I was planning to just do one post with a complete dissection but I've had this sitting here for a couple of weeks and am just a little pushed for time right now, so I'll get the parts out as and when I've got a chance! I'll link all of the posts together once they're all done.

If you haven't already got it, download the Contact Form and open up the PHP 4.4 version in your own text editor, ideally with line numbers as I'll be referring to them.

Setting the variables

First off is the code to set the variables. This makes it easier for those who don't want to poke around in the PHP to find what to change.

Code Excerpt

11. // Change the $to_email to the address you want the email to be sent to
12. $to_email = "you@yourdomain.com";
13.  
14. // Change $redirect to where you want the user to be redirected to, usually a thankyou page
15. $redirect = "thankyou.html";
16.  
17. // Change the $subject to the subject of the email that you what
18. $subject = "Online contact form from your site";
19.  
20. // Specify the required fields
21. $req_fields = array("cfname", "cfemail", "cfmessage");

The first 3 variables, $to_email, $redirect and $subject, should be straightforward. The final variable is the array $req_fields. This is an array of fieldnames used in the form, which need to be checked to ensure content has been entered into each form field specified. By listing them in an array it makes it easy for the user to add more fields without having to edit the PHP lower down.

The Processing Script

The processing script is above the start of the HTML output so that if a successful email is sent the header redirect can run and redirect the user to a thank you page. The first line of the processing script checks to make sure that the form has been submitted to the page (else there's no point running the script at this point). The if statement below checks to see if the submit button has been pressed and also checks that it has a value (as the isset() function will be true if the variable tested has been created, regardless of being empty or not).

Code Excerpt

23. // this bit does the mailing
24. if (isset($_POST['cfsubmit']) && trim($_POST['cfsubmit']) != "") :

Then we specify a few functions to validate the email address supplied to ensure that it's safe and secure (I've written in the past about email header injections).

Code Excerpt

30. // check no additional lines have been added to the email field
31. function has_newlines($text) {
32. return preg_match("/(%0A|%0D|\n+|\r+)/i", $text);
33. }
34.  
35. // Check that additional headers haven't been added
36. function has_emailheaders($text) {
37. return preg_match("/(%0A|%0D|\n+|\r+)(content-type:|to:|cc:|bcc:)/i", $text);
38. }
39. // check the email is of a valid form
40. function is_valid($text) {
41. return preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix",$text);
42. }

To briefly explain these functions, the first, has_newlines, checks to see if the email address supplied spans more than one line, by detecting a \n or \r in it. It returns TRUE if any instance of a new line is found. The second, has_emailheaders, checks for the instance of a header injection and returns TRUE if anything is found. The final function checks the validity of the email address, it checks that it follows the format of how an email address should be constructed and returns TRUE if the email address provided is valid.

Next is a foreach() statement that cleans up the form data. It uses the foreach() loop as to allow this form to be flexible, ie. allowing extra fields, we cannot predetermine the fieldnames in use, so this runs through every key in the $_POST array, ie. every fieldname used in the form. On line 45 the code checks to see if the Magic Quotes setting in the php.ini file is set to on (most hosts have this on to try and combat insecure scripts, let's not get started on that debate though!), if it is then it will have had all the form content run through the addslashes() function, so we reverse that work using stripslashes(). For those asking why, first off this is a form that's going to be emailed through, so the 'security' that magic_quotes gives isn't needed in this instance, and if it was going into a database then I'd use a more secure escape method. Then on line 49 we also run the strip_tags() function, which will strip away any additional HTML added to the form. The final result is saved in an associative array called $formstuff with the key being the same as the key in the $_POST array ie. the fieldname.

Clean up the Form Content

44. foreach ($_POST AS $key => $value) :
45. if (get_magic_quotes_gpc()) :
46. $value = stripslashes($value);
47. endif;
48.  
49. $formstuff[$key] = strip_tags($value);
50. endforeach;

Then, in another foreach() loop, we have the code which checks that the required fields (specified in the array on line 21) contain data, this runs through the required fields array, taking each fieldname one at a time. First it trims all excess white space off the field input, then it checks to see if the field's value is empty. If it is then the variable $formerror is set to TRUE and the rest of the processing won't run as per the if statement on line 61, instead the user is returned to the form to try again.

Check required fields are complete.

