Ok so hopefully you read this tutorial first so that you have a basic understanding of the different types of array and what we can store in them.

Built-in Array Functions

Rather than mess around coding our own functions, which so many new developers do without even looking to see if it’s already been done, PHP comes with quite a lot of built-in functions to do different things with arrays. We’re not going to look at them, just the most useful ones, but if you want to see the complete list then click here.

Basic Functions

The most basic function to do with arrays is simply array() itself which simply creates a new array, PHP is a forgiving language and therefore we don’t need actually need to declare an array, but if adhering to good practice then we use this function like this;

<?php

$my_new_array = array();

?>

This function can also be used to create a standard number-indexed array or an associative array using some parameters, here’s another example;

<?php

// example one - number index (0-4)
$my_pets = array('dog', 'cat', 'frog', 'fish', 'lizard');
echo $my_pets[0]; // will print 'dog' without the quotes

// example two - associative
$fruits = array('banana'=>'yellow', 'pear'=>'green', 'kiwi'=>'green');
echo $fruits['kiwi']; // will print 'green' without the quotes
?>

It’s simple to create arrays with many values on one line using the array() function and can come in handy at times. There are other ways for building arrays though, for example it’s possible to build a multi-dimensional array out of two standard arrays using array_combine(). We all know that a multi-dimensional array needs two things; a key and a value, so all we need is two arrays - one for keys and one for values;

<?php

$key_array = array('the', 'php', blog');
$value_array = array('guitar', 'spork', 'raptor');

$new_array = array_combine($key_array, $value_array);
echo $new_array['blog']; // will print 'raptor' without the quotes

?>

As we can see, ‘the’, ‘php’ and ‘blog’ have become keys whilst ‘guitar’, ’spork’ and ‘raptor’ (the first three things I saw looking around my room (don’t ask).

For Debugging

A great function for when you’re debugging your web application, blog or whatever in between is print_r(). If we use print($some_array) then all we’ll get is PHP printing the word ‘Array’ or similar. If we use print_r($some_array) then we get something a bit more interesting and useful for when we just can’t figure out what’s wrong with our code but we suspect it’s an array, it looks like this;

<?php

$my_array = array('knife', 'fork', 'spoon');
print_r($my_array);

?>

This code will give us an output that looks like this;

Array
(
	[0] => knife
	[1] => fork
	[2] => spoon
)

Now we can see the entire contents of our array, this works for any type of array.

Our next useful function we’re going to look at is array_key_exists(). If you haven’t already guessed what it does, it searches through a multi-dimensional array to see if a key exists, like this;

<?php

$fruits = array('banana'=>'yellow', 'pear'=>'green', 'kiwi'=>'green');

if ( array_key_exists('kiwi', $fruits) )
{
	echo 'Found a kiwi';
}

?>

The above code would print ‘Found a kiwi’ because there is a key called ‘kiwi’ in the array $fruits.

Next we have a function with use in some situations, maybe a random quote generator, or maybe an employer deciding who to fire today; array_rand(). There is no example for this function, it takes two parameters, the first one specifies the array, the second is optional and specifies how many random elements to return (default 1).

For searching through an array, we have the appropriately named array_search(), this function will search an array (second parameter) and if a value exists that matches the search then it’ll return the key. The parameters are; search value, array to search, strict. They are all self explanatory apart from strict, strict is false by default but if changed to true it will be a literal serach, meaning that ‘5′ as a string and the number 5 without quotes are different things. This function is a bit more tricky, here’s an example (without strict);

<?php

$fruits = array('banana'=>'yellow', 'pear'=>'green', 'kiwi'=>'green');
echo array_search('yellow', $fruits); // will print 'banana' without the quotes

?>

Similar to array_search() is a, for some reason more popular, function called in_array(). This function is simplistic, the first parameter is what we’re searching for and the second parameter is the array we’re searching, this function returns true or false.

Nested Arrays

Now we’re wrapping up the useful functions and we’re going to briefly look at something equally useful, nested arrays. Previously we’ve looked at single-dimensional arrays, multi-dimensional arrays and now we’re going to look at nested, nested arrays are basically a multi-dimensional array where some of the values are arrays themselves. Incase you’re confused by how many times I’ve said ‘dimensional’, here’s an example;

<?php

$nested = array('a' => 'the', 'b' => 'php', c => array('1', '2', '3'));
print_r($nested);

?>

Would give us an output a little like this;

Array
(
    [a] => the
    [b] => php
    [c] => Array
        (
            [0] => 1
            [1] => 2
            [2] => 3
        )

)

As you can imagine, nested arrays can be very useful especially for storing stuff like user data, geographic information or anything in between.

