 171, 174multi.php document, creating, 62multiplication operator, symbol for, 23MyISAM table type, 182MySQL. See also SQL (Structured QueryLanguage)accessing, 121–127case sensitivity of identifiers, 113CHAR( ) function, 135column properties, 118–120column types, 114–117connecting to, 268–272connection for OOP, 497–500debugging techniques, 262–263described, 111errors related to column values, 137FALSE keyword, 142INTO in INSERT, 137inserting rows, 133length limits for element names, 113MD5( ) function, 135naming database elements, 112–113NOT NULL value for columns, 118NOW( ) function, 135, 137NULL value for columns, 119Query Browser, 121selecting column types, 116–117SHA1( ) function, 135, 137, 142SHOW CHARACTER SET command, 184SHOW command, 188time zones, 189–194TRUE keyword, 142users table, 113mysql client, 121–124MySQL data typesBIGINT, 115BINARY, 117BOOLEAN, 117CHAR, 115, 117DATE, 115DATETIME, 115DECIMAL, 115DECIMAL vs. FLOAT or DOUBLE, 117DOUBLE, 115ENUM, 114–115FLOAT, 115INSERT, 117INT, 115LONGBLOB, 117LONGTEXT, 115MEDIUMBLOB, 117MEDIUMINT, 115MEDIUMTEXT, 115670 Index

SET, 114–115SHOW ENGINES command, 183SMALLINT, 115TEXT, 115TIME, 115TIMESTAMP, 115, 117TINYBLOB, 117TINYINT, 115, 117TINYTEXT, 115UPDATE, 117VARBINARY, 117VARCHAR, 115, 117MySQL functions, support for, 267. See alsofunctionsMySQL Workbench program, 169mysqli_connect.php documentcreating, 268saving, 270script, 269security, 271mysqli_fetch_array( ) constants, 281mysqli_num_rows( ) function, 290–291mysqli_real_escape_string( ) function,286–289, 425n\n (newline) characterescape sequence, meaning, 29, 31printing, 9namespaces, support for, 496natsort( ) function, using with arrays, 68newline (\n) character, printing, 9newline code, 29, 31nl2br( ) function, 420normalization1NF (First Normal Form), 169–1712NF (Second Normal Form), 172–1743NF (Third Normal Form), 175–176defined, 165development, 166forms, 169overruling, 176process, 166, 169not (!) operator, 45NOT BETWEEN operator, 140NOT IN operator, 140NOT LIKE keywordliteral underscore, 144percentage, 144using, 143–144NOT operator, 140Notepad, avoiding use of, 3–4notices, error reporting, 250NOW( ) function, 135, 159NULL type, explained, 45NULL values vs. empty strings, 141number_format( ) function, 23, 25, 88numbersarithmetic operators, 23functions for, 23quoting, 23sphenic, 61using, 24–25using typecasting with, 413using variables with, 24numbers.php documentcreating, 24quotation marks examples, 29–31saving, 25number-type variables, examples, 23numeric functions, 157–158oone-to-many relationship, 168one-to-one relationship, 168OOP (Object-Oriented Programming). See alsoprogramming techniquesclasses, 496DateTime class, 511–517executing queries, 501–504fetch_object( ) method, 507fetching results, 505–507fundamentals, 494–495MySQL connection, 497–500outbound parameters, 510prepared statements, 508–510vs. procedural, 494syntax in PHP, 495–496operating system (OS) constant, 26operatorscomparative, 45exclusive or, 48logical, 45ternary, 317OPTIMIZE command, 230or (||) operator, 45, 48OR operator, 45, 48, 140ORDER BY clausealias in, 155using with indexes, 180ORDER BY clause, using with queries, 145–146OS (operating system) constant, 26outbound parameters, 510outer joins, 208–211output buffering, 561Index 671

ppagination, explained, 316parameters. See argumentsparentheses (( ))using with clauses, 25using with functions, 8parse error, 258for arrays, 55receiving, 8password, validating, 277password.php script, 292–297paths, absolute vs. relative, 76patternsback references, 455defining for regular expressions, 438–440matching, 452–455meta-characters, 438modifiers, 450replacing, 452–455pcre.php scriptcharacter classes, 444–445matching patterns, 435quantifiers, 441–442reporting matches, 446–449using patterns, 439–440PHPadjusting error reporting, 250–252debugging technique, 258–261namespaces, 496OOP syntax in, 495–496updating records with, 292–297PHP and JavaScript, 348PHP codeexecuting, 5objects in, 500placing in PHP tags, 3PHP errorsblank page, 258call to undefined function, 258cannot redeclare function, 258displaying, 248–249empty variable value, 258headers already sent, 258logging, 257parse error, 258undefined variable, 258.php extensionusing, 3, 78using with connection scripts, 271PHP files, including extensions with, 3PHP functions, using with MySQL, 267. Seealso functionsPHP mail( ) dependencies, 330PHP manual, accessing, 22PHP pages, storing data sent to, 44PHP scripts. See also scriptsdebugging, 5, 8, 33, 259–261for JavaScript, 352–354making, 3–5running through URLs, 7, 33sending values to, 300–303writing, 3PHP tags, 4PHP_OS constantexplained, 26using, 27PHP_VERSION constantexplained, 26using, 27, 33phpinfo( ) functionusing, 33using for debugging, 245php.ini configuration file, include_pathsetting, 84phpMyAdminINSERT form, 137INSERT tab, 137SELECT queries, 139sitename database, 132updating records, 150using, 124–127“Plain and Simple” template, 78POST method, using with HTML forms, 85$_POST variable vs. variable scope, 109post_message.php script, 427–431, 508–510pound (#) symbol, using in comments, 10–11POW( ) function, 157precedence, explained, 25predefined.php documentcreating, 15saving, 17preg_match( ) function, using with regularexpressions, 446–447preg_replace( ) function, 452–454prepared statementsin OOP, 508–510performance, 425using, 427–431primary key, assigning, 167PRIMARY KEY index, adding, 180–181print language constructsending HTML code to browser, 8using, 6–7using over multiple lines, 9using to debug scripts, 260print_r( ) function, 500672 Index

printingarrays, 55arrays after sorting, 67backslashes, 29characters, 31date, 27dollar signs, 30–31HTML forms, 42HTML with PHP, 31names of scripts, 16operating system information, 27parse error, receiving, 55PHP version, 27quotation marks, 29results of HTML forms, 88server information, 16user information for scripts, 16validation results for form data, 52values in HTML forms, 43values of strings, 18values of variables, 31programming techniques. See also OOP (Object-Oriented Programming)editing records, 309–315hidden form inputs, 304–308paginating query results, 316–322sending values to scripts, 300–303sortable displays, 323–327proxy.php script, using with HTTP headers, 355pull-down menuadding to HTML form, 39preselecting in sticky forms, 91using arrays for, 59–60Qquantifiers, using with regular expressions,441–442queriesexecuting, 273–280executing in OOP, 501–504explaining, 231–233identifying problems with, 233limiting results, 147–148optimizing, 230–233ORDER BY clause, 145–146performing calculations in, 142quotes in, 134sorting results, 145–146specifying collations in, 188query resultsfetching, 284paginating, 316–322retrieving, 281–284quotation marks. See also Magic Quoteschecking during debugging, 260escape sequences, 29printing, 29single vs. double, 29–31using in queries, 134using with functions, 6–7using with HTML attributes, 94using with strings, 18using with variables, 14quotes.php file, saving, 31R\r escape sequence, meaning, 29radio buttonsadding to HTML forms, 39changing in sticky forms, 93presetting in sticky forms, 91using in HTML forms, 90RAND( ) function, 157–158RDBMS, “relational” aspect, 169read.php, creating for thread page, 544–546recordscounting returned, 290–291deleting, 151–152, 297deleting constrained, 201editing, 309–315fetching, 506finding in users table, 319updating, 149–150updating with PHP, 292–297register.php script, 274–276modifying, 291mysqli_real_escape_string( ), 286–288OOP example, 502–504regular expressionsboundaries, 444character classes, 443–446finding matches, 446–449matching patterns, 452–455modifiers, 450–451patterns, 438–440preg_match( ) function, 446quantifiers, 441–442reducing greediness, 447–448replacing patterns, 452–455searching, 156strstr( ) function, 440test script, 434–437using, 403, 409, 413Index 673

