Php addict
michaelagustin
Hi guys, I'm just new to PHP. I would like to make a website which has inputs, but because I am not very good in PHP, would you like to share your good thoughts on PHP? Just some good ideas. hehehe! Thanks
Asap170
Well, if you wanted to store user data you'd have something like this:

HTML PART: index.html
Code:

<html>
<head>
</head>
<body>
     <form action="store.php" name="userInfo" method="POST">
          First Name: <input type="text" name="fname"/>
          Last Name: <input type="text" name="lname"/>
          Age: <input type="text" name="age"/>
          Sex: <input type="radio" name="sex" value="male"/> Male<br />
          <input type="radio" name="sex" value="female"/> Female
          Height: <input type="text" name="height"/>
          Address: <input type="text" name="address"/>
          <input type="submit" name="submit" value="Submit"/>
     </form>
</body>
</html>


PHP PART: store.php
Code:

<?php
     // Grab the data from the user
     $fname   = $_POST['fname'];
     $lname   = $_POST['lname'];
     $age     = $_POST['age'];
     $sex     = $_POST['sex'];
     $height  = $_POST['height'];
     $address = $_POST['address'];

     // MySQL connection details (string literals need quotes)
     $host   = 'localhost';
     $user   = 'yourUsername';
     $pass   = 'yourPassword';
     $dbName = 'yourDbName';

     // Make a MySQL connection (no quotes around the variables, or the
     // literal text '$host' etc. would be passed instead of their values)
     mysql_connect($host, $user, $pass) or die(mysql_error());
     mysql_select_db($dbName) or die(mysql_error());

     // Insert data into a table. Note that the submitted values are pasted
     // straight into the SQL text; the replies below explain why that is a problem.
     $sql = "INSERT INTO People (firstName, lastName, age, sex, height, address)
             VALUES ('$fname', '$lname', '$age', '$sex', '$height', '$address')";

     // Display output
     if (!mysql_query($sql))
     {
          die(mysql_error());
     }
     echo "Your query has been successfully inserted to the Database: $dbName";
?>


I am a little rusty on my MySQL, but I believe that right there will let users input the data they want, and when they hit submit it'll upload it to your MySQL database. Hope this is what you were looking for. Good luck.
michaelagustin
Nice, buddy... I appreciate it. Moreover, I'm still looking for something more secure about PHP. I have a little knowledge about regular expressions and I would like to extend my knowledge of it. Share your knowledge of PHP here... heheh! Thanks...
Fire Boar
Yeah... you've got a point there, I wouldn't use Asap170's code. Suppose you fill in the address box like this (and put normal or empty data in the others):

Code:
'); DROP TABLE People; --


Whoops! Where's all my data gone?

In case you don't see it, suppose the other fields were empty. Then the assembled query would look like this:

Code:
INSERT INTO People (firstName, lastName, age, sex, height, address) VALUES ('', '', '', '', '', ''); DROP TABLE People; --');


-- is an SQL comment, so the code will insert a row, then delete the table.
Asap170
Fire Boar wrote:
Yeah... you've got a point there, I wouldn't use Asap170's code. Suppose you fill in the address box like this (and put normal or empty data in the others):

Code:
'); DROP TABLE People; --


Whoops! Where's all my data gone?

In case you don't see it, suppose the other fields were empty. Then the assembled query would look like this:

Code:
INSERT INTO People (firstName, lastName, age, sex, height, address) VALUES ('', '', '', '', '', ''); DROP TABLE People; --');


-- is an SQL comment, so the code will insert a row, then delete the table.


Wait, I don't quite understand what you're trying to say. So you're saying, like, someone in one of my fields can add that and it'll delete my table, or is there more to it than that?
welshsteve
I believe that would be possible yeah. You'd have to put some checks in to disallow certain characters in the address field.

This page might help - http://www.webref.eu/php-script-disallow-characters-from-field.php
Asap170
Yeah, well, I did that in just one night; I didn't copy it or anything, but I totally forgot about removing slashes and that. So my bad.
Fire Boar
Asap170 wrote:
Wait, I don't quite understand what you're trying to say. So you're saying, like, someone in one of my fields can add that and it'll delete my table, or is there more to it than that?


They could do anything really. Bypass admin logins, get user information... if your input isn't sanitized, you're in trouble. Google "SQL injection" for more information.
joostvane
When I put user data in a MySQL database I always do some checks. If it needs to be a number, I check if the input only contains numbers. I also have a function to check if an input would be a valid e-mail address, ...

For protection against MySQL injections I have always used the function:
Quote:
mysql_real_escape_string();


PHP.net says this would make data safe to put in a MySQL database. Do you guys do anything else? I think this is the only thing I really do.
Asap170
Fire Boar wrote:
Asap170 wrote:
Wait, I don't quite understand what you're trying to say. So you're saying, like, someone in one of my fields can add that and it'll delete my table, or is there more to it than that?


They could do anything really. Bypass admin logins, get user information... if your input isn't sanitized, you're in trouble. Google "SQL injection" for more information.


I use Bing.com lol Bing ftw
macky
read a book. that is the best way to get good fundamentals in programming.

but of course you should first be familiar with the different ways of attacking your forms. there are a lot of security measures you can do to validate and sanitize the data coming from the user (input fields).

i recommend for development that you use:

mysql_real_escape_string()
preg_match using regex
strlen()
substr()
filter_var()

it's like going from the most general validation to the most specific, then sanitize. it is nice to know that you're aware of security.
shadowozera
The only thing that I am having trouble understanding is the MySQL stuff. If anyone could point to a place that gives a great explanation of what MySQL is and what it is used for, that'd be great.
joostvane
Basically PHP is a Hypertext Preprocessor. You have the power to make dynamic web pages. You can allow users to register an account and log in afterwards. You can calculate stuff, make a forum with it...

But where are you going to store all that data? That's where MySQL comes in. You can use PHP to send queries to the MySQL databases by 'mysql_query($query);'. You can retrieve data from the databases, store data in it, count the rows, ... all with php commands.

I think Frihost comes with a free MySQL database. First you'll have to log in using phpMyAdmin and create a new table. Within the database you can create multiple tables, for example 'user' or 'logs' or ... After you have created the table you can use PHP to interface with it.

I quickly did a Google search and found this one: http://www.freewebmasterhelp.com/tutorials/phpmysql/1 . It's not perfect, but it is short and will give you a quick basic understanding. Once you've completed this one, search for others as well. Before you start, make sure you have a good understanding of PHP and HTML.
shadowozera
thanks for the pointer. I'm already reading up and it's helping a lot. Thanks ^_^
debjitbiswas
Well, I want to use it and I will use it, thanks.
michaelagustin
Is there anything wrong if my PHP programming style is purely object oriented? Some say not, or that some parts of PHP don't need to be implemented as object oriented.
Fire Boar
It's pretty much impossible to write PHP purely in an object-oriented way. Commands like strpos are used pretty often, and have nothing to do with objects. For "pure OOP", check out a language like Ruby.

But if all your code is in classes or template files, that's fine.
snowboardalliance
Fire Boar wrote:
It's pretty much impossible to write PHP purely in an object-oriented way. Commands like strpos are used pretty often, and have nothing to do with objects. For "pure OOP", check out a language like Ruby.

But if all your code is in classes or template files, that's fine.


I'm not sure I would say that is "not pure OOP". I mean, if you look at a similar language like c++ (not Java because Java treats everything like an object), and you have a complex object-oriented system, you will still find calls in the implementation to lower level functions. Does that really make it less "pure"?

It seems like writing your code as classes and following good design patterns is still writing object-oriented code, even if you call built-in functions like strpos.
mahirh
Fire Boar wrote:
Asap170 wrote:
Wait, I don't quite understand what you're trying to say. So you're saying, like, someone in one of my fields can add that and it'll delete my table, or is there more to it than that?


They could do anything really. Bypass admin logins, get user information... if your input isn't sanitized, you're in trouble. Google "SQL injection" for more information.

this is why i use flat file databases: no clients needed, less vulnerable to these types of problems, you can give it more security than mysql, etc.....
michaelagustin
I have seen a lot of PHP code on the net. It seemed it would not let me learn more. I bet I'd do better studying a book than looking at finished code. ehehhe!
michaelagustin
PHP 5 is so great because they implemented object orientation. So cool to know it
macky
michaelagustin wrote:
Hi guys, I'm just new to PHP. I would like to make a website which has inputs, but because I am not very good in PHP, would you like to share your good thoughts on PHP? Just some good ideas. hehehe! Thanks


the question given is too broad. Give a specific one so we can share what typical ideas we have.. for forms, it's easy, you can google it.. probably, i think, you're looking for some tips and techniques instead of how to code it manually...
ogah
to disallow some characters in my PHP form I just use something like this
Code:

if(ereg('<|>|@|/', $_POST['str'])){
   echo 'If you repeat use forbidden characters your IP will be banned';
   exit;
}

this code disallows the characters <, >, @ and /
Fire Boar
Bad idea. Threatening to ban a visitor's IP address is never a good way. You should establish what acceptable input is, and politely reject anything that does not conform by displaying the form again as the user filled it, but with the offending field highlighted and the problem explained.

Also, it's usually best to reject only the minimum possible... for example, if you only allow uppercase and lowercase letters and spaces for names, you alienate people with double-barrel surnames and people with accents in their name (e.g. José). If you find you'll allow a character which might mess up your SQL queries, just use escape sequences. Actually, there's really no need to do that manually - the mysql_ functions are outdated, you should be using the PDO and PDOStatement classes for all database usage. These will automatically sanitize input.
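As an added example (not code from this thread or from Frihost), here is store.php's INSERT redone the way the replies above suggest: validation from general to specific (macky's list), an allow-list for names that still accepts accented letters such as José, and a PDO prepared statement instead of manual escaping. It assumes PHP with the PDO SQLite driver so it runs without a MySQL server; the table and column names are the ones from Asap170's code, and the input is constructed, using the address value from Fire Boar's post.

```php
<?php
// Added example, not code from this thread: store.php's INSERT redone as the
// later replies suggest. Validation goes from general to specific, names are
// accepted by an allow-list that still passes "José", and the values reach the
// database through a PDO prepared statement instead of being pasted into SQL.
// Assumes PHP with the PDO SQLite driver, so it runs with no MySQL server; for
// MySQL use the DSN 'mysql:host=localhost;dbname=yourDbName' plus user/password.

function validatePerson(array $in): array
{
    $errors = [];
    // Names: any letter or combining mark, apostrophe, hyphen, space (1-100 chars).
    foreach (['fname', 'lname'] as $f) {
        if (!preg_match('/^[\p{L}\p{M}\' -]{1,100}$/u', $in[$f] ?? '')) { $errors[$f] = "$f: letters, spaces, ' and - only"; }
    }
    $addr = trim((string)($in['address'] ?? ''));
    if ($addr === '' || strlen($addr) > 200) { $errors['address'] = 'address must be 1-200 characters'; }
    $ageOpts = ['options' => ['min_range' => 0, 'max_range' => 150]];
    if (filter_var($in['age'] ?? null, FILTER_VALIDATE_INT, $ageOpts) === false) { $errors['age'] = 'age must be 0-150'; }
    if (!in_array($in['sex'] ?? '', ['male', 'female'], true)) { $errors['sex'] = 'sex must be one of the options'; }
    if (filter_var($in['height'] ?? null, FILTER_VALIDATE_FLOAT) === false) { $errors['height'] = 'height must be a number'; }
    return $errors;   // empty array means the input is acceptable
}

function storePerson(PDO $db, array $in): void
{
    // Placeholders keep the values out of the SQL text, so an address such as
    // "'); DROP TABLE People; --" is stored as an ordinary string.
    $stmt = $db->prepare('INSERT INTO People (firstName, lastName, age, sex, height, address)
                          VALUES (:fname, :lname, :age, :sex, :height, :address)');
    $stmt->execute([
        ':fname' => $in['fname'], ':lname' => $in['lname'], ':age' => (int)$in['age'],
        ':sex' => $in['sex'], ':height' => (float)$in['height'], ':address' => trim($in['address']),
    ]);
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE People (firstName TEXT, lastName TEXT, age INTEGER, sex TEXT, height REAL, address TEXT)');

// Constructed input: the address is the value from Fire Boar's post.
$input = ['fname' => 'José', 'lname' => 'Müller-Ortiz', 'age' => '36', 'sex' => 'male',
          'height' => '1.80', 'address' => "'); DROP TABLE People; --"];
if ($errors = validatePerson($input)) {
    print_r($errors);                 // in a real form: redisplay it with these messages
} else {
    storePerson($db, $input);
    echo $db->query('SELECT address FROM People')->fetchColumn(), "\n";   // table still exists
}
```

After the run, the SELECT prints the hostile address back as plain text and the People table is still there, which is the whole point of binding parameters rather than building the query string yourself.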
ogah
that's right, banning a visitor's IP is not good because other visitors with the same IP will be banned too.
that script is just an example to warn the visitor that submitted illegal characters
sonam
EREG is a bad idea in any way. It is deprecated and I will not suggest it to anyone. This is the warning for ereg on php.net:

Quote:
This function has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.


Sonam
ogah
if you don't want to use ereg, you can use strstr, preg_match or other regex
therimalaya
I'm also a PHP student. I recently started a PHP class. What I've learned in this period is that anyone who has just started should know that organizing your documents is more important than learning complex coding. For instance, if I need a database connection, or if I need some query to execute, I make a list of functions in a file and include that file in the required page. By simply calling that function with the required parameters, you can accomplish your job more systematically. In the next reply I'll share some of them. As I'm just a student and have only started learning PHP, they might not be very professional.
therimalaya
The following are some example functions which I've created to help with my own work; they really help me not only to do the work fast but also in an effective and systematic way.
Code:
<?php
include("include/dbConnect.php");

This function gives a drop-down option list for HTML, where you need to show options with values that come from the database.
Code:

function getOption($rsSql, $colName)
{
   $sResult = mysql_query($rsSql) or die("Could Not Fetch Records");
   while ($s_Office = mysql_fetch_array($sResult))
   {
      // Escape the value so a quote or tag stored in the database cannot break the HTML
      $v = htmlspecialchars($s_Office[$colName], ENT_QUOTES, 'UTF-8');
      echo("<option value='" . $v . "'>" . $v . "</option>");
   }
}

The following function returns the list of years from 2009 to the current year, for the drop-down options of a select tag.
Code:
function getDateDrop()
{
   $j=2009;
   while($j<=gmdate('Y'))
   {
      echo("<option value='$j'>$j</option>");
      $j++;
   }
}

Similarly, this is for the month drop-down.
Code:
function getMonthDrop()
{
   for ($i = 1; $i <= 12; $i++)
   {
      // Use day 1 rather than today's day-of-month: with gmdate('d') the date
      // would roll over (e.g. 30 February becomes 2 March) and list a month twice.
      $month = gmdate('F', gmmktime(0, 0, 0, $i, 1, gmdate('Y')));
      echo("<option value='$month'>$month</option>");
   }
}

The following function echoes out the list of records returned by the given query, from the matching column. The code is very useful for filling a table with data from the database.
Code:
function recordList($query, $colName)
{
   $rs = mysql_query($query) or die("Can not make Query");
   while ($row = mysql_fetch_array($rs))
   {
      // Escape before output so database content is shown as text, not interpreted as HTML
      echo(htmlspecialchars($row[$colName], ENT_QUOTES, 'UTF-8'));
   }
}
?>
codersfriend
very useful tutorial...
have you tried w3schools?
ogah
sonam wrote:
EREG is a bad idea in any way. It is deprecated and I will not suggest it to anyone. This is the warning for ereg on php.net:

Quote:
This function has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.


Sonam
can you explain what the meaning of deprecated is?
I'm so confused with that word.
in PHP 5.5 or 5.6 mysql is also deprecated, see this
sonam
ogah wrote:
can you explain what the meaning of deprecated is?
I'm so confused with that word.
in PHP 5.5 or 5.6 mysql is also deprecated, see this


This means that if you use this function in your code on PHP 5 it will give an E_DEPRECATED error on your site. I found a few hosts with two different PHP systems (4 and 5) where you can call 5 with the .php5 extension. The normal .php extension calls PHP 4.

The idea of a deprecated mysql extension is really stupid. There are millions of sites that use the mysql extension.

Here is a fast solution for the evolution time, but a bad idea for the long term.
Code:
ini_set('error_reporting', E_ALL  ^ E_DEPRECATED);


Sonam
kacsababa
I think most devs should migrate to a better extension than the old MySQL extension anyway (mysqli, or a non-vendor-specific abstraction).
Fire Boar
ogah wrote:
in PHP 5.5 or 5.6 mysql also depracated, see this


Alleluia! This is really good news - PHP's mysql extension is perhaps the most commonly used "bad idea". It definitely needs to be deprecated, as soon as possible. I've been encouraging people for years to avoid using the mysql_ functions, preferring instead PDO or mysqli, and now hopefully people will actually be forced to do it. I don't get why people will insist on using these dated methods.


Oh, and @ogah, a definition of deprecated in the context of programming languages is: an obsolete function, method or class which is retained only for backward compatibility with older code. It may be removed entirely in a later version of the language. When a method is deprecated, there is usually another recommended approach to the same problem, often more efficient.
ogah
thanks Fire Boar, now I understand
© 2005-2011 Frihost, forums powered by phpBB.