Part 5 - Server side Using databases with PHP Flashcards

Question

Syntax: $mysqli -> prepare(query) Param: $mysqli - the database object/connection Query - the sql query we wish to have prepared

Answer 1

what is the syntax and params of the method **prepare()**

Answer 2

points include: a)Each one of these will store data that represents a single entity such as "employee" b)entities that share a relationship can be linked together using primary keys which can make for more complex data structures

Answer 3

Syntax for results object property: $result->num_rows Param: $result - the results object we want to find the number of rows it contains

Answer 4

describe the SQL clause **ORDER BY**

Answer 5

give an example using the SQL WHERE clause that will **return any rows where the column lastname has the value doe**

Answer 6

we should never perform this action because this information can be used to a malicious user's advantage. They could gain knowledge about your application that helps them form an attack

Answer 7

We should consider this class of data as untrusted because it is possible that the data was not "cleaned" before it was stored. If malicious JavaScript code was stored in the database and sent to the user, then a JavaScript attack could occur. Therefore to make this data safe, we must escape any HTML output to the user to prevent this type of attack

Answer 8

describe the PHP method **Fetch_assoc() **

Answer 9

**During production** what should be done with errors

Answer 10

code example: `$database->query($create_sql);`

Answer 11

code: `$database = mysqli_connect($database_host, $database_user, $database_password);`

Answer 12

these database activities include: 1. creating tables 2. adding tables 3. modifying table structure

Answer 13

these database activities include: 1. **C**reate 2. **R**ead 3. **U**pdate 4. **D**elete these day to day activities are also known as **CRUD**

Answer 14

types of data that would be suitable for this include: 1. Document database, key/value storage, graph database 2. Unstructured data or data that has no clear relationships

Answer 15

these keywords are used to make searches more specific and add further conditions Example: ``` WHERE lastname = 'Doe' AND firstname = 'John' WHERE lastname = 'Doe' OR firstname = 'John' ```

Answer 16

this method can be used to fetch one row from a results object and then returns it as an indexed array. This can be most effectively used in a loop to extract every row from a results object and look at any particular column of that row

Answer 17

Why should we **treat data from the user as untrusted**

Answer 18

Syntax: INSERT INTO table (v1, v1, v1) VALUES (v2, v2, v2) Parameters: table: specifies the name of the table that you want to insert new data into. v1: specifies the columns of the table that you want to populate with new data. v2: specifies the actual data that will be values within the new row. Example: ``` INSERT INTO users (first_name, last_name, email) VALUES ('John', 'Doe', 'john.doe@example.com') ```

Answer 19

at this step of creating a prepared statement we use the prepare() method to prepare the stament what this means is that we are sending it to the database which will then read and prepare it and understand that this is legitimate SQL that will have unexecutable values added later Example: `$stmt = $database->prepare($sql);`

Answer 20

describe the SQL statement **SHOW TABLES**

Answer 21

Definition: This occurs when an attacker submits malicious data to a database through an application, causing the database to execute unintended and potentially harmful SQL statements. Example: 1. The user sends an SQL statement to the server instead of the expected data, such as their name. 2. The input from the user is combined with an already written SQL statement, such as an INSERT statement, and is placed as a value that will be stored in the database. 3. When the statement is executed, the database cannot differentiate between the legitimate SQL and the injected SQL, and goes on to execute the injected SQL. 4. The database is now compromised and has been a victim of an SQL injection attack. Note: Using prepared statements and other security measures can help prevent SQL injection attacks.

Answer 22

what is the syntax and params of the method **query()**

Answer 23

syntax: $stmt->execute(); Param: **$stmt** - an already prepared and bound statement.

Answer 24

name 3 activities that are carried out on a database on a day to day basis

Answer 25

what are the 4 steps to create a **prepared statement**

Answer 26

We should treat this data as untrusted because the user is able to send us any data they like, whether it is a GET or a POST request, and not just what we expect. This means that when data is received by a PHP script and held in its superglobal variables, this data cannot be trusted and should never be used directly. By treating this data as untrusted, we can mitigate against SQL injection attacks

Answer 27

Syntax: `$stmt->bind_param(types, vars)` Params: **$stmt** - an already prepared statement object **Types** - A string that contains one or more characters which specify the types for the corresponding bind variables **Vars** - the values we wish to replace the placeholders note: number of types and vars must match placeholders and types must match the type of vars Return: Returns true on success or false on failure.

