IntroductiontoPhp - uniroma1.itberaldi/PSD_014/slides/PHP.pdf · web page with embedded script....

Post on 14-Jul-2020

5 views 0 download

transcript

Introduction to Php

Web-based applications: main elements

HTTP PROTOCOL

CLIENT SIDE SERVER SIDE

HTTP request• An HTTP request consists of: a request method (verb), resource URL,

header fields (metadata), body (data)

• HTTP 1.1 defines 9 request methods, among which:

• GET: Retrieves the resource identified by the request URL

• HEAD: Returns the headers identified by the request URL

• POST: Sends data of unlimited length to the Web server• POST: Sends data of unlimited length to the Web server

•• PUT: Stores a resource under the request URL

• DELETE: Removes the resource identified by the request URL

• HTTP 1.0 includes only the GET, HEAD, and POST methods.

HTTP response• An HTTP response contains a result code, header fields, and a body.

• Some commonly used status codes include:

• 100: Continue

• 200: OK

• 401: the request requires HTTP authentication

• 404: the requested resource is not available• 404: the requested resource is not available

• 500: an error occurred inside the HTTP server that prevented it from

• fulfilling the request

• 503: the HTTP server is temporarily overloaded and unable to handle the

request

• For detailed information on this protocol, see the Internet RFCs: HTTP/1.0

(RFC 1945), HTTP/1.1 (RFC 2616). (http://www.rfc-editor.org/rfc.html)

Example

Example

HTTP is ‘stateless’

• Although HTTP uses the TCP protocol, it has no notion of end-

user

• For example, filling in data through multi-page forms requires

the server to keep track of which client is requesting the page.

First Name:

Second Name:

….

Location:

---:

….

First step Second step

Static web pages

HTTP PROTOCOL

•Content is pre-determined

•Web pages are static

HTTP PROTOCOL

Content

Sequence diagram

BROWSER HTTPD

Get URL

FILE

Get html fileFILE

SYSTEM

Send html file

Render html

Dynamic web pages

• Content of a page is not static

• Page content is changes based on:

– User input, form completion,etc.

– Database interaction – Database interaction

– External data sources (db, service provider)

• Server side techniques

• Client side techniques

Technique overview

• Client Side

– Script• Source code passed from the server and executed by the browser

– Compiled code • Applet (no longer used…)

• Server side• Server side

– CGI (Common Gateway Interface) • An http request triggers the execution of an independent program

• Data passed via standard input or environment variables

– Script • code executed inside the server process

• Interleaved with html code (php)

• Confined into a different page (code behind, e.g., ASP.NET)

Principle of server-side CGI programs

BROWSER HTTPD

Get URL

Send html file

CGI-process

Execute program

Build html on-the-flyFILE

SYSTEM

Read/Write

data

Client sends the request along with data (e.g., from a form)

The server lunches a process and transmits data input to the program

The program writes a html page

The web server sends the page back to the client

Send html file

Render html

Build html on-the-fly SYSTEM

Accessing a data source

BROWSER HTTPD

Get URL

Send html file

CGI-process

Execute program

Build html on-the-fly

Query

DB

Send html file

Render html

Build html on-the-fly

System level view

HTTPDCGI

PROCESS

CGI

FILE

SYSTEM

Bottlenecks

round-trip time

HTTPDCGI

PROCESS

CGI

FILE

SYSTEM

One process per request

Bottlenecks

round-trip time

HTTPD + functions..

FILE

SYSTEM

Integrate the functionality as an additional

module of the server process… (script)

BottlenecksMake the browser ‘smart’

(execute code or script)

HTTPD + functions..

FILE

SYSTEM

Integrate the functionality as an additional

module of the server process… (script)

Principle of server side scriptWEB SERVER

SCRIPT

html document

SCRIPT

Script engine

WEB Client

HTTP

• Pages are generated by a program

• A html document at the server side includes the code to be

executed (script)

• The code is delimited via special escape characters

• The web server extracts the script part from the document

• A script engine runs the code

• Web server replaces the script with the output of the

execution

• Client sees pure html (no way to access the code)

Script engine

Principle of client-side scriptWeb Client

Script engine

• html document at the client side contains the code to be

executed

• The code is delimited via special escape characters

• The client extracts the script part from the document

• Executes the code

• It can perform computation, remote communication, change

the rendering of a document

• It can access local events (mouse events,..)

Script engine

Client-side vs server-side

• Client-side

– Minimal processing on the server. Server sends

web page with embedded script. Client browser

executes the scriptexecutes the script

– Client browser may not fully support, or script

execution turned off

– Security issue (user can see the script)

– Cross-browser compatibility

• Library may help (e.g., jQuery)

Client-side vs server-side

• Server-side

– Easier to create large-scale site. Create a small set

of dynamic pages

– Poor coding programmer may open resources to – Poor coding programmer may open resources to

attack through security flaws

Introduction to PHP

• Scripting language

• Server side execution

– Code is scattered inside a html document– Code is scattered inside a html document

– The web server executes the code and produces a

simple html page.