53. $formerror = FALSE;
54. foreach ($req_fields AS $formlabel) :
55. $value = trim($formstuff[$formlabel]);
56. if (empty($value)) :
57. $formerror = TRUE;
58. endif;
59. endforeach;
60.  
61. if (!$formerror) :

Part 2 coming soon!

First off, download the contact form, unzip it and open it in your favourite coding editor. The best version of this form requires PHP 4.4+ however I've altered the line that depends on this version so that you can use it down to version 4.0 however foreign characters will not be checked in the name. Both are contained in the download file.

This won't work straight out of the box. You'll need to edit a few lines first plus add in your surrounding HTML markup.

Edit the Basics

To get this up and running with minimal effort you need to do the following (from top down in the file).

1. Edit the $to_email variable to contain your email address. So replace 'you@yourdomain.com' with your own email address, ensuring the double quotes are still kept around the email address.
2. Edit the $redirect variable to contain the address, relative to the root, of your thank you page. So if your thank you page is found at http://www.yourdomain.com/contact/thankyou.html this value will become "contact/thankyou.html".
3. Edit the $subject variable to contain the text you want to appear in your email subject when you receive an email from the form.
4. Locate the line >!– Your Header HTML code or include goes here –< and replace it with your standard site header markup. This could be a PHP include to include the header file, or plain HTML markup.
5. Locate the line >!– Your footer HTML code or include goes here –< and replace it with your standard site footer markup. Again, this can be a PHP include or the plain HTML markup.

This should then leave you with a file that has the following sections:

• PHP Script
• HTML Header markup
• Form in the content area
• HTML Footer markup

At this point you should be able to upload this file to any PHP enabled server, view the file, complete the form and submit it. An email should then come through to your specified email account.

Advanced Options

There's two advanced options in this form. The first is to add additional fields into the form, and they'll still be picked up in the email. To do this, edit the form to include your additional form fields (checkboxes and file uploads are not supported in this form) using the following method (if you're not sure on working with forms, read up on accessible form layouts):

Form Code Excerpt

1. <div>
2. <label for="cftext">Title: </label>
3. <input type="text" name="cftext" id="cftext" size="30" value="<?php get_value('cftext') ?>" />
4. </div>

Where text makes up your input's fieldname. I would recommend keeping 'cf' at the start of all of your fieldnames as this means there is less potential for variables to clash in the PHP and it can help to reduce spam as spammers will often assume your field names are the general ones of 'name', 'email', message' etc. Title is then the value displayed on the page, so the form label.

The second advanced option is to also control your required fields. Near the top of the script there is a line:

PHP Code Excerpt

1. // Specify the required fields
2. $req_fields = array("cfname", "cfemail", "cfmessage");

This array lists the fields that are required to contain content. So if you added 3 extra fields, eg. cfurl, cftelephone and cfaddress and you want to make the telephone and address field required, but not the url field, then you can add these in by adding them to the end of the comma delimited list i.e.

PHP Code Excerpt

1. $req_fields = array("cfname", "cfemail", "cfmessage", "cftelephone", "cfaddress");

This will then check that both the telephone and address fields have content in them, however the URL field can be left blank. Of course it will be wise to add

HTML Code Excerpt

1. <em>Required</em>

After the label title and before the closing label tag, as I've done with the other required fields.

Guarantees

There are none! The form is secure to the best of my abilities. It checks against email header injection, it removes all html tags that may have been entered into the form, it checks the name entered contains just typical characters that a name would contain (including foreign characters)*, it checks your required fields contain content and it will email all details plus the user's given IP address and browser details through to your specified email address. By using less than general field names, spam should be reduced to human spam (I use this method elsewhere and rarely get any spam off my forms that's not human generated).

The form is accessible in that when you click a label title the cursor will be placed in the input box or textarea. It uses the correct markup of a fieldset and legends, and if you choose to extend the form I recommend you continue with these standards. Suggested CSS for the styling of a form and error warning is below.

Suggested CSS Code

1. ul.warning {
2. color: #c00;
3. font-weight: bold;
4. }
5.  
6. fieldset {
7. width: 500px;
8. border:none;
9. border-top: 1px solid #999;
10. padding: 10px;
11. margin-top: 10px;
12. }
13.  
14. legend {
15. font-weight: bold;
16. padding: 0 5px;
17. }
18.  
19. label {
20. width: 125px;
21. float: left;
22. text-align: right;
23. margin-right: 5px;
24. }
25.  
26. form div {
27. clear: both;
28. margin-bottom: 10px;
29. }

So give it a go and let me know what you think. Any problems or comments, post them below and I'll do my best to help out or accommodate you

* Only in the PHP 4.4+ version.

