Posts Tagged ‘PHP’

Picking the first language to learn for novice programmers can be a daunting task. For many, they simply have no clear where to start, and don’t know any of the merits and drawbacks of the various choices they have. Even among experienced programmers, the debate on what new programmers should start with is long and has many different sides. In this article I will give my side.

My Perspective

Before I talk about which language people should start trying to learn first, I will discuss where I am coming from when I make that choice. The first language someone learns in my opinion should be fairly easy to develop with, and be able to give the programmer results fairly quickly. The main problem I generally see with fledgling programmers just starting out is that they get very frustrated with error messages, and in general struggle to connect the concepts they are working with to an actual useful program. I keep these things in mind when making my choice.

 

My Opinion

For new programmers, I highly recommend starting with a web development related language, namely Javascript or PHP, PHP being the first recommendation. The reason I say this is simple. PHP is a very easy language to program in. As a scripting language,  development goes much faster (no having to recompile upon changing a single line of code), and the language itself is much more forgiving. A new user doesn’t have to memorize many different syntactical rules, so all they have to focus on is understanding the concepts, and getting practice with solving problems. Also, PHP (and to an extent, Javascript) comes right out of the box with many various helper functions and algorithms that in other languages you need to either import a library, or write the function yourself. This allows novice programmers to solve problems much faster and easier. However, this comes with a drawback. A programmer who gets used to PHP having a lot of functionality built in that other languages don’t have by default may make it difficult for the programmer to migrate to different languages/platforms. On the other hand, while the programmer may become too reliant on these built in functions, they do know to some extent how to solve a similar problem with another language. The new problem becomes finding out how the other language implements the functionality used in the built in PHP function, or how to write it themselves.

The second reason I suggest PHP (or Javascript), and web development in general is because it makes using the various concepts they’ve learned in practice more rewarding. It is much easier to make an interactive GUI with PHP combined with HTML/CSS than with a programming language like C++, Java, or even Python. Because of this, its much easier to make a “cool” application even with only basic skills. Making a website where you can log in and see a welcome screen is extremely easy with PHP and HTML, but would be much more difficult for a novice in, say, C++ or Java.

 

Drawbacks

While learning PHP (or web development in general) first is not a bad idea, there are some drawbacks. One thing, which I mentioned earlier in this post, was that many novice users who use PHP may become dependent on the built in functions that aren’t available in other languages without either importing a library, or writing the code yourself. This can make transitioning to a more difficult language even harder. This type of problem isn’t unique to PHP either, but common to people who start with most scripting languages, and than transition to a more difficult, stricter language. For example, in my school, the introductory programming class used Python, while the next class (Object Oriented Programming) is taught using C++. Many of the students who go from the first class to the second struggle early in the class with the unavailability of certain functionality that they got so used to using in Python.

Another issue is bad habits that are easy to form with scripting languages. Since most scripting languages have no explicit typing, the concept of a variable with a type can be difficult to understand, especially if you have been programming for a good amount of time.

In general, since scripting languages or usually much easier than stricter programming languages, novice programmers are able to progress faster and without much frustration, but they can pick up bad habits, like the expectation of the language to provide certain functionality, or the expectation of the program to handle many things in the background that you have to set up yourself in stricter languages. The example that one may come to think of first is garbage collection, which is available in most scripting languages, and even some strict programming languages (most notable being Java), but not in, say, C++. Scripting languages also hide many of the core functionality that is inherent in the language from the user. This can create programmers who know how to do something a certain way, but have no idea of the concept behind what allows them to accomplish whatever goal they have. This makes it much harder for these programmers to solve more complex problems that require knowledge of how programs and the underlying code actually works. For example, a novice may figure out how to stop a certain PHP notice from occurring by using the notice suppression operator (the @ operator), but may have no clue why that operator actually fixes (well it doesn’t actually fix the error, but rather stops it from being reported) the error.

However, these problems can be resolved by going from learning an easy scripting language to learning a more difficult, stricter programming language like C++ (in fact, I highly recommend starting with PHP/Javascript and even MySQL if you are adventurous, and then learning C++ in depth). This way, the programmer gets the benefits of learning a very strict language like C++, where you essentially have full control over your program and therefore have to know not only how to solve problems, but why certain code and concepts solve the problem. Also, the programmer won’t be nearly as frustrated since they already have a language under their belt. The learning curve of C++ is high enough, but some of that difficulty can be mitigated if you already have practice with most or all of the basic programming concepts.

 

In short, for anyone who wishes to learn how to program and make applications, I suggest starting with web design, namely PHP (but Javascript, ASP, or any other web based language would work) because development is faster and easier for a novice programmer, and seeing the results of your knowledge and making cool, useful applications is much easier, especially if you want to incorporate some sort of GUI elements.

As a side note, since not everyone is interested in web design, or has the means to purchase a server (although you can always download software like LAMP, or WAMP to turn your computer into a local web server), other scripting languages will work as well. If you are going to go this route, I suggest Python personally.

 

If you have any questions or comments, or disagree with what I say, leave a comment below! I would love to have a discussion with someone who has a differing opinion from mine.

