Address book with database tables
Problem
This is my first time messing with PHP and I tried to put together a simple address book: when the user fills out the form it updates a database table, then displays the row data on the page after submission.
It works fine, but I just want to make sure I'm headed in the right direction.
index.php (only the visible text survived extraction; the form markup is missing):

Address Book
Contact name
Email address
Phone
Birth Date
Add new contact
dbconnect.php:

// database connect
$database = mysqli_connect(
    "localhost",
    "user",
    "password",
    "database"
);

records.php:

// connects to database
include("dbconnect.php");

// targets the database table contacts
$records = mysqli_query($database, "SELECT * FROM contacts");

// pull row data from database and print one table row per contact
// (the <tr>/<td> tags were lost in extraction and are restored here to match the answer's template)
while ($record = mysqli_fetch_array($records)) {
    echo "<tr>";
    echo "<td>" . $record['firstName'] . " " . $record['lastName'] . "</td>";
    echo "<td>" . $record['email'] . "</td>";
    echo "<td>" . $record['phone'] . "</td>";
    echo "<td>" . $record['email'] . "</td>"; // email is printed a second time; the Birth Date field is never shown
    echo "</tr>";
}
mysqli_close($database);

Solution
I think there are two major issues you should address right in the beginning when you start with PHP.
Separation of Layout and Logic
This means in general that you shouldn't mix HTML and PHP code. Later this will lead you to the MVC-Pattern.
Prevent SQL Injection
You are passing user input directly to the query you send to the database. Wikipedia elaborates some examples in detail and shows how queries can be manipulated.
The easiest way for you to prevent this is using PHP Data Objects and Prepared Statements. I think there is no need for going into detail here if you don't have a specific question; there are many good tutorials out there. The important part is that the user is no longer able to change the query you send to the database.
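How the empty POST branch could be filled in with PDO and prepared statements, as the answer suggests. This is an added example, not code from the question or the answer; the column names come from records.php, while the form field names, the DSN placeholders and the e() helper are assumptions:

```php
<?php
// Added example, not code from the question or the answer: the POST branch
// that the answer leaves as "//..." written with PDO prepared statements.
// Assumed: table `contacts` with columns firstName, lastName, email, phone
// (the columns records.php reads); form fields with those same names;
// host, user, password and database name are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=database;charset=utf8mb4',
    'user',
    'password',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // let the server parse the query
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The SQL text is fixed when it is prepared; the form values are sent
    // afterwards as parameters, so quotes or keywords typed into the form
    // end up stored as plain text and cannot alter the statement.
    $insert = $pdo->prepare(
        'INSERT INTO contacts (firstName, lastName, email, phone)
         VALUES (:firstName, :lastName, :email, :phone)'
    );
    $insert->execute([
        ':firstName' => trim($_POST['firstName'] ?? ''),
        ':lastName'  => trim($_POST['lastName']  ?? ''),
        ':email'     => trim($_POST['email']     ?? ''),
        ':phone'     => trim($_POST['phone']     ?? ''),
    ]);
}

// Read side for the template: no user input here, but the same API.
$records = $pdo->query(
    'SELECT firstName, lastName, email, phone FROM contacts ORDER BY lastName'
)->fetchAll();

// Stored values are untrusted on the way out as well: template.php should
// print e($record['email']) rather than the raw value (assumed helper).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

include 'template.php';
```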
Minor issues

- If you only have one database connection, PHP will use this connection automatically with the mysqli_ methods, so you don't have to pass $database around.
- It is best practice to leave out the final '?>' in plain PHP files. This prevents accidentally sending whitespace after ?> to the browser. (Important if you change the header later.)
- echo "Everything blew up!" . mysqli_error($database); : maybe you should use die.
Code Snippets

index.php:

<?php
// connect to database
include("inc/dbconnect.php");

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    //...
}

$result = mysqli_query($database, "SELECT * FROM contacts");

// collect all rows first; the template only renders them
$records = array();
while ($row = mysqli_fetch_array($result)) {
    $records[] = $row;   // was $record[], a typo that left $records empty
}
mysqli_close($database);

include 'template.php';

template.php:

<!DOCTYPE html>
<html>
...
<tbody>
<?php /* every value is escaped on output so stored data cannot inject markup */ ?>
<?php foreach ($records as $record): ?>
<tr>
<td><?= htmlspecialchars($record['firstName'], ENT_QUOTES) ?> <?= htmlspecialchars($record['lastName'], ENT_QUOTES) ?></td>
<td><a href="mailto:<?= htmlspecialchars($record['email'], ENT_QUOTES) ?>"><?= htmlspecialchars($record['email'], ENT_QUOTES) ?></a></td>
<td><?= htmlspecialchars($record['phone'], ENT_QUOTES) ?></td>
<td><?= htmlspecialchars($record['email'], ENT_QUOTES) ?></td> <!-- mirrors the original: email again instead of Birth Date -->
</tr>
<?php endforeach; ?>
</tbody>
...
</html>

Context
StackExchange Code Review Q#29008, answer score: 11