course notes for cs 1520 programming languages for web applications by john c. ramirez department of...

Course Notes for

CS 1520Programming Languages for

Web Applications

ByJohn C. Ramirez

Department of Computer ScienceUniversity of Pittsburgh

2

• These notes are intended for use by students in CS1520 at the University of Pittsburgh and no one else

• These notes are provided free of charge and may not be sold in any shape or form

• These notes are NOT a substitute for material covered during course lectures. If you miss a lecture, you should definitely obtain both these notes and notes written by a student who attended the lecture.

• Material from these notes is obtained from various sources, including, but not limited to, the following:

4 Programming the World Wide Web, various editions, by Robert W. Sebesta

4 Online documentation at: http://www.php.net and in particular the PHP Manual at http://www.php.net/manual/en/

4 PHP and MySQL Web Development, by Luke Welling and Laura Thomson (Developer's Library)

4 The Web Wizard's Guide to PHP by David A. Lash (AW)

http://www.php.net/

http://www.php.net/manual/en/

Goals of the Course

1) To understand and be able to program web servers and web clients to accomplish useful tasks4 Web servers are ubiquitous and many /

most organizations now have elaborate / interactive web sites

4 These web sites require programming on the server side • Scripts that execute on the server and

return resulting documents to the client

• For server-side scripts we will primarily utilize the PHP language

3

Goals of the Course

4 These web sites require programming on the client side• Scripts that execute locally on a user’s

machine via the web browser

• For client-side scripts we will primarily utilize the Javascript language

• We will also utilize JQuery, a library of Javascript functions that simplifies much of the client-side programming

• We may also look at an API, such as Google Maps that can be integrated into our sites

4

Goals of the Course

4 These web sites often require interaction between web servers and web clients• More and more sites contain resident client

code which accesses the server asynchronously and dynamically updates the client page

• We will utilize DOM and AJAX for this interaction

– Document Object Model– Asynchronous Javascript And XML

5

Goals of the Course

2) To examine and understand the differences in various programming languages, focusing especially on those geared toward Web programming4 Many programming languages are used for

general and Web programming• See just the previous few slides for examples

4 How do these languages differ?• Why is one better suited to a specific purpose

than another?

• Now some more fine-grained goals:

6

7

Goals of Course

• To learn and utilize the PHP language, and its applications 4 PHP syntax, constructs and basic

language features4 Using PHP for server-side embedded

scripts• Writing and processing HTML forms with PHP

• Access and utilizing system state variables

• Maintaining individual states via cookies and sessions

4 Regular expression handling in PHP4 Object-oriented features of PHP

Goals of Course

4 Using PHP for Web database access• With a MySQL database

– We will cover the very basics of using MySQL and DB development as well

– Simple database setup and querying– We will leave more interesting DB issues to

the CS 1555 course

4 Simple authentication and authorization

8

9

Goals of Course

• To learn and utilize the Javascript language in conjunction with html files4 Learning the basics of the language

• Quickly

4 Using Javascript in conjunction with DOM to add dynamic content to web pages• Ex: Doing client-side processing of forms

– Checking form input, dynamic formatting, etc.

4 Using AJAX techniques to make web apps more like stand-alone applications• Updating a web page without requiring a full

refresh

Goals of Course

• To learn and utilize the JQuery library4 Many client-side actions can be

simplified greatly utilizing JQuery rather than straight Javascript

4 JQuery has many powerful plugins

• To learn and utilize XML and how it can be used in Web applications4 Basic idea / syntax of XML4 Parsing / formatting XML documents

10

Goals of Course

• If time permits…4 To learn the basics of the Python

language• Python is growing in popularity as both a

general purpose and web programming language

4 To look at an API such as Google Maps and how it can be integrated into our sites

4 To examine mobile web apps and how they differ from traditional web apps• Content and formatting differences

11

12

Lecture 1: Getting Started

• What is assumed of you:4 You should be familiar with Java and have

used it in CS0401/4454 You are expected to know object-oriented

programming and basic event-driven programming

4 You are expected to know the basics of html

• What is not assumed of you:4 Detailed knowledge / experience with any

of the languages we will be using

13

Lecture 1: Intro. to Web Servers

• How do Web Servers work?4 Client specifies document at a specific

web address that is desired (specified by a URL)• Ex: http://www.cs.pitt.edu/

4 If the document is HTML or text, the server simply forwards it back to the client• If it is text, it is shown unaltered in the browser• If it is HTML it is rendered in the client's

browser– HTML tags are interpreted and result is shown

to the user– For info on HTML/XHTML, read Ch. 2 in the

Sebesta text

14


4 However, the requested document may be an executable script, or it may be HTML with an embedded script• The script could be written in any of many

different web scripting languages

4 In these cases, the server executes the script• If the entire document was a script, the

server simply sends the output back to the client

• If the document had an embedded script, the script sections are replaced with the output and the modified document is then sent to the client


4 Note that the client never sees the server-side script code• This is important – typically client should

not see logic / code that the server executes to process requests

• The server may be accessing files whose names should not be seen, or preprocessing data that it does not want the client to see

4 See ex1.txt4 See ex1.html4 See ex1.php

15

Lecture 1: CS 1520 Web Servers

• In order to be useful, web servers need access to the directories from which they serve and process files4 Minimally the server must have read

access, but in many cases, write access is also needed and/or useful• In case server creates / modifies files

– Ex: User submits a file– Ex: Various user data is stored / updated in a

file

• This leads to an issue for a course like CS 1520:

16


4 How do we give the server access to students’ individual directories in isolation?• For student X the server should have read/write

access to X’s directory

• However, when executing a script in X’s directory, the server should not be able to access files in the directory of some other student, Y

• Discuss

4 There are ways of doing this but they are not simple• We may utilize this later in the term

4 For now we are eliminating this issue entirely

17


• Rather than using a shared Web server, you will each use your own server

• The server you will use is XAMPP4 This is a full-featured Apache / MySQL /

PHP / Perl development environment4 It can be installed on a laptop

• If you have one

4 It can be installed on a flash drive• Makes it very portable

4 See: https://www.apachefriends.org/18

https://www.apachefriends.org/


4 You will develop your projects on your own servers, and then run them for your TA via a demonstration• You will need to bring either your laptop or

your flash drive (with the server on it) to the demonstration

4 Assignment:• Your first in-class exercise (next

Wednesday) will be to run a simple script on your own XAMPP server

• You have from now until then to get it installed on either your laptop or on a flash drive

19


4 If you are putting it on your laptop the installation is fairly straightforward

4 If you are putting it on a flash drive, you don’t actually “install” it – just download the .zip file, unzip it and run a .bat script

4 See documentation for where to put your scripts so that they will run

4 If you have any trouble with this, see your TA or me before next Wednesday!

20

Lecture 1: Intro. to HTML

• HTML is a mark-up language4 Idea is that extra characters / symbols in

the text provide information to a parser, which uses that information to render the document in a certain way• Ex:

<strong>Hello There</strong>–The tags do not appear in the rendered document–The parser utilizes them to alter the appearance of the text

4 We will discuss mark-up languages in more detail when we discuss XML later in the term

21


• HTML has evolved greatly over the years4 New tags have been added4 Some obsolete tags have been

removed4 Syntax has been standardized

• The current version is HTML 54 Still not universally used4 However, recently updated browsers

should all support it for the most part

22


• Fundamentally, each HTML 5 document has the following shell:

<!DOCTYPE html>

<html>

<head> </head>

<body> </body>

</html>

•There are a LOT of other tags / attributes and variations

•See: http://dev.w3.org/html5/html-author/ – There are many other reference links as well

•We will discuss some of these in more detail later, when we focus on client-side programming

23

http://dev.w3.org/html5/html-author/


• HTML can be generated in several ways:4 Can by typed in directly, using a text editor

– Ex: TextWrangler, TextPad, vi

4 Can be generated through software– Ex: MS Word, DreamWeaver

4 Can be generated dynamically via scripts– Ex: PHP, Perl

4 In this course we will be either typing in HTML directly or generating dynamically via scripts• Ex: Using PHP or Python

24

25

Lecture 2: Intro to PHP

• What is PHP?4 Language developed by Rasmus Lerdorf

from the Apache Group4 Its primary use is for server-side scriptingserver-side scripting

• Ex: To process HTML forms

• Ex: To perform a DB query and pass on results

• Ex: To dynamically generate HTML

4 PHP scripts are often embedded within HTML documents• The server processes the HTML document,

executing the PHP segments and substituting the output within the HTML document

26


4 The modified document is then sent to the client

4 As mentioned previously, the client never sees the PHP code• The only reason the client even knows PHP is

involved is due to the file extension .php– But even this is not required if the server is

configured correctly> The server can be configured to run PHP scripts even

if the file does not have a .php extension> By default XAMPP will only execute PHP if the .php

extension is provided> Can change this with an .htaccess file> See what happens if you have PHP code without

the .php extension

27


• PHP is a HUGE language4 It is a fully functional language4 It has an incredible amount of built-in

features• Form processing

• Output / generate various types of data (not just text)

• Database access– Allows for various DBs and DB formats

• Object-oriented features– Somewhat of a loose hybrid of C++ and Java

• Huge function / class library

28


• We will look at only a small part of PHP4 There are also many tools that are already

pre-written in / for PHP• If you are building a substantial project you may

want to use some of these– Ex: http://github.com/pear– Also see http://www.php.net/sites.php

• There are also content management systems written in PHP

– Ex: http://drupal.org/ – Ex: http://wordpress.org/

• However, we may not be covering them here– We will focus on the straight PHP language

http://github.com/pear

http://www.php.net/sites.php

http://drupal.org/

http://wordpress.org/

http://wordpress.org/

Lecture 2: Intro. to PHP

• PHP Program Structure4 Or really lack thereof4 PHP, as with many scripting languages,

does not have nearly the same structural requirements as a language like Java

4 A script can be just a few lines of code or a very large, structured program with classes and objects• The complexity depends on the task at hand

4 However, there are some guidelines for incorporating PHP scripts into HTML files

29


4 When a PHP file is requested, the PHP interpreter parses the entire file• Any content within PHP delimiter tags is

interpreted, and the output substituted

• Any other content (i.e. not within PHP delimiter tags) is simply passed on unchanged

• This allows us to easily mix PHP and other content (ex: HTML)

• See:– http://us3.php.net/manual/en/language.basic-syntax.phptags.ph

p

– http://us3.php.net/manual/en/language.basic-syntax.phpmode.php

30

http://us3.php.net/manual/en/language.basic-syntax.phptags.php

http://us3.php.net/manual/en/language.basic-syntax.phptags.php

31


• Consider the following PHP file

<!DOCTYPE html><html> <head> <title>Simple PHP Example</title> </head> <body> <?php echo "<p><h1>Output</h1>"; echo "<h2>Output</h2>"; echo "<h3>Output</h3></p>"; ?> <script language="PHP"> echo "\n<b>More PHP Output</b>\n"; echo "New line in source but not rendered"; echo "<br/>"; echo "New line rendered but not in source"; </script> </body></html>

HTML 5 Document

Root HTML Tag

Document Head

DOC

BODY

PHP Code


• Now consider the resulting HTML<!DOCTYPE html>

<html>

<head>

<title>Simple PHP Example</title>

</head>

<body>

<p><h1>Output</h1><h2>Output</h2><h3>Output</h3></p>

<b>More PHP Output</b>

New line in source but not rendered<br/>New line rendered but not in source </body>

</html>

• How will it look in the browser?– Look at it in the browser!– See ex2.php

32

33


4 If we prefer to separate a PHP code segment from the rest of our script, we can write it in another file and includeinclude it• Sometimes it is easier if we "separate" the PHP code

from the straight html– We also may be using several different files, esp. if

we are using classes

• But we must tag it even if it is already within a PHP tagged segment

– Included files are not interpreted by default> Don’t necessarily have to be PHP> If we want PHP, include PHP tags within the included file

– See ex3.php– See

http://us3.php.net/manual/en/function.include.php

34


• Simple typesSimple types• See: http://us3.php.net/manual/en/language.types.php

4 boolean• TRUE or FALSE

4 integer• Platform dependent – size of one machine

word– typically 32 or 64 bits

4 float• Double precision

• We could call it a double, but since we don't declare variables (we will discuss shortly) float works

35


4 string• We have single-quoted and double-quoted

string literals– Double quoted allows for more escape

sequences and allows variables to be interpolated into the stringinterpolated into the string

– What does that mean?> Rather than outputting the name of the

variable, we output its contents, even within a quote

> We'll see an example once we define variables> Note that this is NOT done in Java> See example

• Length can be arbitrary– Grows as necessary

36


• Easy conversion back and forth between strings and numbers

– In Web applications these are mixed a lot, so PHP will implicitly cast between the types when appropriate

– This is another clear difference between PHP and Java

> Java requires explicit casting> PHP allows explicit casting if desired

– See: http://us3.php.net/manual/en/language.types.type-juggling.php

• Can be indexed – the preferred way is using square brackets

$mystring = "hello";

echo $mystring[1];

– Output here is 'e'

37


• PHP variablesPHP variables4 All PHP variables begin with the $

• Variable names can begin with an underscore

• Otherwise rules are similar to most other languages

4 Variables are dynamically typeddynamically typed• No type declarations

– Variables are BOUND or UNBOUND> Unbound variables have the value NULL

– Type information for a variable is obtained from the current bound value

– Compare this to Java


4 Implications of dynamic typing:• No “type clash” errors like in Java

int x = 3.5; // oh no!String s = 100; // argh!–Instead we have in PHP$x = 3.5; // no problem!$s = 100; // a-ok!

