43. Introduction to PHP

PHP technology

PHP, like VBScript, is a server-side scripting language, and it performs many of the same tasks as VBScript. For example, you can generate HTML code with PHP, save information to a database, program cookies, and even send email messages. PHP, unlike VBScript, is an open-source product and is extremely popular on Apache (Unix) servers worldwide. The latest release of PHP, level 7, has convinced many that PHP outruns VBScript. This statement may be true, but its chief advantages for us include its extreme popularity, wide variety of built-ins, huge libraries of free source code, excellent user forums, and close similarity to JavaScript syntax.

Due to the length of time you have in this course, we will not be covering MySQL. It is a popular open-source database held in high regard by the Web community. Although it is freeware, MySQL is powerful and reliable, and it is a common sidekick to PHP.
If you do not have ASP/IIS available on your server, then it is very likely that PHP is installed.
When you see a PHP script on one of the course pages, highlight and copy it. Next, save the code under the suggested filename. Upload it to your Web folder, and run it from there by entering the URL into the browser address bar.
There is a small script to begin our next PHP exercise. It will confirm whether PHP is installed and will show you the version number. Hopefully, version 4 or later is installed. Our examples have been tested with version 5.
Due to the number of topics we cover in this course, there is not sufficient time to cover PHP thoroughly. There is time, however, to:
Because we will use complete examples, you will be able to use some handy techniques by the time you finish this lesson.
Like VBScript and JavaScript, PHP must be coded within script tags. Below is a program for you to copy and upload to your server with the name "test.php." Once you have uploaded the file, run it to learn which version, if any, of PHP is installed.
<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="UTF-8" />
<title>Test PHP on the server</title>
</head>
<body>
<?php          // opening tag -- required
phpinfo();     // a built-in function call (a statement)
?>             <!-- closing tag -- required -->
</body>
</html>

All PHP statements MUST end with a semicolon.
Highlight and copy the test.php script. Next, save it and upload it to your Web folder. You may run it now, and return here to compare your output with ours. You can see this screen and the test.php results together by resizing the browser windows, or you can just cycle back and forth between them with Alt-Tab.
Always start any PHP scripting with the PHP containers <?php and ?>. Always end each line of the script with a semicolon.
<?php          // opening tag -- required
phpinfo();     // a built-in function call (a statement)
?>             <!-- closing tag -- required -->
Most scripts prepare material for the user to see on the browser. Such scripts must send HTML markup to the browser since that is the language the browser uses to display material. Write a PHP script to create an HTML page for the browser. Here is a simple example.
<?php
print "<h3>Sending text to the browser</h3>";
print "<p>Most scripts prepare material for the user to see ...</p>";
?>
All text sent to the browser must be inside quotes. Use the print built-in function to send the text. Most of the time you will include tags in the text for the browser to render. Always end each line with a semicolon.
Now we will have a quick review of the key points we have learned thus far. Then, we will learn how to send text containing quotes to the browser.
Review of key points:
<?php and ?>
print " " built-in

At times, you will want the user to see quotation marks in the text. For example, quotes must be displayed when quoting someone. Mishandled quotes cause syntax errors because PHP already expects to see a pair of quotes surrounding your print argument. The following causes a syntax error:
<?php
print "<p>...quotes sometimes, "As I know you will" ...</p>";
?>
Internal quotes must be preceded by a backslash. The backslash can be used with any ambiguous character, as you will see later.
<?php
print "<p>...quotes sometimes, \"As I know you will\" ...</p>";
?>
All variables must begin with a dollar sign $ followed by an alphabetic character or underscore. For example, $FirstName, $greeting, $_count, $Total.
PHP is case-sensitive. Name your variables with upper and lowercase, and be consistent: $Firstname, $Greeting, $count, $total are not the same variables shown above.
Your first use of a variable establishes its type. Most of the time, you will begin by placing a value in the variable. The following variables are of the types string, integer and double, respectively:
$greeting = "Welcome back";
$_count = 23;
$Total = 1456.75;
Information you receive from a form (that is, data submitted by an HTML page to your script), may need to be molded into the appropriate data type. Numeric data sent in a text field will be a string, not an integer or a double, as you might expect. You need to coerce the type for your own script purposes to prevent errors.
PHP variables contain integers, doubles, strings, booleans, objects, or arrays. You have four means of controlling the type.
settype( $variable, type );   // converts $variable in place; type is a string such as "integer"
$data = ( type ) $variable;
(integer) $variable; returns integers
(string) $variable; returns strings
(double) $variable; returns doubles

The error_reporting() function sets the error_reporting directive at runtime. PHP has many levels of errors; using this function sets that level for the duration (runtime) of your script.
error_reporting() sets PHP's error reporting level, and returns the old level. The level parameter takes on either a bitmask, or named constants. Using named constants is strongly encouraged to ensure compatibility for future versions. As error levels are added, the range of integers increases, so older integer-based error levels will not always behave as expected.
<?php
error_reporting(0);   // Turn off all error reporting

// Report simple running errors
error_reporting (E_ERROR | E_WARNING | E_PARSE);

// Reporting E_NOTICE can be good too (to report uninitialized
// variables or catch variable name misspellings ...)
error_reporting (E_ERROR | E_WARNING | E_PARSE | E_NOTICE);

// Report all errors except E_NOTICE
// This is the default value set in php.ini
error_reporting (E_ALL ^ E_NOTICE);

// Report all PHP errors (bitwise 63 may be used in PHP 3)
error_reporting (E_ALL);
?>
They are used, as in other languages, for holding lists of information conveniently under one variable name. When you need the 2nd item from an array named $score, you would use this syntax: $score[1]. Yes, arrays begin with index number zero. But they can also be indexed with names instead of numbers. See Associative arrays below.
The size of a PHP array is provided by the count function. It returns the number of items in an array, not the index of the last item.
$size = count($score);
For simple arrays of static information, it is easiest to use a construct called array().
$student = array( "Jim", "John", "Larone" );
PHP provides another convenience for creating arrays. You can omit the index number when filling an array with information. The following builds the same numerically indexed array as in the above example.
$student[] = "Jim";
$student[] = "John";
$student[] = "Larone";
If you don't like index-numbered elements in your array, use a string index instead. Associative arrays are easier to use than numerically indexed arrays in many cases. I find $score[11] harder to remember consistently than $score["Test5"]. Create the string names at the time you create the array.
The associative index can be a literal (print $score["Test5"];) or a variable ($index="Test5"; print $score[$index];).
Think of these data structures as you would of records and fields in tables. The first dimension of a two-dimensional array is similar to records or rows in a table, the second is similar to columns or fields in a table.
$roster[0]["name"] = "James Monroe";
$roster[0]["EID"] = "J35tr";
$roster[0]["Test1"] = 87;
$roster[0]["Test2"] = 93;
$roster[1]["name"] = "Larone Campbell";
$roster[1]["EID"] = "La912";
$roster[1]["Test1"] = 94;
$roster[1]["Test2"] = 95;
for( $i=0; $i < count($roster); $i++ ) {
print $roster[$i]['name']." ".$roster[$i]['EID']."<br />";
}
Multidimensional arrays are sometimes used to hold the results of a query, and the query results array could be placed in a session variable to provide the query information across all Web pages in a site.
There are numerous built-in PHP functions for manipulating arrays. Further information is in the PHP manual.
A function is a self-contained block of code written to perform a discrete step in your logic. Use functions freely to modularize your scripts, and build an inventory of reusable script code.
Define a function by copying the code below. The formal argument $arg may not be necessary for your functions. The example is written to save typing time when writing HTML to the browser.
function pl ( $arg ) {
print "$arg<br />\n";
}
Calculations and string manipulations can be returned by your functions. Use the result by placing the function reference on the right of the assignment operator, or inside a statement. Here is an example.
$b = 33.6;
$c = 2;
$a = sumInt ( $b, $c ); // call on the right
pl ("<h4>Sum is =".sumInt( $b, $c)."</h4>"); // call in a statement
function sumInt( $arg1, $arg2 ) {
return intVal( $arg1) + intVal( $arg2 );
}
Global variables are those variables used outside of functions. A global variable must be either declared outside of a function or received from a form submission.
These variables are not allowed inside of functions unless invited (how you do this is described below). This rule is really nothing more than a safety measure to make you aware of the scope of any changes to these variables. The usual scripting practice is to send information into functions through formal arguments, not by using global-scope variables.
Local variables are created within a function and can be used within that function only. They are unavailable elsewhere and protected in this sense from careless change outside of the function boundary. Many languages have this feature.
Global variables may be accessed, in addition to the local variables, by making reference to them as global. Use this declaration inside a function.
global $g_data1, $g_data2;
Although single quotes are handy in other languages for placing quotes within quotes, they serve a different purpose in PHP. They signify "send literally what is contained in the single quotes." In other words, there will not be an inspection and replacement of the variable names with their contents. Do not use single quotes unless you understand this concept.
If you want the user to see a variable's name, rather than its contents, then you can use single quotes, or you can simply place a backslash in front of the variable name.
print "$greeting, $FirstName"; // rendered: Welcome back, Hugh
print "$greeting, \$FirstName"; // rendered: Welcome back, $FirstName
/* the next two lines are described below */
$message = $greeting . ", " . '$FirstName';
print "$message"; // rendered: Welcome back, $FirstName
The syntax of comments is shown above in two forms:
Look at the $message= line above. It illustrates the effect of single quotes, and it introduces the catenation operator, the period.
print "<h1>$greeting</h1>";
print "<p>You have visited here $_count times.</p>";
Before PHP sends the print to the browser, it looks for any variables you coded, and substitutes their values automatically.
Here is a brief list of built-in string functions that you will need to begin authoring PHP scripts. Note that all string functions begin counting characters with zero.
Function | Example | Notes |
---|---|---|
substr | $A=substr("Web Systems",4,10) returns "Systems" | 4 is the start, 10 is the length to return |
strlen | $E=strlen("PHP") returns 3 | find the number of characters |
strtolower | $A=strtolower($A) | converts to lowercase |
strtoupper | $A=strtoupper($A) | converts to uppercase |
eregi | eregi($needle,$haystack) | return true or false if needle exists in haystack |
str_replace | str_replace($needle,$with,$haystack) | returns $haystack having all its values of $needle replaced with $with |
strpos | $at=strpos ($haystack,$needle,$start) | return position of needle in search beginning at start |
strrpos | $at=strrpos ($haystack,$needle,$start) | return last position of needle in haystack search beginning at start |
explode | $array=explode($atChar,$A) | separates a string into items in an array using the atChar |
implode | $A=implode($glue,$array) | joins all items in array into one string each separated by glue |
trim | $B=trim($B) | remove spaces before and after |
Examples of these functions are next.
<?php
print "<html><body><br />";
$greeting="Good to see you're back";
/*         01234567890123456789012 */
$CSV="013458789,Bill,Jones,bj@mail.panam.edu";
$PathFileName="http://www.php.net/manual/en/function.eregi.php";

$A=substr($greeting,0,3);          // string positions are 0,1,2,3,..
$B=substr($greeting,0,15) . substr($greeting,16,1) . substr($greeting,18,10);
$C=strrpos($PathFileName,"/");     // look for the last slash in a URL
$D=substr($PathFileName,$C+1,99);  // grab the file name from the URL
$Data=explode(",",$CSV);           // break apart the comma-separated-values into array

print "1. $A";                     // 1. Goo
print "<br />";
print "2. $B";                     // 2. Good to see your back
print "<br />";
print "3. $C";                     // 3. 28
print "<br />";
print "4. file name is $D";        // 4. file name is function.eregi.php
print "<br />";
print "$CSV";                      // 013458789,Bill,Jones,bj@mail.panam.edu
print "<br />";
for ($k=0; $k < count($Data); $k++) {
    print "array item $k = $Data[$k]";   // array item 0 = 013458789
    print "<br />";                      // array item 1 = Bill
}                                        // array item 2 = Jones
                                         // array item 3 = bj@mail.panam.edu
print "</body></html>";
?>
We need two pages of checkpoints for the string examples you just saw. Answer these questions by referring back to the previous page of examples. Click to check your work.
012345... that was below $greeting could help you script substrings of $greeting.

These structures are highly similar to JavaScript. Thus, only a few examples should be necessary to teach you their syntax.
if ($TotalCost >= 50) {
    $TotalCost = $TotalCost - $Discount;
    $TotalDiscounted++;
}
if (strtoupper(trim($sex)) == "M") { // notice use of functions
    print "Yes sir";
} else {
    print "Yes ma'am";
}
Another form of if is the immediate or inline result. Read the following line as "if $a> $b then return 1 otherwise return 0". The benefit of this structure can be realized by the second example.
($a> $b) ? 1 : 0 ;
$greet = ($sex=='f') ? "girl" : "boy";
print "Hello, $greet";
for ($k=0; $k < count($Data); $k++) { // count() returns # items
print "array item $k = $Data[$k] <br />";
}
switch ($ContactHow) {
    case "Telephone":
        print "Please enter a daytime phone number.";
        break;      // break jumps out of switch
    case "E-Mail":
        print "Please enter your E-Mail address.";
        break;
    default:        // default: is executed if no match above
        print "Select how you want to be contacted.";
        break;
}
We ask the question above most often when programming scripts to receive form data. The script you name in the form tag attribute...
<form action="http://www.site.com/form.php"...
...will be sent the named form controls (text boxes, lists, check boxes, etc). For safety, we always ask at the top of the script if one of the form controls has been defined. If not, we will not run the rest of the script because the script was run when it should not have been.
Here is an example of a named form control "EmailSubmit" that will be given a value of true to signify that the email form was run. If form.php is requested from another form, then EmailSubmit will be false, since it is not a control on any other form.
<input type="hidden" name="EmailSubmit" value="true" />
The HTML form controls on this page will submit their named variables to form.php, where we can check to see if the PHP script should be run. That is, was the script requested from the form we think it was? Here is the PHP logic.
if (isset($MailSubmit)) { .... ;}
Because the correct form placed "true" in EmailSubmit, we can use this clear conditional to query whether the expected form generated the request for the PHP program.
Like other programs, PHP will run its statements in the sequence in which they are encountered. When HTML is also present, new Web authors can get confused. Add the two computers (client-server) into the picture with the two languages (if you are not confused yet).
Another type of variable definition must be introduced. Because variables can be passed in the URL, it is possible that a script expects a variable it cannot get from the URL, and a run-time error is produced. This can be avoided by using isset() as in the conditional below.
if (!isset($_REQUEST["txtCustomer"])) { .... ;} // ask if NOT sent in URL
We learned to markup forms and assign each control (text box, list, check box, etc) a specific name. Those names are recognized by PHP.
<form name="frmNewCustomer" action="form.php" method="get">
Enter your email address
<input type="text" name="txtCustomer" maxlength="40"/>
and Password
<input type="password" name="txtPassword" />
<input type="submit" value="Submit" />
</form>
If your form action terminates in a PHP script (form.php for example), you can enjoy fully automatic variable names in the script.
Inside the PHP script named form.php, the two variables $txtCustomer and $txtPassword will be available automatically. Here is a script that looks up the customer and confirms their password.
<?php   // opening tag in form.php
$Customer = $_REQUEST["txtCustomer"];
$Password = $_REQUEST["txtPassword"];
$Record = lookup($Customer);
if ( $Record && confirmPassword($Password) ) {
    // process customer
}
?>
If this concept is not clear, the email example script that uses forms should help.
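The two ideas above (coercing form data to the type you expect, and asking with isset() whether a control was sent at all) can be combined into one server-side check. The following is an added example, not part of the original lesson: find_customer() and its one constructed account are hypothetical stand-ins for lookup() and confirmPassword(), and the functions take the submitted array as an argument (pass $_POST from a form with method="post" so the password stays out of the URL). It assumes PHP 7.1 or later and reads the fields explicitly, because the automatic $txtCustomer style variables depend on register_globals, which was removed in PHP 5.4.

```php
<?php
// Added example, not part of the original lesson.
// find_customer() and its one-record store are hypothetical stand-ins for
// the page's lookup() and confirmPassword(); the account is constructed.

/** Return the stored record for an email address, or null if unknown. */
function find_customer(string $email): ?array
{
    static $customers = null;
    if ($customers === null) {
        $customers = [
            'pat@example.com' => [
                'name'          => 'Pat <Example>',
                'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
            ],
        ];
    }
    return $customers[strtolower($email)] ?? null;
}

/** Return the named field only if it was sent as a plain string. */
function text_field(array $input, string $name): ?string
{
    // isset() guards against a missing control; is_string() against
    // txtCustomer[]=x, which PHP would deliver as an array.
    return (isset($input[$name]) && is_string($input[$name])) ? $input[$name] : null;
}

/** Coerce a numeric text field to an integer in [$min, $max], else null. */
function int_field(array $input, string $name, int $min, int $max): ?int
{
    $raw = text_field($input, $name);
    if ($raw === null) {
        return null;
    }
    // Unlike an (integer) cast, which turns "23abc" into 23, this rejects it.
    $value = filter_var(trim($raw), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $value === false ? null : $value;
}

/** Check a submission and return [bool $ok, string $htmlMessage]. */
function check_login(array $input): array
{
    $email    = text_field($input, 'txtCustomer');
    $password = text_field($input, 'txtPassword');
    if ($email === null || $password === null) {
        return [false, 'Form fields are missing.'];
    }
    $email = trim($email);
    // Re-check the form's maxlength="40" here: the browser limit is only advisory.
    if (strlen($email) > 40 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return [false, 'Please enter a valid email address.'];
    }
    $record = find_customer($email);
    // One message for both failures, so the reply does not say which part was wrong.
    if ($record === null || !password_verify($password, $record['password_hash'])) {
        return [false, 'Email address or password is incorrect.'];
    }
    // Escape stored data before it goes into HTML.
    return [true, 'Welcome back, ' . htmlspecialchars($record['name'], ENT_QUOTES, 'UTF-8')];
}

// Constructed submissions standing in for $_POST.
$samples = [
    ['txtCustomer' => 'pat@example.com', 'txtPassword' => 'correct horse'],
    ['txtCustomer' => 'pat@example.com', 'txtPassword' => 'wrong'],
    ['txtCustomer' => ['x'],             'txtPassword' => 'anything'],
    ['txtPassword' => 'no customer field'],
];
foreach ($samples as $sample) {
    [$ok, $message] = check_login($sample);
    print ($ok ? 'OK:   ' : 'FAIL: ') . $message . "\n";
}
var_dump(int_field(['qty' => '23'], 'qty', 1, 99));
var_dump(int_field(['qty' => '23abc'], 'qty', 1, 99));
```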
Users can type their data into a textarea form control you provide, and they can include the Enter key to break lines. The Enter key creates a CRLF (carriage return, line feed) in the stream of data transmitted. This can cause problems.
If you are storing the transmitted data in a text file (described later), it is necessary to replace the CRLF with the HTML line break tag <br /> before you write it into the file. Otherwise only the first part of the text will be saved to file. Here is the code necessary to perform the replacement and solve the problem for one transmitted textarea field: txtArea.
$crlf = chr(13).chr(10); // storing the crlf for search/replace below
$txtArea = str_replace($crlf, "<br />", $txtArea);
Another problem will arise if the user enters an apostrophe ('). PHP will automatically add a backslash in front of the ', making your output look like this "the boy\'s toys" instead of this "the boy's toys". The following PHP function will correct this as well.
$txtArea = stripslashes( $txtArea );
Refer to the PHP strings manual for more information.
Suppose you need to send credit card approval requests via a form post. This is typical and easy enough to do without having to write scripts. However, if you want to preserve the form data entered by your user you will need to involve INTERMEDIATE scripts to update tables and/or session variables -- to preserve state.
Create the original html form with method="post" as usual. In place of the action="https://www.approvethiscard.com" insert the name of a script file you write to update tables and/or session variables, then later in the script spoof a post of the form data to approvethiscard.com.
<?php
// this script shows how to 'spoof a post'
// in the upper part of this script you will
// need to receive some values passed by
// a calling post script, then load the passed
// data into session variables or tables.
// note the escaped quotes around \"$var1_value\"
// these preserve any blanks in the value
die ("<html>
<body onload='top.hiddenform.submit();'>
<form name='hiddenform' action='http://www.approvethiscard.com' method='post'>
<input type='hidden' name='var1' value=\"$var1_value\">
</form>
</body>
</html>");
?>
Here is a logical three step process that we will use to take in email messages and send them. The sequence, or order of execution, is important.
Here is the order in which we will script the sequence. We place all operations in a single script. See the source below.
All three steps will be scripted in one PHP file, which is shown next. Our goal is to have a single PHP script do all three steps.
<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="UTF-8" />
<title>WebSys: Web systems development</title>
<meta name="author" content="Hugh Poynor" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body>
<form name="frmEmail" method="get" action="mail.php">
<table border="0" cellspacing="0" cellpadding="5">
<colgroup style="text-align:right" span="1"></colgroup>
<tr><td style="text-align:right">To Email Address:</td>
<td><input type="text" name="MailTo" size="50"></td></tr>
<tr><td style="text-align:right">From Email Address:</td>
<td><input type="text" name="MailFrom" size="50"></td></tr>
<tr><td style="text-align:right">Subject:</td><td>
<input type="text" name="Subject" size="50"></td></tr>
<tr><td style="text-align:right">Message:</td>
<td><textarea name="Body" rows="6" cols="40"></textarea></td></tr>
<tr><td colspan="2" style="padding:12px 0px 8px 0px;text-align:center">
<input type="hidden" name="EmailSubmit" value="true">
<input type="submit" name="submit" value="Send"></td></tr>
</table>
</form>
<script>document.frmEmail.MailTo.focus()</script>
<?php
if( isset($_REQUEST["EmailSubmit"]) ){
    $MailSubmit = $_REQUEST["EmailSubmit"];
    $ToAddr = $_REQUEST["MailTo"];
    $MailSubject = $_REQUEST["Subject"];
    $MailBody = $_REQUEST["Body"];
    $FromAddr = $_REQUEST["MailFrom"];
}
if (isset($MailSubmit)) {
    if ($ToAddr) {
        if (mail($ToAddr, $MailSubject, $MailBody, "From: <$FromAddr>")) {
            print ("<strong>Your email to ". $ToAddr. " has been sent!</strong>");
        } else {
            print ("<strong>Your email encountered a system error!</strong>");
        }
    } else {
        print ("<strong>Please enter the recipient's email address!</strong>");
    }
}
?>
</body>
</html>
Most email we receive is plain text, but you may have received email that had colorful graphics and looked as good as a printed brochure or a Web page. It was a Web page. This part of the PHP lesson describes how to use the built in mail() function to send Web pages as e-mail.
mail($MailTo, $Subject, $Body, $Headers)
The last argument, $Headers, can contain several arguments if they are separated by \r\n (carriage return, line feed). This argument allows us to signify to the email client program that HTML is stored in the $Body. Here are some popular arguments you may use in $Headers. If you want to send attachments or need further information, read the PHP Manual on mail().
$Headers = "From: Your name <name@mail.edu>"."\r\n";
$Headers .= "Cc: personX@mail.edu"."\r\n";     // must be exact (Cc:)
$Headers .= "Bcc: personZ@mail.edu"."\r\n";    // must be exact (Bcc:)
$Headers .= "Content-Type: text/html; charset=iso-8859-1"."\r\n";
A short HTML page example follows.
$Subject = 'Web page inside email';
$Body = '<html>........ use double quotes in markup
...</html>';
$Headers = "From: Morgan Law <author@BooksbyMorganLaw.com>"."\r\n";
$Headers .= "Content-Type: text/html; charset=iso-8859-1"."\r\n";
mail($ToAddr, $Subject, $Body, $Headers);
// note: $ToAddr is derived from the text box below, not in this code.
// the $ToAddr can include the recipients name, see next line
// script this: $ToAddr = "Jimmy Cricket <" . $ToAddr . ">\r\n";
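Because every \r\n in $Headers begins a new header, the values that the mail form places into the To, From and Subject positions have to be checked as single-line values before mail() is called. The following is an added example, not part of the original lesson: it validates the MailTo, MailFrom, Subject and Body fields of the mail.php form, the sample submissions are constructed, and the demonstration only prepares messages without sending them.

```php
<?php
// Added example, not part of the original lesson.

/** True if the string contains a carriage return or a line feed. */
function has_line_break(string $s): bool
{
    return strpbrk($s, "\r\n") !== false;
}

/**
 * Validate the mail form fields (MailTo, MailFrom, Subject, Body).
 * Returns ['ok' => true, 'to', 'subject', 'body', 'headers'] on success,
 * or ['ok' => false, 'errors' => [...]] when any field is unusable.
 */
function prepare_mail(array $input): array
{
    $field = [];
    foreach (['MailTo', 'MailFrom', 'Subject', 'Body'] as $name) {
        if (!isset($input[$name]) || !is_string($input[$name])) {
            return ['ok' => false, 'errors' => ["Missing field: $name"]];
        }
        $field[$name] = trim($input[$name]);
    }

    $errors = [];
    // Anything placed in the header block must be one line, because each
    // \r\n is read as the start of another header.
    foreach (['MailTo', 'MailFrom', 'Subject'] as $name) {
        if (has_line_break($field[$name])) {
            $errors[] = "$name must not contain line breaks";
        }
    }
    foreach (['MailTo', 'MailFrom'] as $name) {
        if (filter_var($field[$name], FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = "$name is not a valid email address";
        }
    }
    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }

    return [
        'ok'      => true,
        'to'      => $field['MailTo'],
        'subject' => $field['Subject'],
        // The body may span lines; normalise them to CRLF.
        'body'    => preg_replace('/\r\n|\r|\n/', "\r\n", $field['Body']),
        'headers' => 'From: <' . $field['MailFrom'] . ">\r\n"
                   . "Content-Type: text/plain; charset=UTF-8\r\n",
    ];
}

/** Send only when every field passed the checks; returns mail()'s result. */
function send_checked_mail(array $input): bool
{
    $m = prepare_mail($input);
    return $m['ok'] && mail($m['to'], $m['subject'], $m['body'], $m['headers']);
}

// Constructed submissions standing in for the form data.
$samples = [
    'ordinary message' => [
        'MailTo' => 'friend@example.com', 'MailFrom' => 'visitor@example.com',
        'Subject' => 'Hello', 'Body' => "Line one\nLine two",
    ],
    'second header inside From' => [
        'MailTo' => 'friend@example.com',
        'MailFrom' => "visitor@example.com\r\nBcc: list@example.net",
        'Subject' => 'Hello', 'Body' => 'Hi',
    ],
    'line break inside Subject' => [
        'MailTo' => 'friend@example.com', 'MailFrom' => 'visitor@example.com',
        'Subject' => "Hello\r\nContent-Type: text/html", 'Body' => 'Hi',
    ],
];
foreach ($samples as $label => $sample) {
    $m = prepare_mail($sample);
    print $label . ': '
        . ($m['ok'] ? 'ready to send' : 'rejected (' . implode('; ', $m['errors']) . ')')
        . "\n";
}
```

When the confirmation is printed to the page, pass the address through htmlspecialchars() first, since it is visitor-supplied text.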
Construct an HTML table and have it sent to the user's Excel client. This is another way of "downloading" data with a server script. It is more direct than sending XML or comma-delimited data. It DOES require the user to have an up-to-date version of Excel. Try it out.
<?php
header("Content-type: application/vnd.ms-excel");
header("Content-Disposition: attachment; filename=\"test.xls\"");
?>
<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="UTF-8" />
<title>Load Excel from a PHP script</title>
<meta name="author" content="Hugh Poynor, PhD Ph.D." />
</head>
<body>
<table border="1" >
<colgroup span="1" style='text-align:right'></colgroup>
<colgroup span="1"></colgroup>
<colgroup span="1" style='text-align:right'></colgroup>
<tr><th>Qty</th><th>Item</th><th>Total</th></tr>
<tr><td>3</td><td>Small wigits</td><td>23.00</td></tr>
<tr><td>1</td><td>Medium wigits</td><td>9.00</td></tr>
<tr><td>7</td><td>Large wigits</td><td>221.00</td></tr>
</table>
</body>
</html>
The imaginary CNN news piece will be rewritten daily as fresh stories break. We want a CNN department to place all the markup for the small "On CNN TV" region in a text file on the Web server. The larger page will contain many other regions and their content as well.
The small text file will be called newsanalysis.txt, and it will contain all the HTML markup and content necessary to fit into the allotted space on the large page. Here is that markup in the text file and how it looks when rendered alone.
<img style="float:left" src="images/web-wolf_blitzer.jpg"
alt="Wolf head" width="66" height="51" border="0" />
<a href="#" style="color:blue;font-weight:bold">
Wolf Blitzer Reports:</a><br />
Operation Anaconda: mission accomplished?<br />
Or will al Queda rise to fight again? Join Wolf Blitzer
in the "War Room." <strong>(7p.m. E.T.)</strong>
The PHP source file below opens and reads newsanalysis.txt after a server connection is made. Then, it writes the contents of the file (which is HTML) to the page. It is a standard practice to mix PHP and HTML on a PHP page. We have colored the HTML green to make it clearer.
<html><head><style type="text/css">
div.newsanalyst { font-family:verdana,sans-serif; font-size:8pt;
line-height:120%;width:337px;height:55px;border:1px silver solid}
</style></head><body>
<div class="newsanalyst">
<?php
$f = "../db/newsanalysis.txt";
$fs = fopen( $f, "r");
$news = fgets( $fs, 9999 ); // read one line from file
while (!feof($fs)) { // loop required to read more than one line
print $news; // write to the page
$news = fgets( $fs, 9999 ); // read one line from file
} // close loop
print $news; // write to the page
fclose ( $fs );
?>
</div></body></html>
For a real page of news stories this process would be repeated many times, once for each region on the news page, and the source code above would need to open and read many text files.
Parallel code for ASP can be found in the ASP lesson.
Note if you are operating on a Unix server: the files you write to (newsanalysis.txt in the example below) must be set to allow the writes. Until you change the Remote File Permissions with chmod (or an equivalent utility) to allow the file to be written, your PHP script will throw an error.
The PHP source file below writes into newsanalysis.txt after a server connection is made. It pulls the information from the html form named news.html and story.php then writes it into the newsanalysis.txt text file. We have colored the HTML green to make it clearer.
<html><head><title>News Story</title></head>
<body><h3>Enter in News story</h3>
<form name="frmnews" method="post" action="story.php">
<table border="0" cellspacing="0" cellpadding="5">
<tr><td>Story :</td><td><textarea name="newStory" rows="5" cols="50">
</textarea></td></tr>
<tr><td colspan="2" align="center">
<input type="submit" value="submit"> </td></tr>
</table></form></body></html>
<?php
$story = $_REQUEST["newStory"];
$f = "../db/newsanalysis.txt";
$fs = fopen( $f, "w"); //the w denotes writing (file mode)
fwrite ( $fs, "$story\r\n");
fclose ( $fs );
?>
Here is a summary of all the File modes for the fopen( ) function.
Modes | Meaning |
---|---|
r | Read mode - Open for reading, beginning from start of file |
r+ | Read mode - Open the file for reading and writing, beginning from the start of file |
w | Write mode - Open the file for writing, beginning from start of file. If the file already exists, delete the existing contents. If it does not exist, try and create it |
w+ | Write mode - Open the file for writing and reading, beginning from the start of the file. If the file already exists, delete the existing contents. If it does not exist, try and create it. |
a | Append mode - Open for appending (writing) only, starting from the end of the existing contents, if any. If it does not exist, try and create it |
a+ | Append mode - Open the file for appending (writing) and reading, starting from the end of the existing contents, if any. If it does not exist, try and create it |
The PHP source file below uploads files from one directory to another. In this example, we are uploading a text file for a news article. I have written both the html form called up.html and the php file named upload.php.
For security reasons, file uploads can be restricted in the php.ini located in the server directory. For uploads to work you must turn PHP safe mode off and turn on register_globals. It is recommended to have some restrictions on who is allowed to upload files to the server. Some ASP installations, such as the McCombs Business School, do not allow file uploads. Other server installations may not support your requests for changing any of their PHP security levels.
<html><head>
<title>Upload new files</title>
</head><body><h1>Upload new news files</h1>
<form enctype="multipart/form-data" action="upload.php" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="200000">
Upload This File: <input name="userfile" type="file">
<input type="submit" value="Submit" />
</form></body></html>
<html><head><title>Uploading....</title></head>
<body><h1>Uploading file....</h1>
<?php
$filename = $_FILES['userfile']['tmp_name'];
$realname = $_FILES['userfile']['name'];
if ($_FILES['userfile']['size'] == 0)
{echo "Problem: File is of zero length"; exit;}
if ($_FILES['userfile']['type'] != "text/plain")
{echo "Problem: file not plain text"; exit;}
if (is_uploaded_file($filename))
{copy($_FILES['userfile']['tmp_name'], ".\\news\\".$realname);
echo ("<b> File successfully copied! </b>");
} else {
echo "Possible file upload attack:
filename ".$_FILES['userfile']['name'].".";
}
?>
</body></html>
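The upload.php above takes both the file type and the destination file name from values the browser sends. The following is an added example, not part of the original lesson, of the same handler with those two decisions made on the server: the type is detected from the file contents with the fileinfo extension (assumed to be installed), the stored name is generated, and the visitor's name for the file is only displayed, escaped. The news directory beside the script and the 200000-byte limit follow the lesson's form; the news- file name prefix is an assumption. $_FILES is filled in by PHP itself and does not need register_globals.

```php
<?php
// Added example, not part of the original lesson.

const MAX_BYTES = 200000;   // same limit as the form's MAX_FILE_SIZE field

/**
 * Validate one entry of $_FILES and move it into $destDir.
 * Returns [true, stored file name] or [false, reason].
 */
function store_news_upload(array $file, string $destDir): array
{
    // A field sent as userfile[] arrives as arrays; accept one file only.
    if (!isset($file['error'], $file['tmp_name'], $file['size']) || is_array($file['error'])) {
        return [false, 'Malformed upload.'];
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'Upload failed (error code ' . (int) $file['error'] . ').'];
    }
    // MAX_FILE_SIZE in the form is only a hint to the browser; enforce it here.
    if ($file['size'] === 0 || $file['size'] > MAX_BYTES) {
        return [false, 'File is empty or larger than ' . MAX_BYTES . ' bytes.'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'Not an uploaded file.'];
    }
    // $file['type'] is whatever the browser claimed. Inspect the content instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'text/plain') {
        return [false, 'File is not plain text.'];
    }
    // Never build the path from $file['name']: generate the stored name, so the
    // visitor controls neither the directory nor the extension.
    $stored = 'news-' . bin2hex(random_bytes(8)) . '.txt';
    $target = rtrim($destDir, '/\\') . DIRECTORY_SEPARATOR . $stored;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return [false, 'Could not store the file.'];
    }
    return [true, $stored];
}

if (isset($_FILES['userfile'])) {
    [$ok, $info] = store_news_upload($_FILES['userfile'], __DIR__ . '/news');

    // The original name is shown to the visitor only, and escaped for HTML.
    $name  = $_FILES['userfile']['name'] ?? '';
    $shown = is_string($name) ? htmlspecialchars(basename($name), ENT_QUOTES, 'UTF-8') : '';

    if ($ok) {
        print "<b>File $shown stored as $info</b>";
    } else {
        print '<b>Problem: ' . htmlspecialchars($info, ENT_QUOTES, 'UTF-8') . '</b>';
    }
}
```

Keeping the news directory out of the path where the server executes PHP means a stored file can only ever be read as text.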
Let's continue to study text files. Text files are easy to use, easy to understand, and cheap. As long as we have fewer than about 200 records, text files will be sufficient to meet our needs for storage and retrieval.
A file named fruit.txt holds a list of fruit. Visitors to the Web page are expected to choose from a pull down list on an HTML page. To make the example clearer, only the list appears on the page.
This example uses PHP to read fruit.txt and to insert the records into the pull down list. It then sends the page to the browser. Source code for this example follows.
Parallel code for ASP can be found in the ASP lesson.
Here is the PHP source code for the pull down list of fruit. HTML markup has been color-coded green to distinguish it from the PHP script.
<html><body>
<form name="frmExample" method="get" action="">
<select name="fruit">
<?php
$TheFile = fopen ("../db/fruits.txt", "r");
if($TheFile){
$Fruit = strval(fgets($TheFile, 4096));
while (!feof ($TheFile)) {
print "<option>" . $Fruit . "</option>";
$Fruit = strval(fgets($TheFile, 4096));
}
print "<option>" . $Fruit . "</option>";
fclose ($TheFile);
}
?>
</select> <input type='submit' value='submit' />
</form></body></html>
Parallel code for ASP can be found in the ASP lesson.
Here is the HTML and PHP code to populate or write into fruit.txt text file. It pulls the information from the html form named fruit.html and addfruit.php then writes it into the fruit.txt text file. We have colored the HTML green to make it clearer.
<html><head>
<title>Fruit</title>
</head><body><h1>Add another fruit</h1>
<form name = "frmfruit" action = "addfruit.php"
method = "post">
<table border="0" cellspacing="0" cellpadding="5">
<tr><td>Fruit :</td><td><input type="text" name="Newfruit"></td></tr>
<tr><td colspan="2" align="center"><input type="submit" value="submit" /></td></tr>
</table></form></body></html>
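<html><body>
<?php
// The form posts to this script, so read the value from $_POST only.
$Fruit = (isset($_POST["Newfruit"]) && is_string($_POST["Newfruit"])) ? $_POST["Newfruit"] : "";
// Remove CR and LF so one submission cannot add more than one record.
$Fruit = trim(str_replace(array("\r", "\n"), "", $Fruit));
// Open the file only when there is something to store.
$TheFile = ($Fruit !== "") ? fopen("../db/fruits.txt", "a") : false;
if ($TheFile) {
  fwrite($TheFile, $Fruit . "\r\n");   // one record per line, CR LF ending
  fclose($TheFile);
  print "The Fruit has been added";
}
?>
</body></html>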
With htmlentities() all characters which have HTML character entity equivalents are translated into these entities. Examples:
& is converted to &amp;
< is converted to &lt;
> is converted to &gt;
With html_entity_decode() all HTML entities are converted to their applicable characters. Examples:
&amp; is converted to &
&lt; is converted to <
&gt; is converted to >
Data entered in HTML forms can be a problem when it contains quotes. Two examples of form data entered by visitors that cause file/database issues are as follows.
Johnny O'Reilly
William "Billy" Wang
The solution is a function to escape the quotes before storing in file/database, and another function to strip the escape sequence from the stored form data before you re-use it to display on a Web page.
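The addslashes() function adds backslashes (the escape character) before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte). For SQL queries, the PHP manual advises using the database's own escaping function or prepared statements rather than addslashes().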
The stripslashes() function strips off backslashes. (\' becomes ' and so on.) Double backslashes (\\) are made into a single backslash (\).
$name = addslashes($_GET['names']);
// write $name to file or db
// ...
// get $name from file or db
// strip the backslashes, then encode the value for display in HTML
print htmlentities(stripslashes($name), ENT_QUOTES);
Now we will see how a tilde-delimited text file (a comma-delimited file is what Microsoft calls CSV) can be used to hold employee records and show them in a table on a Web page.
You can use any character to act as the delimiter or separator, but the delimiter character should be something that will certainly not occur in the input. I chose the "~".
The fields of data are ID, FirstName, LastName, HireDate, ReviewDate, Salary, Sex and IsSelected. You will see how to read the records as text and split them into elements of an array. The array is coded $rec[], so $rec[3] is the element that holds HireDate.
1~James~Carlile~2/2/2001~10/13/2001~23200.00~M~1
2~Andrew~Frank~2/9/1997~2/9/1999~46276.92~M~1
3~Janet~Lydell~6/25/1994~6/25/1999~68674.72~F~0
4~Margo~ONiell~11/16/1994~11/16/1999~56834.25~F~0
5~Edward~Jones~11/17/1998~11/17/1999~62088.20~M~1
6~Harry~Jones~9/22/1978~10/1/1999~43920.23~M~1
7~Jimmy~Smith~2/24/2000~2/24/2001~55703.70~M~0
8~Hugh~Poynor~9/12/1989~9/30/1999~28923.08~M~1
9~Edward~Smith~3/6/2000~2/24/2001~25000.00~M~1
Parallel code for ASP can be found in the ASP lesson.
<html><body>
<table border='1' cellspacing='0' cellpadding='5'
width="440" style="border-collapse:collapse;
font-family:sans-serif;">
<colgroup>
<col span="2" align="left" />
<col span="1" align="center" />
<col span="2" align="right" />
</colgroup>
<tr style="background-color:gainsboro"><th colspan="2">
Employee</th><th>Sex</th>
<th>Hired</th><th>Salary</th></tr>
<?php
$oddColor='whitesmoke';
$evenColor='azure';
// Positions of the fields within one record
$ID=0; $FirstName=1; $LastName=2; $HireDate=3;
$ReviewDate=4; $Salary=5; $Sex=6; $IsSelected=7;
$TheFile = fopen ("../db/Employee.txt", "r");
if($TheFile){
  $row = 0;
  // fgets() returns false at end of file, so a last record without a
  // trailing line break is still shown.
  while (($Employee = fgets($TheFile, 4096)) !== false) {
    $rec = explode("~", trim($Employee));
    // Skip blank or incomplete lines instead of indexing missing fields.
    if (count($rec) < 8) { continue; }
    // Encode every field before it is placed in the page.
    foreach ($rec as $i => $value) {
      $rec[$i] = htmlentities($value, ENT_QUOTES);
    }
    if($row % 2 == 0) {
      $rowStart = "<tr style='background-color:".$evenColor."'><td>"; }
    else {
      $rowStart = "<tr style='background-color:".$oddColor."'><td>"; }
    print $rowStart;
    print $rec[$FirstName]. "</td><td>" ;
    print $rec[$LastName]. "</td><td>" ;
    print $rec[$Sex]. "</td><td>" ;
    print $rec[$HireDate]. "</td><td>" ;
    print "$".$rec[$Salary]. "</td></tr>";
    $row++;
  }
  fclose ($TheFile);
}
?>
</table></body></html>
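The rule that the delimiter must never occur in the input has to be enforced at the moment a record is written, because a "~" or a line break inside one field shifts or splits every field after it. The following is an added example, not part of the original lesson. The function names make_record() and parse_record() are hypothetical, the temporary file stands in for Employee.txt, and both sample submissions are constructed.

```php
<?php
// Added example, not part of the lesson. Sample records are constructed.
// Fields: ID, FirstName, LastName, HireDate, ReviewDate, Salary, Sex, IsSelected
const FIELD_COUNT = 8;

// Returns the line to store, or false when a field would break the format.
function make_record(array $fields)
{
    if (count($fields) !== FIELD_COUNT) {
        return false;
    }
    foreach ($fields as $value) {
        // "~" would shift every later column; CR or LF would start a new record.
        if (preg_match('/[~\r\n]/', (string) $value)) {
            return false;
        }
    }
    return implode("~", $fields) . "\r\n";
}

// Returns the array of fields, or false for a line with the wrong field count.
function parse_record($line)
{
    $rec = explode("~", rtrim($line, "\r\n"));
    return count($rec) === FIELD_COUNT ? $rec : false;
}

$path = tempnam(sys_get_temp_dir(), "emp");   // stand-in for ../db/Employee.txt
$submissions = array(
    array("10", "Johnny", "O'Reilly", "3/1/2002", "3/1/2003", "31000.00", "M", "1"),
    // The LastName field carries its own delimiters and a salary value.
    array("11", "Ann", "Lee~1/1/2000~1/1/2001~999999.00", "4/1/2002", "4/1/2003", "30000.00", "F", "0"),
);
foreach ($submissions as $fields) {
    $line = make_record($fields);
    if ($line === false) {
        print "rejected: " . htmlentities($fields[1], ENT_QUOTES) . "\n";
        continue;
    }
    // LOCK_EX keeps two simultaneous requests from interleaving their writes.
    file_put_contents($path, $line, FILE_APPEND | LOCK_EX);
}
foreach (file($path) as $line) {
    $rec = parse_record($line);
    if ($rec !== false) {
        print htmlentities($rec[1] . " " . $rec[2], ENT_QUOTES) . "\n";
    }
}
unlink($path);
```

The apostrophe in O'Reilly is stored as typed; in this file format only the delimiter and line breaks change the structure of a record.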
If your goal is to show the contents of a large html table in a scrolling format then use an iframe which has the scrolling attribute. Place the table in an html file by itself, named myTable.html. Markup an iframe in your main page like this:
<iframe src='myTable.html' scrolling="yes" width='?' height='?' > </iframe>
If you need to fill the html table with data from a database then you must use PHP (or ASP, Perl) to rewrite myTable.html and insert fields from the database into the html table data cells. To ensure that the most recent data is reflected in myTable.html use the meta tags shown in the source below. The example source code was used to fill an html table from a MySQL table with names of people who planned to attend a picnic. People signed up (RSVP) on a Web page and the listing (table) of people planning to attend the picnic was immediately refreshed to show their names.
The steps not shown here are: (1) Use html to take in form data (people attending the picnic), and (2) Use PHP/MySQL to add the form data to a picnic table.
// Use PHP/MySQL to read the picnic table and create an html table
function picnicTable(){
  openDB();
  $sql = "SELECT * FROM picnic;";
  $table = "<html>
<head>
<meta http-equiv='Pragma' content='no-cache'>
<meta http-equiv='expires' content='0'>
</head>
<body>
<table border='1'>\n";
  // The mysql_* functions exist only up to PHP 5; they were removed in PHP 7.
  if( !$result = @ mysql_query($sql) ) die("SQL err ".$sql);
  while ($f = @ mysql_fetch_array($result)) {
    // The names were typed in by visitors, so encode them for HTML.
    $table .= "<tr><td>".htmlentities($f[0], ENT_QUOTES)."</td>";
    $table .= "<td>".htmlentities($f[1], ENT_QUOTES)."</td></tr>\n";
  }
  $table .= "</table>
</body>
</html>";
  // open html file and rewrite contents.
  // the html file will be the source of an iframe.
  $fs = @fopen( "picnicTable.html", "w+");
  @fwrite ( $fs, $table."\r\n");
  @fclose ( $fs );
}
Just as PHP can write HTML pages, it can also write XML pages. It is necessary to specify the MIME type (called content-type in HTTP headers) for this to work properly. The first line of a *.php file that is scripting XML/XSLT must be as shown below. The remainder of the script would contain your markup and PHP mixed.
<?php
header('Content-Type: text/xml');
?>
XSLT can sort and filter XML data files as described in the lesson on XSLT. This makes XML very well suited for placing data on Web pages. However, the user's view of the data is limited without server-side scripting because XSLT, like HTML, marks up static pages. Scripting introduces a manner of controlling XSLT for the purpose of user customization. Here is an example of an XSLT tag for starting an ascending sort on AUTHOR.
<xsl:for-each select='CATALOG/CD' order-by='+ AUTHOR'>
Here is the same XSLT tag written by PHP with a variable introduced to control the sort order and the data column.
<?php
$OrderBy = "- YEAR"; // a descending sort on year
echo "<xsl:for-each select='CATALOG/CD' order-by='$OrderBy'>";
?>
The example below is based on the same XML and XSLT file technology used in the CD catalog example from the lesson on XSLT where users are presented with a static table showing a CD Catalog. Both the XML and XSLT files must be converted to PHP files. Our PHP-script users will be able to change the order of the sort and the data field that controls sorting of the catalog.
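Once visitors choose the sort, the value written into order-by comes from the request, so it should be picked from a fixed list and never copied from the query string. The following is an added example, not the lesson's own code. The parameter names col and dir and the function name sort_expression() are assumptions, and only the AUTHOR and YEAR columns named above are listed.

```php
<?php
// Added example: build the order-by value from request parameters without
// echoing visitor text into the stylesheet.
// Assumed parameter names: col (column) and dir (asc or desc).
function sort_expression(array $request)
{
    $columns    = array('AUTHOR', 'YEAR');            // columns named in the lesson
    $directions = array('asc' => '+', 'desc' => '-');

    $col = (isset($request['col']) && is_string($request['col']))
         ? strtoupper($request['col']) : '';
    $dir = (isset($request['dir']) && is_string($request['dir']))
         ? strtolower($request['dir']) : '';

    // Strict comparison against the list; anything else gets the default.
    if (!in_array($col, $columns, true)) {
        $col = 'AUTHOR';
    }
    if (!isset($directions[$dir])) {
        $dir = 'asc';
    }
    return $directions[$dir] . ' ' . $col;
}

header('Content-Type: text/xml');
$OrderBy = sort_expression($_GET);
// Only values assembled from the two lists above can reach the attribute.
echo "<xsl:for-each select='CATALOG/CD' order-by='$OrderBy'>";
?>
```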
Security issues, like bug issues, surface on a production site when there is too little planning during development. Preventing bugs by checking for division by zero, for the availability of accurate and complete data, for whether previous steps have been invoked, and so on protects your logic from abending due to out-of-range data or out-of-sequence processing. The same good sense helps your security thinking.
Introduction to secure PHP programming.