Introduction to Web Database Development in PHP

by K. Yue

1. Introduction

There are many Web server side programming platforms and languages (Server-side scripting):
- Java EE with Java, Java Servle, JSP, etc.
- .NET with C#, ASP.NET, etc.
- CGI/Perl
- PHP
- Ruby on Rails
- Cold Fusion & CFML (Cold Fusion Markup Language)
- Python with Django Web framework
Server-side scripting allows generation of dynamic Web pages to respond to varying user's needs and input.
The dynamic contents can generally be supported by:
- Files
- Local databases
- Web services and contents provided by other sites: mashing.
Different Web server-side scripting platforms usually provide various means to connect to different databases: Oracle, MS SQL server, IBM DB2, MySQL, Postgres, etc. through libraries, classes and/or functions which can:
- Generic connectivity: e.g. ODBC, JDBC, etc.
- DBMS specific connectivity: e.g. MySQL classes and functions for PHP.
We will use PHP MySQL combination in our course.
A very old introduction to embedded SQL.

2. PHP

PHP is the acronym for PHP: Hypertext Preprocessor.
- Open source
- Multiple platforms
- Active community
- Scripting language
http://www.php.net/: PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.
It looks a little like a mix between Perl and ASP.NET.
- Perl-like syntax as a scripting language.
- <?PHP ... ?> for inserting script within HTML page.
The PHP script section provides dynamic content for the Web pages.
Some resources:
- w3schools: http://www.w3schools.com/php/

PHP Language Basics

Variables start with $.
Important data types: http://php.net/manual/en/language.types.php
- Scalar: Boolean, number, strings
- Array: ordered map (of name value pairs)
- Object
Comments: // or /* */

Examples:

Dumping available variables (predefined variables, since there are no user defined variables.

<?php
var_dump(get_defined_vars());
?>

Notes:

The predefined functions provided by PHP: var_dump and get_defined_vars.

<table>
<?php
   foreach(get_defined_vars() as $arrVar => $arrValue) {
      foreach ($arrValue as $var => $value) {
         echo "<tr><td>$arrVar::$var</td><td>$value</td></tr>\n";
      }
   }
?>
</table>

Note:

$arrValue takes on array values in the inner loop.
The control structure: foreach ($array as $name => value) { }
The string using double quotes allow for variable interpretation. Special characters, such as $ and \ need to be escaped using \.

Server2.php

<table border="1">
<tr><td>Server variables</td><td>Values</ed></tr>
<?php

   foreach($_SERVER as $var => $value) {
         echo "<tr><td>$var</td><td>$value</td></tr>\n";
   }
?>
</table>

Note:

$_SERVER is a predefined variable.

Predefined Variables

A large number of predefined variables: http://www.php.net/manual/en/reserved.variables.php
Use with care:
- Platform dependent.
- Some may be deprecated.

Getting input from Web pages

Your Web applications may usually use the POST or GET methods to get user input.
A good understanding of the HTTP responses and requests is important.
HTTP Request and Response Viewers: Rex Swain's HTTP Viewer, http://web-sniffer.net/, etc. You may also install a browser plug-in, such as Live HTTP.
Using the GET method, parameter name value pairs can be included as part of the query string in the URL.
The predefined variable $_GET returns an array storing HTTP request parameters using the GET method.

Examples:

get1.php:

<table border="1">
<tr><td>GET Parameter</td><td>Values</ed></tr>
<?php

   foreach($_GET as $var => $value) {
         echo "<tr><td>$var</td><td>$value</td></tr>\n";
   }
?>
</table>

Note:

Try an URL such as ../get1.php?id=1&name=yue&grade=C

get2.php:

<?php

echo "Dear " . $_GET['name'] . ", with ID " . $_GET['id'] . ". Welcome, your grade is " . $_GET['grade'] . ".\n";
?>

For the POST method, HTTP parameters can be obtained by $_POST.