PHP code embedding

<HTML>

<HEAD>Sample PHP Script</HEAD>

<BODY>

The following prints "Hello, World":

<?php<?php

print "Hello, World";

?>

</BODY>

</HTML>

Every time the PHP interpreter reaches a PHP open tag <?php,it runsthe enclosed code up to the delimiting ?>marker.

Can be changed, see short_open_tags INI option;

PHP code embedding

<HTML>

<HEAD>Sample PHP Script</HEAD>

<BODY>

The following prints "Hello, World":

<?php

<HTML>

<HEAD>Sample PHP Script</HEAD>

<BODY>

The following prints "Hello, World":

Hello, World

</BODY><?php

print "Hello, World"

?>

</BODY>

</HTML>

Every time the PHP interpreter reaches a PHP open tag <?php,it runsthe enclosed code up to the delimiting ?>marker.

</BODY>

</HTML>

Variables

• A variable always starts with the dollar sign $

– $a

– $A

– $1 (not allowed)

• Identifiers are case sensitive (not when referring to function)

• Variable and function can have the same name!• Variable and function can have the same name!

Types

• Basic types like in other programming languages– Boolean, Integer, Floating Point, Object,

• Main difference concerns: – string (regular expression,…)

• single quoted (variables are not replaced with their values)

• double quoted (variables are replaced with their values)• double quoted (variables are replaced with their values)

• …

– array (associative arrays)

• Other types: – null

• No type associated yet

– resource• Generic type, e.g. the result of a query

Types

• PHP uses a Weakly Typed System

• variables’ type is not declared

• PHP automatically converts the variable to the correct data

type, depending on how they are set

• $integer=10$integer=10

• $float = 10.0

• $string = “10”

Some example

$a = “fine” // $a is a string $a = 10; // $a is an integer$b = 6.3;$c = $a + $b; /* $c is a float */$d = (int)$c; // type casting ($d integer)

gettype($d); gettype($d); settype($d, double); // $d is now double$e = settype($d, double); // $d is now double

print(gettype($e)); // print boolean

if (is_int($d)) // is_type to type check

Variable variables

<?php

$name = "John";

$$name = "Registered user";

print $John; //display “Registered user”

?>?>

John

$name

Registered user

$$name (=$John)

Managing variables

• isset ()– determines whether a certain variable has already been declared by

PHP.

• unset()– “undeclares” a previously set variable, and frees any memory that was

used by it if no other variable references its value.

• empty ()– empty() may be used to check if a variable has not been declared or its

value is false.

Variable’s scope

• Names inside a function has local scope

• Script level names can be accessed through the special built-

in array $GLOBALS

$m main script

$a is only visible in the function Af’s scope

$m can be seen via $GLOBALS[m]$a

$m

function Af

function Bf

main script

$b $b is only visible in the function Bf’s scope

$a is not visible

$m can be seen via $GLOBALS[m]

Predefined System "Superglobals"

• Provide access to key runtime data elements.

• Set by and managed through web server run-

time environment and available to the script.

• Superglobals are key to form processing, • Superglobals are key to form processing,

cookies, and other techniques.

Some Superglobals

• $_GET[ ]. An array that includes all the GET variables that PHP received from the client browser.

• $_POST[ ]. An array that includes all the POST variables thatPHP received from the client browser.

• $_COOKIE[ ]. An array that includes all the cookies that PHP received from the client browser.

• $_SERVER[ ]. An array with the values of the web-server variables.

Output: echo statement

• Placing a variable outside quotes outputs the variable’s value

(line 2)

• Single quote ' sends literal string output (line 3), no variable

value substitution

• Double quote “ sends variable value (line 4)• Double quote “ sends variable value (line 4)

<?php

$a=6;

echo $a;

echo 'The var name is $a';

echo "The var contains $a";

?>

Note: no declaration (line 1)

1

2

3

4

Output: echo statement

• To achieve newlines in browser, use appropriate

tagging

• Use \ to escape (negate) the effect of the following

character character

<?php

$a=6;

echo $a;

echo 'The var name is $a'. '<br>';

echo "The var contains $a";

?>

<?php

echo "She said, \"How are you?\"";

echo "<a href=\"page.htm\">link</a>";

?>

1.3.php

1.4.php

Constant

• Unchangeable values. In all caps by convention. No $.

<?php

define('MYCONST',100);

define('NAME',"My Name");

• To output, must list constant name outside of ' and ".

• echo "Hello, ".NAME;

• Predefined system constants also exist.

• To see a complete list: print_r(get_defined_constants())

define('NAME',"My Name");

?>

Output: print_r()

• print_r() can be used to "dump" variable

output, typically for debugging of complex

structures.

<?php

print_r($_SERVER);

?>

Example

<?php

$user = (isset($_GET[‘user’]) ? $_GET[‘user’]:”” );

?>

Comments

• Multi-line comments

/* This is a multi-line comment */

• Single line comments

// This single line is commented // This single line is commented

# So is this single line

– PHP comments are distinct from HTML comments

in that PHP comments are not sent to the client

browser.

