Except where otherwise noted, the contents of this presentation are © Copyright 2008 Marty Stepp, Jessica Miller, and Kevin Wallace, and are licensed under the Creative Commons Attribution 2.5 License.
mysql_connect("server", "username", "password")
FALSE
on failure
mysql_select_db("database")
FALSE
if not found
mysql_query("query")
FALSE
if query fails
mysql_fetch_array(results)
FALSE
when no more rows remain
mysql_error()
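# connect to world database on local computer
# (credentials are hard-coded for the example; a deployed page would load them from config outside the web root)
$db = mysql_connect("localhost", "traveler", "packmybags");
mysql_select_db("world");

# execute a SQL query on the database
$results = mysql_query("SELECT * FROM Countries WHERE population > 100000000;");

# loop through each country
# mysql_query returns FALSE on failure, and mysql_fetch_array cannot iterate FALSE,
# so only loop when we actually got a result set
if ($results) {
    while ($row = mysql_fetch_array($results)) {
        # values read back from the database are escaped before being printed, so stored
        # markup in a name cannot be injected into this page
        ?>
        <li><?= htmlspecialchars($row["name"], ENT_QUOTES) ?>, ruled by <?= htmlspecialchars($row["head_of_state"], ENT_QUOTES) ?></li>
        <?php
    }
}
?>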
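# connect to world database on local computer
$db = mysql_connect("localhost", "traveler", "packmybags");
check_result($db);
check_result(mysql_select_db("world"));

# execute a SQL query on the database
$results = mysql_query("SELECT * FROM Countries WHERE population > 100000000;");
check_result($results);

# loop through each country
while ($row = mysql_fetch_array($results)) {
    # values read back from the database are escaped before being printed, so stored
    # markup in a name cannot be injected into this page
    ?>
    <li><?= htmlspecialchars($row["name"], ENT_QUOTES) ?>, ruled by <?= htmlspecialchars($row["head_of_state"], ENT_QUOTES) ?></li>
    <?php
}

# stops the page if any MySQL error occurred
# $value: the return value of a mysql_* call, which is FALSE on failure
# the detailed mysql_error() text is written to the server log only; the browser gets a
# generic message so database internals (table names, SQL fragments) are not shown to users
function check_result($value) {
    if (!$value) {
        error_log("SQL error occurred: " . mysql_error());
        die("A database error occurred.");
    }
}
?>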
|
|
|||||||||||||||||||||||||||||||||||
|
|
Write the code to allow a student to look up their grades in the 'simpsons' database, by first entering a name and password.
If the user fails to specify a correct name/password combo, display an error message.
a flaw where a user is able to inject arbitrary HTML content into your page
results.php?name=<blink>lololol</blink>
onlinebanking.php?text=<script>transferMoneyTo("Evil Kevin", 1000, "USD");</script>
htmlspecialchars
function escapes the HTML special characters (such as &lt;, &gt;, &amp; and quotes) in a string:
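# escape the request value before it is echoed into the page; ENT_QUOTES also converts
# single quotes, so the result is safe inside quoted HTML attributes as well as text
$username = htmlspecialchars($_REQUEST["username"], ENT_QUOTES);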
a flaw where the user is able to inject arbitrary SQL commands into your query
$query = "SELECT name, ssn, dob FROM users
WHERE username = '$username' AND password = '$password'";
$query = "SELECT name, ssn, dob FROM users
WHERE username = '$username' AND password = '' OR '1'='1'";
mysql_real_escape_string
function
# escape both request values so quote characters cannot terminate the SQL string literal
# (mysql_real_escape_string needs an open connection to know the connection's character set)
$username = mysql_real_escape_string($_REQUEST["username"]);
$password = mysql_real_escape_string($_REQUEST["password"]);

# build the query from the escaped values; the submitted password is compared directly
# against the stored column as written here
$query = sprintf(
    "SELECT name, ssn, dob FROM users WHERE username = '%s' AND password = '%s'",
    $username,
    $password
);