Table of Contents

• Introduction to Sessions
• Starting a Session
• Storing Data in Sessions
• Retrieving Data from Sessions
• Modifying and Unsetting Session Variables
• Destroying a Session
• Session Security Best Practices
• Example: Creating a Login System with Sessions
• Troubleshooting Common Session Issues
• Summary

---

Introduction to Sessions

In web development, sessions are used to store user-specific data across multiple pages. Unlike cookies, which are stored on the client’s browser, session data is stored on the server and can be used to maintain state between page requests. This is particularly useful for applications that require user authentication, shopping carts, or any scenario where you need to track a user’s actions across different pages.

PHP provides a simple and efficient way to manage sessions through its $_SESSION superglobal. The $_SESSION array allows you to store session data that persists across multiple requests.

---

Starting a Session

Before you can use session variables in PHP, you need to start a session. This is done using the session_start() function. It should be called at the very beginning of your script, before any output is sent to the browser.

Here’s how to start a session:

<?php
session_start();
?>

• The session_start() function starts a new session or resumes an existing one. If the user has already started a session (for example, after logging in), PHP will continue using the same session for subsequent requests.

---

Storing Data in Sessions

Once a session is started, you can store user-specific data in the $_SESSION array. This data can be of any type (string, integer, array, etc.) and will persist across page loads until the session is destroyed.

For example, to store the username of a logged-in user:

<?php
session_start();
$_SESSION['username'] = 'JohnDoe';
?>

• $_SESSION['username']: This stores the username in the session data. The session variable will be available on subsequent page requests as long as the session is active.

You can store multiple session variables:

$_SESSION['user_id'] = 123;
$_SESSION['email'] = '[email protected]';

---

Retrieving Data from Sessions

To retrieve session data, simply access the $_SESSION superglobal using the key you assigned earlier.

For example, to display the username stored in the session:

<?php
session_start();
echo "Hello, " . $_SESSION['username'];
?>

If the $_SESSION['username'] variable is set, the code will display the username. If it’s not set, PHP will return a warning or notice. You can check whether a session variable is set using the isset() function:

if (isset($_SESSION['username'])) {
    echo "Hello, " . $_SESSION['username'];
} else {
    echo "No user is logged in.";
}

---

Modifying and Unsetting Session Variables

Session variables can be modified by simply reassigning new values to them:

$_SESSION['username'] = 'JaneDoe';  // Modify the session variable

If you no longer need a session variable, you can unset it using the unset() function:

unset($_SESSION['username']);  // Remove the session variable

After calling unset(), the session variable will no longer be available for the current session.

---

Destroying a Session

To completely destroy a session and remove all session data, you can use the session_destroy() function. However, calling this function does not automatically remove the session variables from the $_SESSION superglobal. To fully clear the session, you should also unset the session variables.

Here’s how to destroy a session:

<?php
session_start();  // Start the session
session_unset();  // Unset all session variables
session_destroy();  // Destroy the session
?>

• session_unset(): This function clears all session variables.
• session_destroy(): This function destroys the session and removes it from the server.

After calling these functions, the user will be logged out, and the session will be terminated.

---

Session Security Best Practices

Sessions are vulnerable to attacks such as session hijacking, session fixation, and cross-site scripting (XSS). To protect your sessions, here are some best practices:

1. Use HTTPS: Always use HTTPS for your website to ensure that session data is transmitted securely. Without HTTPS, session data can be intercepted via man-in-the-middle attacks.
2. Regenerate Session IDs: To prevent session fixation attacks (where an attacker tries to steal or fix a user’s session ID), you should regenerate the session ID periodically using session_regenerate_id().

session_start();
session_regenerate_id(true);  // Regenerate the session ID

3. Set Secure and HttpOnly Cookies: By default, PHP stores the session ID in a cookie. You can make this cookie more secure by setting the Secure and HttpOnly flags.

session_set_cookie_params([
    'secure' => true,  // Cookie will only be sent over HTTPS
    'httponly' => true,  // Cookie cannot be accessed by JavaScript
]);
session_start();

4. Limit Session Duration: Set a session timeout to limit how long a session can remain active. You can implement this by checking the session start time and comparing it to the current time.

session_start();
$timeout_duration = 3600;  // 1 hour timeout

if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity']) > $timeout_duration) {
    session_unset();  // Clear session variables
    session_destroy();  // Destroy the session
}

$_SESSION['last_activity'] = time();  // Update the last activity time

5. Destroy Session on Logout: Always destroy the session when the user logs out to prevent session hijacking.

session_start();
session_unset();  // Unset session variables
session_destroy();  // Destroy the session
header("Location: login.php");  // Redirect user to the login page
exit();