• A variable’s type may change throughout program execution

$x = 5; // integer$x = $x + 1.5; // float$x = $x . “ dollars”; // string

38


• Perhaps intentionally but perhaps by mistake

• We have to be careful and to test types during execution

– gettype() function returns a string representation of variable’s type

$x = 5; echo(gettype($x)); // integer$x = $x + 1.5; echo (gettype($x)); // float$x = $x . “ dollars”; echo(gettype($x)); // string– is_<type>() function returns a boolean to test for

a given <type>$x = 5; $check = is_int($x); // true

$check = is_float($x); // false– Can use these tests to make decisions within a

script– See ex4.php

39


• Why is PHP dynamically typed?4 Allows for faster interpreting of the code

• Compiled code will run faster than interpreted code, but compiling itself takes time

4 Allows for easier / simpler templates / generic code• Think about generics in Java and how much

syntax they require– Much of this is due to type checking

4 For more information see:• http://en.wikipedia.org/wiki/Type_system

40

41


4 PHP programs have access to a large number of predefined variablespredefined variables• These variables allow the script access to

server information, form parameters, environment information, etc.

• Very helpful (as we will see) for determining and maintaining state information

• Ex: – $_SERVER is an array containing much

information about the server– $_POST is an array containing variables

passed to a script via HTTP POST– $_COOKIE is an array containing cookies– See ex5.php

42


• PHP Expressions and OperatorsPHP Expressions and Operators4 Similar to those in C++ / Java / Perl4 Be careful with a few operators

• / in PHP is always floating point division– To get integer division, we must cast to int$x = 15;$y = 6;echo ($x/$y), (int) ($x/$y), "<BR />";

> Output is 2.5 2

• Mixed operands can produce odd results– Values may be cast before comparing

43


– To compare strings, it is better to use the C-like string comparison function, strcmp()

> Other string functions are listed in Sebesta Table 9.3

• Even the == operator has odd behavior in PHP when operands are mixed

– Ex: Consider comparing a string and an int> Any non-numeric PHP string value will “equal” 0> Any numeric PHP string will equal the number it

represents

– Ex: Consider comparing a string and a boolean> Regular PHP string value will “equal” true> “0” string will equal false

– This behavior is consistent but confusing to the programmer and is probably best avoided

44


• An additional equality operator and inequality operator are defined

=== returns true only if the variables have the same value and are of the same type

> If casting occurred to compare, the result is false

!== returns true if the operands differ in value or in type

4 Precedence and associativity are similar to C++/Java• See

http://us2.php.net/manual/en/language.operators.precedence.php

45


• PHP Control StructuresPHP Control Structures4 Again, these are similar to those in C++ /

Java• if, while, do, for, switch are virtually identical

to those in C++ and Java

• PHP allows for an alternative syntax to designate a block in the if, while, for and switch statements

– Open the block with : rather than {– Close the block with endif, endwhile, endfor,

endswitch> Advantage to this syntax is readability> Now instead of seeing a number of close braces,

we see different keywords to close different types of control structures

46


• A nice feature of PHP is that the "control" resulting from a control structure is maintained even when you exit back to html mode

– Thus, in <?php you can branch / loop etc.– You can then exit php ?> and format in

straight html

• PHP also has the foreach loop– Similar to the Java for loop for Iterable

objects– We will look at this when we discuss arrays

• See ex6.php

47

Lecture 3: PHP Arrays

• Arrays in PHP are quite versatile• See http://php.net/manual/en/language.types.array.php

4 We can use them as we use traditional traditional arraysarrays, indexing on integer values

4 We can use them as hasheshashes • You may know hashing from CS 0445 or CS 1501,

associating a key with a value in an arbitrary index of the array

4 In either case we access the data via subscripts• In the first case the subscript is the integer index

• In the second case the subscript is the key value

4 We can even mix the two if we'd like

48


• Creating Arrays4 PHP Arrays can be created in a number of

ways• Explicitly using the array() construct• Implicitly by indexing a variable

– Since PHP has dynamic typing, you cannot identify a variable as an array except by assigning an actual array to it

– If the variable is already set to a string, indexing will have undesirable results – indexes the string!

– However, we can unset() it and then index it> We can test a variable to see if it is set (isset() and

if it is an array (is_array()) among other things– Lesson: Be careful with implicit behaviors

• Size will increase dynamically as needed

49

Lecture 3: More on PHP Arrays

• Accessing Arrays – can be done in many ways4 We can use direct access to obtain a desired

item• Good if we are using the array as a hash table or if we

need direct access for some other reason

• We provide the key and retrieve the value

4 For sequential access, the foreachforeach loop was designed to work with arrays• Iterates through the items in two different ways

foreach ($arrayvar as $key => $value)> Gives both the key and value at each iteration

foreach ($arrayvar as $value)> Gives just the next value at each iteration

50


4 How can these both be done efficiently?• PHP arrays are not implemented in the

traditional way– Ex: In Java or C++ the array is a contiguous

collection of memory locations

• PHP arrays more resemble a linked list (see Figure 9.3 in Sebesta text)

– But wouldn't this not allow direct access?

• The locations are also hashed– The "key" in PHP arrays is actually a hash

value

• So sequential access follows the linked list

• Direct access accesses via the hash value

44


• Be careful – iteration via foreach is in the order order the data has been generatedthe data has been generated, not by index order

– i.e. it follows the linked list– Thus, even arrays with identical keys and values

can have different orderings

• Items accessed in the arrays using foreach are copies of the data, not references to the data

– So changing the loop control variable in the foreach loop in PHP does NOT change the data in the original array

– To do this we must change the value using indexing

4 A regular for loop can also be used, but due to the non-sequential requirement for keys, this does not often give the best results

52


• The data in the array is not contiguous, so incrementing a counter for the next access will not work correctly unless the array index values are used in the "traditional" wayfor (int $i = 0; $i < count($A); $i++):

echo “$A[$i] <br/>”;

endfor;–We know that there are count($A) items in $A–What we do NOT know, is under which indices they are being stored

> There is no requirement that they have to start at 0 or even be integers at all

• See ex7.php


• In addition to foreach, there are other array iterators that we can use4 Ex: Using nextnext to access the array

elements• The next() function gives us the next valuenext value

in the array with each call– It movesmoves to the next item, then returnsthen returns it, so

we must get the first item with a separate call (ex: use current())

$curr = current($a1);while ($curr): echo "\$curr is $curr <br/>\n"; $curr = next($a1);endwhile;

53

54


4 Ex: Using eacheach to iterate:• The each() function returns a pair with each call

– A key key field for the current key– A valuevalue field for the current value– It returns the next (key,value) pair, then moves, so

the first item is no longer a special casewhile ($curr = each($a1)): $k = $curr["key"]; $v = $curr["value"]; echo "key is $k and value is $v <BR />\n";endwhile;