You may be wondering why I've been reading a book that's clearly for beginners. Couple of reasons. I learnt PHP when version 4 had just been released. The book I learnt from was out of date within weeks simply because of the major changes that happened, default settings etc. Whilst it was a great book to learn from there were parts that I'd either skipped (Object Oriented Programming for a start!) or just parts I'd never really grasped. Knowing how well SitePoint books are written, I decided to buy this book to give me a chance to refresh my knowledge, pick up on any changes for PHP 5 and also have an up-to-date PHP book on my shelf.

So what will this book teach you? It will teach you the basics of PHP and using MySQL. It explains how to use PHP to create dynamic webpages, how to store the content of a site in a database and retrieve that information and display it on the site. How to allow people to add to and update that content. It goes into regular expressions, the basics of PHP's file access methods, good structure using includes and more.

I recently had a chat about this book with someone who wanted to learn the basics a bit better but had looked at the free chapters of this book and got completely confused by its complexity. If anyone else has been or finds themselves in the same situation then I know where you're at. Ignore the first 2 chapters initially! The first chapter goes into how to set up PHP and MySQL on your computer. Whilst I used to do this myself now I recommend using Xampp. It's easy to install, comes with everything you need and can also be run off an external drive or USB pen drive, so you don't even need to put it on your computer! Then the second chapter of the book goes into MySQL. Again, not something you need to concern yourself with at first. So skip to chapter 3 and things shouldn't be as complex and scary!

So if you want to learn PHP then I highly recommend this book for the basics. You can get 4 free chapters from the SitePoint page or you can buy the book cheaper with free delivery from Amazon UK.

For anyone who's learnt the basics then this book is probably a good intermediate level book before stepping into the advanced stuff. The free chapters are available from their site and worth a look if nothing else. Alternatively it's available at Amazon UK as well (although for once the SitePoint price is cheaper with the current exchange rate!).

Alternatively, on this SitePoint post you have a link where you can get $10 off the book, plus a free (usually $10) PHP Reference Poster. So that would be £20 for the lot including delivery. Ack it's tempting…!

Update: The First Edition of this was the PHP Anthology Vol 1 and 2 – two books written by Harry Fuecks. SitePoint have now merged these two into one and brought on a load of new authors. I'm guessing it could be quite different in the way it's written compared to the first edition, however I'd have to compare the sample chapters to the books I have. However, if you've learnt PHP and want to progress then it's the best next step you could take

There are a couple of ways to create an array. The first is writing the whole array out in one go eg.

Array Code

1. $testarr = array("Bob", "Sally", "John", "Pete", "David", "Jane");

This is fine if you can create the array with one line, however as your PHP progresses you'll find you use an array to capture data from say a form submission. So an efficient way of doing this, and another way which you can create an array, looping or otherwise, is

Array Code

1. $testarr = array();
2. $testarr[] = "Bob";
3. $testarr[] = "Sally";
4. $testarr[] = "John";
5. $testarr[] = "Pete";
6. $testarr[] = "David";
7. $testarr[] = "Jane";

Note the first line initialises the array. This is for security to ensure that nothing has been passed into the array eg. via the URL, that we don't want in there.

With this array you can use it in a variety of functions and uses. For a full list of the functions available read the Arrays page on PHP.net. Examples of usage are

• Re-sort the list and display in alphabetical order.
• Compare a variable to the array to see if the variable exists within the array.

To simply list the content of an array you can either do the quick and easy method using print_r()

Array Code

1. print_r($testarr);

Or you could do it a little neater using the foreach loop.

Foreach Loop Code

1. foreach ($testarr AS $key => $value) :
2. echo "Item ".$key.": ".$value;
3. endforeach;

substr() – This returns a section of the string which you control with the start and length or end values. This is handy if
you just want to display a short excerpt of a longer description. There are many uses of this but without going into too
much detail they won't necessarily make sense at present.