Answer 28

what is the syntax of the SQL statement **CREATE TABLE**

Answer 29

Syntax for SQL statement: SELECT columns FROM table Param Columns - a comma separated list of columns we would like to select Table - the table we would like to selct columns from

Answer 30

Syntax for PHP method: $mysqli_result -> fetch_assoc() Param: $mysqli_result - the results object we would like to exract rows from

Answer 31

what is the syntax, params and return of the PHP MySQLi function **mysqli_connect()**

Answer 32

using PHP write a string query that will show all the tables in the database and then execute the query on the database

Answer 33

after executing an SQL SELECT statement what type of data could we expect returned from the database

Answer 34

name 2 **benefits of data only existing once inside a relational database**

Answer 35

name 6 generic steps of how we make an intercation with a database

Answer 36

Using the `$database` object, execute the SQL query held in the variable `$create_sql` against the database

Answer 37

describe the property **Affected_rows**

Answer 38

describe the SQL statement **SHOW COLUMNS**

Answer 39

code example: ``` // Iterate through each row in the result set while ($row = $result->fetch_assoc()) { // Output the first name, last name, and email of each user echo '

firstname: ' . $row['firstname'] . '

'; echo '

lastname: ' . $row['lastname'] . '

'; echo '

email: ' . $row['email'] . '

'; } ```

Answer 40

for this type of SQL statement we would expect the database to return a table like structure in which we can access its rows and columns using a script such as PHP

Answer 41

Syntax: ``` CREATE TABLE table_name ( column1 datatype options, column2 datatype options, column3 datatype options, .... ); ```

Answer 42

How do we **report and display all errors in PHP**

Answer 43

describe the PHP MySQLi function **mysqli_connect()**

Answer 44

What is **error handling**

Answer 45

describe **SQL injection**

Answer 46

using PHP Echo a html paragraph of format **“row count: {rows}”** Where {rows} is the number of rows in the results object $result

Answer 47

what is the syntax for the SQL statement **DROP TABLE**

Answer 48

Create an array named tables and using the results object $row place the first column of every row in the tables array

Answer 49

these 1.Will a)Protect data values from SQL injection 2.Will not a)Protect column names from SQL injection b)Protect SQL keywords from SQL injection

Answer 50

this is deciding what the application should do when an error occurs

Answer 51

Syntax ommitted: mysqli_connect(host, username, password) Param: @param host Specifies a host name or an IP address @param username specifies the database username @param password specifies the database password Return: An object representing the connection to the database server

Answer 52

what is the syntax, params and return of the PHP MySQLi method **select_db()**

Answer 53

what is the syntax and params of the PHP method **execute()**

Answer 54

write the PHP MySQLi code that will **Connect to a database server and create a database object**

Answer 55

this is used so that we can prepare an SQL query for execution. This carries speed and security advantages. On execution it will return A statement object on success. FALSE on failure

Answer 56

example: ``` // Check the value of the 'sort' key in the $data array if ($data['sort'] == 'firstname') { // If the value is 'firstname', set the $sort variable to 'firstname' $sort = 'firstname'; } if ($data['sort'] == 'lastname') { // If the value is 'lastname', set the $sort variable to 'lastname' $sort = 'lastname'; } // Additional code goes here // Use the $sort and $order variables to dynamically specify the column and order in an SQL ORDER BY clause ORDER BY $sort $order ```

Answer 57

give 2 points regarding the **tables in a reational database**

Answer 58

to achieve this in PHP, we can use the following code: ``` error_reporting(0); ini_set('display_errors', 0); ``` notes: 1. The `error_reporting()` function sets which PHP errors are reported. The argument 0 turns off error reporting 2. The `ini_set()` function is used to set values of PHP's configuration settings. Passing the argument ('display_errors', 0) disables error reporting for this script."