Conclusion

We’ve had a quite a long tutorial with some useful functions, or maybe it just feels like that because it takes longer to write than to read. But we’ve touched on some more advanced techniques we can use with arrays, if you’re interested in reading even more into this subject then click here for a complete list!

Hope you enjoyed this tutorial, if you have any comments or questions then leave a comment.

The concept of arrays are simple. If you create a variable to store a value, it does exactly that, stores a single value. Whether it’s an integer, string or anything in between. An array is basically a variable that can hold multiple values. Arrays have many uses, but that’s a little beyond what we’re looking at in this tutorial, we’re just trying to get to grips with them for now. Let’s look at the basic syntax for an array;

<?php

$my_array[0] = 'Red';
$my_array[1] = 'Green';
$my_array[2] = 'Blue';

?>

Here we’ve created an array that holds three different values, Red, Green and Blue respectively. These values can be referenced by their number, 0-2. An important note is that arrays are typically started from 0, so in our array which holds values 0-2, there are three values. Forgetting to count the 0 as a number in programming is often called a fencepost error (or off-by-one error). The values are accessed in the same way they are set;

<?php

// echo's 'Red and Blue' (without quotes)
echo $my_array[0] . ' and ' . $my_array[2];

?>

Using arrays in this way can have many uses, but let’s say for arguments sake (so we have something to learn) that we want to store the hex values for the colours (or ‘colors’ for those who choose to butcher the english language!), why not? Let’s have a look at two solutions, one is the bad solution using variables that you so often see in newbie projects, one is the better solution using arrays;

<?php

// messy, messy, messy!
$colour_one_name = 'Red';
$colour_one_hex = '#ff0000';
$colour_two_name = 'Green';
$colour_two_hex = '#00ff00';
$colour_three_name = 'Blue';
$colour_three_hex = '#0000ff';

// the better approach
$colours['red'] = '#ff0000';
$colours['green'] = '#00ff00';
$colours['blue'] = '#0000ff'; 

?>

As you can see, the array approach is much tidier and saves a lot of lines of code in comparison to the variable approach. Ok now we’ve learnt the basics of an array, it can hold a number and a value or a key and a value. Well what if we wanted to store something like employee details (how cliche), we’ll need a sort of… array-within-an-array scenario?…

Multi-Dimensional Arrays

Ooooh, doesn’t it sound scary? Have no fear, multi-dimensional arrays, or associative arrays, may have a big name but they’re actually very simple (and even more useful!). So let’s go back to that previous situation of employee records, of course with what we’ve learnt so far we could come up with something that could work…

<?php

$employee_one['name'] = 'Dan Walker';
$employee_one['email'] = 'dan[at]thephpblog[dot]com';
$employee_one['gender'] = 'm';
$employee_one['salary'] = 99999999; // one day....

$employee_two['name'] = 'Joe Bloggs';
$employee_two['email'] = 'joe[at]bloggs[dot]com;
$employee_two['gender'] = 'm';
$employee_two['salary'] = 20000; // one day....

?>

The above works, we’ve created two arrays, one for each employee, and filled it with data using the key and value method we learned about earlier. That’s great, but what if we wanted to create a loop that displayed all our employee names or something? Well then we’d be pretty screwed because they have different names and we’d have to recode everything every time we added a new employee! Not good! But what if we could put a key and value array inside a standard incremental array. Now you’re thinking!

<?php

$employees[0]['name'] = 'Dan Walker';
$employees[0]['email'] = 'dan[at]thephpblog[dot]com';
$employees[0]['gender'] = 'm';
$employees[0]['salary'] = 99999999;

$employees[1]['name'] = 'Joe Bloggs';
$employees[1]['email'] = 'joe[at]bloggs[dot]com';
$employees[1]['gender'] = 'm';
$employees[1]['salary'] = 20000;

?>

Note: Notice that the salary values do not have quotes round them, that’s because they’re integers - arrays can hold different types of data just as a variable can.
Now that my friend is looking a lot cleaner. The logic is simple, $employees[0] now contains another array, as does $employees[1]. Because these arrays are nested within another array, this is where we get the name multi-dimensional array from (as if you hadn’t already guessed that).