Operators

• +, -, *, /, %, ++, -- same as other languages

• Combining above with = for assignment can be done:

• +=, -=, *=, /=, %=, .=• +=, -=, *=, /=, %=, .=

• Two Comparison operators

• == (performs type conversion)

• === (no type conversion)

• ‘1’==1 � true

• ‘1’===1 �false

Input data: Form

• A form is an area that can contain form elements

• Form elements are elements that allow the user to enter information

• A form wraps input tags – text fields

– Radio buttons

– Checkboxes– Checkboxes

– Submit

• A form has a url to which sending the input data (see later)

Input tag (HTML4)

<input type="radio" name="sex" value="male"> Male <br><input type="radio" name="sex" value="female"> Female <br><br>

First name: <input type="text" name="firstname"> <br> Last name: <input type="text" name="lastname"> <br><br>

Examples

<input type="submit" name="Submit" value="go"> <br>

I have a bike: <input type="checkbox" name="vehicle" value="Bike"> <br> I have a car: <input type="checkbox" name="vehicle" value="Car"> <br>

Some nice feature from HTML5

type=“url”

type=“number”

type=“range”

type=“email”

Rendering on mobile phones

http://diveintohtml5.info

LAB

• LAB1: Write a program that echo back the number entered

• LAB2: Write a program that writes back the sign of • LAB2: Write a program that writes back the sign of the number (how to check that the input was a number?)

• LAB3: Write a program that displays the previous form and, after submission, it lists all the input data

LAB (php + ajax)

• Read data from a text input in an input form

• Ajax call to a PHP function for echoing the

character back

• What we need• What we need

– Keyboard event listener (JS function)

– AJAX request that passes the text to the script

– PHP script that echo the text back to the client

<form name="testForm">Input text: < input type="text" onkeyup="doWork();" name="inputText" id="inputText" /> Output text: <input type="text" name="outputText" id="outputText" /></form>

JS function called when key is released

In this form there is no submit button

..var request = false;..function doWork(){

var URL = "http://localhost/test.php?char=";request = new XMLHttpRequest();request.open("GET", URL+document.getElementById('inputText').value, true);

function do_it() {document.testForm.outputText.value=request.responseText;};

request.open("GET", URL+document.getElementById('inputText').value, true);request.send(null);request.onreadystatechange = do_it;}

open method used for preparing the request

send sends the requestdo_it is the event listener for the reply

<?php

echo $_GET['char'];

?>php script

Example

• TrackMe, a simple application that tracks

positions of a mobile device:

– track.html: js that sends gps position

– trackMe.php: write the coordinate to a file– trackMe.php: write the coordinate to a file

– Monitor.php: periodically reads the file and shows

the positions.

Example

track.html

Browser

.js

1

trackMe.php

2: HTTP GET

monitor.php

track.html (1/2)

<html>

<head>

<title> Track Me!</title>

</head>

<body>

<input type="text" id = "text" value="" size=100/>

<script type="text/javascript">

function done() {

document.getElementById('text').value="Tracked..";

}

track.html (2/2)

navigator.geolocation.getCurrentPosition(showPosition);

function showPosition(position) {

var lat=position.coords.latitude;

var lon=position.coords.longitude;

var URL = "http://psd.altervista.org/GEO/trackMe.php?lat="+lat+"&lon="+lon;var URL = "http://psd.altervista.org/GEO/trackMe.php?lat="+lat+"&lon="+lon;

request = new XMLHttpRequest();

request.open("GET", URL, true);

request.send(null);

request.onreadystatechange = done;

document.getElementById('text').value="Long: "+lon+" Lat: "+lat;

}

</script>

</body>

</html>

TrackMe

<?php

$lat='?';

$lon='?';

if (isset($_GET['lat'])) $lat=$_GET['lat'];

if (isset($_GET['lon'])) $lon=$_GET['lon'];

$entry=date(c).' '.$lat.' '.$lon."\n";

file_put_contents ('position.txt', $entry, FILE_APPEND);

trackMe.php

file_put_contents ('position.txt', $entry, FILE_APPEND);

?>

<head>

<meta http-equiv="refresh" content="5" >

</head>

<?php

$str=file_get_contents('position.txt');

echo nl2br($str);

?>

Monitor.php

Form submission

<form name="input" action="process.php" method="get">

browser server

get form.html

http://localhost/process.php?firstname=A&lastname=B&sex=male&vehicle=Bike&Submit=go

reply

get process.php

reply

Processing data form

html FORM

Collects

information

PHP Script

Send data

PHP Script

(form

processing) DB access

Send

.html backhtml output

of results

Creating a form

• Key elements:

– Input fields must be contained inside a form tag.

– All input fields must have a name.

– Names cannot have spaces in them. Fields should be – Names cannot have spaces in them. Fields should be

named well for clear identification.

• Form action should be URL to PHP processing

script.

• Appropriate form transmission method selected:

– GET or POST.

GET vs POST

• Name/value pairs appended in clear text to the URL of the receiving page/script.

• Each name/value pair separated by '&'. Value data automatically URL encoded.

• Names are taken from the form field names.• Names are taken from the form field names.

• GET URLs can be saved, bookmarked, etc. and used to recall the script with the same data.

• GET strings provide 'transparency' that may/may not be desired.