elationshipsmany-to-many, 168one-to-many, 168one-to-one, 168relative vs. absolute paths, 76REPLACE command, 137REPLACE( ) function, 154$_REQUEST variable vs. variable scope, 109require( ) function, vs. include( ) function, 84return, including in messages, 9return statement, using with functions, 105–108RIGHT( ) function, 154ROLLBACK command, with queries, 233, 236round( ) function, 23ROUND( ) function, 157rows, inserting in MySQL, 133Ssanitation filters, 421savepoints, creating in transactions, 236scandir( ) function, 352schema, defined, 166script files, 352scripts. See also PHP scriptsdynamic, 17printing names of, 16searches, performing FULLTEXT, 222–226SECOND( ) function, 159Second Normal Form (2NF), 172–174second.php file, saving, 7secure SQL, ensuring, 285–289securitye-commerce, 611of sortable displays, 327security methods. See also encrypting databasesapproaching, 403CAPTCHA test, 408Filter extension, 421–424preventing brute force attacks, 431preventing spam, 402–408preventing SQL injection attacks, 425–431preventing XSS attacks, 418–420recommendations, 430validating data by type, 409–413validating files by type, 414–417SELECT queries* (asterisk) used with, 138adding conditionals to, 140–143listing columns in, 139retrieving columns, 139using with column values, 153selections, advanced, 218–221self-joins, performing, 210semicolon (;)avoiding, 280using with statements, 6server, preparing for file uploads, 338–341server information, printing, 16session behavior, changing, 396session fixation, preventing, 399session variablesaccessing, 390–392deleting, 393setting, 388–389session_start( ) function, calling, 394sessionsbeginning, 389–390vs. cookies, 388deleting, 393–395destroying, 393improving security, 396–399using, 388setcookie( ) function, 377, 380arguments, 384result of, 387SHA1( ) function, 135, 236, 239SHOW CHARACTER SET command, 184SHOW command, 188SHOW ENGINES command, 183SHOW WARNINGS command, 137show_image.php script. See also images.phpdocumentcreating, 358saving, 360shuffle( ) function, using with arrays, 68single (') quotation marks, 29–31sitename databasecreating, 130SELECT queries, 140–142users table, 131slashes (//), using in comments, 10–11sort( ) function, using with arrays, 65sortable displays, making, 323–327sortingarrays, 65–68on ENUM types, 146query results, 145–146sorting.php documentcreating, 66saving, 68space, concatenating to variables, 21spacing, altering in Web pages, 9spam, preventing, 402–408spam_scrubber( ) function, 404–406special characters, printing, 31sphenic numbers, creating array of, 61674 Index

SQL (Structured Query Language). Seealso MySQLaliases, 153, 155AUTO_INCREMENT, 135character set, 132collation, 132conditionals, 140–142confirming tables, 132CREATE DATABASE syntax, 130creating databases, 130–132creating tables, 130–132date and time functions, 159–161debugging techniques, 262–263DELETE command, 151deleting data, 151–152DESCRIBE tablename syntax, 132DROP command, 152formatting date and time, 162–163formatting text, 155–156functions, 153–156INSERT command, 133–137inserting records, 133–137LIKE, 143–144LIMIT clause, 147–148limiting query results, 147–148listing columns, 132NOT LIKE, 143–144NULL values, 133numeric functions, 157–158quotes in queries, 134securing, 285–289SELECT query, 138–139SHOW COLUMNS FROM tablename, 132SHOW TABLES syntax, 132sorting query results, 145–146specifying collation, 132table types, 132text columns, 132text functions, 154–155TRUNCATE TABLE command, 151UPDATE syntax, 149–150updating data, 149–150users table, 131WHERE term, 140–141SQL commandsbackticks (`) in, 137entering, 127REPLACE, 137SELECT, 138–139SQL injection attacksbound value types, 426prepared statements, 427–431preventing, 425–431SQRT( ) function, 157square brackets ([ ])using with databases, 114using with functions, 104sticky forms. See also HTML formschanging distance input, 92changing radio buttons, 93described, 91making, 92–94preselecting pull-down menu, 91presetting status of radio buttons, 91presetting value of textarea, 91select menu options, 94using, 309, 314–315value attribute, 91storage engine, defined, 182string equality, checking for, 143strings. See also variablesand arrays, 65assigning values to variables, 18calculating length of, 22comparing, 143concatenating, 21–22converting case of, 22creating, 18defined, 18echo statement, 20functions, 22matching, 222printing values of, 18size consideration, 20using, 19–20using quotation marks with, 18using variables with, 19strings.php documentconcatenation example, 21–22creating, 19saving, 20strip_tags( ) function, 418, 420stripslashes( ) function, 44strlen( ) function, 22strstr( ) function 440strtolower( ) function, 22strtoupper( ) function, 22Structured Query Language (SQL). See SQL(Structured Query Language)style.css file, downloading, 79SUBSTRING( ) function, 154subtraction operator, symbol for, 23SUM( ) grouping function, 214, 217superglobal variable, $_REQUEST, 44switch conditional, 48syntax, errors in, 242Index 675

T\t escape sequence, meaning, 29tab code, 29table typesconfirming, 223establishing, 183finding, 183MyISAM, 182storage engine, 182using, 182tables. See database tablestemplate systemcreating, 77–78header file, 266–267index.php page, 83ternary operator, structure of, 317textconverting, 188formatting, 155–156text box for comments, adding to HTML form, 39text editor, 3text functions, 154–156textarea elementadding to HTML form, 39presetting value in sticky forms, 91Third Normal Form (3NF), 175–176thread page, creating for message board,543–547Thumbs.db file, 354time. See date and timetime zones, changing, 190transactionscreating savepoints in, 236performing, 234–236triggers vs. constraints, 201TRIM( ) function, 154TRUNCATE command, 297TRUNCATE TABLE command, 151.txt extension, avoiding use of, 4type validation functions, 409typecasting, 410–413uucfirst( ) function, 22ucwords( ) function, 22undefined variable error, 258Undefined variable: variablename error, 44underscore ( _ ), using with variables, 17UNIQUE indexes, adding, 180Unix chmod command, using for file uploads, 341UNIX_TIMESTAMP( ) functions, 159UPDATE query, running, 292–297UPDATE syntax, 149–150upload_image.php document, 343–345upload_rtf.php script, 415–417UPPER( ) function, 153–154URLsappending variables to, 303using with PHP scripts, 5, 7, 33user information, printing, 16user registrationaccount activation, 586–588activation page, 586–588activation process, 583change_password.php script, 599–603configuration scripts, 566–573database connection, 571–573database scheme, 573database script, 570footer.html file, 563–565forgot_password.php script, 594–599header.html file, 560–562home page, 574–575index.php script, 574–575login.php script, 589–592logout.php script, 593output buffering, 561password management, 594–603register.php script, 576–585site administration, 602templates, 560–565user-defined functions. See also functionscalculation script, 105–107calling after creating, 97case insensitivity, 95create_ad( ), 97creating, 95–97default argument values, 101–104memory usage, 97naming, 95return statement, 105returning values from, 105–108taking arguments, 97–100variable scope, 109users tablecreating, 187finding records in, 319usort( ) function, using with arrays, 68UTC (Coordinated Universal Time)explained, 189using, 191–194UTC Offsets table, 189UTC_TIMESTAMP( ) functions, 159UTF-8 characters, increasing column size for, 188UTF-8 encoding, 2, 185, 191676 Index