Because we’ve done it this way we can now cycle through loops to do stuff, let’s say we want to list all our employee names, this is how we’d do it.

<?php

$employees[0]['name'] = 'Dan Walker';
$employees[0]['email'] = 'dan[at]thephpblog[dot]com';
$employees[0]['gender'] = 'm';
$employees[0]['salary'] = 99999999;

$employees[1]['name'] = 'Joe Bloggs';
$employees[1]['email'] = 'joe[at]bloggs[dot]com';
$employees[1]['gender'] = 'm';
$employees[1]['salary'] = 20000;

for ($i=0; $i<count($employees); $i++)
{
	echo $employees[$i]['name'] . '<br />';
}

?>

Would list the two employee names on different lines. You see if we use count($employees) then it counts how many values are in the top layer of our array, the first brackets. There are 2 values in this array and so the loop loops twice. It’s important to remember we start the loop from 0 because our array starts from 0.

Conclusion

Of course this has just been the basics of arrays, if you’re interested in how we could use an array like our employees one, why not take a look at my PHP MySQL class which stores its results in a multi-dimensional array.

Thanks for reading, questions and comments welcome =]

When you’re trying to get a site off the ground like a tutorial site and your hits are steadily increasing the worst thing that could happen is an unexpected period of downtime with no explanation, especially when that downtime is about 5 days long.

Recently we’ve experienced a lot of downtime thanks to our previous host, Crissic. Although it is not the job of this blog to compare and evaluate hosts, we’d heavily recommend not using Crissic and definitely using HostGator due to the quick support, cheap plans and ease of setup.

Again we apologize for all the recent downtime but hopefully this has come to an end!
The PHP Blog team

Using functions in your code should be 2nd nature in medium to large scale projects. In basic terms, a function is a block of code with a name, and a majority will take parameters/arguments and return a value(s). If you’ve done PHP before (if you’re reading this I’m guessing you have) you no doubt will have encountered functions without knowing it - here’s some you’ve probably ran into; echo(), require_once(), include_once(), die(). All of these functions are already built in to PHP and unlike other languages you don’t need to do anything before you can use them.

Basic syntax

There’s two pieces of code you need to know when using and creating functions, the code to create them and the code to call them. Let’s take a look at both.

function myFunction(/* parameters here*/)
{
	// code goes here

	// return a value (optional)
	return true;
}

This code would create a (useless) function called myFunction(), to call it in our code we’d do something like this;

myFunction(/*parameters here*/);

Obviously without the commented /*parameters here*/. As you can see, by storing a chunk of code in one location and referencing it rather than rewriting it over and over again, if we have a problem with the code we only have to edit one location rather than several. Also if we want to update the code or anything in between, we can again do it from one location. Of course, nothing makes sense without a real world example, so lets say that we have an application that needs to check if a number is even, here’s a simple way of how we’d go about that;

function is_even($number)
{
	if ($number % 2 == 0 )
	{
		return true;
	} else {
		return false;
	}
}

$myNumber = 1491823;

if ( is_even($myNumer) )
{
	echo $myNumber . ' is even!';
} else {
	echo $myNumber . ' is odd!';
}

Granted the above function won’t be the most useful one you’ll keep under your belt but the theory is there. Let’s go through it bit by bit and see what’s happening. First of all we’re creating a function called is even which takes one parameter called $number. A parameter is something you can pass into a function, it can be a number, string, variable and so on. Next up for those of you who don’t know what the % is, it shows the remainder, obviously dividing an even number in 2 will have no remainder which is how we find out what the number is. The rest of the code is self explanatory, we can use it just like any other function.

But hang on, let’s roll back a bit and take another look at the variables we’re using. Now something to keep in mind is that outside of the function {} we can not edit any of the variables inside, vice versa - we can not edit variables not inside the function {} from inside the function {} - not the best way to word it, so let’s move on and look at an important factor of functions…

Variable scope

Variable scope is quite a large subject and we only want to know what we need, so we won’t go too far in depth but I heavily recommend looking it up and doing some further reading, it can cause a lot of problems if you’re not knowledged in the area.

Every variable is born with its own scope, a scope is the area in which it can be used in any way. Look at this example;

function set_something()
{
	$something = 'hello world';
}

echo $something;

This would echo nothing as $something is local to the function. Variables defined inside functions are local to that function and can not be used by the main body of code as standard. However, the scope of variables can be expanded. The following two examples will work.

