Hi,
I am reading Kevin Yank’s book ‘PHP and MySQL Novice to Ninja’, a fantastic book for a non-ninja like me.
I am writing a simple form to populate a database, and I use the CMS glFusion. The book uses the PHP extension PDO, but glFusion uses its own wrapper; for example, a query would be DB_query().
In the book p.124 they talk about prepared statements, where ‘prepare’ is a method of PDO.
$s = $pdo->prepare($sql);
Is the prepare method created somewhere in PDO?
How could I write this to use the DB_ wrapper?
Thanks,
Shane
I just looked through the source, and first of all the CMS doesn’t use PDO, but either mysql or mysqli, and second of all it doesn’t use prepared statements, but simply fires queries.
public function dbQuery($sql, $ignore_errors=0)
{
    if ($this->_verbose) {
        $this->_errorlog("DEBUG: mysqli - inside database->dbQuery");
        $this->_errorlog("DEBUG: mysqli - SQL query is " . $sql);
    }
    // Run query
    if ($ignore_errors == 1) {
        $result = @$this->_db->query($sql);
    } else {
        $result = @$this->_db->query($sql) OR trigger_error($this->dbError($sql), E_USER_ERROR);
    }
    // If OK, return otherwise echo error
    if ($this->_db->errno == 0 AND ($result !== FALSE)) {
        if ($this->_verbose) {
            $this->_errorlog("DEBUG: mysqli - SQL query ran without error");
            $this->_errorlog("DEBUG: mysqli - Leaving database->dbQuery");
        }
        return $result;
    } else {
        // callee may want to suppress printing of errors
        if ($ignore_errors == 1) {
            return FALSE;
        }
        if ($this->_verbose) {
            $this->_errorlog("DEBUG: mysqli - SQL caused an error");
            $this->_errorlog("DEBUG: mysqli - Leaving database->dbQuery");
        }
    }
}
(/private/system/databases/mysqli.class.php, lines 215 and onward)
It may be a nice exercise for you to write a PDO adapter for that CMS.
Hi,
Thank you both for the reply.
I will take the suggestion to write a PDO adapter to be a joke, as in the range of novice to ninja I am definitely at the novice end.
I am considering not using the CMS and starting from scratch and just following the book in its entirety. But it will mean having to create login forms and handle users and CSS and all that which the CMS did. Although the site will have no logged-in users, just a form to populate, edit and delete rows from the database. Then pages available to all which will pull data from the database in specific user-defined ways and create a PDF.
Thanks,
Shane
Honestly, if your goal is to learn, then absolutely do this yourself from scratch. Not only will you learn how to build CRUD (create, read, update, delete) queries for yourself, but in the process, you will also get to learn about PHP’s session handling, how it processes forms, and more fun stuff.
And if you do it from scratch, my suggestion is to not follow documentation on a CMS; that will probably do more to confuse you than anything else (as is already evident). When you’re in the learning stages, you don’t want or need the confusion of some API muddling up what is going on…learn straight SQL first, then with a crash course in OOP, you’ll be able to follow along much more clearly on what glFusion is doing.
arout77,
I think you are absolutely right.
Thanks for giving me the push in this direction.
I think the benefits are that I will be able to get help easier and will properly learn how to do things.
The disadvantage is mainly that I will have to do everything myself, i.e. also write a section for people to login and the site won’t look as good.
I am committed now… it’s all or nothing!
Thanks,
Shane
Don’t worry about the design of the website – there are plenty of free templates you can download.
A couple pointers to get you started:
There are plenty of good tutorials available; here is the PHP documentation on it: http://php.net/manual/en/book.pdo.php
I’d start there, and then simply google any questions that you may come across that the manual does not answer clearly enough.
Make sure that you get prepared statements and named parameters absolutely drilled into your head, to the point it is second nature. Those are your defenses against SQL injection. They are very simple, here is an example of what your login script may look like:
// The username and password that was submitted by the login form
$username = $_POST['username'];
$password = $_POST['password'];
// Assume that $db variable is the PDO connection you created somewhere
$query = " SELECT username, password FROM users_table WHERE username = ? AND password = ? ";
$results = $db->prepare( $query );
$results->execute( array( $username, $password ) );
Note that for clarity, the above example assumes that you are storing passwords in the database unencrypted…which is something you would never, ever do. If you are using PHP 5.5 or newer, you should be using PHP’s password_hash() function. http://php.net/manual/en/function.password-hash.php
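Putting the two pointers above together, here is an added example (not code from the thread or from glFusion) of a login check that binds the username with a named parameter and verifies the password against a stored password_hash() value. It uses an in-memory SQLite database so it runs stand-alone; the table name users_table is taken from the snippet above, everything else is assumed.

```php
<?php
// Added example: PDO prepared statements with named parameters + password_hash().
// SQLite in memory keeps it self-contained; for MySQL only the DSN/credentials change.

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of silently returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users_table (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $db;
}

// Register a user: only the password_hash() output is stored, never the plaintext.
function register(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users_table (username, password) VALUES (:username, :hash)');
    $stmt->execute([
        ':username' => $username,
        ':hash'     => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Log in: the query looks up the stored hash by username only. The username is bound
// as a parameter (never concatenated into the SQL), and the password comparison is
// done in PHP by password_verify(), so the hash never appears in a query string.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users_table WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user: same result as a wrong password
    }
    return password_verify($password, $row['password']);
}

// Constructed sample data, not real credentials.
$db = connect();
register($db, 'shane', 'correct horse battery staple');
register($db, "o'brien", 'another passphrase');

var_dump(login($db, 'shane', 'correct horse battery staple'));
var_dump(login($db, 'shane', 'wrong password'));
// A username containing a quote is plain data to a bound parameter, not SQL syntax.
var_dump(login($db, "o'brien", 'another passphrase'));
```

Run it with `php login_example.php`; the first and third checks succeed and the second fails, and no input value ever becomes part of the SQL text.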
Hi,
That’s great info to get me started, just what I need.
I am a third of the way through Novice to Ninja book already today. So I am going to complete that.
Thanks for the link on encrypting passwords in the database.
I am quite excited about this at the moment.
Thanks for getting me started,
Shane