Out of boredom I decided to create a very simple wrapper class for mysql database management. This class, as I mentioned, is extremely simple. However, for those wishing to learn more about Object Oriented programming, and how to implement a class that is useful, this is a good place to start. Anyone wishing to learn more about OOP could take this basic class, and make it into something that is much more useful.

Note: This class is untested. I haven’t actually ran the code, but I reviwed it to make sure any simple syntax/conceptual errors were removed.

If there is a syntax error or anything you see, leave a comment below so I can fix it!

Functionality

The class has very limited functionality. It basically provides normal mysql functionality (like querying, fetching rows, and fetching all the rows of a result set) and has a built in sanitizing function.

Improvements

This class is by no means complete or even useful. However, there are many improvements that someone could add to this that would not only make this class fairly useful, but is also great practice. Some obvious improvements could be as follows:

  • function to build and execute a query based on function parameters (like table, what to select, and where/order by statements(s)
  • an insert function that builds and executes a query based on parameters (table to insert, array of columns, and an array of corresponding values
  • stronger validation/sanitization

There are many many more things you could add to this class. A little competition for the readers: Submit your version of the class below with added features. The best/coolest class will get a free page with links/advertisement to their website (or a website of their choice)


<?php
class DB_manager {
 private $database;//database you wish to connect to
 private $username;//mysql username
 private $password;//myysql password
 private $server;//mysql server to connect to
 private $link;//variable to hold mysql connection link
 private $currentResult = false;

 private $query;

 //simple error reporting function.
 private function reportError($error){
 echo $error;
 }

 //constructor
 public function __construct($username, $password, $server="localhost"){
 $this->server = $server;
 $this->username = $username;
 $this->password = $password;
 }

 //connect
 public function connect($database){
 $this->link=mysql_connect($this->server,$this->user,$this->pass);
 //make sure we connected correctly
 if (!$this->link) {//open failed
 $this->reportError("Could not connect to server: <b>$this->server</b>.");
 }
 $this->database = $database
 if(!@mysql_select_db($this->database, $this->link)) {//no database
 $this->reportError("Could not open database: <b>$this->database</b>.");
 }
 }

 //run query q
 public function query($q){
 $this->query = $this->string_escape($q);
 $this->currentResult = mysql_query($q);
 if (!$this->currentResult){
 $this->reportError("There was an error with your query: " . mysql_error();
 $this->currentResult = false;
 return false;
 }
 return $this->currentResult;
 }
 //returns row from the result a query returned
 public function fetch_row($assoc = true){
 if (!$this->currentResult){
 $this->reportError("There is no valid result set to return data from.");
 return false;
 }

 if ($assoc)
 return mysql_fetch_assoc($this->currentResult);
 else
 return mysql_fetch_array($this->currentResult);

 }

 public function string_escape($s){
 return mysql_real_escape_string($s);
 }

 public function fetch_all($assoc = true){
 if (!$this->currentResult)
 $this->reportError("There is no valid result set to return data from.");
 return false;
 }

 $array = [];
 if ($assoc)
 while ($row = mysql_fetch_assoc($this->currentResult)){
 $array[] = $row;
 }
 }
 else {
 while ($row = mysql_fetch_array($this->currentResult)){
 $array[] = $row;
 }
 }

 return $array;
 }
}

//usage
$db = new DB_Manager('username', 'password', 'server (usually localhost');
$db->connect("databse_name");

$db->query("SELECT * FROM sometable");

$rows = $db->fetch_all();

foreach($rows as $r){
 print_r($r);
}

&nbsp;

&nbsp;

?>

If you have any questions, leave a comment!

Functions in PHP are an integral part of any PHP coder’s programming career, whether you are developing complex social applications, or are creating simple scripts for use in a basic website. However, as I have noticed in my experience as a tutor and contributor to PHP help forums, many people have some bad habits with functions. Especially new programmers, who see functions as a way to just place code they would normally copy paste, without any notion or portability or re usability. For this tutorial, you should have a basic understanding of functions, including the syntax for creating/defining one, and calling one. Before I go over best/worst practices in terms of functions, lets go over how functions work in PHP

 

Function Basics

Functions are a very basic programming concept that many people learn within a few weeks of first learning to code. In PHP, functions have the following basic structure


function function_name(argument list){
function body

return statement (if applicable)
}

//function call
function_name(passed in arguments);

Very simple right? Lets break it down

function function_name(argument list){

The first part of this line is the function keyword. This tells PHP that you are about to define a function. The function_name is the name of your function. Like a variable name, you refer to this name when calling the function. Calling a function means to invoke its code. The argument list is an optional list of variables that you give values to when you call the function. When a function needs information that is outside of its scope, then it is best to pass this information via the argument list.

function body

return statement (if applicable)

The function body is the meat of your function. It is the code that is run every time you call the function. This is probably the most important part of any function. The return statement is an optional statement that will return information back to the line that called the function. The return statement is extremely useful, and an integral part of any functions in any programming language. Some times, you may not want or need to return anything however. An example function that would return something is, say, a function that calculates the square root of a number. An example function that may not return anything would be, say, a function that outputs (IE echo or print) some HTML that goes on a web page.


function_name(passed in arguments);

This is the function call. Here is where you actually invoke the code in a function, and pass it any relevant information via the argument list. If your function returns a value, you can set a variable equal to the function call, and the value returned from the function will be assigned to the variable. Lets take a simple example shall we!


