Accessing MySQL Using PDO: Charles Severance

The document discusses how to access a MySQL database from PHP using PDO, including establishing a database connection, executing queries to select, insert, and delete data, and includes examples of PHP code to retrieve and display user data from a database. It also recommends putting database connection details in a separate file to avoid accidentally exposing credentials.

Accessing MySQL Using PDO

Charles Severance
www.wa4e.com

http://www.wa4e.com/code/pdo.zip
Diagram (slide): the Browser (DOM, JavaScript) sends a request over RRC/HTTP to the Web Server (Apache running PHP, here first.php, with PDO), which sends SQL to the Database Server (MySQL) and parses the response before sending it back. A second diagram shows the End User working through the Application Software (PHP), which speaks SQL to the Database; the Developer and DBA work on the Data Model through Database Tools (phpMyAdmin), also via SQL.
Multiple Ways to Access MySQL
• PHP is evolving - there are three ways to access MySQL
- Legacy non-OO mysql_ routines (deprecated)
- New mysqli (OO version that is similar to mysql_)
- PDO - Portable Data Objects
• A perfect topic for debate

http://php.net/manual/en/mysqlinfo.api.choosing.php
Creating a Database and User

CREATE DATABASE misc;
GRANT ALL ON misc.* TO 'fred'@'localhost' IDENTIFIED BY 'zap';
GRANT ALL ON misc.* TO 'fred'@'127.0.0.1' IDENTIFIED BY 'zap';
USE misc; (if you are at the command line)

Starting the MySQL command-line client:
MAMP: /Applications/MAMP/Library/bin/mysql -u root -P 8889 -p
XAMPP (Windows): c:\xampp\mysql\bin\mysql.exe
XAMPP (Mac): /Applications/xampp/xamppfiles/bin/mysql -u root -p
Creating a Table

CREATE TABLE users (
    user_id INTEGER NOT NULL AUTO_INCREMENT,
    name VARCHAR(128),
    email VARCHAR(128),
    password VARCHAR(128),
    PRIMARY KEY(user_id),
    INDEX(email)
) ENGINE=InnoDB CHARSET=utf8;
mysql> describe users;
+----------+------------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+------------------+------+-----+---------+----------------+
| user_id | int(11) | NO | PRI | NULL | auto_increment |
| name | varchar(128) | YES | | NULL | |
| email | varchar(128) | YES | MUL | NULL | |
| password | varchar(128) | YES | | NULL | |
+----------+------------------+------+-----+---------+----------------+
Inserting a Few Records
INSERT INTO users (name,email,password) VALUES ('Chuck','[email protected]','123');
INSERT INTO users (name,email,password) VALUES ('Glenn','[email protected]','456');

mysql> select * from users;


+---------+-------+----------------+----------+
| user_id | name | email | password |
+---------+-------+----------------+----------+
| 1 | Chuck | [email protected] | 123 |
| 2 | Glenn | [email protected] | 456 |
+---------+-------+----------------+----------+
Database Connection

Diagram (slide): the PHP software connects to the MySQL server on a hostname and port (8889 for MAMP, 3306 for xampp/linux) using an id / password; the server holds databases such as misc and sakai, and misc contains the users table. The connection code lives in pdo.php from http://www.wa4e.com/code/pdo.zip.

$pdo = new PDO('mysql:host=localhost;port=8889;dbname=misc',
               'fred', 'zap');
first.php

<?php
echo "<pre>\n";
$pdo = new PDO('mysql:host=localhost;port=8889;dbname=misc',
               'fred', 'zap');
$stmt = $pdo->query("SELECT * FROM users");
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
print_r($rows);
echo "</pre>\n";
?>

Output of print_r($rows):

Array(
    [user_id] => 1
    [name] => Chuck
    [email] => [email protected]
    [password] => 123
)
Array(
    [user_id] => 2
    [name] => Glenn
    [email] => [email protected]
    [password] => 456
)

The same data seen from the command line:

mysql> select * from users;
+---------+-------+----------------+----------+
| user_id | name  | email          | password |
+---------+-------+----------------+----------+
| 1       | Chuck | [email protected] | 123      |
| 2       | Glenn | [email protected] | 456      |
+---------+-------+----------------+----------+
second.php

<?php
$pdo = new PDO('mysql:host=localhost;port=8889;dbname=misc',
               'fred', 'zap');
$stmt = $pdo->query("SELECT name, email, password FROM users");
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo '<table border="1">'."\n";
foreach ( $rows as $row ) {
    echo "<tr><td>";
    echo($row['name']);
    echo("</td><td>");
    echo($row['email']);
    echo("</td><td>");
    echo($row['password']);
    echo("</td></tr>\n");
}
echo "</table>\n";
?>

Generated HTML:

<table border="1">
<tr><td>Chuck</td><td>[email protected]</td><td>123</td></tr>
<tr><td>Glenn</td><td>[email protected]</td><td>456</td></tr>
</table>
Pattern
Put database connection information in a single file and include it
in all your other files.
• Helps make sure not to mistakenly reveal id / pw
• Don't check it into a public source repository :)

pdo.php (port 3306 for xampp/linux)

<?php
$pdo = new PDO('mysql:host=localhost;port=8889;dbname=misc',
               'fred', 'zap');
// See the "errors" folder for details...
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

third.php

<?php
require_once "pdo.php";
echo "<pre>\n";
$stmt = $pdo->query("SELECT * FROM users");
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
print_r($rows);
echo "</pre>\n";
?>

Output of print_r($rows):

Array(
    [user_id] => 1
    [name] => Chuck
    [email] => [email protected]
    [password] => 123
)
Array(
    [user_id] => 2
    [name] => Glenn
    [email] => [email protected]
    [password] => 456
)
Let's Put Some Data in a Database!

user1.php

<?php
require_once "pdo.php";
if ( isset($_POST['name']) && isset($_POST['email'])
     && isset($_POST['password'])) {
    $sql = "INSERT INTO users (name, email, password)
        VALUES (:name, :email, :password)";
    echo("<pre>\n".$sql."\n</pre>\n");
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(
        ':name' => $_POST['name'],
        ':email' => $_POST['email'],
        ':password' => $_POST['password']));
}
?><html><head></head><body>
<p>Add A New User</p>
<form method="post">
<p>Name:<input type="text" name="name" size="40"></p>
<p>Email:<input type="text" name="email"></p>
<p>Password:<input type="password" name="password"></p>
<p><input type="submit" value="Add New"/></p>
</form>
</body>
After adding two users through the form:

mysql> select * from users;
+---------+-------+----------------+----------+
| user_id | name | email | password |
+---------+-------+----------------+----------+
| 1 | Chuck | [email protected] | 123 |
| 2 | Glenn | [email protected] | 456 |
| 3 | Sally | [email protected] | 123 |
| 4 | Fred | [email protected] | YO |
+---------+-------+----------------+----------+
user2.php (insert, then list the table; the opening lines are the same as user1.php)

<?php
require_once "pdo.php";
if ( isset($_POST['name']) && isset($_POST['email'])
     && isset($_POST['password'])) {
    $sql = "INSERT INTO users (name, email, password)
        VALUES (:name, :email, :password)";
    echo("<pre>\n".$sql."\n</pre>\n");
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(
        ':name' => $_POST['name'],
        ':email' => $_POST['email'],
        ':password' => $_POST['password']));
}
$stmt = $pdo->query("SELECT name, email, password FROM users");
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
?>
<html>
<head></head><body><table border="1">
<?php
foreach ( $rows as $row ) {
    echo "<tr><td>";
    echo($row['name']);
    echo("</td><td>");
    echo($row['email']);
    echo("</td><td>");
    echo($row['password']);
    echo("</td></tr>\n");
}
?>
</table>
<p>Add A New User</p>
<form method="post">
<p>Name:<input type="text" name="name" size="40"></p>
<p>Email:<input type="text" name="email"></p>
<p>Password:<input type="password" name="password"></p>
<p><input type="submit" value="Add New"/></p>
</form>
</body>
user2del.php

<?php
require_once "pdo.php";

if ( isset($_POST['user_id']) ) {
    $sql="DELETE FROM users WHERE user_id = :zip";
    echo "<pre>\n$sql\n</pre>\n";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(':zip'=>$_POST['user_id']));
}
?>
<p>Delete A User</p>
<form method="post"><p>ID to Delete:
<input type="text" name="user_id"></p>
<p><input type="submit" value="Delete"/></p>
</form>
After deleting user_id 4:

mysql> select * from users;
+---------+-------+----------------+----------+
| user_id | name | email | password |
+---------+-------+----------------+----------+
| 1 | Chuck | [email protected] | 123 |
| 2 | Glenn | [email protected] | 456 |
| 3 | Sally | [email protected] | 123 |
+---------+-------+----------------+----------+
user3.php (excerpt: handle the delete, then list the table with a Del button per row)

if ( isset($_POST['delete']) && isset($_POST['user_id']) ) {
    $sql = "DELETE FROM users WHERE user_id = :zip";
    echo "<pre>\n$sql\n</pre>\n";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(':zip' => $_POST['user_id']));
}
$stmt = $pdo->query("SELECT name, email, password, user_id FROM users");
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
?><html><head></head>
<body>
<table border="1">
<?php
foreach ( $rows as $row ) {
    echo "<tr><td>";
    echo($row['name']);
    echo("</td><td>");
    echo($row['email']);
    echo("</td><td>");
    echo($row['password']);
    echo("</td><td>");
    echo('<form method="post"><input type="hidden" ');
    echo('name="user_id" value="'.$row['user_id'].'">'."\n");
    echo('<input type="submit" value="Del" name="delete">');
    echo("\n</form>\n");
    echo("</td></tr>\n");
}

The four echo() calls that build the per-row form produce this HTML for one row:

<tr><td>Fred</td><td>[email protected]</td>
<td>YO</td>
<td><form method="post">
<input type="hidden" name="user_id" value="5">
<input type="submit" value="Del" name="delete">
</form></td>
</tr>

Pressing Del posts both user_id and delete, which is exactly what the block at the top of the file tests for before running the prepared DELETE.
Program Outline

user3.php (complete)

<?php
require_once "pdo.php";
if ( isset($_POST['name']) && isset($_POST['email'])
     && isset($_POST['password'])) {
    $sql = "INSERT INTO users (name, email, password)
        VALUES (:name, :email, :password)";
    echo("<pre>\n".$sql."\n</pre>\n");
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(
        ':name' => $_POST['name'],
        ':email' => $_POST['email'],
        ':password' => $_POST['password']));
}
if ( isset($_POST['delete']) && isset($_POST['user_id']) ) {
    $sql = "DELETE FROM users WHERE user_id = :zip";
    echo "<pre>\n$sql\n</pre>\n";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(':zip' => $_POST['user_id']));
}
?>
<html><head></head>
<body>
<table border="1">
<?php
$stmt = $pdo->query("SELECT name, email, password, user_id FROM users");
while ( $row = $stmt->fetch(PDO::FETCH_ASSOC) ) {
    echo "<tr><td>";
    echo($row['name']);
    echo("</td><td>");
    echo($row['email']);
    echo("</td><td>");
    echo($row['password']);
    echo("</td><td>");
    echo('<form method="post"><input type="hidden" ');
    echo('name="user_id" value="'.$row['user_id'].'">'."\n");
    echo('<input type="submit" value="Del" name="delete">');
    echo("\n</form>\n");
    echo("</td></tr>\n");
}
?>
</table>
<p>Add A New User</p><form method="post">
<p>Name:<input type="text" name="name" size="40"></p>
<p>Email:<input type="text" name="email"></p>
<p>Password:<input type="password" name="password"></p>
<p><input type="submit" value="Add New"/></p>
</form>
</body>

The outline is: (1) handle a POSTed insert, (2) handle a POSTed delete, (3) query the table and render one row per user with a small Del form, (4) render the Add form. This version reads rows one at a time with fetch() in a while loop instead of fetchAll().
SQL Injection
Recall HTML Injection ...
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess"
value=""><b>DIE DIE</b>" /></p>
<input type="submit"/>
</form>
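The same problem applies to the table loops in second.php and user3.php, which echo database values straight into the page. The script below is an added example, not code from the slides: renderRowsUnsafe() mirrors the slides' loop, renderRowsSafe() is the escaped version, and the $rows array is constructed sample data (the names, the function names and the example.com addresses are assumptions, not from the slides' database).

```php
<?php
// Added example (not part of the slides). The rows are constructed to look
// like the fetchAll(PDO::FETCH_ASSOC) result the slides print; the second
// row carries markup in the name column, as a stored value from a form could.
$rows = array(
    array('name' => 'Chuck', 'email' => 'chuck@example.com'),
    array('name' => 'Sally <b>DIE DIE</b>', 'email' => 'sally@example.com'),
);

// Mirrors the loop in second.php: values are written into the HTML unescaped,
// so the <b> element in the second row becomes a live tag in the page.
function renderRowsUnsafe(array $rows): string {
    $out = '<table border="1">' . "\n";
    foreach ($rows as $row) {
        $out .= "<tr><td>" . $row['name'] . "</td><td>" . $row['email'] . "</td></tr>\n";
    }
    return $out . "</table>\n";
}

// Same output shape, but every value passes through htmlentities() first,
// so < > & " and ' are shown as text instead of being parsed as markup.
function renderRowsSafe(array $rows): string {
    $out = '<table border="1">' . "\n";
    foreach ($rows as $row) {
        $out .= "<tr><td>" . htmlentities($row['name'], ENT_QUOTES, 'UTF-8')
              . "</td><td>" . htmlentities($row['email'], ENT_QUOTES, 'UTF-8')
              . "</td></tr>\n";
    }
    return $out . "</table>\n";
}

echo renderRowsUnsafe($rows);   // second row contains <b>DIE DIE</b> as a real element
echo renderRowsSafe($rows);     // second row contains &lt;b&gt;DIE DIE&lt;/b&gt; as text
```

Run it with php on the command line and compare the two tables: the escaped version is what the user3.php loop should produce for every column it prints, including the user_id that goes into the hidden field.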
SQL Injection
SQL injection or SQLi is a code injection technique that exploits a
security vulnerability in some computer software. An injection occurs
at the database level of an application (like queries). The vulnerability
is present when user input is either incorrectly filtered for string literal
escape characters embedded in SQL statements or user input is not
strongly typed and unexpectedly executed. Using well-designed query
language interpreters can prevent SQL injections.

http://en.wikipedia.org/wiki/SQL_injection
SQL Injection
This code does it all in a select instead of a prepare/execute
pattern, but it is prone to SQL Injection – where and why?

login1.php

if ( isset($_POST['email']) && isset($_POST['password']) ) {
    $e = $_POST['email'];
    $p = $_POST['password'];
    $sql = "SELECT name FROM users
        WHERE email = '$e'
        AND password = '$p'";
    $stmt = $pdo->query($sql);

What Could Go Wrong?

http://xkcd.com/327/
Use Prepared Statements Properly

login2.php

if ( isset($_POST['email']) && isset($_POST['password']) ) {
    echo("Handling POST data...\n");
    $sql = "SELECT name FROM users
        WHERE email = :em AND password = :pw";
    echo "<pre>\n$sql\n</pre>\n";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(
        ':em' => $_POST['email'],
        ':pw' => $_POST['password']));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

When the statement is executed, the placeholders get replaced with the actual
strings and everything is automatically escaped!
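To see the "where and why" of login1.php next to login2.php without a MySQL server, here is an added example (not from the slides or the pdo.zip code). It assumes the pdo_sqlite extension is available and uses an in-memory SQLite database in place of the slides' MySQL connection; makeDb(), loginUnsafe(), loginSafe() and the sample users are all constructed for this example. The input that breaks the string-built query is simply an e-mail address containing an apostrophe.

```php
<?php
// Added example, not part of the slides. SQLite in memory stands in for
// the MySQL server; the users table mirrors the slides' schema (passwords
// are stored as plain text only because the slides' table does so).
function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');          // assumption: pdo_sqlite is loaded
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (
        user_id INTEGER PRIMARY KEY AUTOINCREMENT,
        name VARCHAR(128), email VARCHAR(128), password VARCHAR(128))");
    // Constructed sample rows; the second one has an apostrophe in the e-mail.
    $stmt = $pdo->prepare("INSERT INTO users (name, email, password)
                           VALUES (:name, :email, :password)");
    $stmt->execute(array(':name' => 'Chuck', ':email' => 'chuck@example.com', ':password' => '123'));
    $stmt->execute(array(':name' => "O'Brien", ':email' => "o'brien@example.com", ':password' => '456'));
    return $pdo;
}

// login1.php style: the request values are pasted into the SQL text, so any
// quote character in them changes the structure of the statement itself.
function loginUnsafe(PDO $pdo, string $e, string $p) {
    $sql = "SELECT name FROM users WHERE email = '$e' AND password = '$p'";
    $stmt = $pdo->query($sql);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// login2.php style: the SQL is fixed at prepare() time and the values are
// handed over separately at execute() time, so they can only ever be data.
function loginSafe(PDO $pdo, string $e, string $p) {
    $sql = "SELECT name FROM users WHERE email = :em AND password = :pw";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(':em' => $e, ':pw' => $p));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$pdo = makeDb();
$cases = array(array('chuck@example.com', '123'), array("o'brien@example.com", '456'));
foreach ($cases as list($email, $pw)) {
    try {
        $row = loginUnsafe($pdo, $email, $pw);
        echo "unsafe  $email -> " . ($row ? $row['name'] : 'no match') . "\n";
    } catch (PDOException $ex) {
        // The apostrophe closes the string literal early and the rest of the
        // address is parsed as SQL: the query is malformed, not merely wrong.
        echo "unsafe  $email -> SQL error: " . $ex->getMessage() . "\n";
    }
    $row = loginSafe($pdo, $email, $pw);
    echo "safe    $email -> " . ($row ? $row['name'] : 'no match') . "\n";
}
```

The first user logs in both ways; for the second user the string-built query raises a syntax error while the prepared statement returns O'Brien. An input that merely causes a syntax error is the benign end of the problem: anything that can change the statement's structure can also change what it selects, which is the point of the slide's "where and why?" and of moving to prepare/execute.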
PDO Error Handling:
What Could Go Wrong?
errors/error0.php (placeholder names match)

$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING);
$stmt = $pdo->prepare("SELECT * FROM users where user_id = :xyz");
$stmt->execute(array(":xyz" => $_GET['user_id']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ( $row === false ) {
    echo("<p>user_id not found</p>\n");
} else {
    echo("<p>user_id found</p>\n");
}

errors/error1.php (placeholder :xyz in the SQL, :pizza in execute())

$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING);
$stmt = $pdo->prepare("SELECT * FROM users where user_id = :xyz");
$stmt->execute(array(":pizza" => $_GET['user_id']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ( $row === false ) {
    echo("<p>user_id not found</p>\n");
} else {
    echo("<p>user_id found</p>\n");
}
http://php.net/manual/en/pdo.error-handling.php
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare("SELECT * FROM users where user_id = :xyz");
$stmt->execute(array(":pizza" => $_GET['user_id']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ( $row === false ) {
echo("<p>user_id not found</p>\n");
} else {
echo("<p>user_id found</p>\n");
}

errors/error2.php
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
try {
$stmt = $pdo->prepare("SELECT * FROM users where user_id = :xyz");
$stmt->execute(array(":pizza" => $_GET['user_id']));
} catch (Exception $ex ) {
echo("Exception message: ".$ex->getMessage());
return;
}
$row = $stmt->fetch(PDO::FETCH_ASSOC);

errors/error3.php
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
try {
$stmt = $pdo->prepare("SELECT * FROM users where user_id = :xyz");
$stmt->execute(array(":pizza" => $_GET['user_id']));
} catch (Exception $ex ) {
echo("Internal error, please contact support");
error_log("error4.php, SQL error=".$ex->getMessage());
return;
}
$row = $stmt->fetch(PDO::FETCH_ASSOC);

errors/error4.php
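The error0 through error4 files differ only in the error mode and in what the script does afterwards. The following added example (not from the slides' errors folder) runs the error1.php mistake, :xyz in the SQL but :pizza in execute(), under all three PDO error modes in one script so the behaviours can be compared side by side. It assumes pdo_sqlite is available and uses an in-memory SQLite table in place of MySQL; makeDb(), lookupWithMode() and the single sample row are constructed for the example.

```php
<?php
// Added example, not part of the slides. One constructed row in an in-memory
// SQLite table (assumption: pdo_sqlite is loaded) stands in for the MySQL users table.
function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY, name VARCHAR(128))");
    $pdo->exec("INSERT INTO users (user_id, name) VALUES (1, 'Chuck')");
    return $pdo;
}

// Runs the errors/error1.php lookup under the given error mode and returns
// the message the page would show, so the three modes can be compared.
function lookupWithMode(PDO $pdo, int $mode, $userId): string {
    $pdo->setAttribute(PDO::ATTR_ERRMODE, $mode);
    try {
        $stmt = $pdo->prepare("SELECT * FROM users where user_id = :xyz");
        $ok = $stmt->execute(array(":pizza" => $userId));   // wrong placeholder name
        if ($ok === false) {
            // ERRMODE_SILENT and ERRMODE_WARNING: execute() just returns false
            // (WARNING also emits an E_WARNING); the script must check for it
            // itself, otherwise fetch() returns false and the page reports
            // "user_id not found" for a row that does exist.
            return "execute() returned false, SQLSTATE " . $stmt->errorCode();
        }
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? "user_id not found" : "user_id found";
    } catch (PDOException $ex) {
        // ERRMODE_EXCEPTION: the mistake cannot be overlooked. As in error4.php,
        // the detail goes to the server log and the user sees a generic message.
        error_log("lookupWithMode, SQL error=" . $ex->getMessage());
        return "Internal error, please contact support";
    }
}

$modes = array(
    'SILENT'    => PDO::ERRMODE_SILENT,
    'WARNING'   => PDO::ERRMODE_WARNING,
    'EXCEPTION' => PDO::ERRMODE_EXCEPTION,
);
foreach ($modes as $name => $mode) {
    echo str_pad($name, 10) . lookupWithMode(makeDb(), $mode, 1) . "\n";
}
```

Under SILENT and WARNING the failure surfaces only as a false return value (SQLSTATE HY093, invalid parameter number), which is why error0.php and error1.php print "user_id not found" even though user_id 1 exists. Under EXCEPTION the catch block runs, the full message lands wherever error_log() is directed (see the next slide), and the page shows nothing about the SQL to the visitor.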
Where do error_log()s go?
When in doubt, look at PHPInfo...
• File Paths:
- /Applications/MAMP/logs/php_error.log
- c:\xampp\php\logs\php_error_log
• Open the log file and scroll to the bottom
• Watch the log actively
- On Mac / Linux use: tail -f filename
- Windows: http://ophilipp.free.fr/op_tail.htm
Summary
• Making database connections

• Doing database operations

• SQL security (a.k.a. we love PDO prepared statements)

• Exploring errors...
Acknowledgements / Contributions
These slides are Copyright 2010- Charles R. Severance (www.dr-chuck.com) as part of www.wa4e.com and made available under a Creative Commons Attribution 4.0 License. Please maintain this last slide in all copies of the document to comply with the attribution requirements of the license. If you make a change, feel free to add your name and organization to the list of contributors on this page as you republish the materials.

Initial Development: Charles Severance, University of Michigan School of Information

Insert new Contributors and Translators here including names and dates