Secure PHP Development- P22

Secure PHP Development- P22: Welcome to Secure PHP Development: Building 50 Practical Applications. PHPhas come a long way since its first incarnation as a Perl script. Now PHP is a powerfulWeb scripting language with object-oriented programming support. Slowlybut steadily it has entered the non-Web scripting arena often reserved for Perl andother shell scripting languages. Arguably, PHP is one of the most popular Web platforms.
Nội dung trích xuất từ tài liệu:
Secure PHP Development- P2276 Part II: Developing Intranet Solutions // Dump the contents of the DBI object to // see what it contains. echo “”; print_r($dbi); echo “”; ?> Here, $dbi is an instance of the DBI object created from class.DBI.php. The constructor method has to be passed a database URL which has the following syntax: database_type://username:password↓tabase_host/database_name The $DB_URL variable was set to create a database URL that pointed to a MySQL database (mysql) named mydb on host called localhost The data- base can be accessed using the root user account and foobar password. The DBI() method sets the DB URL passed to itself as db_url member variable and calls the connect() method to connect to the given data- base. The constructor sets the fetch mode to DB_FETCHMODE_OBJECT, which allows us to fetch database rows as objects. ◆ connect(): By default, the DBI() constructor method calls the connect() function directly to establish the connection, so you don’t need to. con- nect() connects to the database specified in db_url member variable of the object. It sets a member variable dbh to the database handle object created by the DB::connect() method, which is found in the PEAR DB package. connect also sets a member variable called connected to Boolean TRUE or FALSE and returns that value. ◆ disconnect(): The disconnect() function disconnects the DBI object from the database. The terminate() function in PHPApplication class (class. PHPApplication.php) calls the disconnect() function if the applica- tion is connected to a database. See terminate() function in PHPApplication class for details. ◆ query(): This function performs a SQL query on the connected database. The result of the query is stored in a result object called $result. If the query returns SQL error(s), a member variable called $this->dbi->error is set to the error message and null is returned. Chapter 4: Architecture of an Intranet Application 77If the query is successful, it returns the result object. The result object canbe used to fetch rows. For example, the test_query.php script tries to fetchdata from a table called PROD_TBL using a database URL such asmysql://root:foobar@localhost/products.78 Part II: Developing Intranet Solutions // Setup the database URL $DB_URL = ‘mysql://root:foobar@localhost/products’; // Create a DBI object that connects to the // database URL $dbi = new DBI($DB_URL); if (! $dbi->isConnected()) { echo “Connection failed for $DB_URL”; exit; } // Create a SQL statement to fetch data $statement = ‘SELECT ID, NAME FROM PROD_TBL’; // Execute the statement using DBI query method $result = $dbi->query($statement); // If the result of query is NULL then show // database error message if ($result == NULL) { echo “Database error:” . $dbi->getError() . “\n”; // Else check if there are no data available or not } else if (! $result->numRows()){ echo “No rows found.”; // Now data is available so fetch and print data } else { echo “ID\tNAME”; while ($row = $result->fetchRow()) { echo $row->ID, “\t”, $row->NAME, “”; } echo “”; } ?> Chapter 4: Architecture of an Intranet Application 79 The SQL statement SELECT ID, NAME FROM PROD_TBL is stored in $statement variable and passed to the DBI::query() method. The result is tested first for null. If the result is null, the database error is printed using the DBI::getError() method. If there are no database errors, the next check is made to see if there are any rows using the numRow() method from the $result object. If there are no rows, an appropriate message is printed. If there are data in the returned $result object, the result is printed in a loop using the fetchRow() method. The row data is fetched in $row object. The $row->DATA_FIELD method is used to get the data for each field. For example, to retrieve the NAME field data, the $row->NAME value is accessed.◆ quote(): This is a utility function that puts a pair of single quotes around a string to protect the string from being passed without quotation. Here’s an example in which the $name field is single-quoted using $this->dbi- >quote($name) call: 80 Part II: Developing Intranet Solutions // Insert the path in the PHP include_path so that PHP // looks for our PEAR, PHPLIB and application framework // classes in these directories ini_set( ‘include_path’, ‘:’ . $PATH . ‘:’ . ini_get(‘include_path’)); // Now load the DB.php class from PEAR require_once ‘DB.php’; // Now load our DBI class from application framework require_once(‘class.DBI.php’); // Setup the database URL $DB_URL = ‘mysql://root:foobar@localhost/foobar’; // Create a DBI object that connects to the // database URL $dbi = new DBI($DB_URL); if (! $dbi->isCo ...