Lesson 6.4. Connect to MySQL in PHP

PDO or MySQLi

There is two main API for creating SQL queries from MySQL:

• MySQLi : My SQL improved
• PDO : PHP Data Objects

The choice of an API is questionable. In the following, we will use PDO for two reasons:

• PDO is compatible with many databases, while MySQLi is dedicated to MySQL.
• PDO allows the writing of parameterized requests. These queries separate the SQL commands fror parameters, which reduces the risk of SQL injection.

SQL injection

SQL injection is a hacking technique that exploits a flaw website security. This technique consists in injecting a malicious SQL query into a HTML form.

Assume a connection request that selects a user based his username and password:

SELECT uid FROM Users WHERE username = '(nom)' AND password = '(mot de passe)';

A login form allows a user to enter its username and password. Let's now assume that a malicious user enters Dupont'; -- as username.

The previous SQL query will become:

SELECT uid FROM Users WHERE name = 'Dupont'; -- AND password = '(mot de passe)';

In SQL, -- marks the beginning of a comment. Here, the password will not be checked: there is a risk that a hacker impersonates another user.

There are several techniques to prevent this risk. For example you may systematically escape the data entered by the user and / or use an API with parameterized queries that will separate the SQL commands from parameters. In the following, we'll study the second option.

This example is adapted from the Wikipedia page on SQL injection.

Connection

The following code allows connection to the MySQL database. Connection must be performed once and only once before any other MySQL query:

<?php
// Change for your connection data
$servername = "localhost";
$username = "username";
$password = "password";

try 
{
    $db = new PDO("mysql:host=$servername;dbname=myDB", $username, $password);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    echo "Connection successfull";
}
catch(PDOException $e)
{
    echo "Connection failed: " . $e->getMessage();
    die();
}
?>

You will notice that the above script contains the server address, the username and the database password. This information should never be public. You will want to make sure that no user can access it.

You will also notice the use of the PHP error handling mechanism try ... catch, which allows you to continue executing the script in case of error.

You will finally notice that the $db variable is an instance of the PDO class. If your site must access multiple databases, you must create as many instances as databases. This variable should be kept as long as you need to communicate with the database because:

• its attributes contain the connection configuration;
• its methods allow dialogue with the database.

In the rest of the course, we will assume the existence of the $db variable.

Exercice

1. Using phpMyAdmin, create a database.
2. Using phpMyAdmin, create a new MySQL user with all rights.
3. Use the above PHP code to connect to your new database.

See also

• Web development class
• Lesson 1.1. History of the Internet
• Lesson 1.2 Introduction to HTML
• Lesson 1.3. Special characters in HTML
• Lesson 1.4. Comments in HTML
• Lesson 1.5. Global structure of HTML pages
• Lesson 1.6. Hyperlinks in HTML
• Lesson 1.7. ID attribute in HTML tags
• Lesson 1.8. HTML anchors
• Lesson 1.9. Images in HTML pages
• Lesson 1.10. HTML tables
• Lesson 1.11. Most used HTML tags
• Lesson 1.12. Some advice
• Lesson 1.13. Ressources
• Lesson 2.1. Introduction to CSS
• Lesson 2.2. Inline CSS
• Lesson 2.3. Internal CSS
• Lesson 2.4. External CSS
• Lesson 2.5. CSS selectors
• Lesson 2.6. CSS colors
• Lesson 2.7. Margin and padding
• Lesson 2.8. CSS units
• Lesson 2.9. Most used CSS properties
• Lesson 3.1. History of JavaScript
• Lesson 3.2. JavaScript Hello World
• Lesson 3.3. Console.log
• Lesson 3.4. Comments in JavaScript
• Lesson 3.5. Variables in JavaScript
• Lesson 3.6. JavaScript events
• Lesson 3.7. Document Object Model (DOM)
• Lesson 3.8. Changing HTML
• Lesson 3.8. JavaScript frameworks
• Lesson 4.1. Introduction to PHP
• Lesson 4.2. PHP tags
• Lesson 4.3. PHP variables
• Lesson 4.4. isset vs empty vs is_null
• Lesson 4.5. PHP operators
• Lesson 4.6. PHP quotes
• Lesson 4.7. Tests in PHP: if .. else
• Lesson 4.8. PHP arrays
• Lesson 4.9. PHP loops
• Lesson 4.10. PHP sessions
• Lesson 5.1. HTML forms
• Lesson 5.2. HTML forms, POST or GET?
• Lesson 5.3. Input fields
• Lesson 5.4. HTML form fields
• Lesson 6.1. Introduction to MySQL
• Lesson 6.2. phpMyAdmin
• Lesson 6.3. SQL queries
• Lesson 6.5. SQL queries in PHP
• Lesson 6.6. Getting data from MySQL in PHP
• Lesson 6.7. Get last ID

---