Vvalidating files by type, 414–417validationblacklist, 409typecasting, 410–413whitelist, 409validation errors, reporting forms, 279validation filters, 421validation tools, using for debugging, 246$var, removing backslashes from, 44VARCHAR vs. CHAR, 117variable names, replacing, 29variable scopealtering, 109circumventing, 109global statement, 109superglobal alternative, 109variables. See also stringsadding to function definitions, 97appending to URLs, 303arrays, 14assigning values to, 14, 20assignment operator (=), 14Boolean, 14case sensitivity, 14confirming values of, 44vs. constants, 26defined, 14floating point, 14including underscore, 17integer, 14naming, 14, 17nonscalar, 14NULL, 14objects, 14omitting spaces, 17preceding with $ (dollar sign), 14predefined, 14printing, 14–15printing values of, 31scalar, 14shorthand version, 16strings, 14superglobal, 44syntactical rules, 14tracking during debugging, 260treatment of, 17typecasting, 410using, 15–17using with numbers, 24using with strings, 19version of PHP constant, 26, 33view_users.php script, 282–283, 300–302modifying, 290–291OOP example, 506–507paginating, 316–322sortable displays, 323–325Wwarnings, error reporting, 250Web applicationsdate and time functions, 362–365file uploads, 336–338file uploads with PHP, 342–347HTTP headers, 355–361PHP and JavaScript, 348–354preparing servers for uploads, 338–341sending email, 330–335Web browsersending data to, 7–9sending HTML to, 12Web pages, altering spacing in, 9Web sites, dynamic vs. static, 75. See alsodynamic Web sitesWHEN...THEN clauses, 219WHERE clause, 140–141using with indexes, 180using with UPDATE, 150while loop. See also loopsexample, 69functionality, 70white space, areas of, 9whitelist validation, 409wildcards, using with LIKE and NOT LIKE, 144WITH QUERY EXPANSION modifier, 229wordwrap( ) function, 333www.query.com, loading, 461xXHTML, resource for, 5XHTML 1.0 Transitional document, 2XML-style tags, 4XOR (and not) operator, 45, 48, 140XSS attacks, preventing, 418–420xss.php script, 419YYEAR( ) function, 159ZZ (Zulu) timeexplained, 189using, 191–194Index 677

Unlimited online access to all Peachpit, AdobePress, Apple Training and New Riders videosand books, as well as content from otherleading publishers including: O’Reilly Media,Focal Press, Sams, Que, Total Training, JohnWiley & Sons, Course Technology PTR, Classon Demand, VTC and more.no time commitment or contract required!Sign up for one month or a year.all for $19.99 a monthSign up todaypeachpit.com/creativeedge

AThanks for downloading thisbonus appendix to PHP andMySQL for Dynamic WebSites: Visual QuickPro Guide,Fourth Edition, by Larry Ullman(Peachpit Press, 2011).InstallationThere are three technical requirementsfor executing all of this book’s examples:MySQL (the database application), PHP(the scripting language), and the Webserver application (that PHP runs through).This appendix describes the installation ofthese tools on two different platforms—Windows 7 and Mac OS X. If you are usinga hosted Web site, all of this will alreadybe provided for you, but these productsare all free and easy enough to install, soputting them on your own computer stillmakes sense.After covering installation, the appendixdiscusses related issues that will be ofimportance to almost every user. First, Iintroduce how to create users in MySQL.Next, I demonstrate how to test your PHPand MySQL installation, showing techniquesyou’ll want to use when you beginworking on any server for the first time.Then, you’ll learn how to configure PHPto change how it runs. Finally, and new inthis edition of this book, I introduce how tochange the Apache Web server’s behavior,in order to address common needs.installation on WindowsAlthough you can certainly install a Webserver (like Apache, Abyss, or IIS), PHP,and MySQL individually on a Windowscomputer, I strongly recommend you usean all-in-one installer instead. It’s simplyeasier and more reliable to do so.There are several all-in-one installersout there for Windows. The two mentionedmost frequently are XAMPP(www.apachefriends.org) and WAMP(www.wampserver.com). For this appendix,I’ll use XAMPP, which runs on most versionsof Windows.Along with Apache, PHP, and MySQL,XAMPP also installs:nnnnnPEAR (PHP Extension and ApplicationRepository), a library of PHP codePerl, a very popular programminglanguagephpMyAdmin, the Web-based interfaceto a MySQL serverA mail server (for sending email)Several useful extensions

At the time of this writing XAMPP (Version1.7.4) installs PHP 5.3.5, MySQL 5.5.8,Apache 2.2.17, and phpMyAdmin 3.3.9.I’ll run through the installation process inthese next steps. Note that if you have anyproblems, you can use the book’s supportingforum (www.LarryUllman.com/forums/),but you’ll probably have more luck turningto the XAMPP site (it is their product, afterall). Also, the installer works really well andisn’t that hard to use, so rather than detailevery single step in the process, I’ll highlightthe most important considerations.To install xAMpp on Windows:1. Download the latest release of XAMPP forWindows from www.apachefriends.org.You’ll need to click around a bit to findthe download section, but eventuallyyou’ll come to an area where you canfind the download A. Then click EXE,which is the specific item you want.2. On your computer, double-click thedownloaded file in order to begin theinstallation process.3. If prompted, install XAMPP somewhereother than in the Program Files directory.A From the ApacheFriends Web site, grab thelatest installer for Windows.on FirewallsA firewall prevents communication over ports (a port is an access point to a computer). Versionsof Windows starting with Service Pack 2 of XP include a built-in firewall. You can also downloadand install third-party firewalls. Firewalls improve the security of your computer, but they may alsointerfere with your ability to run Apache, MySQL, and some of the other tools used by XAMPPbecause they all use ports.When running XAMPP, if you see a security prompt indicating that the firewall is blocking Apache,MySQL, or the like, choose Unblock or Allow, depending upon the version of Windows in use.Otherwise, you can configure your firewall manually (for example, on Windows 7, it’s done throughControl Panel > System and Security). The ports that need to be open are as follows: 80 (forApache), 3306 (for MySQL), and 25 (for the Mercury mail server). If you have any problems startingor accessing one of these, disable your firewall and see if it works then. If so, you’ll know thefirewall is the problem and that it needs to be reconfigured.Just to be clear, firewalls aren’t found just on Windows, but in terms of the instructions in thisappendix, the presence of a firewall will more likely trip up a Windows user than any other.A2 Appendix A

B Select what additional installation optionsyou want.You shouldn’t install it in the ProgramFiles directory because of a permissionsissue on some versions of Windows. Irecommend installing XAMPP in yourroot directory (e.g., C:\).Wherever you decide to install theprogram, make note of that location,as you’ll need to know it severalother times as you work through thisappendix.4. If you want, create Desktop and StartMenu shortcuts B.5. Continue through the remainingprompts, reading them and pressingEnter/Return to continue.6. After the installation process has doneits thing C, click Yes to start the controlpanel.continues on next pageC The installation of XAMPP is complete!InstallationA3

7. To start, stop, and configure XAMPP,use the XAMPP control panel D.8. As needed, using the control panel,start Apache, MySQL, and Mercury.Apache has to be running for everychapter in this book. MySQL must berunning for about half of the chapters.Mercury is the mail server that XAMPPinstalls. It needs to be running in orderto send email using PHP (see Chapter 11,“Web Application Development”).9. Immediately set a password for the rootMySQL user.How you do this is explained later inthe appendix.D The XAMPP control panel, used to managethe software.The XAMPP control panel’s variousadmin links will take you to different Webpages (on your server) and other resources E.See the “PHP Configuration” sectionto learn how to configure PHP by editing thephp.ini file.Your Web root directory—where yourPHP scripts should be placed in order to testthem—is the htdocs folder in the directorywhere XAMPP was installed. Followingthese installation instructions, this wouldbe C:\xampp\htdocs.E The Web-based splash page for XAMPP, linkedfrom the control panel.When starting the XAMPP Control Panelusing XAMPP 1.7.4 on a 64-bit version of Windows7, I consistently saw an error messageabout a “Status Check Failure.” I never figuredout the cause, but the error didn’t preventXAMPP from being completely usable.A4 Appendix A