For using the function you have several options:
1. substr("abcdef", 2) – this would output 'cdef' ie. it outputs everything after the first 2 characters.
2. substr("abcdef", 1, 3) – this would output 'bcd' ie. the pointer starts at position 1 (bearing in mind the letter 'a' is
currently in position 0) and then print 3 characters.
3. substr("abcdef", 0, -1) – this would output 'abcde' ie. the pointer starts at position 0 and outputs all until the pointer
is minus one character from the end.
4. substr("abcdef", -2) – this would output 'ef' ie. the last two characters regardless of knowing the length of the string

str_replace() – This takes an existing character or string, along with the replacement string and searches the given string
for any existance of the string to replace. Okay that sounded confusing! Much easier with a few examples:

Array Code

1. str_replace("a", "b", "Mary had a little lamb"); // would produce 'Mbry hbd b little lbmb'
2. str_replace(" & ", " &amp; ", "You & I"); // would produce 'You & I' which is valid markup for XHTML Strict
3. str_replace(" ", "%20", "http://www.domain.com/contact us.htm"); // unfortunately a lot of people believe that spaces in urls are fine to use when they really aren't. This is one way to clean them up in your links.

explode() – This allows you to choose a character in a string and split the string up into an array, where each bit in the
original string started and/or ended with the chosen character. For example

Array Code

1. $string = explode("-", "Item 1-Item 2-Item 3");
2.  
3. // $string now contains 3 items
4. print $string[0]; // would give 'Item 1'
5. print $string[1]; // would give 'Item 2'
6. print $string[2]; // would give 'Item 3'

So those are the 3 functions I use day in day out. Mainly they're used on their own but at times can be combined to produce the desired output for a string.

I figured that I write it so often on forums to people wanting to learn PHP that I'd list out some recommended reading (including free stuff) here, with the low down on each. They're mainly free chapters but my argument is to get the free chapters and surely anyone can make up their mind after 150+ pages as to whether the book's worthwhile to buy!! I've linked to the full book on Amazon as well, in case anyone takes my review for granted and just wants to buy the book

Build Your Own Database Driven Website Using PHP & MySQL – Kevin Yank

This book is from SitePoint which I have to say produces some of the best books out there and offers 4 free chapters on virtually all of their books for you to download. That's over 150 pages for free! The free chapters are very worthwhile for anyone who wants to get PHP up and running on their own computer. It devotes the first chapter to installing Apache, PHP and MySQL for Windows, Linux and Mac OS X. It then teaches you how to develop your own content management system whilst explaining the various parts of PHP and MySQL as you go along. I own this book myself and find it very easy to read. The current release is also updated to work for PHP 5 as well.
Free Chapters from SitePoint
Buy from Amazon UK

PHP and MySQL Web Development

This is a later version of the book I learnt from. It starts with the basics of PHP and doesn't jump straight into MySQL until you have a good understanding of PHP basics which I think is a good way to learn. I sat and read 500 pages of this book in a week and haven't looked back. Whilst the version I have now is outdated and not really used, they have since released 2 further versions so the current Version 3 is most likely up to date, but still a worthwhile book to try.
Sample Chapter
Buy from Amazon UK

The PHP Anthology: Object Oriented PHP Solutions – Harry Fuecks

Another book from SitePoint, this PHP book is for the more advanced user that already has an understanding of PHP and MySQL. The subject goes into the world of Object Oriented Programming, explaining about classes, how to use them and how they can speed up your scripts and let you write more efficient code. The books also explore more advanced programming methods and requirements such as parsing, generating bar charts and graphs, watermarking images, creating more efficient error handling methods and much more. I own both of these books however I'm still on Vol 1 at present. It is definitely for the advanced user and must be read without distractions!
Free Chapters from SitePoint
Buy from Amazon UK

Php|architect's Guide to PHP Security

Anyone who's seriously considering creating PHP sites and possibly working as a PHP developer professionally, and even for their own projects, needs to be reading this book. Explaining about security, how to prevent injections, attacks and hacks on your code it's a must for anyone who wants to ensure their site is absolutely secure. I've seen (and secured) a lot of code that people naively assumed would be safe when in fact it isn't. If you don't want your sites compromised then I recommend this book for reading and keeping for reference.
Buy from Amazon UK

Sample Chapters

The following are just links to sample chapters from various bookstores. I've not read any of these books and so cannot offer a review, but for anyone who can't neccessarily afford to pay out for a book right now, these sample chapters between them may give you a reasonable amount of information and help too.

