PHP And MySQL For Dynamic Web Sites GFX PHP.and.My SQL.for.Dynamic.Web.Sites.Visual.Quick Pro.Guide.4th.Edition

00c%20GFX-PHP.and.MySQL.for.Dynamic.Web.Sites.Visual.QuickPro.Guide.4th.Edition

PHP.and.MySQL-libro-biblioteca.for.Dynamic.Web.Sites.Visual.QuickPro.Guide.4th.Edition

User Manual:

Open the PDF directly: View PDF .
Page Count: 726 [warning: Documents this large are best viewed by clicking the View PDF Link!]

Table of Contents
Introduction
Chapter 1 Introduction to PHP
- Basic Syntax
- Sending Data to the Web Browser
- Writing Comments
- What Are Variables?
- Introducing Strings
- Concatenating Strings
- Introducing Numbers
- Introducing Constants
- Single vs. Double Quotation Marks
- Basic Debugging Steps
- Review and Pursue
Chapter 2 Programming with PHP
- Creating an HTML Form
- Handling an HTML Form
- Conditionals and Operators
- Validating Form Data
- Introducing Arrays
- For and While Loops
- Review and Pursue
Chapter 3 Creating Dynamic Web Sites
- Including Multiple Files
- Handling HTML Forms, Revisited
- Making Sticky Forms
- Creating Your Own Functions
- Review and Pursue
Chapter 4 Introduction to MySQL
- Naming Database Elements
- Choosing Your Column Types
- Choosing Other Column Properties
- Accessing MySQL
- Review and Pursue
Chapter 5 Introduction to SQL
- Creating Databases and Tables
- Inserting Records
- Selecting Data
- Using Conditionals
- Using LIKE and NOT LIKE
- Sorting Query Results
- Limiting Query Results
- Updating Data
- Deleting Data
- Using Functions
- Review and Pursue
Chapter 6 Database Design
- Normalization
- Creating Indexes
- Using Different Table Types
- Languages and MySQL
- Time Zones and MySQL
- Foreign Key Constraints
- Review and Pursue
Chapter 7 Advanced SQL and MySQL
- Performing Joins
- Grouping Selected Results
- Advanced Selections
- Performing FULLTEXT Searches
- Optimizing Queries
- Performing Transactions
- Database Encryption
- Review and Pursue
Chapter 8 Error Handling and Debugging
- Error Types and Basic Debugging
- Displaying PHP Errors
- Adjusting Error Reporting in PHP
- Creating Custom Error Handlers
- PHP Debugging Techniques
- SQL and MySQL Debugging Techniques
- Review and Pursue
Chapter 9 Using PHP with MySQL
- Modifying the Template
- Connecting to MySQL
- Executing Simple Queries
- Retrieving Query Results
- Ensuring Secure SQL
- Counting Returned Records
- Updating Records with PHP
- Review and Pursue
Chapter 10 Common Programming Techniques
- Sending Values to a Script
- Using Hidden Form Inputs
- Editing Existing Records
- Paginating Query Results
- Making Sortable Displays
- Review and Pursue
Chapter 11 Web Application Development
- Sending Email
- Handling File Uploads
- PHP and JavaScript
- Understanding HTTP Headers
- Date and Time Functions
- Review and Pursue
Chapter 12 Cookies and Sessions
- Making a Login Page
- Making the Login Functions
- Using Cookies
- Using Sessions
- Improving Session Security
- Review and Pursue
Chapter 13 Security Methods
- Preventing Spam
- Validating Data by Type
- Validating Files by Type
- Preventing XSS Attacks
- Using the Filter Extension
- Preventing SQL Injection Attacks
- Review and Pursue
Chapter 14 Perl-Compatible Regular Expressions
- Creating a Test Script
- Defining Simple Patterns
- Using Quantifiers
- Using Character Classes
- Finding All Matches
- Using Modifiers
- Matching and Replacing Patterns
- Review and Pursue
Chapter 15 Introducing jQuery
- What is jQuery?
- Incorporating jQuery
- Using jQuery
- Selecting Page Elements
- Event Handling
- DOM Manipulation
- Using Ajax
- Review and Pursue
Chapter 16 An OOP Primer
- Fundamentals and Syntax
- Working with MySQL
- The DateTime Class
- Review and Pursue
Chapter 17 Example—Message Board
- Making the Database
- Creating the Index Page
- Creating the Forum Page
- Creating the Thread Page
- Posting Messages
- Review and Pursue
Chapter 18 Example—User Registration
- Creating the Templates
- Writing the Configuration Scripts
- Creating the Home Page
- Registration
- Activating an Account
- Logging In and Logging Out
- Password Management
- Review and Pursue
Chapter 19 Example—E-Commerce
- Creating the Database
- The Administrative Side
- Creating the Public Template
- The Product Catalog
- The Shopping Cart
- Recording the Orders
- Review and Pursue
Index
- A
- B
- C
- D
- E
- F
- G
- H
- I
- J
- K
- L
- M
- N
- O
- P
- Q
- R
- S
- T
- U
- V
- W
- X
- Y
- Z
BONUS APPENDIX: Appendix A: Installation

ptg6935296

Peachpit Press

VISUAL QUICKpro GUIDE

PHP and MySQL

for Dynamic Web Sites

Fourth Edition

LARRY ULLMAN

ptg6935296

Visual QuickPro Guide

PHP and MySQL for Dynamic Web Sites, Fourth Edition

Larry Ullman

Peachpit Press

1249 Eighth Street

Berkeley, CA 94710

510/524-2178

510/524-2221 (fax)

Find us on the Web at: www.peachpit.com

To r ep or t er ro rs , p le as e se nd a n ot e t o: e rr at a@ pe ac hp it .co m

Peachpit Press is a division of Pearson Education.

Editor: Rebecca Gulick

Copy Editor: Patricia Pane

Te ch ni cal Re vi ew er : A ns el m Br ad fo rd

Production Coordinator: Myrna Vladic

Compositor: Debbie Roberti

Proofreader: Bethany Stough

Indexer: Valerie Haynes-Perry

Cover Design: RHDG / Riezebos Holzbaur Design Group, Peachpit Press

Interior Design: Peachpit Press

Logo Design: MINE™ www.minesf.com

Notice of Rights

electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the

publisher. For information on getting permission for reprints and excerpts, contact permissions@peachpit.com.

Notice of Liability

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has

been taken in the preparation of the book, neither the author nor Peachpit Press shall have any liability to any

person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the

instructions contained in this book or by the computer software and hardware products described in it.

Trademarks

Visual QuickPro Guide is a registered trademark of Peachpit Press, a division of Pearson Education. MySQL is

a registered trademark of MySQL AB in the United States and in other countries. Macintosh and Mac OS X are

registered trademarks of Apple, Inc. Microsoft and Windows are registered trademarks of Microsoft Corp. Other

product names used in this book may be trademarks of their own respective owners. Images of Web sites in

this book are copyrighted by the original holders and are used with their kind permission. This book is not

officially endorsed by nor affiliated with any of the above companies, including MySQL AB.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as

trademarks. Where those designations appear in this book, and Peachpit was aware of a trademark claim,

the designations appear as requested by the owner of the trademark. All other product names and services

identified throughout this book are used in editorial fashion only and for the benefit of such companies with no

intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey

endorsement or other affiliation with this book.

ISBN-13: 978-0-321-78407-0

ISBN-10: 0-321-78407-3

9 8 7 6 5 4 3 2 1

Printed and bound in the United States of America

ptg6935296

Dedication

Dedicated to the fine faculty at my alma mater, Northeast Missouri

State University. In particular, I would like to thank: Dr. Monica Barron,

Dr. Dennis Leavens, Dr. Ed Tyler, and Dr. Cole Woodcox, whom I also

have the pleasure of calling my friend. I would not be who I am as

a writer, as a student, as a teacher, or as a person if it were not for

the magnanimous, affecting, and brilliant instruction I received from

these educators.

Special Thanks to:

My heartfelt thanks to everyone at Peachpit Press, as always.

My gratitude to editor extraordinaire Rebecca Gulick, who makes my job

so much easier. And thanks to Patricia Pane for her hard work, helpful

suggestions, and impressive attention to detail. Thanks also to Valerie

Haynes-Perry for indexing and Myrna Vladic and Deb Roberti for laying

out the book, and thanks to Anselm Bradford for his technical review.

Kudos to the good people working on PHP, MySQL, Apache,

phpMyAdmin, MAMP, and XAMPP, among other great projects.

And a hearty “cheers” to the denizens of the various newsgroups,

mailing lists, support forums, etc., who offer assistance and advice

to those in need.

Thanks, as always, to the readers, whose support gives my job

relevance. An extra helping of thanks to those who provided the

translations in Chapter 17, “Example—Message Board,” and who

offered up recommendations as to what they’d like to see in

this edition.

Thanks to Karnesha and Sarah for entertaining and taking care of

the kids so that I could get some work done.

Finally, I would not be able to get through a single book if it weren’t

for the love and support of my wife, Jessica. And a special shout-out

to Zoe and Sam, who give me reasons to, and not to, write books!

ptg6935296

iv Tab le of Con te nt s

Table of Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Chapter 1 Introduction to PHP. . . . . . . . . . . . . . . . . . . . . 1

Basic Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 2

Sending Data to the Web Browser. . . . . . . . . . . . . 6

Writing Comments. . . . . . . . . . . . . . . . . . . . . . 10

What Are Variables?. . . . . . . . . . . . . . . . . . . . . 14

Introducing Strings . . . . . . . . . . . . . . . . . . . . . 18

Concatenating Strings . . . . . . . . . . . . . . . . . . . 21

Introducing Numbers . . . . . . . . . . . . . . . . . . . . 23

Introducing Constants . . . . . . . . . . . . . . . . . . . 26

Single vs. Double Quotation Marks . . . . . . . . . . . . 29

Basic Debugging Steps . . . . . . . . . . . . . . . . . . . 32

Review and Pursue . . . . . . . . . . . . . . . . . . . . . 34

Chapter 2 Programming with PHP . . . . . . . . . . . . . . . . . 35

Creating an HTML Form . . . . . . . . . . . . . . . . . . 36

Handling an HTML Form . . . . . . . . . . . . . . . . . . 41

Conditionals and Operators . . . . . . . . . . . . . . . . 45

Validating Form Data . . . . . . . . . . . . . . . . . . . . 49

Introducing Arrays. . . . . . . . . . . . . . . . . . . . . . 54

For and While Loops . . . . . . . . . . . . . . . . . . . . 69

Review and Pursue . . . . . . . . . . . . . . . . . . . . . 72

Chapter 3 Creating Dynamic Web Sites. . . . . . . . . . . . . . 75

Including Multiple Files . . . . . . . . . . . . . . . . . . . 76

Handling HTML Forms, Revisited . . . . . . . . . . . . . 85

Making Sticky Forms . . . . . . . . . . . . . . . . . . . . 91

Creating Your Own Functions . . . . . . . . . . . . . . . 95

Review and Pursue . . . . . . . . . . . . . . . . . . . . . 110

ptg6935296

Table of Contents v

Chapter 4 Introduction to MySQL . . . . . . . . . . . . . . . . . 111

Naming Database Elements . . . . . . . . . . . . . . . 112

Choosing Your Column Types . . . . . . . . . . . . . . 1 1 4

Choosing Other Column Properties . . . . . . . . . . . 118

Accessing MySQL . . . . . . . . . . . . . . . . . . . . . 1 2 1

Review and Pursue . . . . . . . . . . . . . . . . . . . . 128

Chapter 5 Introduction to SQL. . . . . . . . . . . . . . . . . . . . 129

Creating Databases and Tables . . . . . . . . . . . . . 130

Inserting Records . . . . . . . . . . . . . . . . . . . . . 133

Selecting Data . . . . . . . . . . . . . . . . . . . . . . . 138

Using Conditionals . . . . . . . . . . . . . . . . . . . . 140

Using LIKE and NOT LIKE. . . . . . . . . . . . . . . . . 143

Sorting Query Results. . . . . . . . . . . . . . . . . . . 145

Limiting Query Results . . . . . . . . . . . . . . . . . . 147

Updating Data . . . . . . . . . . . . . . . . . . . . . . . 149

Deleting Data . . . . . . . . . . . . . . . . . . . . . . . 1 51

Using Functions . . . . . . . . . . . . . . . . . . . . . . 153

Review and Pursue . . . . . . . . . . . . . . . . . . . . 164

Chapter 6 Database Design . . . . . . . . . . . . . . . . . . . . .165

Normalization . . . . . . . . . . . . . . . . . . . . . . . 166

Creating Indexes . . . . . . . . . . . . . . . . . . . . . 179

Using Different Table Types . . . . . . . . . . . . . . . 182

Languages and MySQL . . . . . . . . . . . . . . . . . . 184

Time Zones and MySQL . . . . . . . . . . . . . . . . . 189

Foreign Key Constraints . . . . . . . . . . . . . . . . . 195

Review and Pursue . . . . . . . . . . . . . . . . . . . . 202

Chapter 7 Advanced SQL and MySQL. . . . . . . . . . . . . . . 203

Performing Joins. . . . . . . . . . . . . . . . . . . . . . 204

Grouping Selected Results . . . . . . . . . . . . . . . 214

Advanced Selections . . . . . . . . . . . . . . . . . . . 218

Performing FULLTEXT Searches . . . . . . . . . . . . 222

Optimizing Queries . . . . . . . . . . . . . . . . . . . . 230

Performing Transactions . . . . . . . . . . . . . . . . . 234

Database Encryption . . . . . . . . . . . . . . . . . . . 237

Review and Pursue . . . . . . . . . . . . . . . . . . . . 240

ptg6935296

vi Tab le of Con te nt s

Chapter 8 Error Handling and Debugging . . . . . . . . . . . . 241

Error Types and Basic Debugging . . . . . . . . . . . . 242

Displaying PHP Errors. . . . . . . . . . . . . . . . . . . 248

Adjusting Error Reporting in PHP . . . . . . . . . . . . 250

Creating Custom Error Handlers. . . . . . . . . . . . . 253

PHP Debugging Techniques . . . . . . . . . . . . . . . 258

SQL and MySQL Debugging Techniques. . . . . . . . 262

Review and Pursue . . . . . . . . . . . . . . . . . . . . 264

Chapter 9 Using PHP with MySQL . . . . . . . . . . . . . . . . . 265

Modifying the Template. . . . . . . . . . . . . . . . . . 266

Connecting to MySQL. . . . . . . . . . . . . . . . . . . 268

Executing Simple Queries . . . . . . . . . . . . . . . . 273

Retrieving Query Results . . . . . . . . . . . . . . . . 281

Ensuring Secure SQL . . . . . . . . . . . . . . . . . . . 285

Counting Returned Records . . . . . . . . . . . . . . . 290

Updating Records with PHP . . . . . . . . . . . . . . . 292

Review and Pursue . . . . . . . . . . . . . . . . . . . . 298

Chapter 10 Common Programming Techniques . . . . . . . . . 299

Sending Values to a Script . . . . . . . . . . . . . . . . 300

Using Hidden Form Inputs . . . . . . . . . . . . . . . . 304

Editing Existing Records . . . . . . . . . . . . . . . . . 309

Paginating Query Results. . . . . . . . . . . . . . . . . .316

Making Sortable Displays . . . . . . . . . . . . . . . . 323

Review and Pursue . . . . . . . . . . . . . . . . . . . . 328

Chapter 11 Web Application Development . . . . . . . . . . . . 329

Sending Email . . . . . . . . . . . . . . . . . . . . . . . 330

Handling File Uploads . . . . . . . . . . . . . . . . . . 336

PHP and JavaScript . . . . . . . . . . . . . . . . . . . . 348

Understanding HTTP Headers. . . . . . . . . . . . . . 355

Date and Time Functions . . . . . . . . . . . . . . . . . 362

Review and Pursue . . . . . . . . . . . . . . . . . . . . 366

ptg6935296

Table of Contents vii

Chapter 12 Cookies and Sessions . . . . . . . . . . . . . . . . . . 367

Making a Login Page . . . . . . . . . . . . . . . . . . . 368

Making the Login Functions . . . . . . . . . . . . . . . 371

Using Cookies . . . . . . . . . . . . . . . . . . . . . . . 376

Using Sessions. . . . . . . . . . . . . . . . . . . . . . . 388

Improving Session Security . . . . . . . . . . . . . . . 396

Review and Pursue . . . . . . . . . . . . . . . . . . . . 400

Chapter 13 Security Methods . . . . . . . . . . . . . . . . . . . . . 401

Preventing Spam . . . . . . . . . . . . . . . . . . . . . 402

Validating Data by Type. . . . . . . . . . . . . . . . . . 409

Validating Files by Type. . . . . . . . . . . . . . . . . . 414

Preventing XSS Attacks. . . . . . . . . . . . . . . . . . 418

Using the Filter Extension . . . . . . . . . . . . . . . . 421

Preventing SQL Injection Attacks . . . . . . . . . . . . 425

Review and Pursue . . . . . . . . . . . . . . . . . . . . 432

Chapter 14 Perl-Compatible Regular Expressions. . . . . . . . 433

Creating a Test Script . . . . . . . . . . . . . . . . . . . 434

Defining Simple Patterns . . . . . . . . . . . . . . . . . 438

Using Quantifiers . . . . . . . . . . . . . . . . . . . . . 441

Using Character Classes . . . . . . . . . . . . . . . . . 443

Finding All Matches . . . . . . . . . . . . . . . . . . . . 446

Using Modifiers . . . . . . . . . . . . . . . . . . . . . . 450

Matching and Replacing Patterns . . . . . . . . . . . . 452

Review and Pursue . . . . . . . . . . . . . . . . . . . . 456

Chapter 15 Introducing jQuery . . . . . . . . . . . . . . . . . . . . 457

What is jQuery? . . . . . . . . . . . . . . . . . . . . . . 458

Incorporating jQuery . . . . . . . . . . . . . . . . . . . 460

Using jQuery . . . . . . . . . . . . . . . . . . . . . . . . 463

Selecting Page Elements . . . . . . . . . . . . . . . . . 466

Event Handling. . . . . . . . . . . . . . . . . . . . . . . 469

DOM Manipulation . . . . . . . . . . . . . . . . . . . . 473

Using Ajax . . . . . . . . . . . . . . . . . . . . . . . . . 479

Review and Pursue . . . . . . . . . . . . . . . . . . . . 492

ptg6935296

viii Tab le of Con te nt s

Chapter 16 An OOP Primer . . . . . . . . . . . . . . . . . . . . . . . . 493

Fundamentals and Syntax . . . . . . . . . . . . . . . . 494

Working with MySQL . . . . . . . . . . . . . . . . . . . 497

The DateTime Class . . . . . . . . . . . . . . . . . . . . 511

Review and Pursue . . . . . . . . . . . . . . . . . . . . 518

Chapter 17 Example—Message Board . . . . . . . . . . . . . . . 519

Making the Database . . . . . . . . . . . . . . . . . . . 520

Creating the Index Page . . . . . . . . . . . . . . . . . 537

Creating the Forum Page . . . . . . . . . . . . . . . . . 538

Creating the Thread Page . . . . . . . . . . . . . . . . 543

Posting Messages . . . . . . . . . . . . . . . . . . . . . 548

Review and Pursue . . . . . . . . . . . . . . . . . . . . 558

Chapter 18 Example —User Registration. . . . . . . . . . . . . . 559

Creating the Templates . . . . . . . . . . . . . . . . . . 560

Writing the Configuration Scripts . . . . . . . . . . . . 566

Creating the Home Page . . . . . . . . . . . . . . . . . 574

Registration . . . . . . . . . . . . . . . . . . . . . . . . 576

Activating an Account. . . . . . . . . . . . . . . . . . . 586

Logging In and Logging Out . . . . . . . . . . . . . . . 589

Password Management. . . . . . . . . . . . . . . . . . 594

Review and Pursue . . . . . . . . . . . . . . . . . . . . 604

Chapter 19 Example —E-Commerce. . . . . . . . . . . . . . . . . 605

Creating the Database . . . . . . . . . . . . . . . . . . 606

The Administrative Side . . . . . . . . . . . . . . . . . 612

Creating the Public Template . . . . . . . . . . . . . . 629

The Product Catalog . . . . . . . . . . . . . . . . . . . 633

The Shopping Cart . . . . . . . . . . . . . . . . . . . . 645

Recording the Orders . . . . . . . . . . . . . . . . . . . 654

Review and Pursue . . . . . . . . . . . . . . . . . . . . 659

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661

BONUS APPENDIX

Appendix A Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . A1

ptg6935296

Introduction ix

Introduction

Today’s We b users exp ect exciting pages

that are updated frequently and provide

a customized experience. For them, Web

sites are more like communities, to which

they’ll return time and again. At the same

time, Web-site administrators want sites

that are easier to update and maintain,

understanding that’s the only reasonable

way to keep up with visitors’ expecta-

tions. For these reasons and more, PHP

and MySQL have become the de facto

standards for creating dynamic, database-

driven Web sites.

This book represents the culmination of my

many years of Web development experi-

ence coupled with the value of having

written several previous books on the tech-

nologies discussed herein. The focus of

this book is on covering the most important

knowledge in the most efficient manner.

It will teach you how to begin developing

dynamic Web sites and give you plenty of

example code to get you started. All you

need to provide is an eagerness to learn.

Well, that and a computer.

What Are Dynamic

Web Sites?

Dynamic Web sites are flexible and potent

creatures, more accurately described as

applications

than merely sites. Dynamic

Web sites

Respond to different parameters (for

example, the time of day or the version

of the visitor’s Web browser)

Have a “memory,” allowing for user

registration and login, e-commerce,

and similar processes

Almost always integrate HTML forms,

allowing visitors to perform searches,

provide feedback, and so forth

Often have interfaces where

administrators can manage the

site’s content

Are easier to maintain, upgrade, and

build upon than statically made sites

ptg6935296

x Introduction

Starting at the end of that statement, to

say that PHP

can be embedded into

HTML

means that you can take a standard

HTML page, drop in some PHP wherever

you need it, and end up with a dynamic

result. This attribute makes PHP very

approachable for anyone that’s done even

a little bit of HTML work.

Also, PHP is a

scripting

language, as

opposed to a

compiled

language: PHP

was designed to write Web scripts, not

stand-alone applications (although, with

some extra effort, you can now create

applications in PHP). PHP scripts run only

after an event occurs—for example, when

a user submits a form or goes to a URL

(Uniform Resource Locator, the technical

term for a Web address).

I should add to this definition that PHP is

a server-side, cross-platform technology,

both descriptions being important.

Server-

side

refers to the fact that everything PHP

does occurs on the server. A Web server

application, like Apache or Microsoft’s IIS

(Internet Information Services), is required

and all PHP scripts must be accessed

through a URL (

http://

something

). Its

There are many technologies available

for creating dynamic Web sites. The most

common are ASP.NET (Active Server

Pages, a Microsoft construct), JSP (Java

Server Pages), ColdFusion, Ruby on Rails (a

Web development framework for the Ruby

programming language), and PHP. Dynamic

Web sites don’t always rely on a database,

but more and more of them do, particularly

as excellent database applications like

MySQL are available at little to no cost.

What is PHP?

PHP originally stood for “Personal Home

Page” as it was created in 1994 by Rasmus

Lerdorf to track the visitors to his online

résumé. As its usefulness and capabilities

grew (and as it started being used in more

professional situations), it came to mean

“PHP: Hypertext Preprocessor.”

According to the official PHP Web site,

found at

www.php.net

A, PHP is a

“widely used general-purpose scripting

language that is especially suited for Web

development and can be embedded into

HTML.” It’s a long but descriptive definition,

whose meaning I’ll explain.

A The home page for PHP.

ptg6935296

Introduction xi

cross-platform nature means that PHP

runs on most operating systems, including

Windows, Unix (and its many variants), and

Macintosh. More important, the PHP scripts

written on one server will normally work on

another with little or no modification.

At the time this book was written, PHP was

at version 5.3.6 and this book does assume

you’re using at least version 5.0. Some func-

tions and features covered will require more

specific or current versions, like PHP 5.2 or

greater. In those cases, I will make it clear

when the functionality was added to PHP,

and provide alternative solutions if you have

a slightly older version of the language.

If you’re still using version 4 of PHP, you

really should upgrade. If that’s not in your

plans, then please grab the second edition

of this book instead.

More information about PHP can always be

found at PHP.net or at Zend (

www.zend.com

the minds behind the core of PHP.

Why use PHP?

Put simply, when it comes to developing

dynamic Web sites, PHP is better, faster,

and easier to learn than the alternatives.

What you get with PHP is excellent

performance, a tight integration with

nearly every database available, stability,

portability, and a nearly limitless feature

set due to its extendibility. All of this comes

at no cost (PHP is open source) and with

a very manageable learning curve. PHP is

one of the best marriages I’ve ever seen

between the ease with which beginning

programmers can start using it and the

ability for more advanced programmers to

do everything they require.

Finally, the proof is in the pudding: PHP

has seen an exponential growth in use

since its inception, and is the server-side

What Happened to PHP 6?

When I wrote the previous version of

this book,

PHP 6 and MySQL 5 for

Dynamic Web Sites: Visual QuickPro

Guide

, the next major release of PHP—

PHP 6—was approximately 50 percent

complete. Thinking that PHP 6 would

therefore be released sometime after

the book was published, I relied upon

a beta version of PHP 6 for a bit of that

edition’s material. And then…

PHP 6 died.

One of the key features planned for PHP

6 was support for Unicode, meaning that

PHP 6 would be able to work natively

with any language. This would be a

great addition to an already popular

programming tool. Unfortunately,

implementing Unicode support went

from being complicated to quite difficult,

and the developers behind the language

tabled development of PHP 6. Not all

was lost, however: Some of the other

features planned for PHP 6, such as

support for

namespaces

(an Object-

Oriented Programming concept), were

added to PHP 5.3.

At the time of this writing, it’s not clear

when Unicode support might be com-

pleted or what will happen with PHP 6.

My hunch is that PHP will be making

incremental developments along the

version 5 trunk for some time to come.

ptg6935296

xii Introduction

technology of choice on over 76 percent

of all Web sites B. In terms of all pro-

gramming languages, PHP is the fifth

META

tag, but it does require the page to be a PHP

script. If using this, it must be the first line in

the page, before any HTML.

A proxy script can only ever send to the

browser a single file (or image) at a time.

F The Web Developer Toolbar extension for Firefox includes the ability to see what headers were sent by

a page and/or server. This can be useful debugging information.

I cannot stress strongly enough that

nothing can be sent to the Web browser

before using the

header( )

function. Even

an included file that has a blank line after

the closing PHP tag will make the

header( )

function unusable.

To avoid problems when using

header( )

, you can call the

headers_sent( )

function first. It returns a Boolean value indi-

cating if something has already been sent to

the Web browser:

if (!headers_sent( )) {

// U s e t h e h e a d e r( ) function.

} else {

// D o s o m e t h i n g e l s e.

}

Output buffering, demonstrated in Chapter 17,

“Example—User Registration,” can also pre-

vent problems when using

header( )

ptg6935296

362 Chapter 11

Date and Time Functions

Chapter 5, “Introduction to SQL,”

demonstrates a handful of great date

and time functions that MySQL supports.

Naturally, PHP has its own date and time

functions. To start, there’s

date_default_

timezone_set( )

. This function is used to

establish the default time zone (which can

also be set in PHP’s configuration file).

date_default_timezone_set(tz);

The

value is a string like

America/New_

Yo r k

Pacific/Auckland

. There are too many

to list here (Africa alone has over 50), but see

the PHP manual for them all. Note that as of

PHP 5.1, the default time zone must be set,

either in a script or in PHP’s configuration

file, prior to calling any of the date and time

functions, or else you’ll see an error.

Next up, the

checkdate( )

function takes

a month, a day, and a year and returns a

Boolean value indicating whether that date

actually exists (or existed). It even takes

into account leap years. This function can

be used to ensure that a user supplied a

valid date (birth date or other):

if (checkdate(month, day, year)) { // O K!

Perhaps the most frequently used function

is the aptly named

date( )

. It returns the

date and/or time as a formatted string. It

takes two arguments:

date (format, [timestamp]);

The timestamp is an optional argument

representing the number of seconds since

the Unix Epoch (midnight on January 1,

1970) for the date in question. It allows you

to get information, like the day of the week,

for a particular date. If a timestamp is not

specified, PHP will just use the current time

on the server.

TABLE 11.4 Date( ) Function Formatting

Character Meaning Example

YYe a r a s 4 d i g i t s 2011

yYe a r a s 2 d i g i t s 11

L Is it a leap year? 1 (for yes)

n Month as 1 or 2 digits 2

m Month as 2 digits 02

F Month February

M Month as 3 letters Feb

j Day of the month

as 1 or 2 digits

d Day of the month

as 2 digits

l (lower-

case L)

Day of the week Monday

D Day of the week

as 3 letters

Mon

w Day of the week

as a single digit

0 (Sunday)

z Day of the year: 0

to 365

189

t Number of days in

the month

S English ordinal

suffix for a day,

as 2 characters

g Hour; 12-hour format

as 1 or 2 digits

G Hour; 24-hour format

as 1 or 2 digits

h Hour; 12-hour format

as 2 digits

H Hour; 24-hour format

as 2 digits

i Minutes 45

s Seconds 18

u Microseconds 1234

a am or pm am

A AM or PM PM

U Seconds since the

epoch

1048623008

e Timezone UTC

I (capital i) Is it daylight savings? 1 (for yes)

O Difference from GMT +0600

ptg6935296

Web Application Development 363

There are myriad formatting parameters

available (Table 11.4), and these can be used

in conjunction with literal text. For example,

echo date('F j, Y'); // January 26, 2011

echo date('H:i'); // 23:14

echo date('D'); // Sat

You can find the timestamp for a particular

date using the

mktime( )

function:

$stamp = mktime (hour, minute,

➝

second, month, day, year);

If called with no arguments,

mktime( )

returns the current timestamp, which is the

same as calling the

time( )

function.

Finally, the

getdate( )

function can be

used to return an array of values (Table 11.5)

for a date and time. For example,

$today = getdate( );

echo $today['month']; // October

This function also takes an optional

timestamp argument. If that argument is

not used,

getdate( )

returns information

for the current date and time.

These are just a handful of the many date

and time functions PHP has. For more, see

the PHP manual. To practice working with

these functions, let’s modify

images.php

(Script 11.4) in a couple of ways. First, the

script will show each image’s uploaded

date and time. Second, while a change is

being made to the layout, the script will

show each image’s file size, too A.

TABLE 11.5 The getdate( ) Array

Key Value Example

year year 2011

mon month 11

month month name November

mday day of the month 24

weekday day of the week Thursday

hours hours 11

minutes minutes 56

seconds seconds 47

A The revised

images.php

shows

two more pieces of

information about

each image.

ptg6935296

364 Chapter 11

To use the date and time functions :

1. Open

images.php

(Script 11.4) in your

text editor or IDE, if it is not already.

2. As the first line of code after the open-

ing PHP tag, establish the time zone

(Script 11.6):

date_default_timezone_set

➝

('A m e r i ca /N e w _Yo r k');

Before calling any of the date and time

functions, the time zone has to be

established. To find your time zone, see

www.php.net/timezones

3. Within the

foreach

loop, after getting

the image’s dimensions, calculate its

file size:

$file_size = round ( (filesize

➝

("$dir/$image")) / 1024) . "kb";

The

filesize( )

function was first used

in the

show_image.php

script. It returns

the size of a file in bytes. To calculate

the kilobytes of a file, divide this

number by 1,024 (there are that many

bytes in a kilobyte) and round it off.

4. On the next line, determine the image’s

modification date and time:

$image_date = date("F d, Y H:i:s",

➝

filemtime("$dir/$image"));

To find a file’s modification date and

time, call the

filemtime( )

function,

providing the function with the file, or

directory, to be examined. This function

returns a timestamp, which can then

be used as the second argument

to the

date( )

, which will format the

timestamp accordingly.

If you’re perplexed by what’s happening

here, you can break the code into two

steps:

$filemtime = filemtime

➝

("$dir/$image");

$image_date = date("F d, Y H:i:s ",

➝

$filemtime);

5. Change the echo statement so that it

also prints the file size and modification

date:

echo "<li><a href=\"javascript:

➝

create_window('$image_name',

➝

$image_size[0],$image_size[1])\">

➝

$image</a> $file_size

➝

($i m age _da te)</li>\n";

Both are printed outside of the

tag, so

they aren’t part of the links.

6. Save the file as

images.php

, place it in

your Web directory, and test it in your

Web browser.

The

date( )

function has some param-

eters that are used for informative purposes,

not formatting. For example,

date('L')

returns 1 or 0 indicating if it’s a leap year;

date('t')

returns the number of days in the

current month; and

date('I')

returns a 1 if

it’s currently daylight saving time.

PHP’s date functions reflect the time on

the server (because PHP runs on the server);

you’ll need to use JavaScript if you want to

determine the date and time on the user’s

computer.

In Chapter 16, you’ll learn how to use the

new

DateTime

class to work with dates and

times in PHP.

ptg6935296

Web Application Development 365

Script 11.6 This modified version of

images.php

(Script 11.4) uses PHP’s date and time functions in order to

report some information to the user.

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/

xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

5 <title>Images</title>

6 <script type="text/javascript" charset="utf-8" src="js/function.js"></script>

7 </head>

8 <body>

9 <p>Click on an image to view it in a separate window.</p>

10 <ul>

11 <?php # Script 11.6 - images.php

12 // This script lists the images in the uploads directory.

13 // This version now shows each image's file size and uploaded date and time.

15 // Set the default timezone:

16 date_default_timezone_set ('America/New_York');

18 $dir = '.. / u p l o a d s '; // Define the directory to view.

20 $files = scandir($dir); // Read all the images into an array.

22 // Display each image caption as a link to the JavaScript function:

23 foreach ($files as $image) {

25 if (substr($image, 0, 1) != '.') { // Ignore anything starting with a period.

27 // Get the image's size in pixels:

28 $image_size = getimagesize ("$dir/$image");

30 // Calculate the image's size in kilobytes:

31 $file_size = round ( (filesize ("$dir/$image")) / 1024) . "kb";

33 // Determine the image's upload date and time:

34 $image_date = date("F d, Y H:i:s", filemtime("$dir/$image"));

36 // Make the image's name URL-safe:

37 $image_name = urlencode($image);

39 // Print the information:

40 echo "<li><a href=\"javascript:create_window('$image_name',$image_size[0],

$image_size[1])\">$image</a> $file_size ($image_date)</li>\n";

42 } // End of the IF.

44 } // End of the foreach loop.

46 ?>

47 </ul>

48 </body>

49 </html>

ptg6935296

366 Chapter 11

Review and Pursue

If you have any problems with the

review questions or the pursue prompts,

turn to the book’s supporting forum

(

www.LarryUllman.com/forums/

Review

What function is used to send email?

What are the function’s arguments?

What does the server need in order to

send email?

Does it make a difference whether

used within single or double quotation

marks?

Can you easily know for certain if, or

when, a recipient received an email

sent by PHP?

What debugging steps can you take

if you aren’t receiving any email that

should be sent from a PHP script?

How do folder permissions come into

play for handling uploaded files?

What two directories are used in

handling file uploads?

What additional attribute must be made

to the opening

form

tag in order to

handle a file upload?

What is a MIME type?

In what ways are PHP and JavaScript

alike? How are they different?

What tag is used to add JavaScript to

an HTML page?

What does the

var

keyword mean in

JavaScript?

What is the concatenation operator in

JavaScript?

What does the PHP

header( )

function do?

What do

headers already sent

error

messages mean?

What is a

proxy script

? When might a

proxy script be necessary?

What does the

readfile( )

function do?

Pursue

Create a more custom contact form.

Have the PHP script also send a more

custom email, including any other data

requested by the form.

Search online using the keywords

php

email spam filters

to learn techniques

for improving the successful delivery

of PHP-sent email (i.e., to minimize the

chances of spam filters eating legiti-

mate emails).

Make a variation on

upload_image.php

that supports the uploading of differ-

ent file types. Create a corresponding

version of

show_image.php

. Note: You’ll

need to do some research on MIME

types to complete these challenges.

Check out the PHP manual page for the

glob( )

function.

A lot of information and new functions

were introduced in this chapter. Check

out the PHP manual for some of them to

learn more.

ptg6935296

The Hypertext Transfer Protocol (HTTP)

is a

stateless

technology, meaning that

each individual HTML page is an unrelated

entity. HTTP has no method for tracking

users or retaining variables as a person

traverses a site. Without the server being

able to track a user, there can be no shop-

ping carts or custom Web-site personaliza-

tion. Using a server-side technology like

PHP, you can overcome the statelessness

of the Web. The two best PHP tools for this

purpose are

and

sessions

The key difference between cookies and

sessions is that cookies store data in the

user’s Web browser and sessions store

data on the server itself. Sessions are

generally more secure than cookies and

can store much more information. As both

technologies are easy to use with PHP and

are worth knowing, this chapter covers

both cookies and sessions. The examples

for demonstrating this information will be

a login system, based upon the existing

sitename

database.

Cookies and

Sessions

In This Chapter

Making a Login Page 368

Making the Login Functions 371

Using Cookies 376

Using Sessions 388

Improving Session Security 396

Review and Pursue 400

ptg6935296

368 Chapter 12

Making a Login Page

A login process involves just a few

components A:

A form for submitting the login

information

A validation routine that confirms the

necessary information was submitted

A database query that compares the

submitted information against the

stored information

Cookies or sessions to store data that

reflects a successful login

Subsequent pages can then have checks

to confirm that the user is logged in (to limit

access to that page or add features). There is

also, of course, a logging-out process, which

involves clearing out the cookies or session

data that represent a logged-in status.

To start all this, let’s t ake some of these

common elements and place them into

separate files. Then, the pages that require

this functionality can include the necessary

files. Breaking up the logic this way will

make some of the following scripts easier

to read and write, plus cut down on their

redundancies. You’ll define two includable

files. This first script will contain the bulk

of a login page, including the header, the

error reporting, the form, and the footer B.

A The login process.

B The login

form and page.

ptg6935296

Cookies and Sessions 369

To make a login page:

1. Begin a new PHP page in your

text editor or IDE, to be named

login_page.inc.php

(Script 12.1):

<?php # Script 12.1 -

➝

login_page.inc.php

2. Include the header:

$page_title = 'Login';

include ('includes/header.html');

This chapter will make use of the

same template system first created

in Chapter 3, “Creating Dynamic Web

Sites,” then modified in Chapter 9,

“Using PHP with MySQL.”

3. Print any error messages, if they exist:

if (isset($errors) &&

➝

!empty($errors)) {

echo '<h1>Error!</h1>

<p class="error">The following

➝

error(s) occurred:<br />';

foreach ($errors as $msg) {

echo " - $msg<br />\n";

}

echo '</p><p>Please try

➝

again.</p>';

}

continues on next page

Script 12.1 The

login_page.inc.php

script creates

the complete login page, including the form, and

reports any errors. It will be included by other

pages that need to show the login page.

1 <?php # Script 12.1 - login_page.inc.php

2 // This page prints any errors

associated with logging in

3 // and it creates the entire login page,

including the form.

5 // Include the header:

6 $page_title = 'Login';

7 include ('inclu des/header.html');

9 // Print any error messages, if they exist:

10 if (isset($errors) && !empty($errors)) {

11 echo '< h 1 > E r r o r !< / h 1 >

12 <p class="error">The following

error(s) occurred:<br />';

13 foreach ($ er rors as $msg) {

14 echo " - $msg<br />\n";

15 }

16 echo '< / p > < p > P l e a s e try again.</p>';

17 }

19 // Display the form:

20 ?><h1>Login</h1>

21 <form action="login.php" method="post">

22 <p>Email Address: <input type="text"

name="email" size="20" maxlength="60" />

</p>

23 <p>Password: <input type="password"

name="pass" size="20" maxlength="20" />

</p>

24 <p><input type="submit" name="submit"

value="Login" /></p>

25 </form>

27 <?php include ('in cludes/fo oter.html');

ptg6935296

370 Chapter 12

This code was also developed back

in Chapter 9, although an additional

isset( )

clause has been added as an

extra precaution. If any errors exist (in

the

$errors

array variable), they’ll be

printed as an unordered list C.

4. Display the form:

?><h1>Login</h1>

<form action="login.php"

➝

method="post">

<p>Email Address: <input type=

➝

"text" name="email" size="20"

➝

maxlength="60" /> </p>

<p>Password: <input type=

➝

"password" name="pass" size=

➝

"20" maxlength="20" /></p>

<p><input type="submit" name=

➝

"submit" value="Login" /></p>

</form>

The HTML form only needs two text

inputs: one for an email address and a

second for the password. The names

of the inputs match those in the

users

table of the

sitename

database (which

this login system is based upon).

C As with other scripts in this book, form errors

are displayed above the form itself.

To make it easie r to create the HTML

form, the PHP section is closed first.

The form is not sticky, but you could

easily add code to accomplish that.

5. Complete the page:

<?php include ('includes/

➝

footer.html'); ?>

6. Save the file as

login_page.inc.php

and place it in your Web directory (in

the

includes

folder, along with the files

from Chapter 3 and Chapter 9:

header.

html

footer.html

, and

style.css

The page will use a

.inc.php

extension

to indicate both that it’s an includable

file and that it contains PHP code.

It may seem illogical that this script

includes the header and footer file from within

the

includes

directory when this script will

also be within that same directory. This code

works because this script will be included

by pages within the main directory; thus the

include references are with respect to the

parent file, not this one.

ptg6935296

Cookies and Sessions 371

If you don’t call

exit( )

, the current

script will continue to run (just not in

the Web browser).

The location value in the

header( )

call

should be an absolute URL (

www.example.

com/page.php

instead of just

page.php

You can hard-code this value into every

header( )

call or, better yet, have PHP

dynamically determine it. The first function

in this next script will do just that, and then

redirect the user to that absolute URL.

The other bit of code that will be used by

multiple scripts in this chapter validates the

1. Confirm that an email address was

provided.

2. Confirm that a password was provided.

3. Confirm that the provided email

address and password match those

stored in the database (during the

registration process).

This next script will define two different

functions. The details of how each function

works will be explained in the steps

that follow.

Making the Login

Functions

Along with the login page that was stored

login_page.inc.php

, there’s a little

bit of functionality that will be common to

several scripts in this chapter. In this next

script, also to be included by other pages

in the login/logout system, two functions

will be defined.

First, many pages will end up redirecting

the user from one page to another. For

example, upon successfully logging in, the

user will be taken to

loggedin.php

. If a user

accesses

loggedin.php

and they aren’t

logged in, they should be taken to

index.

php

. Redirection uses the

header( )

function,

introduced in Chapter 11, “Web Application

Development.” The syntax for redirection is

header ('Location: http://www.

➝

example.com/page.php');

Because this function will send the browser

page.php

, the current script should be

terminated using

exit( )

immediately

after this:

header ('Location: http://www.

➝

example.com/page.php');

exit( );

ptg6935296

372 Chapter 12

To create the login functions:

1. Begin a new PHP document in your

text editor or IDE, to be named

login_functions.inc.php

(Script 12.2):

<?php # Script 12.2 -

➝

login_functions.inc.php

As this file will be included by other files,

it does not need to contain any HTML.

2. Begin defining a new function:

function redirect_user ($page =

➝

'index.php') {

The

redirect_user( )

function will

create an absolute URL that’s correct

for the site running these scripts, and

then redirect the user to that page. The

benefit of doing this dynamically (as

opposed to just hard-coding

http://

www.example.com/page.php

) is that you

can develop your code on one server

(like your own computer) and then

move it to another server without ever

needing to change this code.

The function takes one optional

argument: the final destination page

name. The default value is

index.php

3. Start defining the URL:

$url = 'http://' . $_SERVER

➝

['H TTP_ H O ST'] . d i r n a m e($_ SE R V E R

➝

['P H P_ SE LF']);

To start,

$url

is assigned the value

http://

plus the host name (which

could be either

localhost

www.

example.com

). To this is added the

name of the current directory using

the

dirname( )

function, in case the

redirection is taking place within a

subfolder.