Xnstallation on Mac oS xAlthough Mac OS X comes with Apachebuilt in, and installing MySQL is not thathard, I recommend that beginners takea more universally foolproof route anduse the all-in-one MAMP installer (www.mamp.info). It’s available in both free andcommercial versions, is very easy to use,and won’t affect the Apache server builtinto the operating system.Along with Apache, PHP, and MySQL,MAMP also installs phpMyAdmin, the Webbasedinterface to a MySQL server, alongwith lots of useful PHP extensions. As ofthis writing, MAMP (Version 1.9.6.1) installsboth PHP 5.2.13 and 5.3.2, in additionto MySQL 5.1.44, Apache 2.0.63, andphpMyAdmin 3.2.5.I’ll run through the installation process inthese next steps. If you have any problems,you can use the book’s supporting forum(www.LarryUllman.com/forums/), butyou’ll probably have more luck turning tothe MAMP site (it is their product, after all).Also, the installer works really well and isn’tthat hard to use, so rather than detail everysingle step in the process, I’ll highlight themost important considerations.To install MAMp on Mac oS x:1. Download the latest release of MAMPfrom www.mamp.info.On the front page, click Downloads, andthen click Download: MAMP & MAMPPRO 1.9.6.1 A. (As new releases ofMAMP come out, the link and filenamewill obviously change accordingly.)The same downloaded file is used forboth products. In fact, MAMP Pro isjust a nicer interface for controlling andcustomizing the same MAMP software.continues on next pageA Download MAMP from this page at www.mamp.info.InstallationA5

2. On your computer, double-click thedownloaded file in order to mount thedisk image B.3. Copy the MAMP folder from the diskimage to your Applications folder.If you think you might prefer thecommercial MAMP PRO, copy thatfolder as well (again, it’s an interface toMAMP, so both folders are required).MAMP PRO comes with a free 14-daytrial period.Whichever folder you choose, notethat you must place it within theApplications folder. It cannot go in asubfolder or another directory on yourcomputer.4. Open the /Applications/MAMP (or /Applications/MAMP PRO) folder.5. Double-click the MAMP (or MAMP PRO)application to start the program C.It may take just a brief moment to startthe servers, but then you’ll see a resultlike that in C for MAMP or D forMAMP PRO.When starting MAMP, a start pageshould also open in your default Webbrowser E. Through this page you canview the version of PHP that’s running,as well as how it’s configured, andinterface with the MySQL databaseusing phpMyAdmin.With MAMP PRO, you can access thatsame page by clicking the WebStartbutton D.B The contents of the downloaded MAMPdisk image.C The simple MAMP application, used to controland configure Apache, PHP, and MySQL.D The MAMP PRO application, used to controland configure Apache, PHP, MySQL, and more.A6 Appendix A

E The MAMP Web start page.6. To start, stop, and configure MAMP, usethe MAMP or MAMP PRO application Cor D.There’s not much to the MAMPapplication itself (which is a good thing),but if you click Preferences, you cantweak the application’s behavior F, setthe version of PHP to run, and more.MAMP PRO also makes it easy to createdifferent virtual hosts (i.e., differentsites; discussed separately later inthis appendix), adjust how Apache isconfigured and runs, use dynamic DNS,change how email is sent, and more.7. Immediately change the password forthe root MySQL user.How you do this is explained later inthe appendix.Personally, I appreciate how great MAMPalone is, and that it’s free. I also don’t likespending money, but I’ve found the purchaseof MAMP PRO to be worth the relatively littlemoney it costs.F These options dictate what happens when youstart and stop the MAMP application.See the “PHP Configuration” sectionto learn how to configure PHP by editing thephp.ini file.MAMP also comes with a Dashboardwidget you can use to control the Apacheand MySQL servers.Your Web root directory—where yourPHP scripts should be placed in order to testthem—is the htdocs folder in the directorywhere MAMP was installed. For a standardMAMP installation without alteration, thiswould be Applications/MAMP/htdocs.G MAMP allows you to change where the Webdocuments are placed.You may want to change the ApacheDocument Root G to the Sites directory inyour home folder. By doing so, you assure thatyour Web documents will be backed up alongwith your other files (and you are performingregular backups, right?).InstallationA7

Managing MySQL usersOnce you’ve successfully installed MySQL,you can begin creating MySQL users. AMySQL user is a fundamental securityconcept, limiting access to, and influenceover, stored data. Just to clarify, yourdatabases can have several different users,just as your operating system might. ButMySQL users are different from operatingsystem users. While learning PHP andMySQL on your own computer, you don’tnecessarily need to create new users,but live production sites need to havededicated MySQL users with appropriatepermissions.The initial MySQL installation comes withone user (named root) with no passwordset (except when using MAMP, which sets adefault password of root). At the very least,you should create a new, secure passwordfor the root user after installing MySQL.After that, you can create other users withmore limited permissions. As a rule, youshouldn’t use the root user for normal, dayto-dayoperations.I’ll walk you through both of theseprocesses over the next couple of pages.Note that if you’re using a hosted server,they’ll likely create the MySQL users foryou. These instructions require use ofeither the command-line mysql client orphpMyAdmin. If you don’t know how toaccess either of these on your computer,quickly read the Accessing MySQL sectionof Chapter 4, “Introduction to MySQL.”Setting the root user passwordWhen you install MySQL, no value—or nosecure password—is established for theroot user. This is certainly a security riskthat should be remedied before you beginto use the server (as the root user hasunlimited powers).You can set any user’s password using eitherphpMyAdmin or the mysql client, so long asthe MySQL server is running. If MySQL isn’tcurrently running, start it now using the stepsoutlined earlier in the appendix.Second, you must be connected to MySQLas the root user in order to be able tochange the root user’s password.To assign a password to the rootuser via the MySQL client:1. Connect to the MySQL client.See Chapter 4 for detailed instructions,if needed.2. Enter the following command, replacingthepassword with the password youwant to use A:SET PASSWORD FOR 'root'@'➝ localhost' = PASSWORD➝ ('thepassword');Keep in mind that passwords inMySQL are case-sensitive, so Kazanand kazan aren’t interchangeable.The term PASSWORD that precedes theactual quoted password tells MySQL toencrypt that string. And there cannotbe a space between PASSWORD andthe opening parenthesis.A Updating the root user’spassword using SQL withinthe MySQL client.A8 Appendix A

3. Exit the MySQL client:exit4. Test the new password by logging in tothe MySQL client again.Now that a password has been established,you need to add the -p flag tothe connection command. You’ll see anEnter password: prompt, where youenter the just-created password.To assign a password to theroot user via phpMyAdmin:1. Open phpMyAdmin in your Web browser.See the preceding set of steps fordetailed instructions.2. On the home page, click the Privileges tab.You can always click the home icon, in theupper-left corner, to get to the home page.3. In the list of users, click the Edit Privilegesicon on the root user’s row B.4. Use the Change Password form C,found farther down the resulting page,to change the password.5. Change the root user’s password inphpMyAdmin’s configuration file,if necessary.The result of changing the rootuser’s password will likely be thatphpMyAdmin is denied access tothe MySQL server. This is becausephpMyAdmin, on a local server, normallyconnects to MySQL as the rootuser, with the root user’s passwordhard-coded into a configuration file.After following Steps 1–4, find theconfig.inc.php file in the phpMyAdmindirectory—likely /Applications/MAMP/bin/phpMyAdmin (Mac OS Xwith MAMP) or C:\xampp\phpMyAdmin(Windows with XAMPP). Open that filein any text editor or IDE and change thisnext line to use the new password:$cfg['Servers'][$i]['password']➝ = 'the_new_password';Then save the file and reloadphpMyAdmin in your Web browser.B The list of MySQL users, as shown in phpMyAdmin.C The form for updatinga MySQL user’s passwordwithin phpMyAdmin.InstallationA9