Learning PHP and MySQL
PHP in a Nutshell
Learn PHP 5
PHP Cookbook
Web Database Applications with PHP and MySQL
Programming PHP
Advanced PHP Programming Sample 1
Advanced PHP Programming Sample 2

Online Resources

Practical PHP Programming – by Paul Hudson

Email Code

1. <?php mail("test@yourdomain.com", "This is a quick test", "testing 1 2 3", "From: test@yourdomain.com"); ?>

I also suggested the from address must be a valid email address on the server, as the server may have security in place to prevent it being sent from a non server address. Also, after this morning, I've discovered that even a valid email address could have DNS issues with some servers, so if one doesn't work, try another too!

Anyhow, he came back to me and said the mail function worked fine, so I FTP'd in and took a look at the code. At first glance it seemed fine enough. Pretty shabby PHP but nothing giving a reason for it not to work. I took a look at the web page again and then noticed it wasn't picking up the to and from email addresses. A second, more serious look made me notice the script assumed that Registered Globals were on, a major no no as a lot of servers have the default installation of PHP which switches them off, or servers deliberately ensure they're off for security. So I ran through, updated the variables to use the $_POST array and voila, it worked.

So for future reference, if you want to write PHP code, write it properly from the beginning! Don't assume options such as registered globals are available to you. Using $_GET, $_POST, $_FILE etc will work fine regardless of whether registered globals are on or off, and it's far more secure to use this method.

Also whilst talking about portable PHP…

Use proper opening tags ie. <?php and not just <?.

Don't assume Magic Quotes are on, and to be honest, if they are, reverse their work and use a more secure method.

At least if you cover these portability issues, then when things don't work as planned you can rule them out as issues and turn to other options.

Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database host. This is accomplished by the application taking user input and combining it with static parameters to build a SQL query.

So what does this mean? When you have a form on a page requesting user input and then use this input in MySQL queries you must not rely on what the user has entered. 99% of the time when you ask a user for their username and password, they will enter this. However along comes someone who wants to crack your system, suddenly you won't be receiving a username and password through the form but most likely code aimed to inject extra operations into your MySQL query. Perhaps it's easier to understand by way of example. My own logins usually accept a username and password from a form. The usual method is to accept a username and password and then run a SELECT statement to count the number of records that contain both the username and password. If the result is zero then the username and/or password is of course incorrect. A loosely written PHP script could be:

Insecure code to control user login

1. $sql = mysql_query("SELECT COUNT(*) FROM users WHERE username = '".$_POST['username']."' AND password = '".$_POST['password']."'");
2. $count = mysql_fetch_row($sql);
3. if ($count[0] == 0) {
4. // user/password combo incorrect
5. $errormsg = "Your Username and/or Password are incorrect. Please try again";
6. } else {
7. // user/password combo correct proceed with login
8. header("Location:http://www.domain.com/secret/logged-in.php");
9. exit;
10. }

As you can see from the above, the user input from the $_POST array is entered straight into the query. Oh and

Insecure code to control user login

1. $username = $_POST['username'];
2. $password = $_POST['password'];
3. $sql = mysql_query("SELECT COUNT(*) FROM users WHERE username = '".$username."' AND password = '".$password."'");
4. …

is no different

So how can this be an issue? Well, all of your registered users will most likely enter their username and password. No issue there. Your MySQL statement would look like this:

SQL Statement

1. SELECT COUNT(*) FROM users WHERE username = 'sarah' AND password = 'sunshine'

However, a visitor wanting to crack your system could enter the following information:

username: sarah
password: ' or '1'='1

Which would give:

SQL Injection Code

1. SELECT COUNT(*) FROM users WHERE username = 'sarah' AND password = " or '1' = '1'

The above would return the total number of records in the table. So going by the very loosely written PHP script above, the if statement of

IF Statement

1. if ($count[0] == 0) {
2. …
3. } else {
4. …
5. }

would provide a value from $count[0] to be above zero (providing there were records in the table), thus giving someone a login without a proper username or password.

Okay so yes, the example is a highly unsecure example, but it does happen. Plenty of people believe that providing there is no direct link to a file on a server, it won't be found out. Trouble is it can be. So pulling the above example apart the first steps security would be

1. Ensure all restricted pages check that the member is logged in by using cookies or sessions or both.
2. Switch the if statement to ensure that only one record is found and allow the user to log in from that, otherwise assume the username/password is wrong and prevent the login.
3. Escape the user entered data.

