HiveBrain v1.2.0

Address book with database tables

Submitted by: @import:stackexchange-codereview

Problem

This is my first time messing with PHP, and I tried to put together a simple address book that, when the user fills out the form, updates a database table and then displays the row data on the page after submission.

It works fine, but I just want to make sure I'm headed in the right direction.

index.php:

<!DOCTYPE html>
<html>
<head>
    <title>Address Book</title>
</head>
<body>
<h1>Address Book</h1>

<table>
    <thead>
        <tr>
            <th>Contact name</th>
            <th>Email address</th>
            <th>Phone</th>
            <th>Birth Date</th>
        </tr>
    </thead>
    <tbody>
        <?php include("records.php"); ?>
    </tbody>
</table>

<h2>Add new contact</h2>
<form method="post">
    <!-- input fields for the new contact (not shown) -->
</form>
</body>
</html>

dbconnect.php:

<?php
// database connect
$database = mysqli_connect(
            "localhost",
            "user",
            "password",
            "database"
);


records.php:

<?php
// connects to database
include("dbconnect.php");

// targets the database table contacts
$records = mysqli_query($database, "SELECT * FROM contacts");

// pull row data from database and print one table row per contact
// (values are echoed as-is, without HTML escaping)
while ($record = mysqli_fetch_array($records)) {
    echo "<tr>";
    echo "<td>" . $record['firstName'] . " " . $record['lastName'] . "</td>";
    echo "<td>" . $record['email'] . "</td>";
    echo "<td>" . $record['phone'] . "</td>";
    echo "<td>" . $record['email'] . "</td>"; // the Birth Date column currently repeats the email
    echo "</tr>";
}

mysqli_close($database);

Solution

I think there are two major issues you should address right at the beginning when you start with PHP.

Separation of Layout and Logic

In general, this means you shouldn't mix HTML and PHP code. Later this will lead you to the MVC pattern.

index.php

<?php
// connect to database
include("inc/dbconnect.php");

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    //...
}

$result = mysqli_query($database, "SELECT * FROM contacts");

// collect the rows first; the template only renders them
$records = array();
while ($row = mysqli_fetch_array($result)) {
    $records[] = $row;
}

mysqli_close($database);

include 'template.php';


template.php

<!DOCTYPE html>
<html>
...
    <tbody>
        <?php foreach ($records as $record):?>
        <tr>
             <td><?= $record['firstName']?> <?= $record['lastName']?></td>
             <td><a href="mailto:<?= $record['email']?>"><?= $record['email']?></a></td>
             <td><?= $record['phone']?></td>
             <td><?= $record['email']?></td>
        </tr>
        <?php endforeach;?>
    </tbody>
...
</html>


Prevent SQL Injection

You are passing user input directly to the query you send to the database. Wikipedia elaborates some examples in detail and shows how queries can be manipulated.

The easiest way for you to prevent this is to use PHP Data Objects and prepared statements. I think there is no need to go into detail here if you don't have a specific question; there are many good tutorials out there. The important part is that the user is no longer able to change the query you send to the database.

Minor issues

  • If you only have one database connection, PHP will use this connection automatically with the mysqli_ methods, so you don't have to pass $database around.

  • It is best practice to leave out the final ?> in plain PHP files. This prevents you from accidentally sending whitespace after ?> to the browser. (Important if you change the header later.)

  • echo "Everything blew up!" . mysqli_error($database); Maybe you should use die.

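The POST branch the answer leaves as //..., written with PDO and prepared statements as the answer recommends. This is an added example, not code from the question or the answer; it assumes a contacts table with the columns firstName, lastName, email and phone used in records.php, form fields with the same names, and placeholder credentials, and it additionally escapes values on output, which the answer does not cover.

```php
<?php
// Added example (not code from the question or the answer): the POST branch left as
// "//..." in the answer's index.php, written with PDO prepared statements.
// Assumed: table `contacts` with columns firstName, lastName, email, phone (the names
// used in records.php); form fields with the same names; placeholder credentials.

$pdo = new PDO(
    "mysql:host=localhost;dbname=database;charset=utf8mb4",   // placeholder DSN
    "user",                                                   // placeholder user
    "password",                                               // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

// Insert a contact. The SQL text is fixed; user values are bound as parameters, so a
// quote or semicolon in the input is stored as data and never re-parses the statement.
function addContact(PDO $pdo, array $post): void {
    $stmt = $pdo->prepare(
        "INSERT INTO contacts (firstName, lastName, email, phone) VALUES (?, ?, ?, ?)"
    );
    $stmt->execute([
        $post['firstName'] ?? '',
        $post['lastName']  ?? '',
        $post['email']     ?? '',
        $post['phone']     ?? '',
    ]);
}

// Fetch all rows as associative arrays for the template; a static query needs no parameters.
function allContacts(PDO $pdo): array {
    return $pdo->query("SELECT firstName, lastName, email, phone FROM contacts")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Escape on output as well: stored values are rendered into HTML by template.php,
// so the template prints each value through h() instead of echoing it raw.
function h(?string $value): string {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER["REQUEST_METHOD"] === "POST") {
    addContact($pdo, $_POST);
}
$records = allContacts($pdo);
include 'template.php';
```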

Context

StackExchange Code Review Q#29008, answer score: 11