$_SERVER['PHP_SELF']

refers

to the current script (which will be the

one calling this function), including the

Script 12.2 The

login_functions.inc.php

script

defines two functions that will be used by different

scripts in the login/logout process.

1 <?php # Script 12.2 - login_functions.

inc.php

2 // This page defines two functions used

by the login/logout process.

4 /* This function determines an absolute

URL and redirects the user there.

5 * The function takes one argument: the

page to be redirected to.

6 * The argument defaults to index.php.

7 */

8 function redirect_user ($page = 'index.

php') {

10 // Start defining the URL...

11 // URL is http:// plus the host name

plus the current directory:

12 $url = 'http://' . $_SERVER['HTTP_

HOST'] . dirname($_SERVER['PHP_SELF']);

14 // Remove any trailing slashes:

15 $url = rtrim($url, '/ \\');

17 // Add the page:

18 $url .= '/' . $page;

20 // Redirect the user:

21 header("Location: $url");

22 exit( ); // Quit the script.

24 } // End of redirect_user( ) function.

27 /* This function validates the form data

(the email address and password).

28 * If both are present, the database is

queried.

29 * The function requires a database

connection.

30 * The function returns an array of

information, including:

31 * - a TRUE/FALSE variable indicating

success

32 * - an array of either errors or the

database result

33 */

34 function check_login($dbc, $email = '',

$pass = '') {

36 $errors = array( ); // Initialize

error array.

code continues on next page

ptg6935296

Cookies and Sessions 373

directory name. That whole value might

/somedir/page.php

. The

dirname( )

function will return just the directory

part from that value (i.e.,

/somedir/

4. Remove any ending slashes from

the URL:

$url = rtrim($url, '/\\');

Because the existence of a subfolder

might add an extra slash (

) or

backslash (

, for Windows), the function

needs to remove that. To do so, apply

the

rtrim( )

function. By default, this

function removes spaces from the

right side of a string. If provided with

a list of characters to remove as the

second argument, it’ll chop those off

instead. The characters to be removed

are

and

. But since the backslash

is the escape character in PHP, you

need to use

to refer to a single

backslash. With this one line of code,

$url

concludes with either of these

characters, the

rtrim( )

function will

remove them.

5. Append the specific page to the URL:

$url .= '/' . $page;

Next, the specific page name is

concatenated to the

$url

. It’s preceded

by a slash because any trailing slashes

were removed in Step 4 and you can’t

have

www.example.compage.php

the URL.

This may all seem to be quite

complicated, but it’s a very effective

way to ensure that the redirection

works no matter on what server, or

from what directory, the script is being

run (as long as the redirection is taking

place within that directory).

continues on next page

Script 12.2 continued

38 // Validate the email address:

39 if (e mpty($e mail)) {

40 $errors[ ] = 'You forgot to enter

your email address.';

41 } else {

42 $e = mysqli_real_escape_

string($dbc, trim($email));

43 }

45 // Validate the password:

46 if (em pty($pass)) {

47 $errors[ ] = 'You forgot to enter

your password.';

48 } else {

49 $p = mysqli_real_escape_

string($dbc, trim($pass));

50 }

52 if (em pty($errors)) { // If

everything's OK.

54 // Retrieve the user_id and

first_name for that email/password

combination:

55 $q = "SELECT user_id, first_name

FROM users WHERE email='$e' AND

pass=SHA1('$p')";

56 $r = @mysqli_query ($d bc, $q);

// Run the query.

58 // Check the result:

59 if (mysqli_num_rows($r) = = 1) {

61 // Fetch the record:

62 $row = mysqli_fetch_array ($r,

MYSQLI_ASSOC);

64 // Return true and the record:

65 return array(true, $row);

67 } else { // Not a match!

68 $errors[ ] = 'The email address

and password entered do not

match those on file.';

69 }

71 } // End of empty($errors) IF.

73 // Return false and the errors:

74 return array(false, $errors);

76 } // End of check_login( ) function.

ptg6935296

374 Chapter 12

6. Redirect the user and complete

the function:

header("Location: $url");

exit( ); // Q uit th e sc r ip t.

} // End of redirect_user( )

➝

function.

The final steps are to send a

Location

header and terminate the execution of

the script.

7. Begin a new function:

function check_login($dbc,

➝

$email = '', $pass = '') {

This function will validate the login

information. It takes three arguments:

the database connection, which is

required; the email address, which is

optional; and the password, which is

also optional.

Although this function could access

$_ POST['e m a il']

and

$_POST['pass']

directly, it’s better if the function is

passed these values, making the

function more independent.

8. Validate the email address and password:

$errors = array( );

if (empty($email)) {

$errors[ ] = 'You forgot to

➝

enter your email address.';

} else {

$e = mysqli_real_escape_string

➝

($d b c, tri m($e m ai l));

}

if (empty($pass)) {

$errors[ ] = 'You forgot to

➝

enter your password.';

} else {

$p = mysqli_real_escape_string

➝

($d b c, tri m($pass));

}

This validation routine is similar to that

used in the registration page. If any

problems occur, they’ll be added to the

$errors

array, which will eventually be

used on the login page (see C under

“Making a Login Page”). Note that this

$errors

array is

local

to the function.

Even though it has the same name, this

is not the same

$errors

variable that

is used in the login page. Code later

in the function will return this

$errors

variable’s value, and code in the scripts

that call this function will then assign

this returned value to the proper, global

$errors

array, usable on the login page.

9. If no errors occurred, run the database

query:

if (empty($errors)) {

$q = "SELECT user_id, first_name

➝

FROM users WHERE email='$e'

➝

AND pass=SHA1('$p')";

$r = @mysqli_query ($dbc, $q);

The query selects the

user_id

and

first_

name

values from the database where

the submitted email address (from

the form) matches the stored email

address and the

SHA1( )

version of

the submitted password matches the

stored password A.

A The results of the login query, shown in the

mysql client, if the user submitted the proper email

address/password combination.

ptg6935296

Cookies and Sessions 375

12. Complete the conditional begun in

Step 9 and complete the function:

} // End of empty($errors) IF.

return array(false, $errors);

} // End of check_login( ) function.

The final step is for the function to return

a value of

false

, indicating that login

failed, and to return the

$errors

array,

which stores the reason(s) for failure.

This

return

statement can be placed

here—at the end of the function instead

of within a conditional—because the

function will only get to this point if the

return

line in Step 10 will stop the func-

tion from continuing (a function stops as

soon as it executes a

return

13. Save the file as

login_functions.

inc.php

and place it in your Web

directory (in the

includes

folder, along

with

header.html

footer.html

, and

style.css

This page will also use a

.inc.php

exten-

sion to indicate both that it’s an includ-

able file and that it contains PHP code.

As with some other includable files

created in this book (although not

login_page.inc.php

), the closing PHP

tag—

—is omitted. Doing so prevents

potential complications that can arise

should an includable file have an errant

blank space or line after the closing tag.

The scripts in this chapter include no

debugging code (like the MySQL error or

query). If you have problems with these scripts,

apply the debugging techniques outlined in

Chapter 8, “Error Handling and Debugging.”

Yo u ca n a dd name=value pairs to the

URL in a

header( )

call to pass values to the

target page:

$url .= '?name=' . u rle n co d e(value);

10. Check the results of the query:

if (mysqli_num_rows($r) = = 1) {

$row = mysqli_fetch_array ($r,

➝

MYSQLI_ASSOC);

return array(true, $row);

If the query returned one row, then

the login information was correct. The

results are then fetched into

$row

. The

final step in a successful login is to

return two pieces of information back to

the requesting script: the Boolean

true

indicating that the login was a success;

and the data fetched from MySQL.

Using the

array( )

function, both the

Boolean value and the

$row

array can

be returned by this function.

11. If no record was selected by the query,

create an error:

} else { // Not a match!

$errors[ ] = 'The email address

➝

and password entered do not

➝

match those on file.';

}

If the query did not return one row, then

an error message is added to the array.

It will end up being displayed on the

B If the user entered an email address and

password, but they don’t match the values stored in

the database, this is the result in the Web browser.

ptg6935296

376 Chapter 12

Using Cookies

Cookies are a way for a server to store

information on the user’s machine. This is

one way that a site can remember or track

a user over the course of a visit. Think of

a cookie as being like a name tag: you tell

A How cookies are

sent back and forth

between the server

and the client.

the server your name and it gives you a

sticker to wear. Then it can know who you

are by referring back to that name tag A.

In this section, you will learn how to set a

cookie, retrieve information from a stored

cookie, alter a cookie’s settings, and then

delete a cookie.

Testing for Cookies

To effectively program using cookies, you need to be able to accurately test for their presence.

The best way to do so is to have your Web browser ask what to do when receiving a cookie. In

such a case, the browser will prompt you with the cookie information each time PHP attempts

to send a cookie.

Different versions of different browsers on different platforms all define their cookie-handling

policies in different places. I’ll quickly run through a couple of options for popular Web browsers.

To set this up using Internet Explorer on Windows, choose Tools > Internet Options. Then click the

Privacy tab, followed by the Advanced button under Settings. Click “Override automatic cookie

handling” and then choose “Prompt” for First-party Cookies.

Using Firefox, you’ll want to select “ask me every time” in the “Keep until” drop-down menu. To get

to that point on Windows, choose Tools > Options > Privacy. If you are using Firefox on Mac OS X,

start by choosing Firefox > Preferences. Then, on the Privacy tab, select “Use custom settings for

history” and you’ll see the “Keep until” selector.

Unfortunately, Safari and Google Chrome do not have options to prompt you when cookies are

sent (not so far as I can see, that is, without installing extensions or plug-ins). Both do allow you

to view existing cookies, which is still a useful debugging tool.

ptg6935296

Cookies and Sessions 377

Cookies are sent via the

setcookie( )

function:

setcookie (name, value);

setcookie ('name', 'Nicole');

The second line of code will send a cookie

to the browser with a name of

name

and a

value of

Nicole

You can continue to send more cookies to

the browser with subsequent uses of the

setcookie( )

function:

setcookie ('ID', 263);

setcookie ('email', 'email@example.com');

As for the cookies name, it’s best not to

use white spaces or punctuation, and pay

attention to the exact case used.

Setting cookies

The most important thing to understand

about cookies is that they must be sent

from the server to the client prior to

any

other information

. Should the server

attempt to send a cookie after the Web

browser has already received HTML—even

an extraneous white space—an error

message will result and the cookie will not

be sent B. This is by far the most common

cookie-related error but is easily fixed. If

you see such a message:

1. Note the script and line number follow-

ing

output started at

2. Open that script and head to that line

number.

3. Remove the blank space, line, text,

HTML, or whatever that is outputted

by that line.

B The

headers already sent…

error message is all too common when creating cookies.

Pay attention to what the error message says in order to find and fix the problem.

C If the browser is set to

ask for permission when

receiving cookies, you’ll see

a message like this when a

site attempts to send one

(this is Firefox’s version of

the prompt).

ptg6935296

378 Chapter 12

To send a cookie:

1. Begin a new PHP document in your text

editor or IDE, to be named

(Script 12.3):

<?php # Script 12.3 - login.p hp

For this example, let’s make a

php

script that works in conjunction with

the scripts from Chapter 9. This script

will also require the two files created at

the beginning of the chapter.

2. If the form has been submitted, include

the two helper files:

if ($_SERVER['REQUEST_METHOD'] = =

➝

'POST') {

require ('includes/

➝

login_functions.inc.php');

require ('../mysqli_connect.php');

This script will do two things: handle the

form submission and display the form.

This conditional checks for

the submission.

Within the conditional, the script must

include both

login_functions.inc.

php

and

mysqli_connect.php

(which

was created in Chapter 9 and should

still be in the same location relative to

this script; change your code here if

your

mysqli_connect.php

is not in the

parent directory of the current directory).

I’ve chosen to use

require( )

in both

cases, instead of

include( )

, because a

failure to include either of these scripts

makes the login process impossible.

Script 12.3 Upon a successful login, the

script creates two cookies and redirects the user.

1 <?php # Script 12.3 - login.php

2 // This page processes the login form

submission.

3 // Upon successful login, the user is

redirected.

4 // Two included files are necessary.

5 // Send NOTHING to the Web browser prior

to the setcookie( ) lines!

7 // Check if the form has been submitted:

8 if ($_SERVER['REQUEST_METHOD'] = = 'POST') {

10 // For processing the login:

11 require ('includes/login_func tio ns.

inc.php');

13 // Need the database connection:

14 require ('../mysqli_co nn ec t.php');

16 // Check the login:

17 list ($ch eck, $data) = check_login($dbc,

$_POST['e mail'], $_POST['pass']);

19 if ($che ck) { // OK!

21 // Set the cookies:

22 setcookie ('user_id',

$data['user_id']);

23 setcookie ('first_name',

$data['first_name']);

25 // Redirect:

26 redirect_user('loggedin.php');

28 } else { // Unsuccessful!

30 // Assign $data to $errors for

error reporting

31 // in the login_page.inc.php file.

32 $errors = $data;

34 }

36 mysqli_close($dbc); // Close the

database connection.

38 } // End of the main submit conditional.

40 // Create the page:

41 include ('i nc lu de s/l og in _ pa ge.i nc.p h p');

42 ?>

ptg6935296

Cookies and Sessions 379

not going to be a problem as the

user_

value isn’t actually used anywhere in

the site (it’s being stored in the cookie

for demonstration purposes).

5. Redirect the user to another page:

redirect_user('loggedin.php');

Using the function defined earlier in the

chapter, the user will be redirected to

another script upon a successful login.

The specific page to be redirected to is

loggedin.php

6. Complete the

$check

conditional

(started in Step 4) and then close

the database connection:

} else {

$errors = $data;

}

mysqli_close($dbc);

$check

has a FALSE value, then the

$data

variable is storing the errors

generated within the

check_login( )

function. If so, the errors should be

assigned to the

$errors

variable,

because that’s what the code in the

script that displays the login page—

login_page.inc.php

—is expecting.

7. Complete the main submit conditional

and include the login page:

}

include ('includes/

➝

login_page.inc.php');

This

script itself primarily

performs validation, by calling the

check_login( )

function, and handles

the cookies and redirection. The

login_

page.inc.php

file contains the login page

itself, so it just needs to be included.

continues on next page

3. Validate the form data:

list ($check, $data) = check_login

➝

($d b c, $_POST['e m ai l'],

➝

$_POST['pass']);

After including both files, the

check_

function can be called. It’s

passed the database connection (which

comes from

mysqli_connect.php

), along

with the email address and the password

(both of which come from the form). As

an added precaution, the script could

confirm that both variables are set and

not empty prior to invoking the function.

This function returns an array of two

elements: a Boolean value and an array

(of user data or errors). To assign those

returned values to variables, apply the

list( )

function. The first value returned

by the function (the Boolean) will be

assigned to

$check

. The second value

returned (either the

$row

$errors

array) will be assigned to

$data

4. If the user entered the correct informa-

tion, log them in:

if ($check) { // OK!

setcookie ('user_id',

➝

$data['user_id']);

setcookie ('first_name',

➝

$data['first_name']);

The

$check

variable indicates the

success of the login attempt. If it has a

TRUE value, then

$data

contains the

user’s ID and first name. These two

values can be used in cookies.

Generally speaking, you should never

store a database table’s primary key

value, such as

$data['user_id']

, in

a cookie, because cookies can be

manipulated easily. In this situation, it’s

ptg6935296

380 Chapter 12

8. Save the file as

, place it in

your Web directory (in the same folder

as the files from Chapter 9), and load

this page in your Web browser (see B

under “Making a Login Page”).

If you want, you can submit the form

erroneously, but you cannot correctly

loggedin.php

—hasn’t been written.

Cookies are limited to about 4 KB of total

data, and each Web browser can remember a

limited number of cookies from any one site.

This limit is 50 cookies for most of the current

Web browsers (but if you’re sending out 50

different cookies, you may want to rethink

how you do things).

The

setcookie( )

function is one of the

few functions in PHP that could have differ-

ent results in different browsers, since each

browser treats cookies in its own way. Be sure

to test your Web sites in multiple browsers on

different platforms to ensure consistency.

If the first two included files send any-

thing to the Web browser or even have blank

lines or spaces after the closing PHP tag, you’ll

see a headers already sent error. This is why

neither includes the terminating PHP tag.

Accessing cookies

To retrieve a value from a cookie, you on ly

need to refer to the

$_COOKIE

superglobal,

using the appropriate cookie name as

the key (as you would with any array).

For example, to retrieve the value of the

cookie established with the line

setcookie ('username', 'Trout');

you would refer to

$_CO OKIE['us er na m e']

In the following example, the cookies set

by the

script will be accessed

in two ways. First, a check will be made

that the user is logged in (otherwise, they

shouldn’t be accessing this page). Second,

the user will be greeted by their first name,

which was stored in a cookie.

To access a cookie:

1. Begin a new PHP document in your text

editor or IDE, to be named

loggedin.php

(Script 12.4):

<?php # Script 12.4 - l oggedin.php

The user will be redirected to this page

after successfully logging in. The script

will greet the user by first name, using

the cookie.

2. Check for the presence of a cookie.

if (!isset($_COOKIE['user_id'])) {

Since a user shouldn’t be able to

access this page unless they are logged

in, check for a cookie that should have

been set (in

3. Redirect the user if they are not

logged in:

require ('includes/

➝

login_functions.inc.php');

redirect_user( );

}

If the user is not logged in, they will

be automatically redirected to the

main page. This is a simple way to

limit access to content.

4. Include the page header:

$page_title = 'Logged In!';

include ('includes/header.html');

ptg6935296

Cookies and Sessions 381

5. Welcome the user, referencing

the cookie:

echo "<h1>Logged In!</h1>

<p>You are now logged in,

➝

{$_COOKIE['first_name']}!</p>

<p><a href=\"logout.php\">Logout

➝

</a></p>";

To greet the user b y name, refer to

the

$_CO OKIE['f i rs t_ n a m e']

variable

(enclosed within curly braces to avoid

parse errors). A link to the logout page

(to be written later in the chapter) is

also printed.

6. Complete the HTML page:

include ('includes/footer.html');

7. Save the file as

loggedin.php

, place

it in your Web directory (in the same

folder as

), and test it in your

Web browser by logging in through

Since these examples use the same

database as those in Chapter 9, you

should be able to log in using the

registered username and password

submitted at that time.

continues on next page

Script 12.4 The

loggedin.php

script prints a

greeting to a user thanks to a stored cookie.

1 <?php # Script 12.4 - loggedin.php

2 // The user is redirected here from

4 // If no cookie is present, redirect the

user:

5 if (!isset($_COOKIE['user_id'])) {

7 // Need the functions:

8 require ('inclu des/login_fu nctions.

inc.php');

9 redirect_user( );

11 }

13 // Set the page title and include the

HTML header:

14 $page_title = 'Logged In!';

15 include ('includes/heade r.ht ml');

17 // Print a customized message:

18 echo "< h1 >L o g g e d In!</h1>

19 <p>You are now logged in, {$_COOKIE

['f i r s t _ n a m e']}!< /p >

20 <p><a href=\"logout.php\">Logout</a></p>";

22 include ('includes/f oote r.ht ml');

23 ?>

D If you used the correct email address and password, you’ll see this

page after logging in.

ptg6935296

382 Chapter 12

8. To see the cookies being set E and F,

change the cookie settings for your

browser and test again.

Some browsers (e.g., Internet Explorer)

will not adhere to your cookie-prompting

preferences for cookies sent over localhost.

A cookie is not accessible until the set-

ting page (e.g.,

) has been reloaded

or another page has been accessed (in other

words, you cannot set and access a cookie in

the same page).

If users decline a cookie or have their

Web browser set not to accept them, they

will automatically be redirected to the home

page in this example, even if they successfully

logged in. For this reason, you may want to let

the user know that cookies are required.

Setting cookie parameters

Although passing just the name and value

arguments to the

setcookie( )

function will

suffice, you ought to be aware of the other

arguments available. The function can take

up to five more parameters, each of which

will alter the definition of the cookie.

setcookie (name, value, expiration,

➝

path, host, secure, httponly);

The expiration argument is used to set a

definitive length of time for a cookie to

exist, specified in seconds since the

epoch

E The

user_id

cookie with a value of 1. F The

first_name

cookie with a value of

Larry

(yours will probably be different).

(the epoch is midnight on January 1, 1970).

If it is not set or if it’s set to a value of 0, the

cookie will continue to be functional until

the user closes their browser. These cook-

ies are said to last for the browser session

(also indicated in E and F).

To set a specific e xpiration time, add a

number of minutes or hours to the current

moment, retrieved using the

time( )

function. The following line will set the

expiration time of the cookie to be 30

minutes (60 seconds times 30 minutes)

from the current moment:

setcookie (name, value, time( )+1800);

The path and host arguments are used to

limit a cookie to a specific folder within a

Web site (the path) or to a specific host (

www.

example.com

192.168.0.1

). For example,

you could restrict a cookie to exist only while

a user is within the

admin

folder of a domain

(and the

admin

folder’s subfolders):

setcookie (name, value, expire,

➝

'/ a d m i n / ');

Setting the path to

will make the cookie

visible within an entire domain (Web site).

Setting the domain to

.example.com

will

make the cookie visible within an entire

domain and every subdomain (

www.

example.com

admin.example.com

➝

pages.example.com

, etc.).

ptg6935296

Cookies and Sessions 383

The secure value dictates that a cookie

should only be sent over a secure HTTPS

connection. A 1 indicates that a secure

connection must be used, and a 0 says

that a standard connection is fine.

setcookie (name, value, expire,

➝

path, host, 1);

If your site is using a secure connection,

you ought to restrict any cookies to HTTPS

as well.

Finally, added in PHP 5.2 is the

httponly

argument. A Boolean value is used to make

the cookie only accessible through HTTP

(and HTTPS). Enforcing this restriction will

make the cookie more secure (preventing

some hack attempts) but is not supported

by all browsers at the time of this writing.

setcookie (name, value, expire,

➝

path, host, secure, TRUE);

As with all functions that take arguments,

you must pass the

setcookie( )

values in

order. To skip any parameter, use

NULL

, 0,

or an empty string (don’t use

FALSE

). The

expiration and secure values are both

integers and are therefore not quoted.

To demonstrate this information, l et’s a dd

an expiration setting to the login cookies

so that they last for only one hour.

To set a cookie’s parameters:

1. Open

in your text editor

(refer to Script 12.3), if it is not already.

2. Change the two

setcookie( )

lines to

include an expiration date that’s 60

minutes away (Script 12.5):

setcookie ('user_id', $data['user_

➝

id'], time( )+3600, '/', '', 0, 0);

setcookie ('first_name',

➝

$data['first_name'],

➝

time( )+3600, '/', '', 0, 0);

continues on next page

Script 12.5 The

script now uses every

argument the

setcookie( )

function can take.

1 <?php # Script 12.5 - login.php #2

2 // This page processes the login form

submission.

3 // The script now adds extra parameters

to the setcookie( ) lines.

5 // Check if the form has been submitted:

6 if ($_SERVER['REQUEST_METHOD'] = = 'POST') {

8 // Need two helper files:

9 require ('inclu des/login_fu nctions.

inc.php');

10 require ('../m ysqli_connect.p hp');

12 // Check the login:

13 list ($check, $data) = check_login

($dbc, $_POST['em ail'], $_POST['pass']);

15 if ($che ck) { // OK!

17 // Set the cookies:

18 setcookie ('user_id', $data

['u se r _ i d'], t i m e( )+3600,

'/', '', 0, 0);

19 setcookie ('first_name', $data

['f i r s t _ n a m e'], t i m e( )+3600,

'/', '', 0, 0);

21 // Redirect:

22 redirect_user('loggedin.php');

24 } else { // Unsuccessful!

26 // Assign $data to $errors for

login_page.inc.php:

27 $errors = $data;

29 }

31 mysqli_close($dbc); // Close the

database connection.

33 } // End of the main submit conditional.

35 // Create the page:

36 include ('i nc lu d es/lo gin _ pa ge.in c.p h p');

37 ?>

ptg6935296

384 Chapter 12

With the expiration date set to

time( )

+ 3600

(60 minutes times 60 seconds),

the cookie will continue to exist for

an hour after it is set. While making

this change, every other parameter is

explicitly addressed.

For the final parameter, which accepts

a Boolean value, you can also use 0 to

represent FALSE (PHP will handle the

conversion for you). Doing so is a good

idea, as using

false

in any of the cookie

arguments can cause problems.

3. Save the script, place it in your Web

directory, and test it in your Web

browser by logging in G.

Some browsers have difficulties with

cookies that do not list every argument.

Explicitly stating every parameter—even as

an empty string—will achieve more reliable

results across all browsers.

Here are some general guidelines for

cookie expirations: If the cookie should last

as long as the user’s session, do not set an

expiration time; if the cookie should con-

tinue to exist after the user has closed and

reopened his or her browser, set an expiration

time weeks or months ahead; and if the cookie

can constitute a security risk, set an expira-

tion time of an hour or fraction thereof so that

the cookie does not continue to exist too long

after a user has left his or her browser.

For security purposes, you could set a

5- or 10-minute expiration time on a cookie and

have the cookie resent with every new page

the user visits (assuming that the cookie exists).

This way, the cookie will continue to persist as

long as the user is active but will automatically

die 5 or 10 minutes after the user’s last action.

E-commerce and other privacy-related

Web applications should use an SSL (Secure

Sockets Layer) connection for all transactions,

including the cookie.

Be careful with cookies created by scripts

within a directory. If the path isn’t specified,

then that cookie will only be available to other

scripts within that same directory.

G Changes to the

setcookie( )

parameters, like

an expiration date and time, will be reflected in the

cookie sent to the Web browser (compare with F).

Deleting cookies

The final thing to understand about using

cookies is how to delete one. While a

cookie will automatically expire when

the user’s browser is closed or when

the expiration date/time is met, often

you’ll want to manually delete the cookie

instead. For example, in Web sites that

have login capabilities, you will want to

delete any cookies when the user logs out.

Although the

setcookie( )

function can

take up to seven arguments, only one

is actually required—the cookie name. If

you send a cookie that consists of a name

without a value, it will have the same effect

as deleting the existing cookie of the same

name. For example, to create the cookie

first_name

, you use this line:

setcookie('first_name', 'Tyler');

To delete the

first_name

cookie, you

would code:

setcookie('first_name');

As an added precaution, you can also set

an expiration date that’s in the past:

setcookie('first_name', '',

➝

time( )-3600);

To demonstrate all of this, let’s add a

logout capability to the site. The link to

the logout page appears on

loggedin.php

ptg6935296

Cookies and Sessions 385

As with

loggedin.php

, if the user is

not already logged in, this page should

redirect the user to the home page.

There’s no point in trying to log out a

user who isn’t logged in!

3. Delete the cookies, if they exist:

} else {

setcookie ('user_id', '',

➝

time( )-3600, '/', '', 0, 0);

setcookie ('first_name', '',

➝

time( )-3600, '/', '', 0, 0);

}

If the user is logged in, these two

cookies will effectively delete the

existing ones. Except for the value and

the expiration, the other arguments

should have the same values as they

do when the cookies were created.

4. Make the remainder of the PHP page:

$page_title = 'Logged Out!';

include ('includes/header.html');

echo "<h1>Logged Out!</h1>

<p>You are now logged out,

➝

{$_COOKIE['first_name']}!</p>";

include ('includes/footer.html');

The page itself is also much like the

loggedin.php

page. Although it may

seem odd that you can still refer to

the

first_name

cookie (that was just

deleted in this script), it makes perfect

sense considering the process:

A. This page is requested by the client.

B. The server reads the available

cookies from the client’s browser.

C. The page is run and does its thing

(including sending new cookies that

delete the existing ones).

continues on next page

Script 12.6 The

logout.php

script deletes the

previously established cookies.

1 <?php # Script 12.6 - logout.php

2 // This page lets the user logout.

4 // If no cookie is present, redirect the

user:

5 if (!iss et($_CO OKIE['u se r_i d'])) {

7 // Need the function:

8 require ('inclu des/login_fu nctions.

inc.php');

9 redirect_user( );

11 } else { // Delete the cookies:

12 setcookie ('user_id', '', time( )-3600,

'/', '', 0, 0);

13 setcookie ('first_name', '',

time( )-3600, '/', '', 0, 0);

14 }

16 // Set the page title and include the

HTML header:

17 $page_title = 'Lo gge d Out!';

18 include ('includ es/head er.html');

20 // Print a customized message:

21 echo "< h1>L o g g e d Out!</h1>

22 <p>You are now logged out, {$_CO OKIE

['first_name']}!</p>";

24 include ('includ es/f oo ter.html');

25 ?>

As an added feature, the header file will

be altered so that a

Logout

link appears

when the user is logged in and a

link appears when the user is logged out.

To delete a cookie:

1. Begin a new PHP document in your text

editor or IDE, to be named

logout.php

(Script 12.6):

<?php # Script 12.6 - logout.php

2. Check for the existence of a

user_id

cookie; if it is not present, redirect the user:

if (!isset($_COOKIE['user_id'])) {

require ('includes/

➝

login_functions.inc.php');

redirect_user( );

ptg6935296

386 Chapter 12

Thus, in short, the original

first_name

cookie data is available to this script

when it first runs. The set of cookies

sent by this page (the delete cookies)

aren’t available to this page, so the

original values are still usable.

5. Save the file as

logout.php

and place

it in your Web directory (in the same

folder as

To create the logout link:

1. Open

header.html

(refer to Script 9.1) in

your text editor or IDE.

2. Change the fifth and final link to

(Script 12.7):

<li><?php

if ( (isset($_COOKIE['user_id']))

➝

&& (basename($_SERVER['PHP_SELF'])

➝

!= 'logout.php') ) {

echo '<a href="logout.php">

➝

Logout</a>';

} else {

echo '<a href="login.php">

➝

}

?></li>

Instead of having a permanent login link

in the navigation area, it should display a

link if the user is not logged in H or

Logout

link if the user is I. The preced-

ing conditional will accomplish just that,

depending upon the presence of a cookie.

For that condition, if the cookie is set,

the user is logged in and can be shown

the logout link. If the cookie is not set,

the user should be shown the login link.

There is one catch, however: Because the

logout.php

script would ordinarily display

a logout link (because the cookie exists

when the page is first being viewed), the

conditional has to also check that the

current page is not the

logout.php

script.

An easy way to dynamically determine the

Script 12.7 The

header.html

file now displays

either a

or a

Logout

link, depending upon

the user’s current status.

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML

1.0 Strict//EN" "http://www.w3.org/TR/

xhtml1/DTD/xhtml1-strict.dtd">

2 <html xmlns="http://www.w3.org/1999/

xhtml">

3 <head">

4 <title><?php echo $page_title; ?>

</title>

5 <link rel="stylesheet" href="includes/

style.css" type="text/css"

media="screen" />

6 <meta http-equiv="content-type"

content="text/html; charset=utf-8" />

7 </head>

8 <body>

9 <div id="header">

10 <h1>Your Website</h1>

11 <h2>catchy slogan...</h2>

12 </div>

13 <div id="navigation">

14 <ul>

15 <li><a href="index.php">Home

Page</a></li>

16 <li><a href="register.

php">Register</a></li>

17 <li><a href="view_users.

php">View Users</a></li>

18 <li><a href="password.

php">Change Password</a></li>

19 <li><?php // Create a login/

logout link:

20 if ( (isset($_COOKIE['user_id']))

&& (basename($_SERVER['PHP_SELF'])

!= 'lo go ut.p hp') ) {

21 echo '<a href="logout.php">Logout

</a>';

22 } else {

23 echo '<a href="login.php">Login</a>';

24 }

25 ?></li>

26 </ul>

27 </div>

28 <div id="content"><!-- Start of the

page-specific content. -->

29

ptg6935296

Cookies and Sessions 387

When deleting a cookie, you should

always use the same parameters that set the

cookie (aside from the value and expiration,

naturally). If you set the host and path in the

creation cookie, use them again in the dele-

tion cookie.

To hammer the point home, remember

that the deletion of a cookie does not take

effect until the page has been reloaded or

another page has been accessed. In other

words, the cookie will still be available to

a page after that page has deleted it.

H The home

page with a

link.

I After the

user logs in, the

page now has a

Logout

link.

J The result after

logging out.

K This is how the

deletion cookie

appears in a Firefox

prompt (compare

with G).

current page is to apply the

basename( )

function to

$_SERVER['PHP_SELF'

3. Save the file, place it in your Web direc-

tory (within the

includes

folder), and

test the login/logout process in your

Web browser J.

To see the result of the

setcookie( )

calls in the

logout.php

script, turn on cookie

prompting in your browser K.

Due to a bug in how Internet Explorer

on Windows handles cookies, you may need

to set the host parameter to

false

(without

quotes) in order to get the logout process to

work when developing on your own computer

(i.e., through localhost).

ptg6935296

388 Chapter 12

Using Sessions

Another method of making data available

to multiple pages of a Web site is to use

sessions

. The premise of a session is that

data is stored on the server, not in the

Web browser, and a session identifier is

used to locate a particular user’s record

(the session data). This session identifier is

normally stored in the user’s Web browser

via a cookie, but the sensitive data itself—

like the user’s ID, name, and so on—always

remains on the server.

The question may arise: why use sessions

at all when cookies work just fine? First of

all, sessions are likely more secure in that

all of the recorded information is stored

on the server and not continually sent

back and forth between the server and the

client. Second, you can store more data in

a session. Third, some users reject cookies

or turn them off completely. Sessions,

while designed to work with a cookie,

can function without them, too.

Sessions vs. Cookies

This chapter has examples accomplishing the same tasks—logging in and logging out—using both

cookies and sessions. Obviously, both are easy to use in PHP, but the true question is when to use

one or the other.

Sessions have the following advantages over cookies:

They are generally more secure (because the data is being retained on the server).

They allow for more data to be stored.

They can be used without cookies.

Whereas cookies have the following advantages over sessions:

They are easier to program.

They require less of the server.

They can be made to last far longer.

In general, to store and retrieve just a couple of small pieces of information, or to store information

for a longer duration, use cookies. For most of your Web applications, though, you’ll use sessions.

To demonstrate sess ions—and to com pare

them with cookies—let’s rewrite the

previous set of scripts.

Setting session variables

The most important rule with respect to

sessions is that each page that will use

them must begin by calling the

session_

start( )

function. This function tells PHP

to either begin a new session or access an

existing one. This function must be called

before anything is sent to the Web browser!

The first time this function is used,

session_

start( )

will attempt to send a cookie

with a name of

PHPSESSID

(the default

session name) and a value of something like

a61f8670baa8e90a30c878df89a2074b

(32 hexadecimal letters, the session ID).

Because of this attempt to send a cookie,

session_start( )

must be called before

any data is sent to the Web browser, as is

the case when using the

setcookie( )

and

header( )

functions.

ptg6935296

Cookies and Sessions 389

Once the session has been started, values

can be registered to the session using the

normal array syntax, using the

$_SESSIO N

superglobal:

$_SESSIO N['key'] = value;

$_SESSIO N['na m e'] = 'Roxan ne';

$_SESSIO N['id'] = 48;

Let’s update the

script with this

in mind.

To begin a session:

1. Open

(refer to Script 12.5) in

your text editor or IDE.

2. Replace the

setcookie( )

lines (18–19)

with these lines (Script 12.8):

session_start( );

$_SESSIO N['user_ id'] =

$data['user_id'];

$_SESSIO N['first _ name'] =

$data['first_name'];

The first step is to begin the session.

Since there are no

echo

statements,

inclusions of HTML files, or even blank

spaces prior to this point in the script,

it will be safe to use

session_start( )

at this point in the script (although the

function call could be placed at the top

of the script as well). Then, two

key-

value

pairs are added to the

$_SESSIO N

superglobal array to register the user’s

first name and user ID to the session.

continues on next page

Script 12.8 This version of the

script

uses sessions instead of cookies.

1 <?php # Script 12.8 - login.php #3

2 // This page processes the login form

submission.

3 // The script now uses sessions.

5 // Check if the form has been submitted:

6 if ($_SERVER['REQUEST_METHOD'] = = 'POST') {

8 // Need two helper files:

9 require ('inclu des/login_fu nctions.

inc.php');

10 require ('../m ysqli_connect.p hp');

12 // Check the login:

13 list ($ch eck, $data) = check_login($dbc,

$_POST['e mail'], $_POST['pass']);

15 if ($che ck) { // OK!

17 // Set the session data:

18 session_start( );

19 $_SESSION['u se r_i d'] =

$data'user_id'];

20 $_ SESSIO N['fir st _na m e'] =

$data['first_name'];

22 // Redirect:

23 redirect_user('loggedin.php');

25 } else { // Unsuccessful!

27 // Assign $data to $errors for

login_page.inc.php:

28 $errors = $data;

30 }

32 mysqli_close($dbc); // Close the

database connection.

34 } // End of the main submit conditional.

36 // Create the page:

37 include ('i nc lu d es/lo gi n _ pa ge.inc.p hp');

38 ?>

ptg6935296

390 Chapter 12

3. Save the page as

, place it in

your Web directory, and test it in your

Web browser A.

Although

loggedin.php

and the header

and script will need to be rewritten, you

can still test the login script and see the

resulting cookie B. The

loggedin.php

page should redirect you back to the

home page, though, as it’s still checking

for the presence of a

$_COOKIE

variable.

Because sessions will normally send

and read cookies, you should always try to

begin them as early in the script as possible.

Doing so will help you avoid the problem of

attempting to send a cookie after the headers

(HTML or white space) have already been sent.

If you want, you can set session.auto_

start in the

php.ini

file to 1, making it unnec-

essary to use

session_start( )

on each

page. This does put a greater toll on the server

and, for that reason, shouldn’t be used without

some consideration of the circumstances.

Yo u ca n s to r e a rr a y s in s e ss i o n s ( m a k i ng

$_SESSIO N

a multidimensional array), just as

you can store strings or numbers.

A The login form remains unchanged to the

end user, but the underlying functionality now

uses sessions.

B This cookie, created by PHP’s

session_start( )

function, stores the session ID in the user’s browser.

Accessing session variables

Once a session has been started and

variables have been registered to it, you

can create other scripts that will access

those variables. To do so, each script

must first enable sessions, again using

session_start( )

This function will give the current script

access to the previously started session

(if it can read the

PHPSESSID

value stored

in the cookie) or create a new session if

it cannot. Understand that if the current

session ID cannot be found and a new

session ID is generated, none of the data

stored under the old session ID will be

available. I mention this here and now

because if you’re having problems with

sessions, checking the session ID value to

see if it changes from one page to the next

is the first debugging step.

Assuming that there was no problem

accessing the current session, to then refer

to a session variable, use

$_SESSIO N['var']

as you would refer to any other array.

ptg6935296

Cookies and Sessions 391

To access session variables:

1. Open

loggedin.php

(refer to Script 12.4)

in your text editor or IDE.

2. Add a call to the

session_start( )

function (Script 12.9):

session_start( );

Every PHP script that either sets or

accesses session variables must use

the

session_start( )

function. This line

must be called before the

header.html

file is included and before anything is

sent to the Web browser.

3. Replace the references to

$_COOKIE

with

$_SESSIO N

(lines 5 and 19 of the

original file):

if (!isset($_SESSION['user_id'])) {

and

echo "<h1>Logged In!</h1>

<p>You are now logged in,

➝

{$_SESSION['first_name']}!</p>

<p><a href=\"logout.php\">Logout

➝

</a></p>";

Switching a script from cookies to

sessions requires only that you change

uses of

$_COOKIE

$_SESSIO N

(assuming

that the same names were used).

4. Save the file as

loggedin.php

, place

it in your Web directory, and test it in

your browser C.

continues on next page

Script 12.9 The

loggedin.php

script is updated

so that it refers to

$_SESSION

and not

$_COO KIE

(changes are required on two lines).

1 <?php # Script 12.9 - loggedin.php #2

2 // The user is redirected here from

4 session_start( ); // Sta r t th e s e ssi o n.

6 // If no session value is present,

redirect the user:

7 if (!isset($_SESSION['user_id'])) {

9 // Need the functions:

10 require ('in cludes/login_fun ctions.

inc.php');

11 redirect_user( );

13 }

15 // Set the page title and include the

HTML header:

16 $page_title = 'Lo gge d In!';

17 include ('inclu des/heade r.ht ml');

19 // Print a customized message:

20 echo "<h1 >L o g g e d In!</h1>

21 <p>You are now logged in, {$_SESSION

['f i r s t _ n a m e']}!< /p >

22 <p><a href=\"logout.php\">Logout</a></p>";

24 include ('includ es/f oo ter.html');

25 ?>

C After logging in, the user is redirected to

loggedin.php

, which will

welcome the user by name using the stored session value.

ptg6935296

392 Chapter 12

5. Replace the reference to

$_COOKIE

with

$_SESSIO N

header.html

(from

Script 12.7 to Script 12.10):

if (isset($_SESSION['user_id'])) {

For the

Logout

links to function

properly (notice the incorrect link in C),

the reference to the cookie variable within

the header file must be switched over to

sessions. The header file does not need

to call the

session_start( )

function, as

it’ll be included by pages that do.

Note that this conditional does not need

to check if the current page is the logout

page, as session data behaves differently

than cookie data (I’ll explain this further in

the next section of the chapter).

6. Save the header file, place it in your

Web directory (in the

includes

folder),

and test it in your browser D.

For the Login/Logout links to work on the

other pages (

index.php

, etc.),

you’ll need to add the

session_start( )

command to each of those.

As a reminder of what I already said, if

you have an application where the session

data does not seem to be accessible from one

page to the next, it could be because a new

session is being created on each page. To

check for this, compare the session ID (the last

few characters of the value will suffice) to see

if it is the same. You can see the session’s ID

by viewing the session cookie as it is sent or

by invoking the

session_id( )

function:

echo session_id( );

Session variables are available as

soon as you’ve established them. So, unlike

when using cookies, you can assign a value

$_SESSIO N['var']

and then refer to

$_SESSIO N['var']

later in that same script.

Script 12.10 The

header.html

file now also

references

$_SESSION

instead of

$_COO KIE

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML

1.0 Strict//EN" "http://www.w3.org/TR/

xhtml1/DTD/xhtml1-strict.dtd">

2 <html xmlns="http://www.w3.org/1999/xhtml">

3 <head">

4 <title><?php echo $page_title; ?>

</title>

5 <link rel="stylesheet" href="includes/

style.css" type="text/css"

media="screen" />

6 <meta http-equiv="content-type"

content="text/html; charset=utf-8" />

7 </head>

8 <body>

9 <div id="header">

10 <h1>Your Website</h1>

11 <h2>catchy slogan...</h2>

12 </div>

13 <div id="navigation">

14 <ul>

15 <li><a href="index.php">Home

Page</a></li>

16 <li><a href="register.php">

17 <li><a href="view_users.php">

View Users</a></li>

18 <li><a href="password.php">

Change Password</a></li>

19 <li><?php // Create a login/

logout link:

20 if (isset($_SESSION['user_id'])) {

21 echo '< a href="logout.php">Logout</a>';

22 } else {

23 echo '< a href="login.php">Login</a>';

24 }

25 ?></li>

26 </ul>

27 </div>

28 <div id="content"><!-- Start of the

page-specific content. -->

29

D With the header file

altered for sessions, the

proper

Logout

links will be displayed

(compare with C).

ptg6935296

Cookies and Sessions 393

Deleting session variables

When using sessions, you ought to create

a method of deleting the session data.

In the current example, this would be

necessary when the user logs out.

Whereas a cookie system only requires that

another cookie be sent to destroy the existing

cookie, sessions are slightly more demanding,

since there are both the cookie on the client

and the data on the server to consider.

To delete an indivi dual session va riable,

you can use the

unset( )

function (which

works with any variable in PHP):

unset($_SESSION['var']);

But to delete every session variable, you

shouldn’t use

unset( )

, instead, reset the

$_SESSIO N

array:

$_SESSIO N = ar ray( );

Finally, to remove all of the session data

from the server, call

session_destroy( )

session_destroy( );

Note that prior to using any of these methods,

the page must begin with

session_start( )

so that the existing session is accessed. Let’s

update the

logout.php

script to clean out the

session data.

