Getting this post ready for Redo Week involved scrubbing out the rambling and rather unhelpful prose and replacing it with helpful advice. Now, my “for newbs by a newb” PHP and MySQL post will help new Web programmers out much more!
For PHP developers of both newbie and veteran status, there are always new ways in which hackers exploit our carefully-crafted scripts. We have to keep tabs on newly discovered security holes in our scripts, as well as minding how we construct our pages so that people can’t just inject a bunch of code into our websites, all so that our sites will run the way we want them to, and so our users’ data will be protected.
Thus, I bring to your attention the following 4 PHP pitfalls, which are vitally important for us to be aware of as we build our sites. (Incidentally, this post started out as a “PHP tricks” post, but when I saw just how many blog posts are out there already with that premise (and how many of them advocate unsafe code), I thought it best to research PHP security problems instead. And boy, did I ever discover some doozies!)
#4: Exposing Your Filepaths to Users
Most users won’t care much if the paths to various files on your site are easy to guess (or easily viewable in their address bars). A few users, however, may choose to take advantage of that–not just for hotlinking your images, scripts, etc., but for stealing data that is supposed to be secure! Yikes! If you’re running any kind of site with
logins and passwords, especially an e-commerce site, easily-visible filepaths are BAD!
So, how to fix this? Thankfully, there are fairly easy PHP scripts that can disguise a file’s real path on your server with variables, making it much more difficult for hackers to guess where a file is. For instance, motov.net has an example script that is only 13 short lines of PHP code!
#3: Not Securing Your Databases
As mentioned in #4, MySQL databases with logins, passwords, credit card info, etc. are very juicy targets for hackers. If you don’t build in protections for all this sensitive data, your site could end up being victimized, leaving you with very angry users!
PHP.net has a series of articles on how to design your database for better security, how to securely connect to such a database, and more. Layering database security, just like layering clothes before you go out in the cold, can really help protect your users’ data! (Also, WebmasterWorld’s forums has a post about securing database connections which may be of further use.)
#2: Leaving Your PHP Sessions Open to Hijacking
Any time you have users logging in to a site, you are most likely incorporating a PHP session ID, a unique number that tracks them around the site so they don’t have to keep logging in every time they go to a new page. Unfortunately, hackers can get hold of those numbers if they’re easily guessed or stored in an insecure location (see #3). You might not think somebody could wreak much havoc with just a PHP session ID number, but a hacker could end up stealing somebody else’s whole account with just such a number!
To keep your users’ session ID numbers safe(r), consider some of the tactics suggested on this StackOverflow topic, including SSL connections, randomly-generated ID numbers (instead of incrementally increasing numbers), and sessions that expire within shorter time frames.
#1: Leaving Your Site Vulnerable to SQL Injections
When we PHP developers, especially newbie developers like myself, write MySQL queries pointing to our databases, sometimes we forget that malicious users exist for a minute. We forget to keep our very PHP script files safe from “SQL injections”–that is, targeted code attacks that fiddle with our SQL queries just enough to dig up data from the database, rewrite it, or even delete it all!
To keep your SQL/MySQL code from being fiddled with or just plain overridden, PHP.net has an excellent reference article which explains several code tactics you can use, such as connecting to your database with a user specifically limited to the task you’re trying to complete, checking that the inputted data is the right type, etc. This StackOverflow topic about preventing SQL injections may also be helpful as you tackle this tricky issue.
All of these precautions may seem unnecessary, especially to newbie PHP developers, but these are all giant security holes that can cause us a lot more headaches and frustration (not to mention user anger). Nip these problems in the bud, and you’ll be saving yourself a lot of time and trouble later!
No matter whether you’re a veteran at using databases or a novice to the world of MySQL, there is one thing you NEVER want to encounter: a vanished database. (Especially when you’ve put a lot of work into loading that database full of content!) But if you’re facing this right now, never fear! The following article, compiled from my personal experience (and some frantic Googling) will help you attempt to restore that which seems lost.
