So, I'm new to PHP. I spent a lot of time today teaching myself in the ways of inserting data into SQL tables via HTML forms with PHP and MySQL, and retrieving said data so it can be displayed on a web page. I felt proud of myself when I had finally coded a working, though very simple system for this. Now I find out that there is a newer, more secure API available and that 'mysql' functions will no longer be supported... which my noob code is full of. I've been trying to figure out how to update my code with the new API (MySQLi) for about 3 hours but everything is ending in failure; I'm just not competent enough in PHP or SQL to understand how the changes represent what was already there and working. I did manage to get a connection using the new functions, but I could not display anything like with the old ones.
I will post the code here, and hopefully someone can help me out in figuring this out because I'm just not getting it.
Here is the code that is calling the information from the database, and displaying it in simple rows.
Well, as a first cut, use the links given in the warnings on the page for each of the mysql_* functions to take you to the corresponding MySQLi function - for the most part it's a matter of replacing "mysql_foo" with "mysqli_foo". The hairiest part of that process is that the order of function arguments is reversed between mysql_query and mysqli_query.
The mysqli documentation has tons of examples. There are two big differences:
1) mysqli has two styles of usage: an object-oriented one and a procedural one. The old mysql functions were only procedural.
2) the procedural mysqli functions you can use to replace your old mysql functions require you to keep track of your database connection object -- you have to supply it whenever you want to query something.
Another thing -- and this may be a bit much to take in -- is that it is often advantageous to isolate your own code from the raw database functions offered by PHP. That is to say it's often helpful to have your code use your own functions for database access and then your functions use the appropriate database access functions. This allows you to more easily switch to a different database entirely or to upgrade to newer functions without changing all of your code. You would only need to change your own database functions.
it is often advantageous to isolate your own code from the raw database functions offered by PHP
... by creating/using what is normally referred to as a DAL - Database Abstraction Layer. (Just throwing this in the mix in case the OP is curious to learn more and wants a common keyword to search on.)
Thank you all for the input. I have just finished updating my display codes since I figure this would be more difficult than the insert action code. It is pulling the information from the database table and displaying it inside of the rows properly on the web page. My question now is, just because it is working... did I do it right?
And since this code is used to display data, do I need to include any kind of escapes like I do with the insert action code to send data to the database to protect from injection?
And since this code is used to display data, do I need to include any kind of escapes like I do with the insert action code to send data to the database to protect from injection?
Well, that's a decision to be made on your part - but since you're displaying it within an HTML page, you have to decide whether (a) it's possible for the data being displayed to contain HTML, and (b) if it does, whether you want it to be treated as HTML.
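Added example, not part of any post in this thread: a minimal set of data-access functions of the kind suggested above, using the object-oriented mysqli style with prepared statements in place of manual escaping on insert, plus HTML encoding on output for the case where stored data should be shown as text rather than treated as HTML. The table `entries`, its columns `name` and `comment`, and all function names are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Table "entries" and columns "name", "comment" are assumed.

// Data-access functions: page code calls these, never mysqli directly.
function db_connect(string $host, string $user, string $pass, string $db): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors
    $link = new mysqli($host, $user, $pass, $db);
    $link->set_charset('utf8mb4');
    return $link;
}

function add_entry(mysqli $link, string $name, string $comment): void
{
    // Placeholders keep form input out of the SQL text.
    $stmt = $link->prepare('INSERT INTO entries (name, comment) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $comment);
    $stmt->execute();
    $stmt->close();
}

function fetch_entries(mysqli $link): array
{
    $rows = [];
    $result = $link->query('SELECT name, comment FROM entries ORDER BY name');
    while ($row = $result->fetch_assoc()) {
        $rows[] = $row;
    }
    return $rows;
}

// Output side: stored values are treated as text and encoded when printed.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_rows(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $r) {
        $html .= '<tr><td>' . h($r['name']) . '</td><td>' . h($r['comment']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed rows standing in for fetch_entries($link), so this runs without a server.
$rows = [['name' => 'Bob <b>', 'comment' => '<script>alert(1)</script> & "quotes"']];
echo render_rows($rows);
```

With a real connection, `render_rows(fetch_entries($link))` produces the same table from the database; the markup in the sample row comes out as visible text instead of being interpreted by the browser.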