• Data available into the $_GET superglobal

GET vs POST

• Data is encoded in the page request body sent by the

browser, but not shown in the URL. Unseen to user.

• Since data not part of URL, bookmarking and reusing

URL to recall the script with the same data is not URL to recall the script with the same data is not

possible.

• Large POST packets not a problem.

• Data available into the $_POST superglobal

An example

<html><head><title>Register</title></head><body><h1>Registration</h1><form method="get" action="register.php">

<table><tr> <td>E-mail address:</td> <td> <input type='text' name='email'/></td> </tr><tr> <td>E-mail address:</td> <td> <input type='text' name='email'/></td> </tr><tr> <td>First name:</td> <td><input type='text' name='first_name'/></td> </tr><tr> <td>Last name:</td> <td><input type='text' name='last_name'/></td></tr><tr> <td>Password:</td> <td> <input type='password' name='password'/> </td></tr><tr> <td colspan='2'> <input type='submit' name='register' value='Register'/> </td> </tr>

</table></form>

</body></html>

An example

<html><head><title>Register</title></head><body><h1>Registration</h1><form method="get" action="register.php">

<table><tr> <td>E-mail address:</td> <td> <input type='text' name='email'/></td> </tr>

Processingscript

method

<tr> <td>E-mail address:</td> <td> <input type='text' name='email'/></td> </tr><tr> <td>First name:</td> <td><input type='text' name='first_name'/></td> </tr><tr> <td>Last name:</td> <td><input type='text' name='last_name'/></td></tr><tr> <td>Password:</td> <td> <input type='password' name='password'/> </td></tr><tr> <td colspan='2'> <input type='submit' name='register' value='Register'/> </td> </tr>

</table></form>

</body></html>

Input tags

http://localhost/register.php?email=PSD&first_name=Piattaforme&last_name=SW&password=Pippo&register=Register

key value

Input validation

• Never assume a form:

– is filled out completely

– Contains the type of information requested

– Has been submitted by a benign user– Has been submitted by a benign user

– Only contains the fields and values or value ranges expected

• Check all form data to verify that it is complete and valid …

• … and secure!

Input validation

• Required Fields are filled

• Type is correct

• Length is ‘reasonable’

• Structure adhere to a scheme• Structure adhere to a scheme

– Regular expression

– Check consistency

• No malicious data

– SQL injection

– Cross-site scripting

Helpful form validation functions

• Functions exist for testing data types:

• is_numeric($x), etc.,.

• isset($var)

– does $var exist?– does $var exist?

• empty($var)

– returns false unless $var contains an empty string,

0, "0", NULL, or FALSE.

Example

• How to check if first name is

correct?

$fn= $_GET[‘first_name’];

if (empty($fn) || isnumeric($fn) || strlen ($fn)<3 || strlen ($fn)>10)

die(“Not valid data…”);

Other tricky checks

• Radio buttons and check box may not be set

$ if !(isset($_GET[‘gender'])) && ($_GET[‘gender’]==‘Male’ || $_GET[‘gender’]==‘Famale’)):

die(“…”)

Other tricky checks

• Suppose you are designing a guest book, or a survey where people tell their impression

'<script language='Javascript'>alert('ALLARM!');</script>'

User authentication: naïve approach

<h1>Login</h1>

<form method=“get" action="login.php">

<table>

<tr>

<td>User name:</td> <td> <input type='text' name=‘user'/></td> </tr>

<tr>

<td>Password:</td> <td> <input type='password' name=‘pwd'/></td>

</tr>

..

<?php

$query=“SELECT login_id FROM users WHERE users=‘$user’ AND pwd=‘$pwd’ ”;

$ans = mysql_query($query)

..

?>

..

</table>

</form>

http://example.com/login?user=pippo&pwd=pippo

SQL injection

• Exploiting an application that takes data from user input and

uses it to form an SQL query without proper "sanitation".

• Let consider this…

# starts a comment

http://example.com/login?user=admin’;#

$query=“SELECT login_id FROM users WHERE users=‘$user’ AND pwd=‘$pwd’ ”;

$query=“SELECT login_id FROM users WHERE users=‘admin’; # AND pwd=‘’ ”;

# starts a comment

Conditional control structures

if (expr)statement

elseif (expr)statement

elseif (expr)statement

...else

if (expr):

statement list

elseif (expr) :

statement list

...

else :

{ statement1;

statement 2;

}

elsestatement

else :

statement list

endif;

<?php if ($num < 0): ?>

<h1>$num is negative</h1>

<?php elseif($num == 0): ?>

<h1>$num is zero</h1>

<?php else: ?>

<h1>$num is positive</h1>

<?php endif; ?>

if ($num<0)

print '<h1>$num is negative</h1>';

elseif ($num==0)

print '<h1>$num is zero</h1>';

else

print '<h1>$num is positive</h1>';

Traditional loop control structures

while (expr)

statement

while (expr) :

statement list

endwhile;

do

statement

while (expr);

for (expr, expr, …; expr, expr, …; expr, expr, …)

statementstatement

for ($i = 0; $i <= count($array); $i++) {

}

$count = count($array);

for ($i = 0; $i <= $count; $i++) {

}

Html table

<table border="1">td = table datatr = table row

<td>row 1, cell 1</td>

<td>row 1, cell 2</td>

<tr>

</table>

</tr>

<tr>

</tr>

<td>row 2, cell 1</td>

<td>row 2, cell 2</td>

Exercise

• Write a simple php program that displays the

Pitagora’s table. The size of the table is a

parameter passed through a form..