At this point I'll briefly mention Magic Quotes which is a setting in the php configuration file that can be set to on or off. If set to on then it will escape all user entered data, using the same method as the function addslashes(). It was introduced due to the amount of people who don't escape their user entered data, however it causes nightmares for most PHP developers and is even stated on the PHP.net site that most developers will choose to turn it off, preferring to escape the data when required. However on most shared hosting it's not necessarily easy to do this as you have no control over the php.ini file, so the best way is to check to see if Magic Quotes are on, clean the variable if they are (using stripslashes() function) and then escape the variable. The function that I use (courtesey of Khalid is:

escapeString Function

1. function escapeString($string) {
2. if (get_magic_quotes_gpc()) $string = stripslashes($string);
3. return mysql_real_escape_string($string);
4. }

Here this function uses the mysql_real_escape_string() built in function. The function will add a backslashes to the beginning of any of the characters \x00, \n, \r, \, ', " and \x1a. This will protect you from any SQL injections thus protecting your database.

However don't be fooled into thinking that when I say "user entered data" that I just mean text inputs. Going back to the site I secured last week the original developers had not thought about a couple of issues, which could be have been used in conjunction with one another and allowed someone to wreak havoc on the site or in the database. Considering the site accepted money this is even more important to ensure its security. What was wrong?

Firstly they were storing the user's id and password in cookies. Not necessarily a problem however they were then taking the raw data from the cookies and using it to query the database. Cookies can be edited therefore must be escaped. Then some user entered data was being escaped (but not as securely as the function above will do) but other data wasn't. The site had even had a security update before me and there was still an emerging pattern. When a page had some secured data on it, the unsecured data wasn't secured because the form variables were from checkboxes, radio buttons or a select list. I admit, when I first start out writing PHP I figured that this information couldn't be tampered with therefore didn't require securing. However take a normal form that's there for people to complete and the details go into a database. A questionnaire for example. Plenty of input boxes, radio buttons, check boxes and select lists. The form is submitted to perhaps the same page or another page. We know full well that another completely unrelated site could submit to that php script as well. Take the same form names, which are plain to see in the HTML source, but then instead of a radio button having a prespecified value suddenly someone could submit to the processing script a radio button with their own value.

The simple rule is, never trust data that could have been tampered with. If it's coming from $_GET, $_POST, $_COOKIE or even $_SERVER (after all if the user agent or http referrer can be altered who knows what it would be altered to?) then escape it. These are the 4 I deal with, if there are any further global arrays that should be escaped feel free to add to this list.

For people who use ASP, this Site Point article will be of use.

So to get PHP to work with MySQL you need to first of all tell PHP how to connect to it. In configuring phpMyAdmin (alternatively if you're using it online) you should have a username and password. 9/10 times you'll connect as well to the host "localhost". Unless you're running MySQL on a different server this should be fine for you. So to test your connection details create a file with the following code:

[source:php]< ?php
// first we need to connect to the database
mysql_connect("localhost", "username", "password") or die("Error connecting to MySQL: ".mysql_error());
?>
[/source]

This is a simple connection to test your host, username and password. You need to run mysql_connect() once on a page, when you need to connect to a database. I say once on a page as it doesn't have to be at the start of the page, it can be run when it's first needed, however I seriously advise against running the function more than once in a page else your visitors will start to use up the MySQL connections allowed and you will overload the MySQL server (and your host won't be too happy!). I tend to run the connection at the top of any page that requires it so that I know it's run and I don't have to run it again during the page code. Of course in the code above you need to replace username and password with your own preset username and password for MySQL.

To explain the die() function. This will run if there is an error. If the first function is not successful then it will kill the script dead in its tracks. I've added in a short string so you realise where the error occurs (on a page with many mysql queries etc it can be like finding a need in a haystack!) along with the use of another function mysql_error(). This function prints out the error returned by MySQL to help you debug your code.

If the host, username and password are correct then you shouldn't see an error. In fact you shouldn't see anything if it works, just a blank screen. If you do get an error then you will have to check the username and password are correct and that your host is correct too. MySQL connections are automatically closed when the page has been parsed, executed and displayed, so don't worry, there's no connections being left open here

Once that's working you want to ensure you can select a database and query a table, so to expand on the above:

[source:php]< ?php
// first we need to connect to the database
mysql_connect("localhost", "username", "password") or die("Error connecting to MySQL: ".mysql_error());
// then select the database
mysql_select_db("mydb") or die("Error selecting database: ".mysql_error());
// now query the database
$sql = mysql_query("SELECT * FROM content") or die("Error connecting to table: ".mysql_error());
?>
[/source]

So the above, as the comments say, first connects to MySQL, then it selects which database to use using the mysql_select_db() function. Finally it uses the mysql_query() function with the most basic form of the SELECT statement to retrieve all content from the database and store it in the variable $sql. At this point the script doesn't really do anything productive so what you need to do is extend it further.