Creating users and privilegesAfter you have MySQL successfully upand running, and after you’ve establisheda password for the root user, you can addother users. To improve the security of yourdatabases, you should always create newusers to access your databases rather thanusing the root user at all times.The MySQL privileges system wasdesigned to ensure proper authority forcertain commands on specific databases.This technology is how a Web host, forexample, can let several users access severaldatabases without concern. Each userin the MySQL system can have specificcapabilities on specific databases fromspecific hosts (computers). The root user—the MySQL root user, not the system’s—hasthe most power and is used to createsubusers, although subusers can be givenrootlike powers (inadvisably so).When a user attempts to do somethingwith the MySQL server, MySQL firstchecks to see if the user has permissionto connect to the server at all (based onthe username, the user’s host, the user’spassword, and the information in the mysqldatabase’s user table). Second, MySQLchecks to see if the user has permissionto run the specific SQL statement on thespecific databases—for example, to selectdata, insert data, or create a new table.Table A.1 lists most of the various privilegesyou can set on a user-by-user basis.There are a handful of ways to set usersand privileges in MySQL, but I’ll start bydiscussing the GRANT command. Thesyntax goes like this:GRANT privileges ON database.* TO➝'username'@'hostname' IDENTIFIED BY➝'password';For the privileges aspect of this statement,you can list specific privileges fromTable A.1, or you can allow for all of themby using ALL (which isn’t prudent). Thedatabase.* part of the statement specifieswhich database and tables the user canwork on. You can name specific tablesusing the database.tablename syntax orallow for every database with *.* (again,not prudent). Finally, you can specify theusername, hostname, and a password.The username has a maximum length of16 characters. When creating a username,be sure to avoid spaces (use the underscoreinstead), and note that usernamesare case-sensitive.TABLe A.1 MySQL PrivilegesPRIVILEGESELECTINSERTUPDATEDELETEINDEXALTERCREATEDROPRELOADSHUTDOWNPROCESSFILEGRANTREVOKEALLOWSRead rows from tables.Add new rows of data to tables.Alter existing data in tables.Remove existing data from tables.Create and drop indexes intables.Modify the structure of a table.Create new tables or databases.Delete existing tables ordatabases.Reload the grant tables (andtherefore enact user changes).Stop the MySQL server.View and stop existing MySQLprocesses.Import data into tables fromtext files.Create new users.Remove users’ permissions.A10 Appendix A

The hostname is the computer from whichthe user is allowed to connect. This couldbe a domain name, such as www.example.com, or an IP address. Normally, localhost isspecified as the hostname, meaning that theMySQL user must be connecting from thesame computer that the MySQL databaseis running on. To allow for any host, use thehostname wildcard character (%):GRANT privileges ON database.*➝ TO 'username'@'%' IDENTIFIED BY➝'password';But that is also not recommended. Whenit comes to creating users, it’s best to beexplicit and confining.The password has no length limit butis also case-sensitive. The passwordsare encrypted in the MySQL database,meaning they can’t be recovered in a plaintext format. Omitting the IDENTIFIED BY'password' clause results in that user notbeing required to enter a password (which,once again, should be avoided).As an example of this process, you’ll createtwo new users with specific privileges on anew database named temp. Keep in mindthat you can only grant permissions to userson existing databases. This next sequencewill also show how to create a database.To create new users:1. Log in to the MySQL client as a root user.Use the steps explained in Chapter 4 todo this, if you don’t already know. Youmust be logged in as a user capable ofcreating databases and other users.2. Create the temp database:CREATE DATABASE temp;Creating a database is quite easy, usingthe preceding syntax. This commandwill work as long as you’re connectedas a user with the proper privileges.3. Create a user that has basic-levelprivileges on the temp database D:GRANT SELECT, INSERT, UPDATE,➝ DELETEON temp.* TO'webuser'@'localhost'IDENTIFIED BY 'BroWs1ng';The generic webuser user can browsethrough records (SELECT from tables)and add (INSERT), modify (UPDATE),or DELETE them. The user can onlyconnect from localhost (from the samecomputer) and can only access thetemp database.continues on next pageD Creating a user that can perform basic tasks on one database.InstallationA11

4. Apply the changes E:FLUSH PRIVILEGES;The changes just made won’t takeeffect until you’ve told MySQL toreset the list of acceptable users andprivileges, which is what this commanddoes. Forgetting this step and thenbeing unable to access the databaseusing the newly created users is acommon mistake.Any database whose name begins withtest_ can be modified by any user who haspermission to connect to MySQL. Therefore,be careful not to create a database named thisway unless it truly is experimental.The REVOKE command removes usersand permissions.E Don’t forget this step before youtry to access MySQL using the newlycreated users.Creating users in phpMyAdminTo create users in phpMyAdmin, startby clicking the Privileges tab on thephpMyAdmin home page. On thePrivileges page, click Add A New User.Complete the Add A New User form todefine the user’s name, host, password,and privileges. Then click Go. Thiscreates the user with general privilegesbut no database-specific privileges.On the resulting page, select thedatabase to apply the user’s privilegesto and then click Go. On the next page,select the privileges this user shouldhave on that database, and then clickGo again. This completes the processof creating rights for that user on thatdatabase. Note that this process allowsyou to easily assign a user differentrights on different databases.Finally, click your way back to thePrivileges tab on the home page andthen click the reload the privileges link.A12 Appendix A

Testing Your installationNow that you’ve installed everything andcreated the necessary MySQL users, youshould test the installation. Two quick PHPscripts can be used for this purpose. In alllikelihood, if an error occurred, you wouldalready know it by now, but these steps willallow you to perform tests on your (or anyother) server before getting into complicatedPHP, or PHP and MySQL, programming.The first script being run is phpinfo.php. Itboth tests if PHP is enabled and shows aton of information about the PHP installation.As simple as this script is, it is one ofthe most important scripts PHP developersever write, in my opinion, because it providesso much valuable knowledge.The second script will serve two purposes.It will first see if support for MySQL hasbeen enabled. If not, you’ll need to see thenext section of this chapter to change that.The script will also test if the MySQL userhas permission to connect to a specificMySQL database.Script A.1 The phpinfo.php script tests andreports upon the PHP installation.1 A The information for this server’s PHP configuration.To test pHp:1. Create the following PHP documentin a text editor or IDE (Script A.1):The phpinfo( ) function returns theconfiguration information for a PHPinstallation in a table. It’s the perfecttool to test that PHP is working properly.You can use almost any application tocreate your PHP script as long as it cansave the file in a plain text format.2. Save the file as phpinfo.php.You need to be certain that the file’sextension is just .php. Be careful whenusing Notepad on Windows, as it willsecretly append .txt. Similarly, TextEditon Mac OS X wants to save everythingas .rtf.3. Place the file in the proper directory onyour server.What the proper directory is dependsupon your operating system and yourWeb server. If you are using a hostedsite, check with the hosting company.For Windows users who installedXAMPP, the directory is called htdocsand is within the XAMPP directory. ForMac OS X users who installed MAMP,the default directory is called htdocs,found within the MAMP folder.4. Test the PHP script by accessing it inyour Web browser A.Run this script in your Web browserby going to http://your.url.here/phpinfo.php. On your own computer,this may be something like http://localhost/phpinfo.php (Windows withXAMPP) or http://localhost:8888/phpinfo.php (Mac OS X with MAMP).InstallationA13

To test pHp and MySQL:1. Create a new PHP document in yourtext editor or IDE (Script A.2):This script will attempt to connect tothe MySQL server using the usernameand password just established in thisappendix.2. Save the file as mysqli_test.php, placeit in the proper directory for your Webserver, and test it in your Web browser.If the script was able to connect, theresult will be a blank page. If it could notconnect, you should see an error messagelike B. Most likely this indicates aproblem with the MySQL user’s privilegesor the provided information (seethe preceding section of this chapter).If you see an error like in C, this meansthat PHP does not have MySQL supportenabled. See the next section of thischapter for the solution.For security reasons, you should notleave the phpinfo.php script on a live serverbecause it gives away too much information.Script A.2 The mysqli_test.php script tests forMySQL support in PHP and if the proper MySQLuser privileges have been set.1 B The script was not able to connect to theMySQL server.C The script was not able to connect to theMySQL server because PHP does not have MySQLsupport enabled.If you run a PHP script in your Webbrowser and it attempts to download the file,then your Web server is not recognizing thatfile extension as PHP. Check your Apache (orother Web server) configuration to correct this.PHP scripts must always be run from aURL starting with http://. They cannot be rundirectly off a hard drive (as if you had openedit in your browser).If a PHP script cannot connect to a MySQLserver, it is normally because of a permissionsissue. Double-check the username, password,and host being used, and be absolutely certainto flush the MySQL privileges.A14 Appendix A