---

Example: Creating a Login System with Sessions

Sessions are commonly used in login systems to track whether a user is logged in or not. Here’s a simple example:

login.php – Display Login Form

<form action="login_process.php" method="POST">
    <label for="username">Username:</label>
    <input type="text" name="username" required>
    <label for="password">Password:</label>
    <input type="password" name="password" required>
    <input type="submit" value="Login">
</form>

login_process.php – Process Login and Start Session

<?php
session_start();  // Start the session

// Hardcoded credentials (replace with database check in real-world applications)
$valid_username = 'john';
$valid_password = 'password123';

if ($_POST['username'] == $valid_username && $_POST['password'] == $valid_password) {
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['logged_in'] = true;
    header("Location: welcome.php");
    exit();
} else {
    echo "Invalid credentials.";
}

welcome.php – Display Welcome Message

<?php
session_start();
if (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] == true) {
    echo "Welcome, " . $_SESSION['username'];
} else {
    echo "You must log in first.";
}
?>

logout.php – Destroy Session on Logout

<?php
session_start();
session_unset();
session_destroy();
header("Location: login.php");
exit();

---

Troubleshooting Common Session Issues

1. Session Not Starting: If session_start() isn’t working, ensure that no output (including whitespace) is sent before it. Outputting anything before session_start() will cause an error.
2. Session Variables Not Being Saved: Check if your session is configured correctly and that cookies are being sent. You can use phpinfo() to check session settings.
3. Session Timeout Issues: If sessions are timing out too quickly or not at all, verify your session.gc_maxlifetime and session.cookie_lifetime settings in your php.ini file.

---

Summary

In this module, we explored how to use sessions in PHP to store user-specific data across page requests. We discussed starting a session, storing and retrieving data, modifying session variables, and destroying sessions. We also highlighted security best practices such as regenerating session IDs, using HTTPS, and setting secure cookies. Finally, we created a simple login system using sessions and examined troubleshooting tips.

Table of Contents

• Introduction to File Uploads
• Setting Up the HTML Form for File Upload
• PHP File Upload Handling
  • Checking for File Upload Errors
  • Validating File Types and Sizes
  • Moving the Uploaded File
• Securing File Uploads
• Image Handling with PHP
  • Resizing Images
  • Cropping Images
  • Converting Image Formats
• Working with Image Libraries in PHP (GD Library and ImageMagick)
• Example: Uploading and Resizing an Image
• Best Practices for File Uploads and Image Handling
• Summary

---

Introduction to File Uploads

Handling file uploads is a common feature in web development. Whether it’s allowing users to upload profile pictures, documents, or other files, PHP offers an easy-to-use mechanism to handle file uploads. The $_FILES superglobal is used to access the uploaded files and allows developers to perform tasks like validation, saving, and moving the files to specific directories.

However, working with file uploads requires careful attention to security, as improperly handled file uploads can result in vulnerabilities like arbitrary file uploads or malicious code execution.

---

Setting Up the HTML Form for File Upload

Before handling file uploads in PHP, you need to create an HTML form that allows users to select files. The form should have the enctype="multipart/form-data" attribute to indicate that the form will contain file data.

Here’s an example of an HTML form that allows users to upload an image:

<form action="upload.php" method="POST" enctype="multipart/form-data">
    <label for="file">Select a file:</label>
    <input type="file" name="file" id="file">
    <input type="submit" value="Upload">
</form>

• action="upload.php": Specifies the PHP file that will handle the file upload.
• enctype="multipart/form-data": Tells the browser to encode the form data as multipart/form-data, which is required for file uploads.

---

PHP File Upload Handling

Once the form is submitted, the file data will be available in the $_FILES superglobal in PHP. This superglobal contains information about the file, such as its name, temporary location, size, and error code.

Checking for File Upload Errors

Before proceeding with the file upload, it’s essential to check if there were any errors during the file upload process. The $_FILES['file']['error'] key stores any upload errors.

if ($_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    echo "Error: Unable to upload file.";
    exit;
}

Here are the possible error codes:

• UPLOAD_ERR_OK (0): The file uploaded successfully.
• UPLOAD_ERR_INI_SIZE (1): The uploaded file exceeds the upload_max_filesize directive in php.ini.
• UPLOAD_ERR_FORM_SIZE (2): The uploaded file exceeds the MAX_FILE_SIZE directive specified in the form.
• UPLOAD_ERR_PARTIAL (3): The file was only partially uploaded.
• UPLOAD_ERR_NO_FILE (4): No file was uploaded.
• UPLOAD_ERR_NO_TMP_DIR (6): Missing a temporary folder.
• UPLOAD_ERR_CANT_WRITE (7): Failed to write the file to disk.