Answer 59

this PHP method is used to execute a prepared statement on a database

Answer 60

describe the PHP method **bind_param()**

Answer 61

Why shouldn't we **output the actual error message to the user**

Answer 62

name 3 activities that are NOT carried out on a database on a day to day basis

Answer 63

what is the syntax and parameters of the property **affected rows**

Answer 64

in general terms of a relational databse (not mitigating attacks... etc) **how should data values be stored**

Answer 65

in 7 steps describe the steps/flow of 1. getting data from a user 2. writing/reading from database 3. sending data back to the user

Answer 66

describe step 3 of creating prepared statements **Bound our SQL statement**

Answer 67

describe the following code: ``` if (!$database->select_db($database_name)) { code } ```

Answer 68

this PHP MySQLi function is used to create a connection with a database server

Answer 69

this is used so that we can be more specific about the results the database will return

Answer 70

Syntax of PHP method: `$mysqli_result -> fetch_row()` Param: $mysqli_result - the results object that was returned by an sql query

Answer 71

describe the SQL keyword **LIKE**

Answer 72

code example: ``` $tables = []; // list of names of tables in database // Read each row as an array indexed by numbers while ($row = $result->fetch_row()) { // Put the first item in each row into the tables array $tables[] = $row[0]; } ```

Answer 73

describe the SQL clause **WHERE**

Answer 74

the pitfall of these is that they only protect the column values of a statement and not the keywords or table names this means that if we want dynamic selection of keywords and table names by the user then we need another method to ensure the data from the user is not malicious

Answer 75

This sql statement is used so that we can delete an entire table and with it all of its data

Answer 76

at this step of creating prepared statements Binding variables to the place holders of the prepared statement example: `$stmt->bind_param('sss', $data['firstname'], $data['lastname'], $data['email']);` note: the variables will most likely be user input such as that from a form

Answer 77

what is the syntax and params of the results object property **num_rows**

Answer 78

in 4 steps describe how the following may occur **SQL injection attack**

Answer 79

code example: ``` $sql = "SHOW TABLES"; $result = $database->query($sql); ```

Answer 80

what is the syntax, params and return value of the PHP method **bind_param()**

Answer 81

using the SQL clause ORDER BY write the statement that will **Order the selected data in descending order using the lastname column **

Answer 82

describe step 1 of creating prepared statements **Write our SQL statement**

Answer 83

describe the SQL statement **DROP TABLE**

Answer 84

to achieve this in PHP, we can use the following code: ``` error_reporting(E_ALL); ini_set('display_errors', 1); ``` notes: 1. The `error_reporting()` function sets which PHP errors are reported. The argument E_ALL will report all errors 2. The `ini_set() `function is used to set values of PHP's configuration settings. Passing the argument ('display_errors', 1) allows errors to be displayed for this script."

Answer 85

give 3 points regarding a **relational databse**

Answer 86

describe the PHP MySQLi method **select_db()**

Answer 87

for this type of SQL statement we would expect the database to return an integer representing the number of affected rows

Answer 88

using the SQL WHERE clause and the LIKE keyword write the statement that will **Will return any rows where the last_name column holds a value d anywhere in the entry**

Answer 89

these are formed using PHP methods and is a method that allows us to mitigate SQL injection attacks.

Answer 90

This class of data is data from the user and data that comes out of the database

Answer 91

This is used to get a list of current tables in the database. When querying a database using this statement a results object will be returned that has columns and rows. In this case there is only one column being the name of the table and a row for each table in the database

Answer 92

describe the fllowing property of a results object **num_rows**

Answer 93

this SQL statement is used to insert a new row of data into a given table

Answer 94

this is data that is returned from a database in the form of a table with columns and rows using methods such as fetch_row() we can collect the data we would like and hold it in arrays or variables

Answer 95

What values should we set in a script and use comparisons on the user's data and our own values to protect against SQL injection attacks

Answer 96

**During development ** where should errors be outputted?

Answer 97

The first step in creating a prepared statement is to write the SQL statement that you want to execute. Example: `$sql = "INSERT INTO users (first_name, last_name, email) VALUES (?, ?, ?)";` note: The placeholders ? are used to indicate where data will be inserted into the statement. this data comes from the user and is untrusted

Answer 98

this PHP method is used to fetch a row of data from a results object and then return the row as an associative array where 1. the key is the column name 2. and the value is the associated value for the key this is useful where we would like to retain column name information instead of knowing just the values of the column

Answer 99

points include: 1.Makes use of SQL 2.Makes use of many tables 3.Suited for large data that is related to each other

Answer 100

generic steps include: 1.Connect to the database server. 2.Select a specific database to use. 3.Construct an SQL instruction (also known as a ‘query’) as a string. 4.Execute the SQL query. 5.If the query is such that data is to be returned, then collect the data into a variable (such as for display in a dynamic web page) and return it to the web page. 6.Close the connection (this happens automatically when PHP execution is completed).