Configuring pHpOne of the benefits of installing PHP onyour own computer is that you can configureit however you prefer. How PHP runsis determined by the php.ini configurationfile, which is normally created whenPHP is installed.Changing PHP’s behavior is very simpleand will most likely be required at somepoint in time. Just a few of the things you’llwant to consider adjusting arennnWhether or not display_errors is onThe default level of error reportingSupport for the Improved MySQLExtension functionsnSMTP values for sending emailsWhat each of these means—if you don’talready know—is covered in the book’schapters and in the PHP manual. But forstarters, I would highly recommend that youmake sure that display_errors is on and thatyou set error reporting to its highest level.Changing PHP’s configuration is reallysimple. The short version is: edit thephp.ini file and then restart the Webserver. But because many different problemscan arise, I’ll cover configuration inmore detail. If you are looking to enablesupport for an extension, like the MySQLfunctions, the configuration is more complicated(see the sidebar).enabling extension SupportMany PHP configuration options can be altered by just editing the php.ini file. But enabling(or disabling) an extension—in other words, adding support for extended functionality—requiresmore effort. To enable support for an extension for just a single PHP page, you can use thedl( ) function. To enable support for an extension for all PHP scripts requires a bit of work.Unfortunately, for Unix and Mac OS X users, you’ll need to rebuild PHP with support for thisnew extension (a process that’s not for the faint of heart). Windows users have it easier:First, edit the php.ini file (see the steps in this section), removing the semicolon before theextension you want to enable. For example, to enable Improved MySQL Extension support,you’ll need to find the line that says;extension=php_mysqli.dlland remove that semicolon.Next, find the line that sets the extension__dir and adjust this for your PHP installation. Assumingyou installed PHP using XAMPP into C:\xampp, then your php.ini file should sayextension_dir = "C:/xampp/php/ext"This tells PHP where to find the extension.Next, make sure that the actual extension file, php_mysqli.dll in this example, exists in theextension directory.Save the php.ini file and restart your Web server. If the restart process indicates an error findingthe extension, double-check to make sure that the extension exists in the extension_dir and thatyour pathnames are correct. If you continue to have problems, search the Web or use the book’scorresponding forum for assistance.InstallationA15

To alter pHp’s configuration:1. In your Web browser, execute a scriptthat invokes the phpinfo( ) function.The phpinfo( ) function, discussed inthe previous section of the appendix(see A), reveals oodles of informationabout the PHP installation.2. In the browser’s output, search forLoaded Configuration File A.The value next to this text is thelocation of the active configuration file.This will be something like C:\xampp\php\php.ini or / /Applications/MAMP/conf/php5.3/php.ini. Your servermay have multiple php.ini files on it,but this is the one that counts.If there is no value for the LoadedConfiguration File, your server has noactive php.ini file. In that case, you’llneed to download the PHP sourcecode, from www.php.net, to find asample configuration file.3. Open the php.ini file in any text editor.If you go to the directory listed andthere’s no php.ini file there, you’ll needto download this file from the PHP Website (it’s part of the PHP source code).4. Make any changes you want, keepingin mind the following:> Comments are marked using a semicolon.Anything after the semicolonis ignored.> Instructions on what most of the settingsmean are included in the file.> The top of the file lists general informationwith examples. Do not changethese values! Change the settingswhere they appear later in the file.A Use a phpinfo( ) scriptto confirm the active PHPconfiguration file to be edited.A16 Appendix A

enabling MailThe PHP mail( ) function works only ifthe computer running PHP has accessto sendmail or another mail server. Oneway to enable the mail( ) function isto set the smtp value in the php.inifile (for Windows only). This approachworks, for example, if your Internetprovider has an SMTP address you canuse. Unfortunately, you can’t use thisvalue if your ISP’s SMTP server requiresauthentication.For Windows, there are also a numberof free SMTP servers, like Mercury. It’sinstalled along with XAMPP, or youcan install it yourself if you’re not usingXAMPP.Mac OS X comes with a mail serverinstalled—postfix and/or sendmail—thatneeds to be enabled. Search Google forinstructions on manually enabling yourmail server on Mac OS X.Alternatively, you can search some ofthe PHP code libraries to learn howto use an SMTP server that requiresauthentication.> For safety purposes, don’t changeany original settings. Just commentthem out (by preceding the line witha semicolon) and then add the new,modified line afterward.> Add a comment (using the semicolon)to mark what changes you made andwhen. For example:; display_errors = Off; Next line added by LEU08/28/2011display_errors = On5. Save the php.ini file.6. Restart your Web server.You do not have to restart the entirecomputer, just the Web servingapplication (Apache, IIS, etc.). How youdo this depends upon the applicationbeing used, the operating system, andthe installation method. Windows userscan use the XAMPP Control Panel.Mac OS X users can use the MAMPControl Panel. Unix users can normallyjust enter apachectl graceful in aTerminal window.7. Rerun the phpinfo.php script to makesure the changes took effect.If you edit the php.ini file and restartthe Web server but your changes don’t takeeffect, make sure you’re editing the properphp.ini file (you may have more than oneon your computer).MAMP PRO on Mac OS X uses a templatefor the php.ini file that must be editedwithin MAMP PRO itself. To change the PHPsettings when using MAMP PRO, select File >Edit Template > PHP X.X.X php.ini.InstallationA17

Configuring ApacheNew in this edition of this book is thissection, providing an introduction toconfiguring the Apache Web server.Like PHP, Apache is an open-sourcetechnology, and has become a dominantforce in Web technologies. If you installedeither XAMPP or MAMP on your computer,you now have a functional version ofApache. If you’re using a hosted Web site,more than likely you’re being provided withApache there as well.Once Apache with support for PHP hassuccessfully been installed, many PHPprogrammers never think twice about theWeb server. But as you continue to learnabout Web development, picking up a bitmore knowledge of Apache is a logicalnext step.The most common reasons you’ll need toknow more about Apache include beingable to do the following:nnnnCreate virtual hostsAdd Secure Sockets Layer (SSL)supportProtect directoriesEnable URL rewritesThese, and other changes to Apache’sbehavior, can be made in two ways: byediting the primary configuration file or bycreating directory-specific files. The primaryconfiguration file is httpd.conf, foundwithin a conf directory, and it dictates howthe entire Apache Web server runs. An.htaccess file (pronounced “H-T access”)is placed within the Web directories and isused to affect how Apache behaves withinjust that folder and subfolders.Generally speaking, it’s preferred to makechanges in the httpd.conf file, as this fileonly needs to be read by the Web servereach time the server is started. Conversely,.htaccess files must be read by the Webserver once for every request to thatwhich an.htaccess file might apply. Forexample, if you have www.example.com/somedir/.htaccess, any request to www.example.com/somedir/whatever requiresreading the .htaccess file, as well asreading an .htaccess file that might existin www.example.com/. On the other hand,in shared hosting environments, individualusers are not allowed to customize theentire Apache configuration, but maybe allowed to use .htaccess to makechanges that only affect their sites.Over the next few pages, I’ll explain someof the fundamentals for working withthese two types of files. In the process,you’ll learn how to perform some standardApache customizations.To be safe, I’d recommend makinga backup copy of your original Apacheconfiguration file, before pursuing any ofthe subsequent edits.In this book, I cannot adequately explainhow to enable HTTPS (HTTP over an SSL) asthe key component—obtaining and installingan SSL certificate varies too much from oneperson and server to the next. Look onlinefor specific details, or post a message in mysupport forums (www.LarryUllman.com/forums/), if you need assistance. If you havea hosted account wherein you want to enableSSL, speak with your hosting company.A18 Appendix A

Creating Virtual HostsWhen you install Apache on a computer,Apache is set up to serve one Web site,such as www.example.com. For the Web sitebeing served, Apache associates a hostname(and/or an IP address) with a directoryon the server, called the Web documentroot. When a user visits www.example.com,Apache provides files from that site’sdirectory A.But Apache can easily be configured toserve several different sites, all hosted onthe same computer, by creating virtual hosts.After establishing one or more virtual hosts,Apache will know that when a user makesa request of www.example.com, documentsfrom X directory should be served, butrequests of www.example.net should bepointed to the documents from Y directory B.Understand that setting up virtual hostsdoes not, in fact, make www.example.com or www.example.net a valid domainname, accessible over the Internet.Accomplishing that requires use of DNS(Domain Name System), a much morecomplicated subject. You can, however,use virtual hosts to create different hostsfor your own development projects onyour home computer, as explained in thefollowing sequence.A The Web server associates a URL or hostname with a directoryor file on the computer.B Thanks to virtual hosts, different directories on the computer can beassociated with different hostnames.InstallationA19