//function definition
function square($number){
$product = $number * $number;
return $product;
}

//function call
$five = 5;
$five_squared = square($five);

Here we see an example of a function with an argument list and a return statement. Our code simply accepts a number, and returns what its square is. In our case, the variable $five_squared will contain the value of 25 (which is the value that our function returned). Lets look at another example.

function showHTML(){
echo "<h2>Welcome to my Website!</h2>";
}

showHTML();

 

 

Here we have a function without a return statement or an argument list. This function simply shows some HTML. Functions of this type are used primarily for outputting some kind of content. Of course, the return statement and the argument list are not dependent on one another, so you can mix and match functions having an argument list and having a return statement to fit your needs.

 

Scope

In a normal PHP script, variables have a script wide scope, meaning that when you define a varible, any line after that variable definition (as long as its not part of a function or class) can access and use that variable. However, functions are discreet, stand-alone entities. Variables available inside the script are not available in a function, and variables that are part of a function (including the variables in an argument list) are not available outside of the function. To illustrate this, consider the following example

$somevar = "some value";
function test($var1, $var2){
echo $somevar;//this will fail. $somevar is not in the functions scope, and thus is not available
echo $var1 . $var2;//this is correct. $var1 and $var2 are part of the functions argument list, and thus are available in the function
$somevar = "Another value";
echo $somevar;//now this will work, as $somevar is now defined inside the functions scope. However, it will echo "Another value" rather than "some value"
//because the function uses the variable from its scope.

}//end function

echo $var1 . $var2;//this will fail, as $var1 and $var2 are part of the functions scope, not the rest of the script;
echo $somevar;//this will echo "some value".

test(4,5);//outputs the following
/*************
a PHP notice will be issued for trying to use $somevar when its not defined in the functions scope
45
Another value
*************/

 

Although the above seems like it would prevent you from accessing variables inside a function that are defined outside, there is actually a way around the scope problem. There is a keyword global in PHP that lets you essentially import a variable defined outside the scope of a function to a function. To illustrate


$var = "Hello World"

function incorrect(){
echo $var;
}

function correct(){
global $var;
echo $var;
}

incorrect();
correct();


In the above snippet, the first function call (the line: incorrect();) will fail because $var is not in the scope of the function incorrect(). However, in the function correct(), we use the global keyword, which puts the variable $var from the outside script into the function. The resulting output would be: “Hello World” (excluding the notice that would be issued from the first function.)

 

Global can be nifty, but for new programmers can become a crutch. Most experienced programmers will never use the global keyword (unless they are being lazy, or providing a quick fix that they will revisit later), as it kind of defeats the purpose of a function. A function should be a completely standalone piece of code. If you use the global keyword, you are making your function dependent on the environment it is called in. This results in your function only being usable in a very specific script, and forces a programmer to change or code pages that use this function in a specific way. This makes the function much less portable, and makes reusing the function very difficult. Usually adding the global keyword to give a function a variable that would normally be out of scope is done as a quick fix for a badly written function.

When creating a function, a programmer must always plan it out. You must first determine what information a function needs, and what information it will return. In almost every case where a programmer uses the global keyword, they could have easily passed the relevant variables value into the argument list. Lets take the example function correct() above, and rewrite it.


function correct($var){
echo $var;
}

As we see, this was a very simple change (and actually results in a smaller function!). This also makes it so that our function is much more portable and reusable. For example, with the old function (the one that uses global) if we wanted to call the correct() function more than once, and echo different things each time, before each call we would have to change the value of $var. This could result in very messy code, especially if $var (or whatever the global‘ed variable is named) is an important variable in the script. Tracking a bug with a variable that is changed so much just because it is used in a function can become tedious and frustrating. However, with our new version of correct, you simply have to change the value of the parameter in the call. Lets take a look at some code to illustrate what I mean:

function correct1($var){
echo $var;
}

function correct2(){
global $var;
echo $var;
}

//output 3 different things with correct1
correct1('Hello');
correct1("I'm outputting stuff");
correct1('weeeee');

//now output 3 different things with correct2
$var = "hello";
correct2();
$var = "I'm outputting stuff";
correct2();
$var = "weeeee";
correct2();

As you can see, the code using the first function looks much nicer, and is much clearer. For someone reading just the code that outputs the information, it is much clearer what is happening when using the first function.

 

To Return, or To Not Return

Another common place I see new programmers forming bad habits is the return statements. As a general rule of thumb, when creating functions you should always think about returning something. Of course sometimes a function just doesn’t need to return anything, but more often than not, I will see a function that by all accounts should return a value, but instead output the value you want instead. Lets take an example


function showHeader(){
echo "<h2>Some text thats part of the Header</h2>";
}

This function seems ok at first (and for all intents and purposes it is, you can apply the following concept to any function of this form). It simply outputs a Header that a programmer may want to show on multiple pages. However, what if we wanted to, say, change the header size from header 2 to header 3? Of course we could create a new function, but if instead of simply echoing the HTML we want to output, we return the string to output, we can manipulate the string. So for example

function showHeader1(){
echo "<h2>Some text thats part of the Header</h2>";
 }
function showHeader2(){
return "<h2>Some text thats part of the Header</h2>";
 }

showHeader1();//we can only output the hardcoded info that is in the function.
//however with out other function we can output like the first
echo showHeader2();
//but we can also manipulate the value if we want to
echo str_replace("h2", "h3", showHeader2());//change it from h2 to h3

This example may seem somewhat arbitrary and unnecessary, so lets take an example more relevant to fledgling developers.

