Hi and welcome to the third post about PHP.

Today I am going to talk about forms and database communication in PHP, and how easy it is.

HTML form is a simple way to get user inputted data from a web page, and the basic syntax is something like this:

<form action="php_form_1.php" method="post">
 <table>
  <tr><td>Username:</td><td><input type="text" name="username"></td></tr>
  <tr><td>Password:</td><td><input type="password" name="password"></td></tr>
 </table>
 <input type="submit" value="Login">
</form>

And PHP receives this information on a superglobal array $_GET or $_POST with the input name as associative key.

To just get and display the information from the form, here is an example on how to do it:

Name is: <?php echo $_POST["username"]; ?><br>
Password is: <?php echo $_POST["password"]; ?>

NOTE: If the form is sending the inputs as GET, they’ll be on the $_GET array only. Same thing for method=”POST”.

So to create a basic user validation can be something like:

<?php
 if ($_POST["username"] == "Adam" && $_POST["password"] == "pass") {
  echo "Welcome " . $_POST["username"] . ".";
 } else {
  echo "Invalid username and/or password.";
 }
?>

As a matter of security, it is very important to avoid getting user input and setting straight as HTML, which would allow a script to be sent to the DOM.

To validate the input, we can use some functions from the PHP library.

function test_input($data) {
 $data = htmlspecialchars($data);
 return $data;
}

The function htmlspecialchars() will convert special characters that affects the HTML tags. It will still be displayed to the user with it’s original special characters.

Example:

<?php
 echo htmlspecialchars("<b>test</b>");
?>

Will be converted into:

&lt;b&gt;test&lt;/b&gt;

And displayed as:

<b>test</b>

And our user validation will now be something like this:

<?php
  $username = test_input($_POST["username"]);
  $password = test_input($_POST["password"]);
 if ($_POST["username"] == "Adam" && $_POST["password"] == "pass") {
  echo "Welcome " . $_POST["username"] . ".";
 } else {
  echo "Login failed";
 }
 function test_input($data) {
  $data = htmlspecialchars($data);
  return $data;
 }
?>

So, what about trying to connect to a database and do the check with more than one username/password?

For this demo I am using a database on my web server located on localhost with username = root and password = password.

To connect to the database, we use the command mysqli:

<?php
 $servername = "localhost";
 $dbusername = "root";
 $dbpassword = "password";
 $dbname = "users";

 // Create connection
 $conn = new mysqli($servername, $dbusername, $dbpassword, $dbname);
 // Check connection
 if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
 }

I am using a new function here called die(), who is equivalent to exit(), and is used for error handling.

This connects to my database named “users”, and I can then send a SQL command

$sql = "SELECT username, password FROM users";
$result = $conn->query($sql);

The result set is returned in the array $result, which we can use for checking our username and password

$valid = false;
 // check if any result was returned
 if ($result->num_rows > 0) {
  // loop through the results
  while($row = $result->fetch_assoc()) {
   if ($row["username"] == $username && $row["password"] == $password) {
    echo "Welcome " . $_POST["username"] . ".";
    $valid = true;
   }
  }
 }
 if ($valid == false) {
  echo "Login failed";
 }
 // close connection
 $conn->close();

So a complete form login page to check for username and password will be

<?php
 $username = test_input($_POST["username"]);
 $password = test_input($_POST["password"]);
 
 $servername = "localhost";
 $dbusername = "root";
 $dbpassword = "password";
 $dbname = "users";

 // Create connection
 $conn = new mysqli($servername, $dbusername, $dbpassword, $dbname);
 // Check connection
 if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
 } 
 
 $sql = "SELECT username, password FROM users";
 $result = $conn->query($sql);
 
 $valid = false;
 // check if any result was returned
 if ($result->num_rows > 0) {
  // loop through the results
  while($row = $result->fetch_assoc()) {
   if ($row["username"] == $username && $row["password"] == $password) {
    echo "Welcome " . $_POST["username"] . ".";
    $valid = true;
   }
  }
 }
 if ($valid == false) {
  echo "Login failed";
 }
 // close connection
 $conn->close();
 
 function test_input($data) {
  $data = htmlspecialchars($data);
  return $data;
 }
?>

An important fact is that “$result = $conn->query($sql)” can be used for any SQL command, like SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, call <procedure>, etc.

Well, that’s all for this post. See you next time!

 

References: w3schools and MySQLtutorial.