Introduction to Advanced Server Side Issues - PHP

Form Validation

How do we validate form data? The least we should do is pass all variables through PHP's htmlspecialchars() function. This function replaces HTML characters such as < and > with their HTML entity versions, &lt; and &gt;.

Example:

This is much safer and prevents attackers from exploiting our code by injecting HTML or JavaScript.

If we know exactly what kind of data to expect, we can take further steps to make sure the user entered what we want. Let's do two more things:

1. Strip unnecessary characters from the data.
2. If quotes are escaped with a backslash (\), remove the backslash.

Instead of writing the same code over and over again, we can create a function that does all the checking for us. Note the check_input function at the bottom: it takes the data passed to it and strips the unwanted characters.

Required and Optional Fields

In the previous examples, the scripts worked fine even if you didn't enter any data. Often, however, you want to make an input field required. Let's edit the check_input function from before so that it stops with a message when a required field is left empty:

    function check_input($data, $problem = '')
    {
        $data = trim($data);             // strip unnecessary characters (surrounding whitespace)
        $data = stripslashes($data);     // remove the backslash from escaped quotes
        $data = htmlspecialchars($data); // escape HTML characters
        if ($problem && strlen($data) == 0) {
            die($problem);               // a required field was left empty
        }
        return $data;
    }

The $problem argument is the message shown when a required field is empty; leave it out for optional fields.

Validate Email Address

There is no way to be 100% sure an email address actually works unless we send an email to it. What we usually do is check that the email syntax is valid. Here is a simple way to check that the data entered into a field named "email" looks like an email address, without unnecessary complication or fancy regular expressions.
    $email = htmlspecialchars($_POST['email']);
    // loose syntax check: word characters, an @, then word characters; unanchored
    if (!preg_match("/([\w\-]+\@[\w\-]+)/", $email)) {
        die("Email address not valid");
    }

Validate URL Address

If we have an input field named "website", we can check for a valid URL like this:

    $url = htmlspecialchars($_POST['website']);
    if (!preg_match("/^(https?:\/\/[\w\-]+\.[\w\-]+)/", $url)) {
        die("URL address not valid");
    }

Digits 0-9 only

    if (preg_match("/\D/", $age)) {          // \D matches any non-digit character
        die("Please enter numbers only for age.");
    }

Letters a-z and A-Z only

    if (preg_match("/[^a-zA-Z]/", $text)) {  // anything that is not a letter
        die("Please enter letters only!");
    }

Anything but whitespace

    if (preg_match("/\s/", $text)) {         // \s matches any whitespace character
        die("Don't enter any spaces");
    }
Database Connectivity in PHP

In PHP, we use a database to store our details. When we create a new connection, we must pass the first arguments to the mysqli object (servername, username and password).

Create Connection

Create Database

    $sql = "CREATE DATABASE myDB";
    if (mysqli_query($con, $sql)) {
        echo "Database created";
    } else {
        echo "Error: " . mysqli_error($con);
    }

Create Table

The CREATE TABLE statement is used to create a table in MySQL. We will create a table named "MyGuests" with 5 columns: "id", "firstname", "lastname", "email" and "reg_date".

    CREATE TABLE MyGuests (
        id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
        firstname VARCHAR(20) NOT NULL,
        lastname VARCHAR(20) NOT NULL,
        email VARCHAR(50),
        reg_date TIMESTAMP
    )

In PHP:

    // create the connection first, then
    // sql to create table
    $sql = "CREATE TABLE MyGuests (
        id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
        firstname VARCHAR(20) NOT NULL,
        lastname VARCHAR(20) NOT NULL,
        email VARCHAR(50),
        reg_date TIMESTAMP
    )";
    if (mysqli_query($con, $sql)) {
        echo "Table created";
    } else {
        echo "Error: " . mysqli_error($con);
    }

Insert Data into Database

After a database and a table have been created, we can start adding data to them. Rules:

• The SQL query must be quoted in PHP.
• String values inside the SQL query must be quoted.
• Numeric values must not be quoted.

Example

    // after the database connection
    $sql = "INSERT INTO MyGuests (firstname, lastname, email)
            VALUES ('John', 'Doe', '[email protected]')";
    if (mysqli_query($con, $sql)) {
        echo "New record created";
    } else {
        echo "Error: " . mysqli_error($con);
    }
    mysqli_close($con);

We can insert multiple records with one call to mysqli_multi_query(); each statement ends with a semicolon and the second is appended (.=) to the first:

    $sql = "INSERT INTO MyGuests (firstname, lastname, email)
            VALUES ('John', 'Doe', '[email protected]');";
    $sql .= "INSERT INTO MyGuests (firstname, lastname, email)
            VALUES ('Mary', 'Moe', '[email protected]');";
    if (mysqli_multi_query($con, $sql)) {
        echo "New records added";
    } else {
        echo "Error: " . mysqli_error($con);
    }
    mysqli_close($con);

Select Data from Database

The SELECT statement is used to select data from one or more tables:

    SELECT column_name(s) FROM table_name

Or we can use the * character to select ALL columns from a table:

    SELECT * FROM table_name

Example:
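As an added example (not code from the original notes), the following PHP joins the two halves of the page: check_input() from the form-validation section cleans the posted fields, and the MyGuests INSERT from the database section is performed with a mysqli prepared statement so the user's values are bound as parameters rather than written into the SQL string. The POST field names and the open connection $con are assumptions.

```php
<?php
// Added example, not code from the original notes: check_input() from the
// form-validation section feeds the MyGuests INSERT from the database section,
// with the values bound as parameters instead of placed inside the SQL text.
// Assumed: POST fields "firstname", "lastname", "email" and an open mysqli connection $con.

function check_input($data, $problem = '')
{
    $data = trim($data);             // strip surrounding whitespace
    $data = stripslashes($data);     // remove the backslash from escaped quotes
    $data = htmlspecialchars($data); // turn <, >, & and quotes into HTML entities
    if ($problem && strlen($data) == 0) {
        die($problem);               // required field left empty
    }
    return $data;
}

$firstname = check_input($_POST['firstname'] ?? '', 'Please enter your first name.');
$lastname  = check_input($_POST['lastname'] ?? '', 'Please enter your last name.');
$email     = check_input($_POST['email'] ?? '');   // optional: no $problem message

// Syntax check only, as in the notes; deliverability cannot be tested here.
if ($email !== '' && !preg_match("/([\w\-]+\@[\w\-]+)/", $email)) {
    die("Email address not valid");
}

// Prepared statement: the SQL text with ? placeholders is sent first and the values
// afterwards, so a quote or semicolon inside a name stays data and cannot alter the query.
$stmt = mysqli_prepare($con, "INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)");
if ($stmt === false) {
    die("Error: " . mysqli_error($con));
}
mysqli_stmt_bind_param($stmt, "sss", $firstname, $lastname, $email); // three string parameters
if (mysqli_stmt_execute($stmt)) {
    echo "New record created";
} else {
    echo "Error: " . mysqli_stmt_error($stmt);
}
mysqli_stmt_close($stmt);
mysqli_close($con);
```

Because check_input() escapes HTML before the value is stored, the table ends up holding entities such as &amp;; many applications instead store the validated raw value and call htmlspecialchars() at the point where it is printed.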