 

Say we have a system where we output users comments. Assume we have a function called getComment($id) which returns the comment of a specific user (who has a User ID of $id). Of course you must assume we have the correct database structure. Now assume we have another function called showComment($id) which outputs the comment from the specific user. Now, when simply outputting the comment, both would preform the same. However, what if we wanted to only show the first 500 characters? Or if we wanted to convert all the HTML characters in the comment into the html entities via the htmlentities function. With the showComment function, we would have to change the function itself to achieve this (which may result in this change breaking another part of your website). However, with getComment, since it returns a string, we can choose to simply output the returned value, or further manipulate it (with substr or htmlentities with the examples given above)

 

Of course, I could talk about proper use of functions for days, but the problems I discussed above are the most common problems I see

In my previous post (which you can reach here: http://blackscorner.me/2011/09/29/strings-and-interpolation-a-love-story-part-1/) I discussed interpolation in PHP.  Apart from professing my love for PHP’s implementation of interpolation (+1 poet points to me!), I showed some examples of its uses, and compared that to the equivalent statements using concatenation. However, besides novice PHP coders, intermediate coders and above usually know about interpolation (whether or not they know it goes by that name). However, many intermediate coders (and some advanced!) don’t know the full capabilities of PHP’s interpolation implementation. The examples I showed in the previous post only show one part of the story! There are actually two different syntax’s for interpolation in PHP, simple (which was shown in the previous example) and complex (which I will discuss in this article).

Lets take a look at an example of simple syntax just to refresh our memory (coders are notoriously forgetful!):

$var = "variable";

echo "I am a $var";

A lot of coders wrongly assume that this is the only form of interpolation available in PHP, and thus conclude that if you want to use, say, an element in an array, or an attribute of an object, you have to use concatenation. When given a scenario in which you want to use an array element in a string, many would write the following:


$arr = array("element1", "element2", "element3");
echo "the value at index 1 is: " . $arr[1];

However, PHP can interpolate the element $arr[1] using simple syntax! The above echo statement is equivalent to the following:

echo "The value at index 1 is: $arr[1]";

The same goes for associative arrays! So the following is also valid:


$assoc = array("key1" => "value1", "key2" => "value2");
echo "The value of the array at the key 'key1' is: $assoc[key1]";

Notice the lack of single quotes around the associative array’s key. As I said earlier, you can also use simple syntax to interpolate an objects attributes (or properties). Obviously the property in question has to be public. The following illustrates what I mean:

class foo {
public $var;
function __construct(){
$var = "World!";
     }
}
$foo = new foo();
//the following statements are equivalent
echo "Hello " . $foo->var;
echo "Hello $foo->var";
Here are some more examples for clarification (taken from the PHP manual)
<?php
$juices = array("apple", "orange", "koolaid1" => "purple");

echo "He drank some $juices[0] juice.".PHP_EOL;
echo "He drank some $juices[1] juice.".PHP_EOL;
echo "He drank some juice made of $juice[0]s.".PHP_EOL; // Won't work
echo "He drank some $juices[koolaid1] juice.".PHP_EOL;

class people {
public $john = "John Smith";
public $jane = "Jane Smith";
public $robert = "Robert Paulsen";

public $smith = "Smith";
}

$people = new people();

echo "$people->john drank some $juices[0] juice.".PHP_EOL;
echo "$people->john then said hello to $people->jane.".PHP_EOL;
echo "$people->john's wife greeted $people->robert.".PHP_EOL;
echo "$people->robert greeted the two $people->smiths."; // Won't work
?>
Awesome right! But thats not all! Not even close. PHP also has complex syntax (which I mentioned above). Despite what you may think, its not called complex syntax because it is in itself complex, but rather because it allows you to interpolate complex expressions. To use complex notation, you must use curly brackets ({ and }) to surround your expression you want interpolated. The PHP manual describes complex notations functionality as follows:
Any scalar variable, array element or object property with a string representation can be included via this syntax. Simply write the expression the same way as it would appear outside the string, and then wrap it in { and }. Since { can not be escaped, this syntax will only be recognized when the $ immediately follows the {. Use {\$ to get a literal {$.
Lets look at an example shall we! This will show improper use of complex syntax, then 2 examples of correct use. I will use a simple variable here.
<?php
$great = 'fantastic';