$myVar = 1;

function example()
{
	global $myVar;

	$myVar = $myVar + 10;
	return $myVar;
}

echo example(); // would echo 11

$myVar = 1;

function example()
{
	$GLOBALS['myVar'] = $GLOBALS['myVar'] + 10;
}

echo $myVar; // would echo 11

That’s right kids, the way functions can access variables outside their local scope is to either declare the variable as global as in example #1 or to use the superglobal - $GLOBALS. So long as the function knows to look for a variable in the global scope, we’re in business.

Whilst we’re on the subject of scope let’s quickly brush on to static scope variables and their use within functions. We know that normal variables in a function have local scope, to use variables outside the function we use the global scope, but when a function ends and returns the control to the main code again it will forget any local variables it used, what if we wanted to remember them?

Introducing the static varaible. Static variables are identical to local scope variables with the exception they will only be initialized once and will be remembered in the function. Let’s say you want a function to keep count of something, for our example let’s say we want to keep count of how many times we query a database, it’d need to look a little something like this;

$myVar = 1;

function query_count()
{
	// only initalized once
	static $count = 0;

	$count++;

	echo $count;
}

// some query here
query_count();
// some query here
query_count();
// some query here
query_count();

The above would echo 123. The static $count = 0; is the code that initializes the variable and is only executed once and ignored then on. Also for those who are wondering what the ++ means, it incremements the variable calling it by 1.

The one-line return

The return command doesn’t just return true, false or a variable, it can be used for pretty much anything.

function some_function()
{
	$some_var = $var_a + $var_b;
	return $some_var
}

Can be expressed as

function some_function()
{
	return $var_a + $var_b;
}

Just a small tip that saves time, lines of code and variables. The return function can do anything, even call other functions!

Conclusion

Well I hope you’ve got to grips with basic functionality of functions (pun?), be sure to keep a look out for part 2 where we’ll look at more in depth and advanced functions and varaibles. Any questions or suggestions let me know just below (poet?!)

SQL injection is an extremely overlooked problem, especially with how easy it is for Joe Bloggs and John Smith to setup their own website and do with it what they wish. SQL injection is the equivalent of letting any old user manipulate your database, be it for malicious purposes or not.This dangerous flaw is easy to prevent, however it is easier to overlook. Every time your website or application commits an SQL query with input that is given to it from the user, it is a possibility for SQL injection if you are not safeguarded properly. Today we’re going to learn how the SQL injection is done and how to prevent it in easy to swallow chunks, here we go…

Right, so how do you do it?

It’s much simpler than it sounds, SQL injection is simply changing the query from what it was intended to do with it what you wish, let’s skip the boring footwork and jump in head first. In order to ‘do’ SQL injection you need a vulnerable website or application, of course to demonstrate prevention and so on we need to use a language, surprise surprise the language we’ll be using today is PHP coupled with it’s wonderful brethren, MySQL. Consider this, you have a page called profile.php that when accessed properly will pull information about a certain user from your wonderfully crafted database. Let’s say the query looks like this;

mysql_query("SELECT 	first_name,
						last_name
						FROM users
						WHERE user_id = '$_GET['id']'");

Seemingly harmless, when executed properly this query will pull two fields from a table called users. In order to wreak havoc inject SQL into this query we need to perform our own query, let’s say for example; DROP TABLE users, seems only right. Obviously if we visited profile.php?id=123 then the query would look a little like this;

mysql_query("SELECT 	first_name,
						last_name
						FROM users
						WHERE user_id = '123'");

Simple enough, this query will fetch the first name and last name of a user who has an ID of 123. Obviously not the best designed query as it’d be better to limit the amount of results etc but that is beyond the scope of this tutorial. Now let’s say we change profile.php?id=123 to profile.php?id=DROP TABLE users. The query that is executed now looks something like this;

mysql_query("SELECT 	first_name,
						last_name
						FROM users
						WHERE user_id = 'DROP TABLE users'");

Pretty useless. All this query is doing is what’s intended of it and searching for a record where the user_id is set to DROP TABLE users. To actually make our command execute, we need to ‘escape’ the friendly SQL query and insert our own query, I’d like to introduce the single quote ( ‘ ). When you search for a string using SQL, in order to prevent the string from interfering with the query, it is wrapped in a set of single quotes. If we use a single quote in our query it suddenly becomes a little more interesting. Let’s try ‘DROP TABLE users.