To delete a session:

1. Open

logout.php

(Script 12.6) in your

text editor or IDE.

2. Immediately after the opening PHP line,

start the session (Script 12.11):

session_start( );

Anytime you are using sessions, you must

call the

session_start( )

function, prefer-

ably at the very beginning of a page. This

is true even if you are deleting a session.

continues on next page

Script 12.11 Destroying a session, as you would in

a logout page, requires special syntax to delete

the session cookie and the session data on the

server, as well as to clear out the

$_SESSION

array.

1 <?php # Script 12.11 - logout.php #2

2 // This page lets the user logout.

3 // This version uses sessions.

5 session_start( ); // Ac ce ss t h e

existing session.

7 // If no session variable exists,

redirect the user:

8 if (!isset($_SESSION['user_id']))

{

10 // Need the functions:

11 require ('includes/login_func tio ns.

inc.php');

12 redirect_user( );

14 } else { // Cancel the session:

16 $_ SESSIO N = ar ray( ); // Cl e ar th e

variables.

17 session_destroy( ); // D e st r o y th e

session itself.

18 setcookie ('PHPSESSID', '', time( )-3600,

'/', '', 0, 0); // D e s t r o y t h e c o o k i e .

20 }

22 // Set the page title and include the

HTML header:

23 $page_title = 'Logged Out!';

24 include ('includ es/h ead er.h tml');

26 // Print a customized message:

27 echo "< h1 >L o g ge d Out!</h1>

28 <p>You are now logged out!</p>";

30 include ('includ es/f oo te r.ht ml');

31 ?>

ptg6935296

394 Chapter 12

3. Change the conditional so that it checks

for the presence of a session variable:

if (!isset($_SESSION['user_id'])) {

As with the

logout.php

script in the

cookie examples, if the user is not cur-

rently logged in, they will be redirected.

4. Replace the

setcookie( )

lines (that

delete the cookies) with:

$_SESSIO N = ar ray( );

session_destroy( );

setcookie ('PHPSESSID', '',

➝

time( )-3600, '/', '', 0, 0);

The first line here will reset the entire

$_SESSIO N

variable as a new array,

erasing its existing values. The second

line removes the data from the server,

and the third sends a cookie to delete the

existing session cookie in the browser.

Garbage Collection

Garbage collection with respect to ses-

sions is the process of the server automat-

ically deleting the session files (where the

actual data is stored). Creating a logout

system that destroys a session is ideal, but

there’s no guarantee all users will formally

log out as they should. For this reason,

PHP includes a cleanup process.

Whenever the

session_start( )

func-

tion is called, PHP’s garbage collection

kicks in, checking the last modifica-

tion date of each session (a session is

modified whenever variables are set or

retrieved). Two settings dictate garbage

collection:

session.gc_maxlifetime

and

session.gc_probability

. The first states

after how many seconds of inactivity

a session is considered idle and will

therefore be deleted. The second setting

determines the probability that garbage

collection is performed, on a scale of

1 to 100. With the default settings, each

call to

session_start( )

has a 1 percent

chance of invoking garbage collection. If

PHP does start the cleanup, any sessions

that have not been used in more than

1,440 seconds will be deleted.

You can change these settings using the

ini_set( )

function, although be careful

in doing so. Too frequent or too probable

garbage collection can bog down the

server and inadvertently end the ses-

sions of slower users.

ptg6935296

Cookies and Sessions 395

5. Remove the reference to

$_COOKIE

the message:

echo "<h1>Logged Out!</h1>

<p>You are now logged out!</p>";

Unlike when using the cookie version of

the

logout.php

script, you cannot refer

to the user by their first name anymore,

as all of that data has been deleted.

6. Save the file as

logout.php

, place it in

your Web directory, and test it in your

browser E.

The

header.html

file only needs to

check if

$_SESSIO N['user_ id']

is set, and not

if the page is the logout page, because by the

time the header file is included by

logout.

php

, all of the session data will have already

been destroyed. The destruction of session

data applies immediately, unlike with cookies.

Never set

$_SESSIO N

equal to

NULL

and

never use

unset($_SESSION)

. Either could

cause problems on some servers.

In case it’s not absolutely clear what’s

going on, there exists three kinds of infor-

mation with a session: the session identifier

(which is stored in a cookie by default), the

session data (which is stored in a text file on

the server), and the

$_SESSIO N

array (which

is how a script accesses the session data in

the text file). Just deleting the cookie doesn’t

remove the data file and vice versa. Clear-

ing out the

$_SESSIO N

array would erase the

data from the text file, but the file itself would

still exist, as would the cookie. The three

steps outlined in this logout script effectively

remove all traces of the session.

E The logout page (now featuring sessions).

ptg6935296

396 Chapter 12

Improving Session

Security

Because important information is normally

stored in a session (you should never

store sensitive data in a cookie), security

becomes more of an issue. With sessions

there are two things to pay attention to:

the session ID, which is a reference point

to the session data, and the session data

itself, stored on the server. A malicious

Changing the Session Behavior

As part of PHP’s support for sessions, there are over 20 different configuration options you can set

for how PHP handles sessions. For the full list, see the PHP manual, but I’ll highlight a few of the

most important ones here. Note two rules about changing the session settings:

1. All changes must be made before calling

session_start( )

2. The same changes must be made on every page that uses sessions.

Most of the settings can be set within a PHP script using the

ini_set( )

function (discussed in

Chapter 8):

ini_set (parameter, new_setting);

For example, to require the use of a session cookie (as mentioned, sessions can work without

cookies but it’s less secure), use

ini_set ('session.use_only_cookies', 1);

Another change you can make is to the name of the session (perhaps to use a more user-friendly

one). To do so, call the

session_name( )

function:

session_name('YourSession');

The benefits of creating your own session name are twofold: it’s marginally more secure and it may

be better received by the end user (since the session name is the cookie name the end user will

see). The

session_name( )

function can also be used when deleting the session cookie:

setcookie (session_name( ), '', ti m e( )-3600);

If not provided with an argument, this function instead returns the current session name.

Finally, there’s also the

session_set_cookie_params( )

function. It’s used to tweak the settings

of the session cookie:

session_set_cookie_params(expire, path, host, secure, httponly);

Note that the expiration time of the cookie refers only to the longevity of the cookie in the Web

browser, not to how long the session data will be stored on the server.

person is far more likely to hack into a

session through the session ID than the

data on the server, so I’ll focus on that side

of things here (in the tips at the end of this

section I mention two ways to protect the

session data itself).

The session ID is the key to the session

data. By default, PHP will store this in a

cookie, which is preferable from a security

standpoint. It is possible in PHP to use

sessions without cookies, but that leaves

ptg6935296

Cookies and Sessions 397

the application vulnerable to

session

hijacking

: If malicious user Alice can learn

user Bob’s session ID, Alice can easily trick

a server into thinking that Bob’s session

ID is also

Alice’s

session ID. At that point,

Alice would be riding coattails on Bob’s

session and would have access to Bob’s

data. Storing the session ID in a cookie

makes it somewhat harder to steal.

One method of preventing hijacking is to

store some sort of user identifier in the

session, and then to repeatedly double-

check this value. The

HTTP_USER_

AGENT

—a combination of the browser and

operating system being used—is a likely

candidate for this purpose. This adds a layer

of security in that one person could only

hijack another user’s session if they are

both running the exact same browser and

operating system. As a demonstration of

this, let’s modify the examples one last time.

To use sessions more securely:

1. Open

(refer to Script 12.8) in

your text editor or IDE.

2. After assigning the other session

variables, also store the

HTTP_USER_

AGENT

value (Script 12.12):

$_SESSIO N['agen t'] =

➝

md5($_SERVER['HTTP_USER_AGENT']);

The

HTTP_USER_AGENT

is part of the

$_SERVER

array (you may recall using

it way back in Chapter 1, “Introduction

to PHP”). It will have a value like

Mozilla/4.0 (compatible; MSIE 8.0;

Windows NT 6.1

…).

continues on next page

Script 12.12 This final version of the

script also stores an encrypted form of the user’s

HTTP_USER_AGENT

(the browser and operating

system of the client) in a session.

1 <?php # Script 12.12 - login.php #4

2 // This page processes the login form

submission.

3 // The script now stores the HTTP_USER_

AGENT value for added security.

5 // Check if the form has been submitted:

6 if ($_SERVER['REQUEST_METHOD'] = = 'POST')

{

8 // Need two helper files:

9 require ('inclu des/login_fu nctions.

inc.php');

10 require ('../m ysqli_connect.p hp');

12 // Check the login:

13 list ($ch eck, $data) = check_login($dbc,

$_POST['e mail'], $_POST['pass']);

15 if ($che ck) { // OK!

17 // Set the session data:

18 session_start( );

19 $_SESSION['user_id'] =

$data['user_id'];

20 $_SESSION['first_ name'] =

$data['first_name'];

22 // Store the HTTP_USER_AGENT:

23 $_SESSION['a ge nt'] = m d5($_SERVER

['H T T P_ U SE R _ A G E N T']);

25 // Redirect:

26 redirect_user('loggedin.php');

28 } else { // Unsuccessful!

30 // Assign $data to $errors for

login_page.inc.php:

31 $errors = $data;

33 }

35 mysqli_close($dbc); // Close the

database connection.

37 } // End of the main submit conditional.

39 // Create the page:

40 include ('i nclu d es/l o gi n_ p age.i nc.p hp');

41 ?>

ptg6935296

398 Chapter 12

Instead of storing this value in the

session as is, it’ll be run through the

md5( )

function for added security.

That function returns a 32-character

hexadecimal string (called a

hash

)

based upon a value. In theory, no two

strings will have the same

md5( )

result.

3. Save the file and place it in your

Web directory.

4. Open

loggedin.php

(Script 12.9) in your

text editor or IDE.

5. Change the

!isset($_SESSION['user_

id'])

conditional to (Script 12.13):

if (!isset($_SESSION['agent']) OR

➝

($_SESSION['agen t'] != m d5($_SERVER

➝

['H TTP_U SER _ A G E N T']) )) {

This conditional checks two things.

First, it sees if the

$_SESSIO N['agen t']

variable is not set (this part is just as it

was before, although

agent

is being

used instead of

user_id

). The second

part of the conditional checks if the

md5( )

version of

$_SERVER['HTTP_

USER_AGENT']

does not equal the value

stored in

$_SESSIO N['agen t']

. If either

of these conditions is true, the user will

be redirected.

6. Save this file, place in your Web direc-

tory, and test in your Web browser by

logging in.

Script 12.13 This

loggedin.php

script now confirms

that the user accessing this page has the same

HTTP_USER_AGENT

as they did when they

logged in.

1 <?php # Script 12.13 - loggedin.php #3

2 // The user is redirected here from

4 session_start( ); // Start the session.

6 // If no session value is present,

redirect the user:

7 // Also validate the HTTP_USER_AGENT!

8 if (!isset($_SESSION['agent']) OR

($_SESSION['a ge nt'] != m d5($_SERVER

['H TT P_U SER _ AG EN T']) )) {

10 // Need the functions:

11 require ('includes/login_func tio ns.

inc.php');

12 redirect_user( );

14 }

16 // Set the page title and include the

HTML header:

17 $page_title = 'Lo gge d In!';

18 include ('includ es/head er.html');

20 // Print a customized message:

21 echo "< h1>L o g g e d In!</h1>

22 <p>You are now logged in, {$_SESSION

['first_name']}!</p>

23 <p><a href=\"logout.php\">Logout</a></p>";

25 include ('includes/footer.html');

26 ?>

ptg6935296

Cookies and Sessions 399

For critical uses of sessions, require

the use of cookies and transmit them over a

secure connection, if at all possible. You can

even set PHP to only use cookies by setting

session.use_only_cookies to 1.

By default, a server stores every session

file for every site within the same temporary

directory, meaning any site could theoretically

read any other site’s session data. If you are

using a server shared with other domains,

changing the session.save_path from its default

setting will be more secure. For example, it’d be

better if you stored your site’s session data in a

dedicated directory particular to your site.

The session data itself can also be stored

in a database rather than a text file. This is a

more secure, but more programming-intensive,

option. I teach how to do this in my book PHP 5

Advanced: Visual QuickPro Guide.

The user’s IP address (the network

address from which the user is connecting) is

not a good unique identifier, for two reasons.

First, a user’s IP address can, and normally

does, change frequently (ISPs dynamically

assign them for short periods of time). Second,

many users accessing a site from the same

network (like a home network or an office)

could all have the same IP address.

Preventing Session Fixation

Another specific kind of session attack

is known as

session fixation

. This

approach is the opposite of

session

hijacking

. Instead of malicious user

Alice finding and using Bob’s session

ID, she instead creates her own session

ID (perhaps by logging in legitimately),

and then gets Bob to access the site

using that session. The hope is that Bob

would then do something that would

unknowingly benefit Alice.

You can help protect against these

types of attacks by changing the session

ID after a user logs in. The

session_

regenerate_id( )

does just that, pro-

viding a new session ID to refer to the

current session data. You can use this

function on sites for which security is

paramount (like e-commerce or online

banking) or in situations when it’d be par-

ticularly bad if certain users (i.e., adminis-

trators) had their sessions manipulated.

ptg6935296

400 Chapter 12

Review and Pursue

If you have any problems with the

review questions or the pursue prompts,

turn to the book’s supporting forum

(

www.LarryUllman.com/forums/

Review

What code is used to redirect the user’s

browser from one page to the next?

What does the

headers already sent

error message mean?

What value does

$_SERVER['HTTP_ H OST']

store? What value does

$_SERVER['PHP_

SELF']

store?

What does the

dirname( )

function do?

What does the

rtrim( )

function do?

What arguments can it take?

How do you write a function that returns

multiple values? How do you call such a

function?

What arguments can the

setcookie( )

function take?

How do you reference values previ-

ously stored in a cookie?

How do you delete an existing cookie?

Are cookies available immediately after

being sent (on the same page)? Why

can you still refer to a cookie (on the

same page) after it is deleted?

What debugging steps can you take

when you have problems with cookies?

What does the

basename( )

function do?

How do you begin a session?

How do you reference values previ-

ously stored in a session?

Is session data available immediately

after being assigned (on the same page)?

How do you terminate a session?

What debugging steps can you take

when you have problems with sessions?

Pursue

If you have not already done so, learn

how to view cookie data in your Web

browser. When developing sites that

use cookies, enable the option so that

the browser prompts you when cookies

are received.

Make the login form sticky.

Add code to the handling of the

$errors

variable on the login page that uses a

foreach

loop if

$errors

is an array, or

just prints the value of

$errors

otherwise.

Modify the

redirect_user( )

function

so that it can be used to redirect the

user to a page within another directory.

Implement another cookie example,

such as storing a user’s preference in

the cookie, then base a look or feature

of a page upon the stored value (when

present).

Change the code in

logout.php

(Script

12.11) so that it uses the

session_name( )

function to dynamically set the name

value of the session cookie being deleted.

Implement another session example, if

you’d like more practice with sessions

(you’ll get more practice later in the

book, too).

Check out the PHP manual pages

for any new function introduced in

this chapter with which you’re not

comfortable.

Check out the PHP manual pages on

cookies and sessions (two separate

sections) to learn more. Also read some

of the user-submitted comments for

additional tips.

ptg6935296

The security of your Web applications is

such an important topic that it really cannot

be overstressed. Although security-related

issues have been mentioned throughout

this book, this chapter will help to fill in cer-

tain gaps, finalize other points, and teach

several new things.

The topics discussed here include: prevent-

ing spam; typecasting variables; preventing

cross-site scripting (XSS) and SQL injection

attacks; the new Filter extension; and vali-

dating uploaded files by type. This chapter

will use five discrete examples to best

demonstrate these concepts. Some other

common security issues and best practices

will be mentioned in sidebars as well.

Security

Methods

In This Chapter

Preventing Spam 402

Validating Data by Type 409

Validating Files by Type 414

Preventing XSS Attacks 418

Using the Filter Extension 421

Preventing SQL Injection Attacks 425

Review and Pursue 432

ptg6935296

402 Chapter 13

Preventing Spam

Spam is nothing short of a plague, clut-

tering up the Internet and email inboxes.

There are steps you can take to avoid

receiving spam at your email accounts,

but in this book the focus is on preventing

spam being sent through your PHP scripts.

Chapter 11, “Web Application Development,”

shows how easy it is to send email using

PHP’s

mail( )

function. The example there,

a contact form, took some information from

the user A and sent it to an email address.

Although it may seem like there’s no harm

in this system, there’s actually a big security

hole. But first, some background on what

an email actually is.

Regardless of how an email is sent, how

it’s formatted, and what it looks like when

it’s received, an email contains two parts:

a header and a body. The header includes

such information as the

and

from

addresses, the subject, the date, and more

B. Each item in the header is on its own

line, in the format

Name

value

. The body

of the email is exactly what you think it is:

the body of the email.

A A simple, standard HTML contact form.

B The raw source version of the email sent by the contact form A.

ptg6935296

Security Methods 403

There are a couple of preventive techniques

that can be applied to this contact form.

First, validate any email addresses using

regular expressions, covered in Chapter 13,

“Perl-Compatible Regular Expressions,” or

the Filter extension, discussed in just a few

pages. Second, now that you know what an

evildoer must enter to send spam (Table 13.1),

watch for those characters and strings in

form values. If a value contains anything from

that list, don’t use that value in a sent email.

(The last four values in Table 13.1 are all differ-

ent ways of creating newlines.)

In this next example, a modification of the

email script from Chapter 11, I’ll define a

function that scrubs all potentially dangerous

characters from provided data. Two new PHP

functions will be used as well:

str_replace( )

and

array_map( )

. Both will be explained in

detail in the steps that follow.

A Security Approach

The most important concept to

understand about security is that it’s not

a binary state: don’t think of a Web site

or script as being either

secure

not

secure

. Security isn’t a switch that you

turn on and off; it’s a scale that you can

move up and down. When you program,

think about what you can do to make

your site

more secure

and what you’ve

done that makes it

less secure

. Also,

keep in mind that improved security

normally comes at a cost of convenience

(both to you, the programmer, and to the

end user) and performance. Increased

security normally means more code, more

checks, and more required of the server.

When developing Web applications, the

goal is to achieve a level of security that’s

appropriate for the particular situation.

And then err on the side of being a tad

too secure, just to be prudent.

In looking at PHP’s

mail( )

function—

mail (to, subject, body [,headers]);

—you can see that one of the arguments

goes straight to the email’s body and the

rest appear in its header. To send spam to

your

address

(as in Chapter 11’s example),

all a person would have to do is enter the

spam message into the comments section

of the form A. That’s bad enough, but to

send spam to

anyone else

at the same

time, all the user would have to do is add

Bcc: poorsap@example.org

, followed

by some sort of line terminator (like a

newline or carriage return), to the email’s

header. With the example as is, this just

means entering this into the

from

value

of the contact form:

me@example.com\

nBcc:poorsap@example.org

Yo u m i gh t t h in k t h a t s af e gu a rd i ng e ve r y-

thing that goes into an email’s header

would be sufficiently safe, but as an email

is just one document, bad input in a body

can impact the header, too.

TABLE 13.1 Spam Tip-offs

Strings

content-type:

mime-version:

multipart-mixed:

content-transfer-encoding:

bcc:

cc:

to:

%0a

%0d

ptg6935296

404 Chapter 13

To prevent spam:

1. Open

email.php

(Script 11.1) in your text

editor or IDE.

To complete this sp am-purification , the

email script needs to be modified.

2. After checking for the form submission,

begin defining a function (Script 13.1):

function spam_scrubber($value) {

This function will take one argument:

a string. Normally, I would define

functions at the top of the script, or

in a separate file, but to make things

simpler, it’ll be defined within the

submission-handling block of code.

3. Create a list of really bad things that

wouldn’t be in a legitimate contact

form submission:

$very_bad = array('to:', 'cc:',

➝

'bcc:', 'co ntent-type:',

➝

'mime-version:',

➝

'multipart-mi xed:',

➝

'c o n t e n t-t r a n sf e r-e n c o d i n g:');

Any of these strings should not be

present in an honest contact form

submission (it’s possible someone

might legitimately use

to:

in their

comments, but unlikely). If any of these

strings are present, then this is a spam

attempt. To make it easier to test for

all these, they’re placed in an array,

which will be looped through (Step 4).

The comparison in Step 4 will be case-

insensitive, so each of the dangerous

strings is written in all lowercase letters.

4. Loop through the array. If a very bad

thing is found, return an empty string

instead:

foreach ($very_bad as $v) {

if (stripos($value, $v) != =

➝

false) return '';

}

Script 13.1 This version of the script can now

safely send emails without concern for spam.

Any problematic characters will be caught by

the

spam_scrubber( )

function.

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML

1.0 Transitional//EN" "http://www.w3.org/

TR/xhtml1/DTD/xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/

xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type"

content="text/html; charset=utf-8" />

5 <title>Contact Me</title>

6 </head>

7 <body>

8 <h1>Contact Me</h1>

9 <?php # Script 13.1 - email.php #2

10 // This version now scrubs dangerous

strings from the submitted input.

12 // Check for form submission:

13 if ($_SERVER['REQUEST_ METH OD'] = = 'POST') {

15 /* The function takes one argument: a

string.

16 * The function returns a clean

version of the string.

17 * The clean version may be either an

empty string or

18 * just the removal of all newline

characters.

19 */

20 function spam_scrubber($value) {

22 // List of very bad values:

23 $very_bad = array('to:',

'cc:', 'b cc:', 'co n te nt-t yp e:',

'mime-version:', 'm ultipart-mi xed:',

'c o n t e n t-t r a n s f e r-e n c o d i n g:');

25 // If any of the very bad strings

are in

26 // the submitted value, return an

empty string:

27 foreach ($very_bad as $v) {

28 if (stripos($value, $v) != =

false) return '';

29 }

code continues on next page

ptg6935296

Security Methods 405

The

foreach

loop will access each

item in the

$very_bad

array one at a

time, assigning each item to

. Within

the loop, the

stripos( )

function

will check if the item is in the string

provided to this function as

$value

. The

stripos( )

function performs a case-

insensitive search (so it would match

bcc:

Bcc:

bCC:

, etc.). The function

returns a Boolean TRUE if the needle

is found in the haystack (e.g., looking

for occurrences of

$value

). The

conditional therefore says that if that

function’s results do not equal FALSE

(i.e.,

was not found in

$value

), return

an empty string.

Therefore, for each of the dangerous

character strings, the first time that any

of them is found in the submitted value,

the function will return an empty string

and terminate (functions automatically

stop executing once they hit a

return

5. Replace any newline characters

with spaces:

$value = str_replace(array( "\r",

➝

"\n", "%0a", "%0d"), ' ', $value);

Newline characters, which are

represented by

%0a

, and

%0d

may or may not be problematic. A

newline character is required to send

spam (or else you can’t create the

proper header) but will also appear if

a user just hits Enter or Return while

typing in a textarea box. For this reason,

any found newlines will just be replaced

by a space. This means that the

submitted value could lose some of its

formatting, but that’s a reasonable price

to pay to stop spam.

continues on next page

Script 13.1 continued

31 // Replace any newline characters

with spaces:

32 $value = str_replace(array( "\r",

"\n", "%0a", "%0d"), ' ', $value);

34 // Return the value:

35 return trim($value);

37 } // End of spam_scrubber( )

function.

39 // Clean the form data:

40 $scrubbed = array_map

('s pa m _ sc r u bb e r', $_P OST);

42 // Minimal form validation:

43 if (!empty($scrubbed['name']) &&

!empty($scrubbed['email']) &&

!empty($scrubbed['com ments']) ) {

45 // Create the body:

46 $body = "Name: {$scrubbed

['n a m e']}\ n\n Co m m e n t s:

{$scru bb ed['co m me nts']}";

48 // Make it no longer than 70

characters long:

49 $body = wordwrap($body, 70);

51 // Send the email:

52 mail('your_email@example.com',

'Co nt act Fo r m Su b m issi o n', $b o dy,

"From: {$scrubbed['email']}");

54 // Print a message:

55 echo '< p> <e m >T h a n k you for

contacting me. I will reply some

day.</em></p>';

57 // Clear $_POST (so that the form's

not sticky):

58 $_POST = array( );

60 } else {

61 echo '< p style="font-weight: bold;

color: #C00">Please fill out the

form completely.</p>';

62 }

64 } // End of main isset( ) IF.

code continues on next page

ptg6935296

406 Chapter 13

The

str_replace( )

function looks

through the value in the third argument

and replaces any occurrences of the

characters in the first argument with the

character or characters in the second.

Or as the PHP manual puts it:

mixed str_replace (mixed $search,

➝

mixed $replace, mixed $subject)

This function is very flexible in that it

can take strings or arrays for its three

arguments (the

mixed

means it accepts a

mix of argument types). Hence, this line of

code in the script assigns to the

$value

variable its original value, with any newline

characters replaced by a single space.

There is a case-insensitive version of

this function, but it’s not necessary here,

as, for example,

is a carriage return

but

is not.

6. Return the value and complete the

function:

return trim($value);

} // End of spam_scrubber( )

➝

function.

Finally, this function returns the value,

trimmed of any leading and ending

Script 13.1 continued

66 // Create the HTML form:

67 ?>

68 <p>Please fill out this form to contact me.</p>

69 <form action="email.php" method="post">

70 <p>Name: <input type="text" name="name" size="30" maxlength="60" value="<?php if

(iss et($scru bbed['na me'])) e ch o $scru bbe d['na me']; ?>" /></p>

71 <p>Email Address: <input type="text" name="email" size="30" maxlength="80"

value="<?php if (isset($scrubbed['email'])) echo $scrubbed['email']; ?>" /></p>

72 <p>Comments: <textarea name="comments" rows="5" cols="30"><?php if

(iss et($scru bbed['co m m ents'])) ech o $scru bbe d['co m m ents']; ?></tex tar ea></p>

73 <p><input type="submit" name="submit" value="Send!" /></p>

74 </form>

75 </body>

76 </html>

spaces. Keep in mind that the function

will only get to this point if none of the

very bad things was found.

7. After the function definition, invoke the

spam_scrubber( )

function:

$scrubbed = array_map

➝

('s p a m _scr u b b e r', $_POST);

This approach is beautiful in its

simplicity! The

array_map( )

function

has two required arguments. The first

is the name of the function to call.

In this case, that’s

spam_scrubber

(without the parentheses, because

you’re providing the function’s

name

not calling the function). The second

argument is an array.

What

array_map( )

does is apply the

named function once for each array

element, sending each array element’s

value to that function call. In this script,

$_POST

has four elements—

name

comments

, and

submit

, meaning

that the

spam_scrubber( )

function

will be called four times, thanks to

array_map( )

. After this line of code,

the

$scrubbed

array will end up with

four elements:

$scrubbed['name']

will

ptg6935296

Security Methods 407

have the value of

$_ POST['na m e']

after

running it through

spam_scrubber( )

;

$scrubbed['email']

will have the same

value as

$_ POST['e m a il']

after running it

through

spam_scrubber( )

; and so forth.

This one line of code then takes an

entire array of potentially tainted

data (

$_POST

), cleans it using

spam_

scrubber( )

, and assigns the result to a

new variable. Here’s the most important

thing about this technique: from here on

out, the script must use the

$scrubbed

array, which is clean, not

$_POST

, which

is still potentially dirty.

8. Change the form validation to use this

new array:

if (!empty($scrubbed['name']) &&

➝

!empty($scrubbed['email']) &&

➝

!empty($scrubbed['co m ments']) ) {

Each of these elements could have an

empty value for two reasons. First, if the

user left them empty. Second, if the user

entered one of the bad strings in the

field C, which would be turned into an

empty string by the

spam_scrubber( )

function D.

9. Change the creation of the

$body

vari-

able so that it uses the clean values:

$body = "Name: {$scrubbed

➝

['n a m e']}\n\n C o m m e n t s:

➝

{$sc rub be d['co m me nts']}";

10. Change the invocation of the

mail( )

function to use the clean email address:

mail('your_email@example.com',

➝

'Co nta c t For m Sub m ission', $ b o dy,

➝

"From: {$scrubbed['email']}");

Remember to use your own email

address in the

mail( )

call, or you’ll

never get the message!

continues on next page

C The presence of

cc:

in the email address field

will prevent this submission from being sent in an

email D.

D The email was not sent because of the very

bad characters used in the email address, which

gets turned into an empty string by the spam

prevention function.

ptg6935296

408 Chapter 13

11. Change the form so that it uses the

$scrubbed

version of the values:

<p>Name: <input type="text"

➝

name="name" size="30"

➝

maxlength="60" value="<?php if

➝

(isset($scrubb ed['n a m e'])) ech o

➝

$scrubbed['name']; ?>" /></p>

<p>Email Address: <input

➝

type="text" name="email"

➝

size="30" maxlength="80"

➝

value="<?php if (isset

➝

($scrubb e d['em ail'])) e cho

➝

$scrubbed['email']; ?>" /></p>

<p>Comments: <textarea

➝

name="comments" rows="5"

➝

cols="30"><?php if (isset

➝

($scrubb e d['co m ments'])) echo

➝

$scrubbed['comments']; ?>

➝

</textarea></p>

12. Save the script as

email.php

, place it in

your Web directory, and test it in your

Web browser E and F.

Using the

array_map( )

function as I

have in this example is convenient but not

without its downsides. First, it blindly applies

the

spam_scrubber( )

function to the entire

$_POST

array, even to the submit button. This

isn’t harmful but is unnecessary. Second, any

multidimensional arrays within

$_POST

will

be lost. In this specific example, that’s not a

problem, but it is something to be aware of.

To prevent au tomated submi ssions to any

form, you could use a CAPTCHA test. These

are prompts that can only be understood by

humans (in theory). While this is commonly

accomplished using an image of random char-

acters, the same thing can be achieved using a

question like What is two plus two? or On what

continent is China?. Checking for the correct

answer to this question would then be part of

the validation routine.

E Although the comments field contains newline

characters (created by pressing Enter or Return),

the email will still be sent F.

F The received email, with the newlines in the

comments E turned into spaces.

ptg6935296

Security Methods 409

Validating Data

by Type

For the most part, the form validation

used in this book thus far has been rather

minimal, often just checking if a variable

has any value at all. In many situations, this

really is the best you can do. For example,

there’s no perfect test for what a valid

street address is or what a user might

enter into a comments field. Still, much of

the data you’ll work with can be validated

in stricter ways. In the next chapter,

the sophisticated concept of regular

expressions will demonstrate just that. But

here I’ll cover the more approachable ways

you can validate some data by type.

PHP supports many types of data: strings,

numbers (integers and floats), arrays, and

so on. For each of these, there’s a specific

function that checks if a variable is of that

type (Table 13.2). You’ve already seen the

is_numeric( )

function in action in earlier

chapters, and

is_array( )

is great for

continues on next page

TABLE 13.2 Type Validation Functions

Function Checks For

is_array( )

Arrays

is_bool( )

Booleans (

TRUE

FALSE

)

is_float( )

Floating-point numbers

is_int( )

Integers

is_null( )NULL

is_numeric( )

Numeric values, even as a

string (e.g.,

'20'

)

is_resource( )

Resources, like a database

connection

is_scalar( )

Scalar (single-valued)

variables

is_string( )

Strings

Two Validation Approaches

A large part of security is based upon validation: if data comes from outside of the server—from

HTML forms, the URL, cookies, it can’t be trusted. (A higher level of security also validates any

data coming from outside of the

script

, including sessions and databases.) There are two types

of validation:

whitelist

and

blacklist

. In the calculator example, we know that all values must be

positive, that they must all be numbers, and that the quantity must be an integer (the other two

numbers could be integers or floats, it makes no difference). Typecasting forces the inputs to be

numbers, and a check confirms that they are positive. At this point, the assumption is that the input

is valid. This is a whitelist approach: these values are good; anything else is bad.

The preventing spam example uses a blacklist approach. That script knows exactly which charac-

ters are bad and invalidates input that contains them. All other input is considered to be good.

Many security experts prefer the whitelist approach, but it can’t always be used. Each example will

dictate which approach will work best, but it’s important to use one or the other. Don’t just assume

that data is safe without some sort of validation.

ptg6935296

410 Chapter 13

confirming a variable is acceptable to use

in a

foreach

loop. Each function returns

TRUE if the submitted variable is of a

certain type and FALSE otherwise.

In PHP, you can even change a variable’s

type, after it’s been assigned a value. Doing

so is called

typecasting

and is accomplished

by preceding a variable’s name by the

destination type in parentheses:

$var = 20.2;

echo (int) $var; // 20

Depending upon the original and destina-

tion types, PHP will convert the variable’s

value accordingly:

$var = 20;

echo (float) $var; // 20.0

With numeric values, the conversion is

straightforward, but with other variable

types, more complex rules apply:

$var = 'trout';

echo (int) $var; // 0

In most circumstances you don’t need to

cast a variable from one type to another,

as PHP will often automatically do so as

needed. But forcibly casting a variable’s

type can be a good security measure

in your Web applications. To show how

you might use this notion, let’s create a

calculator script for determining the total

purchase price of an item A.

To use typecasting :

1. Begin a new PHP document in your

text editor or IDE, to be named

calculator.php

(Script 13.2):

<!DOCTYPE ht ml PUBLIC "-//W3C//

➝

DTD XHTML 1.0 Transitional//EN"

➝

"http://www.w3.org/TR/xhtml1/DTD/

➝

xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/

➝

1999/xhtml" xml:lang="en"

➝

lang="en">

A The HTML form takes three inputs:

a quantity, a price, and a tax rate.

Script 13.2 By

typecasting

variables, this script

more definitively validates that data is of the

correct format.

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML

1.0 Transitional//EN" "http://www.w3.org/

TR/xhtml1/DTD/xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/

xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type"

content="text/html; charset=utf-8" />

5 <title>Widget Cost Calculator</title>

6 </head>

7 <body>

8 <?php # Script 13.2 - calculator.php

9 // This script calculates an order total

based upon three form values.

11 // Check if the form has been submitted:

12 if ($_SERVER['REQUEST_METHOD'] = = 'POST') {

14 // Cast all the variables to a

specific type:

15 $quantity = (int) $_POST['quantity'];

16 $price = (float) $_POST['price'];

17 $tax = (float) $_POST['tax'];

19 // All variables should be positive!

20 if ( ($quantity > 0) && ($price >

0) && ($tax > 0) ) {

code continues on next page

ptg6935296

Security Methods 411

<head>

➝

content="text/html;

➝

charset=utf-8" />

<title>Widget Cost Calculator

➝

</title>

</head>

<body>

<?php # Script 13.2 -

➝

calculator.php

2. Check if the form has been submitted:

if ($_SERVER['REQUEST_METHOD'] = =

➝

'POST') {

Like many previous examples, this one

script will both display the HTML form

and handle its submission.

3. Cast all the variables to a specific type:

$quantity = (int) $_POST['quantity'];

$price = (float) $_POST['price'];

$tax = (float) $_POST['tax'];

The form itself has three text boxes A,

into which practically anything could be

typed (there’s no number type of input

for forms in HTML 4 or XHTML 1.1). But

the quantity must be an integer, and

both price and tax are acceptable as

floats (i.e., could contain decimal points).

To f orce these c o ns traints, cast ea ch

one to a specific type.

4. Check if the variables have proper values:

if ( ($quantity > 0) &&

➝

($price > 0) && ($ta x > 0) ) {

For this calculator to work, the three

variables must be specific types (see

Step 3). More importantly, they must all

be positive numbers. This conditional

checks for that prior to performing the

calculations. Note that, per the rules of

typecasting, if the posted values are

not numbers, they will be cast to 0 and

therefore not pass this conditional.

continues on next page

Script 13.2 continued

22 // Calculate the total:

23 $total = $quantity * $price;

24 $total += $total * ($tax/100);

26 // Print the result:

27 echo '< p >T h e total cost of purchasing

' . $quantity . ' widget(s) at $' .

number_format ($price, 2) . ' each,

plus tax, is $' . number_format

($total, 2) . '.< / p >';

29 } else { // Invalid submitted values.

30 echo '< p style="font-weight: bold;

color: #C00">Please enter a valid

quantity, price, and tax rate.</p>';

31 }

33 } // End of main isset( ) IF.

35 // Leave the PHP section and create the

HTML form.

36 ?>

37 <h2>Widget Cost Calculator</h2>

38 <form action="calculator.php"

method="post">

39 <p>Quantity: <input type="text"

name="quantity" size="5" maxlength="10"

value="<?php if (isset($quantity)) echo

$quantity; ?>" /></p>

40 <p>Price: <input type="text"

name="price" size="5" maxlength="10"

value="<?php if (isset($price)) echo

$price; ?>" /></p>

41 <p>Tax (%): <input type="text"

name="tax" size="5" maxlength="10"

value="<?php if (isset($tax)) echo

$tax; ?>" /></p>

42 <p><input type="submit" name="submit"

value="Calculate!" /></p>

43 </form>

44 </body>

45 </html>

ptg6935296

412 Chapter 13

5. Calculate and print the results:

$total = $quantity * $price;

$total += $total * ($tax/100);

echo '<p>The total cost of

➝

purchasing ' . $quantity . '

➝

widget(s) at $' . number_format

➝

($price, 2) . ' each, plus tax,

➝

is $' . number_format

➝

($total, 2) . '.</p>';

To calculate the to tal, first the quantity

is multiplied by the price. To apply the

tax to the total, the value of the total

times the tax divided by 100 (e.g., 6.5%

becomes .065) is then added, using the

addition assignment shortcut operator.

The

number_format( )

function is used

to print both the price and total values

in the proper format B.

6. Complete the conditionals:

} else {

echo '<p style="font-weight:

➝

bold; color: #C00">Please

➝

enter a valid quantity,

➝

price, and tax rate.</p>';

}

} // End of main isset( ) IF.

A little CSS is used to create a bold,

red error message, should there be

a problem C.

7. Begin the HTML form:

<h2>Widget Cost Calculator</h2>

<form action="calculator.php"

➝

method="post">

<p>Quantity: <input type="text"

➝

name="quantity" size="5"

➝

maxlength="10" value="<?php

➝

if (isset($quantity)) echo

➝

$quantity; ?>" /></p>

The HTML form is really simple and

posts back to this same page. The

inputs will have a sticky quality, so

the user can see what was previously

B The results of the calculation when

the form is properly completed.

C An error message is printed in bold,

red text if any of the three fields does

not contain a positive number.

ptg6935296

Security Methods 413

10. Save the file as

calculator.php

, place

it in your Web directory, and test it in

your Web browser D and E.

Yo u s h o u l d d e f i n i t e l y u s e t y p e c a s t i n g

when working with numbers within SQL queries.

Numbers aren’t quoted in queries, so if a string

is somehow used in a number’s place, there

will be an SQL syntax error. If you typecast such

variables to an integer or float first, the query

may not work (in terms of returning a record) but

will still be syntactically valid. You’ll frequently

see this in the book’s last three chapters.

As I implied, regular expressions are a

more advanced method of data validation and

are sometimes your best bet. But using type-

based validation, when feasible, will certainly

be faster (in terms of processor speed) and

less prone to programmer error (did I mention

that regular expressions are complex?).

To repeat myself, the rules of how values

are converted from one data type to another

are somewhat complicated. If you want to get

into the details, see the PHP manual.

D If invalid values are entered, such as

floats for the quantity or strings for the tax…

E …they’ll be cast into more appropriate

formats. The negative price will also keep

this calculation from being made (although

the casting won’t change that value).

entered. By referring to

$quantity

etc.

instead of

$_POST['q uan tity']

etc., the

form will reflect the value for each input

as it was typecast

8. Complete the HTML form:

<p>Price: <input type="text"

➝

name="price" size="5"

➝

maxlength="10" value="<?php

➝

if (isset($price)) echo

➝

$price; ?>" /></p>

<p>Tax (%): <input type="text"

➝

name="tax" size="5"

➝

maxlength="10" value="<?php

➝

if (isset($tax)) echo

➝

$tax; ?>" /></p>

<p><input type="submit"

➝

name="submit" value=

➝

"Calculate!" /></p>

</form>

9. Complete the HTML page:

</body>

</html>

ptg6935296

414 Chapter 13

Validating Files

by Type

Chapter 11 includes an example of handling

file uploads in PHP. As uploading files

allows users to place a more potent type

of content on your server (compared with

just the text sent via a form), one cannot

be too mindful of security when it comes to

handling them. In that particular example,

the uploaded file was validated by

checking its MIME type. Specifically, with an

uploaded file,

$_FILES['uploa d']['type']

refers to the MIME type provided by the

uploading browser. This is a good start, but

it’s easy for a malicious user to trick the

browser into providing a false MIME type. A

more reliable way of confirming a file’s type

is to use the Fileinfo extension.

Added in PHP 5.3, the Fileinfo extension

determines a file’s type (and encoding)

by hunting for “magic bytes” or “magic

numbers” within the file. For example,

the data that makes up a GIF image must

begin with the ASCII code that represents

either

GIF89a

GIF87a

; the data that

makes up a PDF file starts with

%PDF

To use Fileinfo, start by c reating a File info

resource:

$fileinfo = finfo_open(kind);

The

kind

value will be one of several

constants, indicating the type of resource

you want to create. To determine a file’s

type, the constant is

FILEINFO_MIME_TYPE

$fileinfo = finfo_open

➝

(FILEINFO_ MIME_TYPE);

Next, call the

finfo_file( )

function,

providing the Fileinfo resource and a

reference to the file you want to examine:

finfo_file($fileinfo, $filename);

This function returns the file’s MIME type

(given the already created resource), based

upon the file’s actual magic bytes.

Finally, once you’re done, you should close

the Fileinfo resource:

finfo_close($fileinfo);

This next script will use this information to

confirm that an uploaded file is an RTF (Rich

Te xt F o r ma t ) . N o te t ha t yo u ’ ll o nl y be a bl e to

test this example if you are using version 5.3

of PHP or later A. If you are using an earlier

version, you’ll need to install the Fileinfo

extension through PECL (PHP Extension

Community Library,

http://pecl.php.net

On Windows, if you are using PHP 5.3 or

later, the Fileinfo DLL file should be included

with your installation, but you may need to

enable it in your

php.ini

configuration file

(download Appendix A, “Installation” from

peachpit.com).

A If your PHP installation does not support the

Fileinfo extension, you’ll see an error message

like this one.

ptg6935296

Security Methods 415

To validate files by type:

1. Begin a new PHP script in your

text editor or IDE, to be named

upload_rtf.php

(Script 13.3):

<!DOCTYPE ht ml PUBLIC "-//W3C//

➝

DTD XHTML 1.0 Transitional//EN"

➝

"http://www.w3.org/TR/xhtml1/DTD/

➝

xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/

➝

1999/xhtml" xml:lang="en"

➝

lang="en">

<head>

➝

content="text/html;

➝

charset=utf-8" />

<title>Upload a RTF Document

➝

</title>

</head>

<body>

<?php # Script 13.3 -

➝

upload_rtf.php

2. Check if the form has been submitted:

if ($_SERVER['REQUEST_METHOD'] = =

➝

'POST') {

This same script will both display and

handle the form.

3. Check for an uploaded file:

if (isset($_FILES['upload']) &&

➝

file_exists($_FILES['upload']

➝

['t m p _ n a m e'])) {

This script first confirms that the

$_FILES['uploa d']

variable is set,

which would be the case after a form

submission. The conditional then

confirms that the uploaded file exists

(by default, in the temporary directory).

This clause prevents attempts to

validate the file’s type should the

upload have failed (e.g., because the

selected file was too large).

continues on next page

Script 13.3 Using the Fileinfo extension, this

script does a good job of confirming an uploaded

file’s type.

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML

1.0 Transitional//EN" "http://www.w3.org/

TR/xhtml1/DTD/xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/

xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type"

content="text/html; charset=utf-8" />

5 <title>Upload a RTF Document</title>

6 </head>

7 <body>

8 <?php # Script 13.3 - upload_rtf.php

10 // Check if the form has been submitted:

11 if ($_SERVER['REQUEST_METHOD'] = = 'POST')

{

13 // Check for an uploaded file:

14 if (isset($_FILES['upload']) && file_

exists($_FILES['upload']['tmp_name'])) {

16 // Validate the type. Should be

RTF.