Validating File Types and Sizes

To ensure that users upload only specific file types (such as images or PDFs) and that the files are not too large, you should validate the file’s MIME type and size. For example, to validate that the uploaded file is an image and its size does not exceed 2MB, you can use:

$allowed_types = ['image/jpeg', 'image/png', 'image/gif'];
$file_type = $_FILES['file']['type'];
$file_size = $_FILES['file']['size'];
$max_size = 2 * 1024 * 1024; // 2MB in bytes

if (!in_array($file_type, $allowed_types)) {
    echo "Error: Invalid file type.";
    exit;
}

if ($file_size > $max_size) {
    echo "Error: File size exceeds the limit.";
    exit;
}

Moving the Uploaded File

Once the file is validated, you can move it from the temporary directory (where PHP stores uploaded files temporarily) to a permanent location on the server using the move_uploaded_file() function:

$target_dir = "uploads/";
$target_file = $target_dir . basename($_FILES['file']['name']);

if (move_uploaded_file($_FILES['file']['tmp_name'], $target_file)) {
    echo "The file has been uploaded successfully.";
} else {
    echo "Error: There was a problem uploading the file.";
}

• $_FILES['file']['tmp_name']: The temporary location of the uploaded file.
• move_uploaded_file(): Moves the file to the specified target directory.

---

Securing File Uploads

Handling file uploads securely is vital to prevent malicious files from being uploaded to your server. Here are a few best practices to ensure secure file uploads:

1. Rename Files: To avoid conflicts with existing files and reduce the risk of executing malicious files, rename the uploaded file before saving it.

$unique_name = uniqid() . '_' . basename($_FILES['file']['name']);
$target_file = $target_dir . $unique_name;

2. Check File Extensions: In addition to checking MIME types, also validate the file extension to ensure the file is of the correct type.

$allowed_extensions = ['jpg', 'jpeg', 'png', 'gif'];
$file_extension = pathinfo($file_name, PATHINFO_EXTENSION);

if (!in_array(strtolower($file_extension), $allowed_extensions)) {
    echo "Error: Invalid file extension.";
    exit;
}

3. Limit Upload Size: Always set limits on the file size to prevent users from uploading excessively large files. This can be done by checking the $_FILES['file']['size'] or by adjusting the upload_max_filesize and post_max_size settings in your php.ini.
4. Store Files Outside the Web Root: To prevent malicious files from being accessed directly via the web, store uploaded files outside the web root or restrict access to them using .htaccess.

---

Image Handling with PHP

PHP offers built-in libraries to manipulate images, such as the GD Library and ImageMagick. These libraries allow you to perform various operations on images, such as resizing, cropping, and converting formats.

Resizing Images

Here’s how to resize an image using the GD Library:

$image = imagecreatefromjpeg($target_file);
$new_width = 200;
$new_height = 200;
$resized_image = imagecreatetruecolor($new_width, $new_height);

imagecopyresampled($resized_image, $image, 0, 0, 0, 0, $new_width, $new_height, imagesx($image), imagesy($image));
imagejpeg($resized_image, "resized_" . basename($target_file));
imagedestroy($image);
imagedestroy($resized_image);

• imagecreatefromjpeg(): Creates an image resource from a JPEG file.
• imagecreatetruecolor(): Creates a blank true-color image.
• imagecopyresampled(): Resizes the original image.
• imagejpeg(): Outputs the resized image.

Cropping Images

To crop an image using the GD Library:

$image = imagecreatefromjpeg($target_file);
$cropped_image = imagecrop($image, ['x' => 50, 'y' => 50, 'width' => 200, 'height' => 200]);

if ($cropped_image !== FALSE) {
    imagejpeg($cropped_image, "cropped_" . basename($target_file));
}
imagedestroy($image);
imagedestroy($cropped_image);

Converting Image Formats

To convert an image from one format to another, you can use PHP’s imagepng() or imagegif() functions:

$image = imagecreatefromjpeg($target_file);
imagepng($image, "converted_image.png");
imagedestroy($image);

---

Working with Image Libraries in PHP

While the GD Library is the default in PHP, you can also use ImageMagick, a powerful image manipulation library. To use ImageMagick, install it and enable the imagick extension in your php.ini. Then, you can perform advanced image operations like:

$image = new Imagick('image.jpg');
$image->resizeImage(200, 200, Imagick::FILTER_LANCZOS, 1);
$image->writeImage('resized_image.jpg');
$image->destroy();