– This function may be preferable to next() if it is possible that FALSE or an empty string or 0 could be in the array

> The loop on the previous slide will stop for any of those values

55


• Both of these iteration functions operate similar to the Iterator interface in Java

– Iterate through the data in the collection without requiring us to know how that data is actually organized

– However, unlike in Java, if the array is changed during the iteration process, the current iteration is NOT invalidated

> Since new items are always added at the "end" of the array (from an iterator’s point of view) adding a new item during an iteration does not cause any data validity problems

> However, we need to be careful if doing this – can lead to an infinite iteration

56

Lecture 3: Sorting PHP Arrays

• There are various predefined sort functions in PHP4 sort (rsort for reverse)

• Sorts arrays of numbers numerically

• Sorts arrays of strings alphabetically

• If mixed, the strings count as 0 compared to numbers

• Reindexes array so that keys start at 0 and increment from there

4 asort• Same as sort but retains the original key

values (arsort for reverse)

Lecture 3: Sorting PHP Arrays

• PHP uses Quicksort to sort arrays4 This means that PHP sorting is NOT STABLE4 What does it mean for a sort to be STABLE?

• Given equal keys K1 and K2, their relative order before and after the sort will be the same

4 Due to data movement during partition, Quicksort is not stable• Implications?

• If we want stability, we will have to do it ourselves– See Web for some solutions

4 See ex8.php

57

58

Lecture 3: Two-dimensional Arrays

• Array values can be any legal PHP type4 This includes the array type, and allows

for arbitrary dimensional arrays4 We may think of them as "arrays of

arrays"4 It seems odd but once you know the

array syntax it follows quite naturally$a[0] = array(1,2,3,4);$a[1] = array(5,6,7,8);$a[2] = array(9,10,11,12);

59

Lecture 3: Two-dimensional Arrays

• In fact Java 2-D arrays are implemented in a similar way

– Although in Java they must be homogeneous

4 We can also use "normal" indexing for 2-D PHP arrays• Keep in mind that the key values are still

arbitrary, so we need to be careful

• The standard nested i, j loops that work in Java and C++ may not be appropriate here

– They will only work if we use the arrays in the "normal" way consistently

• More general access can be done via iterators or recursive functions – we will see this soon

• See ex9.php

60

Lecture 4: Functions and Parameters

• General syntax:function name ( params ){ // statements // optional return statement}

4 Parameters are optional4 Note that there is no return type in the

header• If no return statement is used, the function

will return NULL• If return is done, type could be anything

4 Cannot overload function names• Dynamic typing does not allow for

disambiguation

61


4 By default, parameters are passed by valueby value• Formal parameter is a copycopy of the actual

parameter

• Changes to formal parameter do not affect the actual parameter

4 If we add an ampersand before the formal parameter, we change it to pass by by referencereference• Like in C++, but not an option in Java

• Formal parameter is another nameanother name for the actual parameter

• Changes to the formal parameter also change the actual parameter

62

Lecture 4: Value vs. Reference Parameters

• Let's discuss this a bit4 Java has only value parametersvalue parameters

• This means we cannot alter the data stored stored in the actual parameterin the actual parameter within the function

• However, in many cases the data passed into the function is itself a referenceitself a reference

– This allows us to change the object that the reference refers to, but we cannot reassign the reference to a new object

X

data in object

can changethis

(mutate)

referencecannot change

this

63


4 Reference parametersReference parameters allow the data in the object to be changed• Assuming the parameter is a reference to

an object

4 They also allow the reference to be reassigned so that the actual parameter can reference a different object

X

oldobject

can changethis

(mutate)

referencecan also bereassigned

newobject


4 Implications:• In Java we can alter objects, including the

contents of arrays, via parameters– However, the argument itself (either a

primitive value or a reference) cannot change

– If we want to reassign a variable within a method what can we do?

> Use instance variables> Pass them in via an array (i.e. hack)

• In PHP we CAN reassign a reference with a function if we want

– Be careful if you choose to do this> Avoid inadvertent changes to arguments

64

65


4 Variables within functions by default are local to the function• Like method variables in Java or automatic

variables in C++

• We can use the global declaration to state that a variable used in a function is a global rather than a local variable

4 See ex10.php

66

Lecture 4: More on Functions

• PHP Function names can be stored in variables and called through the variables4 This allows the function that is used to be

determined dynamically (at run time)4 Can be handy if different functions need to

be called in different situations

• PHP functions can have default arguments4 If no actual parameter is supplied the

default value is used

• See ex11.php

67

Lecture 4: PHP Files

• Using files in PHP is fairly straightforward4 Can open a file for reading, writing, append,

and a couple variations of reading+writing• Note 1: Files are not covered in the Sebesta text

• Note 2: You may have to set some permissions on your file system to allow your server write access to files

• There are a few different ways to access files in PHP4 Many C file functions are almost identical in

PHP• Ex: fopen, fseek, fscanf, fgetc, fgets

• See the manual for complete list

68


• Opening files4 Typically we use fopen() to open a file

for either reading or writing$fp = fopen(<filename>, <mode>);

• Where <filename> is the path/name of a file that is accessible to the server

• Where <mode> specifies how the file will be accessed

– Ex: "r" read only"r+" read/write with pointer at beginning

» The above modes require the file to already exist

69


"w" write only

"w+" write / read, truncating previous file length to 0

– For the above modes, the server will attempt to create the file if it does not exist.

– Also "a" and "a+" for append modes

• Reading from files4 For text files, we can read different amounts

per read depending on our requirements• Read a single character at a time• Read the entire file into a single string• Read the lines of the file into an array of strings

4 Can also read binary data if necessary• Ex: images, audio, etc.

70


4 PHP allows all of these with various functions• Look at the options in the manual• See:

http://php.net/manual/en/ref.filesystem.php

• Writing to files4 Most commonly done with fwrite4 Again see manual for details

• Very Simple Example:4 See readwrite.php

Lecture 4: Debugging Note

• Many situations that produce compilation or run-time errors in Java will not do so in PHP

• Ex: Accessing a variable that has no value:$count = $count + 1;

• Ex: Reading a file that does not exist:$data = file(“nonexistentfile.txt”);

4 However, these situations will produce warnings, which we can elect to see or not see in the returned web page• We can determine whether these warnings

(and actual errors) are seen or not via .htaccess files

71

Lecture 4: Debugging Note

• These are configuration files that allow per directory configuration options for the server

• For example the settings:php_value display_errors 1

php_value display_startup_errors 1– will send PHP warnings back to the client browser

• And the settings:php_value display_errors 0

php_value display_startup_errors 0– will hide the warnings from the user

• Note: In some installations these cause problems for the server – if these cause an error in your server don’t use them