17 // Create the resource:

18 $fileinfo = finfo_open

(FILEINFO_MIME_TYPE);

20 // Check the file:

21 if (finfo_file($fileinfo,

$_FILES['uplo ad']['tm p _na m e']) = =

'text/rtf') {

23 // Indicate it's okay!

24 echo '< p > < e m >T h e file would be

acceptable!</em></p>';

26 // In theory, move the file over.

In reality, delete the file:

27 unlink($_FILES['upload']

['t m p _ n am e']);

29 } else { // Invalid type.

30 echo '< p style="font-weight:

bold; color: #C00">Please

upload an RTF document.</p>';

31 }

code continues on next page

ptg6935296

416 Chapter 13

4. Create the Fileinfo resource:

$fileinfo = finfo_open

➝

(FILEINFO_ MIME_TYPE);

This line, as already explained, creates

a Fileinfo resource whose specific

purpose is to retrieve a file’s MIME type.

5. Check the file’s type:

if (finfo_file($fileinfo,

➝

$_FILES['uploa d']['t m p _na m e']) = =

➝

'text/rtf') {

echo '<p><em>The file would be

➝

acceptable!</em></p>';

If the

finfo_file( )

function returns

a value of

text/rtf

for the uploaded file,

then the file has the proper type for the

purposes of this script. In that case,

a message is printed B.

6. Delete the uploaded file:

unlink($_FILES['upload']

➝

['t m p _ na m e']);

In a real-world example, the script

would now move the file over to its final

destination on the server. As this script is

simply for the purpose of validating a file’s

type, the file can be removed instead.

7. Complete the type conditional:

} else { // Invalid type.

echo '<p style="font-weight:

➝

bold; color: #C00">Please

➝

upload an RTF document.</p>';

}

Script 13.3 continued

33 // Close the resource:

34 finfo_close($fileinfo);

36 } // End of isset($_FILES['upload'])

IF.

38 // Add file upload error handling, if

desired.

40 } // End of the submitted conditional.

41 ?>

43 <form enctype="multipart/form-data"

action="upload_rtf.php" method="post">

44 <input type="hidden" name="MAX_FILE_

SIZE" value="524288" />

45 <fieldset><legend>Select an RTF

document of 512KB or smaller to be

uploaded:</legend>

46 <p><b>File:</b> <input type="file"

name="upload" /></p>

47 </fieldset>

48 <div align="center"><input

type="submit" name="submit"

value="Submit" /></div>

49 </form>

50 </body>

51 </html>

B If the selected and uploaded document has a

valid RTF MIME type, the user will see this result.

ptg6935296

Security Methods 417

<fieldset><legend>Select an RTF

➝

document of 512KB or smaller

➝

to be uploaded:</legend>

<p><b>File:</b> <input type=

➝

"file" name="upload" /></p>

</fieldset>

<div align="center"><input

➝

type="submit" name="submit"

➝

value="Submit" /></div>

</form>

The form uses the proper

enctype

attri-

bute, has a

MAX_FILE_SIZE

recommen-

dation in a hidden form input, and uses a

file input type: the three requirements for

accepting file uploads. That’s all there is

to this example (as in B and C).

11. Complete the page:

</body>

</html>

12. Save the file as

upload_rtf.php

, place

it in your Web directory, and test it in

your Web browser.

The same Fileinfo resource can be applied

to multiple files. Just close the resource after

the script is done with the resource.

C Uploaded files without the proper MIME type

are rejected.

If the uploaded file’s MIME type is not

text/rtf

, the script will print an error

message C.

8. Close the Fileinfo resource:

finfo_close($fileinfo);

The final step is to close the open Fileinfo

resource, once it’s no longer needed.

9. Complete the remaining conditionals:

} // End of isset($_FILES

➝

['u pl o a d']) IF.

} // End of the submitted

➝

conditional.

Yo u c o ul d a l so ad d de b ug g in g i n fo r m a-

tion, such as the related uploaded error

message, if an error occurs.

10. Create the form:

<form enctype="multipart/

➝

form-data" action="upload_rtf.

➝

php" method="post">

<input type="hidden" name=

➝

"MAX_FILE_SIZE" value="524288" />

ptg6935296

418 Chapter 13

Preventing XSS Attacks

HTML is simply plain text, like

<b>

, which is

given special meaning by Web browsers

(as by making text bold). Because of this

fact, your Web-site’s user could easily

put HTML in their form data, like in the

comments field in the email example.

What’s wrong with that, you might ask?

Many dynamically driven Web applications

take the information submitted by a user,

store it in a database, and then redisplay

that information on another page. Think of

a forum, as just one example. At the very

least, if a user enters HTML code in their

data, such code could throw off the layout

and aesthetic of your site. Taking this a step

further, JavaScript is also just plain text,

but text that has special meaning—

execut-

able

meaning—within a Web browser. If

malicious code entered into a form were

re-displayed in a Web browser A, it could

create pop-up windows B, steal cookies,

or redirect the browser to other sites. Such

attacks are referred to as

cross-site script-

ing

(XSS). As in the email example, where

you need to look for and nullify bad strings

found in data, prevention of XSS attacks is

accomplished by addressing any potentially

dangerous PHP, HTML, or JavaScript.

PHP includes a handful of functions for

handling HTML and other code found

within strings. These include:

htmlspecialchars( )

, which turns

, ‘, “, <, and

into an HTML

entity

format (

, etc.)

htmlentities( )

, which turns all

applicable characters into their HTML

entity format

strip_tags( )

, which removes all HTML

and PHP tags

These three functions are roughly listed in

order from least disruptive to most. Which

A The malicious and savvy user can enter HTML,

CSS, and JavaScript into textual form fields.

B The JavaScript

entered into the

comments field A

would create this

alert window when

the comments were

displayed in the

Web browser.

C Thanks to the

htmlentities( )

and

strip_

tags( )

functions, malicious code entered into a

form field A can be rendered inert.

ptg6935296

Security Methods 419

function you’ll want to use depends upon

the application at hand. To demonstrate

how these functions work and differ,

let’s just create a simple PHP page that

takes some text and runs it through these

functions, printing the results C.

To prevent XSS attacks:

1. Begin a new PHP document in your

text editor or IDE, to be named

xss.php

(Script 13.4):

<!DOCTYPE ht ml PUBLIC "-//W3C//

➝

DTD XHTML 1.0 Transitional//EN"

➝

"http://www.w3.org/TR/xhtml1/DTD/

➝

xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/

➝

1999/xhtml" xml:lang="en"

➝

lang="en">

<head>

➝

content="text/html;

➝

charset=utf-8" />

<title>XSS Attacks</title>

</head>

<body>

<?php # Script 13.4 - xss.php

2. Check for the form submission and print

the received data in its original format:

if ($_SERVER['REQUEST_METHOD'] = =

➝

'POST') {

echo "<h2>Original</h2>

➝

<p>{$_POST['data']}</p>";

To compare and cont rast what was

originally received with the result after

applying the functions, the original

value must first be printed.

3. Apply the

htmlentities( )

function,

printing the results:

echo '<h2>After htmlentities( )

➝

</h2><p>' . htmlentities($_POST

➝

['d a t a']). '</p >';

continues on next page

Script 13.4 Applying the

htmlentities( )

and

strip_tags( )

functions to submitted text can

prevent XSS attacks.

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML

1.0 Transitional//EN" "http://www.w3.org/

TR/xhtml1/DTD/xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/

xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type"

content="text/html; charset=utf-8" />

5 <title>XSS Attacks</title>

6 </head>

7 <body>

8 <?php # Script 13.4 - xss.php

10 if ($_SERVER['REQUEST_METHOD'] = = 'POST') {

12 // Apply the different functions,

printing the results:

13 echo "<h2> Orig ina l</h2><p>{$_PO ST

['data']}</p>";

14 echo '<h2>After htmlentities( )

</h2><p>' . htmlentities($_POST

['d a t a']). '</p>';

15 echo '<h2>After strip_tags( )

</h2><p>' . strip_tags($_POST

['d a t a']). '</p>';

17 }

18 // Display the form:

19 ?>

20 <form action="xss.php" method="post">

21 <p>Do your worst! <textarea name="data"

rows="3" cols="40"></textarea></p>

22 <div align="center"><input

type="submit" name="submit"

value="Submit" /></div>

23 </form>

24 </body>

25 </html>

ptg6935296

420 Chapter 13

To keep submitte d information f rom

messing up a page or hacking the

Web browser, it’s run through the

htmlentities( )

function. With this

function, any HTML entity will be

translated; for instance,

and

will

become

and

respectively.

4. Apply the

strip_tags( )

function,

printing the results:

echo '<h2>After strip_tags( )

➝

</h2><p>' . strip_tags($_POST

➝

['d a t a']). '</p >';

The

strip_tags( )

function completely

takes out any HTML, JavaScript, or PHP

tags. It’s therefore the most foolproof

function to use on submitted data.

5. Complete the PHP section:

}

6. Display the HTML form:

<form action="xss.php" method=

➝

"post">

<p>Do your worst! <textarea

➝

name="data" rows="3"

➝

cols="40"></textarea></p>

<div align="center"><input

➝

type="submit" name="submit"

➝

value="Submit" /></div>

</form>

The form A has only one field for the

user to complete: a textarea.

D This snippet of the

page’s HTML source

C shows the original,

submitted value, the

value after using

html_

entities( )

, and the value

after using

strip_tags( )

7. Complete the page:

</body>

</html>

8. Save the page as

xss.php

, place it in

your Web directory, and test it in your

Web browser.

9. View the source code of the page to

see the full effect of these functions D.

Both

htmlspecialchars( )

and

htmlentities( )

take an optional parameter

indicating how quotation marks should be

handled. See the PHP manual for specifics.

The

strip_tags( )

function takes

an optional parameter indicating what tags

should not be stripped.

$var = strip_tags ($var, '<p><br />');

The

strip_tags( )

function will remove

even invalid HTML tags, which may cause

problems. For example,

strip_tags( )

will

yank out all of the code it thinks is an HTML

tag, even if it’s improperly formed, like <b

I forgot to close the tag.

Unrelated to security but quite useful is

the

nl2br( )

function. It turns every return

(such as those entered into a text area) into an

HTML

<br />

tag.

ptg6935296

Security Methods 421

The function’s first argument is the variable

to be filtered; the second is the filter to

apply; and, the optional third argument is

for adding additional criteria. Table 13.3

lists the validation filters, each of which is

represented as a constant.

For example, to confirm that a variable has

a decimal value, you would use:

if (filter_var($var, FILTER_VALIDATE_

➝

FLOAT)) {

A couple of filters take an optional

parameter, the most common being the

FILTER_VALIDATE_INT

filter, which has

min_range

and

max_range

options

for controlling the smallest and largest

acceptable values. For example, this next

bit of code confirms that the

$age

variable

is an integer between 1 and 120 (inclusive):

if (filter_var($var, FILTER_VALIDATE_

➝

INT, array('min_range' => 1,

➝

'max_range' => 120))) {

To sanitize data, y ou’ll still use the

filter_var( )

function, but use one of the

sanitation filters as listed in Table 13.4.

continues on next page

TABLE 13.3 Validation Filters

Constant

FILTER_VALIDATE_BOOLEAN

FILTER_VALIDATE_EMAIL

FILTER_VALIDATE_FLOAT

FILTER_VALIDATE_INT

FILTER_VALIDATE_IP

FILTER_VALIDATE_REGEXP

FILTER_VALIDATE_URL

TABLE 13.4 Sanitization Filters

Constant

FILTER_SANITIZE_EMAIL

FILTER_SANITIZE_ENCODED

FILTER_SANITIZE_MAGIC_QUOTES

FILTER_SANITIZE_NUMBER_FLOAT

FILTER_SANITIZE_NUMBER_INT

FILTER_SANITIZE_SPECIAL_CHARS

FILTER_SANITIZE_STRING

FILTER_SANITIZE_STRIPPED

FILTER_SANITIZE_URL

FILTER_UNSAFE_RAW

Using the Filter

Extension

Earlier, this chapter introduced the concept

typecasting

, which is a good way to force

a variable to be of the right type. In the next

chapter, you’ll learn about

regular expres-

sions

, which can validate both the type of

data and its specific contents or format.

Introduced in PHP 5.2 is the Filter extension

(

www.php.net/filter

), an important tool that

bridges the gap between the relatively sim-

ple approach of typecasting and the more

complex concept of regular expressions.

The Filter extension can be used for one of

two purposes:

validating

data or

sanitizing

it. A validation process, as you know well by

now, confirms that data matches expecta-

tions. Sanitization, by comparison, alters data

by removing inappropriate characters in

order to make the data meet expectations.

The most important function in the Filter

extension is

filter_var( )

filter_var(variable, filter

➝

[,options]);

ptg6935296

422 Chapter 13

Many of the filters duplicate other

PHP functions. For example,

FILTER_

SANITIZE_MAGIC_QUOTES

is the same

as applying

addslashes( )

;

FILTER_

SANITIZE_SPECIAL_CHARS

can be used

in lieu of

htmlspecialchars( )

, and

FILTER_SANITIZE_STRING( )

can be used

as a replacement for

strip_tags( )

. The

PHP manual lists several additional flags,

as constants, that can be used as the

optional third argument to affect how each

filter behaves. As an example of applying

a sanitizing filter, this code is equivalent

to how

strip_tags( )

is used in

xss.php

(Script 13.4):

echo '<h2>After strip_tags( )</h2>

➝

<p>' . filter_var($_POST['data'],

➝

FILTER_SANITIZE_STRING) . '</p>';

If you get hooked on using the Filter

extension, you may appreciate the

consistency of being able to use it for all

data sanitization, even when functions

such as

strip_tags( )

exist.

To practice this, t he next example will

update

calculator.php

(Script 13.2) so

that it sanitizes all of the incoming data.

Remember that you need PHP 5.2 or later

to use the Filter extension. If you’re using

an earlier version of PHP, you can install

the Filter extension using PECL.

To use the Filter extension:

1. Open

calculator.php

(Script 13.2) in

your text editor or IDE.

2. Change the assignment of the

$quantity

variable to (Script 13.5):

$quantity = (isset($_POST

➝

['q u a n t it y'])) ? f i lt e r_ v a r

➝

($_P OST['quan tity'], FILTER_

➝

VALIDATE_INT, array('min_range'

➝

=> 1)) : NULL;

Script 13.5 Using the Filter extension, this script

sanitizes incoming data rather than typecasting it,

as in the earlier version of the script.

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML

1.0 Transitional//EN" "http://www.w3.org/

TR/xhtml1/DTD/xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/

xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type"

content="text/html; charset=utf-8" />

5 <title>Widget Cost Calculator</title>

6 </head>

7 <body>

8 <?php # Script 13.5 - calculator.php #2

9 // This version of the script uses the

Filter extension instead of typecasting.

11 // Check if the form has been submitted:

12 if ($_SERVER['REQUEST_METHOD'] = = 'POST') {

14 // Sanitize the variables:

15 $quantity = (isset($_POST

['q u a n t it y'])) ? f i lt e r_v a r($_ PO ST

['q u a n t it y'], FILT ER _VAL IDATE _ IN T,

array('min_range' => 1)) : NULL;

16 $price = (isset($_POST['price']))

? filter_var($_POST['price'],

FILTER_SANITIZE_NUMBER_FLOAT,

FILTER_FLAG_ALLOW_FRACTION) : NULL;

17 $tax = (isset($_POST['tax'])) ?

filter_var($_POST['tax'], FILTER_

SANITIZE_NUMBER_FLOAT, FILTER_FLAG_

ALLOW_FRACTION) : NULL;

19 // All variables should be positive!

20 if ( ($ quantity > 0) && ($price > 0)

&& ($tax > 0) ) {

22 // Calculate the total:

23 $total = $quantity * $price;

24 $total += $total * ($tax/100);

26 // Print the result:

27 echo '< p>T h e total cost of

purchasing ' . $quantity . '

widget(s) at $' . number_format

($price, 2) . ' each, plus tax,

is $' . number_format ($to tal, 2) .

'.< / p >';

code continues on next page

ptg6935296

Security Methods 423

This version of the script will improve

upon its predecessor in a couple of

ways. First, each POST variable is

checked for existence using

isset( )

instead of assuming the variable exists.

If the variable is not set, then

$quantity

is assigned

NULL

. If the variable is

set, it’s run through

filter_var( )

sanitizing the value as an integer

greater than 1. The sanitized value

is then assigned to

$quantity

. All of

this code is written using the ternary

operator, introduced in Chapter 10,

“Common Programming Techniques,”

for brevity’s sake. As an

if-else

conditional, the same code would be

written as:

if (isset($_POST['quantity'])) {

$quantity = filter_var($_POST

➝

['q u a n t it y'], FILTER _VALIDATE _

➝

INT, array('min_range' => 1));

} else {

$quantity = NULL;

}

3. Change the assignment of the

$price

variable to:

$price = (isset($_POST['price'])) ?

➝

filter_var($_POST['price'],

➝

FILTER_SANITIZE_NUMBER_FLOAT,

➝

FILTER_FLAG_ALLOW_FRACTION) :

➝

NULL;

This code is a repetition of that in Step 2,

except that the sanitizing filter insists

that the data be a float. The additional

argument,

FILTER_FLAG_ALLOW_

FRACTION

, says that it’s acceptable for

the value to use a decimal point.

continues on next page

Script 13.5 continued

29 } else { // Invalid submitted values.

30 echo '< p style="font-weight: bold;

color: #C00">Please enter a valid

quantity, price, and tax rate.</p>';

31 }

33 } // End of main isset( ) IF.

35 // Leave the PHP section and create the

HTML form.

36 ?>

37 <h2>Widget Cost Calculator</h2>

38 <form action="calculator.php"

method="post">

39 <p>Quantity: <input type="text"

name="quantity" size="5" maxlength="10"

value="<?php if (isset($quantity)) echo

$quantity; ?>" /></p>

40 <p>Price: <input type="text"

name="price" size="5" maxlength="10"

value="<?php if (isset($price)) echo

$price; ?>" /></p>

41 <p>Tax (%): <input type="text"

name="tax" size="5" maxlength="10"

value="<?php if (isset($tax)) echo

$tax; ?>" /></p>

42 <p><input type="submit" name="submit"

value="Calculate!" /></p>

43 </form>

44 </body>

45 </html>

ptg6935296

424 Chapter 13

4. Change the assignment of the

$tax

variable to:

$tax = (isset($_POST['tax'])) ?

➝

filter_var($_POST['tax'],

➝

FILTER_SANITIZE_NUMBER_FLOAT,

➝

FILTER_FLAG_ALLOW_FRACTION) :

➝

NULL;

This is a repetition of the code in Step 3.

5. Save the page, place it in your Web

directory, and test it in your Web

browser A and B.

The

filter_has_var( )

function

confirms if a variable with a given name exists.

The

filter_input_array( )

function

allows you to apply an array of filters to an array

of variables in one step. For details (and per-

haps to be blown away), see the PHP manual.

A Invalid values in submitted

form data…

B …will be nullified by the Filter extension (as

opposed to typecasting, which, for example,

converted the string

cat

to the number 0).

ptg6935296

Security Methods 425

Fortunately, SQL injection attacks are

rather easy to prevent. Start by validating

all data to be used in queries (and perform

typecasting, or apply the Filter extension,

whenever possible). Second, use a function

mysqli_real_escape_string( )

which makes data safe to use in queries.

This function was introduced in Chapter 9,

“Using PHP and MySQL.” Third, don’t show

detailed errors on live sites.

An alternative to using

mysqli_real_

escape_string( )

is to use

prepared

statements

. Prepared statements were

added to MySQL in version 4.1, and PHP

continues on next page

A If a site reveals a detailed error message and doesn’t properly handle problematic characters in submitted

values, hackers can learn a lot about your server.

Preventing SQL

Injection Attacks

Another type of attack that malicious users

can attempt is

SQL injection

attacks. As

the name implies, these are endeavors to

insert bad code into a site’s SQL queries.

One aim of such attacks is that they would

create a syntactically invalid query, thereby

revealing something about the script or

database in the resulting error message

A. An even bigger aspiration is that the

injection attack could alter, destroy, or

expose the stored data.

Prepared Statement Performance

Prepared statements can be more secure than running queries in the old-fashioned way, but they

may also be faster. If a PHP script sends the same query to MySQL multiple times, using different

values each time, prepared statements can really speed things up. In such cases, the query itself

is only sent to MySQL and parsed once. Then, the values are sent to MySQL separately.

As a trivial example, the following code would run 100 queries in MySQL:

$q = 'INSERT INTO counter (num) VALUES (?)';

$stmt = mysqli_prepare($dbc, $q);

mysqli_stmt_bind_param($stmt, 'i', $n);

for ($n = 1; $n <= 100; $n+ +) {

mysqli_stmt_execute($stmt);

}

Even though the query is being run 100 times, the full text is only being transferred to, and parsed

by, MySQL once. MySQL versions 5.1.17 and later include a caching mechanism that may also

improve the performance of other uses of prepared statements.

ptg6935296

426 Chapter 13

can use them as of version 5 (thanks to

the Improved MySQL extension). When not

using prepared statements, the entire query,

including the SQL syntax and the specific

values, is sent to MySQL as one long string.

MySQL then parses and executes it. With a

prepared query, the SQL syntax is sent to

MySQL first, where it is parsed, making sure

it’s syntactically valid (e.g., confirming that

the query does not refer to tables or col-

umns that don’t exist). Then the specific val-

ues are sent separately; MySQL assembles

the query using those values, then executes

it. The benefits of prepared statements are

important: greater security and potentially

better performance. I’ll focus on the security

aspect here, but see the sidebar for a dis-

cussion of performance.

Prepared statements can be created out

of any

INSERT

UPDATE

DELETE

, or

SELECT

query. Begin by defining your query,

marking

placeholders

using question

marks. As an example, take the

SELECT

query from

edit_user.php

(Script 10.3):

$q = "SELECT first_name, last_name,

➝

email FROM users WHERE user_id=$id";

As a prepared statement, this query becomes

$q = "SELECT first_name, last_name,

➝

email FROM users WHERE user_id=?";

Next,

prepare

the statement in MySQL,

assigning the results to a PHP variable:

$stmt = mysqli_prepare($dbc, $q);

At this point, MySQL will parse the query,

but it won’t execute it.

Next, you

bind

PHP variables to the query’s

placeholders. In other words, you state

that one variable should be used for the

first question mark, another variable for the

next question mark, and so on. Continuing

with the same example, you would code

mysqli_stmt_bind_param($stmt, 'i', $id);

The

part of the command indicates what

kind of value should be expected, using

the characters listed in Table 13.5. In this

case, the query expects to receive one

integer. As another example, here’s how

the login query from Chapter 12, “Cookies

and Sessions,” would be handled:

$q = "SELECT user_id, first_name

➝

FROM users WHERE email=? AND

➝

pass=SHA1(?)";

$stmt = mysqli_prepare($dbc, $q);

mysqli_stmt_bind_param($stmt, 'ss',

➝

$e, $p);

In this example, something interesting is

also revealed: even though both the email

address and password values are strings,

they are not placed within quotes

in the

query. This is another difference between a

prepared statement and a standard query.

Once the statement has been bound, you

can assign values to the PHP variables (if that

hasn’t happened already) and then execute

the statement. Using the login example,

that’d be:

$e = 'email@example.com';

$p = 'mypass';

mysqli_stmt_execute($stmt);

The values of

and

will be used when

the prepared statement is executed.

To se e t h is p r o ce s s in a c t io n , l et ’s w r i te a

script that adds a post to the

messages

table

in the

forum

database (created in Chapter 6,

“Database Design”). I’ll also use the oppor-

tunity to demonstrate a couple of the other

prepared statement-related functions.

TABLE 13.5 Bound Value Types

Letter Represents

d Decimal

i Integer

b Blob (binary data)

s All other types

ptg6935296

Security Methods 427

To use prepared statements:

1. Begin a new PHP script in your

text editor or IDE, to be named

post_message.php

(Script 13.6):

<!DOCTYPE ht ml PUBLIC "-//W3C//

➝

DTD XHTML 1.0 Transitional//EN"

➝

"http://www.w3.org/TR/xhtml1/DTD/

➝

xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/

➝

1999/xhtml" xml:lang="en"

➝

lang="en">

<head>

➝

content="text/html;

➝

charset=utf-8" />

<title>Post a Message</title>

</head>

<body>

<?php # Script 13.6 -

➝

post_message.php

2. Check for form submission and connect

to the

forum

database:

if ($_SERVER['REQUEST_METHOD'] = =

➝

'POST') {

$dbc = mysqli_connect

➝

('lo calh o s t', 'u sern a m e',

➝

'pass w o rd', 'f oru m');

Note that, for brevity’s sake, I’m

omitting basic data validation and

error reporting. Although a real site (a

more realized version of this script can

be found in Chapter 17, “Example—

Message Board”), would check that

the message subject and body aren’t

empty and that the various ID values

are positive integers, this script will still

be relatively safe, thanks to the security

offered by prepared statements.

This example will use the

forum

database, created in Chapter 6.

continues on next page

Script 13.6 This script, which represents a

simplified version of a message posting page,

uses prepared statements as a way of preventing

SQL injection attacks.

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML

1.0 Transitional//EN" "http://www.w3.org/

TR/xhtml1/DTD/xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/

xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type"

content="text/html; charset=utf-8" />

5 <title>Post a Message</title>

6 </head>

7 <body>

8 <?php # Script 13.6 - post_message.php

10 if ($_SERVER['REQUEST_METHOD'] = = 'POST') {

12 // Validate the data (omitted)!

14 // Connect to the database:

15 $dbc = mysqli_connect ('localh ost',

'username', 'password', 'forum');

17 // Make the query:

18 $q = 'INSERT INTO messages

(fo ru m _i d, par ent _i d, use r_ id,

subject, body, date_entered)

VALUES (?, ?, ?, ?, ?, NOW( ))';

20 // Prepare the statement:

21 $stmt = mysqli_prepare($dbc, $q);

23 // Bind the variables:

24 mysqli_stmt_bind_param($stmt,

'iiiss', $foru m_id, $parent_ id,

$user_id, $subject, $body);

26 // Assign the values to variables:

27 $forum_id = (int) $_POST['for um_id'];

28 $parent_id = (int) $_POST['parent_id'];

29 $user_id = 3; // The user_id value

would normally come from the session.

30 $subject = strip_tags($_POST['subject']);

31 $body = strip_tags($_POST['body']);

33 // Execute the query:

34 mysqli_stmt_execute($stmt);

code continues on next page

ptg6935296

428 Chapter 13

3. Define and prepare the query:

$q = 'INSERT INTO messages

➝

(foru m _ i d, par e nt_id, u ser_id,

➝

subject, body, date_entered)

➝

VALUES (?, ?, ?, ?, ?, NOW( ))';

$stmt = mysqli_prepare($dbc, $q);

This syntax has already been explained.

The query is defined, using placeholders

for values to be assigned later. Then the

mysqli_prepare( )

function sends this

to MySQL, assigning the result to

$stmt

The query itself was first used in Chapter

6. It populates six fields in the

messages

table. The value for the

date_entered

column will be the result of the

NOW( )

function, not a bound value.

4. Bind the appropriate variables and

create a list of values to be inserted:

mysqli_stmt_bind_param($stmt,

➝

'iiiss', $foru m _id, $parent_id,

➝

$user_id, $subject, $body);

$forum_id = (int)

➝

$_P OST['f or u m _i d'];

$parent_id = (int)

➝

$_POST['paren t_id'];

$user_id = 3;

$subject = strip_tags($_POST

➝

['s u b j e c t']);

$body = strip_tags($_POST['body']);

The first line says that three integers

and two strings will be used in the

prepared statement. The values will be

found in the variables to follow.

For those variables, the subject and

body values come straight from the

form B, after running them through

strip_tags( )

to remove any potentially

dangerous code. The forum ID and

parent ID (which indicates if the message

is a reply to an existing message or not)

also come from the form. They’ll be

typecast to integers (for added security,

you would confirm that they’re positive

Script 13.6 continued

36 // Print a message based upon the result:

37 if (mysqli_stmt_affected_rows($stmt)

= = 1) {

38 echo '< p >Y o u r message has been

posted.</p>';

39 } else {

40 echo '< p style="font-weight: bold;

color: #C00">Your message could

not be posted.</p>';

41 echo '<p>' . mysqli_stmt_error

($st mt) . '</p>';

42 }

44 // Close the statement:

45 mysqli_stmt_close($stmt);

47 // Close the connection:

48 mysqli_close($dbc);

50 } // End of submission IF.

52 // Display the form:

53 ?>

54 <form action="post_message.php"

method="post">

56 <fieldset><legend>Post a message:

</legend>

58 <p><b>Subject</b>: <input

name="subject" type="text" size="30"

maxlength="100" /></p>

60 <p><b>Body</b>: <textarea name="body"

rows="3" cols="40"></textarea></p>

62 </fieldset>

63 <div align="center"><input type="submit"

name="submit" value="Submit" /></div>

64 <input type="hidden" name="forum_id"

value="1" />

65 <input type="hidden" name="parent_id"

value="0" />

67 </form>

68 </body>

69 </html>

ptg6935296

Security Methods 429

mysqli_stmt_affected_rows( )

func-

tion, which works as you expect it would

(returning the number of affected rows). In

that case, a simple message is printed C.

If a problem occurred, the m

ysqli_stmt_

error( )

function returns the specific

MySQL error message. This is for your

debugging purposes, not to be used in a

live site. That being said, often the PHP

error message is more useful than that

returned by

mysqli_stmt_error( )

7. Close the statement and the database

connection:

mysqli_stmt_close($stmt);

mysqli_close($dbc);

The first function closes the prepared

statement, freeing up the resources.

At this point,

$stmt

no longer has a

value. The second function closes the

database connection.

8. Complete the PHP section:

} // End of submission IF.

continues on next page

B The simple HTML form. C If one record in the database was affected by

the query, this will be the result.

numbers after typecasting them, or you

could use the Filter extension).

The user ID value, in a real script, would

come from the session, where it would

be stored when the user logged in.

5. Execute the query:

mysqli_stmt_execute($stmt);

Finally, the prepared statement

is executed.

6. Print the results of the execution and

complete the loop:

if (mysqli_stmt_affected_rows

➝

($st m t) = = 1) {

echo '<p>Your message has been

➝

posted.</p>';

} else {

echo '<p style="font-weight:

➝

bold; color: #C00">Your message

➝

could not be posted.</p>';

echo '<p>' . mysqli_stmt_error

➝

($st m t) . '</p>';

}

The successful insertion of a

record can be confirmed using the

D Error reporting with

prepared statements

can be confounding

sometimes!

ptg6935296

430 Chapter 13

9. Begin the form:

<form action="post_message.php"

➝

method="post">

<fieldset><legend>Post a

➝

message:</legend>

<p><b>Subject</b>: <input name=

➝

"subject" type="text" size="30"

➝

maxlength="100" /></p>

<p><b>Body</b>: <textarea

➝

name="body" rows="3"

➝

cols="40"></textarea></p>

</fieldset>

The form begins with just a subject

text input and a textarea for the

message’s body.

More Security Recommendations

This chapter covers many specific techniques for improving your Web security. Here are a handful

of other recommendations:

Do your best to limit what information is requested from the user, and what the site stores. The less

information handled by the site in any way means there’s less data to worry about being stolen.

Make it your job to study, follow, and abide by security recommendations. Don’t just rely upon

the advice of one chapter, one book, or one author.

Don’t retain user-supplied names for uploaded files. You’ll see an alternative solution in

Chapter 19, “Example—E-Commerce.”

Watch how database references are used. For example, if a person’s user ID is their primary

key from the database and this is stored in a cookie (as in Chapter 12), a malicious user just

needs to change that cookie value to access another user’s account.

Don’t show detailed error messages (this point was repeated in Chapter 8, “Error Handling

and Debugging”).

Use cryptography (this is discussed in Chapter 7, “Advanced SQL and MySQL,” with respect to

the database, and in my book

PHP 5 Advanced: Visual QuickPro Guide

(Peachpit Press, 2007)

with respect to the server).

Don’t store credit card numbers, social security numbers, banking information, and the like. The

only exception to this would be if you have deep enough pockets to pay for the best security and

to cover the lawsuits that arise when this data is stolen from your site (which will inevitably happen).

Use SSL, when appropriate. A secure connection is one of the best protections a server can

offer a user.

Reliably and consistently protect every page and directory that needs it. Never assume that

people won’t find sensitive areas just because there’s no link to them. If access to a page or

directory should be limited, make sure it is.

My final recommendation is to be aware of your own limitations. As the programmer, you probably

approach a script thinking how it

should be

used. This is not the same as to how it

will be

used,

either accidentally or on purpose. Try to break your site to see what happens. Do bad things, do

the wrong thing. Have other people try to break it, too (it’s normally easy to find such volunteers).

When you code, if you assume that no one will ever use a page properly, it’ll be much more secure

than if you assume people always will.

ptg6935296

Security Methods 431

and

parent_id

values would be

determined dynamically.

11. Complete the page:

</body>

</html>

12. Save the file as

post_message.php

place it in your Web directory, and test

it in your Web browser E.

There are two kinds of prepared state-

ments. Here I have demonstrated bound param-

eters, where PHP variables are bound to a query.

The other type is bound results, where the

results of a query are bound to PHP variables.

E Selecting the most recent entry in

the

messages

table confirms that the

prepared statement (Script 13.6) worked.

Notice that the HTML was stripped out of

the post but the quotes are still present.

Preventing Brute Force Attacks

A brute force attack is an attempt to log in to a secure system by making lots of attempts in the

hopes of eventual success. It’s not a sophisticated type of attack, hence the name “brute force.”

For example, if you have a login process that requires a username and password, there is a limit

as to the possible number of username/password combinations. That limit may be in the billions

or trillions, but still, it’s a finite number. Using algorithms and automated processes, a brute force

attack repeatedly tries combinations until they succeed.

The best way to prevent brute force attacks from succeeding is requiring users to register with good,

hard-to-guess passwords: containing letters, numbers, and punctuation; both upper and lowercase;

words not in the dictionary; at least eight characters long, etc. Also, don’t give indications as to why a

saying that a username isn’t right or that the password isn’t right for that username says too much.

To stop a brute force attack in its tracks, you could also limit the number of incorrect login at tempts

by a given IP address. IP addresses do change frequently, but in a brute force attack, the same IP

address would be trying to log in multiple times in a matter of minutes. You would have to track

incorrect logins by IP address, and then, after

number of invalid attempts, block that IP address

for 24 hours (or something). Or, if you didn’t want to go that far, you could use an “incremental

delay” defense: each incorrect login from the same IP address creates an added delay in the

response (use PHP’s

sleep( )

function to create the delay). Humans might not notice or be both-

ered by such delays, but automated attacks most certainly would.

10. Complete the form:

<div align="center"><input

➝

type="submit" name="submit"

➝

value="Submit" /></div>

<input type="hidden" name=

➝

"forum_id" value="1" />

<input type="hidden" name=

➝

"parent_id" value="0" />

</form>

The form contains two fields the user

would fill out and two hidden inputs

that store values the query needs. In a

real version of this script, the

forum_id

ptg6935296

432 Chapter 13

Review and Pursue

If you have any problems with the

review questions or the pursue prompts,

turn to the book’s supporting forum

(

www.LarryUllman.com/forums/

Review

What are some of the inappropriate

strings and characters that could be

indicators of potential spam attempts?

What does the

stripos( )

function do?

What is its syntax?

What does the

str_replace( )

function

do? What is its syntax?

What does the

array_map( )

function

do? What is its syntax?

What is

typecasting

? How do you type-

cast a variable in PHP?

What function is used to move an

uploaded file to its final destination on

the server?

What is the Fileinfo extension? How is

it used?

What does the

htmlspecialchars( )

function do?

What does the

htmlentities( )

function do?

What does the

strip_tags( )

function do?

What function converts newline charac-

ters into HTML break tags?

What is the most important function in

the Filter extension? How is it used?

What are prepared statements? What

benefits might prepared statements

have over the standard method of que-

rying a database?

What is the syntax for using prepared

statements?

Pursue

If you haven’t applied the Filter func-

tion, for email validation, and the

spam_

scrubber( )

function to a contact form

used on one of your sites, do so now!

Change

calculator.php

to allow for no

tax rate.

Update

calculator.php

, from Chapter 3,

“Creating Dynamic Web Sites,” so that it

also uses typecasting or the Filter exten-

sion. (As a reminder, that calculator deter-

mined the cost of a car trip, based upon

the distance, average miles per gallon,

and average price paid per gallon.)

Modify

upload_rtf.php

so that it

reports the actual MIME type for the

uploaded file, should it not be

text/rtf

Create a PHP script that reports the

MIME type of any uploaded file.

Apply the

strip_tags( )

function to

a previous script in the book, such as

the registration example, to prevent

inappropriate code from being stored

in the database.

Apply the Filter function to the login

process in Chapter 12 to guarantee that

the submitted email address meets the

email address format, prior to using it in

a query.

Apply the Filter function, or typecast-

ing, to the

delete_user.php

and

edit_

user.php

scripts from Chapter 10.

Apply the Fileinfo extension to the

show_image.php

script from Chapter 11.

ptg6935296

Regular expressions are an amazingly

powerful (but tedious) tool available in

most of today’s programming languages

and even in many applications. Think of

regular expressions as an elaborate sys-

tem of matching patterns. You first write the

pattern and then use one of PHP’s built-in

functions to apply the pattern to a value

(regular expressions are applied to strings,

even if that means a string with a numeric

value). Whereas a string function could see

if the name

John

is in some text, a regular

expression could just as easily find

John

Jon

, and

Jonathon

Because the regular expression syntax is

so complex, while the functions that use

them are simple, the focus in this chapter

will be on mastering the syntax in little

bites. The PHP code will be very simple;

later chapters will better incorporate regu-

lar expressions into real-world scripts.

Perl-Compatible

Regular Expressions

In This Chapter

Creating a Test Script 434

Defining Simple Patterns 438

Using Quantifiers 441

Using Character Classes 443

Finding All Matches 446

Using Modifiers 450

Matching and Replacing Patterns 452

Review and Pursue 456

ptg6935296

434 Chapter 14

Creating a Test Script

As already stated, regular expressions are

a matter of applying patterns to values.

The application of the pattern to a value

is accomplished using one of a handful

of functions, the most important being

preg_match( )

. This function returns a 0

or 1, indicating whether or not the pattern

matched the string. Its basic syntax is

preg_match(pattern, subject);

The

preg_match( )

function will stop once

it finds a single match. If you need to find

all the matches, use

preg_match_all( )

That function will be discussed toward the

end of the chapter.

When providing the pattern to

preg_

match( )

, it needs to be placed within

quotation marks, as it’ll be a string.

Because many escaped characters within

double quotation marks have special

meaning (like

), I advocate using single

quotation marks to define your patterns.

Secondarily, within the quotation marks,

the pattern needs to be encased within

delimiters

. The delimiter can be any

character that’s not alphanumeric or the

backslash, and the same character must

be used to mark the beginning and end

of the pattern. Commonly, you’ll see

forward slashes used. To see if the word

cat

contains the letter

, you would code

(spoiler alert: it does):

if (preg_match('/a/', 'cat')) {

If you need to match a forward slash in the

pattern, use a different delimiter, like the

pipe (

) or an exclamation mark (

The bulk of this chapter covers all the rules

for defining patterns. In order to best learn by

example, let’s start by creating a simple PHP

script that takes a pattern and a string A and

returns the regular expression result B.

A The HTML form, which will be used for

practicing regular expressions.

B The script will print what values were used in

the regular expression and what the result was.

The form will also be made sticky to remember

previously submitted values.

ptg6935296

Perl-Compatible Regular Expressions 435

To match a pattern:

1. Begin a new PHP document in your text

editor or IDE, to be named

pcre.php

(Script 14.1).

<!DOCTYPE ht ml PUBLIC "-//W3C//

➝

DTD XHTML 1.0 Transitional//EN"

➝

"http://www.w3.org/TR/xhtml1/DTD/

➝

xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/

➝

1999/xhtml" xml:lang="en"

➝

lang="en">

<head>

➝

content="text/html;

➝

charset=utf-8" />

<title>Testing PCRE</title>

</head>

<body>

<?php // Script 14.1 - pcre.ph p

2. Check for the form submission:

if ($_SERVER['REQUEST_METHOD'] = =

➝

'POST') {

3. Treat the incoming values:

$pattern = trim($_POST['pattern']);

$subject = trim($_POST['subject']);

The form will submit two values to this

same script. Both should be trimmed,

just to make sure the presence of any

extraneous spaces doesn’t skew the

results. I’ve omitted a check that each

input isn’t empty, but you could include

that if you wanted.

continues on next page

Script 14.1 The complex regular expression syntax

will be best taught and demonstrated using this

PHP script.

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML

1.0 Transitional//EN" "http://www.w3.org/

TR/xhtml1/DTD/xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/

xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type"

content="text/html; charset=utf-8" />

5 <title>Testing PCRE</title>

6 </head>

7 <body>

8 <?php // Script 14.1 - pcre.php

9 // This script takes a submitted string

and checks it against a submitted pattern.

11 if ($_SERVER['REQUEST_METHOD'] = = 'POST') {

13 // Trim the strings:

14 $pattern = trim($_POST['pattern']);

15 $subject = trim($_POST['subject']);

17 // Print a caption:

18 echo "< p>T h e result of checking<br />

<b>$pattern</b><br />against<br />

$subject<br />is ";

20 // Test:

21 if (preg_match ($pattern,

$subject) ) {

22 echo 'TRUE!</p>';

23 } else {

24 echo 'FALSE!</p>';

25 }

27 } // End of submission IF.

28 // Display the HTML form.

29 ?>

30 <form action="pcre.php" method="post">

31 <p>Regular Expression Pattern:

<input type="text" name="pattern"

value="<?php if (isset($pattern)) echo

htmlentities($pattern); ?>" size="40" />

(include the delimiters)</p>

32 <p>Test Subject: <input type="text"

name="subject" value="<?php if (isset

($su bject)) echo htmlentities($subject);

?>" size="40" /></p>

33 <input type="submit" name="submit"

value="Test!" />

34 </form>

35 </body>

36 </html>

ptg6935296

436 Chapter 14

Note that if Magic Quotes is enabled

on your server, you’ll see extra

slashes added to the form data C.

To combat this, you ’ll need to app ly

stripslashes( )

here as well:

$pattern = stripslashes(trim

➝

($_P OST['pat tern']));

$subject = stripslashes(trim

➝

($_P OST['su bject']));

4. Print a caption:

echo "<p>The result of checking

➝

<br /><b>$pattern</b><br />against

<br />$subject<br />is ";

As you can see B, the form-handling

part of this script will start by printing

the values submitted.

5. Run the regular expression:

if (preg_match ($pattern,

➝

$subject) ) {

echo 'TRUE!</p>';

} else {

echo 'FALSE!</p>';

}

To test the pattern against the st ring,

feed both to the

preg_match( )

func-

tion. If this function returns 1, that means

a match was made, this condition will

be TRUE, and the word

TRUE

will be

printed. If no match was made, the

condition will be FALSE and that will

be stated D.

C With Magic Quotes enabled on your server, the

script will add slashes to certain characters, most

likely making the regular expressions fail.

D If the pattern does not match the string, this

will be the result. This submission and response

also conveys that regular expressions are case-

sensitive by default.

ptg6935296

Perl-Compatible Regular Expressions 437

conflict with the form’s “stickiness,”

each variable’s value is sent through

htmlentities( )

, too.

8. Complete the HTML page:

</body>

</html>

9. Save the file as

pcre.php

, place it in

your Web directory, and test it in your

Web browser.

Although you don’t know the rules for

creating patterns yet, you could use any

other literal value. Remember to use

delimiters around the pattern or else

you’ll see an error message E.

Some text editors, such as BBEdit and

emacs, allow you to use regular expressions

to match and replace patterns within and

throughout several documents.

The PCRE functions all use the estab-

lished locale. A locale reflects a computer’s

designated country and language, among

other settings.