---

Example: Uploading and Resizing an Image

Here’s a complete example that allows users to upload an image, validate it, and resize it:

if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_FILES['file'])) {
    $file = $_FILES['file'];
    $target_dir = "uploads/";
    $target_file = $target_dir . basename($file['name']);
    
    // Check file size and type
    if ($file['size'] > 2 * 1024 * 1024) {
        echo "Error: File is too large.";
        exit;
    }

    if (!in_array($file['type'], ['image/jpeg', 'image/png', 'image/gif'])) {
        echo "Error: Invalid file type.";
        exit;
    }
    
    // Move the file
    if (move_uploaded_file($file['tmp_name'], $target_file)) {
        // Resize image
        $image = imagecreatefromjpeg($target_file);
        $new_width = 200;
        $new_height = 200;
        $resized_image = imagecreatetruecolor($new_width, $new_height);
        imagecopyresampled($resized_image, $image, 0, 0, 0, 0, $new_width, $new_height, imagesx($image), imagesy($image));
        imagejpeg($resized_image, "resized_" . basename($target_file));
        imagedestroy($image);
        imagedestroy($resized_image);
        echo "Image uploaded and resized successfully.";
    } else {
        echo "Error: There was a problem uploading the file.";
    }
}

---

Best Practices for File Uploads and Image Handling

1. Validate File Types and Sizes: Always validate the file type and size before processing the file.
2. Rename Uploaded Files: Use a unique name to avoid overwriting existing files.
3. Secure File Upload Directory: Store uploaded files outside the web root or restrict access to them.
4. Use Libraries for Image Manipulation: The GD Library and ImageMagick offer powerful tools for manipulating images.
5. Limit File Permissions: Set the appropriate file permissions on uploaded files to prevent unauthorized access.

---

Summary

In this module, we explored how to handle file uploads in PHP, including setting up the HTML form, checking for upload errors, validating file types and sizes, and securing file uploads. We also delved into image handling, including resizing, cropping, and converting image formats using PHP’s GD Library and ImageMagick. With these techniques, you can create secure, efficient file upload systems and manipulate images on your website.

Table of Contents

• What Is Form Validation?
• What Is Data Sanitization?
• Why Are Validation and Sanitization Important?
• Types of Form Validation
  • Client-side Validation vs. Server-side Validation
  • Validation Techniques in PHP
  • Common Validation Rules
• What Is Data Sanitization?
• How to Sanitize Form Data in PHP
• Validation and Sanitization in Action
  • Example 1: Validating a Registration Form
  • Example 2: Sanitizing User Input
• Best Practices for Form Validation and Sanitization
• Summary

---

What Is Form Validation?

Form validation is the process of ensuring that the data provided by the user in an HTML form meets specific requirements before it is processed. It helps ensure that the data is correct, complete, and within the expected format. For example, you might want to ensure that an email address is in a valid format or that a password meets a minimum length.

Form validation can be performed on both the client-side (using JavaScript) and the server-side (using PHP), with server-side validation being essential for security.

---

What Is Data Sanitization?

Data sanitization refers to the process of cleaning or filtering input data to remove any unwanted or potentially harmful content. The goal is to ensure that user input doesn’t cause issues in your application, such as breaking HTML structure, executing harmful code (like JavaScript or SQL), or causing unexpected behavior.

While validation checks whether the data is in the correct format, sanitization ensures that the data is safe to use by removing or encoding characters that could pose security risks.

---

Why Are Validation and Sanitization Important?

Both form validation and data sanitization are critical to the security, usability, and functionality of web applications.

Security

One of the biggest security risks in web development is SQL injection and cross-site scripting (XSS) attacks. These attacks exploit user input fields to inject malicious code into the application, potentially compromising data or performing unintended actions. Validating and sanitizing input prevents these types of attacks by ensuring that only safe and well-formed data is processed.

Usability

Proper validation helps improve user experience by providing immediate feedback if the input is incorrect or incomplete. It can prevent users from submitting incomplete forms or data in the wrong format.

Data Integrity

Sanitization ensures that only valid data is entered into the database. It can clean up unwanted characters, remove extra whitespace, and ensure the data adheres to the desired format.

---

Types of Form Validation

There are two main types of form validation:

Client-side Validation vs. Server-side Validation

• Client-side validation occurs in the browser (using JavaScript) before the form is submitted. It provides immediate feedback to users and can reduce the load on the server by catching common errors.
• Server-side validation occurs on the server (using PHP). It is the more secure approach since it ensures that even if an attacker bypasses client-side validation, the server will still validate the input before processing it.