To create a virtual host:1. Open httpd.conf in any text editoror IDE.If you’re using XAMPP on Windows,the file to open is C:\xampp\apache\conf\httpd.conf (assuming XAMPPis installed in the root of the C drive). Ifyou’re using MAMP on Mac OS X, thefile to open is /Applications/MAMP/conf/apache/httpd.conf. Note that ifyou’re using MAMP Pro, virtual hostsare created within that application’scontrol panel.2. At the very end of the configurationfile, add:NameVirtualHost 127.0.0.1Virtual hosts are conventionally definedat the end of the configuration file (or in aseparate configuration file, to be includedby this one). This line says that Apacheshould watch for named virtual hosts(as opposed to IP address-based virtualhosts) on the 127.0.0.1 IP address. This isa special IP address, always equating tolocalhost (i.e., this same computer).Depending upon your server, this linemay already be present in the configurationfile, but prefaced by a #, whichmakes it a comment (i.e., renders it ineffectual).In that case, just remove the #.3. On the next line, add:The VirtualHost tags are used tocreate a new virtual host. For eachopening tag, there needs to be aclosing one. Within the opening tag,the IP address or hostname to watchfor is identified, here: 127.0.0.1. Thisvalue needs to match that used on theNameVirtualHost line.The rest of the virtual host definitionwill go between these opening andclosing tags.4. Within the virtual host tags, add:DocumentRoot /path/to/folderServerName servernameThe DocumentRoot directive indicatesthe Web root directory for the virtualhost: in other words, where the actualfiles for this site can be found. OnXAMPP on Windows, this value mightbe C:/xampp/htdocs/something. OnMAMP on Mac OS X, this value mightbe /Applications/MAMP/htdocs/something.The ServerName is where you put thehostname: what you’ll enter into thebrowser to access this site.As an example, if you wanted to createa virtual host for the forums site fromChapter 17, “Example—Message Board,”you could create a new folder withinhtdocs, called forums, and copy all ofthe applicable scripts there. Then youwould use C:/xampp/htdocs/forumsor /Applications/MAMP/htdocs/forums as the DocumentRoot value.For the ServerName value, I would usesomething meaningful, such as forums.local: a local version of a forums site.A20 Appendix A

5. Add a second virtual host for localhost C:DocumentRoot "C:/xampp/htdocs"ServerName localhostThe previous set of steps created a newvirtual host, but in the process, the oneoriginal Web site (localhost, the defaultfor your own computer) will becomeunusable. The fix is to create anothervirtual host for that site.6. Save the configuration file.7. Restart Apache.Any changes to the configuration file willnot take effect until the Web server isrestarted. You can restart Apache usingthe XAMPP or MAMP control panel.If there is an error in the configurationfile, Apache will not be able to start andyou’ll need to check the error logs tofind out why.Note that you can’t access the virtualhost using your browser yet, as you stillneed to update your computer’s listof hosts.The default Apache configuration file,httpd.conf, has comments in it indicatingwhat each section of code does. You canbrowse through it to learn some things aboutconfiguring Apache.The DocumentRoot value, or any valuein the httpd.conf file, must be quoted if itcontains spaces.The definition of a virtual host can containother directives, but I’m trying to introducethese fundamental Apache concepts assimply as possible.It’s actually preferable to have Apacheonly listen for activity on a specific port,commonly 80. In that case, the virtual hostsconfiguration would startNameVirtualHost 127.0.0.1:80But as MAMP on Mac OS X, and XAMPP,depending upon possible conflicts, don’talways use port 80, I’m using code that’smost foolproof.On a full-scale Web server, it’s preferableto create multiple configuration files, whichwill then be read and used by the primaryconfiguration file. On your own personalcomputer, without too much customization,a single configuration file is fine.C The new directives added to the end of theApache configuration file.InstallationA21

updating Your Computer’s HostsThe previous sequence of steps createda virtual host in Apache, allowing you toaccess, in this example, the forums Web siteby going to http://forums.local in yourWeb browser. There is a catch, however:if you were to enter that URL into yourbrowser, the browser would attempt to findforums.local on the Internet, and would beunable to do so D. To solve this dilemma,you need to tell your browser(s) that forums.local can be found on your computer.This is done by modifying your operatingsystem’s hosts file, per these directions.To update your computer’s hosts:1. Open your computer’s hosts file in anytext editor or IDE.This is the only tricky part of this process:finding and opening the hostsfile. On Mac OS X and Unix, the hostsfile is /etc/hosts (there’s no file extension),where / refers to the computer’sroot directory. On Mac OS X, /etc is ahidden directory, making hosts a hiddenfile. There are three easy ways offinding this file:> Use your editing application to openit directly, if the application is capableof opening hidden files.> In the Finder, select Go > Go ToFolder, and enter /etc in the prompt Eto open the /etc directory in theFinder. Then drag the hosts file ontothe editing application in the Dock.> Use the Terminal to find and openthe file.D The error that Internet Explorer displays whenit can’t find the local virtual host.E The Finder’s Go > Go to Folder option can beused to access hidden directories.A22 Appendix A

F You can open Notepad in administrator modein order to edit system files.G The forums site, available locally through theURL http://forums.local.On Windows, baring a nonstandardinstallation, the file in question is C:\Windows\System32\drivers\etc\hosts. Unfortunately, you may havepermissions issues in trying to editthis file. I had good luck by openingNotepad in administrator mode (rightclickon Notepad in the Start Menuto be given this option F), and thenopening the file within Notepad.2. At the very end of the file, add:127.0.0.1 forums.localThis associates the name forums.localwith the IP address 127.0.0.1, which is tosay the same computer.3. Save the file.4. Load http://forums.local in your Webbrowser G.Repeat these two sequences of steps—creating the virtual host in Apache and addingthe host to your hosts file—any time you wantto create a new Web site project with its ownassociated hostname.using .htaccess FilesAs already stated, all Apache configurationcan actually be accomplished withinthe httpd.conf file. In fact, doing so ispreferred. But the configuration file is notalways available for you to edit, so it’sworth also knowing how to use .htaccessfiles to change how a site functions.An .htaccess file is just a plain-text file,with the name .htaccess (again, no fileextension, and the initial period makesthis a hidden file). When placed within aWeb directory, the directives defined in the.htaccess file will apply to that directoryand its subdirectories.continues on next pageInstallationA23

A common hang-up when using .htaccessfiles is that permission has to be granted toallow .htaccess to make server behaviorchanges. Depending upon the installationand configuration, Apache, on the strictestlevel of security, will not allow .htaccessfiles to change Apache behavior. This isaccomplished with code like the following,in httpd.conf:AllowOverride NoneThe Directory directive is used withinhttpd.conf to modify Apache’s behaviorwithin a specific directory. In the abovecode, the root directory (/) is the target,meaning that Apache will not allowoverrides—changes—made within anydirectories on the computer at all. Prior tocreating .htaccess files, then, the mainconfiguration file must be set to allowoverrides in the applicable Web directory(or directories).The AllowOverride directive takes one ormore flags indicating what, specifically, canbe overridden:nnnnnnnAuthConfig, for using authorization andauthenticationFileInfo, for performing redirects andURL rewritingIndexes, for listing directory contentsLimit, for restricting access to thedirectoryOptions, for setting directory behavior,such as the ability to execute CGIscripts or to index folder contentsAllNoneSetting the Default Directory pageCommonly, Web browsers make requests without specifying a file, such as www.example.com/or www.example.com/folder/. In these cases, Apache must make a decision as to what to do.Historically, Apache provides an index.htm or index.html file, if one exists in the directory. If noindex file exists, and if directory browsing is allowed by the server, Apache will instead reveal a listof files in the directory (this is not secure, but you’ve no doubt seen this online before).The applicable directive to tell Apache what to do in these situations is DirectoryIndex.Following it, you list the file to use as the folder’s index, with multiple options placed in orderof preference. For example, the following will attempt to load index.htm, then index.html,if index.htm does not exist, then index.php, if index.html does not exist:DirectoryIndex index.htm index.html index.phpSimilarly, the ErrorDocument directive tells Apache what file to provide when a server erroroccurs. Its syntax isErrorDocument error_code /page.htmlThe error code value comes from the server status codes, such as 401 (Unauthorized),403 (Forbidden), and 500 (Internal Server Error). For each code you can dictate what pageshould be served. Note that you’ll want to provide an absolute path to the error files(i.e., start them with /, which is the Web root directory).A24 Appendix A