Previous versions of PHP supported

another type of regular expressions, called

POSIX. These have since been deprecated,

meaning they’ll be dropped from future ver-

sions of the language.

6. Complete the submission conditional

and the PHP block:

} // End of submission IF.

7. Create the HTML form:

<form action="pcre.php" method=

➝

"post">

<p>Regular Expression Pattern:

➝

<input type="text" name=

➝

"pattern" value="<?php if

➝

(isset($patter n)) echo

➝

htmlentities($pattern);

➝

?>" size="40" /> (include

➝

the delimiters)</p>

<p>Test Subject: <input type=

➝

"text" name="subject" value=

➝

"<?p h p if (i sse t($su b j e ct))

➝

echo htmlentities($subject);

➝

?>" size="40" /></p>

<input type="submit" name=

➝

"submit" value="Test!" />

</form>

The form contains two text boxes, both

of which are sticky (using the trimmed

version of the values). Because the

two values might include quotation

marks and other characters that would

E If you fail to wrap

the pattern in matching

delimiters, you’ll see an

error message.

ptg6935296

438 Chapter 14

Defining Simple

Patterns

Using one of PHP’s regular expression

functions is really easy, defining patterns

to use is hard. There are lots of rules for

creating a pattern. You can use these

rules separately or in combination, making

your pattern either quite simple or very

complex. To start, then, you’ll see what

characters are used to define a simple

pattern. As a formatting rule, I’ll define

patterns in bold and will indicate what the

pattern matches in

italics

. The patterns in

these explanations won’t be placed within

delimiters or quotes (both being needed

when used within

preg_match( )

), just to

keep things cleaner.

The first type of character you will use

for defining patterns is a

literal

. A literal

is a value that is written exactly as it is

interpreted. For example, the pattern a

will match the letter

, ab will match

and so forth. Therefore, assuming a case-

insensitive search is performed, rom will

match any of the following strings, since

they all contain

rom

CD-ROM

Rommel crossed the desert.

I’m writing a roman à clef.

Along with literals, your patterns will

use

meta-characters

. These are special

symbols that have a meaning beyond their

literal value (Table 14.1). While a simply

means

, the period (.) will match any

single character except for a newline (.

matches

, the underscore, a space,

etc., just not

). To match any meta-

character, you will need to escape it, much

as you escape a quotation mark to print

it. Hence \. will match the period itself.

So 1.99 matches

1.99

1B99

1299

TABLE 14.1 Meta-Characters

Character Meaning

Escape character

Indicates the beginning

of a string

Indicates the end of a string

. Any single character

except newline

Alternatives (or)

[Start of a class

] End of a class

(Start of a subpattern

) End of a subpattern

{Start of a quantifier

} End of a quantifier

(a 1 followed by any character followed

by 99) but 1\.99 only matches

1.99

Two meta-characters specify where certain

characters must be found. There is the

caret (

), which marks the beginning of

a pattern. There is also the dollar sign

(

), which marks the conclusion of a

pattern. Accordingly, ^a will match any

string beginning with an

, while a$ will

correspond to any string ending with an

Therefore, ^a$ will only match

(a string

that both begins and ends with

These two meta-characters—the caret and

the dollar sign—are crucial to

validation

as validation normally requires checking

the value of an entire string, not just the

presence of one string in another. For

example, using an email-matching pattern

without those two characters will match

any string containing an email address.

Using an email-matching pattern that

begins with a caret and ends with a dollar

sign will match a string that contains

only

a valid email address.

ptg6935296

Perl-Compatible Regular Expressions 439

Regular expressions also make use of the

pipe (

) as the equivalent of

: a|b will

match strings containing either

(Using the pipe within patterns is called

alternation

branching

). So yes|no

accepts either of those two words in their

entirety (the alternation is

not

just between

the two letters surrounding it:

and

Once you comprehend the basic symbols,

then you can begin to use parentheses

to group characters into more involved

patterns. Grouping works as you might

expect: (abc) will match

abc

, (trout) will

match

trout

. Think of parentheses as being

used to establish a new literal of a larger

size. Because of precedence rules in

PCRE, yes|no and (yes)|(no) are equivalent.

But (even|heavy) handed will match either

even handed

heavy handed

To use simple patterns:

1. Load

pcre.php

in your Web browser,

if it is not already.

2. Check if a string contains the letters

cat

To d o so , u s e t he lit e ral cat as the

pattern and any number of strings as the

subject. Any of the following would be a

match:

catalog

catastrophe

my cat left

etc. For the time being, use all lowercase

letters, as cat will not match

Cat

Remember to use delimiters around the

pattern, as well (see the figures).

continues on next page

A Looking for a cat in a string.

B PCRE performs a case-sensitive comparison

by default.

ptg6935296

440 Chapter 14

3. Check if a string starts with

cat

To have a pattern a pply to the sta rt

of a string, use the caret as the first

character (^cat). The sentence

my cat

left

will not be a match now.

4. Check if a string contains the word

color

colour

The pattern to look for the American or

British spelling of this word is col(o|ou)r.

The first three letters—

col

—must be

present. This needs to be followed by

either an

. Finally, an

is required.

If you are looking to match an exact

string within another string, use the

strstr( )

function, which is faster than regular

expressions. In fact, as a rule of thumb, you

should use regular expressions only if the task

at hand cannot be accomplished using any

other function or technique.

Yo u ca n e sc a p e a b u n c h o f ch a r a c te r s

in a pattern using

and

. Every charac-

ter within those will be treated literally (so

\Q$2.99?\E

matches $2.99?).

To match a single backslash, y ou hav e

to use

\\\\

. The reason is that matching a

backslash in a regular expression requires you

to escape the backslash, resulting in

. Then

to use a backslash in a PHP string, it also has

to be escaped, so escaping both backslashes

means a total of four.

C The caret in a pattern means that the match

has to be found at the start of the string.

D By using the pipe meta-character, the performed

search can be more flexible.

ptg6935296

Perl-Compatible Regular Expressions 441

dollar sign. Next, there are three meta-

characters that allow for multiple occur-

rences: a* will match zero or more

’s (no

’s,

aaa

, etc.); a+ matches one or

’s (

aaa

, etc., but there must

be at least one); and a? will match up to

one

(

or no

’s match). These meta-

characters all act as quantifiers in your

patterns, as do the curly braces.

Table 14.2 lists all of the quantifiers.

To match a certain quantity of a t hing, put

the quantity between curly braces ( {}),

stating a specific number, just a minimum,

or both a minimum and a maximum. Thus,

a{3} will match

aaa

; a{3,} will match

aaa

aaaa

, etc. (three or more

’s); and a{3,5}

will match just

aaa

aaaa

, and

aaaaa

(between three and five).

Note that quantifiers apply to the thing that

came before it, so a? matches zero or one

’s, ab? matches an

followed by zero

or one

’s, but (ab)? matches zero or one

’s. Therefore, to match

color

colour

you could also use colou?r as the pattern.

To use quantifiers:

1. Load

pcre.php

in your Web browser, if it

is not already.

2. Check if a string contains the letters

and

, with one or more letters in between A.

To do so, us e c.+t as the pattern and

any number of strings as the subject.

Remember that the period matches any

character (except for the newline). Each

of the following would be a match:

cat

count

coefficient

, etc. The word

doctor

would not match, as there are no letters

between the

and the

(although

doctor

would match c.*t).

3. Check if a string matches either

cat

cats

continues on next page

TABLE 14.2 Quantifiers

Character Meaning

0 or 1

0 or more

1 or more

{x}

Exactly x occurrences

{x,y}

Between x and y (inclusive)

{x,}

At least x occurrences

A The plus sign, when used as a quantifier,

requires that one or more of a thing be present.

B Yo u ca n c he c k fo r t he p l ur a l fo r m of m a ny

words by adding

to the pattern.

Using Quantifiers

Yo u ’ v e j u st se e n a n d p ra c ti c ed wi t h a

couple of the meta-characters, the most

important of which are the caret and the

ptg6935296

442 Chapter 14

When using curly braces to specify

a number of characters, you must always

include the minimum number. The maximum

is optional:

a{3}

and

a{3,}

are acceptable,

but

a{,3}

is not.

Although it demonstrates good dedica-

tion to programming to learn how to write and

execute your own regular expressions, numer-

ous working examples are available already by

searching the Internet.

To start, if you wa nt to make a n exact

match, use both the caret and the dollar

sign. Then you’d have the literal text

cat

, followed by an

, followed by a

question mark (representing 0 or 1

’s).

The final pattern—^cats?$—matches

cat

cats

but not

my cat left

I like cats

4. Check if a string ends with

.33

.333

.3333

To find a period, e scape it with a

backslash: \.. To find a three, use a

literal 3. To find a range of 3’s, use the

curly brackets (

{}

). Putting this together,

the pattern is \.3{2,4}. Because the

string should end with this (nothing else

can follow), conclude the pattern with a

dollar sign: \.3{2,4}$.

Admittedly, this is kind of a stupid

example (not sure when you’d need to

do exactly this), but it does demonstrate

several things. This pattern will match

lots of things—

12.333

varmit.3333

.33

look

.33

—but not 12.3 or

12.334

5. Match a five-digit number D.

A number can be any one of the

numbers 0 through 9, so the heart

of the pattern is (0|1|2|3|4|5|6|7|8|9).

Plainly said, this means: a number is

a 0 or a 1 or a 2 or a 3…. To make it

a five-digit number, follow this with a

quantifier: (0|1|2|3|4|5|6|7|8|9){5}. Finally,

to match this exactly (as opposed to

matching a five-digit number within a

string), use the caret and the dollar sign:

^(0|1|2|3|4|5|6|7|8|9){5}$.

This, of course, is one way to match

a United States zip code, a very

useful pattern.

C The curly braces let you dictate the acceptable

range of quantities present.

D The proper test for confirming that a number

contains five digits.

ptg6935296

Perl-Compatible Regular Expressions 443

Using Character Classes

As the last example demonstrated (D in the

previous section), relying solely upon literals

in a pattern can be tiresome. Having to write

out all those digits to match any number is

silly. Imagine if you wanted to match any

four-letter word: ^(a|b|c|d…){4}$ (and that

doesn’t even take into account uppercase

letters)! To make these common references

easier, you can use

character classes

Classes are created by placing characters

within square brackets ( [ ] ). For example,

you can match any one vowel with [aeiou].

This is equivalent to (a|e|i|o|u). Or you can

use the hyphen to indicate a range of

characters: [a-z] is any single lowercase

letter and [A-Z] is any uppercase, [A-Za-z]

is any letter in general, and [0-9] matches

any digit. As an example, [a-z]{3} would

match

abc

def

oiw

, etc.

Within classes, most of the meta-characters

are treated literally, except for four. The

backslash is still the escape, but the caret

(

) is a negation operator when used as the

first character in the class. So [^aeiou] will

TABLE 14.3 Character Classes

Class Shortcut Meaning

[0-9] \d

Any digit

[\f\r\t\n\v] \s

Any white space

[A-Za-z0-9_] \w

Any word character

[^0 -9] \D

Not a digit

[^\f \ r \t\ n\v] \S

Not white space

[^A-Z a -z 0 -9 _ ] \W

Not a word character

match any non-vowel. The only other meta-

character within a class is the dash, which

indicates a range. (If the dash is used as the

last character in a class, it’s a literal dash.)

And, of course, the closing bracket (

]

) still

has meaning as the terminator of the class.

Naturally, a class can have both ranges

and literal characters. A person’s first

name, which can contain letters, spaces,

apostrophes, and periods, could be

represented by [A-z ‘.] (again, the period

doesn’t need to be escaped within the

class, as it loses its meta-meaning there).

Along with creating your own classes, there

are six already-defined classes that have

their own shortcuts (Table 14.3). The digit and

space classes are easy to understand. The

word character class doesn’t mean “word” in

the language sense but rather as in a string

unbroken by spaces or punctuation.

Using this information, the five-digit number

(aka, zip code) pattern could more easily be

written as ^[0-9]{5}$ or ^\d{5}$. As another

example, can\s?not will match both

can not

and

cannot

(the word

can

, followed by zero

or one space characters, followed by

not

ptg6935296

444 Chapter 14

To use character classes:

1. Load

pcre.php

in your Web browser,

if it is not already.

2. Check if a string is formatted as a valid

United States zip code A.

A United States zip code always starts

with five digits (^\d{5}). But a valid zip

code could also have a dash followed

by another four digits (-\d{4}$). To

make this last part optional, use the

question mark (the 0 or 1 quantifier).

This complete pattern is then ^(\d{5})

(-\d{4})?$. To make it all clearer, the first

part of the pattern (matching the five

digits) is also grouped in parentheses,

although this isn’t required in this case.

3. Check if a string contains no spaces B.

The \S character class shortcut will match

non-space characters. To make sure that

the entire string contains no spaces, use

the caret and the dollar sign: ^\S$. If you

don’t use those, then all the pattern is

confirming is that the subject contains at

least one non-space character.

A The pattern to match a United States zip code,

in either the five-digit or five plus four format.

B The no-white-space shortcut can be used to

ensure that a submitting string is contiguous.

Using Boundaries

Boundaries

are shortcuts for helping to find, um, boundaries. In a way, you’ve already seen this:

using the caret and the dollar sign to match the beginning or end of a value. But what if you wanted

to match boundaries within a value?

The clearest boundary is between a word and a non-word. A “word” in this case is not

cat

month

zeitgeist

, but in the

shortcut sense: the letters A through Z (both upper- and lowercase), plus

the numbers 0 through 9, and the underscore. To use words as boundaries, there’s the \b shortcut.

To use non-word characters as boundaries, there’s \B. So the pattern \bfor\b matches

they’ve

come for you

but doesn’t match

force

forebode

. Therefore \bfor\B would match

force

but not

they’ve come for you

informal

ptg6935296

Perl-Compatible Regular Expressions 445

4. Validate an email address C.

The pattern ^[\w.-]+@[\w.-]+\.[A-Za-z]

{2,6}$ provides for reasonably good

email validation. It’s wrapped in the

caret and the dollar sign, so the

string must be a valid email address

and nothing more. An email address

starts with letters, numbers, and the

underscore (represented by \w), plus a

period (.) and a dash. This first block will

match

larryullman

larry77

larry.ullman

larry-ullman

, and so on. Next, all email

addresses include one and only one @.

After that, there can be any number of

letters, numbers, periods, and dashes.

This is the domain name:

larryullman

smith-jones

amazon.co

(as in

amazon.

co.uk

), etc. Finally, all email addresses

conclude with one period and between

two and six letters. This accounts for

.com

.edu

.info

.travel

, etc.

C A pretty good and reliable validation for email addresses.

I think that the zip code example is a

great demonstration as to how complex and

useful regular expressions are. One pattern

accurately tests for both formats of the zip

code, which is fantastic. But when you put

this into your PHP code, with quotes and

delimiters, it’s not easily understood:

if (preg_match ('/^(\d{5})(-\d{4})?$/',

➝

$zip)) {

That certainly looks like gibberish, right?

This email address validation pattern is

pretty good, although not perfect. It will allow

some invalid addresses to pass through (like

ones starting with a period or containing mul-

tiple periods together). However, a 100 per-

cent foolproof validation pattern is ridiculously

long, and frequently using regular expressions

is really a matter of trying to exclude the bulk

of invalid entries without inadvertently exclud-

ing any valid ones.

Regular expressions, particularly PCRE

ones, can be extremely complex. When start-

ing out, it’s just as likely that your use of them

will break the validation routines instead of

improving them. That’s why practicing like this

is important.

ptg6935296

446 Chapter 14

Finding All Matches

Going back to the PHP functions used

with Perl-Compatible regular expressions,

preg_match( )

has been used just to see

if a pattern matches a value or not. But the

script hasn’t been reporting what, exactly,

in the value did match the pattern. You

can find out this information by providing a

variable as a third argument to the function:

preg_match(pattern, subject, $match);

The

$match

variable will contain the first

match found (because this function only

returns the first match in a value). To find

every match, use

preg_match_all( )

. Its

syntax is the same:

preg_match_all(pattern, subject,

➝

$matches);

This function will return the number of

matches made, or FALSE if none were

found. It will also assign to

$matches

every

match made. Let’s update the PHP script to

print the returned matches, and then run a

couple more tests.

To report all matches:

1. Open

pcre.php

(Script 14.1) in your text

editor or IDE, if it is not already.

2. Change the invocation of

preg_match( )

to (Script 14.2):

if (preg_match_all ($pattern,

➝

$subject, $matches) ) {

There are two changes here. First, the

actual function being called is different.

Second, the third argument is provided

a variable name that will be assigned

every match.

Script 14.2 To reveal exactly what values in a

string match which patterns, this revised version

of the script will print out each match. You can

retrieve the matches by naming a variable

as the third argument in

preg_match( )

preg_match_all( )

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML

1.0 Transitional//EN" "http://www.w3.org/

TR/xhtml1/DTD/xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/

xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type"

content="text/html; charset=utf-8" />

5 <title>Testing PCRE</title>

6 </head>

7 <body>

8 <?php // Script 14.2 - matches.php

9 // This script takes a submitted string

and checks it against a submitted pattern.

10 // This version prints every match made.

12 if ($_SERVER['REQUEST_METHOD'] = = 'POST') {

14 // Trim the strings:

15 $pattern = trim($_POST['pattern']);

16 $subject = trim($_POST['subject']);

18 // Print a caption:

19 echo "< p>T h e result of checking<br />

<b>$pattern</b><br />against<br />

$subject<br />is ";

21 // Test:

22 if (preg_match_all ($pattern,

$subject, $matches) ) {

23 echo 'TRUE!</p>';

25 // Print the matches:

26 echo '<pre>' . print_r($matches,

1) . '</p re>';

28 } else {

29 echo 'FALSE!</p>';

30 }

32 } // End of submission IF.

code continues on next page

ptg6935296

Perl-Compatible Regular Expressions 447

3. After printing the value

TRUE

, print the

contents of

$matches

echo '<pre>' . print_r($matches,

➝

1) . '</pre>';

Using

print_r( )

to output the contents

of the variable is the easiest way to

know what’s in

$matches

(you could

use a

foreach

loop instead). As you’ll

see when you run this script, this

variable will be an array whose first

element is an array of matches made.

4. Change the form’s

action

attribute to

matches.php

<form action="matches.php"

➝

method="post">

This script will be renamed, so the

action

attribute must be changed, too.

5. Change the subject input to be a textarea:

<p>Test Subject: <textarea name=

➝

"subject" rows="5" cols="40">

➝

<?php if (isse t($subject)) echo

➝

htmlentities($subject); ?>

➝

</textarea></p>

Script 14.2 continued

33 // Display the HTML form.

34 ?>

35 <form action="matches.php"

method="post">

36 <p>Regular Expression Pattern:

<input type="text" name="pattern"

value="<?php if (isset($pattern)) echo

htmlentities($pattern); ?>" size="40" />

(include the delimiters)</p>

37 <p>Test Subject: <textarea

name="subject" rows="5"

cols="40"><?php if (isset($subject))

echo htmlentities($subject); ?>

</textarea></p>

38 <input type="submit" name="submit"

value="Test!" />

39 </form>

40 </body>

41 </html>

Being Less Greedy

A key component to Perl-Compatible regular expressions is the concept of

greediness

. By

default, PCRE will attempt to match as much as possible. For example, the pattern <.+> matches

any HTML tag. When tested on a string like

, it will actually

match that entire string, from the opening

to the closing one. This string contains three possible

matches, though: the entire string, the opening tag (from

“>

), and the closing tag (

</a >

To overrule greediness, make the match

lazy

. A lazy match will contain as little data as possible.

Any quantifier can be made lazy by following it with the question mark. For example, the pattern

<.+?> would return two matches in the preceding string: the opening tag and the closing tag. It

would not return the whole string as a match. (This is one of the confusing aspects of the regular

expression syntax: the same character—here, the question mark—can have different meanings

depending on its context.)

Another way to make patterns less greedy is to use negative classes. The pattern <[^>]+> matches

everything between the opening and closing

except for a closing

. So using this pattern would

have the same result as using <.+?>. This pattern would also match strings that contain newline

characters, which the period excludes.

continues on next page

ptg6935296

448 Chapter 14

In order to be able to enter in more

text for the subject, this element will

become a textarea.

6. Save the file as

matches.php

, place it in

your Web directory, and test it in your

Web browser.

For the first test, use for as the pattern

and

This is a formulaic test for informal

matches

. as the subject A. It may

not be proper English, but it’s a good

test subject.

For the second test, change the pattern

to for.* B. The result may surprise you,

the cause of which is discussed in the

sidebar, “Being Less Greedy.” To make

this search less greedy, the pattern could

be changed to for.*?, whose results

would be the same as those in A.

A This first test returns three matches, as the

literal text

for

was found three times.

B Because regular expressions are “greedy” by default (see the

sidebar), this pattern only finds one match in the string. That match

happens to start with the first instance of

for

and continues until the

end of the string.

ptg6935296

Perl-Compatible Regular Expressions 449

For the third test, use for[\S]*, or, more

simply for\S* C. This has the effect

of making the match stop as soon

as a white space character is found

(because the pattern wants to match

for

followed by any number of non–white

space characters).

For the final test, use \b[a-z]*for[a-z]*\b

as the pattern D. This pattern makes

use of boundaries, discussed in the

sidebar “Using Boundaries,” earlier in

the chapter.

The

preg_split( )

function will take

a string and break it into an array using a

regular expression pattern.

C This revised pattern matches strings that begin

with

for

and end on a word.

D Unlike the pattern in C, this one matches

entire words that contain

for

(

informal

here,

formal

in C).

ptg6935296

450 Chapter 14

Using Modifiers

The majority of the special characters

you can use in regular expression patterns

are introduced in this chapter. One final

type of special character is the pattern

modifier. Table 14.4 lists these. Pattern

modifiers are different than the other meta-

characters in that they are placed after the

closing delimiter.

Of these delimiters, the most important is

which enables case-insensitive searches.

All of the examples using variations on

for

(in the previous sequence of steps)

would not match the word

For

. However,

/for.*/i would be a match. Note that I am

including the delimiters in that pattern, as

the modifier goes after the closing one.

Similarly, the last step in the previous

sequence referenced the sidebar “Being

Less Greedy” and stated how for.*? would

perform a lazy search. So would /for.*/U.

The multiline mode is interesting in that

you can make the caret and the dollar sign

behave differently. By default, each applies

to the entire value. In multiline mode, the

caret matches the beginning of any line and

the dollar sign matches the end of any line.

To use modifiers:

1. Load

matches.php

in your Web browser,

if it is not already.

2. Validate a list of email addresses A.

To do so, us e /^[ \w.-]+@[\w.-]+\.[A-Za-z]

{2,6}\r?$/m as the pattern. You’ll see

that I’ve added an optional carriage

return (\r?) before the dollar sign. This

is necessary because some of the lines

will contain returns and others won’t.

And in multiline mode, the dollar sign

matches the end of a line. (To be more

flexible, you could use \s? instead.)

TABLE 14.4 Pattern Modifiers

Character Result

A Anchors the pattern to the

beginning of the string

i Enables case-insensitive mode

m Enables multiline matching

s Has the period match every

character, including newline

x Ignores most white space

UPerforms a non-greedy match

A A list of email addresses, one per line, can be

validated using the multiline mode. Each valid

address is stored in

$matches

ptg6935296

Perl-Compatible Regular Expressions 451

3. Validate a list of United States zip

codes B.

Very similar to the example in Step 2,

the pattern is now /^(\d{5})(-\d{4})?\

s?$/m. You’ll see that I’m using the

more flexible \s? instead of \r?.

You’ll also notice when you try this

yourself (or in B) that the

$matches

variable contains a lot more information

now. This will be explained in the next

section of the chapter.

To always match the start or e nd of a

pattern, regardless of the multiline setting,

there are shortcuts you can use. Within the

pattern, the shortcut

will match only the

very beginning of the value,

matches the

very end, and

matches any line end, like

in single-line mode.

If your version of PHP supports it, it’s

probably best to use the Filter extension to

validate an email address or a URL. But if you

have to validate a list of either, the Filter exten-

sion won’t cut it, and regular expressions will

be required.

B Validating a list of zip codes, one per line.

ptg6935296

452 Chapter 14

initial string. This is why B in the previous

section shows entire zip code matches in

$matches[0]

, the matching first five digits

$matches[1]

, and any matching dash

plus four digits in

$matches[2]

To practice with th is, let’s modify Script 14. 2

to also take a replacement input A.

To match and replace patterns:

1. Open

matches.php

(Script 14.2) in your

text editor or IDE, if it is not already.

2. Add a reference to a third incoming

variable (Script 14.3):

$replace = trim($_POST['replace']);

As you can see in A, the third form

input (added between the existing two)

takes the replacement value. That value

is also trimmed to get rid of any extra-

neous spaces.

If your server has Magic Quotes

enabled, you’ll again need to apply

stripslashes( )

here.

continues on page 454

Matching and

Replacing Patterns

The last subject to discuss in this chapter

is how to match and replace patterns in

a value. While

preg_match( )

and

preg_

match_all( )

will find things for you, if you

want to do a search and replace, you’ll

need to use

preg_replace( )

. Its syntax is

preg_replace(pattern, replacement,

➝

subject);

This function takes an optional fourth

argument limiting the number of

replacements made.

To replace all inst ances of

cat

with

dog

you would use

$str = preg_replace('/cat/', 'dog',

➝

'I l ike m y cat.');

This function returns the altered value

(or unaltered value if no matches were

made), so you’ll likely want to assign it

to a variable or use it as an argument to

another function (like printing it by calling

echo

). Also, as a reminder, the above is just

an example: you’d never want to replace

one literal string with another using regular

expressions, use

str_replace( )

instead.

There is a related concept to discuss

that is involved with this function:

back

referencing

. In a zip code matching

pattern—^(\d{5})(-\d{4})?$—there are two

groups within parentheses: the first five

digits and the optional dash plus four-digit

extension. Within a regular expression

pattern, PHP will automatically number

parenthetical groupings beginning at 1.

Back referencing allows you to refer to

each individual section by using

plus the

corresponding number. For example, if you

match the zip code

94710-0001

with this

pattern, referring back to

will give you

-0001

. The code

refers to the whole

A One use of

preg_replace( )

would be to

replace variations on inappropriate words with

symbols representing their omission.

ptg6935296

Perl-Compatible Regular Expressions 453

Script 14.3 To test the

preg_replace( )

function, which replaces a matched pattern in a string with another

value, you can use this third version of the PCRE test script

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/

xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

5 <title>Testing PCRE Replace</title>

6 </head>

7 <body>

8 <?php // Script 14.3 - replace.php

9 // This script takes a submitted string and checks it against a submitted pattern.

10 // This version replaces one value with another.

12 if ($_SERVER['REQUEST_METHOD'] = = 'POST') {

14 // Trim the strings:

15 $pattern = trim($_POST['pattern']);

16 $subject = trim($_POST['subject']);

17 $replace = trim($_POST['replace']);

19 // Print a caption:

20 echo "<p>The result of replacing<br /><b>$pattern</b><br />with<br />$replace

<br />in<br />$subject<br /><br />";

22 // Check for a match:

23 if (preg_match ($pattern, $subject) ) {

24 echo preg_replace($pattern, $replace, $subject) . '</p>';

25 } else {

26 echo 'The pattern was not found!</p>';

27 }

29 } // End of submission IF.

30 // Display the HTML form.

31 ?>

32 <form action="replace.php" method="post">

33 <p>Regular Expression Pattern: <input type="text" name="pattern" value="<?php if

(isset($pattern)) echo htmlentities($pattern); ?>" size="40" /> (include the delimiters)</p>

34 <p>Replacement: <input type="text" name="replace" value="<?php if (isset($replace))

echo htmlentities($replace); ?>" size="40" /></p>

35 <p>Test Subject: <textarea name="subject" rows="5" cols="40"><?php if (isset($subject)) echo

htmlentities($subject); ?></textarea></p>

36 <input type="submit" name="submit" value="Test!" />

37 </form>

38 </body>

39 </html>

ptg6935296

454 Chapter 14

3. Change the caption:

echo "<p>The result of replacing

➝

<br /><b>$pattern</b><br />

➝

with<br />$replace<br />in

➝

<br />$subject<br /><br />";

The caption will print out all of the

incoming values, prior to applying

preg_replace( )

4. Change the regular expression

conditional so that it only calls

preg_replace( )

if a match is made:

if (preg_match ($pattern,

➝

$subject) ) {

echo preg_replace($pattern,

➝

$replace, $subject) . '</p>';

} else {

echo 'The pattern was not

➝

found!</p>';

}

Yo u c a n c a l l

preg_replace( )

without

running

preg_match( )

first. If no match

was made, then no replacement will occur.

But to make it clear when a match is or is

not being made (which is always good to

confirm, considering how tricky regular

expressions are), the

preg_match( )

function will be applied first. If it returns

a TRUE value, then

preg_replace( )

called, printing the results B. Otherwise,

a message is printed indicating that no

match was made C.

5. Change the form’s

action

attribute to

replace.php

<form action="replace.php"

➝

method="post">

This file will be renamed, so this value

needs to be changed accordingly. C If the pattern is not found within the subject,

the subject will not be changed.

B The resulting text has uses of bleep, bleeps,

bleeped, bleeper, and bleeping replaced with *****.

ptg6935296

Perl-Compatible Regular Expressions 455

6. Add a text input for the replacement

string:

<p>Replacement: <input

➝

type="text" name="replace"

➝

value="<?php if (isset($replace))

➝

echo htmlentities($replace); ?>"

➝

size="40" /></p>

7. Save the file as

replace.php

, place it in

your Web directory, and test it in your

Web browser D.

As a good example, you can turn an

email address found within some

text into its HTML link equivalent:

<a href="mailto:email@example.

com">email@example.com</a>

. The

pattern for matching an email address

should be familiar by now: ^[\w.-]+@

[\w.-]+\.[A-Za-z]{2,6}$. However,

because the email address could be

found within some text, the caret and

dollar sign need to be replaced by the

word boundaries shortcut: \b. The final

pattern is therefore /\b[\w.-]+@[\w.-]

+\.[A-Za-z]{2,6}\b/.

To refer to this ma tched email add ress,

you can refer to

(because

refers to

the entire match, whether or not paren-

theses are used). So the replacement

value would be

$0</a>

. Because HTML is involved

here, look at the HTML source code of

the resulting page for the best idea of

what happened.

Back references can even be used within

the pattern. For example, if a pattern included

a grouping (i.e., a subpattern) that would be

repeated.

I’ve introduced, somewhat quickly, the

bulk of the PCRE syntax here, but there’s

much more to it. Once you’ve mastered all

this, you can consider moving on to anchors,

named subpatterns, comments, lookarounds,

possessive quantifiers, and more.

D Another use of

preg_replace( )

is dynamically

turning email addresses into clickable links. See the

HTML source code for the full effect of the replacement.

ptg6935296

456 Chapter 14

What are the quantifiers? How do you

require 0 or 1 of a character or string?

0 or more? 1 or more? Precisely

occurrences? A range of occurrences?

A minimum of occurrences?

What are character classes?

What meta-characters still have mean-

ing within character classes?

What shortcut represents the “any digit”

character class? The “any white space”

class? “Any word”? What shortcuts rep-

resent the opposite of these?

What are boundaries? How do you

create boundaries in patterns?

How do you make matches “lazy”?

And what does that mean anyway?

What are the pattern modifiers?

What is

back referencing

? How does

it work?

Pursue

Search online for a PCRE “cheat sheet”

(PHP or otherwise) that lists all the

meaningful characters and classes.

Print out the cheat sheet and keep it

beside your computer.

Practice, practice, practice!

Review and Pursue

If you have any problems with the

review questions or the pursue prompts,

turn to the book’s supporting forum

(

www.LarryUllman.com/forums/

Review

What function is used to match a regu-

lar expression? What function is used

to find all matches of a regular expres-

sion? What function is used to replace

matches of a regular expression?

What characters can you use and not

use to delineate a regular expression?

How do you match a literal character or

string of characters?

What are meta-characters? How do you

escape a meta-character?

What meta-character do you use to bind

a pattern to the beginning of a string?

To the end?

How do you create subpatterns

(aka groupings)?

ptg6935296

New in this edition of the book is this

chapter, introducing the jQuery JavaScript

framework. As JavaScript has developed

into a more valuable language over the

past decade, its meaningful usage has

become commonplace in today’s Web

sites. Accordingly, many PHP developers

are expected to know a bit of JavaScript

as well.

Although this chapter cannot present full

coverage of JavaScript or jQuery, you’ll

learn more than enough to be able to add

to your PHP-based projects the features

that users have come to expect. In the

process, you’ll also learn some basics of

programming in JavaScript in general, and

get a sense of into what areas of jQuery

you may want to further delve.

Introducing

jQuery

In This Chapter

What is jQuery? 458

Incorporating jQuery 460

Using jQuery 463

Selecting Page Elements 466

Event Handling 469

DOM Manipulation 473

Using Ajax 479

Review and Pursue 492

ptg6935296

458 Chapter 15

What is jQuery?

In order to grasp jQuery, you must have

a solid sense of what JavaScript is. As

discussed in Chapter 11, “Web Application

Development,” JavaScript is a program-

ming language that’s primarily used to add

dynamic features to Web pages. Unlike

PHP, which always runs on the server,

JavaScript generally runs on the client

(JavaScript is starting to be used as a

server-side tool, too, although that’s still

more on the fringe). PHP, precisely because

it is server-side, is browser-agnostic for the

most part: very few things you’ll do in PHP

will have different results from one browser

to the next. Conversely, precisely because

A The home

page for the

jQuery JavaScript

framework.

B The home page

for the jQuery User

Interface library

(jQuery UI), which

works in conjunction

with jQuery.

it’s running in the Web browser, JavaScript

code often has to be customized for the

variations in browsers. For many years, this

was the bane of the Web developer: creat-

ing reliable cross-browser code. Overcom-

ing this particular hurdle is one of the many

strengths of jQuery (

www.jquery.com

A).

jQuery is a JavaScript framework, a frame-

work just being a library of code whose use

can expedite and simplify development.

The core of the jQuery framework is able

to handle all key JavaScript functionality, as

you’ll see in this chapter. But the framework

is extendable via plug-ins to provide other

features, such as the ability to create a

dynamic, paginated, sortable table of data.

In fact, a number of useful user interface

ptg6935296

Introducing jQuery 459

ways to PHP, differs in other ways, such as

how variables are created, what character is

used to perform concatenation, and so forth.

Moreover, JavaScript is an

object-oriented

language

, meaning the syntax you’ll some-

times see will be that much different than the

procedural PHP programming you’ve done

to this point (the next chapter introduces

Object-Oriented Programming—OOP—in

PHP). Because you’ll inevitably have prob-

lems—like simply omitting a semicolon, you’ll

need to know a bit about how to debug

JavaScript. For a quick introduction to that

subject, see the sidebar.

For examples of server-side JavaScript,

check out Node (

www.nodejs.org

) or Jaxer

(

www.jaxer.org

I’ve written a several-part series on

jQuery, covering many of the same topics as

this chapter. You can find the series on my

Web site (

www.LarryUllman.com

Debugging JavaScript

To this point, you may not have thought it so wonderful that PHP dumped all its errors into your

Web browser, shoving your mistakes in your face. Until now. When Web pages have JavaScript

errors, you rarely are notified. In order to debug problematic JavaScript code, the first thing you’ll

need to do is see what actual errors exist.

The first tool you’ll need when programming in JavaScript is a good Web browser. Not a good

Web browser for

users

, but a good one for

developers

. Firefox (

www.mozilla.com

) is the clear

champion in this regard, although Opera (

www.opera.com

) and Google Chrome (

www.google.com/

chrome/

) may be close seconds. By opening Firefox’s built-in error console (found under the Tools

menu), you’ll be able to see any JavaScript errors as they occur.

An added advantage that Firefox has over the other browsers is a long history of excellent third-

party extensions. In particular, Firebug and Web Developer are fantastic assets for understanding

what’s happening within the Web page. There are also extensions such as FireQuery, which add

jQuery-aware development tools to Firefox.

Before beginning this chapter, I would recommend that you download and install the latest version

of Firefox, and the aforementioned extensions (if you have not already). Running your JavaScript-

enabled Web pages in Firefox will make it easier for you to see the errors as they happen, thereby

making it that much easier to debug.

tools have been wrapped inside their own

bundle, jQuery UI (

www.jqueryui.com

B).

There are many JavaScript frameworks out

there, and in no way am I claiming jQuery is

the best. I do prefer jQuery, however, and it’s

quickly earned a place as one of the premier

JavaScript frameworks. As you’ll soon see,

jQuery has a simple, albeit cryptic, syntax,

and by using it, you can manipulate the

Document Object Model (DOM) with aplomb.

This is to say that you can easily reference

elements within an HTML page, thereby

grabbing the values of form inputs, adding or

removing any kind of HTML element, chang-

ing element properties, and so forth.

Before getting into the particulars of using

jQuery, do understand that jQuery is just a

JavaScript framework, meaning that what

you’ll actually be doing over the next several

pages is JavaScript programming. JavaS-

cript as a language, while similar in some

ptg6935296

460 Chapter 15

Incorporating jQuery

JavaScript is built into all graphical Web

browsers by default, meaning no special

steps must be taken to include JavaScript

in a Web page (users have the option of

disabling JavaScript, although statistically

few do). jQuery is a framework of code,

though; in order to use it, a Web page

must first incorporate the jQuery library.

To include any exte rnal JavaScript file in a

Web page involves the HTML

script

tag,

providing the name of the external file as

the value of its

src

attribute:

➝

javascript" charset="utf-8"></script>

The jQuery framework file will have a name

jquery-X.Y.Z.min.js

, where

X.Y.Z

the version number (1.6.1 at the time of this

writing). The

min

part of the file’s name

indicates that the JavaScript file has been

minified

Minification

is the removal of

spaces, newlines, and comments from

code. The result is code that’s barely

legible A, but still completely functional.

The benefit of minified code is that it will

load in the browser slightly faster because

it will be a marginally smaller file size.

A What the minified jQuery code looks like.

ptg6935296

Introducing jQuery 461

The following set of steps will walk you

through installing the jQuery library on

your Web server and incorporating it into

a Web page; see the sidebar for an alter-

native approach.

To incorporate jQuery:

1. Load

www.jquery.com

in your Web

browser.

2. At the top of the page, select

PRODUCTION

(it’s the default option),

and click

Download(jQuery);

Because the resulting file is just

JavaScript, it will load directly in your

Web browser A.

3. Save the page on your computer.

Most browsers offer a Save Page, Save

As, or Save Page As option. Save the

file as

jquery-X.Y.Z.min.js

, where

X.Y.Z

is the actual version number.

continues on next page

Using Hosted jQuery

This chapter recommends that you download a copy of jQuery and place it in your Web direc-

tory. Upon doing so, you just need to update the

script

tag to point to the location of the jQuery

file on your Web site. I want to mention an alternative solution, though: using a

hosted

version of

jQuery. By this, I mean that instead of using a version of the jQuery library stored on your own Web

server, you could use a version stored elsewhere online. For example, Google provides copies of

many JavaScript frameworks for public use (

http://code.google.com/apis/libraries/

). To use

Google’s copy of the jQuery library, the code would be:

➝

jquery/1.6.1/jquery.min.js" charset="utf-8"></script>

By using Google’s hosted version of jQuery, your site (i.e., your site’s visitors) will likely see a per-

formance boost, due to Google’s Content Delivery Network (CDN) and the way browsers cache

media. I’ve only chosen

not

to use the Google-provided version of jQuery in this chapter because

not all readers will have constant Internet connections and because knowing how to use local

JavaScript files is a critical skill.

B The form for downloading the current version

of jQuery.

ptg6935296

462 Chapter 15

4. Move the downloaded file to a

folder

within your Web server directory.

All of the JavaScript files to be used by

this chapter’s examples will be placed

within a subdirectory named

5. Begin a new HTML document in your

text editor or IDE, to be named

test.

html

(Script 15.1):

<!DOCTYPE ht ml PUBLIC "-//W3C//

➝

DTD XHTML 1.0 Transitional//EN"

➝

"http://www.w3.org/TR/xhtml1/DTD/

➝

xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/

➝

1999/xhtml" xml:lang="en"

➝

lang="en">

<head>

➝

content="text/html;

➝

charset=utf-8" />

<title>Testing jQuery</title>

</head>

<body>

</body>

</html>

This very first example will simply test

the incorporation and basic use of the

jQuery library.

Script 15.1 This blank HTML page shows how the jQuery library can be included.

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/

xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

5 <title>Testing jQuery</title>

6 <script type="text/javascript" src="js/jquery-1.6.1.min.js" charset="utf-8"></script>

7 </head>

8 <body>

9

10 </body>

11 </html>

6. Within the HTML head, include jQuery:

➝

src="js/jquery-1.6.1.min.js"

➝

charset="utf-8"></script>

The

script

tag is used to include a

JavaScript file. Conventionally,

script

tags are placed within the HTML page’s

head, although that’s not required (or

always the case). The value of the

src

attribute needs to match the name and

location of your jQuery library. In this

case, the assumption is that this HTML

page is in the same directory as the

folder, created as part of Step 4.

7. Save the file as

test.html

Because this script won’t be executing

any PHP, it uses the

.html

extension.

8. If you want, load the page in your Web

browser and check for errors.

As this is just an HTML page, you

can load it directly in a Web browser,

without going through a URL. You can

then use your browser’s error console

or other development tools (see the

“Debugging JavaScript” sidebar) to

check that no errors occurred in loading

the JavaScript file.

ptg6935296

Introducing jQuery 463

executed JavaScript code references a

DOM element, the code will fail, as that

DOM element will not have been encoun-

tered by the browser at that point A. The

only reliable way to reference DOM ele-

ments is after the browser has knowledge

of the entire DOM.

In standard JavaScript, you can have code

be executed after the page is completely

loaded by referencing

window.onLoad

. In

jQuery, the preferred method is to confirm

that the Web document is

ready

$(document).ready(some_function);

As mentioned already, the jQuery syntax

can seem especially strange for the

uninitiated, so I’ll explain this in detail.

First of all, the code

$(something)

is how

elements and such within the Web browser

are selected in jQuery. In this particular

case, the item being selected is the entire

Web document. To this selection, the

ready( )

function is applied. It takes one

argument: a function to be called. Note

that the argument is a reference to the

function: its name, without quotation marks.

Separately,

some_function( )

would

have to be defined, wherein the actual

work—that which should be done when

the document is loaded—takes place.

continues on next page

A A browser reads a

Web page as the HTML

is loaded, meaning that

JavaScript code cannot

reference DOM elements

until the browser has

seen them all.

Using jQuery

Once you successfully have jQuery incor-

porated into a Web page, you can begin

using it. jQuery, or any JavaScript code,

can be written between opening and clos-

ing

script

tags:

// Ja v a S c r i p t g o e s h e r e.

</script>

(Note that in JavaScript, the double slashes

create comments, just as in PHP.)

Alternatively, you can place jQuery and

JavaScript code within a separate file, and

then include that file using the

script

tags,

just as you included the jQuery library. This

is the route to be used in this chapter, in

order to further separate the JavaScript

from the HTML.

To be clear, a We b page can hav e multiple

uses of the

script

tags, and the same

script

tag cannot both include an external

file and contain JavaScript code.

The code placed within a

script

tag

will be executed as soon as the browser

encounters it. This is often problematic,

though, as JavaScript is frequently used

to interact with the DOM: if immediately

ptg6935296

464 Chapter 15

An alternative syntax is to use an

anonymous function

, which is a function

definition without a name. Anonymous

functions are common to JavaScript

(anonymous functions are possible in

PHP, too, but not common). To create

an anonymous function, the function’s

definition is placed inline, in lieu of the

function’s name:

$(document).ready(function( ) {

// Fu n c t i o n c o d e.

});

Because the need to execute code when

the browser is ready is so common, this

whole construct is often simplified in

jQuery to just:

$(function( ) {

// Fu n c t i o n c o d e.

});

The syntax is unusual, especially the

});

at the end, so be mindful of this as

you program. As with any programming

language, incorrect JavaScript syntax will

make the code inoperable.