// Won't work, outputs: This is { fantastic}
echo "This is { $great}";
// Works, outputs: This is fantastic
echo "This is {$great}";
echo "This is ${great}";
?>
Of course you can also use complex notation with object properties and array elements as I did above with simple syntax
<?php
echo "This square is {$square->width} centimeters broad.";
echo "This works: {$arr['key']}";</div>
?>
Notice that I used single quotes in the array element example. Complex syntax is the only place you can use single quoted array keys, as opposed to simple syntax which, as shown above, can’t have the single quotes (if you are curious why this is, leave a comment and ill try to get back to you).  Where complex syntax really shines though, is its ability to interpolate more complex expressions than simple object propertys or array elements. For example, say you are taking advantage of PHP’s variable variables (link will be below). Assume you have a function called getName() which returns the name of the variable you want to access. You can do
<?php
function getName(){ return 'var'; }
//note single quotes and thus lack of interpolation
$var = 'value of $var';

echo "This is the value of the var named by
the return value of getName(): {${getName()}}";
//output: This is the value of the var named by the return value of getName(): value of $var
//of course, if the function is a method of some class, you can also do this:
$object = new Some_Class_With_getName_Method();
echo "This is the value of the var named by the return value of \$object->getName(): {${$object->getName()}}";
?>
Unfortunately, you can’t interpolate just the return value from a function. So the following won’t work:
<?php
// Won't work, outputs: This is the return value of getName(): {getName()}
echo "This is the return value of getName(): {getName()}";
?>
Unfortunately, since PHP depends on the variable sigil ($) to proceed the opening curly bracket to use complex syntax, interpolating functions is impossible. But PHP’s ability to interpolate many things really makes it an amazing language. What is truly unfortunate is that many programmers are unaware of how far PHP’s capabilities go! Most know about simple syntax, but many are unaware of the power of complex syntax.
Here are a bunch more examples (from the PHP manual) of things that will and won’t work with complex syntax so you can get an idea of its use.
<?php
// Show all errors
error_reporting(E_ALL);

$great = 'fantastic';

// Won't work, outputs: This is { fantastic}
echo "This is { $great}";

// Works, outputs: This is fantastic
echo "This is {$great}";
echo "This is ${great}";

// Works
echo "This square is {$square->width}00 centimeters broad.";

// Works, quoted keys only work using the curly brace syntax
echo "This works: {$arr['key']}";

// Works
echo "This works: {$arr[4][3]}";

// This is wrong for the same reason as $foo[bar] is wrong  outside a string.
// In other words, it will still work, but only because PHP first looks for a
// constant named foo; an error of level E_NOTICE (undefined constant) will be
// thrown.
echo "This is wrong: {$arr[foo][3]}";

// Works. When using multi-dimensional arrays, always use braces around arrays
// when inside of strings
echo "This works: {$arr['foo'][3]}";

// Works.
echo "This works: " . $arr['foo'][3];

echo "This works too: {$obj->values[3]->name}";

echo "This is the value of the var named $name: {${$name}}";

echo "This is the value of the var named by the return value of getName(): {${getName()}}";

echo "This is the value of the var named by the return value of \$object->getName(): {${$object->getName()}}";

// Won't work, outputs: This is the return value of getName(): {getName()}
echo "This is the return value of getName(): {getName()}";
?>
<?php
class foo {
var $bar = 'I am bar.';
}

$foo = new foo();
$bar = 'bar';
$baz = array('foo', 'bar', 'baz', 'quux');
echo "{$foo->$bar}\n";
echo "{$foo->$baz[1]}\n";
?>
<?php
 class foo {
 var $bar = 'I am bar.';
 }$foo = new foo();
 $bar = 'bar';
 $baz = array('foo', 'bar', 'baz', 'quux');
 echo "{$foo->$bar}\n";
 echo "{$foo->$baz[1]}\n";
 ?>
<?php
// Show all errors.
error_reporting(E_ALL);

class beers {
const softdrink = 'rootbeer';
public static $ale = 'ipa';
}

$rootbeer = 'A & W';
$ipa = 'Alexander Keith\'s';

// This works; outputs: I'd like an A & W
echo "I'd like an {${beers::softdrink}}\n";

// This works too; outputs: I'd like an Alexander Keith's
echo "I'd like an {${beers::$ale}}\n";
?>
Well I hope you enjoyed reading about string interpolation as much as I enjoyed writing about it. PHP really is an amazing language, and touches like this are what really set it apart from other languages, and is what’s key to PHP’s wide success.
Links of Interest
Part 1:
String Parsing (Go here for a full explanation of the examples I posted, as well as comments and discussion about it):
Simple Syntax:
Variable Variables:

I am a frequent forum goer to the website http://www.phpfreaks.com/ (My username is Mikesta707), and one thing I see a lot from PHP novices is a question like

Hey, I am trying to echo a string, but it doesn’t look right. I’m using a variable and but instead of its value all I see is the php code! my code looks like

$str = "Poop";

echo 'I have to take a $str';

please halp!

Now, anyone who has uses PHP at an intermediate level or higher will tell this hypothetical novice to either use double quotes, or concatenate. The solutions would be as follows


$str = "Poop";

echo "I have to take a $str";//double quotes

echo 'I have to take a ' . $str;//concatenation

And of course, their error will be fixed, and they can go on their merry way, or post about another problem they have. In addition to the above solutions, one could also use heredoc syntax, but that is generally reserved for multi-line strings and can be a little complex for a new programmer. Many forum posters wouldn’t bother even mentioning it.

Anyways, what many posters fail to do in these cases, is explain why what they wrote failed. As a result of this, even people who know to use double quotes or concatenate will often not really know why you have to do that, beyond “uh.. just because man.”  In my experience as a forum poster for phpfreaks, I see a solution that concatenates rather than using double quotes more frequently, and this produces a very interesting effect.