72


• Flocking files• See http://php.net/manual/en/function.flock.php

4 The flock() function is called to restrict access to files (when necessary) to one “user” at a time• If each “user” calls flock() prior to accessing a

file pointer to the same file, only one will be allowed to access it at a time

4 Why do we need this?• Multiple users frequently access the same

server

• Server typically spawns a separate process for each user

73

74


4 These processes can execute in pseudo-parallel or in actual parallel depending on how the server is configured

4 Consider the following scenario for process P1:

– Read a file into an array– Update a value in the array– Write the array back to the file

4 What if process P2 writes to the file between P1's reading and writing?

4 If used correctly, flock() can prevent this problem• See flock.php


4 Note: This issue is difficult to test with localhost server access• Practically speaking we can only submit one

request at a time

• However an online server can be accessed via many clients, with many coinciding processes

• See demo of flock.php on cs1520.cs.pitt.edu

75

76

Lecture 5: CGI and Scripts

• CGI - Common Gateway Interface• http://en.wikipedia.org/wiki/

Common_Gateway_Interface• http://tools.ietf.org/html/rfc3875

4 Interface for Web servers that interact with browsers, utilizing scripting languages and the HTTP (HyperText Transfer Protocol)

4 Used to allow data interaction between clients and server scripts• Ex. Extracting data sent via HTTP requests

and passing to scripts• Scripts can then use this data as input and

act on it

77


4 Two best known HTTP methods: GET and POST• GET

– appends user input to URL and requests corresponding document

– server parses URL - first part is a program that it invokes, second part is parameters passed along

Ex. http://cs1520.cs.pitt.edu/~nomad/php/bogus.php?arg1=wacky

– Recommended usage for safe and idempotent requests

> I dem WHAT?> Isn’t superman idempotent?

– Safe:> For retrieval only – has no side effects on the server

– Idempotent:> Making N > 1 identical requests has the same effect

as making only 1 request

– See: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

Lecture 4: GET and POST

• POST– sends data as a stream to script program– more suitable for large amounts of data– arguments are not shown in address but are

still extracted and processed by server– Used for requests that may alter / update

the server> i.e. NOT safe and NOT idempotent> Ex: update a database> Ex: submit a payment

78

79


• GET and POST are often used within HTML formsforms4 User enters data into form and then

SUBMITSSUBMITS it4 Browser processes form and passes

choices and information to the url specified

4 Server invokes appropriate script utilizing requested method, extracting submitted data• Most scripting languages (including PHP) have

predefined ways to easily extract this data

• This data is used as input to the script

80


4 Results are sent back to browser and displayed in the Web browser

4 See getpost.html and getpost.php

• Since scripts are executed by the server and can access files on the server4 It is prudent for a webmaster to be

cautious about the scripts placed onto the server

4 For example many servers will only execute “approved” scripts placed into an approved directory

81

4 Also, using a production server for a class slows it and increases the probability of down-time

4 Yet we need to be able to work on scripts on a full-fledged web server

4 For these reasons we are using individual XAMPP servers for each student

4 We may also use cs1520.cs.pitt.edu later in the term• If so details on how to set up your files will

be discussed at that time


82

Lecture 5: Processing Forms with PHP

• Using PHP with forms is fairly simple4 When forms are submitted the server

executes the php script, returning the resulting html• Remember that some of the file is unchanged,

since it may not have an embedded php script within it

• Server can be set to that the form variables can be accessed directly by simply using the $ sign

• However, it is better to access the variables from the $_POST array (or the $_GET array)

– The form element name is the key into the array– Discuss and see getpost.php

83

Lecture 5: Processing Forms with PHP

4 We can also use PHP to create forms• However, it is really just HTML that we are using

• We can "interleave" the PHP and html to get the desired overall result, or we can have PHP output the appropriate HTML tags

• So if you don't know it yet – learn some HTML– See Chapter 2 in Sebesta

4 See ex12.php, ex12b.php – note many comments!• Note how the script interacts with the data file

– It will show as many rows in the table as there are lines in the file

• Note how the PHP and html are interleaved

84

Lecture 5: Maintaining State

• HTTP is a stateless protocolstateless protocol4 It is simply defines how clients and

servers communicate with each other over the Web

4 Yet with many Web applications, maintaining state is important• Ex: When a customer logs into a site such

as Amazon, he/she may go through multiple pages

– We may want to keep track of the user him / her self (authentication information)

– We may want to keep track of what he / she has been doing

Lecture 5: Maintaining State

4 State can be maintained in various ways and in various places• Ex: We can store information on the server

or on the client

• We will examine several of these throughout the rest of the term

• One way of maintaining state is via CookiesCookies

• http://en.wikipedia.org/wiki/HTTP_cookie http://en.wikipedia.org/wiki/HTTP_cookie

85

86

Lecture 5: Cookies

• Cookies – what are they?4 Small pieces of information (up to 4K)

initially sent by the server to the client and stored on the client machine

4 When client next connects to a server, it sends cookies from that server back to it

4 Information about the client can then be extracted by the server• If no cookie, server can create a new cookie for

the client and send it with the response

• However, browsers can disable cookies– Can cause problems if server is dependent upon

them

87

Lecture 5: Cookies

4 Cookie format:• Name:Name: name of the cookie – typically used

to extract / examine the cookie

• Value:Value: contents of the cookie – seems like a simple value but can be an array if generated correctly

• Domain:Domain: domain of the server that is to receive the cookie – actual domain of server must match domain stored in the cookie

– Idea is that other servers cannot look at all of your cookies to see what you have

– If not explicitly set in the cookie, it is the full domain of the server that created the cookie

88

Lecture 5: Cookies

• Expires:Expires: When cookie will expire– Timestamp: Very specific format is required,

but we can use function calls to make it easier

• Path:Path: Path in server from which cookie can be sent

– If not specified it is the full path from where cookie was set

• Secure:Secure: Does cookie require secure server using https

– Default is no

89

Lecture 5: Sending Cookies to Client

4 Cookies are sent with the HTTP header of an html file:• Set-Cookie: oreo=Count Chocula;

domain=.chocolate.com;path=/cgi/bin;expires=Thu, 08-Jun-2015, 16:15:00 GMT;

– Must be set PRIOR to any html tags (since it is sent with the header)

• If not sent with HTTP header will not be interpreted as a cookie

• If client does not accept cookies it will just discard them

– We can send a cookie and test to see if client accepts cookies

90

Lecture 5: Cookies in PHP

• Cookies in PHP are fairly easy to use:4 setcookie() function is called to create a cookie

that will be sent to the client• See http://php.net/manual/en/function.setcookie.php

• As always with cookies, they must be sent with the http header

– Thus, you should determine and set any cookies in PHP mode prior to using any html (or even simple text)

4 $_COOKIE array contains the cookies received back from the client machine• Cookies sent to client by server previously

• Associative array allows access of cookies by name

91

Lecture 5: Cookies in PHP

4 Thus, to maintain state a server can:• Send the client a cookie the first time the

client connects to the server

• Receive and update / modify the cookie as client navigates the site

– Or send additional cookies

• Use the presence and / or value of cookies to discern information about the client