Array

• The key is optional, and when it’s not specified, the key is automatically assigned one more than the largest previous

integer key (starting with 0).

array([key =>] value, [key =>] value, ...)

• There are three different kind of arrays:– Numeric array - An array with a numeric ID key

– Associative array - An array where each ID key is associated with a value

– Multidimensional array - An array containing one or more arrays

Examples

1. array(1, 2, 3)

2. array(0 => 1, 1 => 2, 2 => 3)

3. array ("name" => "John", "age" => 28)

4. array(1 => "ONE", "TWO", "THREE")

5. array(1 => "ONE", 2 =>"TWO", 3 => "THREE")

6. array (array ("name" => "John", "age" => 28), array ("name" =>

"Barbara", "age" => 67))"Barbara", "age" => 67))

1 and 2 are same, 4 and 5 are same, 6 is a nested array

Examples

$arr1 = array(1, 2, 3);

$arr2[0] = 1;

$arr2[1] = 2;

$arr2[2] = 3;

Array([0] => 1[1] => 2[2] => 3)

print_r($arr1)

)

$arr1 = array("name" => "John", "age" =>28);

$arr2["name"] = "John";

$arr2["age"] = 28;

if ($arr1 == $arr2) {

print '$arr1 and $arr2 are the same';

}

$arr1 and $arr2 are the same

Traversing

• $key contains the currently iterated value’s key

• & if present allows to modify the array

• $value contains the value

foreach($array as [$key =>] [&] $value)

$players = array ("John", "Barbara", "Bill", "Nancy");

print "The players are:<br>";

foreach ($players as $key => $value) {

print "#$key = $value<br>";

}

The players are:

#0 = John

#1 = Barbara

#2 = Bill

#3 = Nancy

More on iterations

• The data in the array is not contiguous, so incrementing a counter for the next access will not work correctly unless the array index values are used in the "traditional" way

• We can also use other iterators such as nextnext and eacheachto access the array elementsto access the array elements

– next gives us the next valuenext value with each call• It movesmoves to the next item, then returnsthen returns it, so we must get the first

item with a separate call (ex: use current())

$curr = current($a1);while ($curr):

echo "\$curr is $curr <BR />\n";$curr = next($a1);

endwhile;

More on iterations: each

• each returns an array of two items:

– A keykey field for the current key

– A valuevalue field for the current value

– It returns the next (key,value) pair, then moves, so the first item is no longer a special case

while ($curr = each($a1)):$k = $curr["key"];$v = $curr["value"]; $v = $curr["value"]; echo "key is $k and value is $v <BR />\n";

endwhile;

– This function may be preferable to next() if it is possible that FALSE or an empty string or 0

could be in the array

• The loop on the previous slide will stop for any of those values

Exercise

• Format the output of the players as a html table

Exercise<?php

$players = array ("John", "Barbara", "Bill", "Nancy");

print 'The players are<br><table border="1">';

foreach ($players as $key => $value)

{

print '<tr><td>'."$key".'</td><td>'."$value".'</td></tr>';print '<tr><td>'."$key".'</td><td>'."$value".'</td></tr>';

}

print '</table>'

?>

concat double quoted to replace $key with its value

Array related functions

Example

LAB (tris)

Tris as a Service

Goal

• Design a simple application for the tic-tac-toe

game that allows to play

– One user against the computer

– Two players– Two players

• Use a ‘Web API’ based approach for gluing the

game (decide and control who can move, etc.)

1 Player: Simplest solution

• Player maintains a table representing the state

of the game

• It performs an AJAX call for sending the state

of the table (JSON). The call returns back the of the table (JSON). The call returns back the

next move

Architecture

AJAX call

Filetto.php

AJAX call

TRIS.phpFiletto.php

SERVER

CLIENT0

8

Cells labeled fron 0 to 8

2 players

• More complex: login(?), synchronization, store the state

TRIS SERVICE1. Initialize

Player 1Player 2

1. Wait for my turn

2. Update the local state

3. Make the move

2 players

• Possible solution: A service with 4 operations for initialization,

get the next turn, return the last move, update the last move

TRIS SERVICE1. Initialize

Player 1Player 2

1. Wait for my turn

2. Update the local state

3. Make the move getTurnreadwrite

turn.txt

move.txt

2 players: client sidemoveEnabled= false; //disable onClick event handler

T = [] // initialize the table

getTurn; //periodically poll the service

if not your turn then getTurn else moveEnabled=true

read; //service callread; //service call

update_local_state; //local computation

check_win(); //local computation

make_the_move; //respond to the onClick event

check_win();

moveEnabled=false

write; //service call

2 players: service side

init:

turn=0; //write into a file

move=-1;

read:

return move;

write (mv,player):

if (player==turn):

move=mv;

turn=(turn+1)%2

*:

return ‘error’;