Concatenation is simple enough, and easy to rationalize the use of without wondering why you were wrong. Without knowing about the use of double quotes (or simply not realizing), one may naturally assume, after having the above problem and being told to concatenate, that they can’t put variables inside strings.

This is half correct, as it is true with single quotes, but incorrect in terms of double quotes. This can lead an overall assumption that if you want to create a string that is composed partly of one or more variables, then you must always concatenate. Over the years I have worked with quite a few developers who have been looking over my shoulder while I am writing some code, and told me, “Hey, you gotta concatenate there!” or something along those lines when using double quotes. Usually this will come with the look of quiet satisfaction at having corrected (or thinking they corrected) a fellow coder’s mistake.

Unfortunately, because of this assumption many people miss out on one of my favorite features of PHP called Interpolation,  as well as having a somewhat faulty understanding of how strings work in PHP. For those who don’t know, interpolation is defined by Wikipedia as the following:

The process of evaluating an expression or string literal containing one or more variables, yielding a result in which the variables are replaced with their corresponding values in memory. It is a specialized instance of concatenation.

Now this basically means that when you put a variable inside of a string, PHP does a sort of replace, where the name of the variable (say, $str) is replaced with its value (say, “Poop”). PHP supports interpolation, but only when using double quotes or the heredoc string syntax. To take a simple example:

//The following are all equivalent
$n = "Mike";
echo "Hi i'm $n";//interpolation
echo 'Hi i\'m ' . $n;//concatenation
echo <<<EOT
Hi i'm $n
EOT;//heredoc syntax

As I said earlier, Interpolation is one of my favorite attributes of PHP. Interpolation isn’t supported in many languages (Perl, Tcl, Ruby and most unix shells are the others). PHP uses a sigil, or a symbol attached to a variable to show its a variable (and not a global constant), unlike many languages (including C, C++, C#, java, javascript, etc.) so interpolation is possible. Interpolation really makes creating strings that would be complex or look ugly in other languages easy and clean. Lets compare two strings, one in PHP and one in C++/C#/Java/ect…


//assume we have created 3 variables, $a $b and $c in PHP, and a b and c in C++

//PHP string
$str = "The first 3 letters of the alphabet are $a $b and $c";

//equivalent string in C++/C#/java/etc...
//assume we have the proper header includes
string str = "The first 3 letters of the alphabet are " + a + " " + b + " and " + c;

As you can see, the PHP version is much easier on the eyes, and much nicer to write! Of course, most languages that don’t support interpolation have a specialized form of interpolation in function form using string formatting (for example, printf() from C/Lisp).

To sum things up, I absolutely love interpolation, and think its one of the most amazing features of PHP. Its a very simple feature, but elegant at the same time, and extremely useful. Out of all of PHP’s amazing features, I know that I use this one the most. I love interpolation so much actually, that I plan on writing a part 2 to this post very soon. It will probably be a tad bit shorter, but will have some good information.

Part 2: [Click me]

Links of Interest:

String parsing (Interpolation):
http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing

Single quotes:
http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.single

Double quotes:
http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.double

Heredoc:
http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.heredoc

Interpolation (Wikipedia):
http://en.wikipedia.org/wiki/Variable_(computer_science)#Interpolation

I few weeks ago I wrote a tutorial on how to validate your PHP variables. That is the precursor to this post (You can read it here: http://blackscorner.me/2011/07/28/when-and-how-to-validate-your-php-variables/) in which I explain the basics of validating your PHP variables that you get for use with MySQL (or other SQLs) queries.

In order to get the most out of this tutorial, you will need to be familiar with the following

  • The subjects discussed in the precursor post
  • basic SQL queries
  • using MySQL or other SQLs and PHP together
  • Escape characters (for example how is ‘ different from \’)

Whats The Point?

You may wonder why we need to go through all of this sanitation nonsense in the first place. Well when using SQLs, like MySQL along with user input (Like say storing some information that they gave the website via a form), your site could be vulnerable to what is called a SQL injection. SQL injections, and how they work is a pretty broad topic (one beyond the scope of this post), but they basically consist of a user injecting bad SQL into your query to make it do something you don’t want. Lets take a very basic example:

Lets say that we have a user login system, and the query we use to make sure the login details is correct is:

SELECT * FROM user_table WHERE username=’$username’ AND password=’$password’

Assume that $username and $password are defined earlier in the script. Now if we don’t validate the script, a malicious user can enter something like:

‘ OR 1=1 —

Now, that may seem like a useless string, but now lets look at what our query looks like

SELECT * FROM user_table WHERE username=” OR 1=1 — 

Now the rest after — doesn’t matter because the — operator basically tells SQL to ignore everything after it. It is kind of like commenting out a line of code in PHP. Now what will happen is that 1=1 is always true, so the query will be true, and return a row from your table. The first row specifically in our case with the query above. This would allow a user to access someones account without the proper username and password. If you are unlucky, the admin account (if there is one) may be the first account (since its usually the first account created), and now the malicious user has access to administrative powers. Bad news

So How do we Stop them?