– Ex: A repeat customer – time of last visit– Ex: A current customer – last request or last

page visited

4 We will look at an example soon

92

Lecture 6: Session Tracking

• Cookies allow us to maintain statemaintain state, but are somewhat clumsy to program4 To keep detailed state information we

probably need many cookies and we must store a lot of information within them• Each cookie is only 4K and Value field is simple

4 Cookies are good for keeping track of return visitors

4 For keeping state within a "current" visit, there are better ways• PHP allows session trackingsession tracking which can simplify

and streamline the process of maintaining state

93


• Idea:4 When user first logs into (or simply

visits) a site, a session is started and a unique, random ID is assigned to that user

4 ID is stored in a cookie (on client) or on the URL, but state information (session variables) is stored on the server

4 Any accesses by the same client with the same session ID are recognized and the session variables can be retrieved and used• From any .php script – multiple scripts can be

used in the same session

94


4 In other words, the session variables are a pool of semi-permanent data stored on the server• A separate pool is associated with each client

• Through the session ids the pools can be distinguished and accessed appropriately

• Arbitrary information can be stored for each client

4 When session is finished (client logs out or browser is closed) the session variables are cleared and the session ID is disposed of


• Syntax4 Session tracking can be automatically

turned on (with a server setting)4 If not the programmer must explicitly

start a session in each script using session_start()• This should be done at the beginning of the

script, prior to any regular html tags

• It must be done in any script in which the session variables are to be accessed

• See ex5.php to note that session tracking is NOT automatically on in our server

95

96


• During a session, session variables are accessed by scripts through the $_SESSION array

– Arbitrary values can be stored there

• Implementation4 Be default PHP uses cookies to

implement sessions• However, they are used behind the scenes,

so programmer does not have to deal with the particulars

• Session ID is embedded within a cookie4 Can also insert the session ID into the

URL if you prefer (ex: client doesn’t accept cookies)

97


• Issues:4 Session tracking in itself is not a secure

process• Session id is the key to obtaining the

information, so it must be protected

• If we use a secure server (using SSL) we ensure that the ids are not sent as plain text

4 For more information:• See: http://www.php.net/manual/en/intro.session.php

4 For example of using session tracking and cookies, see• ex13.php for simple example

• usesession.php for a bit more complex handout

98

Lecture 6: Mail

• Many web apps require mail to be sent4 PHP has a built-in mail function:mail ($receiver, $subject, $message, $extras)4 All arguments are strings

• $extras allows additional information to be passed– Ex: From, Cc, Bcc

• See mail() in the PHP manual

4 This should work in a production server4 However, it relies on the web server having

the ability to actually send the mail• This may not be the case for your XAMPP servers

Lecture 6: Mail

4 There is an alternative that we can use, which will utilize a mail server that you already have access to• Ex: Pitt Mail or GMail

4 However, it is not standard PHP but rather an add on• It is called PHPMailer and is fairly widely used

• To download it see:– https://github.com/Synchro/PHPMailer

• You will need to install this onto your system– Demonstrating this will be Weekly In-class

Exercise 3 (Wed. June 3)

• See mail.php and sendmail.php

99

Lecture 6: OOP PHP

• PHP is an object-oriented language• See: http://us.php.net/manual/en/language.oop5.php

4 Has classes + objects4 Has inheritance and method overriding

• However, the dynamic typing of PHP variables does not give it quite the same type of polymorphism as Java

– The reference type always matches the object type

4 Object syntax is more like C++ than Java• Uses the scope resolution operator for parent

class access

• Uses the “arrow” operator for field / method access

100

Lecture 6: OOP PHP

4 PHP objects can have instance variables and instance methods• Like Java (more or less) we can restrict

visibility by using– private

> Only visible within class of variable’s declaration

– protected> Visible within class of variable’s declaration,

plus any subclasses

– public> Visible anywhere

• Unlike Java we do not have implicit access to instance variables from within objects

– To access we must use “this” for explicit access

101

Lecture 6: OOP PHP

class Foo

{

private $x;

public function setX($data)

{

$this->x = $data;

}

public function getX()

{

return $this->x;

}

...

}

• See what happens if you just use $x

102

Lecture 6: OOP PHP

4 PHP also has a lot of functions to help with OOP• Some are particularly useful for the Web

environment in which PHP is used

• Ex: __autoload()– Can automatically include class files for any

classes used in a PHP script> We don’t have to explicitly include each file> We don’t have to worry about including a file

multiple times

– Note the name: prefixed with two underscores> There are several useful functions with this

notation> Ex: __construct(), __destruct(), __toString()

103

Lecture 6: OOP PHP

• These are called “magic methods”– Mostly because they are called implicitly in

some way or another– PHP programmer may define the method

bodies but does not explicitly call them– For more information see:

> http://php.net/manual/en/language.oop5.magic.php

– See ex14.php, Foo.php and SubFoo.php

• Ex: serialize(), unserialize()– Allow serialization and deserialization of PHP

objects> This is good if we want to save an object into

a file or a cookie and then later restore it> See usesession-oop.php and User.php

104

Lecture 7: OOP PHP

4 PHP OOP definitely has differences from Java OOP• However, there is extensive documentation

on it so avail yourselves of it

4 Ex: Interfaces and Polymorphism• Since PHP variables are dynamically typed,

we never have to cast objects to store them

• See ex15.php and class files

4 Why use it (or when to use it)?• When scripts get larger / more complex

• To interact with some predefined resources– Ex: a MySQL database

105

Lecture 7: Sorting Instability

• As we mentioned previously, the default sort() method in PHP is unstable4 This does not really matter when sorting

simple types4 However, when sorting complex types such

as objects, we can have issues:• Original data is in order on Field A

• We sort the data on Field B

• Objects which are equal on Field B, may not have the original order based on Field A

4 To obtain stability we will have to write our own sort method

106

Lecture 7: Sorting Stability

• Or, more likely, use code that someone else has written!

4 See unstable.php

107

108

Lecture 8: Flat Files vs. DB Files

4 So far, our PHP examples have used regular text files• Often called FLAT FILES

4 These have a certain advantage, since we can edit the files easily and can read them without any special software

4 However, they have many disadvantages as well• It is difficult to "update" the data in a file

without rewriting the entire file– How to change data in the middle of the file?