While client-side validation can improve the user experience, it should never be relied upon as the sole method of validation. Server-side validation is essential for ensuring the security and integrity of the data.

---

Validation Techniques in PHP

PHP provides several built-in functions for form validation, including:

Checking Required Fields

To ensure that a field is not left empty, you can use PHP’s empty() function:

if (empty($_POST['username'])) {
    echo "Username is required.";
}

Validating Email Addresses

To check if an email address is valid, you can use PHP’s filter_var() function with the FILTER_VALIDATE_EMAIL filter:

if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo "Invalid email format.";
}

Validating Numbers

If you need to validate that a field contains only numbers, use filter_var() with the FILTER_VALIDATE_INT filter:

if (!filter_var($age, FILTER_VALIDATE_INT)) {
    echo "Please enter a valid number for age.";
}

Validating URLs

To validate URLs, use filter_var() with the FILTER_VALIDATE_URL filter:

if (!filter_var($website, FILTER_VALIDATE_URL)) {
    echo "Invalid URL format.";
}

Regular Expressions for Custom Validation

For more complex validation, regular expressions (regex) can be used. For example, you can validate a phone number with a custom regex pattern:

if (!preg_match("/^[0-9]{10}$/", $phone)) {
    echo "Invalid phone number format.";
}

---

What Is Data Sanitization?

While validation ensures that input matches a specific format, sanitization ensures that the input is free from malicious content and is safe to use. Common forms of sanitization include removing unwanted characters (such as HTML tags) and encoding special characters to prevent XSS attacks.

PHP provides several functions for sanitizing input:

• Sanitizing Strings: Use filter_var() with the FILTER_SANITIZE_STRING filter to remove HTML tags and unwanted characters:

$clean_string = filter_var($user_input, FILTER_SANITIZE_STRING);

• Sanitizing Email Addresses: Use filter_var() with the FILTER_SANITIZE_EMAIL filter to sanitize email addresses:

$clean_email = filter_var($email, FILTER_SANITIZE_EMAIL);

• Sanitizing URLs: Use filter_var() with the FILTER_SANITIZE_URL filter to sanitize URLs:

$clean_url = filter_var($url, FILTER_SANITIZE_URL);

• Sanitizing Numbers: Use filter_var() with the FILTER_SANITIZE_NUMBER_INT filter to remove non-numeric characters:

$clean_number = filter_var($number, FILTER_SANITIZE_NUMBER_INT);

---

How to Sanitize Form Data in PHP

Sanitizing form data is an essential step before storing it in the database or using it in your application. Always sanitize user input to prevent malicious content, such as JavaScript or SQL injection, from causing harm.

Here’s an example of sanitizing and validating form data in PHP:

<?php
// Assume form data is submitted via POST
$username = $_POST['username'];
$email = $_POST['email'];
$age = $_POST['age'];

// Validate and sanitize username
if (empty($username)) {
    echo "Username is required.";
} else {
    $username = filter_var($username, FILTER_SANITIZE_STRING);
}

// Validate and sanitize email
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo "Invalid email format.";
} else {
    $email = filter_var($email, FILTER_SANITIZE_EMAIL);
}

// Validate and sanitize age
if (!filter_var($age, FILTER_VALIDATE_INT)) {
    echo "Invalid age.";
} else {
    $age = filter_var($age, FILTER_SANITIZE_NUMBER_INT);
}

// Proceed with storing or processing the sanitized data
?>

In this example:

• We first validate the data (checking if it’s empty or in the correct format).
• We then sanitize the data to remove any unwanted characters that could pose security risks.

---

Validation and Sanitization in Action

Example 1: Validating a Registration Form

Let’s walk through an example of a basic user registration form with validation and sanitization:

<?php
// User registration form validation
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $username = $_POST['username'];
    $email = $_POST['email'];
    $password = $_POST['password'];

    // Validate username (not empty)
    if (empty($username)) {
        echo "Username is required.<br>";
    }

    // Validate email format
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        echo "Invalid email format.<br>";
    }

    // Sanitize input
    $username = filter_var($username, FILTER_SANITIZE_STRING);
    $email = filter_var($email, FILTER_SANITIZE_EMAIL);

    // Further processing, e.g., store in database
}
?>

Example 2: Sanitizing User Input

Here’s an example of sanitizing user input before displaying it on the web page:

<?php
// Sanitize user input to prevent XSS
$user_input = $_POST['user_input'];
$sanitized_input = htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');
echo $sanitized_input;
?>

In this case, we use htmlspecialchars() to prevent any special characters from being interpreted as HTML or JavaScript, which is critical for preventing cross-site scripting (XSS) attacks.