Functions

• Any valid PHP code may appear inside a user-

defined function, even other function…

• Functions need not be defined before they are

referencedreferenced

• Call-by-reference, call-by-value, default value,

variable-length argument, lambda-style

function

Parameter passing

function function_name (arg1, arg2, arg3, …)

{

statement list

}

function square($n)

{

$n = $n*$n;

}

function square(&$n)

{

$n = $n*$n;

}

parameter by-value

… by-reference

Default value

function makeAcoffee ($type=“espresso”)

{

return “Making a cup of $type”;

}

echo makeAcoffee();

echo MakeAcoffee(“French”)

• The default value must be a constant

• Default arguments should be on the right side of any non-default

argument

echo MakeAcoffee(“French”)

Variable-length argument list

function foo(){

$numargs = func_num_args();echo "Number of arguments: $numargs\n";

}

foo(1, 2, 3);foo(1, 2, 3);

Variable function

• If a variable name has parentheses appended to it, PHP looks for a function with that name and executes it

function foo() {echo “in foo()<br>”;}function foo() {echo “in foo()<br>”;}

$func = ‘foo’;

$func(); #call foo()

Static variables

function do_something()

{

static $first_time = true;

if ($first_time) {

// Execute this code only the first time the function is called

......

$first_time=false;

}

// Execute the function's main logic every time the function is called

...

}

Array_map

• Applies a callback function to the elements of the given arrays

<?php

function Double($a){return 2*$a;};function Double($a){return 2*$a;};

$in = range(1,5);

$out = array_map("Double",$in);

print_r($out);

?>

• Other interesting functions (see manual):

• array_walk

• array_reduce

• …

Code inclusion control structures

include file_name;

include_once file_name;

require file_name; require: stop if not available

include only once

include URL; if allow_url_fopen is set

require file_name;

require_once file_name;

require: stop if not available

include $_SERVER["DOCUMENT_ROOT"] . "/myscript.php";

include "http://www.example.org/example.php";

Persistency

• Cookie, Session

– Per browser data storage, no cross-browser data

exchange

• File, DB

much more with HTML5!

• File, DB

– Site level persistence storage

Cookie

• A cookie is sent in the http header and it is stored at the client side (browser) until its lifetime

• A browser can disable cookie storage

• A cookie is a name=value pair (text up to 4096 bytes)

• A cookie is bounded to the domain that generated it

• Permanent cookie (with lifetime) or session cookie• Permanent cookie (with lifetime) or session cookie

Cookie

• A cookie is sent in the http header and it is stored at the client side (browser) until its lifetime

• A browser can disable cookie storage

• A cookie is a name=value pair (text up to 4096 bytes)

• A cookie is bounded to the domain that generated it

• Permanent cookie (with lifetime) or session cookie• Permanent cookie (with lifetime) or session cookie

Set-Cookie: TRY=THIS IS A COOKIE; expires=Thu,19-May-2012 00:00:00 GMT;path = /; domain=.dis.uniroma1.it

Cookie: TRY=THIS IS A COOKIE

http header sent from the server to the client Header sent from the client to the server

Inspecting http header

• Browsers can install plug-in to inspect http

headers

• For example, liveHTTPHeader for firefox

Cookie in PHP

<?phpob_start(); ?>

Output must be buffered

?><html><head><title>Cookie example</title></head><body><?phpsetcookie(MyCookie,'ciao')?></body></html>

set a cookie (see documentation)

Cookie in PHP

• Cookie can be accesed via superglobal

variable, $_COOKIE

<?php

print_r($_COOKIE);

?>

Example

• Implement a simple counter using Cookie

Solution

<?php

ob_start();

?>

<HTML>

<HEAD> <TITLE>COUNTER</TITLE> </HEAD>

<BODY>

<form method=“post" action="counter.php">

<table>

<tr><td colspan='2'> <input type='submit' value='Inc' name='inc'/> </td></tr>

<tr><td colspan='2'> <input type='submit' value='Dec'name='dec'/></td></tr>

</table>

</form>

Solution

<?php

if (!isset($_COOKIE[C])):

print "Counter=0";

setcookie(C,0);

else:

$Counter = $_COOKIE[C];

if (isset($_POST[inc])): $Counter++; endif;if (isset($_POST[inc])): $Counter++; endif;

if (isset($_POST[dec])): $Counter--; endif;

print "Counter=$Counter";

setcookie(C,$Counter);

endif;

?>

</BODY>

</HTML>

Tic Tac Toe

Player

arrives

Player

entersDisplay

Form

P=P1, enters for the first time

P=P1, returns, P2 not entereddisplay “Wait”

Set Cookie P1

display “Wait”

Index SYNC

arrives

P=P2

P=P1, returns, P2 entered

P = Player

P1 = First Player that arrives

P2 = Second Player

redirect

Set Cookie P2

redirect

Display

Form

Tic Tac Toe

PLAY

moveDisplay new view

PLAY

Update the view

Check winner

Session

• A PHP session allows for storing information locally

at the server on a per session basis

– Session data path is specified in the session.save_path of

php.ini

– Data session can be stored in a database – Data session can be stored in a database

• PHP generates a session ID and sends it out as a

cookie with name PHPSESSIONID

• The client sends the session ID each time it interacts

again with the same site

Example

<?php

session_start();

?>

create the id and an empty _SESSION

array, stored at the server side

cookie

cookie’s content

Access to a private area

• Session can be used to protect a page

• When trying to access a page, check if

authorization is set…

• If not, redirect to a login page and then back • If not, redirect to a login page and then back

to the page…

• ..otherwise just continue..