Well, removing all vulnerabilities from your site is almost impossible (as cyber security is an ever changing field) but protecting from SQL injections is pretty straight forward. PHP has a function made just for stopping the kind of attack you see above, but before we start using it on anything and everything we have to be aware of a few things. First, the magic quotes setting for PHP. Nowadays it is usually turned off, and it is recommended that it be turned off. What this setting does is when turned off, it automatically escapes all strings. This is a dangerous action because it is sort of like a 1 size fits all glove for sanitation that has terrible effects depending on the data. You want to sanitize SQL versus HTML vs. bbcode differently. However, if it is on in your system, you can do the following.

if (get_magic_quotes_gpc()==1){
 //its on, lets undo what happened
 //do this for all variables
 $_POST['username'] = stripslashes($_POST['username']);
 $_POST['password'] = stripslashes($_POST['password']);
 //the rest of the post variables you are gonna use.

Now of course it would just be easier to turn this setting off in your php.ini. Consult the manual for details on turning this setting off. The stripslashes() function basically does is remove all the slashes that PHP adds in order to escape the data. PHP adds backslashes before single and double quotes. As you should know, escaping slashes lets you add them to strings that are delimited by them!

 

Now the second thing I need to mention is that we need to consider what type of data we are using. If we are using string data (like usernames, passwords, etc.) then we should escape the string to prevent our basic SQL injection from happening. If it is number data, we should just convert whatever they entered into a number so we don’t have to worry about escaping it. (Entering a string where a number should be in a query will break the script, and may even show an error message that gives the attacker more information about your system. So lets go over each different scenario.

Strings:

For strings, PHP provides a very useful function called mysql_real_escape_string(). It accepts a string as a parameter and and returns the string escaped in such a way to make it safe from basic SQL injections like the one above. So lets give a code example and see what would happen if the attacker tried the simple SQL injection.


//assume we have turned off magic quotes.

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

$query = "SELECT * FROM user_table WHERE username='$username' AND password='$password'";
//rest of login stuff below

Now lets see what our injected query would look like

SELECT * FROM user_table WHERE username=’\’ or 1=1 –‘ AND password=”

Here we see that our escape string function made the ‘ that originally broke our query harmless, and this will not let them login as you would expect. Awesome right!

Numbers

Now  if you are expecting the user to enter in a number into the query, we should whatever they enter into a number. So that even if they enter some malicious text, it will be converted to a harmless number. Now assuming we want an integer number, we can easily do something like


$area_code = intval($_POST['area_code']);

//rest of code

Now, if you need a float number, you can use the floatval function instead of intval()!

 

Now What?

Well, we have sanitized some stuff, but not everthing! What if we are getting some information that we will show on our users profile page (like a description or a bio). In fields like these, the user can enter any HTML they want, and could even enter malicious HTML/Javascript or include malicious HTML/Javascript from another site. This is known as Cross Site Scripting (XSS) and is a very real threat to many websites. Now, the most basic way to stop this is to turn all html into html entities. That way, even if they enter HTML, it becomes harmless. HTML entities are special characters that represent HTML characters that you don’t won’t to be interpreted as HTML. For example, the less than sign (<) This can be used to show a mathematical inequality, but in HTML it denotes the beginning of an HTML tag (like <a for example). When you want to show the less than sign without the browser trying to interpret it as HTML, you use HTML entities.

PHP provides a function that converts all HTML special characters into their respective entities called, you guessed it! htmlentities(). Now lets show an example


$bio = htmlentities($_POST['bio']);

Now if the user enters some HTML, it will instead be harmless html entities.

Now, if we want to remove the HTML outright, there is also a function for that. We can use the strip_tags() function which will remove all tags. We can also specify tags to exclude from removal, which would allow you to allow users to enter links, or text formatting tags, but not other tags. For example


$bio = strip_tags($_POST['bio']);//remove all html tags
//or
$Bio = strip_tags($_POST['bio'], "<p><a>");//allow links and paragraph tags

 

And thats it for basic validation! After reading this and the previous article, you should be able to add some basic security to your website! Now there is much more to the website security field than just this, but following these simple steps should allow you to protect your site against most basic attacks. Here are some links to the functions used

 

mysql_real_escape_string(): http://php.net/manual/en/function.mysql-real-escape-string.php

htmlentities(): http://php.net/manual/en/function.htmlentities.php

intval()/floatval(): http://php.net/manual/en/function.intval.php  http://www.php.net/manual/en/function.floatval.php

string_tags(): http://php.net/manual/en/function.strip-tags.php

 

 

 

In this tutorial I will be giving a basic introduction into PHP’s arrays. I will discuss how PHP implements them, how they differ and are similar to other languages, and basic use and functionality. Before you start learning, you should be familiar with the following

  • Basic PHP syntax
  • Variable use
  • Basic programming concepts (if statements, looping, etc.)

Basics

PHP arrays behave much like Vectors from C++, Lists from C#, Hash tables, associative arrays, etc. the syntax for creating one is very simple. There is a PHP function called array() which will return the array you would like based on what you specify in the argument list. Consider the following

 

$array1 = array();//this will create an empty array.