---

Best Practices for Form Validation and Sanitization

1. Always Use Server-Side Validation: Client-side validation improves user experience, but server-side validation is a must for security.
2. Sanitize Input Before Storing It: Always sanitize user input before inserting it into the database to prevent SQL injection and other malicious attacks.
3. Use Filter Functions: Leverage PHP’s built-in filter_var() function for data sanitization and validation.
4. Provide User Feedback: Let users know immediately if there is an issue with their input so they can correct it before submission.
5. Never Trust User Input: Treat all user input as untrusted, even if it passes client-side validation.

---

Summary

In this module, we discussed the importance of form validation and data sanitization in PHP. We covered techniques for validating various types of user input, including emails, numbers, and custom formats using regular expressions. We also explored methods for sanitizing input to prevent XSS and SQL injection attacks. Finally, we provided practical examples of validating and sanitizing form data in PHP.

Table of Contents

• What Are Prepared Statements?
• Why Use Prepared Statements?
  • Security: Preventing SQL Injection
  • Performance Benefits
• Understanding the Structure of Prepared Statements
  • Steps Involved in Using Prepared Statements
• How to Use Prepared Statements in PHP with MySQLi
  • Creating a Prepared Statement for Insertion
  • Creating a Prepared Statement for Selection
  • Creating a Prepared Statement for Update
  • Creating a Prepared Statement for Deletion
• Binding Parameters
  • What Are Bound Parameters?
  • Types of Bound Parameters in MySQLi
• Error Handling with Prepared Statements
• Summary

---

What Are Prepared Statements?

Prepared statements are a feature of MySQLi (and other database drivers) that allow you to safely execute SQL queries by separating the query structure from the data being inserted, updated, or retrieved. This approach helps secure your application against SQL injection attacks, a common vulnerability when user input is directly included in SQL queries.

In a typical SQL query, data and query structure are combined in a single string. This can be dangerous when the data comes from an untrusted source, such as a user’s input. For example, without prepared statements, a query like the following could be easily exploited:

$sql = "SELECT * FROM users WHERE email = '" . $_POST['email'] . "'";

If an attacker submits a malicious email address, such as ' OR 1=1 --, it can alter the query’s behavior, potentially exposing sensitive data.

Prepared statements address this issue by allowing you to define placeholders for data, ensuring that user input is treated only as data and never as part of the SQL query structure.

---

Why Use Prepared Statements?

Security: Preventing SQL Injection

The most critical reason for using prepared statements is security. By separating the query structure from the user input, prepared statements ensure that user data is never directly executed as part of the SQL query. This prevents SQL injection attacks.

For example, if an attacker tries to insert a string like '; DROP TABLE users; --, the database will treat it as data, not as part of the SQL query, keeping your database safe.

Performance Benefits

Prepared statements also offer performance benefits, especially when executing the same query multiple times with different data. The SQL query structure is sent to the database server only once, and subsequent executions of the query only send the data to be inserted or updated. This can reduce the workload on the database server and increase efficiency, particularly in high-traffic applications.

---

Understanding the Structure of Prepared Statements

A prepared statement involves the following steps:

1. Prepare: The SQL query is sent to the database with placeholders for the values.
2. Bind: The actual values are bound to the placeholders.
3. Execute: The query is executed with the bound values.
4. Close: The prepared statement is closed when it is no longer needed.

Prepared statements typically consist of placeholders that are marked with a question mark (?) where the actual data will be inserted later.

---

How to Use Prepared Statements in PHP with MySQLi

Let’s dive into the process of using prepared statements in PHP with MySQLi for various operations like inserting, selecting, updating, and deleting data.

Creating a Prepared Statement for Insertion

Here’s how you can safely insert data into the database using a prepared statement:

<?php
// Database credentials
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "sample_db";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Prepare and bind
$stmt = $conn->prepare("INSERT INTO users (name, email) VALUES (?, ?)");
$stmt->bind_param("ss", $name, $email);

// Set parameters and execute
$name = "John Doe";
$email = "[email protected]";
$stmt->execute();

echo "New record created successfully";

// Close statement and connection
$stmt->close();
$conn->close();
?>

In this example:

• The prepare() method prepares the SQL query with placeholders (?) for the name and email fields.
• The bind_param() method binds the actual data to the placeholders. The first argument, "ss", indicates that both name and email are strings.