For example, to allow AuthConfig andFileInfo to be overridden within the forumsdirectory (just created), the httpd.conf fileshould include:AllowOverride AuthConfig FileInfoAs long as this code comes after anyAllowOverride None block, an .htaccessfile in the forums directory will be able tomake some changes to Apache’s behaviorwhen serving files from that directory (andits subdirectories).To allow .htaccess overrides:1. Open httpd.conf in any text editoror IDE.2. Within the VirtualHost tag for the sitein question, add:The Directory tag is how youcustomize Apache behavior within aspecific directory or its subdirectories.Within the opening tag, provide anabsolute path to the directory inquestion, such as C:\xampp\htdocs\somedir or /Applications/MAMP/htdocs/somedir.3. Within the Directory tags, add H:AllowOverride AllThis is a heavy-handed solution, butwill do the trick. On a live, publiclyavailable server, you’d want to be morespecific about what exact settingscan be overridden, but on your homecomputer, this won’t be a problem.4. Save the configuration file.5. Restart Apache.The Directory directive does not haveto go within the VirtualHost tag for theinvolved site, but it makes sense to place itthere.If a directory is not allowed to overridea setting, the .htaccess file will justbe ignored.Anything accomplished within an.htaccess file can also be achieved usinga Directory tag within httpd.conf.H The updated virtual hosts configuration,now allowing for overrides within the forumsWeb directory.InstallationA25

protected DirectoriesA common use of an .htaccess file is toprotect the contents of a directory. Thereare two possible scenarios:n Denying all accessn Restricting access to authorized usersStrange as it may initially sound, thereare plenty of situations in which files andfolders placed in the Web directory shouldbe made unavailable. For example, youcould create an includes directory thathas sensitive PHP scripts or an uploadsdirectory for storing uploaded files. In bothcases, the contents of the directory wouldnot be meant for direct access, but ratherPHP scripts in other directories wouldreference that content as needed. To denyall access to a directory, place the code inScript A.3 in an .htaccess file in that folder(comments indicate what each line does).Again, this code just prevents directaccess to that directory’s contents via aWeb browser. A PHP script could still useinclude( ), require( ), readfile( ), andother functions to access that content.In fact, the show_image.php script fromChapter 11 does exactly that: acting as aproxy script to display an image storedoutside of the Web document root (i.e.,otherwise unavailable in the Web browser).There are a couple of ways of restrictingaccess to authorized users, with the mod_auth module being the most basic andcommon. This module creates prompts inthe browser wherein the user can enter heror his credentials I. Apache will comparethose credentials to those stored in a fileon the server, allowing or denying accessaccordingly. It’s not hard to use mod_auth,but you have to invoke a secondaryApache tool to create the credentials file.If you want to pursue this route, just do asearch online for Apache mod_auth.Apache will not display .htaccess filesin the Web browser, by default, which is asmart security approach.When creating .htaccess files, makesure your text editor or IDE is not secretlyadding a .txt extension. Notepad, forexample, will do this. You can confirm thishas happened if you can load www.example.com/.htaccess.txt in your Web browser. InNotepad, you can prevent the added extensionby quoting the file name and saving it astype “All files”.Script A.3 This code, in an .htaccess file, willdeny all access to the contents of a directory,and its subdirectories.1 # Disable directory browsing:2 Options All -Indexes34 # Prevent folder listing:5 IndexIgnore *67 # Prevent access to any file:8 9 Order Allow,Deny10 Deny from all11 I This prompt, as displayed in Internet Exploreron Windows, is generated by Apache to limitaccess to authenticated users.A26 Appendix A

enabling uRL RewritingThe final topic to be discussed in thisappendix is how to perform URL rewriting.URL rewriting has gained attention aspart of the overbearing focus on SearchEngine Optimization (SEO), but URLrewriting has been a useful tool for years.With a dynamically driven site, like ane-commerce store, a value will often bepassed to a page in the URL to indicatewhat category of products to display,resulting in URLs such as www.example.com/category.php?id=23. The PHP script,category.php, would then use the value of$_GET['id'] to know what products to pullfrom the database and display. (There areoodles of similar examples in this book.)With URL rewriting applied, the URLshown in the browser, visible to the enduser, and referenced in search engineresults, can be transformed into somethingmore obviously meaningful, such aswww.example.com/category/23/ or,better yet, www.example.com/category/garden+gnomes/. Apache, via URLrewriting, takes the more user-friendly URLand parses it into something usable by thePHP scripts. This is made possible by theApache mod_rewrite module. To use it,the .htaccess file must first check for themodule and turn on the rewrite engine:RewriteEngine onAfter enabling the engine, and beforethe closing IfModule tag, you add rulesdictating the rewrites. The syntax is:RewriteRule match rewriteFor example, you could do the following(although it’s not a good use of mod_rewrite):RewriteRule somepage.php otherpage.phpPart of the complication with performingURL rewrites is that Perl-CompatibleRegular Expressions (PCRE) are neededto most flexibly find matches. If you’renot already comfortable with regularexpressions, you’ll need to read Chapter14, “Perl-Compatible Regular Expressions,”to follow the rest of this material.For example, to treat www.example.com/category/23 as if it were www.example.com/category.php?id=23, you would havethe following rule:RewriteRule ^category/([0-9]+)/?$➝ category.php?id=$1The initial caret (^) says that the expressionmust match the beginning of the string.After that should be the word category,followed by a slash. Then, any quantity ofdigits follows, concluding with an optionalslash (allowing for both category/23 andcategory/23/). The dollar sign closes thematch, meaning that nothing can follow theoptional slash. That’s the pattern for theexample match (and it’s a simple pattern atthat, really).The rewrite part is what will actuallybe executed, unbeknownst to the Webbrowser and the end user. In this line,that’s category.php?id=$1. The $1 is abackreference to the first parentheticalgrouping in the match (e.g., 23). Thus,www.example.com/category/23 is treatedby the server as if the URL was actuallywww.example.com/category.php?id=23.continues on next pageInstallationA27

This is the underlying premise withmod_rewrite. Unfortunately, masteringmod_rewrite requires mastery, or nearmastery, of PCRE, which can be daunting.If you want to practice this, you can takethe simple example just explained andapply it to any of the examples in the bookin which a value is passed in the URL.For example, in Chapter 10, “CommonProgramming Techniques,” a user ID ispassed in the URL to delete_user.php andedit_user.php. Both could be transformedinto “prettier” URLs, such as www.example.com/delete/45/ or www.example.com/edit/895/.As always, search online for moreinformation on this subject, should yoube interested, and post a question in thesupporting forums (www.LarryUllman.com/forums/) if you run into problems.Changing pHp’s ConfigurationIf PHP is running as an Apache module,you can also change how PHP runswithin specific directories using anApache .htaccess file. The directivesto use are php_flag and php_value:php_flag item valuephp_value item valueThe php_flag directive is for any settingthat has an on or off value; php_value isfor any other setting. For example:php_flag display_errors onphp_value error_reporting 30719Note that you cannot use PHP constants,such as E_ALL for the highest level oferror reporting, as this code is withinApache configuration files, not withinPHP scripts.(You can also change how PHP runs byediting the httpd.conf file, but if you’regoing to make a global server changethat requires a restart of Apache anyway,you might as well just edit the PHPconfiguration file instead).A28 Appendix A

Join thePeachPitAffiliAte teAm!You love our books and youlove to share them with your colleagues andfriends...why not earn some $$ doing it!If you have a website, blog or even a Facebook page,you can start earning money by putting a Peachpitlink on your page.If a visitor clicks on that link and purchases somethingon peachpit.com, you earn commissions* on all sales!Every sale you bring to our site will earn you acommission. All you have to do is post an ad andwe’ll take care of the rest.ApplY And get stArted!It’s quick and easy to apply.To learn more go to:http://www.peachpit.com/affiliates/*Valid for all books, eBooks and video sales at www.Peachpit.com