$array2 = array("item1", "item2", "item3");//this will create a numeric zero based array
echo $array2[1];//Output: item1

//the array function also supports setting up your own kay value pairs.
$array3 = array("key1" => "value1",  "key2", "value2");//this is an example if an associative array
echo $array3['key1'];//Output: value1

Pretty easy right? The key difference between the first 2 arrays and the last array is the keys you use to extract the values in the array. The first two are known as numeric arrays, since they use numeric keys (or in PHP terms, offsets). The last array used string keys, and is known as an associative array. Now you may be wondering when you would want to use one type versus the other. Well obviously this depends entirely on the context of your program, but I will give some examples of when one may be more useful than the other.

Lets say we have an array of all 50 states, and their capitals. Now we could use a numeric array, but then we, as the programmer, would have to remember which position each individual capitol is when we needed to use it. However, with an associative array, we can use the keys as the state name, and the values as the capitol. This makes it much easier to get a specific states capitol because we won’t have to remember or look back to see where, say, Connecticut’s capitol is located in the array. Consider the following

//numeric array
$capitols = array("Hartford", "Albany", ...etc);//this would be a numeric array

echo "The capitol of North Dakota is: " . $capitols[??];// hmm which offset is it? There are so many I don't quite remember and have to look it up in the arrays definition

//or we could do this
$capitols = array("Connecticut" => "Hartford", "New York" => "Albany", ... etc.);//

echo "The capitol of Tennessee is: " . $capitols['Tennessee'];//Now there is no doubt as to where the capitol of Tennessee is located in the array

Adding/Updating our array

Adding things to a PHP array is even simpler than making one. There are a few different ways of doing this. The most basic way is tothe use the square bracker ([]) operator with a new key and some value. Consider the following


$numeric_array = array("value0", "value1");
$numeric_array[2] = "value2";
//we dont actually need to add them in order. The following is valid and will execute
$numeric_array[17] = "value3";

$associative_array = array("key0" => "value0", "key1"=> "value1");
$associative_array['key2'] = "value2";

Easy peasy! Now there is also a third way to add things to an array. The syntax is to use empty square brackets along with the assignment operator. This syntax is mostly used with numeric arrays, because it adds the value to the next available numeric offset. Consider the following

$numeric_array = array("value0", "value1");
$numeric_array[] = "value2";//value2 is set to the value of $numeric_array[2] since 2 is the next available offset.

You can use the above with an associative array, but it would add the value at the key 0 (assuming it is a pure associative array). This is perfectly valid code, but now instead of having an associative array, you have a hybrid array. There isn’t anything inherently wrong with this, and hybrid arrays certainly have their place, but in general it makes the most sense to use this syntax with numeric arrays.

 

Now what?

Well now that we have an array, what can we do with it. Besides the obvious use of arrays, PHP comes with a bunch of different functions and constructs that make using arrays awesome and very worthwhile. You should already know about for loops, but PHP also provides a foreach loop (like what Java or C# has) which can iterate through an array. The syntax is fairly simple. There are two types. The simplest type is as follows:

foreach($array as $value)

What this does is inside the for loops code block, $value takes on each different value in the array as the loop iterates though. So if our array had the values: value1, value2, value3, value4 then $value would contain value1 in the first iteration, then value2 in the second, and so on. The second type is the same and is as follows:

foreach($array as $key => $value)

As I said, this iterates through each value in the array in the order they were added, but also sets $key to each key at that specific value. For numeric arrays, $key would be 0, 1, 2, etc.. in order (assuming you have an ordered numeric array). This type is especially useful with associative arrays since you may not know the exact order of the array, but you need to do a different line of code depending on the key.

Now, I mentioned functions earlier, and you can look at the whole list of array functions that PHP provides here: http://php.net/manual/en/ref.array.php

 

The ones I find myself using the most I will discuss below. Make sure you read the manual entry for each function (Link provided) as there are quite a few code examples and notes about the usage of these functions

count($array): This function returns the size of the array provided in the argument list. Very useful for determining the size of an array that is build dynamically.

sort($array): This sorts an array from lowest to highest. If you have string values, they are sorted lexicograhically by default, but provides certain flags as an optional parameter which allows you to specifiy how it should sort the array (numerically, strings, etc.).

shuffle($array): This function randomizes the order of the array provided in the argument list. This function is very useful when you want to print or otherwise use the array you created in a random order.

in_array($needle, $haystack): This function looks through the array ($haystack) and returns whether or not the value specified ($needle) in inside of the array. This function is extremely useful, and I find myself using it all the time. An example of usage would be when you are trying to see if one variable is equal to one of any number of different values. Instead of using the equality operator (==) many times chained together with ors (||), you can put all the values you are testing in an array, and use the in_array function.

 

Now, this guide is a very simplistic introduction to PHP arrays, and there are many many more functions and uses for arrays. Perhaps I will write a more advanced tutorial on array usage at a later date.

Some useful links you may want to check out:

The list of PHP’s array functions: http://php.net/manual/en/ref.array.php
The PHP manual entry for arrays: http://php.net/manual/en/language.types.array.php
A Tizag.com tutorial on PHP arrays: http://www.tizag.com/phpT/arrays.php
A website for all things PHP. They have some of the best PHP help forms, and I am a staff member here:  http://www.phpfreaks.com