CS 328 - Week 7 Labs - 3:00 pm lab - 2016-03-04

*   continuing with PHP intro -- and PHP and forms;

*   recall: when you submit a form whose action
    is a .php document,

    the PHP Preprocessor provides to that PHP document
    either a $_GET or $_POST superglobal associative array,

    where the keys are the names in the name=value pairs from
    the form, and the value for each name key is
    that value for that form control at the time the
    form was submitted

    (you get this in a $_GET array if method="get",
    and in a $_POST array if method="post")

*   remember: NEVER trust user-provided input!

    ...DECIDE, based on what you're doing, WHAT
    is the appropriate way to protect yourself
    and your system and your program etc.

    *   you might use a built in function such as:
        (these are demo'd in looky.php)

        strip_tags - expects a string, returns that string with
                     any angle-bracket markup REMOVED
                     (removing angle-bracket-style tags)

        htmlspecialchars - expects a string, returns that string
                     with each special HTML character replaced with
                     its display-only equivalent

                     e.g., replaces '<' with '&lt;';

        htmlentities - goes even farther than htmlspecialchars,
                     (from the PHP manual)
                     "convert[s] ALL applicable
                     characters to HTML entities"

                     (I'm assuming "HTML entities" are
                     <, >, &, etc.)

    *   there isn't a one-size-fits-all
        answer to this --

        BUT, often, if you want to display user-provided input,
        you might find htmlspecialchars or
        htmlentities to be good choices for sanitizing
        it first;

        if you are storing things in a database,
        and the user really should NOT be entering
        any tags in what they are entering,
        strip_tags might be a better choice;

        ...etc.! THINK as you choose;
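
    An added example (not the code in looky.php): the three functions
    above applied to ONE constructed input string, so you can compare
    what each one leaves behind. The sample text and the control name
    "comment" are made up for illustration.

```php
<?php
// Added example, not from looky.php. The input below is constructed;
// pretend it arrived as $_POST["comment"] (a made-up control name).
$raw = "<b>Zo\u{eb}</b> wrote: \"Tom & Jerry's\" <i>rocks</i>";

// Apply each function from the notes to the same string.
// ENT_QUOTES and 'UTF-8' are passed explicitly: before PHP 8.1 the
// default flags left single quotes unencoded.
function compare_sanitizers(string $raw): array
{
    return [
        'raw'              => $raw,
        'strip_tags'       => strip_tags($raw),
        'htmlspecialchars' => htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'),
        'htmlentities'     => htmlentities($raw, ENT_QUOTES, 'UTF-8'),
    ];
}

$results = compare_sanitizers($raw);

// Print as plain text so the entity names themselves are visible.
header('Content-Type: text/plain; charset=utf-8');
foreach ($results as $label => $value) {
    printf("%-17s %s\n", $label . ':', $value);
}

// strip_tags removes markup but does NOT encode & or quotes, so its
// result still needs encoding at the point where it is displayed:
$stored = $results['strip_tags'];
echo "\nfor display:      ",
     htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```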
 
==========
*   ASIDE: a useful pair of functions:
    isset() and array_key_exists()

    *   there's an attempt to demo these in show-checked.php

    *   PHP *does* have a special value of NULL

        (the absence of an object)

    *   isset -
        expects a variable (or expression) as its argument

        (from PHP manual):
        "Determine if a variable is set and is not NULL"

    *   array_key_exists -
        expects the desired key and the array to check
        as its arguments

        (from PHP manual):
        "Checks if the given key or index exists in
        the array"

    *   make sure you can see the difference --

        and note the following, also from the PHP manual:

        "isset does not return TRUE for array keys
        that correspond to a NULL value,
        while array_key_exists does"

    *   IF your goal is to see IF an array key exists
        in an array,
        USE array_key_exists!

==========
*   PHP's foreach loop

    a way to loop over ALL of the elements of a
    collection (such as an array), one element at a time

    foreach ($collection as $temp_var)
    {
        statements that can use $temp_var;
    }

    *   demo'd in show-checked.php
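
    An added example (not the code in show-checked.php) that puts
    array_key_exists, isset and foreach together. It assumes a
    made-up checkbox group named "lang[]" and a constructed row;
    the submitted values are checked against the choices the form
    actually offered, since the client can send anything.

```php
<?php
// Added example, not show-checked.php. Constructed data: a checkbox group
// with the made-up name "lang[]", where the second submitted value was
// never one of the form's choices.
$allowed = ['php', 'sql', 'js'];
$_POST   = ['lang' => ['php', '<b>cobol</b>']];

// Return only the submitted values that the form really offered.
function checked_values(array $request, string $name, array $allowed): array
{
    // no box checked => the browser sends no pair => the key is absent
    if (!array_key_exists($name, $request)) {
        return [];
    }
    // name="lang[]" arrives as an array, name="lang" as a single string
    $submitted = is_array($request[$name]) ? $request[$name]
                                           : [$request[$name]];
    $ok = [];
    foreach ($submitted as $value) {
        if (is_string($value) && in_array($value, $allowed, true)) {
            $ok[] = $value;
        }
    }
    return $ok;
}

foreach (checked_values($_POST, 'lang', $allowed) as $choice) {
    echo "<li>", htmlspecialchars($choice, ENT_QUOTES, 'UTF-8'), "</li>\n";
}

// isset vs. array_key_exists on a key whose value is NULL
// (constructed row, shaped like one with no commission):
$row = ['SALARY' => '1500', 'COMMISSION' => NULL];
foreach (['SALARY', 'COMMISSION', 'BONUS'] as $key) {
    printf("%-10s isset: %-5s array_key_exists: %s\n", $key,
           var_export(isset($row[$key]), true),
           var_export(array_key_exists($key, $row), true));
}
```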

==========
*   FOR DEBUGGING:   print_r

    this is for debugging, because you can't really
    sanitize its output...

    expects an (associative?) array,
    and outputs the keys AND contents of that array

    *   demo'd in show-checked.php

==========    
*   PHP has MANY libraries and things for
    working with different DBMSs;

    ...we are HAPPENING to use:

    OCI - Oracle Call Interface

    ...because it DOES work from PHP on nrs-projects
    for connecting to HSU's Oracle student database!

    *   BUT the basic steps are likely the same
        even across different application-tier
        languages;

*   those basic steps:
    *   need to set up a CONNECTION STRING

        $db_conn_str = "(DESCRIPTION = (ADDRESS = 
                                (PROTOCOL = TCP)
                                (HOST = cedar.humboldt.edu)
                                (PORT = 1521))
                           (CONNECT_DATA = (SID = STUDENT)))";

    *   try to log into Oracle:

        $conn = oci_connect($username, $password, $db_conn_str);

        if ($conn === FALSE)
        {
            require_once("failure_footer.txt");
            exit;
        }

        ...if I get here, I connected!

    *   set up an Oracle statement, and execute it:

        $empl_query = "select empl_last_name, hiredate, salary, commission ".
                      "from empl";

        $stmt = oci_parse($conn, $empl_query);
        oci_execute($stmt, OCI_DEFAULT);

    *   looping through the results:

        *   oci_fetch($stmt) gives you access to the next
            row in the result (you must call it to
            access the 1st row, also...)

            *   it returns FALSE if there IS no next row

        *   oci_result lets you grab the value from a particular
            column in the current row

        while (oci_fetch($stmt))
        {
            // column names are given in UPPERCASE, as Oracle reports them
            $curr_empl_name = oci_result($stmt, "EMPL_LAST_NAME");
            $curr_hiredate = oci_result($stmt, "HIREDATE");
            $curr_salary = oci_result($stmt, "SALARY");
            $curr_commission = oci_result($stmt, "COMMISSION");

            // a NULL column value comes back as PHP's NULL
            if ($curr_commission === NULL)
            {
                $curr_commission = "no commission";
            }

            // ...
        }

    *   when done with a statement, FREE that statement!

        oci_free_statement($stmt);

        when done with your connection, CLOSE YOUR CONNECTION!!!

        oci_close($conn);

*   above is demo'd in try-oracle.php --

    LET ME KNOW a.s.a.p. if this example STOPS working...!
    (could be an Oracle-related problem, or an nrs-projects-related
    problem, for example...!)
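
*   An added example (not the code in try-oracle.php): the same steps
    when the query depends on a value from a form. It assumes
    $username, $password and $db_conn_str are set as above, and a
    made-up form control named "min_salary"; the value is validated,
    passed to Oracle as a bind variable, and every result is encoded
    before it is displayed.

```php
<?php
// Added example, not try-oracle.php. Assumes $username, $password and
// $db_conn_str are already set as in the steps above; the form control
// name "min_salary" is made up.

function h($value): string      // encode one value for HTML display
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// validate BEFORE touching the database: present, and an integer >= 0
$min_salary = array_key_exists('min_salary', $_POST)
    ? filter_var($_POST['min_salary'], FILTER_VALIDATE_INT,
                 ['options' => ['min_range' => 0]])
    : FALSE;
if ($min_salary === FALSE)
{
    exit("<p>Please enter a whole-number minimum salary.</p>\n");
}

$conn = oci_connect($username, $password, $db_conn_str);
if ($conn === FALSE)
{
    require_once("failure_footer.txt");
    exit;
}

// :min_salary is a bind variable; the user's value is never pasted
// into the SQL text itself
$stmt = oci_parse($conn, "select empl_last_name, salary, commission ".
                         "from empl where salary >= :min_salary");
oci_bind_by_name($stmt, ":min_salary", $min_salary);
oci_execute($stmt, OCI_DEFAULT);

while (oci_fetch($stmt))
{
    $curr_commission = oci_result($stmt, "COMMISSION");
    if ($curr_commission === NULL)
    {
        $curr_commission = "no commission";
    }
    echo "<li>", h(oci_result($stmt, "EMPL_LAST_NAME")), ": ",
         h(oci_result($stmt, "SALARY")), ", ", h($curr_commission),
         "</li>\n";
}

oci_free_statement($stmt);
oci_close($conn);
```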