Newbie - need guidance

Hi all,

so I started watching some videos about PHP and mysql, installed XAMP and started practicing. I learned variables, outputting to screen, if statements, for/while loops and I am currently looking into classes and OOP. I built my first mini website, focusing more on functionality than graphic design (will fix that later). Then while browsing different PHP resources I learned that mysql has now been deprecated and that mysqli should be used instead. I now have to modify all the queries. Then I started wondering what else have I been learning that is not correct or outdated? For example, should I create a separate dbconnect.php that takes care of connecting to the db instead of adding this info into the html page? And should this file be stored in a protected directory on the server? Is it ok to write queries into an html page to extract and display data from a db and if not, how is it done safely? There is so much to learn about PHP security that I feel like one should dedicate a whole month just for that, before even starting to write any code. What is the best learning path for someone that is just starting?

Actually web security can take up years to figure out, it’s a really complicated matter.

And congrats on learning something instead of just sitting on the computer playing games or something! Seems like you’ve come a pretty long way on yourself, which is great :slight_smile:

[hr]

Mysql has been deprecated; Mysqli and PDO were introduced 10 years ago. I prefer using PDO but either will do just fine. Just remember that just switching isn’t enough, you need to modify the queries so you use so-called parameterized queries.

This means changing statements like this:[php]"SELECT * FROM users WHERE id = ".mysql_real_escape_string($_GET['id'])." AND active = 1;"[/php]

into:[php]"SELECT * FROM users WHERE id = ? AND active = 1;"[/php]

And then bind the variable to the statement afterwards. This means the SQL server can parse the statement safely without any user input, effectively taking care of any possibility to do SQL injections. So you no longer need to escape data! :smiley:

[hr]

It has become popular to move the php files out of the public dir on your web server. This means that interesting files will never be publicly available, and PHP source code will not be disclosed if the server software somehow messes up and stops using the PHP engine (outputs files as plain text).

This gives you a directory structure like this

[code]/app
    /config
        config.php
    /controllers
        indexController.php
    /models
        Message.php
    /views
        /default
            home.php
    bootstrap.php
/public
    /css
        site.css
        bootstrap.js
    /js
        app.js
        bootstrap.js
        jquery.js
    /img
        logo.png
        favicon.ico
    index.php[/code]

Note: index.php must be in the public dir, but it should be used to just load the bootstrap file which is in a directory somewhere outside the public scope. A bootstrap file has nothing to do with Twitter Bootstrap though, it’s just a file that sets up the environment, loading configs, setting up db, setting up autoloading, etc.

[hr]

Lastly it’s considered good practice to separate logic and view. So do your PHP logic in one file, then load a view (template) file that just displays the data. This separation makes it very easy to maintain later on as the app grows. Some logic will always sneak into the view though, but I try to limit it to loops, if (userLoggedIn), etc.
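The parameterized-query and bootstrap ideas from the post above, as an added example (not code from the thread or from any of its posters). It assumes a MySQL database named app, a table users, and placeholder credentials; both the ? and the :name placeholder styles are shown.

```php
<?php
// Added example. In the layout above, public/index.php would contain only:
//   require __DIR__ . '/../app/bootstrap.php';
// and app/bootstrap.php would set up the connection below (placeholder credentials).
declare(strict_types=1);

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'PLACEHOLDER_PASSWORD', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        PDO::ATTR_EMULATE_PREPARES   => false, // let MySQL parse the statement itself
    ]);
}

// Positional placeholder (?) -- the form shown in the post above.
// The SQL text never contains user input, so no escaping is needed.
function findActiveUser(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = ? AND active = 1');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Named placeholder (:name) -- equivalent; easier to read with several parameters.
function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, name FROM users WHERE email = :email AND active = :active'
    );
    $stmt->execute([':email' => $email, ':active' => 1]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Usage: validate the type of the incoming value, then pass it straight through.
// filter_input returns false for a non-integer and null when the parameter is absent.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}
$user = findActiveUser(connect(), $id);
```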

Just want to add that there are plenty of ways to put your php off the beaten path (other directories), it’s up to you on how you go about doing it. I say as long as it is organized then you’re set to go, but how JimL set up the php is probably one of the best ways of doing it. As for security the main thing I go by is this “Why should I reinvent the wheel when there are people out there that do this for a living”. By this I mean I use libraries (such as a password hashing library) that other people that I know have written, this serves as two things for me. One, I’m pretty sure that it is secure for it was written by an expert(s) and two, it frees me up to do the coding that I really want to do (writing a cms, php dynamic photo gallery, etc…). Then there is knowing php code that is secure and that just usually entails using code that ISN’T deprecated and taking full advantage of the new php functions/methods. Just my .02 cents. :wink:

True, the modularity introduced by packagist/composer is awesome and lets you easily add components to your application.

And “don’t roll your own crypto” has much truth in it.

Ok Jim, thank you for taking the time to explain. I am amazed at the amount of tutorials and videos out there that are still teaching the old stuff. And Strider, thanks for the tips and your time as well.
So what do you guys suggest would be my next step? I mean how would I go from basic PHP (variables, functions, etc…) to learning MySQLi and/or PDO? Should I still study the old material (MySQL queries) and then learn how to convert to MySQLi / PDO or should I just learn the new material instead? Are there any video tutorials for beginners (I tend to learn better when the info is presented visually). I kind of feel lost at the moment.

Basically to make a modern web app you need to know

[ul][li]some server side language, in this case PHP[/li]
[li]how to set up and use a database, MySQL is common[/li]
[li]how to perform operations on that database (PHP -> mysqli or PDO)[/li]
[li]HTML[/li]
[li]Javascript[/li]
[li]CSS[/li][/ul]

You can definitely find tutorials on PHP/PDO on youtube, just try skipping to the middle somewhere and see if they do queries like this

“SELECT * FROM users WHERE id = ?” or “SELECT * FROM users WHERE id = :id”

If so you’re good to go (y)

Thanks Jim,

I’m going to look into PDO first because it makes PHP DB Platform independent, as opposed to mysqli.

My first attempt at using PDO:

http://www.phphelp.com/forum/general-php-help/newbie-review-of-a-small-section-of-code-and-questions/