Answer 101

using PHP Using the results object $result get each row as an associative array and for each row echo its key and value

Answer 102

during this time errors should be outputted to a file in a secure area, the user should be given a message stating that an error has occurred, and the application should be stopped using a function such as die()

Answer 103

this is the wild card symbol in SQL and is used with the LIKE keyword LIKE 'd%' - would find any record that starts with the letter ‘d’ LIKE '%d' - would find any record that ends with the letter ‘d’. LIKE '%d%' would find any record that has the letter ‘d’ in the value

Answer 104

describe the SQL statement **INSERT INTO**

Answer 105

name 2 types of **data that would be suitable inside a Non-relational database (NoSQL database)**

Answer 106

describe step 4 of creating prepared statements **Execute the prepared and bound statement**

Answer 107

in PHP how do we call the methods and properties of an object

Answer 108

Syntax: `DROP TABLE table_name`

Answer 109

this Is where a user submits data to the database that is an SQL query and is then succsefull in having that query executed by the database. this can have devastating effects such as extracting, modifying data creating or deleting tables

Answer 110

approaches include: 1.Relational database 2.Non-relational database (NoSQL database)

Answer 111

outline what prepared statements 1. will 2. will not protect

Answer 112

Syntax: $database->affected_rows Parameters: $database: the database object that you are querying. example: ``` // Execute an INSERT query on the database object $result = $database->query("INSERT INTO users (first_name, last_name, email) VALUES ('John', 'Doe', 'john.doe@example.com')"); // Check if the query was successful if ($database->affected_rows > 0) { // If at least one row was affected, output a success message echo "New record created successfully"; } else { // If no rows were affected, output an error message echo "Error: " . $database->error; } ```

Answer 113

What data should **always be considered untrustworthy**

Answer 114

when storing data values in a relational database. that value should only exist once if it is required in another table then it should be accessed by using primary keys

Answer 115

what is the syntax of the SQL statement **SHOW COLUMNS**

Answer 116

what is the syntax and params of the PHP method **fetch_row()**

Answer 117

describe step 2 of creating prepared statements **Prepare the statement**

Answer 118

within php we use the "->" operator this differs from other languages that mostly use dot notation

Answer 119

How can we **protect against SQL injection when using dynamic column names or keywords that are recieved from the user in an SQL statement?**

Answer 120

code example: `echo '

row count: ' . $result->num_rows . '

';`

Answer 121

describe the PHP method **fetch_row()**

Answer 122

what is the syntax and params of the PHP method **fetch_assoc()**

Answer 123

Syntax (Object oriented style): $mysqli -> select_db(name) Param: $mysqli - a variable holding a database object Name - the name of the database we wish to have access to Return: TRUE on success. FALSE on failure

Answer 124

steps/flow of this process includes: 1.create a HTML form that the user can fill in 2.validate form data in a web browser 3.submit data to a web server 4.validate the received data again on a web server 5.add data to a database table 6.read data from a database table 7.present data as a HTML table.

Answer 125

syntax of method: $mysqli -> query(query) params: $mysqli - a databse object Query - Specifies the SQL query string

Answer 126

this SQL keyword can be used with the where clause and gives us a less strict rule to match

Answer 127

what is a **prepared statement**

Answer 128

describe the SQL keywords **AND, OR**

Answer 129

code example: `WHERE lastname = 'Doe'`

Answer 130

this property is a property of the mysqli class in PHP, which represents a connection to a database. It returns the number of rows affected by the last query that was executed on the database connection.

Answer 131

code example: `ORDER BY lastname DESC`

Answer 132

steps include: 1.Write our SQL statement 2.Prepare our SQL statemnt 3.Bound our SQL statemnt 4.Execute the prepared and bound SQL statement

Answer 133

describe the PHP method **execute()**

Answer 134

what is a **result object**

Answer 135

name 2 **approcahes to creating a databse **

Answer 136

write the PHP MySQLi code that will **connect to a database that we specify and check whether it was successful or not**

Part 5 - Server side Using databases with PHP Flashcards

(160 cards)