Examples:

post1.php:

<?php
if (! array_key_exists('name', $_POST)) {

echo <<<__FORM
<form action="post1.php" method="post">
<p>Your name: <input type="text" name="name" /></p>
<p>id: <input type="text" name="id" /></p>
<p>grade: <input type="text" name="grade" /></p>
<p><input type="submit" /></p>
</form>
__FORM;

}
else {
$name = $_POST['name'];
$id = $_POST['id'];
$grade = $_POST['grade'];

echo <<<__WELCOME
Dear $name, with ID $id. Welcome, your grade is $grade.
__WELCOME;
}
?>

Note:

The use of heredocs.
The use of the function array_key_exists

3. PHP Database Programming

PHP provides both Database Abstraction Layers and Vendor Specific Database Extensions.
Example of Database Abstraction Layers:
- PDO: PHP use PDO MYSQL driver to connect to a MySQL database.
- ODBC
- Pear DB: used by the text book, deprecated.
- Pear MDB2: http://pear.php.net/package/MDB2, newer version of Pear DB.
For discussion of the relative merits of database abstraction layer, see, for example: http://ralphschindler.com/2009/07/15/database-abstraction-layers-must-live.
Examples of vendor specific extensions:
- IBM DB2
- MySQL: original PHP extension for older versions; procedural interface.
- MySQLi: improved PHP extension for version 4.1.3 or later. Benefits from http://php.net/manual/en/mysqli.overview.php:
  - Object-oriented interface
  - Support for Prepared Statements
  - Support for Multiple Statements
  - Support for Transactions
  - Enhanced debugging capabilities
  - Embedded server support
- OCI8: Oracle OCI8
- PostgreSQL
- MS SQL Server
MySQLi will be used in this class.
If you still want to use MySQL for whatever reasons:
- PHP MySQL function: http://us.php.net/manual/en/ref.mysql.php.
- Simple PHP MySQL tutorials: http://www.php-mysql-tutorial.com/wikis/mysql-tutorials/default.aspx, use PHP mysql_ functions.

4. MySQLi

MySQL improved extension: http://www.php.net/manual/en/book.mysqli.php.

Example:

<?php

/* Connect to a MySQL server
   Should be put in a separate configuration file.
*/
$conn = mysqli_connect(
            'localhost', /* MySQL server host */
            'username',        /* Username */
            'password,   /* password */
            'database');   /* The default database schema */

if (!$conn) {
   printf("Can't connect to MySQL Server. Errorcode: %s\n", mysqli_connect_error());
   exit;
}

/* Using a MySQL like procedureal style. */
/* Submit a query */
if ($result = mysqli_query($conn, 'SELECT SNUM, SNAME, SCITY, STATUS FROM Supplier')) {

   echo "<table border='1'>\n";
   echo "<tr><td>SNum</td><td>Supplier Name</td><td>City</ed><td>Status</td></tr>\n";
    /* Fetch results */
    while ( $row = mysqli_fetch_assoc($result) ){
      echo "<tr><td> " . $row['SNUM'] . "</td><td>" . $row['SNAME'] . "</td><td>" . $row['SCITY'] . "</td><td>" .
         $row['STATUS'] . "</td></tr>\n";
    }
   echo "</table>\n";
    /* Destroy the result set and free the memory used for it */
    mysqli_free_result($result);
}

mysqli_close($conn);
?>

Note:

Use a db configuration file to store connection information: it can be outside of the public web directory for added security.
Column names are case sensitive.
Usually not use * in SQL.

Example:

<?php include('dbconfig.php') ?>
<?php

/* Using a MySQL like procedureal style. */
/* Submit a query */
if ($result = mysqli_query($conn, 'SELECT SNUM, SNAME, SCITY, STATUS FROM Supplier')) {

   echo "<table border='1'>\n";
   echo "<tr><td>Supplier Num</td><td>Supplier Name</td><td>City</ed><td>Status</td></tr>\n";
    /* Fetch results */
    while ( $row = mysqli_fetch_assoc($result) ){
      echo "<tr><td> " . $row['SNUM'] . "</td><td>" . $row['SNAME'] . "</td><td>" . $row['SCITY'] . "</td><td>" .
         $row['STATUS'] . "</td></tr>\n";
    }
   echo "</table>\n";
    /* Destroy the result set and free the memory used for it */
    mysqli_free_result($result);
}

mysqli_close($conn);
?>

Using classes

Mysqli allows the uses of OO database connection.
Included classes: http://www.php.net/manual/en/book.mysqli.php
- MySQLi: a connection between PHP and MySQL
- MySQLi_STMT: prepared statement
- MySQLi_Result: SQL result
- MySQLi_Driver
- MySQLi_Warning class
MySQLi class members have procedural equivalent.

