
How to display information from a database within a web page

Archive - Originally posted on "The Horse's Mouth" - 2010-11-07 08:54:40 - Graham Ellis

Are you displaying data held in an SQL database from within your own PHP program for the first time? Perhaps you have access to a database that's been set up by a standard open source application such as phpBB, the Simple Machines Forum or Movable Type, or by a colleague?

Here are the steps you'll need to take

1. Learn the principle

Reading data from a database is rather like reading data from a file. Just as you have lots of files on your computer, each of which can provide a stream of data, so you potentially have lots of databases / tables / requests that could provide you with streams of data. So the first things you need to do are

a) Establish a connection to whatever's providing the data from the database

b) Switch to the particular area of the database server that contains the data you want

c) Issue a query telling it exactly what you want

The query will return a "query handle" to you - that's rather like a file handle so you can then ...

d) Read back a row of data from the result set and do whatever you want with it

e) Keep repeating the previous item ( d) ) until you run out of data

2. Hand crank it

Use the mysql program that's supplied with the database to work out the actual commands needed to run the query that you want to do, and record them carefully (cut and paste is marvellous!). Note that giving the password on the command line with -p, as in the example below, leaves it visible in your shell history and in the process listing; -p on its own will prompt you for it instead.

Example:

./bin/mysql -h192.168.200.199 -uwellho -pPashwurd
use wellho;
select * from placelib;
gives headings and data ...
| place | postcode | extras | distance | osref | pid |


You are then in a position to ...

3. Automate it

Translate the commands into function calls in your PHP; if you're using MySQL, those will be either mysqli_ or mysql function calls (prefer the mysqli_ family for new code: the older mysql_ extension was deprecated in PHP 5.5 and removed in PHP 7, and only mysqli_ and PDO support prepared statements). Later on you'll want to go via a wrapper level to make your code portable across database engines, but not at first!

Example:

$link = mysql_connect("192.168.200.199","wellho","Pashwurd");  // a) connect to the server
mysql_select_db("wellho", $link);                              // b) switch to the database
// c) issue the query and keep the query handle it returns;
//    $hunt_slashed is the user's search term after escaping (see section 4a)
$qh = mysql_query("select * from placelib where place like '%$hunt_slashed%'", $link);
while ($row = mysql_fetch_assoc($qh)) { ... }                  // d) and e) read rows until none are left


4. Consider the security

Having got your basic query working, consider the following very carefully:

a) Do you need to protect incoming user data from a form before you put it into a query? Escape it with mysql_real_escape_string (which knows the connection's character set; addslashes does not, and stripslashes only undoes the escaping that "magic quotes" may already have added), so that NUL, \ and quote characters can't pass straight through and let your user cause you to generate invalid SQL ... or (worse) to modify the SQL so that it includes a malicious subcommand (this is known as an injection attack). Better still, use a prepared statement with a bound parameter (mysqli_prepare or PDO::prepare), so that user data never becomes part of the SQL text at all.

b) If you're handling user inputs as part of a WHERE clause, do you need to take special action to handle any user input special characters such as % and _ which the LIKE operator will see as "wildcards", but your user may wish to match exactly? Escaping for SQL quoting (point a) does not do this for you; you need to escape the wildcards (and the escape character itself) separately, and with an explicit ESCAPE clause if you want to be sure which character MySQL treats as the escape. If you're using RLIKE in MySQL, you'll need to make similar consideration of the regular expression wild card characters.

c) Do any of the data strings returned from the database query need to be tidied up before they're passed on to the browser? If the data may have & or < characters in it, for example, you'll need to call htmlspecialchars (with ENT_QUOTES, so that quotes are covered too) or htmlentities, otherwise stored text is interpreted by the browser as markup or script (cross-site scripting).

d) Are the results you get really suitable for passing back to the user, or are there fields that (s)he should not know about or that would cause some sort of security leak? Select only the columns you intend to show rather than select *. Is it possible for a tiny query (a search for a single letter, or for nothing at all) to generate a huge result set that reveals most of a prized database to anyone who wants to see it? Put a LIMIT on it. Be very careful not to report data from private / deleted / unpublished rows of your table. And conversely ...

e) If the user is to be given no results at all (because nothing matches!), please consider giving some feedback to highlight that fact, rather than leaving him/her staring at a blank box and wondering what went wrong.
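Here, as an added example that is not the post's own script, is the section 3 read-back rebuilt with the mysqli_ functions and each of the section 4 points (a) to (e) applied. It reuses the post's sample host, database, credentials and placelib column names; the `published` column, the `hunt` form parameter and the row limit of 50 are assumptions made for the illustration.

```php
<?php
// Added example (not from the original post). Host, database, credentials and the
// placelib columns are the post's sample values; the `published` column, the
// `hunt` form field and the LIMIT of 50 are assumptions for this illustration.

// a) + b) connect and switch to the database in one call
$link = mysqli_connect("192.168.200.199", "wellho", "Pashwurd", "wellho");
if (!$link) {
    die("Database connection failed: " . mysqli_connect_error());
}
// tell the server which character set the client speaks, so escaping and
// comparisons agree with what PHP sends
mysqli_set_charset($link, "utf8mb4");

// 4a) take the search term from the form but never splice it into the SQL text
$hunt = isset($_GET['hunt']) ? (string) $_GET['hunt'] : '';

// 4b) make LIKE wildcards literal: escape the escape character first, then % and _
//     (strtr with an array does not re-scan replaced text, so '!' cannot be
//     doubled twice)
$pattern = '%' . strtr($hunt, array('!' => '!!', '%' => '!%', '_' => '!_')) . '%';

// c) issue the query as a prepared statement with a bound parameter;
// 4d) name only the columns we mean to publish, skip unpublished rows, cap the size
$stmt = mysqli_prepare($link,
    "SELECT place, postcode, distance FROM placelib
     WHERE published = 1 AND place LIKE ? ESCAPE '!'
     ORDER BY place LIMIT 50");
if (!$stmt) {
    die("Could not prepare query: " . mysqli_error($link));
}
mysqli_stmt_bind_param($stmt, "s", $pattern);      // "s": bind as a string
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $place, $postcode, $distance);

// d) + e) read rows until none are left, counting them for the empty case
$rows = 0;
echo "<table>\n";
while (mysqli_stmt_fetch($stmt)) {
    $rows++;
    // 4c) encode on the way out so & < > " ' in stored data cannot become markup
    printf("<tr><td>%s</td><td>%s</td><td>%s</td></tr>\n",
        htmlspecialchars($place, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($postcode, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars((string) $distance, ENT_QUOTES, 'UTF-8'));
}
echo "</table>\n";

// 4e) tell the user when nothing matched, rather than leaving an empty box
if ($rows == 0) {
    echo "<p>No places matched \"" . htmlspecialchars($hunt, ENT_QUOTES, 'UTF-8') . "\".</p>\n";
}

mysqli_stmt_close($stmt);
mysqli_close($link);
```

Because the search term is bound as a parameter, no mysql_real_escape_string call is needed for point (a); the server receives the pattern as data, not as part of the SQL. The explicit ESCAPE '!' replaces MySQL's default backslash escape for LIKE, which keeps the wildcard handling independent of whatever quoting layer sits in front of it.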

My complete example - with each of those security issues dealt with enough to make my script strong enough to be published on the server - is [here].




Example written during last week's PHP course. More detailed aspects of MySQL, including the vital database design and security aspects, are covered on our MySQL course.