109


• Concurrent access of the file is tricky– We use FLOCK to lock out the file, but even

that only works when used consistently– We also often FLOCK a file for a long period

of time to prevent corruption – limiting access to the file for that time

> Even if we really need to lock only part of the file

• Access can be slow, especially if the data is large

• Access privileges must be implemented by the programmer

110


4 An alternative is to use a DATABASE to store our data• Most common databases now are relational

databases– We have data stored in tables and relate the

data from one table to that of another

• Access is faster than flat files

• Queries to obtain specific sets of data can be done using a well-defined query language

• User has random access to data

• Concurrent access handling is built in

• Access privileges are built-in

111

Lecture 8: Database Definitions

• Some definitions / notions we will be using4 Database

• The overall collection of data – may consist of many tables

4 Table• An individual "relation" in the relational database

– Relates keys to values

• Table Column– An attribute in the table

• Table Row– An entity in the table– Typically has a value for each column

112


• Key– An attribute that uniquely identifies an entity

> Ex: SSN for a student at Pitt

• Foreign Key– Key used to relate data in one table with

data in another table> Ex: PSID may be key to a student table> May also be a foreign key in a table for a

given course

• Schema– A set of table designs that determine a

database– Does not yet include the data – simply

shows how it will be structured in the database

113


4 Relationships -- how do data in different tables relate?• One to oneOne to one

– An entity in a table corresponds to a single entity in another table

– The relationship is typically established using a foreign key for one or both entities

> Ex: If we have a table for Student_Info and a table for Academic_History, there is a one-to-one relationship between them

• One to manyOne to many– An entity in a table corresponds to 1 or more

entities in another table

114


> Ex: If the table for Academic_History has an entry for each term, the relationship now becomes one student to many terms

• Many to manyMany to many– Multiple entities in one table correspond to multiple

entities in another table– This relationship is often defined by a separate table,

which in fact changes it into 2 one to many relationships

> Ex: Tables Student_Info and Courses_Taken have a many to many relationship, since a student can take many courses and each course can be taken by many students

> However, if we create a new table Student_Courses, we can have each entity be a pair: Student_Id, Course_id

> Now Student_Info has a one to many relationship with Student_Courses, and so does Courses_Taken

115

Lecture 8: Database Theory?

4 There is a lot of database theory about how to best create a schema• Best modeling the data you are storing

• Storing it most efficiently

• Designing most efficient queries

4 We will leave most of this to the Database course• Take CS 1555

• Here we are more concerned with the fundamentals, and for using MySQL through PHP and a Web interface

116

Lecture 8: Getting Started with MySQL

• First we need access4 Typically this is done by the site administrator4 Since you are using your own servers, you are

the administrators!4 This can be done in several ways:

• XAMPP comes with phpMyAdmin– This is accessed via the Web Server and allows you

to access / modify the DB through a Web interface

• XAMPP also comes with a mysql program– This allows command line access to the MySQL

server

• You can use either of these to initialize your DB

• Let’s try a simple example with both– See handouts and demo


• The mysql program also allows you to run batch commands using the “source” command

– Be careful if you do this!

4 Note: The root MySQL account in XAMPP initially has no password• If others will have access to your site, you

need to add one!

• There are other security holes in XAMPP that you should address if it will be shared

• To address / fix these, go to the XAMPP home page on your system:

http://localhost/– Click on "English" and then click on the

Security link for more information

117


• There is a lot of info available for MySQL4 For MySQL home page, see:

http://www.mysql.com

4 For docs, see: http://dev.mysql.com/doc/refman/5.0/en/

• There are many versions in the doc site – depends on your version of MySQL

4 Googling various issues you may have is also helpful

118

119

Lecture 8: Setting up a DB

• As mentioned before, first we should develop a schemaschema for our database

• Once that is done satisfactorily, we need to set up our tables and initialize the DB4 Can be done fairly simply using a script

in conjunction with one or more flat files• The nice thing here is that the flat files are

needed only for initialization

• Once the database is set up, we use it exclusively

120

Lecture 8: PHP MySQL Basics

4 To set up our DB, we need to issue some MySQL commands• Allow us to create tables and add data to them

• Some valid MySQL commands are shown in Chapter 13 of the Sebesta text

– Ex: create table, insert into, select

4 We will use these MySQL commands through PHP scripts• In PHP, there are several ways of accessing a

MySQL DB

• Older installations used procedural access with the mysql_xxx() suite of functions

Lecture 8: PHP MySQL Basics

• Newer versions of PHP allow object-oriented access using mysqli

– This is how we will be accessing our DB– Note:

> Text uses mysqli commands but via the older procedural access

> This works but oo access is nicer so we will be accessing it that way

– We will initially create a mysqli object which connects us to the server

– Then we access the db via methods in the object

121

122

Lecture 8: Setting up a DB

4 Thus it is important to know both• The correct MySQL syntax to manipulate /

access the database– More info in Chapter 13 of Sebesta and

http://dev.mysql.com/doc/refman/5.0/en/index.html

• The correct PHP syntax to connect to and query using its MySQL objects and functions

– More info in Section 13.5 and– http://www.php.net/manual/en/mysql.php

> Overview

– http://www.php.net/manual/en/book.mysqli.php> Object-oriented access using mysqli

123

Lecture 8: MySQL Commands to Set Up a DB

• Some example commands4 DROP TABLE

CREATE TABLE• Allows us to delete a table or create a new

table in our DB schema

• We can specify the name and properties of each of the fields (columns) within the new table

4 INSERT INTO• Allows us to insert entries (rows) into a table

• Column values are provided positionally based on the order established when the table was created

124

Lecture 8: PHP MySQL Commands

• First we must connect to the DB (via PHP)4 We do this by creating a new mysqli object:

$db = new mysqli(<server>,<user>,<pass>,<db>);– Where <server> is the mysql server we are connecting

to– <user> is the account on the server– <pass> is the password for the account– <db> is the database that we want to access

•Since our Webserver and PHP server are on the same host, we can use ‘localhost’ (or 127.0.0.1) for the host

•For simplicity, in our accounts the <user> and <db> values will always be the same

– Not required though

125


• Once we have connected to our database and created our mysqli object we can operate on it4 There are many methods available in the

mysqli class4 The method we will use the most is query()

• This will pass an arbitrary query string to the database

• The return value depends on the nature of the query

• If the query fails – the boolean false is returned


• If the query succeeds– Commands such as INSERT, UPDATE,

CREATE, etc will return true to indicate that they succeeded

> Ex: The new row was added to the table> Ex: The current row was modified as specified

– Commands such as SELECT and SHOW will return a mysqli_result object

> Idea in this case is that there is data that is returned from the query

> The mysqli_result object gives us access to this data through its methods

> We will look more at this class and its methods soon when we look at some queries

126

127

Lecture 8: PHP Commands to Set Up a DB

• For example, let’s create a new table called “CD” with a field for an id number, a title and an artist4 The id number will be the primary key

• Must be unique for each row / entry

• We will then insert a few CDs into our table4 See setCDs.php4 Then see carsdata.html

• Don’t let the name fool you – you can do an arbitrary query from this web form

128

Lecture 9: Another Simple Example

• There is also a nice example in the text – let’s talk about this one a bit4 Four tables:

• Corvettes – stores basic information about the cars

• States – associates an id with each state name

• Equipment – associates an id with each equipment value

• Corvettes_Equipment – “helper” table to connect Corvettes to Equipment

– Corvettes.Vette_id is one to many with Corvettes_Equipment.Equip

4 See text files

129

Lecture 9: Another Simple Example

– Corvettes_Equipment.Vette_id is many to one with Equipment.Equip_id

> Together they effectively make Corvettes.Vette_id and Equipment.Equip_id many to many

– States is not really necessary> Just “clean” up Corvettes table

• The setup.php script creates these tables– Look at it (see comments especially)

Lecture 9: Joins

4 Once these tables are set up, we need to extract information via queries• These often involve a “joinjoin” of two or more tables

– Relating data in one table to data in another to get a new set of entities

4 Relational databases allow for many variations of joins:• Ex: INNER JOIN, CROSS JOIN, NATURAL JOIN, LEFT

JOIN, RIGHT JOIN

• To learn more about these, other variations and their differences, take the CS 1555 course!

