Advanced Web Programming Chapter 3: MySQL Date: 28 April 2014 Dr. Mogeeb A. A. Mosleh E-mail.

Advanced Web Programming Chapter 3: MySQL Date: 28 April 2014 Dr. Mogeeb A. A. Mosleh Lab Room : MM lab Tuesday ( am)

Client/Server Environment Variables
Environment variables
– Provide information about execution environment
  Type of Web browser
  Type of server
  Details of HTTP connection
– Stored as array in PHP
  $_ENV

PHP Form Handling
Form processing
– action property
  Where to send form data (In/Out)
– method property
The PHP superglobals $_GET and $_POST are used to collect form-data.
Each element has unique name

Example PHP Form Handling

GET vs. POST
– Both GET and POST create an array (e.g. array( key => value, key2 => value2, key3 => value3,...)).
– This array holds key/value pairs, where keys are the names of the form controls and values are the input data from the user.
– Both GET and POST are treated as $_GET and $_POST.
– These are superglobals, which means that they are always accessible, regardless of scope - and you can access them from any function, class or file without having to do anything special.
– $_GET is an array of variables passed to the current script via the URL parameters.
– $_POST is an array of variables passed to the current script via the HTTP POST method.

PHP Form Handling
When to use GET
– Information sent from a form with the GET method is visible to everyone (all variable names and values are displayed in the URL).
– GET also has limits on the amount of information to send (2000 characters).
– GET may be used for sending non-sensitive data.
When to use POST
– Information sent from a form with the POST method is invisible to others (all names/values are embedded within the body of the HTTP request).
– POST has no limits on the amount of information to send.
– Developers prefer POST for sending form data.

PHP Form Validation
Proper validation of form data is important to protect your form from hackers and spammers. Check whether the input data from the user is appropriate or not.
$_SERVER["PHP_SELF"]
– $_SERVER["PHP_SELF"] is a superglobal variable that returns the filename of the currently executing script.
– $_SERVER["PHP_SELF"] sends the submitted form data to the page itself, instead of jumping to a different page.
The htmlspecialchars()
– The htmlspecialchars() function converts special characters to HTML entities. This means that it will replace HTML characters like < and > with &lt; and &gt;.
– This prevents attackers from exploiting the code by injecting HTML or JavaScript code (Cross-site Scripting attacks) in forms.
Big Note on PHP Form Security
– The $_SERVER["PHP_SELF"] variable can be used by hackers!
– If PHP_SELF is used in your page then a user can enter a slash (/) and then some Cross Site Scripting (XSS) commands to execute.

PHP Form Validation
How To Avoid $_SERVER["PHP_SELF"] Exploits?
$_SERVER["PHP_SELF"] exploits can be avoided by using the htmlspecialchars() function.
Validate Form Data With PHP
– The first thing we will do is to pass all variables through PHP's htmlspecialchars() function.
– Strip unnecessary characters (extra space, tab, newline) from the user input data (with the PHP trim() function)
– Remove backslashes (\) from the user input data (with the PHP stripslashes() function)
– The next step is to create a function that will do all the checking for us.

PHP Form Validation Example:
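A self-submitting form that applies the validation steps listed above, given here as an added example (it is not code from the original slides). The field names `name` and `email` and the helper `post_string()` are assumptions.

```php
<?php
// Added example, not code from the slides. Field names are assumptions.

// Return a POST field as a string; arrays such as name[]=x become ''.
function post_string(string $key): string
{
    $value = $_POST[$key] ?? '';
    return is_string($value) ? $value : '';
}

// The clean-up steps from the slides: trim, stripslashes, htmlspecialchars.
function test_input(string $data): string
{
    $data = trim($data);
    $data = stripslashes($data);
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}

$name = $email = '';
$errors = ['name' => '', 'email' => ''];

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $name = test_input(post_string('name'));
    if ($name === '') {
        $errors['name'] = 'Name is required';
    }
    // Validate the raw value; encode only the copy that is echoed back.
    $rawEmail = trim(post_string('email'));
    if (filter_var($rawEmail, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required';
    }
    $email = test_input($rawEmail);
}

// PHP_SELF includes any extra path the client appended to the script URL,
// so encode it before it is written into the action attribute.
$action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="<?php echo $action; ?>">
  Name: <input type="text" name="name" value="<?php echo $name; ?>">
  <span class="error"><?php echo $errors['name']; ?></span><br>
  E-mail: <input type="text" name="email" value="<?php echo $email; ?>">
  <span class="error"><?php echo $errors['email']; ?></span><br>
  <input type="submit" value="Submit">
</form>
```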

PHP Forms - Required Fields

form.html (1 of 4)
The action attribute of the form element indicates that when the user clicks Register, the form data will be posted to form.php.

form.html (2 of 4)
A unique name (e.g., ) is assigned to each of the form’s input fields. When Register is clicked, each field’s name and value are sent to the Web server.

form.html (3 of 4)

form.html (4 of 4)

Fig XHTML form for gathering user input.

Form Processing and Business Logic
Business logic
– Confirm that valid information was entered
– extract function
  Creates variables corresponding to each key-value pair in array
  Easily retrieve all values sent to PHP page
– Regular expressions very helpful
– Do checks on client side where possible
  JavaScript
  Conserves server resources
Ending a script
– die function
  Remember to close all HTML tags

form.php (1 of 4)
Function ereg is called to determine whether the phone number entered by the user is valid. The expression \( matches the opening parentheses of a phone number. We access the phone field’s value from form.html by using variable $phone. The parentheses in the expression must be followed by three digits ( [0-9]{3} ), a closing parenthesis, three digits, a literal hyphen and four additional digits.

form.php (2 of 4)
Function die terminates script execution

form.php (3 of 4)

form.php (4 of 4)
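The phone check described for form.php, as an added example rather than the original listing: it uses preg_match() because ereg() was removed in PHP 7.0, and it copies the expected fields out of $_POST instead of calling extract() on request data. The field names other than `phone` and the helper names are assumptions.

```php
<?php
// Added example, not the original form.php. ereg() was removed in PHP 7.0,
// so the same phone pattern is applied with preg_match().

// True only for strings shaped exactly like (555)555-5555.
function valid_phone($phone): bool
{
    // A request can send phone[]=x, which arrives as an array.
    if (!is_string($phone)) {
        return false;
    }
    // ^ ... \z anchors both ends. \z is used instead of $ because $
    // would also accept a value that ends in a newline.
    return preg_match('/^\([0-9]{3}\)[0-9]{3}-[0-9]{4}\z/', $phone) === 1;
}

// Copy only the expected fields out of $_POST. extract($_POST) would let
// request parameters create or overwrite variables in the script.
// Field names other than "phone" are assumptions.
function read_fields(array $post, array $expected): array
{
    $input = [];
    foreach ($expected as $key) {
        $value = $post[$key] ?? '';
        $input[$key] = is_string($value) ? trim($value) : '';
    }
    return $input;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $input = read_fields($_POST, ['fname', 'lname', 'email', 'phone']);
    if (!valid_phone($input['phone'])) {
        http_response_code(400);
        die('Invalid phone number. Use the form (555)555-5555.');
    }
    echo 'Thank you, ', htmlspecialchars($input['fname'], ENT_QUOTES, 'UTF-8');
} else {
    // Run from the command line: constructed samples.
    $samples = ['(555)555-5555', '555-555-5555', "(555)555-5555\n", ['x']];
    foreach ($samples as $s) {
        echo json_encode($s), ' => ', valid_phone($s) ? 'valid' : 'invalid', "\n";
    }
}
```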

Form Processing and Business Logic Obtaining user input through forms.

Verifying a Username and Password
Private website
– Only accessible to certain individuals
– Encrypt username and password data when sending, storing and retrieving for increased security
Implementing password checking
– Login information stored in file
  fopen function
  Read, write, append modes
– Store data using fputs
  \n newline character
– Close files when done
  fclose function

Verifying a Username and Password
Implementing password checking, cont.
– Trim newline character
  chop function
– Split string into substrings given a certain delimiter
  split function
– If username/password match list, allow access

password.html (1 of 4)

password.html (2 of 4) Form data is posted to password.php.

password.html (3 of 4)

Verifying a Username and Password XHTML form for obtaining a username and password.

password.php (1 of 7)
Variable names, when preceded by the logical negation operator ( ! ), return true if they are empty or set to 0. This checks if a user has submitted a form without specifying a username or password. Function fieldsBlank is called if the user has submitted an incomplete form to notify the user that all form fields must be completed. Function isset tests whether the user has pressed the New User button, indicating that a new user must be added. To add a new user, we open the file password.txt in append mode and assign the file handle that is returned to variable $file.

password.php (2 of 7)
Print an error message and terminate script execution if the file cannot be opened. Function fputs writes the name and password to the text file. Function userAdded is called to print a message to the user to indicate that the username and password were added to the file.

password.php (3 of 7)
Before entering the while loop, variable $userVerified is set to 0. The while loop executes as long as there are more lines in the file to read and variable $userVerified is still 0 or empty. Function fgets reads a line from the text file. The result is assigned to variable $line. Function chop removes the newline character from the end of the line. Function split is called to separate the string at the specified delimiter (in this case, a comma). The resulting array is stored in array $field. The username entered by the user is tested against the one returned in the text file (stored in the first element of the array). If they match, variable $userVerified is set to 1. Function checkPassword is called to verify the user’s password. Variable $PASSWORD and array $field are passed to the function. If function checkPassword returns true, function accessGranted is called to notify the client that permission has been granted. Otherwise, function wrongPassword is called.

password.php (4 of 7)
After the while loop has executed, function fclose is called to close the file. If variable $userVerified has not been set to a value other than 0, function accessDenied is called to notify the client that access has been denied. Function checkPassword compares the user’s password to the password in the file. If they match, true is returned, whereas false is returned if they do not.

password.php (5 of 7)
Function userAdded prints a message to the client indicating that the user has been added. Function accessGranted prints a message to the client indicating that permission has been granted.

password.php (6 of 7)
Function wrongPassword prints a message to the client indicating that the password is invalid. Function accessDenied prints a message to the client indicating that access has been denied.

password.php (7 of 7)
Function fieldsBlank prints a message to the client indicating that all form fields have not been completed.

Verifying a Username and Password Fig Verifying a username and password.

password.txt (1 of 1)
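The same file-based check as the password.php walk-through, as an added example that is not the original listing: it stores a password hash per user instead of the password itself and replaces chop() and split() with rtrim() and explode(). The file location and all function names here are assumptions.

```php
<?php
// Added example, not the original password.php: the same file-based flow,
// storing password hashes instead of plaintext. Names are assumptions.
// Demo location; in a real deployment keep this file outside the web root.
define('USER_FILE', sys_get_temp_dir() . '/users_example.txt');

// Restrict usernames to characters that cannot break the
// one-record-per-line, comma-delimited file format.
function valid_username(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,32}\z/', $name) === 1;
}

// Return the stored hash for $name, or null if there is no such user.
function find_hash(string $name): ?string
{
    $file = is_readable(USER_FILE) ? fopen(USER_FILE, 'r') : false;
    if ($file === false) {
        return null;
    }
    $found = null;
    while ($found === null && ($line = fgets($file)) !== false) {
        // rtrim() replaces chop(); explode() replaces split(), removed in
        // PHP 7.0. Limit 2 because a hash string may itself contain commas.
        $field = explode(',', rtrim($line, "\r\n"), 2);
        if (count($field) === 2 && $field[0] === $name) {
            $found = $field[1];
        }
    }
    fclose($file);
    return $found;
}

function add_user(string $name, string $password): bool
{
    if (!valid_username($name) || $password === '' || find_hash($name) !== null) {
        return false;
    }
    // password_hash() generates a salt and a slow hash for storage.
    $line = $name . ',' . password_hash($password, PASSWORD_DEFAULT) . "\n";
    // LOCK_EX keeps concurrent sign-ups from interleaving their writes.
    return file_put_contents(USER_FILE, $line, FILE_APPEND | LOCK_EX) !== false;
}

function verify_user(string $name, string $password): bool
{
    $hash = valid_username($name) ? find_hash($name) : null;
    // password_verify() recomputes the hash and compares in constant time.
    return $hash !== null && password_verify($password, $hash);
}

// Constructed demo credentials.
var_dump(add_user('alice', 'correct horse'), verify_user('alice', 'correct horse'));
var_dump(verify_user('alice', 'wrong'), add_user("bob,x\nroot", 'pw'));
```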

PHP Database ODBC
ODBC is an Application Programming Interface (API) that allows you to connect to a data source (e.g. an MS Access database).
Create an ODBC Connection
With an ODBC connection, you can connect to any database, on any computer in your network, as long as an ODBC connection is available. Here is how to create an ODBC connection to a MS Access Database:
1. Open the Administrative Tools icon in your Control Panel.
2. Double-click on the Data Sources (ODBC) icon inside.
3. Choose the System DSN tab.
4. Click on Add in the System DSN tab.
5. Select the Microsoft Access Driver. Click Finish.
6. In the next screen, click Select to locate the database.
7. Give the database a Data Source Name (DSN).
8. Click OK.

PHP Database ODBC
Connecting to an ODBC
The odbc_connect() function is used to connect to an ODBC data source. The function takes four parameters: the data source name, username, password, and an optional cursor type. The odbc_exec() function is used to execute an SQL statement.
Retrieving Records
The odbc_fetch_row() function is used to return records from the result-set. This function returns true if it is able to return rows, otherwise false.
Retrieving Fields from a Record
The odbc_result() function is used to read fields from a record. This function takes two parameters: the ODBC result identifier and a field number or name.

PHP Database ODBC

How to Create Login Page in PHP/MySQL Creating Database and user table