Example<?php

ob_start();

session_start();

?>

<?php

if (!(isset($_SESSION['auth'])&&($_SESSION['auth']=='ok’)))

{

$url = $_SERVER['PHP_SELF'];

header("location: login.php?url=$url");

}

auth not set

get this url..

redirect to login

}

?>

<?php

//check login…

$_SESSION['auth']='ok';

$url=$_GET['url'];

header(“location: $url");

?>

Included in example.php

login.php

set auth

get original url

redirect back

http://localhost/example.php

http://localhost/login?url=example.php

http://localhost/example.php

Example: shopping cart

• Simple example

• User can login…

• User can select/deselect items…

• …then check out…• …then check out…

login.php index.php

cookie ‘uid’ not set

success / set cookie ‘uid’

LAB-1login failure

register.php logout.php

click on logoutunset cookie ‘uid’

passwd DBwant to register

done

SQLite / SQLite3

• Light and fast, shipped with php5

• No dedicated servers are required

• Procedural and object oriented APIs

• Cons: Lock mechanism is not very efficient

Open/create a dbresource sqlite_open ( string $filename [, int $mode [, string &$error_message ]] )

Opens a SQLite database or creates the database if it does not exist.

<?phpif ($db = sqlite_open("SIMPLE.DB",0666,&$error))

<?php$db = new SQLiteDatabase("SIMPLE.DB", &$error);if ($db = sqlite_open("SIMPLE.DB",0666,&$error))

print("DB OPENED...."."\n");else

die($error);?>

SIMPLE.DB

$db = new SQLiteDatabase("SIMPLE.DB", &$error);if ($db)

echo “DB OPENED....";else

die($error);?>

Create a table

$create_query = "CREATE TABLE PRODUCTS (id integer primary key,description,quantity integer

Sql statment

Two types: integer and text

Executes a result-less query against a given database

bool queryExec ( string $query [, string &$error_msg ] )

id description quantity

quantity integer)";$db->queryExec($create_query);

db

PRODUCTS

Two types: integer and text(similar to varchar)

Insert a row

$query = "INSERT INTO PRODUCTS (id,description,quantity) VALUES (1,'DVD',1)";$db->queryExec($query);

id Description quantity

1 DVD 1

db

PRODUCTS

Update/delete

$db->queryexec('DELETE FROM PRODUCTS WHERE id=2');

$db->queryexec('UPDATE PRODUCTS SET id=19 WHERE id=4');

Fetch results

query fetch, fetch all,

SQLiteResult

seek rewind, current…

unbufferedquery

SQLiteUnbuffered

forward only, much faster

Fetch results$q = "SELECT * FROM PRODUCTS;";

$qr = $db->query($q); //Executes a query against a given database and returns a result handle

$r = $qr->fetchAll();//Fetches all rows from a result set as an array of arrays

foreach ($r as $entry) {

echo $entry['id'].' '.$entry['description'].' '.$entry['quantity'].'<br>';

}

1 DVD 1

LAB /Project (shopping cart 2)

• PRODUCT table

– View content

– Insert items

– Delete items – Delete items

• Password DB

– User registration

– User authentication

Login Form

• http://www.html-form-guide.com/php-

form/php-registration-form.html

OO Model

• An OO program is a collection of objects

• Every object is an instance of a class

• An object has properties

• An object has a set of methods • An object has a set of methods

Constructor

• Unified constructor name

• __construct()

class MyClass {

function __construct() {function __construct() {

echo "Inside constructor";

}

}

Destructor

• __destruct()• Called when an object is

destroyed (no more reference)

class MyClass {

function __destruct()

{

print "An object of type MyClass is being

destroyed\n";

}

}}

$obj = new MyClass();

$obj = NULL;

An object of type MyClass is being destroyed

Copying objects

class MyClass {

public $var = 1;

}

obj1object

$obj1 = new MyClass();

$obj2 = $obj1;

obj2

$obj2 = $obj1;

$obj2->var = 2;

print $obj1->var; //print 2

$obj1 = new MyClass();

$obj2 = clone $obj1;

$obj2->var = 2;

print $obj1->var; //print 1

obj1 object

obj2 object

Access protection of member variables

class MyDbConnectionClass {

public $queryResult;

protected $dbHostname = "localhost";

private $connectionHandle;

// ...