We know that the database has the fields rowid, firstname, surname, address and postcode. So we use these to retrieve data from the result in the $sql variable as below:

[source:php]< ?php
// first we need to connect to the database
mysql_connect("localhost", "username", "password") or die("Error connecting to MySQL: ".mysql_error());
// then select the database
mysql_select_db("mydb") or die("Error selecting database: ".mysql_error());
// now query the database
$sql = mysql_query("SELECT * FROM content") or die("Error connecting to table: ".mysql_error());
// now display the information using a while loop
while ($rowdetail = mysql_fetch_array($sql)) {
print "

Name: ".$rowdetail['firstname']." ".$rowdetail['surname']."
\n";
print "Address: ".$rowdetail['address']."
\n";
print "Postcode: ".$rowdetail['postcode']."\n";
print "

This will then produce a list of results along the lines of

Name: John Smith
Address: 1 New Street, Any Town, Some County, England
Postcode: NS1 3FG

---

Name: Mary Jones
Address: 22 Wood Road, London, Greater London
Postcode: W4 3KF

---

So how does it work? The while loop, as explained previously, runs whilst the condition is true. So in this instance it is saying whilst there is a row to 'fetch' then run the following set of statements. To retrieve the table row details I've used this line:

[source:php]$rowdetail = mysql_fetch_array($sql)[/source]

As explained on the PHP.net site, mysql_fetch_array() Returns an array that corresponds to the fetched row and moves the internal data pointer ahead. It stores the details into the array variable $rowdetail. The array indexes are then defined by the fieldnames of the table. As you can see the print statements then just print the information out using each index. Once all statements are executed it then repeats until all rows have been displayed.

This is the most straightforward method of database retrieval. You can display the information and also choose which information you like as you like (in this case I didn't bother using the rowid). It can be displayed in an XHTML table, a list or however you wish.

So what else can you do with the SELECT statement? Well there are plenty of options available. I'll only touch on the basics and advance as and when required. So options available at this point are:

[source:sql]
// select all rows and details with no conditions
SELECT * FROM content
// select just the firstname and surname
SELECT firstname, surname FROM content
// select all rows where the surname is Jones
SELECT * FROM content WHERE surname LIKE 'Jones'
// select all rows where the surname contains "Mac" – here we use the wildcard % to match part of a string
SELECT * FROM content WHERE surname LIKE '%Mac%'
// select all rows and put in alphabetical order of the surname
SELECT * FROM content ORDER BY surname ASC
// select just the first 5 rows of the table
SELECT * FROM content LIMIT 5
// select just the first 3 rows of the table after the first 2 (so rows 3-5)
SELECT * FROM content LIMIT 2, 3
// select rows where the firstname contains sam and the surname contains mac
SELECT * FROM content WHERE firstname LIKE '%sam%' AND surname LIKE '%mac%'
// now put a whole select statement together
SELECT firstname, surname FROM content WHERE surname LIKE '%mac%' ORDER BY firstname ASC LIMIT 30
[/source]

using the previous PHP example, if you only want to retrieve one record from the table then you do not need to use the while loop but just the mysql_fetch_array() function on it's own ie.

[source:php]
< ?php
// first we need to connect to the database
mysql_connect("localhost", "username", "password") or die("Error connecting to MySQL: ".mysql_error());
// then select the database
mysql_select_db("mydb") or die("Error selecting database: ".mysql_error());
// now query the database
$sql = mysql_query("SELECT * FROM content WHERE surname LIKE '%mac%' LIMIT 1") or die("Error connecting to table: ".mysql_error());
// save information into the array $rowdetail
$rowdetail = mysql_fetch_array($sql);
// print the information out on the page
print "

Name: ".$rowdetail['firstname']." ".$rowdetail['surname']."
\n";
print "Address: ".$rowdetail['address']."
\n";
print "Postcode: ".$rowdetail['postcode']."\n";
?>
[/source]

As you can see the above is virtually the same except that you only need to retrieve an array once so there is no requirement for the While loop.

That's probably the most used MySQL statement in web page development. It may not seem like it now but that statement is all you usually need to use on a typical database driven web site.