Example:

<?php

/* Connect to a MySQL server
   Should be put in a separate configuration file.
*/
$mysqli = new mysqli('localhost', 'username', 'password', 'database');

if (mysqli_connect_errno()) {
   printf("Can't open MySQL connection. Error code: %s\n", mysqli_connect_error());
   exit;
}
/* Using an OO style. */
/* Submit a query */

if ($result = $mysqli->query('SELECT SNUM, SNAME, SCITY, STATUS FROM Supplier')) {

   echo "<table border='1'>\n";
   echo "<tr><td>SNum</td><td>Supplier Name</td><td>City</ed><td>Status</td></tr>\n";
    /* Fetch results */
    while ( $row = $result->fetch_assoc() ){
      echo "<tr><td> " . $row['SNUM'] . "</td><td>" . $row['SNAME'] . "</td><td>" . $row['SCITY'] . "</td><td>" .
         $row['STATUS'] . "</td></tr>\n";
    }
   echo "</table>\n";
    /* Destroy the result set and free the memory used for it */
    $result->close();
}

$mysqli->close();
?>

Note:

$mysqli and $result refer to objects.

Using Prepared Statements

Use placeholder (?) in SQL statement and bind them in order to variables.
The PHP MySQL prepared statement class: http://www.php.net/manual/en/class.mysqli-stmt.php.
Commonly used methods:
- mysqli_stmt mysqli::prepare (string $query)
- bool mysqli_stmt::bind_param ( string $types , mixed &$var1 [, mixed &$... ] )
  - Number of characters in $types must mach the number of binding variables that follow.
  - Meaning of characters:
    - i: integer
    - d:double
    - s:string
    - b:blob and will be sent in packets
  - Note the bridging between MySQL types and PHP types.
- bool mysqli_stmt::bind_result ( mixed &$var1 [, mixed &$... ] )
- bool mysqli_stmt::store_result ( void )
- int mysqli_stmt_num_rows ( mysqli_stmt $stmt )
- bool mysqli_stmt::fetch ( void )

Example:

<?php include('dbconfig.php') ?>

<?php

/* Primitive program: Get HTTP parameters */
if (!array_key_exists('city', $_GET)) {
   echo "Please specify the city name with the URL parameter city.";
   exit;
}
$icity = $_GET['city'];
if (!array_key_exists('status', $_GET)) {
   echo "Please specify the minimum status with the URL parameter status.";
   exit;
}
$istatus = $_GET['status'];

if ($stmt = $mysqli->prepare("SELECT SNUM, SNAME, SCITY, STATUS FROM Supplier WHERE SCITY = ? and Status >= ?")) {
   $stmt->bind_param('ss', $icity, $istatus);

   /* execute prepared statement */
   $stmt->execute();

   $stmt->bind_result($snum, $sname, $city, $status);
   $stmt->store_result();
   if ($stmt->num_rows > 0) {
      echo"<p>Result: Suppliers in $icity with status > $istatus:</p>\n";

      echo "<table border='1'>\n";
      echo "<tr><td>Supplier Num</td><td>Supplier Name</td><td>City</td><td>Status</td></tr>\n";

       /* fetch values */
      while ($stmt->fetch()) {
            echo "<tr><td> " . $snum . "</td><td>" . $sname . "</td><td>" . $city .
                  "</td><td>" . $status . "</td></tr>\n";
      }
      echo "</table>\n";
    /* Destroy the result set and free the memory used for it */
      $stmt->free_result();
   }
}
else {
   echo "No result for $icity with status > $istatus.\n";
}

$mysqli->close();
?>

Notes:

No ; at the end of the SQL statement within prepared statement.
bind_param should be called before execute.
store_result() should be called before to ensure that num_rows is ready.

Some advantages of prepared statements:

Prevents SQL injection.
Separate data from query: potentially more readable.
Possible faster SQL processing: parse SQL statement only once: good for reusing many times.
'b' mode allows raw binary data in packets

Some disadvantages of prepared statements:

Initial performance cost of preparing the statement before executing it.
There are limitations on when parameters can be used In general, parameters are limited to DML (SELECT, INSERT, DELETE, etc) and not in DDL (DROP TABLE, etc). They cannot be used for column names. Check for yourself.

Conclusions:

Prepared statements should be preferred in general.