To test jQuery, t his nex t sequence of s teps

will create a JavaScript alert once the

document is ready B. After you have this

simple test working, you can safely begin

using jQuery more practically.

To use jQuery:

1. Create a new JavaScript document in

your text editor or IDE, to be named

test.js

(Script 15.2):

// S c r i p t 1 5.2 - t e s t.js

A JavaScript file has no

script

tags—

those are in the HTML document—or

other opening tags. You can just begin

entering JavaScript code. Again, a

double slash creates a comment.

B This JavaScript alert is created once jQuery

recognizes that the Web document is ready in

the browser.

Script 15.2 This simple JavaScript file creates an

alert to test successful incorporation and use of

the jQuery library.

1 // Script 15.2 - test.js

2 // This script is included by test.html.

3 // This script just creates an alert to

test jQuery.

5 // Do something when the document is

ready:

6 $(function( ) {

8 // Alert!

9 alert('Ready!');

11 });

ptg6935296

Introducing jQuery 465

Assuming that the

test.js

JavaScript

file is placed in the same directory

as the jQuery library, with the same

relative location to

test.html

, this code

will successfully incorporate it.

6. Save the HTML page and test it in your

Web browser B.

If you do not see the alert window, you’ll

need to debug the JavaScript code.

Technically, in OOP, a function is called

a method. For the duration of this chapter,

I’ll continue to use the term “function” as it’s

likely to be more familiar to you.

The code

$( )

is shorthand for calling the

jQuery( )

function.

jQuery’s “ready” status is slightly dif-

ferent than JavaScript’s

onLoad

: the latter

also waits for the loading of images and other

media, whereas jQuery’s ready status is trig-

gered by the full loading of the DOM.

Script 15.3 The updated test HTML page loads a new JavaScript file.

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/

xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

5 <title>Testing jQuery</title>

6 <script type="text/javascript" src="js/jquery-1.6.1.min.js" charset="utf-8"></script>

7 <script type="text/javascript" src="js/test.js" charset="utf-8"></script>

8 </head>

9 <body>

10

11 </body>

12 </html>

2. Create an alert when the document

is ready:

$(function( ) {

alert('Ready!');

});

This is just the syntax already explained,

with a call to

alert( )

in place of the

Function code.

comment shown earlier.

The

alert( )

function takes a string as

its argument, which will be used in the

presented alert box B.

3. Save the file as

test.js

, in your Web

server’s

directory.

4. Open

test.html

(Script 15.1), in your

text editor or IDE.

The next step is to update the HTML

page so that it includes the new

JavaScript file.

5. After including the jQuery library, include

the new JavaScript file (Script 15.3):

➝

src="js/test.js" charset="utf-8">

➝

</script>

ptg6935296

466 Chapter 15

Selecting Page

Elements

Once you’ve got basic jQuery functionality

working, the next thing to learn is how to

select page elements. Being able to do so

will allow you to hide and show images or

blocks of text, manipulate forms, and more.

Yo u ’ v e a l re a dy se e n h o w t o s el e ct t he We b

document itself:

$(document)

. To select

other page elements, use

CSS selectors

place of

document

#something

selects the element with an

value of

something

.something

selects every element with

class

value of

something

selects every element of

something

type (e.g.,

selects every

paragraph)

Those three rules are more than enough

to get you started, but know that unlike

document

, each of these gets placed

A The Widget Cost Calculator as an HTML form.

within quotation marks. For example,

the code

$('a')

selects every link and

$('#caption')

selects the element with

value of

caption

. By definition, no

two elements in a single Web page should

have the same identifying value, thus to

reference individual elements on the page,

#something

is the easiest solution.

These rules can be combined as well:

$('img.landscape')

selects every

image with a

class

landscape

$('#register input')

selects every

input element found within an element

that has an

For the next jQuery example, a

JavaScript-driven version of the Widget

Cost Calculator form, similar to the one

developed in Chapter 13, “Security

Methods,” will be developed. In these next

few steps, the HTML page will be created,

with the appropriate elements, classes, and

unique identifiers to be easily manipulated

by jQuery A.

ptg6935296

Introducing jQuery 467

The CSS file also defines two significant

classes—

error

and

errorMessage

, to be

manipulated by jQuery later in the chap-

ter. The first turns everything red; the

second italicizes text (but the class will be

more meaningful as a way of identifying

a group of similar items). In time, you’ll

see how these classes are used.

4. Change the second

script

tag so that it

references

calculator.js

, not

test.js

➝

src="js/calculator.js"

➝

charset="utf-8"></script>

The JavaScript for this example will go

calculator.js

, to be written subse-

quently. It will be stored in the same

folder as the other JavaScript documents.

continues on next page

Script 15.4 In this HTML page is a form with three textual inputs for performing a calculation.

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/

xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

5 <title>Widget Cost Calculator</title>

6 <link rel="stylesheet" href="css/style.css" type="text/css" media="screen" />

7 <script type="text/javascript" src="js/jquery-1.6.1.min.js" charset="utf-8"></script>

8 <script type="text/javascript" src="js/calculator.js" charset="utf-8"></script>

9 </head>

10 <body>

11

12 <h1>Widget Cost Calculator</h1>

13 <p id="results"></p>

14 <form action="calculator.php" method="post" id="calculator">

15 <p id="quantityP">Quantity: <input type="text" name="quantity" id="quantity" /></p>

16 <p id="priceP">Price: <input type="text" name="price" id="price" /></p>

17 <p id="taxP">Tax (%): <input type="text" name="tax" id="tax" /></p>

18 <p><input type="submit" name="submit" id="submit" value="Calculate!" /></p>

19 </form>

20 </body>

21 </html>

To create the HTML form :

1. Open

test.html

(Script 15.3) in your

text editor or IDE, if it is not already.

Since this file is already jQuery-enhanced,

it’ll be easiest to just update it.

2. Change the page’s title (Script 15.4):

<title>Widget Cost Calculator

➝

</title>

3. After the page title, incorporate a CSS file:

➝

style.css" type="text/css"

➝

media="screen" />

To m ake the f o rm a bit more a t tr active,

some CSS code will style it. You can find

the CSS file in the book’s corresponding

downloads at

www.LarryUllman.com

ptg6935296

468 Chapter 15

5. Within the HTML body, create an empty

paragraph and begin a form:

<h1>Widget Cost Calculator</h1>

<form action="calculator.php"

➝

method="post" id="calculator">

The paragraph with the

results

but no content will be used later in the

chapter to present the results of the

calculations. It has a unique

value,

for easy reference. The form, too, has

a unique

value. The form, in theory,

would be submitted to

calculator.php

(a separate script, not actually written in

this chapter), but that submission will be

interrupted by JavaScript.

6. Create the first form element:

<p id="quantityP">Quantity: <input

➝

type="text" name="quantity"

➝

id="quantity" /></p>

Each form input, as originally written in

Chapter 13, involved the textual prompt,

the element itself, and a paragraph

surrounding both. To the paragraph and

form input, unique

values are added.

Note that I tend to use “camel-case”

style names—

quantityP

—in object-

oriented languages such as JavaScript.

This approach just better follows OOP

conventions (conversely, I would use

quantity_p

in procedural PHP code).

7. Create the remaining two form elements:

<p id="priceP">Price: <input

➝

type="text" name="price"

➝

id="price" /></p>

<p id="taxP">Tax (%): <input

➝

type="text" name="tax"

➝

id="tax" /></p>

8. Complete the form and the HTML page:

<p><input type="submit"

➝

name="submit" id="submit"

➝

value="Calculate!" /></p>

</form>

</body>

</html>

The submit button also has a unique

, but that’s for the benefit of the CSS;

it won’t actually be referenced in the

JavaScript.

9. Save the page as

calculator.html

and

load it in your Web browser A.

Even though the second JavaScript

file,

calculator.js

, has not yet been

written, the form is still loadable.

jQuery has its own additional, custom

selectors, allowing you to select page

elements in more sophisticated ways. For

examples, see the jQuery manual.

ptg6935296

Introducing jQuery 469

all actually the names of functions being

called on the selection. These functions

take one argument: a function to be called

when the event occurs on that selection.

Commonly, the function to be invoked is

written inline, anonymously. For example,

to handle the event of any image being

moused-over, you would code:

$('img').mouseover(function( ) {

// D o t h i s!

});

This construct should look familiar, as

test.js

assigns an event handler that

listens for the

ready

event occurring on the

Web document.

Let’s take this new information and apply

it to the HTML page already begun. At

this point, an event listener can be added

to the form so that its submission can be

handled. In this particular case, the form’s

three inputs will be minimally validated,

the total calculation will be performed, and

the results of the calculation displayed

in an alert A. In order to do all this, you

need to know one more thing: to fetch the

values entered into the textual form inputs

requires the

val( )

function. It returns the

value for the selection, as you’ll see in

these next steps.

Event Handling

JavaScript, like PHP, is often used to respond

to events. Differently, though, events in

JavaScript terms are primarily user actions

within the Web browser, such as:

Moving the cursor over an image or

piece of text

Clicking a link

Changing the value of a form element

Submitting a form

To handle events in JavaScript, yo u apply

event listener

(also called an

event

handler

) to an element, which is to say, you

tell JavaScript that when A event happens

to B element, the C function should be

called. In jQuery, event listeners are

assigned using the syntax

selection.eventType(function);

The

selection

part would be like

$('.something')

$('a')

: whatever

element or elements to which the event

listener should be applied. The

eventType

value will differ based upon the selec-

tion. Common values are

change

focus

mouseover

click

submit

, and

select

different events can be triggered by differ-

ent HTML elements. In jQuery, these are

A The calculations are displayed using an alert

box (for now).

ptg6935296

470 Chapter 15

To handle the form submission:

1. Open

test.js

in your text editor or IDE:

Since the

test.js

file already has the

proper syntax for executing code when

the browser is ready, it’ll be easiest and

most foolproof to start with it.

2. Remove the existing

alert( )

call

(Script 15.5).

All of the following code will go in place

of the original

alert( )

3. In place of the

alert( )

call, add an

event handler to the form’s submission:

$('#calculator').submit(function( ) {

}); // En d o f f o r m s u b m i s s i o n.

The selector grabs a reference to the

form, which has an

value of

calcula-

tor

. To this selection the

submit( )

func-

tion is applied, so that when the form is

submitted, the inline anonymous func-

tion will be called. Because the syntax

can be so tricky, my recommendation

is to add this block of code, and then

write the contents of the anonymous

function—found in the following steps—

secondarily. Note that this and the

following code goes within the existing

$(document).ready( ) { }

block.

4. Within the new anonymous function,

initialize four variables:

var quantity, price, tax, total;

In JavaScript, the

var

keyword is used

to declare a variable. It can also declare

multiple variables at once, if separated

by commas. Note that variables in

JavaScript do not have an initial dollar

sign, like those in PHP.

Script 15.5 This JavaScript file is included by

calculator.html

(Script 15.4). Upon submission

of the form, the form’s values are validated and

a calculation performed.

1 // Script 15.5 - calculator.js

2 // This script is included by

calculator.html.

3 // This script handles and validates the

form submission.

5 // Do something when the document is

ready:

6 $(function( ) {

8 // Assign an event handler to the form:

9 $('#calculator').submit(function( ) {

11 // Initialize some variables:

12 var quantity, price, tax, total;

14 // Validate the quantity:

15 if ($('#q uan tity').val( ) > 0) {

17 // Get the quantity:

18 quantity = $('#quantity').val( );

20 } else { // Invalid quantity!

22 // Alert the user:

23 alert('Please enter a valid

quantity!');

25 }

27 // Validate the price:

28 if ($('#price').val( ) > 0) {

29 price = $('#price').val( );

30 } else {

31 alert('Please enter a valid

price!');

32 }

34 // Validate the tax:

35 if ($('#tax').val( ) > 0) {

36 tax = $('#tax').val( );

37 } else {

38 alert('Please enter a valid

tax!');

39 }

code continues on next page

ptg6935296

Introducing jQuery 471

5. Validate the quantity:

if ($('#quantity').val( ) > 0) {

quantity = $('#quantity').val( );

} else {

alert('Please enter a valid

➝

quantity!');

}

For each of the three form inputs, the

value needs to be a number greater

than zero. The value entered can be

found by calling the

val( )

function on

the selected element. If the returned

value is greater than zero, then the

value is assigned to the local variable

quantity

. Otherwise, an alert box

indicates the problem to the user B.

This is admittedly a tedious use of

alerts; you’ll learn a smoother approach

in the next section of the chapter.

6. Repeat the validation for the other two

form inputs:

if ($('#price').val( ) > 0) {

price = $('#price').val( );

} else {

alert('Please enter a valid

➝

price!');

}

if ($('#tax').val( ) > 0) {

tax = $('#tax').val( );

} else {

alert('Please enter a valid

➝

tax!');

}

continues on next page

Script 15.5 continued

41 // If appropriate, perform the

calculations:

42 if (quantity && price && tax) {

44 total = quantity * price;

45 total += total * (tax/100);

47 // Display the results:

48 alert('The total is $' + total);

50 }

52 // Return false to prevent an

actual form submission:

53 return false;

55 }); // End of form submission.

57 }); // End of document ready.

B If a form element does not have a positive

numeric value, an alert box indicates the error.

ptg6935296

472 Chapter 15

7. If all three variables have valid values,

perform the calculations:

if (quantity && price && tax) {

total = quantity * price;

total += total * (tax/100);

This code should be fairly obvious by

now: it looks almost exactly as it would

in PHP, save for the lack of dollar signs

in front of each variable’s name.

8. Report the total:

alert('The total is $' + total);

Again, a crude alert window will be

used to display the results of the

calculation A. As you can see in

this code, the plus sign performs

concatenation in JavaScript.

9. Complete the conditional begun in

Step 7 and return the value

false

}

return false;

Having the function return

false

prevents the form from actually being

submitted to the script that’s identified

as the form’s

action

10. Save the page as

calculator.js

(in the

folder) and test the calculator in your

Web browser.

Note that if you already had

calculator.html

loaded in your Web

browser, you’ll need to refresh the

browser to load the updated JavaScript.

There are many jQuery plug-ins

specifically for validating forms, but I

wanted to keep this simple (and explain

core JavaScript concepts in the process).

It is possible to format numbers in

JavaScript, for example, so they always

contain two decimals, but it’s not easily done.

For this reason, and because I didn’t want to

detract from the more important information

being covered, the results of the calculation

may not always look as good as they should.

With jQuery, if the browser supports it,

the JavaScript code will perform the calcula-

tions. If the user has JavaScript disabled, or

if she or he is using a really old browser, the

JavaScript will not take effect and the form

will be submitted as per usual (here, to the

non-existent

calculator.php

ptg6935296

Introducing jQuery 473

Another way to impact the DOM is to

change the CSS classes that apply to

a selection. The

addClass( )

function

applies a CSS class and

removeClass( )

removes one. The following code adds the

emphasis

class to a specific blockquote

and removes it from all paragraphs:

$('#blockquoteID').addClass

➝

('e m p h a si s');

$('p').removeClass('emphasis');

The

toggleClass( )

function can be used

to toggle the application of a class to

a selection.

The already mentioned functions generally

change the

properties

of the page’s

elements, but you can also change the

contents

of those elements. In the previous

section, you used the

val( )

function, which

returns the value of a form element. But

when provided with an argument,

val( )

assigns a new value to that form element:

$('#something').val('cat');

Similarly, the

html( )

function returns the

HTML contents of an element and

text( )

returns the textual contents. Both functions

can also take arguments used to assign

new HTML and text, accordingly.

continues on next page

DOM Manipulation

One of the most critical uses of JavaScript

in general, and jQuery in particular, is

manipulation of the DOM: changing, in any

way, the contents of the Web browser. Nor-

mally, DOM manipulation is manifested by

altering what the user sees; how easily you

can do this in jQuery is one of its strengths.

Once you’ve selected the element or

elements to be manipulated, applying

any number of jQuery functions to the

selection will change its properties. For

starters, the

hide( )

and

show( )

functions

…um…hide and show the selection. Thus,

to hide a form (perhaps after the user has

successfully completed it), you would use:

$('#actualFormId').hide( );

The

toggle( )

function, when called, will

hide a visible element and show a hidden

one (i.e., it toggles between those two

states). Note that these functions neither

create nor destroy the selection (i.e., the

selection will remain part of the DOM,

whether it’s visible or not).

Similar to

show( )

and

hide( )

are

fadeIn( )

and

fadeOut( )

. These functions

also reveal or hide the selection, but do so

with a bit of effect added in.

ptg6935296

474 Chapter 15

Let’s use all this information to finish off the

widget cost calculator. A few key changes

will be made:

Errors will be indicated by applying the

error

class

Errors will also be indicated by hiding

or showing error messages A

The final total will be written to the

page B

Alerts will not be used

There are a couple of ways of showing and

hiding error messages. The simplest, to be

implemented here, is to manually add the

messages to the form, and then toggle their

visibility using JavaScript. Accordingly, these

steps begin by updating the HTML page.

To manipulate the DOM:

1. Open

calculator.html

in your text edi-

tor or IDE, if it is not already.

2. Between the quantity form element and

its closing paragraph tag, add an error

message (Script 15.6):

<p id="quantityP">Quantity:

➝

<input type="text"

name="quantity" id="quantity" />

➝

<span class="errorMessage"

➝

id="quantityError">Please enter

➝

a valid quantity!</span></p>

Now following the input is a textual

error, which also has a unique

. The

span containing the error also uses the

errorMessage

class. This impacts the

message’s formatting, thanks to the

external CSS document, and makes it

easier for jQuery to globally hide all error

messages upon first loading the page.

A Error messages are now displayed next to the

problematic form inputs.

B The results of the calcula-

tions are now displayed above

the form.

ptg6935296

Introducing jQuery 475

3. Repeat Step 2 for the other two

form inputs:

<p id="priceP">Price: <input

➝

type="text" name="price"

➝

id="price" /><span class=

➝

"errorMessage" id="priceError">

➝

Please enter a valid price!

➝

</span></p>

<p id="taxP">Tax (%): <input

➝

type="text" name="tax"

➝

id="tax" /><span class=

➝

"errorMessage" id="taxError">

➝

Please enter a valid tax!

➝

</span></p>

4. Save the file.

5. Open

calculator.js

in your text editor

or IDE, if it is not already.

continues on next page

Script 15.6 The updated HTML page has hardcoded error messages beside the key form inputs.

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/

xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

5 <title>Widget Cost Calculator</title>

6 <link rel="stylesheet" href="css/style.css" type="text/css" media="screen" />

7 <script type="text/javascript" src="js/jquery-1.6.1.min.js" charset="utf-8"></script>

8 <script type="text/javascript" src="js/calculator.js" charset="utf-8"></script>

9 </head>

10 <body>

11

12 <h1>Widget Cost Calculator</h1>

13 <p id="results"></p>

14 <form action="calculator.php" method="post" id="calculator">

15 <p id="quantityP">Quantity: <input type="text" name="quantity" id="quantity" />

<span class="errorMessage" id="quantityError">Please enter a valid quantity!</span>

</p>

16 <p id="priceP">Price: <input type="text" name="price" id="price" />

<span class=

"errorMessage" id="priceError">Please enter a valid price!</span>

</p>

17 <p id="taxP">Tax (%): <input type="text" name="tax" id="tax" />

<span class="errorMessage"

id="taxError">Please enter a valid tax!</span>

</p>

18 <p><input type="submit" name="submit" id="submit" value="Calculate!" /></p>

19 </form>

20 </body>

21 </html>

ptg6935296

476 Chapter 15

6. Remove all existing

alert( )

calls

(Script 15.7).

7. Before the submit event handler, hide

every element with the

errorMessage

class:

$('.errorMessage').hide( );

The selector grabs a reference to any

element of any type that has a class of

errorMessage

. In the HTML form, this

applies only to the three

span

tags.

8. In the

clause code after assigning

a value to the local

quantity

variable,

remove the

error

class and hide the

error message:

$('#quantityP').removeClass

➝

('e r r o r');

$('#quantityError').hide( );

As you’ll see in Step 9, when the

user enters an invalid quantity, the

quantity paragraph (with an

value of

quantityP

) will be assigned the

error

class and the quantity error message

(i.e.,

#quantityError

) will be shown. If the

user entered an invalid quantity, but then

entered a valid one, those two effects

must be undone, using this code here.

In the case that an invalid quantity was

never submitted, the quantity paragraph

will not have the

error

class and the

quantity error message will still be hid-

den. In situations where jQuery is asked

to do something that’s not possible,

such as hiding an already hidden ele-

ment, jQuery just ignores the request.

9. If the quantity is not valid, add the error

class and show the error message:

$('#quantityP').addClass('error');

$('#quantityError').show( );

This is the converse of the code in Step 8.

Note that it goes within the

else

clause.

Script 15.7 Using jQuery, the JavaScript code now

manipulates the DOM instead of using

alert( )

calls.

1 // Script 15.7 - calculator.js #2

2 // This script is included by calculator.

html.

3 // This script handles and validates the

form submission.

5 // Do something when the document is

ready:

6 $(function( ) {

8 // Hide all error messages:

9 $('.errorMessage').hide( );

11 // Assign an event handler to the

form:

12 $('#calculator').submit(function( ) {

14 // Initialize some variables:

15 var quantity, price, tax, total;

17 // Validate the quantity:

18 if ($('#q uantity').val( ) > 0) {

20 // Get the quantity:

21 quantity = $('#quantity').val( );

23 // Clear an error, if one

existed:

24 $('#quantityP').removeClass

('e r r o r');

26 // Hide the error message, if

it was visible:

27 $('#quantityError').hide( );

29 } else { // Invalid quantity!

31 // Add an error class:

32 $('#quantityP').addClass

('e r r o r');

34 // Show the error message:

35 $('#quantityError').show( );

37 }

code continues on next page

ptg6935296

Introducing jQuery 477

10. Repeat Steps 8 and 9 for the price,

making that

if-else

read:

if ($('#price').val( ) > 0) {

price = $('#price').val( );

$('#priceP').removeClass

➝

('e r r o r');

$('#priceError').hide( );

} else {

$('#priceP').addClass('error');

$('#priceError').show( );

}

11. Repeat Steps 8 and 9 for the tax,

making that

if-else

read:

if ($('#tax').val( ) > 0) {

tax = $('#tax').val( );

$('#taxP').removeClass('error');

$('#taxError').hide( );

} else {

$('#taxP').addClass('error');

$('#taxError').show( );

}

12. After calculating the total, within the

same

clause, update the

results

paragraph:

$('#results').html('The total is

➝

<b>$' + total + '</b>.');

Instead of using an alert box, the total

message can just be written to the HTML

page dynamically. One way of doing

so is by changing the text or HTML

of an element on the page. The page

already has an empty paragraph for this

purpose, with an

value of

results

. To

change the text found within the para-

graph, one would apply the

text( )

func-

tion. To change the HTML found within

the paragraph, use

html( )

instead.

continues on next page

Script 15.7 continued

39 // Validate the price:

40 if ($('#price').val( ) > 0) {

41 price = $('#price').val( );

42 $('#priceP').removeClass

('e r r o r');

43 $('#priceError').hide( );

44 } else {

45 $('#priceP').addClass

('e r r o r');

46 $('#priceError').show( );

47 }

49 // Validate the tax:

50 if ($('# tax').val( ) > 0) {

51 tax = $('#tax').val( );

52 $('#taxP').removeClass

('e r r o r');

53 $('#taxError').hide( );

54 } else {

55 $('#taxP').addClass('error');

56 $('#taxError').show( );

57 }

59 // If appropriate, perform the

calculations:

60 if (quantity && price && tax) {

62 total = quantity * price;

63 total += total * (tax/100);

65 // Display the results:

66 $('#results').html('The total

is <b>$' + total + '</b>.');

68 }

70 // Return false to prevent an

actual form submission:

71 return false;

73 }); // End of form submission.

75 }); // End of document ready.

ptg6935296

478 Chapter 15

13. Save the page as

calculator.js

(in the

folder) and test the calculator in your

Web browser.

Again, remember that you must reload

the HTML page (because both the HTML

and the JavaScript have been updated).

jQuery will not throw an error if you

attempt to select page elements that don’t

exist. jQuery will also not throw an error if

you call a function on non-existent elements.

In JavaScript, as in other OOP lan-

guages, you can “chain” function calls

together, performing multiple actions at one

time. This code reveals a previously hidden

paragraph, adds a new class, and changes

its textual content, all in one line:

$('#pId').show( ).a ddClass('t h i sClass').

➝

text('Hello, world!');

Yo u ca n c ha n g e th e a t tr i b u te s o f a

selection using the

attr( )

function. Its first

argument is the attribute to be impacted; the

second, the new value. For example, the fol-

lowing code will disable a submit button by

adding the property

disabled="disabled"

$('#submitButtonId').attr('disabled',

➝

'd i s a b l e d');

Yo u ca n a dd , m o ve , o r r e m o ve e l e me n t s

using the

prepend( )

append( )

remove( )

and other functions. See the jQuery manual

for specifics.

ptg6935296

Introducing jQuery 479

Using Ajax

Along with DOM manipulation, another

key use of JavaScript and jQuery is

Ajax

The term Ajax was first coined in 2005,

although browser support was mixed

for years. Come 2011, Ajax is a standard

feature of many dynamic Web sites, and its

straightforward use is supported by all the

major browsers. But what is Ajax?

Ajax can mean many things, involving several

different technologies and approaches, but at

the end of the day, Ajax is simply the use of

JavaScript to perform a server-side request

unbeknownst to the user. In a standard

request model, which is to say pretty much

every other example in this book, the user

may begin on, say,

. Upon sub-

mission of the form, the browser will be taken

to perhaps

, where the actual

form validation is done, the registration in the

database takes place, and the results are dis-

played A. (Even if the same PHP script both

displays and handles a form, the standard

request model requires two separate and

overt requests of that same page.)

continues on next page

A A standard client-server request model, with the browser constantly reloading

entire Web pages.

ptg6935296

480 Chapter 15

With the Ajax model, the form submission

will be

hijacked

by JavaScript, which will

in turn send the form data to a server-side

PHP script. That PHP script does whatever

validation and other tasks necessary, and

then returns only data to the client-side

JavaScript, indicating the results of the

operation. The client-side JavaScript then

uses the returned data to update the Web

page B. Although there are more steps,

the user will be unaware of most of them,

and be able to continue interacting with the

Web page while this process takes place.

Incorporating Ajax into a Web site results

in an improved user experience, more simi-

lar to how desktop applications behave.

Secondarily, there can be better perfor-

mance, with less data being transmitted

B With Ajax, server requests are made behind the scenes, and the Web browser can be

updated without reloading.

back and forth (e.g., an entire second page

of HTML, like

, does not need to

be transmitted).

You already know much of the information

required for performing Ajax transactions:

form validation with JavaScript, form vali-

dation with PHP, and using JavaScript to

update the DOM. The last bit of knowledge

you need is how to perform the actual

Ajax request using jQuery. Over the next

several pages, you’ll create the HTML form,

the server-side PHP script, and the inter-

mediary JavaScript, all for the sake of han-

dling a login form. In order to shorten and

simplify the code a bit, I’ve cut a couple

of corners, but I’ll indicate exactly when I

do so, and every cut will be in an area you

could easily flesh out on your own.

ptg6935296

Introducing jQuery 481

Creating the Form

The login form simply needs two inputs:

one for an email address and another

for a password C. The form will use the

same techniques for displaying errors and

indicating results as

calculator.html

To create the form:

1. Begin a new PHP document in your text

editor or IDE, to be named

(Script 15.8):

<!DOCTYPE ht ml PUBLIC "-//W3C//

➝

DTD XHTML 1.0 Transitional//EN"

➝

"http://www.w3.org/TR/xhtml1/DTD/

➝

xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/

➝

1999/xhtml" xml:lang="en"

➝

lang="en">

<head>

continues on next page

C The login form.

D Error messages are revealed beside each

form element.

Script 15.8 The login form has one text input for the email address, a password input, and a submit button.

Other elements exist to be manipulated by jQuery.

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/

xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

5 <title>Login</title>

6 <link rel="stylesheet" href="css/style.css" type="text/css" media="screen" />

7 <script type="text/javascript" src="js/jquery-1.6.1.min.js" charset="utf-8"></script>

8 <script type="text/javascript" src="js/login.js" charset="utf-8"></script>

9 </head>

10 <body>

11

12 <h1>Login</h1>

13 <p id="results"></p>

14 <form action="login.php" method="post" id="login">

15 <p id="emailP">Email Address: <input type="text" name="email" id="email" /><span

class="errorMessage" id="emailError">Please enter your email address!</span></p>

16 <p id="passwordP">Password: <input type="password" name="password" id="password" /><span

class="errorMessage" id="passwordError">Please enter your password!</span></p>

17 <p><input type="submit" name="submit" id="submit" value="Login!" /></p>

18 </form>

19 </body>

20 </html>

ptg6935296

482 Chapter 15

➝

content="text/html;

➝

charset=utf-8" />

<title>Login</title>

➝

href="css/style.css"

➝

type="text/css" media=

➝

"screen" />

This will actually be a PHP script, not just

an HTML file. The page uses the same

external CSS file as

calculator.html

2. Incorporate the jQuery library and a

second JavaScript file:

➝

src="js/jquery-1.6.1.min.js"

➝

charset="utf-8"></script>

➝

src="js/login.js" charset=

➝

"utf-8"></script>

The page will use the same jQuery

library as

calculator.html

. The page-

specific JavaScript will go in

Both will be stored in the

folder, found

in the same directory as this script.

3. Complete the HTML head and begin

the body:

</head>

<body>

<h1>Login</h1>

Within the body, before the form, is an

empty paragraph with an

results

to be dynamically populated with

jQuery later E.

E Upon successfully logging

in, the form will disappear and

a message will appear just

under the header.

4. Create the form:

<form action="login.php"

➝

method="post" id="login">

<p id="emailP">Email Address:

➝

<input type="text" name=

➝

"email" id="email" /><span

➝

class="errorMessage"

➝

id="emailError">Please enter

➝

your email address!</span></p>

<p id="passwordP">Password:

➝

<input type="password"

➝

name="password" id="password" />

<span class="errorMessage"

➝

id="passwordError">Please

➝

enter your password!</span></p>

<p><input type="submit"

➝

name="submit" id="submit"

➝

value="Login!" /></p>

</form>

This form is quite similar to that in

calculator.html

. Both form elements

are wrapped within paragraphs that

have unique

values, making it easy

for jQuery to apply the

error

class when

needed. Both elements are followed by

the default error message, to be hidden

and shown by jQuery as warranted.

5. Complete the HTML page:

</body>

</html>

6. Save the page as

and load

in your Web browser.

Remember that this is a PHP script,

so it must be accessed through a URL

(

http://something

ptg6935296

Introducing jQuery 483

Creating the Server-Side Script

The previous sequence of steps goes

through creating the client side of the

process: the HTML form. Next, I’m going to

skip ahead and look at the server side: the

PHP script that handles the form data. This

script has to do two things:

1. Validate the submitted data.

2. Return a string indicating the results.

For simplicity’s sake, the PHP script will

merely compare the submitted values

against hardcoded ones, but you could

easily modify this code to perform a

database query instead.

In terms of the Ajax process, the impor-

tant thing is that this PHP script only ever

returns a single string F, without any HTML

or other markup G. This is mandatory, as

the entire output of the PHP script is what

the JavaScript performing the Ajax request

will receive. And, as you’ll see in the Java-

Script for this example, the PHP script’s out-

put will be the basis for the error reporting

and DOM manipulation to be performed.

F The results of the server-side PHP script when a proper request is made.

G The HTML source of the server-side PHP script shows that the only output is

a simple string, without any HTML at all.

ptg6935296

484 Chapter 15

To handle the Ajax request:

1. Begin a new PHP document in your

text editor or IDE, to be named

login_ajax.php

(Script 15.9):

<?php # Script 15.9 -

➝

login_ajax.php

Again, this script is not meant to be

executed directly, so it contains no HTML.

2. Validate that an email address and a

password were received in the URL:

if (isset($_GET['email'],

➝

$_GET['passw o rd'])) {

A GET request will be made of this script,

hence, the first thing the code does is

confirm that both an email address and

a password were passed to it.

3. Validate that the submitted email

address is of the proper syntax:

if (filter_var($_GET['email'],

➝

FILTER_VALIDATE_EMAIL)) {

Using the Filter extension, the provided

email address is also checked for basic

syntax. If your version of PHP does not

support the Filter extension, you can

use a regular expression here instead

(see Chapter 14, “Perl-Compatible

Regular Expressions”).

4. If the submitted values are correct,

indicate success:

if ( ($_GET['email'] = =

➝

'e m ail@exa m ple.c o m') &&

➝

($_GET['pass w o rd'] = =

➝

'testpass') ) {

echo 'CORRECT';

As already said, this code just compares

the submitted values against two static

strings. You could easily swap out this

code for a database query, like those in

Chapter 12, “Cookies and Sessions.” At

this point you could also set a cookie

Script 15.9 This PHP script will receive the

Ajax request from JavaScript. It performs some

validation and returns simple strings to indicate

the results.

1 <?php # Script 15.9 - login_ajax.php

2 // This script is called via Ajax from

3 // The script expects to receive two

values in the URL: an email address and

a password.

4 // The script returns a string

indicating the results.

6 // Need two pieces of information:

7 if (isset($_GET['email'], $_GET['passw ord'])) {

9 // Need a valid email address:

10 if (filter_var($_GET['em ail'], FILTER_

VALIDATE_EMAIL)) {

12 // Must match specific values:

13 if ( ($_GET['em ail'] = = 'e mail@

example.com') && ($_GET['passw ord']

= = 'testpass') ) {

15 // Set a cookie, if you want,

or start a session.

17 // Indicate success:

18 echo 'CORRECT';

20 } else { // Mismatch!

21 echo 'INCORRECT';

22 }

24 } else { // Invalid email address!

25 echo 'INVALID_EMAIL';

26 }

28 } else { // Missing one of the two

variables!

29 echo 'INCOMPLETE';

30 }

32 ?>

ptg6935296

Introducing jQuery 485

Creating the JavaScript

The final step is to create the JavaScript that

interrupts the form submission, sends the

data to the server-side PHP script, reads the

PHP script’s results, and updates the DOM

accordingly. This is the “glue” between the

client-side HTML form and the server-side

PHP. All of the JavaScript form validation and

DOM manipulation will be quite similar to

what you’ve already seen in this chapter. Two

new concepts will be introduced, though.

First, you’ll need to know how to create

generic object

in JavaScript. In this

particular case, one object will represent

the data to be sent to the PHP script and

another will represent the options for the

Ajax request. Here is how you create a

new object in JavaScript:

var objectName = new Object( );

The next chapter gets into OOP in more

detail, but understand now that this just

creates a new variable of type

Object

The capital letter “O”

Object

is a blank

template in JavaScript (being an object-

oriented language, most variables in

JavaScript are objects of some type).

Once you’ve created the object, you

can add values to it using the syntax:

objectName.property = value;

If you’re new to JavaScript or OOP, it may

help to think of the generic object as being

like an indexed array, with a name and a

corresponding value.

The second new piece of information is the

usage of jQuery’s

ajax( )

function. This func-

tion performs an Ajax request. It takes as its

lone argument the request’s settings. Being

part of the jQuery library, it’s invoked like so:

$.ajax(settings);

That’s the basic premise; the particulars will

be discussed in detail in the following code.

or begin a session (although see the

following tip for the “gotchas” involved

with doing so).

Most importantly, the script simply

echoes the word

CORRECT

, without

any other HTML (F and G).

5. Complete the three conditionals:

} else {

echo 'INCORRECT';

}

} else {

echo 'INVALID_EMAIL';

}

} else {

echo 'INCOMPLETE';

}

These three

else

clauses complete the

conditionals begun in Steps 2, 3, and

4. Each simply prints a string indicating

a certain status. The JavaScript associ-

ated with the login form, to be written

next, will take different actions based

upon each of the possible results.

6. Complete the PHP page:

7. Save the file as

login_ajax.php

, and

place it in the same folder of your Web

directory as

It’s important that the two files are in

the same directory in order for the Ajax

request to work.

It’s perfectly acceptable for the server-

side PHP script in an Ajax process to set

cookies or begin a session. Keep in mind,

however, that the page in the Web browser

has already been loaded, meaning that page

cannot access cookies or sessions created

after the fact. You’ll need to use JavaScript

to update the page after creating a cookie

or starting a session, but subsequent pages

loaded in the browser will have full access to

cookie or session data.

ptg6935296

486 Chapter 15

To perform an Ajax request:

1. Begin a new JavaScript file in your text

editor or IDE, to be named

(Script 15.10):

// S c r i p t 1 5.1 0 - l o g i n.j s

2. Add the jQuery code for handling the

“ready” state of the document:

$(function( ) {

});

The JavaScript needs to start with this

code, in order to set the table once the

Web browser is ready. Because of the

complicated syntax, I think it’s best to

add this entire block of code first and

then place all of the subsequent code

within the curly braces.

3. Hide every element that has the

errorMessage

class:

$('.errorMessage').hide( );

The selector grabs a reference to any

element of any type that has a

class

errorMessage

. In the HTML form,

this applies only to the three

span

tags.

Those will be hidden by this code as

soon as the DOM is loaded.

4. Create an event listener for the form’s

submission:

$('#login').submit(function( ) {

});

This code is virtually the same as that in

the calculator form. All of the remaining

code will go within these curly brackets.

5. Initialize two variables:

var email, password;

These two variables will act as local

representations of the form data.

Script 15.10 The JavaScript code in this file performs

an Ajax request of a server-side script and updates

the DOM based upon the returned response.

1 // Script 15.10 - login.js

2 // This script is included by login.php.

3 // This script handles and validates the

form submission.

4 // This script then makes an Ajax

request of login_ajax.php.

6 // Do something when the document is

ready:

7 $(function( ) {

9 // Hide all error messages:

10 $('.errorMessage').hide( );

12 // Assign an event handler to the form:

13 $('#login').submit(function( ) {

15 // Initialize some variables:

16 var email, password;

18 // Validate the email address:

19 if ($('#em ail').val( ).leng th >= 6) {

21 // Get the email address:

22 email = $('#email').val( );

24 // Clear an error, if one existed:

25 $('#emailP').removeClass('error');

27 // Hide the error message, if

it was visible:

28 $('#emailError').hide( );

30 } else { // Invalid email address!

32 // Add an error class:

33 $('#emailP').addClass('error');

35 // Show the error message:

36 $('#emailError').show( );

38 }

code continues on next page

ptg6935296

Introducing jQuery 487

6. Validate the email address:

if ($('#email').val( ).le n g t h >= 6) {

email = $('#email').val( );

$('#emailP').removeClass

➝

('e r r o r');

$('#emailError').hide( );

The calculator form validated that all of

the numbers were greater than zero,

which isn’t an appropriate validation for

the login form. Instead, the conditional

confirms that the string length of the

value of the email input is greater than

or equal to 6 (six characters being the

absolute minimum required for a valid

email address, such as

a@b.cc

). You

could also use regular expressions in

JavaScript to perform more stringent

validation, but I’m trying to keep this

simple (and the server-side PHP script

will validate the email address as well,

as you’ve already seen).

If the email address value passes the

minimal validation, it’s assigned to the

local variable. Next, the

error

class is

removed from the paragraph, in case it

was added previously, and the email-

specific error is hidden, in case it was

shown previously.

7. Complete the email address

conditional:

} else {

$('#emailP').addClass('error');

$('#emailError').show( );

}

This code completes the conditional

begun in Step 6. The code is the same

as that used in

calculator.html

, adding

the error class to the entire paragraph

and showing the error message D.

continues on next page

Script 15.10 continued

40 // Validate the password:

41 if ($('# passw ord').val( ).le ng th > 0) {

42 password = $('#password').val( );

43 $('#passwordP').removeClass

('er ror');

44 $('#passwordError').hide( );

45 } else {

46 $('#passwordP').addClass

('er ror');

47 $('#passwordError').show( );

48 }

50 // If appropriate, perform the

Ajax request:

51 if (email && password) {

53 // Create an object for the

form data:

54 var data = new Object( );

55 data.email = email;

56 data.password = password;

58 // Create an object of Ajax

options:

59 var options = new Object( );

61 // Establish each setting:

62 options.data = data;

63 options.dataType = 'text';

64 options.type = 'get';

65 options.success = function

(response) {

67 // Worked:

68 if (response = = 'CORRECT') {

70 // Hide the form:

71 $('#login').hide( );

code continues on next page

ptg6935296

488 Chapter 15

8. Validate the password:

if ($('#password').val( ).l e n g t h >

➝

0) {

password = $('#password').val( );

$('#passwordP').removeClass

➝

('e r r o r');

$('#passwordError').hide( );

} else {

$('#passwordP').addClass

➝

('e r r o r');

$('#passwordError').show( );

}

Script 15.10 continued

73 // Show a message:

74 $('#results').removeClass('error');

75 $('#results').text('You are now logged in!');

77 } else if (response = = 'INCORRECT') {

78 $('#results').text('The submitted credentials do not match those on file!');

79 $('#results').addClass('error');

80 } else if (response = = 'INCOMPLETE') {

81 $('#results').text('Please provide an email address and a password!');

82 $('#results').addClass('error');

83 } else if (response = = 'INVALID_EMAIL') {

84 $('#results').text('Please provide your email address!');

85 $('#results').addClass('error');

86 }

88 }; // En d of success.

89 options.url = 'login_ajax.php';

91 // Perform the request:

92 $.ajax(options);

94 } // End of email && password IF.

96 // Return false to prevent an actual form submission:

97 return false;

99 }); // End of form submission.

100

101 }); // End of document ready.

For the password, the minimum length

would likely be determined by the

registration process. As a placeholder,

this code just confirms a positive

string length. Otherwise, this code

is essentially the same as that in the

previous two steps.

9. If both values were received, store

them in a new object:

if (email && password) {

var data = new Object( );

data.email = email;

data.password = password;

ptg6935296

Introducing jQuery 489

is the default, so it does not need to be

assigned here, but the code is being

explicit anyway.

To be c l e ar, b e ca u s e o f t h e n a m e o f t he

properties in the

data

object—

and

password

—and because of the

type

value of

get

, the

login_ajax.php

script will receive

$_GET['e m ai l']

and

$_G ET['p ass w or d']

. If you were to change

the names of the properties in

data

, or

the value of

options.type

, the server-

side PHP script would receive the Ajax

data in different superglobal variables.

11. Begin defining what should happen

upon a successful Ajax request:

options.success = function

➝

(resp onse) {

}; // End o f success.

The

success

property defines what the

JavaScript should do when the Ajax

query works. By “work,” I mean that the

JavaScript is able to perform a request

of the server-side page and receive

a result. For what should

actually

happen, an anonymous function is

assigned to this property. In this step,

the anonymous function is defined

and the assignment line is completed.

The code in subsequent steps will go

between these curly brackets.

As you can see, the anonymous func-

tion takes one argument: the response

from the server-side script, assigned

to the

response

variable. As already

explained, the response received by

the JavaScript will be the entirety of

whatever is outputted by the PHP script.

continues on next page

The premise behind this code was

explained before these steps. First a

new, generic object is created. Then

a property of that object named

is created, and assigned the value

of the email address. Finally, a prop-

erty named

password

is created, and

assigned the value of the entered pass-

word. If it helps to imagine this code in

PHP terms, the equivalent would be:

$data = array( );

$data['email'] = $email;

$data['password'] = $password;

10. Create a new object for the Ajax options,

and establish the first three settings:

var options = new Object( );

options.data = data;

options.dataType = 'text';

options.type = 'get';

Here, another generic object is created.

Next, a property named

data

is assigned

the value of the

data

object. This

property of the

options

object stores

the data being passed to the PHP script

as part of the Ajax request.

The second setting is the data type

expected back from the server-side

request. As the PHP script

login_ajax.

php

returns (i.e., prints) a simple string,

the value here is

text

. The

dataType

setting impacts how the JavaScript

will attempt to work with the returned

response: it needs to match what the

actual server response will be.