Creating a Prepared Statement for Selection

To safely select data from the database, use a prepared statement as follows:

<?php
// Prepare and bind
$stmt = $conn->prepare("SELECT id, name, email FROM users WHERE id = ?");
$stmt->bind_param("i", $id);

// Set parameters and execute
$id = 1;
$stmt->execute();

// Bind result variables
$stmt->bind_result($id, $name, $email);

// Fetch the result
if ($stmt->fetch()) {
    echo "id: " . $id . " - Name: " . $name . " - Email: " . $email;
} else {
    echo "No user found.";
}

// Close statement and connection
$stmt->close();
$conn->close();
?>

In this example:

• The bind_param() method binds the id to the placeholder.
• The bind_result() method binds the columns of the result set to variables.
• The fetch() method fetches the result, making it available for display.

Creating a Prepared Statement for Update

Updating records with prepared statements is also simple:

<?php
// Prepare and bind
$stmt = $conn->prepare("UPDATE users SET email = ? WHERE id = ?");
$stmt->bind_param("si", $email, $id);

// Set parameters and execute
$email = "[email protected]";
$id = 1;
$stmt->execute();

echo "Record updated successfully";

// Close statement and connection
$stmt->close();
$conn->close();
?>

Here, the bind_param() method binds the email and id values to the placeholders. The first argument "si" indicates that email is a string and id is an integer.

Creating a Prepared Statement for Deletion

To delete records, use the following approach:

<?php
// Prepare and bind
$stmt = $conn->prepare("DELETE FROM users WHERE id = ?");
$stmt->bind_param("i", $id);

// Set parameters and execute
$id = 1;
$stmt->execute();

echo "Record deleted successfully";

// Close statement and connection
$stmt->close();
$conn->close();
?>

This example deletes the user with the specified id from the users table.

---

Binding Parameters

What Are Bound Parameters?

Bound parameters are the actual values that replace the placeholders (?) in the SQL query. Binding parameters ensures that user input is treated as data, not executable code, thereby preventing SQL injection.

Types of Bound Parameters in MySQLi

When binding parameters, the first argument passed to bind_param() specifies the type of the data:

• “i”: Integer
• “d”: Double (for floating-point numbers)
• “s”: String
• “b”: Blob (binary data)

For example, if you’re binding an integer and a string, you would use "is".

---

Error Handling with Prepared Statements

Error handling is essential to ensure that your application can handle any issues with the database operations gracefully. For instance, you can check if the prepare() or execute() functions return false, indicating an error:

if ($stmt === false) {
    echo "Error in statement preparation: " . $conn->error;
}

if ($stmt->execute() === false) {
    echo "Error in statement execution: " . $stmt->error;
}

You can also configure MySQLi to report errors more explicitly:

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

This ensures that MySQLi throws exceptions on errors, which can be caught and handled properly in your application.

---

Summary

In this module, we introduced prepared statements in PHP with MySQLi, covering their importance in preventing SQL injection and improving performance. We walked through the process of using prepared statements for insertion, selection, updating, and deletion. Additionally, we discussed binding parameters and the types of parameters used in prepared statements, along with error handling to ensure smooth execution.

Table of Contents

• What Are CRUD Operations?
• Setting Up the Database for CRUD Operations
• Creating Data in MySQL (Create)
  • Inserting Data Using MySQLi
  • Prepared Statements for Inserting Data
• Reading Data from MySQL (Read)
  • Selecting Data Using MySQLi
  • Fetching Data: Associative, Numeric, and Both Types
  • Handling No Data Returned
• Updating Data in MySQL (Update)
  • Updating Records with MySQLi
  • Prepared Statements for Updates
• Deleting Data from MySQL (Delete)
  • Deleting Records with MySQLi
  • Prepared Statements for Deleting Data
• Error Handling in CRUD Operations
• Summary

---

What Are CRUD Operations?

CRUD stands for Create, Read, Update, and Delete—the four basic operations for managing data in a database. These operations are fundamental to database management systems and are crucial for developing dynamic web applications.

1. Create: Insert new data into a database.
2. Read: Retrieve data from a database.
3. Update: Modify existing data in the database.
4. Delete: Remove data from the database.

In this module, we’ll explore how to implement each of these operations in PHP using the MySQLi extension, ensuring efficient and secure interaction with your MySQL database.

---

Setting Up the Database for CRUD Operations

Before we start with CRUD operations, ensure you have a MySQL database with a table ready for these operations. For this module, we’ll use a table named users with the following structure:

CREATE DATABASE sample_db;
USE sample_db;

CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(255) NOT NULL,
    email VARCHAR(255) NOT NULL
);

This table will be used for all CRUD operations. If you haven’t already set up the database, please do so before proceeding.

---

Creating Data in MySQL (Create)

The Create operation allows us to insert new data into the database. We can use the INSERT INTO SQL statement to achieve this.