• We will focus on just a few of the possibilities

130

131

Lecture 9: Joins

4 INNER JOIN (or cartesian product, or CROSS JOIN)• Associates each row in one table with each row

in the other> Note: Technically, an INNER JOIN is not equivalent

to a CROSS JOIN – the INNER JOIN requires the tables to have some matching data -- however, in MySQL they are equivalent

• If table T1 had R1 rows and table T2 had R2 rows, the cross join will have R1x R2 rows

– For example, a join of the Corvettes and States tables

• This is the default join in MySQL, and syntactically can be done in several different ways

Lecture 9: Joins

4 Implicit vs explicit4 Explicit:Explicit:

• SELECT * FROM Corvettes INNER JOIN States

• SELECT * FROM Corvettes JOIN States

4 ImplicitImplicit• SELECT * FROM Corvettes, States

4 Clearly, in most cases this is not what we really want• Rather, we want certain rows in one table

that relate to certain rows in the other table in a certain way

132

133

Lecture 9: Joins

4 We can achieve this with an equi-join• In an equi-join, we add equality testing

conditions to the join that only some of the rows in the full join table meet

– For example in the Corvettes and States tables– We can either match fields in one table to those

in another or we can match fields in either table to a specific value. For example:

SELECT * FROM Corvettes, States WHERE Corvettes.State = States.State_id

SELECT * FROM Corvettes, States WHERE Corvettes.State = States.State_id AND States.State = 'California‘

− We can also use the other syntax variations

Lecture 9: Joins

• Technically, an equi-join requires all conditions to be equality tests

– Allows for some efficiency improvements

• However, the restrictions given in the WHERE clause can be arbitrary

– Any relational expression that we’d like to use when comparing data in the tables

• The more restrictions we have, the fewer records will be returned

– Note, however, that having fewer returned records does not necessarily imply that the query took less time to be done!

– Take CS 1555!

134

135

Lecture 9: Joins

4 Generally a MySQL join is specified in the select command (this version is somewhat simplified):SELECT items FROM tables

[WHERE condition][GROUP BY group_type][HAVING where_definition][ORDER BY order_type][LIMIT limit criteria]

• [] values are optional

• More than one table gives us a join

• The WHERE condition restricts the join

136

Lecture 9: Accessing the DB

4 We do these queries using MySQL commands• Our access can be very general if we'd like

– See carsdata.html and access_cars.php– BE CAREFUL with these files on your accounts

> Allow user to make arbitrary changes to DB> This type of script would not be available on a

production server

• Let’s try a few queries:– Find all cars since 1995 (inclusive) that have

automatic transmission, also showing their state– Find out how many cars are from each state in the

list– Find all cars from California, sorted by mileage

137


• More often the access is restricted, based on the needs of the site that we are developing

– User of the site doesn't even know that MySQL is being used

– Simply enters information into a form as we'd expect and the processing of the form is done via a MySQL database

– Queries are designed based on what information is needed

– Access is similar in nature to that used to set up DB

138


• For example:4 User logs into a website by typing id and

password• Ids and passwords are stored in a DB and a

query is done to determine if the user is valid

• New users are added to the DB

4 Let's talk a bit about this from a security standpoint• Assume DB XDB X is storing ids and passwords for

System Y System Y

• Assume DB X becomes compromised

139


• We'd like this to NOT also compromise System Y

• How can we handle this?– Rather than storing passwords in plaintext,

we instead store a hashed version of the password

> The function hash() allows several different hash algorithms to be used

– These are one way mappings of the one way mappings of the password password using sophisticated hashing techniques

> Since they are one way, we cannot (easily) reproduce the password from the hashed versions

– But don’t we need the actual password?> Not usually

140


• Ex: – When logging into System Y user types

password, P'– Hashed version of actual password P, hash(P) is

stored in the DB– System Y retrieves hash(P) from the DB and

compares it with hash(P')– If hash(P) == hash(P’), the password is valid;

otherwise it is not– Note that obtaining hash(P) by breaking into the

DB will not give away actual passwords> Since login system requires user to enter P, not

hash(P)

• Q: How can we tell if hashed passwords are being used on a given system?

141


4 Let's look at a detailed example:– setquotes.php, ex17.php, ex17b.php,

ex17c.php

4 Script ex17.php is the "initial script"• Session variables are used to prevent users

from going directly to ex17b.php or ex17c.php

• Idea is that access is granted each step of the way and if you start in the middle it will be detected

4 Take a look at the files and read the comments very carefully• There is a lot of information in there!

Lecture 10: SQL Injection

4 We have mentioned security a few times now

4 The most important thing to realize as a Web developer / administrator is that hackers are always trying / finding new / unusual ways to attack you

4 Ex: SQL Injection (http://en.wikipedia.org/wiki/SQL_injection) • One common use of a DB is to search based on

input from the user– Ex: Enter name of person you wish to find

• A dangerous assumption is that the user will always enter a legitimate search string

142


4 SQL syntax is such the user can actually enter SQL code into a search string thereby circumventing the original intent of the query• In some cases, the user can actually be

destructive, changing the DB itself

4 Ex: Consider the following MySQL query in a PHP script:$query = "select * from Movies where Movie_name = '$movie'";

– Assume $movie was extracted from a POST submission

• The intent is that the user will enter a movie name

• What if the user enters SQL syntax?– Let's try it!

143


4 In some systems the problem can be much worse, due to allowance of cascading SQL statements in a query• Ex user input:' or '1'; drop table Movies; select * from Movies where '1' = '1

• Oh no!– Note that this depends on the user knowing

the table name – but it can often be guessed– Also it depends on system allowing multiple

statements in a query – MySQL does not but some do

• See ex18.php

4 http://xkcd.com/327/ 144

Lecture 11

• Exam One

145

course notes for cs 1520 programming languages for web applications by john c. ramirez department of...

Documents

web programming

web applications

web clients

web browser

php language

web database access

mysql web development

php access