The

type

setting is the type of request

being made, with

get

and

post

being

the two most common. A GET request

ptg6935296

490 Chapter 15

12. Within the anonymous function created

in Step 11, if the server response equals

CORRECT

, hide the form and update

the page:

if (response = = 'CORRECT') {

$('#login').hide( );

$('#results').removeClass

➝

('e r r o r');

$('#results').text('You are now

➝

logged in!');

When the user submits the correct

credentials—

email@example.com

and

testpass

login_ajax.php

will return

the string

CORRECT

. In that case, the

JavaScript will hide the entire login

form and assign a string to the

results

paragraph, indicating such E. Because

incorrect submissions may have added

the

error

class to this paragraph (see

Step 13), that class is also removed here.

13. If the server response equals

INCORRECT

, indicate an error:

} else if (response = =

➝

'INCO RRECT') {

$('#results').text('The submitted

➝

credentials do not match

➝

those on file!');

$('#results').addClass('error');

When the user submits a password and

a syntactically valid email address, but

does not provide the correct specific

values, the server-side PHP script will

return the string

INCORRECT

. In that

case, a different string is assigned to the

results

paragraph and the

error

class is

applied to the paragraph as well H.

H The results upon providing invalid login credentials.

ptg6935296

Introducing jQuery 491

16. Complete the conditional begun in Step

9 and return

false

} // End of email && password IF.

return false;

If the

and

password

variables do

not have TRUE values, no Ajax request

is made (i.e., that conditional has no

else

clause). Finally, the value

false

is returned here to prevent the actual

submission of the form.

17. Save the page as

(in the

folder) and test the login form in your

Web browser.

As a debugging tip, it often helps to run

the server-side script directly F, to confirm

that it works (e.g., that it doesn’t contain a

parse or other error).

The Firefox Firebug extension can reveal

the details about Ajax requests made by a

Web page I.

The Opera Web browser has a built-in

tool named Dragonfly, which is also an excel-

lent development resource.

Because JavaScript can be disabled by

users, you can never rely strictly upon Java-

Script form validation. You must always also

use server-side PHP validation in order to

protect your Web site.

14. Add clauses for the other two possible

server responses:

} else if (response = =

➝

'INCO M PLETE') {

$('#results').text('Please

➝

provide an email address and

➝

a password!');

$('#results').addClass('error');

} else if (response = =

➝

'INVALID_EM AIL') {

$('#results').text('Please

➝

provide your email address!');

$('#results').addClass('error');

}

These are repetitions of the code in

Step 13, with different messages. This is

the end of the code that goes within the

success

property’s anonymous function.

15. Add the

url

property and make the

request:

options.url = 'login_ajax.php';

$.ajax(options);

The

url

property of the Ajax object

names the actual server-side script to

which the request should be sent. As

long as

and

login_ajax.php

are in the same directory, this reference

will work.

Finally, after establishing all of the request

options, the request is performed.

I Thanks to the Firebug extension, you can see what transpires in a behind-

the-scenes Ajax request.

ptg6935296

492 Chapter 15

Review and Pursue

If you have any problems with the

review questions or the pursue prompts,

turn to the book’s supporting forum

(

www.LarryUllman.com/forums/

Review

What is JavaScript? How does

JavaScript compare to PHP?

What is jQuery? What is the relationship

between jQuery and JavaScript?

How is an external JavaScript file

incorporated into an HTML page? How

is JavaScript code placed within the

HTML page itself?

Why is it important to wait until the

entire DOM has been loaded in order

to execute JavaScript code that

references DOM elements?

Why are unique identifiers in the

DOM necessary?

In jQuery, how do you select elements

of a given tag type? How do you select

elements that have a certain class? How

do you select a specific element?

In jQuery, how do you add an event

listener to a page element (or elements)?

What

an event listener?

Why must you reload HTML pages after

altering its JavaScript?

What are some of the jQuery functions

one can use to manipulate the DOM?

What is Ajax? Why is Ajax a “good thing”?

Why must an HTML page that performs

a server-side request be loaded through

a URL?

How do you create a generic object

in JavaScript?

What impact does the Ajax request’s

type

property have? What impact do the names

of the properties in the

data

object have?

Pursue

Head to the jQuery Web site and start

perusing the jQuery documentation.

Check out jQuery UI and what it can do

for your Web pages.

Use the jQuery documentation, or sim-

ply search online, for some of jQuery’s

plug-ins. Attempt to use one or more of

them in a Web page.

Once you feel comfortable with the Ajax

process, search online for information

about performing Ajax requests using

JSON

(JavaScript Object Notation) or

XML

(eXtensible Markup Language)

to represent the data transmitted back

to the JavaScript.

See what happens when you reference

a DOM element in JavaScript before the

entire DOM has been loaded. Witnessing

this should help you recognize what’s

happening when you inevitably and

accidentally fail to wait until the browser

is ready before referencing the DOM.

Update

calculator.js

so that the

results

paragraph is initially cleared

upon each form submission. By doing

so, the results of previous submissions

won’t be shown upon subsequent

invalid submissions.

Modify

login_ajax.php

so that it uses

a database to confirm successful login.

Modify

login_ajax.php

so that it sends

a cookie or begins a session. Create a

secondary PHP script that accesses the

created cookie or session.

Modify

so that it also performs

the login validation, should the user have

JavaScript disabled. Hint: This is simpler

than you might think—just use PHP to

handle the form submission (in the same

file) as if JavaScript were not present at all.

ptg6935296

PHP is somewhat unusual as a language

in that it can be used both

procedurally

as most of this book demonstrates, and

as an

Object-Oriented Programming

(OOP) language. There are merits to both

approaches, and one ought to be familiar

with each as well (eventually).

Unfortunately, mastery of OOP requires lots of

time and information: my

PHP 5 Advanced:

Visual QuickPro Guide

(Peachpit Press)

spends 150 pages on the subject! Still, one

of the great things about OOP is that you

can

use

it without fully

knowing

it. You’ll

see what this means shortly.

In this chapter, which is new to this edition

of the book, is a primer for OOP in PHP.

Some of the examples will replicate proce-

dural ones already shown in the book, in

order to best compare and contrast the two

approaches. Various sidebars and tips will

mention other uses of OOP in PHP, many of

which will not have procedural equivalents.

An OOP Primer

In This Chapter

Fundamentals and Syntax 494

Working with MySQL 497

The DateTime Class 511

Review and Pursue 518

ptg6935296

494 Chapter 16

Fundamentals

and Syntax

If you’ve never done any Object-Oriented

Programming before, both the concept

and the syntax can be quite foreign. Simply

put, all applications, or scripts, involve

taking actions

with information

: validating

it, manipulating it, storing it in a database,

and so forth. Philosophically, procedural

programming is written with a focus on the

actions: do this, then this, then this; OOP is

data-centric, focusing more on the kinds of

information being used.

OOP Fundamentals

OOP begins with the definition of a

class

which is a template for a particular type

of data: an employee, a user, a page of

content, and so forth. A class definition

contains both variables and functions.

Syntactically, a variable in a class definition

is called an

attribute

property

, and

a function in a class definition is called

OOP vs. Procedural

Discussions as to the merits of OOP vs. procedural programming can quickly escalate to verbal

wars, with each side fiercely advocating for their approach. PHP is somewhat unique in that you

have a choice (by comparison, C is strictly a procedural language and Java object-oriented). In

my opinion, each programming style has its strengths and weaknesses, but neither is “better”

than the other.

Procedural programming is arguably faster to learn and use, particularly for smaller projects. But

procedural code can be harder to maintain and expand, especially in more complicated sites, and

has the potential to be buggier.

Code written using OOP, on the other hand, may be easier to maintain, specifically on larger proj-

ects, and may be more appropriate in team environments. But OOP is harder to master, and when

not done well, is that much more challenging to remedy.

In time, you’ll naturally come up with your own opinions and preferences. The real lesson, to me, is

to take advantage of the fact that PHP allows for both syntaxes, and not to limit yourself to just one

style regardless of the situation.

ptg6935296

An OOP Primer 495

OOP Syntax in PHP

So let’s say someone has gone through

the process of designing and defining

Car

class. Most classes are not used

directly; rather, you create an

instance

that class—a specific variable of the class’s

type. That instance is called an

object

. In

PHP, an instance is created using the

new

keyword:

$obj = new ClassName( );

$mine = new Car( );

Whereas the code

$name = 'Larry'

creates a variable of type string, the

above code creates a variable of type

Car

Everything that’s part of

Car

’s definition—

every property (i.e., variable) and method

(i.e., function)—is now embedded in

$mine

Behind the scenes (i.e., in the class defini-

tion), a special method called the

con-

structor

is automatically invoked when a

new object of that type is generated. The

constructor normally provides whatever

initial setup would be required by the sub-

sequent usage of that object. For example,

the

MySQLi

class’s constructor establishes

a connection to the database and the

DateTime

class’s constructor creates a

reference to an exact date and time (both

the

MySQLi

and

DateTime

classes will be

explicitly used in this chapter).

If the constructor takes arguments, like any

function can, those may be provided when

the object is created:

$mine = new Car('Honda', 'Fit', 2008);

Once you have an object, you reference

its properties (i.e., variables) and call its

methods (i.e., functions) using the syntax

object_name->member_name

$mine->color = 'Purple';

$mine->start( );

continues on next page

method

. Combined, the attributes and

methods are the

members

of the class.

As a theoretical example, you might have

a class called

Car

. Note that class names

conventionally begin with an uppercase

letter. The properties of a

Car

would

include

make

model

year

odometer

, and

so forth: all information that can be known

about a car. A

Car

’s properties can be set,

changed, and retrieved, and the values

of the properties distinguish

this

Car

from

that

Car

. A

Car

’s methods—the things that

the car can do—would include:

start( )

drive( )

park( )

, and

turnOff( )

. These

actions are common to all

Car

In the introduction to this chapter, I stated

that you can

use

OOP without really

knowing

it. By that I mean that it’s very

easy, and common enough, to use an

existing class definition for your own

needs. In fact, the reusability of code—

particularly code created by others—is

one of the key benefits of OOP. What

actually takes a lot of effort, at least to do

it right, is to master the design process:

understanding what members to define

and, more importantly, how to implement

sophisticated OOP concepts such as:

Inheritance

Access control

Overriding methods

Scope resolution

Abstraction

And so on

When you’re interested in learning how

to properly create your own classes, you

can look into these subjects in my

PHP 5

Advanced: Visual QuickPro Guide

, among

other resources, but in this chapter, let’s

focus on using existing classes instead of

creating your own custom ones.

ptg6935296

496 Chapter 16

The first line (theoretically) assigns the

value

Purple

to the object’s

color

prop-

erty. The second line invokes the object’s

start( )

method. As with any function

call, the parentheses are required. If the

method takes arguments, those can be

provided, too:

$mine->drive('Forward');

Sometimes you’ll use an object’s

properties as you would any other variable:

$mine->odometer += 20;

echo "My car currently has $mine->

➝

odometer miles on it.";

If an object’s method returns a value, the

method can be invoked in the same man-

ner as any function that returns a value:

// T h e f i l l( ) method takes a number of

// g a l l o n s b e i n g a d d e d a n d r e t u r n s

// h o w f u l l t h e t a n k i s:

$tank = $mine->fill(8.5);

And that’s really enough to know about

OOP in order to start using it. As you’ll

see, the examples over the next few

pages will replicate functionality explained

earlier in the book, so that the contrasting

approaches to the same end result should

help you better understand what’s going on.

In documentation, you’ll see the

ClassName:: method_name( )

syntax.

This is a way of specifying to which class

a method belongs.

One of the major changes in PHP 5.3

is support for namespaces. Namespaces,

in layman’s terms, provide a way to group

multiple class definitions under a single title.

Namespaces are useful for organizing code, as

well as preventing conflicts (e.g., differentiat-

ing between my

Car

class and your

Car

class).

Classes can also have their own con-

stants, just as they have their own variables

and functions. Class constants are normally

used without an instance of that class, as in:

echo ClassName::CONSTANT_NAME;

OOP in PHP has changed dramatically

from PHP 3 to PHP 4 to PHP 5. The syntax

discussed in this chapter will only work with

PHP 5 and above.

More OOP Classes

There are more OOP classes defined in PHP than just those illustrated in this chapter, although

I think the

MySQLi

and

DateTime

classes are the two most obviously accessible and usable. The

largest body of classes can be found in the

Standard PHP Library

(SPL), built into PHP as of ver-

sion 5.0, and greatly expanded in version 5.3.

The SPL provides high-end classes in several categories: exception handling,

iterators

(loops that can

work on any collection of data), custom data types, and more. The SPL is definitely for more advanced

PHP programmers and is most beneficial for otherwise strongly or entirely OOP-based code.

There are several good classes defined for internationalization purposes, too (

www.php.net/intl

These classes define some of the functionality originally intended as part of the now-defunct PHP 6,

including the ability to sort words, format numbers, and so forth, in a manner customized to the

given

locale

(a locale is a combination of the language, cultural habits, and other unique choices

for a region).

ptg6935296

An OOP Primer 497

Creating a Connection

As with the procedural approach, creating

a connection is the first step in interacting

with MySQL when using object notation.

With the

MySQLi

class, a connection is

established when the object is instantiated

(i.e., when the object is created), by pass-

ing the appropriate connection values to

the constructor:

$mysqli = new MySQLi(hostname,

➝

username, password, database);

Even though this is OOP, you would use

the same MySQL values as you would

when programming procedurally, or when

connecting to MySQL using the command-

line client or other interface.

If a connection could not be made, the

connect_error

property will store the

reason why A:

if ($mysqli->connect_error) {

echo $mysqli->connect_error;

}

Unfortunately, that approach was buggy

(or just plain broken) in versions of PHP

prior to 5.2.9, so you’ll see this

kludge

(an

unseemly fix) in the PHP manual instead:

if (mysqli_connect_error( )) {

echo mysqli_connect_error( );

}

continues on next page

Working with MySQL

Just as you can write PHP code in both

procedural and object-oriented styles,

the MySQL Improved extension can

similarly be used either way to interact

with a database. Chapter 9, “Using PHP

with MySQL,” introduced the basics of the

procedural approach. As a comparison,

this chapter will run through the same

functionality using OOP.

There are three defined classes that you

will use herein:

MySQLi

, the primary class, provides

a database connection, a querying

method, and more.

MySQLi_Result

, is used to handle

the results of

SELECT

queries (among

others).

MySQLi_STMT

is for performing prepared

statements (introduced in Chapter 13,

“Security Methods”).

For each, I’ll explain the basic usage and

walk you through an example script. For

a full listing of all the possibilities—all the

properties and methods of each class—see

the PHP manual.

A A MySQL connection error.

ptg6935296

498 Chapter 16

If you are not using PHP 5.2.9 or later,

you’ll have to use this last bit of code in

your own scripts.

Next, you should establish the character set:

$mysqli->set_charset(charset);

$mysqli->set_charset('utf8');

At this point, you’re ready to execute your

queries, to be covered next.

After executing the queries, call the

close( )

method to close the database connection:

$mysqli->close( );

To be extra tidy, y ou ca n delete the

object, too:

unset($mysqli);

To practice this, l et’s w rite a P HP script that

connects to MySQL. As the subsequent

two scripts will be updates of scripts from

Chapter 9, and will use the same template

as Chapter 9, you’ll want to place these

next three scripts in the same Web directo-

ries you used for Chapter 9.

To make an OOP MySQL connection:

1. Begin a new PHP script in your text edi-

tor or IDE, to be named

mysqli_oop_

connect.php

(Script 16.1):

<?php # Script 16.1 -

➝

mysqli_oop_connect.php

This script will largely follow the same

approach as

mysqli_connect.php

Chapter 9. It will contain no HTML.

Script 16.1 This script creates a new

MySQLi

object,

through which database interactions will take place.

1 <?php # Script 16.1 - mysqli_oop_

connect.php

2 // This file contains the database

access information.

3 // This file also establishes a

connection to MySQL,

4 // selects the database, and sets the

encoding.

5 // The MySQL interactions use OOP!

7 // Set the database access information

as constants:

8 DEFINE ('DB_USER', 'username');

9 DEFINE ('DB_PASSW ORD', 'password');

10 DEFINE ('DB_ HOST', 'localhost');

11 DEFINE ('DB_NAME', 'site name');

13 // Make the connection:

14 $mysqli = new MySQLi(DB_HOST,

DB_USER, DB_PASSWORD, DB_NAME);

16 // Verify the connection:

17 if ($mysqli->connect_error) {

18 echo $mysqli->connect_error;

19 unset($mysqli);

20 } else { // Establish the encoding.

21 $mysqli->set_charset('utf8');

22 }

ptg6935296

An OOP Primer 499

5. If a connection was made, establish

the encoding:

} else {

$mysqli->set_charset('utf8');

}

Remember that the encoding used to

communicate with MySQL needs to

match the encoding set by the HTML

pages and by the database.

6. Save the script as

mysqli_oop_

connect.php

As with most files in this book that are

meant to be included by other scripts,

this one omits the closing PHP tag.

7. Ideally, place the file outside of the Web

document directory.

Because the file contains sensitive

MySQL access information, it ought to

be stored securely. If you can, place it

in the directory immediately above or

otherwise outside of the Web directory

(see Chapter 9 for particulars).

Again, the following two scripts will

use the template that Chapter 9 used,

so you should store this connection

script in the same directory as

mysqli_

connect.php

from Chapter 9.

continues on next page

2. Set the database connection param-

eters as constants:

DEFINE ('DB_USER', 'username');

DEFINE ('DB_PASSWORD', 'password');

DEFINE ('DB_HOST', 'localhost');

DEFINE ('DB_NAME', 'sitename');

As always, you’ll need to change

the particulars to be correct for

your server. As with Chapter 9, this

chapter’s examples will make use

of the

sitename

database.

3. Create a

MySQLi

object:

$mysqli = new MySQLi(DB_HOST,

➝

DB_USER, DB_PASSWORD, DB_NAME);

This is the syntax already explained,

using the constants as the values to

be passed to the constructor.

4. If an error occurred, show it:

if ($mysqli->connect_error) {

echo $mysqli->connect_error;

unset($mysqli);

If the

MySQLi

object’s

connect_error

property has a value, it means that the

script could not establish a connection to

the database. In that case, the connec-

tion error is displayed A, and the object

variable is unset, since it’s useless.

Remember that if you’re using a version

of PHP prior to 5.2.9 (and you do know

what, exact, version you’re using, cor-

rect?), you’ll need to change this code to:

if (mysqli_connect_error( )) {

echo mysqli_connect_error( );

unset($mysqli);

ptg6935296

500 Chapter 16

8. Temporarily place a copy of the sc ript

within the Web directory and run it in

your Web browser.

In order to test the script, you’ll want

to place a copy on the server so that

it’s accessible from the Web browser

(which means it must be in the Web

directory). If the script works properly,

the result should be a blank page.

If you see an

Access denied…

similar message A, it means that the

combination of username, password,

and host does not have permission to

access the particular database.

9. Remove the temporary copy from the

Web directory.

Yo u ca n u se

print_r( )

to learn about,

and debug, objects in PHP code B:

echo '<pre>' . print_r($mysqli, 1) .

➝

'< / p r e >';

B Using

print_r( )

on an object, perhaps wrapped within preformatted tags

to make its output easier to read, reveals the object’s many property names

and values.

Since the

$mysqli

object is unset if no

connection is made, any script that needs it

can be written to test for a successful connec-

tion by just using:

if (isset($mysqli)) { // Do whatever.

For brevity sake, this test is omitted in subse-

quent scripts, but know it’s possible.

The MySQLi constructor takes two more

arguments: the port to use and the socket.

When running MAMP or XAMPP (see Appen-

dix A, “Installation” which you can download

from peachpit.com), you may need to provide

the port.

The

MySQLi::character_set_name( )

method returns the current character set. The

MySQLi::get_charset( )

method returns the

character set, collation, and more.

You can change the database used by

the current connection via the

select_db( )

method:

$mysqli->select_db(dbname);

ptg6935296

An OOP Primer 501

generated primary key value via the

insert_id

property:

$id = $mysqli->insert_id;

If the query just executed was an

UPDATE

INSERT

, or

DELETE

, you can retrieve the

number of affected rows—how many rows

were updated, inserted, or deleted—from

the

affected_rows

property:

echo "$mysqli->affected_rows rows

➝

were affected by the query.";

The last thing to know, before executing

any queries, is how to

sanctify

data used

in the query. To do so, apply the

real_

escape_method( )

to a string variable

beforehand:

$var = $mysqli->real_escape_

➝

string($var);

This is equivalent to invoking

mysqli_

real_escape_string( )

, and prevents

apostrophes and other problematic

characters from breaking the syntax of the

SQL command.

Using all this information, the next set of

steps will rewrite

(Script 9.5)

from Chapter 9, using OOP.

Executing Simple Queries

Once you’ve successfully established a

connection to the MySQL server, you can

begin using the

MySQLi

object to query the

database. For that, call the appropriately

named

query( )

method:

$mysqli->query(query);

Its lone argument is the SQL command to

be executed, which I normally assign to a

separate variable beforehand:

$q = 'SELECT * FROM tablename';

$mysqli->query($q);

Yo u c a n t es t f o r t h e q ue r y’s e r r o r -f r ee

execution by using the method call as

a condition:

if ($mysqli->query($q)) { // Worked!

Alternatively, you can check the

error

property C:

if ($mysqli->error) { // Did not

➝

work!

echo $mysqli->error;

}

If the query just executed was an

INSERT

you can retrieve the automatically

C A problem with a query results in a MySQL error.

ptg6935296

502 Chapter 16

To execute simple queries:

1. Open

(Script 9.5) in your

text editor or IDE.

2. Change the inclusion of the MySQL

connection script to (Script 16.2):

require ('../mysqli_oop_connect.php');

Assuming that

mysqli_oop_connect.

php

is in the directory above this one,

this code will work. If your directory

structure differs, change the reference

to the file accordingly.

3. Change each use of

mysqli_

real_escape_string( )

to:

$mysqli->real_escape_string( )

$fn = $mysqli->real_escape_string

➝

(tr im($_POST['first _nam e']));

$ln = $mysqli->real_escape_string

➝

(tr im($_POST['last _nam e']));

$e = $mysqli->real_escape_string

➝

(tr im($_POST['email']));

$p = $mysqli->real_escape_string

➝

(tr im($_POST['pass1']));

Four pieces of data—all strings,

naturally—are escaped for added

protection in the query. Because the

script now uses the MySQL Improved

extension using an object-oriented

approach, these four lines should

be changed.

4. Update how the query is executed

(line 52 of the original script):

$mysqli->query($q);

To execute a query on the database

using OOP, call the object’s

query( )

method, providing it with the query to

be run.

Script 16.2 This updated version of the registration

script uses the MySQL Improved extension via OOP.

1 <?php # Script 16.2 - register.php

2 // This script performs an INSERT query

to add a record to the users table.

3 // This is an OOP version of the script

from Chapter 9.

5 $page_title = 'Register';

6 include ('inclu des/header.html');

8 // Check for form submission:

9 if ($_SERVER['REQUEST_METHOD'] = = 'POST') {

11 require ('../mysqli_oop_connect.php');

// C o n n e c t t o t h e d b.

13 $errors = array( ); // Initialize an

error array.

15 // Check for a first name:

16 if (e mpty($_POST['first_ nam e'])) {

17 $errors[ ] = 'You forgot to enter

your first name.';

18 } else {

19 $fn = $mysqli->real_escape_

string(trim($_POST['first_name']));

20 }

22 // Check for a last name:

23 if (empty($_POST['last_nam e'])) {

24 $errors[ ] = 'You forgot to enter

your last name.';

25 } else {

26 $ln = $mysqli->real_escape_

string(trim($_POST['last_name']));

27 }

29 // Check for an email address:

30 if (empty($_POST['em ail'])) {

31 $errors[ ] = 'You forgot to enter

your email address.';

32 } else {

33 $e = $mysqli->real_escape_

string(trim($_POST['email']));

34 }

36 // Check for a password and match

against the confirmed password:

37 if (!e m p ty($_ PO ST['p ass1'])) {

code continues on next page

ptg6935296

An OOP Primer 503

Script 16.2 continued

38 if ($_POST['pass1'] != $_POST

['p ass2']) {

39 $errors[ ] = 'Your password

did not match the confirmed

password.';

40 } else {

41 $p = $mysqli->real_escape_

string(trim($_POST['pass1']));

42 }

43 } else {

44 $errors[ ] = 'You forgot to enter

your password.';

45 }

47 if (empty($er rors)) { // If

everything's OK.

49 // Register the user in the

database...

51 // Make the query:

52 $q = "INSERT INTO users

(first_na me, last_name, email,

pass, registration_date) VALUES

('$fn', '$ln', '$e', SHA1('$p'),

NOW( ) )";

54 // Execute the query:

55 $mysqli->query($q);

57 if ($mysqli->affected_rows = =

1) { // If it ran OK.

59 // Print a message:

60 echo '< h1 >T h a n k you!</h1>

61 <p>You are now registered. In

Chapter 12 you will actually be

able to log in!</p><p><br /></p>';

63 } else { // If it did not run OK.

65 // Public message:

66 echo '< h 1 > S y s t e m Error</h1>

67 <p class="error">You could not

be registered due to a system

error. We apologize for any

inconvenience.</p>';

69 // Debugging message:

70 echo '<p>' . $mysqli->error .

'< b r /> < b r /> Q u e r y : ' . $ q .

'< / p >';

Script 16.2 continued

72 } // End of if ($r) IF.

74 $mysqli->close( ); // Close the

database connection.

75 unset($mysqli);

77 // Include the footer and quit the

script:

78 include ('inclu des/foote r.ht ml');

79 exit( );

81 } else { // Report the errors.

83 echo '< h 1 > E r r o r !< / h 1 >

84 <p class="error">The following

error(s) occurred:<br />';

85 foreach ($er rors as $msg) {

// Print each error.

86 echo " - $msg<br />\n";

87 }

88 echo '< / p > < p > P l e a s e try again.

</p><p><br /></p>';

90 } // End of if (em pty($errors)) IF.

92 $mysqli->close( ); // Close the

database connection.

93 unset($mysqli);

95 } // End of the main Submit conditional.

96 ?>

code continues on next page

5. Change the confirmation of the query’s

execution to read (originally line 53):

if ($mysqli->affected_rows = = 1) {

The previous version of the script used

the result variable to confirm that the

query worked:

if ($r) {

Here, the conditional more formally

asserts that the number of affected

rows equals 1.

continues on next page

ptg6935296

504 Chapter 16

6. Update the debugging error message

to use the object (line 66 of the

original script):

echo '<p>' . $mysqli->error .

➝

'< b r /> < b r /> Q u e r y: ' . $ q .

➝

'< / p >';

Instead of invoking the

mysqli_

error( )

function, the

error

property

of the object will store the database

reported problem C.

7. Finally, change both instances where

the database connection is closed to:

$mysqli->close( );

unset($mysqli);

The first line closes the connection. The

second line removes the variable from

existence. This step frees up the used

memory and while not obligatory, is a

professional touch.

The original script closed the database

connection in two places; make sure

you update both.

8. Save the script, place it in your Web

directory, and test it in your Web

browser D.

Script 16.2 continued

97 <h1>Register</h1>

98 <form action="register.php" method="post">

99 <p>First Name: <input type="text" name="first_name" size="15" maxlength="20" value="<?php if

(isset($_POST['first_na me'])) echo $_POST['first_name']; ?>" /></p>

100 <p>Last Name: <input type="text" name="last_name" size="15" maxlength="40" value="<?php if

(isset($_POST['last_nam e'])) echo

$_POST['last_ name']; ?>" /></p>

101 <p>Email Address: <input type="text" name="email" size="20" maxlength="60" value="<?php if

(isset($_POST['email'])) echo $_POST['email']; ?>" /> </p>

102 <p>Password: <input type="password" name="pass1" size="10" maxlength="20" value="<?php if

(isset($_POST['pass1'])) echo $_POST['pass1']; ?>" /></p>

103 <p>Confirm Password: <input type="password" name="pass2" size="10" maxlength="20" value="<?php

if (isset($_POST['pass2'])) echo $_POST['pass2']; ?>" /></p>

104 <p><input type="submit" name="submit" value="Register" /></p>

105 </form>

106 <?php include ('in cludes/fo oter.html'); ?>

D If all of the code was updated as appropriate,

the registration script should work as it did before.

ptg6935296

An OOP Primer 505

be treated as an associative array (

MYSQLI_

ASSOC

), an indexed array (

MYSQLI_NUM

), or

both (

MYSQLI_BOTH

is the

default value.

When you have multiple records to fetch,

you can do so using a loop:

while ($row = $result->fetch_array

➝

(MYSQLI_NUM)) {

// U s e $ r o w .

}

With that code,

$row

within the loop

will be an array, meaning you access

individual columns using either

$row[0]

$row['column']

(assuming you’re using

the appropriate constant). If you’re really

enjoying the OOP syntax, you can use the

fetch_object( )

method instead, thereby

creating an object instead of an array:

$q = 'SELECT user_id, first_name

➝

FROM users';

$result = $mysqli->query($q);

while ($row = $result->fetch_

➝

object( )) {

// U s e $ r o w -> u s e r _ i d

// U s e $ r o w ->f i r s t _ n a m e

}

Once you’re done with the results, you

should free the resources they required:

$result->free( );

Let’s take this information to update

view_users.php

(Script 9.6).

Fetching Results

The previous section demonstrated how

to execute “simple” queries, which is how

I categorize queries that don’t return rows

of results. When executing

SELECT

queries,

the code is a bit different, as you have

to handle the query’s results. First, after

establishing the

MySQLi

object, you run the

query on the database using the

query( )

method. If the query is expected to return a

result set, assign the results of the method

invocation to another variable:

$q = 'SELECT * FROM tablename';

$result = $mysqli->query($q);

The

$result

variable will be an object

of type

MySQLi_Result

: just as some

functions return a string or an integer,

MySQLi::query( )

will return a

MySQLi_

Result

object. Its

num_rows

property will

reflect the number of records in the query

result:

if ($result->num_rows > 0) {

➝

// H a n d l e t h e r e s u l t s.

If you have only one row returned by the

query, you can just call the

fetch_array( )

method to get it:

$row = $result->fetch_array( );

This method, like the procedural

mysqli_

fetch_array( )

counterpart, takes a

constant as an optional argument to

indicate whether the returned row should

ptg6935296

506 Chapter 16

To retrieve query results:

1. Open

view_users.php

(Script 9.6) in

your text editor or IDE.

2. Change the inclusion of the MySQL

connection script to (Script 16.3):

require ('../mysqli_oop_connect.php');

Again, the path needs to be correct for

your setup.

3. Change the execution of the query to

(originally line 14):

$r = $mysqli->query($q);

Regardless of the type of query being

executed, the same

MySQLi::query( )

method is called. Here, though, the

results of executing the query are

assigned to a new variable, which will

be an object of type

MySQLi_Result

For brevity, I’m calling this variable just

, but you can use the more formal

$result

, if you’d prefer.

4. Alter how the number of returned rows

is determined to (line 17 of the original

script):

$num = $r->num_rows;

The result object’s

num_rows

property

reflects the number of records returned

by the query. This value is assigned to

the variable

$num

, as before.

Note that this is a

property

, not

method

(it’s

$r->num_rows

, not

$r->num_rows( )

5. Change the

while

loop to read:

while ($row = $r->fetch_object( )) {

The change here is that the

MySQLi_

Result

object’s

fetch_object( )

function is called instead of invoking

mysqli_fetch_array( )

Script 16.3 The

MySQLi

and

MySQLi_Result

classes are used in this script to fetch records

from the database.

1 <?php # Script 16.3 - view_users.php

2 // This script retrieves all the records

from the users table.

3 // This is an OOP version of the script

from Chapter 9.

5 $page_title = 'View the Current Users';

6 include ('inclu des/header.html');

8 // Page header:

9 echo '< h 1 > R e g i s t e r e d Users</h1>';

11 require ('../mysqli_oop_connect.php');

// C o n n e c t t o t h e d b.

13 // Make the query:

14 $q = "SELECT CONCAT(last_name, ', ',

first_name) AS name, DATE_FORMAT

(registration_date, '%M %d, %Y')

AS dr FROM users ORDER BY

registration_date ASC";

15 $r = $mysqli->query($q); // Run the

query.

17 // Count the number of returned rows:

18 $num = $r->num_rows;

20 if ($nu m > 0) { // If it ran OK, display

the records.

22 // Print how many users there are:

23 echo "<p >T h e r e are currently $num

registered users.</p>\n";

25 // Table header.

26 echo '< t a b l e align="center"

cellspacing="3" cellpadding="3"

width="75%">

27 <tr><td align="left"><b>Name</b>

</td><td align="left"><b>Date

Registered</b></td></tr>

28 ';

30 // Fetch and print all the records:

31 while ($row = $r->fetch_object( )) {

32 echo '<tr><td align="left">' .

$row->name . '</td><td align=

"left">' . $row->dr . '</td></tr>

33 ';

34 }

code continues on next page

ptg6935296

An OOP Primer 507

6. Within the

while

loop, change how

each column’s value is printed:

echo '<tr><td align="left">' .

➝

$row->name . '</td><td align=

➝

"left">' . $row->dr . '</td></tr>

Since the

$row

variable is now an

object, object notation, instead of array

notation, must be used to refer to the

columns in each row:

$row->name

and

$row->dr

instead of

$row['name']

and

$row['dr']

7. Change how the resources are freed:

$r->free( );

unset($r);

To free the memory taken by the

returned results, call the

MySQLi_Result

object’s

free( )

method. Furthermore,

since that object won’t be used

anymore in the script, it can be unset.

8. Update how the database connection

is closed:

$mysqli->close( );

unset($mysqli);

9. Save the script, place it in your Web

directory, and test it in your Web

browser E.

The real benefit of using the

fetch_

object( )

method is that you can have the

results fetched as a particular type of object.

For example, say you have defined a

Car

class

in PHP and a script fetches all of the stored

information about cars from the database. In

the PHP script, each record can be fetched as

an object of

Car

class type. By doing so, you’ll

have created a PHP

Car

object, whose data is

populated from the database record, but can

still invoke the methods of the

Car

class.

E The object-oriented version of

view_users.php

(Script 16.3) looks the same as the original pro-

cedural version.

Script 16.3 continued

36 echo '< / t a b l e >'; // Close the table.

38 $r->free( ); // Fr e e u p t h e

resources.

39 unset($r);

41 } else { // If no records were returned.

43 echo '< p class="error">There are

currently no registered users.</p>';

45 }

47 // Close the database connection.

48 $mysqli->close( );

49 unset($mysqli);

51 include ('in cludes/fo oter.html');

52 ?>

ptg6935296

508 Chapter 16

Prepared Statements

Chapter 13 introduced another way of execut-

ing queries: using

prepared statements

. Pre-

pared statements can offer improved security,

and possibly even better performance, over

the standard approach to running queries.

Naturally, you can execute prepared state-

ments using the MySQL Improved extension

as objects. The steps are the same: after

creating a

MySQLi

object (and therefore a

connection to the database), you

Prepare the query

Bind the parameters

Execute the query

In actual code that looks like:

$q = 'INSERT INTO tablename (this,

➝

that) VALUES (?, ?)';

$stmt = $mysqli->prepare($q);

$stmt->bind_param('si', $this, $that);

$this = 'Larry';

$that = 234;

$stmt->execute( );

The

MySQLi::prepare( )

method returns

an object of type

MySQLi_STMT

. That object

has a few key properties:

affected_rows

stores how many rows

were affected by the statement, nor-

mally applicable to

INSERT

UPDATE

, and

DELETE

queries.

num_rows

reflects the number of records

in the result set for a

SELECT

query.

insert_id

stores the automatically

generated ID value for the previous

INSERT

query.

error

represents any error that might

have occurred.

Once you’re done executing the prepared

statement, you should close the statement:

$stmt->close( );

Let’s apply this information by updating

post_message.php

(Script 13.6). This is

a stand-alone script that uses the

forum

database and isn’t, in Chapter 13 or this

chapter, tied to any other scripts.

To execute prepared statements:

1. Open

post_message.php

(Script 13.6) in

your text editor or IDE.

2. Change the creation of the database

connection to (Script 16.4):

$mysqli = new MySQLi('localhost',

➝

'user name', 'password', 'foru m');

$mysqli->set_charset('utf8');

The previous version of the script did

not use a separate connection script,

and neither will this one. Make sure

your values are correct for connecting

to the

forum

database on your server.

3. Alter the preparation of the query to

read (line 21 of the original script):

$stmt = $mysqli->prepare($q);

The

MySQLi::prepare( )

method pre-

pares a statement, taking the query as its

lone argument. It returns an object of type

MySQLi_STMT

, assigned to

$stmt

here.

4. Change the binding of parameters to:

$stmt->bind_param('iiiss',

➝

$forum_id, $parent_id, $user_id,

➝

$subject, $body);

This code change is simply from

mysqli_stmt_bind_param($stmt…

$stmt->bind_param(…

The method’s first

argument is an indicator of the data types

to follow. The subsequent arguments are

the PHP variables to which the query’s

placeholders are bound.

5. Update the execution of the statement to:

$stmt->execute( );

continues on page 510

ptg6935296

An OOP Primer 509

Script 16.4 In this version of a script from Chapter

13, the

MySQLi_STMT

class is used to execute a

prepared statement.

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML

1.0 Transitional//EN" "http://www.w3.org/

TR/xhtml1/DTD/xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/

xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type"

content="text/html; charset=utf-8" />

5 <title>Post a Message</title>

6 </head>

7 <body>

8 <?php # Script 16.4 - post_message.php

9 // This is an OOP version of the script

from Chapter 13.

11 if ($_SERVER['REQUEST_METHOD'] = = 'POST') {

13 // Validate the data (omitted)!

15 // Connect to the database:

16 $mysqli = new MySQLi('localhost',

'userna m e', 'passw ord', 'for um');

17 $mysqli->set_charset('utf8');

19 // Make the query:

20 $q = 'INSERT INTO messages (foru m _id,

parent_id, user_id, subject, body,

date_entered) VALUES (?, ?, ?, ?, ?,

NOW( ))';

22 // Prepare the statement:

23 $stmt = $mysqli->prepare($q);

25 // Bind the variables:

26 $stmt->bind_param('iiiss',

$forum_id, $parent_id, $user_id,

$subject, $body);

28 // Assign the values to variables:

29 $forum_id = (int) $_POST['for um_id'];

30 $parent_id = (int) $_POST['parent_id'];

31 $user_id = 3; // The user_id value

would normally come from the session.

32 $subject = strip_tags($_POST

['subject']);

33 $body = strip_tags($_POST['body']);

35 // Execute the query:

36 $stmt->execute( );

Script 16.4 continued

38 // Print a message based upon the

result:

39 if ($stmt->affected_rows = = 1) {

40 echo '< p >Y o u r message has been

posted.</p>';

41 } else {

42 echo '< p style="font-weight: bold;

color: #C00">Your message could

not be posted.</p>';

43 echo '<p>' . $stmt->error . '</p>';

44 }

46 // Close the statement:

47 $stmt->close( );

48 unset($stmt);

50 // Close the connection:

51 $mysqli->close( );

52 unset($mysqli);

54 } // End of submission IF.

56 // Display the form:

57 ?>

58 <form action="post_message.php"

method="post">

60 <fieldset><legend>Post a message:

</legend>

62 <p><b>Subject</b>: <input

name="subject" type="text" size="30"

maxlength="100" /></p>

64 <p><b>Body</b>: <textarea name="body"

rows="3" cols="40"></textarea></p>

66 </fieldset>

67 <div align="center"><input

type="submit" name="submit"

value="Submit" /></div>

68 <input type="hidden" name="forum_id"

value="1" />

69 <input type="hidden" name="parent_id"

value="0" />

71 </form>

72 </body>

73 </html>

ptg6935296

510 Chapter 16

6. Change the conditional that tests the

success to:

if ($stmt->affected_rows = = 1) {

To con f i rm t he s uc c e ss o f a n

INSERT

query, check the number of affected

F The HTML form for posting a new message.

G The new message has been successfully

stored in the database.

Outbound Parameters

As in Chapter 13, the

post_message.php

script is a demonstration of using

inbound

parameters: associating placeholders in

a query with PHP variables. You can also

use

outbound

parameters: binding the

values returned by a query to PHP vari-

ables. To start, you prepare the query:

$q = 'SELECT this, that FROM

➝

tablename';

$stmt = $mysqli->prepare($q);

Then you bind the returned rows to

variables:

$stmt->bind_result($this, $that);

Next, you call the

MySQLi_STMT::fetch( )

method, most likely as part of a

while

loop:

while ($stmt->fetch( )) {

}

Within the

while

loop,

$this

and

$that

will store each record’s returned columns.

Outbound parameters don’t offer added

security, like inbound parameters, or

necessarily better performance, but if

you have a query that uses prepared

statements, it would make sense to use

both inbound and outbound parameters.

For example, take a login query:

SELECT user_id, first_name

➝

FROM users WHERE email='?' AND

➝

pass=SHA1('?')

You would use inbound parameters to

represent the submitted email address

and password but use outbound param-

eters for the retrieved user ID and first

name from that same query.

rows, here referencing the

affected_

rows

property of the

MySQLi_STMT

object.

7. Change the error reporting to use:

echo '<p>' . $stmt->error . '</p>';

At this point in the script, an error would

most likely be because of something like

using a duplicate value for a column that

must be unique. If there was a syntacti-

cal error in the query, that would be in

$mysqli->error

after preparing the query.

8. Update how the statement is closed:

$stmt->close( );

unset($stmt);

9. Alter how the database connection

is closed:

$mysqli->close( );

unset($mysqli);

10. Save the script, place it in your Web

directory, and test it in your Web

browser F and G.

ptg6935296

An OOP Primer 511

Exceptions are a topic not previously

introduced. Whereas procedural code may

generate errors, objects

throw exceptions

(yes, it’s said that they’re

thrown

). When

you get further along with OOP, you’ll learn

how to use

try…catch

blocks to “catch”

and handle thrown exceptions.

The

DateTime

constructor takes an

optional second argument, which is the

time zone to use. If not provided, the

default time zone for that PHP installation

applies. You can also change the time zone

after the fact, using

setTimezone( )

. Note

that both the

setTimezone( )

method, and

the constructor, take

DateTimeZone

objects

as arguments, not strings:

$tz = new DateTimeZone('America/

➝

New_York');

$dt->setTimezone($tz);

Once you have a

DateTime

object, you

can manipulate its value by adding and

subtracting time periods. One way to do

so is the

modify( )

method:

$dt->modify('+1 day');

$dt->modify('-1 month');

$dt->modify('next Thursday');

The values you can provide to the method

are quite flexible, and correspond to

those that are usable in the

strtotime( )

function (which converts a string to a

timestamp; see the PHP manual for details).

The

add( )

method is used to add a time

period to the represented date and time.

continues on next page

A Attempting to

create a

DateTime

object with an invalid

date or time results in

an exception.

The DateTime Class

Added in version 5.2 of the language is the

DateTime

class. An alternative to the date-

and time-related functions introduced in

Chapter 11, “Web Application Development,”

the

DateTime

class packages together all the

functionality you might need for manipulat-

ing dates and times. It’s especially useful for

converting and comparing dates and times.

To begin, create a new

DateTime

object:

$dt = new DateTime( );

If created without providing any arguments to

the constructor, the generated

DateTime

argu-

ment will represent the current date and time.

To cr e a t e a r e p re s e n ta t i o n o f a sp e c i fi c d a te

and time, provide that as the first argument:

$dt = new DateTime('2011-04-20');

$dt = new DateTime('2011-04-20 11:15');

There are many acceptable formats for

specifying the date and time, detailed in

the PHP manual. You can also establish the

date or time after creating the object using

the

setDate( )

and

setTime( )

methods.

The

setDate( )

method expects to receive,

in order, the desired year, month, and day.