Inserting Data Using MySQLi

To insert data into the users table, use the following example:

<?php
// Database credentials
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "sample_db";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Insert data
$sql = "INSERT INTO users (name, email) VALUES ('Jane Doe', '[email protected]')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

// Close connection
$conn->close();
?>

In this code:

• The query() method executes the INSERT INTO SQL query.
• If the query is successful, a success message is displayed.

Prepared Statements for Inserting Data

To enhance security and avoid SQL injection attacks, it’s recommended to use prepared statements for inserting data.

<?php
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Prepare and bind
$stmt = $conn->prepare("INSERT INTO users (name, email) VALUES (?, ?)");
$stmt->bind_param("ss", $name, $email);

// Set parameters and execute
$name = "Jane Doe";
$email = "[email protected]";
$stmt->execute();

echo "New record created successfully";

// Close connection
$stmt->close();
$conn->close();
?>

Using prepared statements ensures that user input is safely handled, making it resistant to SQL injection.

---

Reading Data from MySQL (Read)

The Read operation retrieves data from the database. We use the SELECT SQL query to fetch data from the table.

Selecting Data Using MySQLi

To read data from the users table, use the following query:

<?php
$sql = "SELECT id, name, email FROM users";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
    // Output data of each row
    while($row = $result->fetch_assoc()) {
        echo "id: " . $row["id"]. " - Name: " . $row["name"]. " - Email: " . $row["email"]. "<br>";
    }
} else {
    echo "0 results";
}

$conn->close();
?>

In this code:

• The query() method executes the SELECT query.
• The fetch_assoc() method returns each row as an associative array.

Fetching Data: Associative, Numeric, and Both Types

You can fetch data in different formats:

• Associative: Fetches data as an associative array (column names as keys).
• Numeric: Fetches data as a numeric array (column indexes as keys).
• Both: Fetches data as both an associative and numeric array.

// Fetch associative and numeric
$row = $result->fetch_array(MYSQLI_BOTH);
echo "id: " . $row[0] . " - Name: " . $row["name"] . "<br>";

Handling No Data Returned

When no data is found, it’s important to handle that case. In the example above, we used if ($result->num_rows > 0) to check if any rows were returned. If no rows are found, we print “0 results”.

---

Updating Data in MySQL (Update)

The Update operation modifies existing data in the database. To update data, we use the UPDATE SQL query.

Updating Records with MySQLi

Here’s an example of how to update a record in the users table:

<?php
$sql = "UPDATE users SET email='[email protected]' WHERE id=1";

if ($conn->query($sql) === TRUE) {
    echo "Record updated successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>

This code updates the email address of the user with id=1.

Prepared Statements for Updates

To prevent SQL injection, use prepared statements when updating data:

<?php
// Prepare and bind
$stmt = $conn->prepare("UPDATE users SET email=? WHERE id=?");
$stmt->bind_param("si", $email, $id);

// Set parameters and execute
$email = "[email protected]";
$id = 1;
$stmt->execute();

echo "Record updated successfully";

// Close connection
$stmt->close();
$conn->close();
?>

Prepared statements ensure that the data is handled securely and efficiently.

---

Deleting Data from MySQL (Delete)

The Delete operation removes data from the database. To delete a record, we use the DELETE SQL query.

Deleting Records with MySQLi

Here’s an example of how to delete a record:

<?php
$sql = "DELETE FROM users WHERE id=1";

if ($conn->query($sql) === TRUE) {
    echo "Record deleted successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>

This code deletes the user with id=1 from the users table.

Prepared Statements for Deleting Data

Again, to ensure security, use prepared statements for deletion:

<?php
// Prepare and bind
$stmt = $conn->prepare("DELETE FROM users WHERE id=?");
$stmt->bind_param("i", $id);

// Set parameter and execute
$id = 1;
$stmt->execute();

echo "Record deleted successfully";

// Close connection
$stmt->close();
$conn->close();
?>

Using prepared statements with deletion operations reduces the risk of SQL injection.

---

Error Handling in CRUD Operations

Error handling is crucial for identifying and troubleshooting issues in your application. In PHP, we use the error property of MySQLi to display errors when executing queries.

For example:

if ($conn->query($sql) === FALSE) {
    echo "Error: " . $conn->error;
}

To enable more detailed error reporting, you can configure MySQLi to throw exceptions on errors:

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

This ensures that errors are raised as exceptions, making it easier to catch and handle them.

---

Summary

In this module, we covered the four basic CRUD operations—Create, Read, Update, and Delete—using MySQLi in PHP. We discussed both procedural and object-oriented approaches to perform these operations securely, with an emphasis on using prepared statements to prevent SQL injection.