The Situation: WP_Posts for Crooked Glasses Was GONE
Early on the morning of July 22nd, I was busily editing some WordPress pages after I had uploaded one of my weekly posts. The pages, however, would not save correctly–it seemed they “forgot” all the edits I made, no matter how many times I pressed the “Update” button.
About an hour later (I was working over dialup, so things were VERY slow), I tried again to update the page, only to be told “This page does not exist.” I tried navigating to the other pages I was working on–same message. Then I tried to view my blog…and was absolutely flabbergasted at what I saw.
A big fat 650-pixel-wide space of NOTHING, where all my posts should be. I logged into my WordPress site, and both the Posts and Pages counts read 0.
You can probably imagine what happened next. Over 2 years of work (work I had only limited backups of), GONE? Just like THAT?! Furious weeping, gnashing of teeth (and, admittedly, some throwing of small items across the room) ensued. I scanned through all of WordPress’ help files hosted in my dashboard, but to no avail. I had no idea what had happened, and had no idea how to fix it.
…Well, I had no idea how to fix it, until I thought of something a little outside the box.
PHPMyAdmin: The Unexpected Savior
I remembered, in between gasping for panicked breaths, that my blog was hosted on my domain, and that the databases and tables for my blog should be housed within the PHPMyAdmin bit of my host’s control panel. After all, that’s how I’d worked with databases back in the days of fanlistings and such.
Working as quickly as dialup would allow, I opened PHPMyAdmin, clicked my WordPress blog’s database name, and pulled up the “wp_posts” table from within the huge list of tables it gave me.
Immediately, I was greeted with the message that answered my question and gave me another: “This table is marked as crashed and should be repaired.”
Okay, great, it’s crashed but it can be repaired, I thought. So how do you go about DOING that?
I Googled for help (thank God for Google!), and came across a number of articles, such as this one from SiteGround, telling me to “look for a drop-down menu below the list of tables, check the one that needs repairing, and choose ‘Repair Table.'”
Selecting the database FINALLY brought up a list of the contained tables in the larger window. And there, at the bottom of the page, lay the long-sought drop-down box. HALLELUJAH! I quickly clicked the check-mark box next to “wp_posts,” then used the drop-down menu to select “Repair Table.”
One Small Caveat
The “Repair Table” solution usually works for most crashed database tables…but notice I said usually. Sometimes, a table crashes and you can’t get it repaired no matter what. :C I recommend doing backups of your work as often as possible, just in case.
Much like learning a language is for communicating with other humans, creating websites from scratch is all about communicating your design and function intentions to a browser or Web server. And to be a good web developer in this day and age, you need to be multi-lingual–speaking several different programming languages to be able to design better, sleeker and more functional websites.
But just Googling “web programming languages” or something similar brings up a whole host of options to learn, and it can be overwhelming for the beginning user. Where do you begin? Do you start learning MySQL, or Ruby on Rails? Should you take a course in HTML, or is Python the next big thing?
Thankfully, it doesn’t have to be this confusing. In this post I have culled the 5 most important Web programming languages to know–the ones which make up about 90% of most modern websites. If you’re just beginning to learn how to build websites, this article will serve as a road map.
HTML: The Skeleton of the Web
HTML is the strong, silent (and mostly invisible) foundational structure which provides you a page to look at (such as the one you’re reading from right now). It provides line breaks, breaks text up into paragraph structures, formats tables, divides page content into layers…pretty much anything that makes up your page’s most basic structure is what HTML handles best.
This should be your first Web language to learn, since so many of the other programming languages depend on it to function. Here are some excellent resources to start learning:
CSS: The Magic Styling Wand of the Web
Perfectly complementing HTML’s invisible strength, CSS takes HTML’s structure and gives it style. From giving your text just the right font choice and color to aligning each of your divided layers pixel-perfect on the screen, CSS can transform any boring old text and images into a lovely yet still functional page. There are plenty of simple CSS tricks that translate into downright amazing page effects–things you would never expect to accomplish with just a few lines of code!