The

setTime( )

method takes the hour, min-

ute, and optional seconds, as its arguments:

$dt = new DateTime( );

$dt->setDate(2001, 4, 20);

$dt->setTime(11, 15);

The

DateTime

object will only allow you to

establish valid dates and times, throwing

exception

for invalid ones A:

$dt = new DateTime('2011-13-42');

ptg6935296

512 Chapter 16

It takes as its lone argument an object of

type

DateInterval

$di = new DateInterval(interval);

$dt->add($di);

There’s a specific notation used to set the

interval, always starting with the letter

for “period.” After that, add an integer and

a period designator:

, for years;

, for

months;

, for days;

, for weeks;

, for

hours;

, for minutes; and

, for seconds.

Yo u m a y w o n d e r h o w t h e l e t t e r

can

represent both months and minutes: this

is possible because hours, minutes, and

seconds should also be preceded by a

, for

time. These characters should be combined

in order from largest to smallest (i.e., from

years to seconds). Here are some examples:

n P3W

represents three weeks

n P2Y3M

represents two years and

three months

n P2M3DT4H18M43S

represents

two months, three days, four hours,

18 minutes, and 43 seconds

The

sub( )

method functions just the same

add( )

, but subtracts the time period

from the object:

$di = new DateInterval('P2W');

➝

// 2 w e e k s

$dt->sub($di);

B A simple form for entering two dates, with the

format specified. C If two valid dates are submitted, with the ending

date being after the starting date, the dates are

displayed again, along with the calculated interval.

The

diff( )

method returns a

DateInterval

object that reflects the amount of time

between two

DateTime

objects:

$diff = $dt->diff($dt2);

The

DateInterval

class defines several

properties for representing the calculated

interval:

for years,

for months,

for days,

for hours,

for minutes,

for seconds,

and

days

, which also represents days.

The last

DateTime

class method you should

be familiar with is

format( )

, which returns the

represented date formatted as you want it:

echo $dt->format(format);

For the formatting, you can use the same

characters as the

date( )

function, covered

in Chapter 11.

To demonstrate all of this informa tion, this

next script will perform a task needed by

many Web sites: allow the user to enter

two dates to create a range B. This script

will perform top-quality validation of the

submitted dates, and calculate the number

of days between them C. The information

presented could easily be applied to, say,

a hotel registration system or the like. The

script will use much of the information

just presented, and even do a straight

comparison of two

DateTime

objects, a

feature possible since PHP 5.2.2.

ptg6935296

An OOP Primer 513

To use the DateTime class:

1. Begin a new PHP script in your text edi-

tor or IDE, to be named

datetime.php

starting with the HTML (Script 16.5):

<!DOCTYPE ht ml PUBLIC "-//W3C//

➝

DTD XHTML 1.0 Transitional//EN"

➝

"http://www.w3.org/TR/xhtml1/DTD/

➝

xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/

➝

1999/xhtml" xml:lang="en"

➝

lang="en">

<head>

➝

content="text/html;

➝

charset=utf-8" />

<title>DateTime Usage</title>

2. Add a splash of CSS:

➝

media="screen">

body {

font-family: Verdana, Arial,

➝

Helvetica, sans-serif;

font-size: 12px;

margin: 10px;

}

label { font-weight: bold; }

.error { color: #F00; }

</style>

Only the

error

class here is significant in

terms of the functionality. It will format

error messages in red text.

3. Complete the head and begin the body

and the PHP section:

</head>

<body>

<?php # Script 16.5 - dateti m e.php

continues on page 515

Script 16.5 Emulating common date selection

functionality, this script accepts and validates

two dates.

1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML

1.0 Transitional//EN" "http://www.w3.org/

TR/xhtml1/DTD/xhtml1-transitional.dtd">

2 <html xmlns="http://www.w3.org/1999/

xhtml" xml:lang="en" lang="en">

3 <head>

4 <meta http-equiv="Content-Type"

content="text/html; charset=utf-8" />

5 <title>DateTime Usage</title>

6 <style type="text/css" media="screen">

7 body {

8 font-family: Verdana, Arial,

Helvetica, sans-serif;

9 font-size: 12px;

10 margin: 10px;

11 }

12 label { font-weight: bold; }

13 .error { color: #F00; }

14 </style>

15 </head>

16 <body>

17 <?php # Script 16.5 - datetime.php

19 // Set the start and end date as today

and tomorrow by default:

20 $start = new DateTime( );

21 $end = new DateTime( );

22 $end->modify('+1 day');

24 // Default format for displaying dates:

25 $format = 'm/d/Y';

27 // This function validates a provided

date string.

28 // The function returns an array--month,

day, year--if valid.

29 function validate_date($date) {

31 // Break up the string into its parts:

32 $date_array = explode('/', $date);

34 // Return FALSE if there aren't 3 items:

35 if (cou nt($date_ array) != 3) return

false;

code continues on next page

ptg6935296

514 Chapter 16

Script 16.5 continued

37 // Return FALSE if it's not a valid date:

38 if (!c h e ck da te($ d at e_ a r r ay[0], $date_array[1], $date_array[2])) return false;

40 // Return the array:

41 return $date_array;

43 } // End of validate_date( ) function.

45 // Check for a form submission:

46 if (isset($_POST['star t'], $_POST['end'])) {

48 // Call the validation function on both dates:

49 if ( (list($sm, $sd, $sy) = validate_date($_POST['start'])) && (list($em, $ed, $ey) =

validate_date($_POST['end'])) ) {

51 // If it's okay, adjust the DateTime objects:

52 $start->setDate($sy, $sm, $sd);

53 $end->setDate($ey, $em, $ed);

55 // The start date must come first:

56 if ($star t < $end) {

58 // Determine the interval:

59 $interval = $start->diff($end);

61 // Print the results:

62 echo "< p>T h e event has been planned starting on {$start->format($for m at)} and ending

on {$en d->for mat($form at)}, which is a period of $interval->days day(s).</p>";

64 } else { // End date must be later!

65 echo '< p class="error">The starting date must precede the ending date.</p>';

66 }

68 } else { // An invalid date!

69 echo '< p class="error">One or both of the submitted dates was invalid.</p>';

70 }

72 } // End of form submission.

74 // Show the form:

75 ?>

76 <h2>Set the Start and End Dates for the Thing</h2>

77 <form action="datetime.php" method="post">

79 <p><label for="start_date">Start Date:</label> <input type="text" name="start_date"

value="<?php echo $start->format($format); ?>" /> (MM/DD/YYYY)</p>

80 <p><label for="end_date">End Date:</label> <input type="text" name="end_date" value="<?php

echo $end->format($format); ?>" /> (MM/DD/YYYY)</p>

82 <p><input type="submit" value="Submit" /></p>

83 </form>

84 </body>

85 </html>

ptg6935296

An OOP Primer 515

DateTime

object) as its lone argument.

The string will be the user-submitted

value, something like

08/02/2011

. The

first thing the function does is break

up the string into its three separate

parts—month, day, and year—using the

explode( )

function. The resulting array

is assigned to the

$array

variable.

8. If the array does not contain three

elements, return

false

if (count($array) != 3) return

➝

false;

The first thing the function does is confirm

that it has exactly three discrete values

to work with, representing a month, day,

and year. If the array does not contain

three elements, the function returns the

value

false

to indicate an invalid date.

The

explode( )

line in Step 7 and this

line invalidates any submitted value that

doesn’t fit the pattern

X/Y/Z

(although

that could still be

cat/dog/zebra

Note that normally I would recom-

mend always using curly brackets in

conditionals, but I’ve made this code as

short as possible by omitting them, and

keeping the entire construct on a single

line. Also remember that as soon as a

function executes a

return

statement,

the function is exited.

9. If the provided date isn’t a valid date,

return

false

if (!checkdate($array[0],

➝

$array[1], $array[2])) return

➝

false;

Similar to Step 8, this code invokes PHP’s

checkdate( )

function to confirm that the

provided date actually exists. If the date

does not exist, such as

13/43/2011

, the

function again returns

false

continues on next page

4. Create two

DateTime

objects:

$start = new DateTime( );

$end = new DateTime( );

Whether the form has been submitted

or not, two

DateTime

objects are

first created, both of which will be

instantiated using the current date and

time. Subsequently, one or both objects

will be assigned new values.

5. Add one day to the end date:

$end->modify('+1 day');

By default, when the page is first

loaded, the form will be preset with

today as the starting date and tomorrow

as the ending date. To determine the

ending date, simply modify the object’s

current value, adding one day.

Using the

DateInterval

object and the

DateTime::add( )

method, the same

thing can be done like so:

$day = new DateInterval('P1D');

$end->add($day);

6. Establish the default format for dis-

played dates:

$format = 'm/d/Y';

The script will display a formatted

version of the date in four places.

Assigning the preferred format—

MM/DD/YYYY

—to a variable makes

it easier to change later, if desired.

7. Begin defining a function:

function validate_date($date) {

$array = explode('/', $date);

Both submitted dates will need to be

validated in a couple of ways, and

whenever you have repeating code in a

script or application, defining a function

to execute that code may make sense.

This function takes a date string (not a

ptg6935296

516 Chapter 16

10. Return the date array and complete

the function:

return $array;

} // End of validate_date( )

➝

function.

If the provided date is of the correct

format and corresponds to an existing

date, the array of date elements is

returned by the function.

11. If the form has been submitted, validate

the user-submitted values:

if (isset($_POST['start'],

➝

$_POST['end'])) {

if ( (list($sm, $sd, $sy) =

➝

validate_date($_POST['start']))

➝

&& (list($em, $ed, $ey) =

➝

validate_date($_POST['end'])) ) {

If the two variables are set, meaning the

form has been submitted, both are run

through the

validate_date( )

function.

If that function returns

FALSE

for either

date, this conditional will be

FALSE

. If the

function returns an array for both dates,

assigned to corresponding month, day,

and year variables, then the results can

be determined and displayed.

12. Reset the dates to the user-submitted

dates:

$start->setDate($sy, $sm, $sd);

$end->setDate($ey, $em, $ed);

Because the provided dates are valid at

this point, both objects can be updated

to represent the user-entered dates. To

do so, the

setDate( )

method is invoked,

providing it with the individual values.

13. If the end date comes after the start date,

calculate the interval between them:

if ($start < $end) {

$interval = $start->diff($end);

Just as you can compare two num-

bers to see if one is greater than or

less than the other, you can compare

two

DateTime

objects. If the end date

does come later, then the difference

between the two dates is calculated by

invoking the

diff( )

method on one

object and providing the other as its

argument. The result is assigned to the

$interval

variable, which will be an

object of type

DateInterval

14. Print the results:

echo "<p>The event has been

➝

planned starting on {$start->

➝

format($format)} and ending on

➝

{$end->format($format)}, which

➝

is a period of $interval->days

➝

day(s).</p>";

Finally, the results are displayed C.

As you can see, it’s possible to invoke

object methods within quotation marks,

thereby printing the output of that

function call, but you have to wrap

the whole construct in curly brackets.

Referencing attributes, such as

$interval->days

, does not require

the curly brackets.

15. Complete the conditionals begun in

Steps 11 and 13:

} else { // End date must be

➝

later!

echo '<p class="error">The

➝

starting date must precede

➝

the ending date.</p>';

}

} else { // An invalid date!

echo '<p class="error">One or

➝

both of the submitted dates

➝

was invalid.</p>';

}

The first

else

clause applies if both

dates are valid, but the end date does

ptg6935296

An OOP Primer 517

18. Complete the form and the HTML page:

<p><input type="submit"

value="Submit" /></p>

</form>

</body>

</html>

19. Save the script as

datetime.php

, place

it in your Web directory, and test it in

your Web browser.

If, when you run this script, you see

an exception about relying upon the

system’s time zone setting, invoke

date_default_timezone_set( )

as explained in Chapter 11, prior to

creating the

DateTime

objects.

The

DateTime::getTimestamp( )

method returns the Unix timestamp for the

represented date and time.

Internally, the

DateTime

class represents

the dates and times as a 64-bit number, mean-

ing it can represent dates from approximately

292 billion years ago to 292 billion years

from now.

Several constants in the

DateTime

class

represent common date-time formats, such as

DateTime::COOKIE

The

DateTime

methods are also

represented in procedural versions.

D The result if the provided starting date actually

follows the entered ending date.

E The result if either submitted date does not

correspond to a valid date.

not follow the start date D. The second

else

clause applies if either of the sub-

mitted dates does not pass the

vali-

date_date( )

test. In this case, both

dates will retain the default settings E.

16. Complete the form submission condi-

tional, close the PHP block, and begin

the HTML form:

} // End of form submission.

<h2>Set the Start and End Dates

➝

for the Thing</h2>

<form action="datetime.php"

➝

method="post">

17. Create the two inputs for the dates:

<p><label for="start">Start

➝

Date:</label> <input type="text"

➝

name="start" value="<?php echo

➝

$start->format($format); ?>" />

➝

(MM/DD/YYYY)</p>

<p><label for="end">End Date:

➝

</label> <input type="text"

➝

name="end" value="<?php echo

➝

$end->format($format); ?>" />

➝

(MM/DD/YYYY)</p>

For each input, the value is preset by

calling the

format( )

method of the

associated object. The required format

that the date needs to be entered in is

also indicated in parentheticals.

ptg6935296

518 Chapter 16

Review and Pursue

If you have any problems with the

review questions or the pursue prompts,

turn to the book’s supporting forum

(

www.LarryUllman.com/forums/

Review

What is a

class

? What is a

method

What are variables defined within

classes called?

What is an object? How do you create

an object in PHP? How do you call an

object’s methods?

What is a

constructor

What is the syntax for creating a

MySQLi

object?

How do you execute any kind of query

using

MySQLi

How do you make string data safe to

use in a query, when using

MySQLi

Hint: there are two answers.

How do you check for, and display, a

MySQLi

error?

How do you fetch the results of

SELECT

queries using the

MySQLi

(and other)

objects? What is the difference between

using

MySQLi_Result::fetch_array( )

and

MySQLi_Result::fetch_object( )

How do you execute a prepared

statement using the

MySQLi

and

MySQLi_STMT

classes?

What syntax is used to create a new

DateTime

object? What are the two

ways you can set the object’s date

and/or time?

What is an

exception

Pursue

When you’re interested in learning

more about OOP, consider reading a

book or tutorial on the generic subject

of OOP, without respect to any given

programming language.

Check out the PHP manual’s documen-

tation on OOP in PHP (

www.php.net/oop

Revisit Chapter 9 if you’re unclear as

to the need to apply

real_escape_

string( )

to string data used in queries.

Rewrite some of the other scripts from

Chapter 9, “Using PHP with MySQL,”

and Chapter 10, “Common Program-

ming Techniques,” using

MySQLi

Read through the full documentation for

the

DateTime

class in the PHP manual

(

www.php.net/datetime

Learn about the

strtotime( )

function in the PHP manual

(

www.php.net/strtotime

If you want a big challenge, apply the

information presented in the previous

chapter, along with the jQuery UI

Datepicker

tool, to create two nice,

JavaScript date selectors for the

datetime.php

script.

ptg6935296

The functionality of a message board (aka

a forum) is really rather simple: a post can

either start a new topic or be in response

to an existing one; posts are added to a

database and then displayed on a page.

That’s really about it. Of course, sometimes

implementing simple concepts can be

quite hard!

To make this exa mple even more excit-

ing and useful, it’s not going to be just a

message board but rather a

multilingual

message board. Each language will have

its own forum, and the key elements—

navigation, prompts, introductory text,

etc.—will be language-specific.

In order to focus on the most important

aspects of this Web application, this chap-

ter omits some others. The three glaring

omissions will be: user management, error

handling, and administration. This shouldn’t

be a problem for you, though, as the next

chapter goes over user management and

error handling in great detail. As for the

administration, you’ll find some recommen-

dations at the chapter’s end.

Example—

Message Board

In This Chapter

Making the Database 520

Creating the Index Page 537

Creating the Forum Page 538

Creating the Thread Page 543

Posting Messages 548

Review and Pursue 558

ptg6935296

520 Chapter 17

Making the Database

The first step, naturally, is to create the

database. A sample message board

database A is developed in Chapter 6,

“Database Design.” Although that database

is perfectly fine, a variation on it will be used

here instead B. I’ll compare and contrast

the two to better explain the changes.

To start, the

forums

table is replaced with a

languages

table. Both serve the same pur-

pose: allowing for multiple forums. In this

new database, the topic—

PHP and MySQL

for Dynamic Web Sites

—will be the same

in every forum, but each forum will use a

different language. The posts will differ

in each forum (this won’t be a translation

A The model for the

forum

database developed in Chapter 6.

B The revised model for the forum database to be used in this chapter.

of the same forum in multiple languages).

The

languages

table stores the name

of a language in its own alphabet and in

English, for the administrator’s benefit (this

assumes, of course, that English is the

administrator’s primary language).

The

threads

table in the new database

acts like the

messages

table in the old

one, with one major difference. Just as

the old

messages

table relates to

forums

threads

relates to the

languages

and

users

tables (each message can only be in one

forum and by one user; each forum can

have multiple messages, and each user

can post multiple messages). However, this

threads

table will only store the subject, not

the message itself. There are a couple of

ptg6935296

Example—Message Board 521

Those three tables provide the bulk of the

forum functionality. The database also needs

users

table. In this version of the forum,

only registered users can post messages,

which I think is a really, really, really good

policy (it cuts way down on spam and hack

attempts). Registered users can also have

their default language (from the

languages

table) and time zone recorded along with

their account information, in order to give

them a more personalized experience. A

combination of their username and pass-

word would be used to log in.

The final table,

words

, is necessary to

make the site multilingual. This table will

store translations of common elements:

navigation links, form prompts, headers,

and so forth. Each language in the site will

have one record in this table. It’ll be a nice

and surprisingly easy feature to use. Argu-

ably, the words listed in this table could

also go in the

languages

table, but then

the implication would be that the words

are also related to the

threads

table, which

would not be the case.

That’s the thinking behind this new data-

base design. You’ll learn more as you create

the tables in the following steps. As with

the other examples in this book, you can

also download the SQL necessary for this

chapter—the commands suggested in these

steps, plus more—from the book’s corre-

sponding Web site (

www.LarryUllman.com

C How the relationship

among messages was

indicated using the older

database schema.

reasons for this change. First, having a sub-

ject repeat multiple times with each reply

(replies, in my experience, almost always

have the same subject anyway) is unneces-

sary. Second, the same goes for the

lang_id

association (it doesn’t need to be in each

reply as long as each reply is associated

with a single thread). Third, I’m changing

the way a thread’s hierarchy will be indi-

cated in this database (you’ll see how in the

next paragraph), and changing the table

structures helps in that regard. Finally, the

threads

table will be used every time a user

looks at the posts in a forum. Removing the

message bodies from that table will improve

the performance of those queries.

Moving on to the

posts

table, its sole

purpose is to store the actual bodies of

the messages associated with a thread. In

Chapter 6’s database, the

messages

table

had a

parent_id

column, used to indicate

the message to which a new message was

a response. It was hierarchical: message 3

might be the starting post; message 18 might

be a response to 3, message 20 a response

to 18, and so on C. That version of the data-

base more directly indicated the responses;

this version will only store the thread that a

message goes under: messages 18 and 20

both use a

thread_id

of 3. This alteration will

make showing a thread much more efficient

(in terms of the PHP and MySQL required),

and the date/time that each message was

posted can be used to order them.

ptg6935296

522 Chapter 17

To make the database:

1. Access your MySQL server and set the

character set to be used for communi-

cating D:

CHARSET utf8;

I’ll be using the mysql client in the

figures, but you can use whatever

interface you’d like. The first step,

though, has to be changing the

character set to UTF-8 for the queries

to come. If you don’t do this, some of

the characters in the queries will be

stored as gibberish in the database

(see the sidebar “Strange Characters”).

Note that if you’re using phpMyAdmin,

you’ll need to establish the character

set in its configuration file.

Strange Characters

If, when you’re implementing this

chapter’s example, you see strange

characters—boxes, numeric codes,

or question marks instead of actual

language characters—there might be

several reasons why. When this hap-

pens, the underlying issue is one of

mismatching encodings

(or, in data-

base terms,

character sets

A computer’s ability to display a charac-

ter depends on both the file’s encoding

and the characters (i.e., fonts) supported

by the operating system. This means

that every PHP or HTML page must use

the proper encoding. Secondarily, the

database in MySQL must use the proper

encoding (as indicated in the steps for

creating the database). Third, and this

can be a common cause of problems,

the communication between PHP

and MySQL must also use the proper

encoding. I address this issue in the

mysqli_connect.php

script (see the first

tip). Finally, if you use the mysql client,

phpMyAdmin, or another tool to populate

the database, that interaction must use

the proper encoding, too.

D In order to use Unicode data in queries, you need to change the character set used to

communicate with MySQL.

ptg6935296

Example—Message Board 523

the

CHARACTER SET utf8

clause to each

table definition (Steps 3 through 7).

3. Create the

languages

table F:

CREATE TABLE languages (

lang_id TINYINT UNSIGNED NOT NULL

➝

AUTO_INCREMENT,

lang VARCHAR(60) NOT NULL,

lang_eng VARCHAR(20) NOT NULL,

PRIMARY KEY (lang_id),

UNIQUE (lang)

);

This is the simplest table of the bunch.

There won’t be many languages repre-

sented, so the primary key (

lang_id

) can

be a

TINYINT

. The

lang

column is defined

a bit larger, as it’ll store characters in

other languages, which may require

more space. This column must also be

unique. Note that I don’t call this column

“language,” as that’s a reserved keyword

in MySQL (actually, I

could

still call it that,

and you’ll see what would be required to

do that in Step 7). The

lang_eng

column

is the English equivalent of the language

so that the administrator can easily see

which languages are which.

continues on next page

E Creating and

selecting the database

for this example. This

database uses the

UTF-8 character set,

so that it can support

multiple languages.

F Creating the

languages

table.

2. Create a new database E:

CREATE DATABASE forum2 CHARACTER

➝

SET utf8;

USE forum2;

So as not to muddle things with the

tables created in the original

forum

database (from Chapter 6), a new

database will be created.

If you’re using a hosted site and cannot

create your own databases, use the

database provided for you and select

that. If your existing database has

tables with these same names—

words

languages

threads

users

, and

posts

rename the tables (either the existing or

the new ones) and change the code in

the rest of the chapter accordingly.

Whether you create this database from

scratch or use a new one, it’s very

important that the tables use the UTF-8

encoding, in order to be able to sup-

port multiple languages (see Chapter

6 for more). If you’re using an existing

database and don’t want to potentially

cause problems by changing the char-

acter set for all of your tables, just add

ptg6935296

524 Chapter 17

4. Create the

threads

table G:

CREATE TABLE threads (

thread_id INT UNSIGNED NOT NULL

➝

AUTO_INCREMENT,

lang_id TINYINT(3) UNSIGNED NOT

➝

NULL,

user_id INT UNSIGNED NOT NULL,

subject VARCHAR(150) NOT NULL,

PRIMARY KEY (thread_id),

INDEX (lang_id),

INDEX (user_id)

);

The

threads

table contains four

columns and relates to both the

languages

and

users

tables (through

the

lang_id

and

user_id

foreign keys,

respectively). The

subject

here needs

to be long enough to store subjects in

multiple languages (characters take up

more bytes in non-Western languages).

G Creating the

threads

table. This table stores the topic subjects

and associates them with a language (i.e., a forum).

H Creating the

posts

table, which links to both threads and users.

The columns that will be used in joins

and

WHERE

clauses—

lang_id

and

user_id

—are indexed, as is

thread_id

(as a primary key, it’ll be indexed).

5. Create the

posts

table H:

CREATE TABLE posts (

post_id INT UNSIGNED NOT NULL

➝

AUTO_INCREMENT,

thread_id INT UNSIGNED NOT NULL,

user_id INT UNSIGNED NOT NULL,

message TEXT NOT NULL,

posted_on DATETIME NOT NULL,

PRIMARY KEY (post_id),

INDEX (thread_id),

INDEX (user_id)

);

The main column in this table is

mes-

sage

, which stores each post’s body.

Two columns are foreign keys, tying

into the

threads

and

users

tables. The

ptg6935296

Example—Message Board 525

For the sake of brevity, I’m omitting

some of the other columns you’d put

in this table, such as registration date,

first name, and last name. For more on

creating and using a table like this, see

the next chapter.

In my thinking about this site, I expect

users will select their preferred lan-

guage and time zone when they

personalized experience. They can also

have a username, which will be dis-

played in posts (instead of their email

address). Both the username and the

email address must be unique, which is

something you’d need to address in the

registration process.

continues on next page

I Creating a bare-bones version of the

users

table.

posted_on

column is of type

DATETIME

but will use UTC (Coordinated Universal

Time, see Chapter 6). Nothing special

needs to be done here for that, though.

6. Create the

users

table I:

CREATE TABLE users (

user_id MEDIUMINT UNSIGNED NOT

➝

NULL AUTO_INCREMENT,

lang_id TINYINT UNSIGNED NOT NULL,

time_zone VARCHAR(30) NOT NULL,

username VARCHAR(30) NOT NULL,

pass CHAR(40) NOT NULL,

email VARCHAR(60) NOT NULL,

PRIMARY KEY (user_id),

UNIQUE (username),

UNIQUE (email),

INDEX login (username, pass)

);

ptg6935296

526 Chapter 17

7. Create the

words

table J:

CREATE TABLE words (

word_id TINYINT UNSIGNED NOT NULL

➝

AUTO_INCREMENT,

lang_id TINYINT UNSIGNED NOT NULL,

title VARCHAR(80) NOT NULL,

intro TINYTEXT NOT NULL,

home VARCHAR(30) NOT NULL,

forum_home VARCHAR(40) NOT NULL,

`language` VARCHAR(40) NOT NULL,

logout VARCHAR(30) NOT NULL,

new_thread VARCHAR(40) NOT NULL,

subject VARCHAR(30) NOT NULL,

body VARCHAR(30) NOT NULL,

submit VARCHAR(30) NOT NULL,

posted_on VARCHAR(30) NOT NULL,

posted_by VARCHAR(30) NOT NULL,

replies VARCHAR(30) NOT NULL,

latest_reply VARCHAR(40) NOT NULL,

post_a_reply VARCHAR(40) NOT NULL,

PRIMARY KEY (word_id),

UNIQUE (lang_id)

);

J Creating the

words

table, which stores

representations of

key words in different

languages.

This table will store different

translations of common elements used

on the site. Some elements—

home

forum_home

language

logout

, and

new_thread

—will be

the names of links. Other elements—

subject

body

submit

—are used on the

page for posting messages. Another

category of elements are those used

on the forum’s main page:

posted_on

posted_by

replies

, and

latest_reply

Some of these will be used multiple

times in the site, and yet, this is still an

incomplete list. As you implement the

site yourself, you’ll see other places

where word definitions could be added.

Each column is of

VARCHAR

type, except

for

intro

, which is a body of text to be

used on the main page. Most of the

columns have a limit of 30, allowing

for characters in other languages that

require more bytes, except for a handful

of columns that might need to be bigger.

For each column, its name implies the

value to be stored in that column. For

one—

language

—I’ve used a MySQL

ptg6935296

Example—Message Board 527

For each, the native and English word

for that language is stored K.

9. Populate the

users

table L:

INSERT INTO users (lang_id,

➝

time_zone, username, pass,

➝

email) VALUES

(1, 'A m er i ca/N e w _Yo r k',

➝

'troutster', SHA1('password'),

➝

'e m ail @ e xa m p l e.c o m'),

(7, 'Eu rope/Berlin', 'Ute',

➝

SHA1('pa24word'),

➝

'e m ail 1@ e xa m pl e.co m'),

(4, 'Eu r o pe/O s l o', 'Si lje',

➝

SHA1('2kll13'),

➝

'e m ail 2@ e xa m pl e.co m'),

(2, 'A m eric a/Sa o _Pa ulo', 'Jo ã o',

➝

SHA1('fJDLN34'),

➝

'e m ail 3@ e xa m p l e.c o m'),

(1, 'Pa c if ic/Auckl a n d', 'k iw i',

➝

SHA1('conchord'),

➝

'kiwi@exam ple.org');

continues on next page

K The populated

languages

table, with each language

written in its own alphabet.

L A few users are

added manually,

as there is no

registration process

in this site (but

see Chapter 18,

“Example—User

Registration,”

for that).

keyword, simply to demonstrate how

that can be done. The fix is to surround

the column’s name in backticks so that

MySQL doesn’t confuse this column’s

name with the keyword “language.”

8. Populate the

languages

table:

INSERT INTO languages (lang,

➝

lang_eng) VALUES

('E n g l ish', 'En g l ish'),

('Po r t u gu ê s', 'P o r t u guese'),

('Fra n ç ais', 'Fr e nch'),

('N o rsk', 'N o r w e g i a n'),

('Ro m ania n', 'Ro m a n i a n'),

(' ', ' G r e e k '),

('D e u tsc h', 'G e r m an'),

('S r p s k i', 'Se r b i a n'),

(' ', 'J a p a n e s e'),

('N e derl a nds', 'Du tch');

This is just a handful of the languages

the site will represent thanks to some

assistance provided me (see the

sidebar “A Note on Translations”).

ptg6935296

528 Chapter 17

Because the PHP scripts will show the

users associated with posts, a couple

of users are necessary. A language and

a time zone are associated with each

(see Chapter 6 for more on time zones

in MySQL). Each user’s password will be

encrypted with the

SHA1( )

function.

10. Populate the

words

table:

INSERT INTO words VALUES

(NULL, 1, 'PHP and MySQL for

➝

Dynamic Web Sites: The Forum!',

➝

'< p > W e l c o m e t o o u r s i t e ....

➝

please use the links above...

➝

blah, blah, blah.</p>\r\n

➝

<p>Welcome to our site....please

➝

use the links above...blah,

➝

blah, blah.</p>', 'Home',

➝

'Foru m Ho m e', 'Lan gua ge',

➝

'Register', 'Login', 'Logout',

➝

'New Thread', 'Subject', 'Body',

➝

'Sub m it', 'Poste d on', 'Posted

➝

by', 'Replies', 'Latest Reply',

➝

'Post a Reply');

These are the words associated with

each term in English. The record has a

lang_id

of 1, which matches the

lang_id

for English in the

languages

table. The

SQL to insert words for other languages

into this table is available from the

book’s supporting Web site.

This chapter doesn’t go through the

steps for creating the

mysqli_connect.

php

page, which connects to the database.

Instead, just copy the one from Chapter

9, “Using PHP with MySQL.” Then change

the parameters in the script to use a valid

username/password/hostname combination

to connect to the forum2 database.

As a reminder, the foreign key in one

table should be of the exact same type and size

as the matching primary key in another table.

A Note on Translations

Several readers around the world were

kind enough to provide me with transla-

tions of key words, names, message

subjects, and message bodies. For their

help, I’d like to extend my sincerest

thanks to (in no particular order): Angelo

(Portuguese); Iris (German); Johan

(Norwegian); Gabi (Romanian); Darko

(Serbian); Emmanuel and Jean-François

(French); Andreas and Simeon (Greek);

Darius (Filipino/Tagalog); Olaf (Dutch);

and Tsutomu (Japanese).

If you know one of these languages, you

may see linguistic mistakes made in this

text or in the corresponding images. If

so, it’s almost certainly my fault, having

miscommunicated the words I needed

translated or improperly entered the

responses into the database. I apologize

in advance for any such mistakes but

hope you’ll focus more on the database,

the code, and the functionality. My

thanks, again, to those who helped!

ptg6935296

Example—Message Board 529

captions, the prompts, and even the menus

need to appear in their language B.

The instructions for making the database

show how this is accomplished: by storing

translations of all key words in a table. The

header file, therefore, needs to pull out

all these key words so that they can be

used as needed. Secondarily, this header

file will also show different links based

upon whether the user is logged in or not.

Adding just one more little twist: if the

user is on the forum page, viewing all the

threads in a language, the user will also be

given the option to post a new thread C.

The template itself uses CSS for some

formatting (there’s not much to it, really).

You can download all these files from

the book’s supporting Web site (

www.

LarryUllman.com

A The basic layout and

appearance of the site.

B The home page

viewed in French

(compare with A).

C The same home page as in A,

but with an added link allowing the

user to start a new thread.

Writing the Templates

This example, like any site containing lots

of pages, will make use of a template to

separate out the bulk of the presentation

from the logic. Following the instructions

laid out in Chapter 3, “Creating Dynamic

Web Sites,” a header file and a footer file

will store most of the HTML code. Each

PHP script will then include these files to

make a complete HTML page A. But this

example is a little more complicated.

One of the goals of this site is to serve

users in many different languages. Accom-

plishing that involves not just letting them

post messages

in their native language but

making sure they can use the

whole site

their native language as well. This means

that the page title, the navigation links, the

ptg6935296

530 Chapter 17

To make the template:

1. Begin a new document in your text

editor or IDE, to be named

header.html

(Script 17.1):

<?php # Script 17.1 - h ea der.ht ml

header ('Content-Type: text/html;

➝

charset=UTF-8');

As this script will need to do a fair

amount of data validation and retrieval,

it starts with a PHP block. The script

also indicates to the Web browser its

encoding—UTF-8, using the

header( )

function. The idea of setting the

encoding via a

header( )

function call

was mentioned in a tip in Chapter 11,

“Web Application Development.”

2. Start a session:

$_SESSIO N['user_ id'] = 1;

$_SESSIO N['user_tz'] = 'Am erica/

➝

New_York';

// $_ S ESSIO N = a r r a y( );

To track users afte r they log in, the site

will use sessions. Since the site doesn’t

have registration and login functionality

in this chapter, two lines can virtually

would come from a database, but they’ll

be set here for testing purposes. To

virtually log the user out, uncomment

the third line.

3. Include the database connection:

require ('../mysqli_connect.php');

As with many other examples in this

book, the assumption is that the

mysqli_

connect.php

script is stored in the

directory above the current one, outside

of the Web root. If that won’t be the case

for you, change this code accordingly.

Script 17.1 The

header.html

file begins the

template. It also sets the page’s encoding, starts

the session, and retrieves the language-specific

key words from the database.

1 <?php # Script 17.1 - header.html

2 /* This script...

3 * - starts the HTML template.

4 * - indicates the encoding using header( ).

5 * - starts the session.

6 * - gets the language-specific words

from the database.

7 * - lists the available languages.

8 */

10 // Indicate the encoding:

11 header ('Content-Ty pe: text/html;

charset=UTF-8');

13 // Start the session:

14 session_start( );

16 // For testing purposes:

17 $_SESSION['user_id'] = 1;

18 $_SESSION['user_tz'] = 'A m e r ic a/ N e w _Yo r k';

19 // For logging out:

20 //$_SESSION = array( );

22 // Need the database connection:

23 require ('../m ysqli_con nect.ph p');

25 // Check for a new language ID...

26 // Then store the language ID in the

session:

27 if ( isset($_GET['lid']) &&

28 filter_var($_GET['lid'], FILTER_

VALIDATE_INT, array('min_range' => 1))

29 ) {

30 $_SESSION['lid'] = $_GET['lid'];

31 } elseif (!iss et($_ SESSIO N['l id'])) {

32 $_SESSION['lid'] = 1; // Default.

33 }

35 // Get the words for this language:

36 $q = "SELECT * FROM words WHERE lang_id

= {$_SESSIO N['lid']}";

37 $r = mysqli_query($dbc, $q);

38 if (mysqli_num_rows($r) = = 0) { //

Invalid language ID!

40 // Use the default language:

41 $_SESSION['lid'] = 1; // Default.

code continues on next page

ptg6935296

Example—Message Board 531

4. Determine the language ID:

if ( isset($_GET['lid']) &&

filter_var($_GET['lid'],

➝

FILTER_VALIDATE_INT,

➝

array('min_range' => 1))

) {

$_SESSIO N['li d'] = $_GET['l id'];

} elseif (!isset($_SESSION['lid'])) {

$_SESSIO N['li d'] = 1; // D efault.

}

Next, the language ID value (abbrevi-

ated

lid

) needs to be established. The

language ID controls what language is

used for all of the site elements, and it

also dictates the forum to be viewed.

The language ID could be found in the

session, after retrieving that informa-

tion upon a successful login (because

the user’s language ID is stored in the

users

table). Alternatively, any user can

change the displayed language on the

fly by submitting the language form

in the navigation links (see A). In that

case, the submitted language ID needs

to be validated as an integer greater

than 1: easily accomplished using the

Filter extension (see Chapter 13, “Secu-

rity Approaches”). If you’re not using a

version of PHP that supports the Filter

extension, you’ll need to use typecast-

ing here instead (again, see Chapter 13).

The second clause applies if the

page did not receive a language ID

in the URL and the language ID has

not already been established in the

session. In that case, a default language

is selected. This value corresponds to

English in the

languages

table in the

database. You can change it to any

ID that matches the default language

you’d like to use.

continues on next page

code continues on next page

Script 17.1 continued

42 $q = "SELECT * FROM words WHERE

lang_id = {$_SESSION['lid']}";

43 $r = mysqli_query($dbc, $q);

45 }

47 // Fetch the results into a variable:

48 $words = mysqli_fetch_array($r,

MYSQLI_ASSOC);

50 // Free the results:

51 mysqli_free_result($r);

52 ?>

53 <!DOCT YPE html PUBLIC "-//W3C//DTD XHTML

1.0 Transitional//EN"

54 "http://www.w3.org/TR/xhtml1/DTD/

xhtml1-transitional.dtd">

55 <html xmlns="http://www.w3.org/1999/xhtml"

xml:lang="en" lang="en">

56 <head>

57 <meta http-equiv="content-type"

content="text/html; charset=utf-8" />

58 <title><?php echo $words['title']; ?>

</title>

59 <style type="text/css" media="screen">

60 body { background-color: #ffffff; }

62 .content {

63 background-color: #f5f5f5;

64 padding-top: 10px; padding-right:

10px; padding-bottom: 10px;

padding-left: 10px;

65 margin-top: 10px; margin-right:

10px; margin-bottom: 10px;

margin-left: 10px;

66 }

68 a.navlink:link { color: #003366;

text-decoration: none; }

69 a.navlink:visited { color: #003366;

text-decoration: none; }

70 a.navlink:hover { color: #cccccc;

text-decoration: none; }

72 .title {

73 font-size: 24px; font-weight:

normal; color: #ffffff;

74 margin-top: 5px; margin-bottom:

5px; margin-left: 20px;

ptg6935296

532 Chapter 17

5. Get the keywords for this language:

$q = "SELECT * FROM words WHERE

➝

lang_id = {$_SESSION['lid']}";

$r = mysqli_query($dbc, $q);

The next step in the header file is to

retrieve from the database all of the

key words for the given language.

6. If the query returned no records, get the

default words:

if (mysqli_num_rows($r) = = 0) {

$_SESSIO N['li d'] = 1;

$q = "SELECT * FROM words WHERE

➝

lang_id = {$_SESSION['lid']}";

$r = mysqli_query($dbc, $q);

}

It’s possible, albeit unlikely, that

$_SESSIO N['li d']

does not equate to

a record from the

words

table. In that

case the query would return no records

(but run without error). Consequently,

the default language words must

now be retrieved. Notice that neither

this block of code, nor that in Step 5,

actually fetches the returned record.

That will happen, for both potential

queries, in Step 7.

7. Fetch the retrieved words into an array,

free the resources, and close the PHP

section:

$words = mysqli_fetch_array($r,

➝

MYSQLI_ASSOC);

mysqli_free_result($r);

After this point, the

$words

array repre-

sents all of the navigation and common

elements in the user’s selected lan-

guage (or the default language).

Calling

mysqli_free_result( )

isn’t necessary, but makes for tidy

programming. code continues on next page

Script 17.1 continued

75 padding-top: 5px; padding-bottom:

5px; padding-left: 20px;

76 }

77 </style>

78 </head>

79 <body>

81 <table width="90%" border="0"

cellspacing="10" cellpadding="0"

align="center">

83 <tr>

84 <td colspan="2" bgcolor="#003366"

align="center"><p class="title"><?php

echo $words['title']; ?></p></td>

85 </tr>

87 <tr>

88 <td valign="top" nowrap="nowrap"

width="10%"><b>

89 <?php // Display links:

91 // Default links:

92 echo '< a href="index.php"

class="navlink">' . $words['home'] .

'< /a > < b r />

93 <a href="forum.php" class="navlink">' .

$words['forum_home'] . '< /a > < b r />';

95 // Display links based upon login status:

96 if (isset($_SESSION['user_id'])) {

98 // If this is the forum page, add a

link for posting new threads:

99 if (basename($_SERVER['PHP_SELF']) = =

'foru m.php') {

100 echo '< a href="post.php"

class="navlink">' . $words['new_

thread'] . '< / a > < b r />';

101 }

102

103 // Add the logout link:

104 echo '< a href="logout.php"

class="navlink">' . $words['logout'] .

'< /a > < b r />';

105

106 } else {

107

ptg6935296

Example—Message Board 533

8. Start the HTML page:

<!DOCTYPE ht ml PUBLIC "-//W3C//DTD

➝

XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/

➝

xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/

➝

1999/xhtml" xml:lang="en"

➝

lang="en">

<head>

➝

content="text/html;

➝

charset=utf-8" />

<title><?php echo

$words['title']; ?></title>

Note that the encoding is also indicated

in a

Directory

directive is used within

httpd.conf

to modify Apache’s behavior

within a specific directory. In the above

code, the root directory (

) is the target,

meaning that Apache will not allow

overrides—changes—made within any

directories on the computer at all. Prior to

creating

.htaccess

files, then, the main

configuration file must be set to allow

overrides in the applicable Web directory

(or directories).

The

AllowOverride

directive takes one or

more flags indicating what, specifically, can

be overridden:

n AuthConfig

, for using authorization and

authentication

n FileInfo

, for performing redirects and

URL rewriting

n Indexes

, for listing directory contents

n Limit

, for restricting access to the

Directory

tags, add H:

AllowOverride All

This is a heavy-handed solution, but

will do the trick. On a live, publicly

available server, you’d want to be more

specific about what exact settings

can be overridden, but on your home

computer, this won’t be a problem.

4. Save the configuration file.

5. Restart Apache.

The

Directory

directive does not have

to go within the

VirtualHost

tag for the

involved site, but it makes sense to place it

there.

If a directory is not allowed to over-

ride a setting, the

.htaccess

file will just

be ignored.

Anything accomplished within an

.htaccess

file can also be achieved using

Directory

tag within

httpd.conf

H The updated virtual hosts configuration,

now allowing for overrides within the forums

Web directory.

For example, to allow

AuthConfig

and

FileInfo

to be overridden within the forums

directory (just created), the

httpd.conf

file

should include:

AllowOverride AuthConfig FileInfo

</Directory>

As long as this code comes after any

AllowOverride None

block, an

.htaccess

file in the

forums

directory will be able to

make some changes to Apache’s behavior

when serving files from that directory (and

its subdirectories).

To allow .htaccess overrides :

1. Open

httpd.conf

in any text editor

or IDE.

2. Within the

VirtualHost

tag for the site

in question, add:

</Directory>

The

Directory

tag is how you

customize Apache behavior within a

specific directory or its subdirectories.

Within the opening tag, provide an

ptg6935296

A26 Appendix A

Protected Directories

A common use of an

.htaccess

file is to

protect the contents of a directory. There

are two possible scenarios:

Denying all access

Restricting access to authorized users

Strange as it may initially sound, there

are plenty of situations in which files and

folders placed in the Web directory should

be made unavailable. For example, you

could create an

includes

directory that

has sensitive PHP scripts or an

uploads

directory for storing uploaded files. In both

cases, the contents of the directory would

not be meant for direct access, but rather

PHP scripts in other directories would

reference that content as needed. To deny

all access to a directory, place the code in

Script A.3 in an

.htaccess

file in that folder

(comments indicate what each line does).

Again, this code just prevents direct

access to that directory’s contents via a

Web browser. A PHP script could still use

include( )

require( )

readfile( )

, and

PHP And MySQL For Dynamic Web Sites GFX PHP.and.My SQL.for.Dynamic.Web.Sites.Visual.Quick Pro.Guide.4th.Edition

00c%20GFX-PHP.and.MySQL.for.Dynamic.Web.Sites.Visual.QuickPro.Guide.4th.Edition

PHP.and.MySQL-libro-biblioteca.for.Dynamic.Web.Sites.Visual.QuickPro.Guide.4th.Edition

Navigation menu

Versions of this User Manual:

Views

Navigation