}}

class MyFooDotComDbConnectionClass extends MyDbConnectionClass {

protected $dbHostname = "foo.com";

}

Exampleclass Person {

private $name;

function setName($name)

{

$this->name = $name;

}

function getName()

{

return $this->name;

}

};

$judy = new Person();

$judy->setName("Judy");

$joe = new Person();

$joe->setName("Joe");

print $judy->getName() . "\n"; //print Judy

print $joe->getName(). "\n"; //print Joe

Static properties class MyUniqueIdClass {

static $idCounter = 0;

public $uniqueId;

function __construct()

{

self::$idCounter++;

$this->uniqueId = self::$idCounter;

self: refer to the current class

$this->uniqueId = self::$idCounter;

}

}

$obj1 = new MyUniqueIdClass();

print $obj1->uniqueId ; //print 1

$obj2 = new MyUniqueIdClass();

print $obj2->uniqueId ; //print 2

POLYMORPHISM

• Single class inheritance

– like Java

• Multiple interface implementations

– Final keyword – Final keyword

class Child extends Parent {

...

}

class A implements B, C, ... {

...

}

interface I1 extends I2, I3, ... {

...

}

<?php

class Auth {

function Auth()

{

mysql_connect('localhost', 'user', 'password');

mysql_select_db('my_own_bookshop');

}

public function addUser($email, $password)

{

$q = '

INSERT INTO users(email, passwd)

VALUES (“ '. $email. ‘ ", “ '. sha1($password).‘ ")

';

mysql_query($q);

}

public function authUser($email, $password)

{

$q = '

SELECT * FROM users

WHERE email=“ '. $email. ' "

AND passwd =“ '. sha1($password). ' "

';

$r = mysql_query($q);$r = mysql_query($q);

if (mysql_num_rows($r) == 1) {

return TRUE;

} else {

return FALSE;

} } }

?>

Reflection

• Allows to have class information at run-time

• Just an example

<?php

class C {

function F()

{

print "Hello, World\n";

}

}

ReflectionClass::export("C");

?>

- Constants [0] { }

- Static properties [0] { }

- Static methods [0] { }

- Properties [0] { }

- Methods [1] {

Method [ public method F ]

PHP Communicationstring file_get_contents ( string $filename [ …])

Reads entire file into a string

<?php/* Identical to above, explicitly naming FILE scheme */$localfile = file_get_contents("file:///home/bar/foo.txt");

/* Read remote file from www.example.com using HTTP */$httpfile = file_get_contents("http://www.example.com/foo.txt");

/* Read remote file from www.example.com using HTTPS */$httpsfile = file_get_contents("https://www.example.com/foo.txt");

/* Read remote file from ftp.example.com using FTP */$ftpfile = file_get_contents("ftp://user:pass@ftp.example.com/foo.txt");

/* Read remote file from ftp.example.com using FTPS */$ftpsfile = file_get_contents("ftps://user:pass@ftp.example.com/foo.txt");?>

Example

• Flickr is a web site that allows to share

personal photos

• Free account for 90 days

• API with different formats• API with different formats

– Request: REST,XML-RPC,SOAP

– Reply: REST,XML-RPC,SOAP,JSON,PHP

Flickr’s application end-points

• http://api.flickr.com/services/rest/

• http://api.flickr.com/services/soap/

• http://api.flickr.com/services/xmlrpc/

• http://api.flickr.com/services/upload/ • http://api.flickr.com/services/upload/

• http://api.flickr.com/services/replace/

http://api.flickr.com/services/rest/?method=...&name=value...

end-point-type

REST format is the simplest way; it uses the HTTP POST method

CLIENT SERVER

Reply, different format: REST,XML-RPC,SOAP,JSON,PHP

PHP_Serial

Example of API call

flickr.photos.getInfo

api_key (Mandatory)

Your API application key.

In Parameters:

Your API application key.

photo_id (Mandatory)

The id of the photo to get information for.

secret (optional)

The secret for the photo.

If the correct secret is passed then permissions checking is skipped, unless photo is shared.

Out Parameters:

info with different format…

Example of reply

An example: invoking a REST end-point from PHP code

$param = array('api_key' => 'e568d81ac2ac47e943673641e037be8 c','method' => 'flickr.photos.getInfo','photo_id' => '11111','format' => 'php_serial',);

$encoded_params = array();

Parameters

urlencode

•Reply in php serial format

foreach ($param as $k => $v)

$encoded_params [ ] = urlencode($k).'='.urlencode($v);

$url = "http://api.flickr.com/services/rest/?".implode('&',$encoded_params);

http://api.flickr.com/services/rest/?api_key=e568d81ac2ac47e943673641e037be8&method=flickr.photos.getInfo&photo_id=11111&format=php_serial

$url

•non-alphanumeric as %

sign two hex digits

•spaces as plus (+) signs.

•Join array elements with

a string,

•& used as glue string

implode

urlencode

Serializationstring serialize ( mixed $value )

Generates a storable

representation of a value

mixed unserialize ( string $str )

Creates a PHP value from

a stored representation

$ans = file_get_contents($url);

$ans_obj = unserialize($ans);

if ($ans_obj['stat']=='ok') {

echo $ans_obj['photo']['id'].'<br>';

echo $ans_obj['photo']['title'] ['_content'];

Invoke method

Transform

format into an

associative array

echo $ans_obj['photo']['description']['_content'];

echo $ans_obj['photo']['dates']['taken'];

}