CSS should be your second language to learn, as it builds on HTML knowledge while extending HTML’s capabilities of displaying Web content properly. Here are some resources to study CSS (both how it works and what it looks like when done right):
PHP: The Workhorse of the Web
Many of the websites you see today, like this one, are made possible with PHP–it’s literally everywhere, even though none of its code appears when you click “View Source.” The reason its code does not appear is because PHP is a server-side language, meaning that everything it does is tied to having a conversation with the server (that’s the thing that holds all your web pages, images, etc.).
PHP acts as a go-between for your browser (Internet Explorer, Mozilla Firefox, Google Chrome, or similar programs) and the server, asking questions of the server and delivering appropriate responses back to the browser in the form of a displayed page. (Ever searched for anything using a site’s search box? PHP was likely powering the search!)
PHP should be your fourth language to learn, since it is the most widely used of all the server-side languages, yet still deals with outputting data in HTML/CSS forms. Here are some excellent resources to help you learn PHP:
MySQL: The Librarian of the Web
If you’ve got data to store, search through, and access, MySQL can handle it quite ably–it’s a programming language built to make, search, and access online databases on a server. The only trouble is, it doesn’t actually display the data on its own. So, quite often you’ll see PHP and MySQL being taught side-by-side; PHP code can “talk” to the MySQL database and retrieve results.
Still, you need to know how MySQL works in order to build a PHP script that can communicate with it. (Believe me, if you don’t know how MySQL works, you’re going to be VERY frustrated trying to build a successful PHP code to work with a MySQL database!) Here are a few sites to start your MySQL learning:
(Fun fact: Most formally-trained programmers pronounce MySQL as “my sequel.” I, however, being relatively untrained, mentally pronounce it “my skwul” despite trying to train myself otherwise. LOL!)
These five Web programming languages may look scary, but if you take them one language at a time, mastering each before you move on, you will find that things become much easier to understand. And, once you understand these five, you will have a great basis of knowledge on which to build even further programming know-how. I hope this little “road map” serves you well!
My current experience with PHP and MySQL has not been all tiptoeing through tulips. More often, it’s slashing my way through somebody else’s jungle-y code, trying desperately to understand how each part of the code functions, why even the smallest comma or space throws everything off, etc.
I’ve struggled with various projects in the last few years, mostly working on getting PHP to display results from a MySQL database. One of those projects is this very blog, which is now working beautifully after a few false starts. The other, a Magic: the Gathering trades database, never would find search results the way it was supposed to despite hours of debugging and reworking. (I finally got tired of struggling with it and screaming at it after about a YEAR–I was never so happy to hit the Delete button in my entire life.)
The Problem I Face (and What Most Newbie Programmers Face)
The bottom line is that PHP and MySQL are two of the more logic-based, technical Web programming languages out there. It has been far more difficult to teach myself PHP and MySQL than it was to teach myself HTML and CSS, because the vocabulary is so different, and the syntax is hard to read. From this newbie’s perspective, some of PHP and most of MySQL just hasn’t made sense at all; it’s just dollar signs and semicolons everywhere, and thus debugging it is a lost cause (as I discovered).
More experienced programmers might ask, “Well, why not just Google it and learn from tutorials?” There’s a problem with most tutorials available on the Internet; they are simply not written for actual programming newbies. They contain far too many technical words that are not easily defined–terms that someone with experience would know right away, but which a complete newb to programming would be confused by.
But Never Fear! Help Is On the Way!
Thankfully, after much, MUCH searching, I have discovered a few simpler, well-paced and fully-explained tutorials available to PHP and MySQL newbs like myself:
- Webmonkey’s PHP Tutorial for Beginners (ignore the bit about installing a server on your computer)
- PHP 101: PHP for the Absolute Beginner
- MySQL Tutorials @ Tizag.com
- MySQL Syntax @ Tizag.com
- MySQL Intro @ W3Schools
In some of these tutorials, I have found long-searched answers to some of the most basic MySQL and PHP questions I’ve had–questions which undermined any knowledge I tried to take in. With those now answered, I think I’m finally on my way to understanding. Check them out, and see if these careful explanations work for you!