mysql_query("SELECT 	first_name,
						last_name
						FROM users
						WHERE user_id = ''DROP TABLE users'");

What we have done is made it so that the string to search for is simply blank, by using a single quote we have closed the string and we are now inside the actual query, exciting isn’t it? If you were to execute the above query all you’d receive back would be an error (although this varies depending on the PHP configuration). ‘Great’ I hear you saying, but one of the golden rules when trying to exploit something is learning to love error messages. One of the quickest ways to find out whether a site can be exploited is to slap a single quote in a few of the $_GET variables and see if you receive an error message. If you do then it’s likely there’s a gaping hole for you to destroy report to the local administrator. Of course this isn’t always true, depending on many factors and should only be used as a quick first resort to check for vulnerability.

So we have an error message, awesome, we can manipulate the SQL query! Now the reason the above query didn’t work is because it is read as a single command to execute, we’re executing a SELECT command to select records from a database, shoving a DROP TABLE command in half way through isn’t going to be expected and therefore it’s going to cause a problem. The way we get round this is to close the SELECT command in order to inject our own SQL. The way to properly end a command in SQL is the same as with most languages, with a semi-colon, so all we need to do is end the previous command and then begin our own. One thing we need to remember is that the query we’re ending mustn’t cause an error because if it does then the error will stop the query and our command won’t be reached. Let’s inject.

mysql_query("SELECT 	first_name,
						last_name
						FROM users
						WHERE user_id = ''; DROP TABLE users'");

We inserted ‘; DROP TABLE users. What we did was inserted an apostrophe to close the string followed by a semi-colon to end the query that’s searching for the user, as far as anyone is concerned the first command in this query is valid, the second one however is not. Why? Because after our command there is a single apostrophe lingering from the first command where we injected. Uh oh. Our command won’t be executed because there’s an error in it now. Another hurdle that can be jumped, essentially we need to ignore everything after what we’ve injected, we don’t care about it. In order to ignore the rest we have to use an SQL comment signified by two hyphens (–). Once two hyphens are read, the rest of the query is simply ignored and what we have is a successful command, before we comment out the rest of the query however, we need to end our command with the semi-colon. All in all our query now looks like this.

mysql_query("SELECT 	first_name,
						last_name
						FROM users
						WHERE user_id = ''; DROP TABLE users;--'");

Voila, you’ve just upset a database administrator somewhere, congratulations. Now one thing we should touch on is getting around basic PHP/MySQL authorization with SQL injection.

Correct login OR 1=1?

Some (very) weak PHP login scripts that use a MySQL database use the actual query to check authorization rather than querying the database and then doing some playing with the results. Here’s an example of an extremely weak query;

myqsl_query("SELECT 	user_id
						FROM users
						WHERE username = '".$username."' AND password = '".$password."'");

Now the reason people might use this query for authorization is that when the username and password specified are found in the database the above query will return TRUE, well actually it’ll return the user_id but for our example we’ll just assume that the PHP code just checks for any returned value. If the user isn’t found, the query will evaluate theoretically to FALSE. With this information in mind we already know that in order to get round this authorization, what we need is the query to return true - we can do this with some more SQL injection.

Assuming that the above query is used in the PHP code, we need to inject something that will make the query return true (or a value) no matter what credentials we supply. Well first we need to break into this query, there are two possibilities here; username and password, we’re going to use username. Now we know where we’re going to break into the query we need to make it return true, what will always return true?… 1=1. We need to tell MySQL to evaluate 1=1 rather than the username and password, to do that we’re going to use a little boolean algebra and use OR. Let’s see what this looks like with the username field injected;

myqsl_query("SELECT 	user_id
						FROM users
						WHERE username = '' OR 1=1;--' AND password = '".$password."'");

By inserting a single quote, we escape from the username comparison and we’re now in the SQL query as we’ve previously learned. The next thing we do is insert an OR clause, this checks to see if the username is blank OR 1=1 and of course we then need to end this command and comment out the rest. Voila.

Now it’s all well and good being able to conduct SQL injection, but now it’s time to move on to the more important matter…

Countering SQL injection

It’s important to understand how the attackers will attempt to use SQL injection to attack your website in order to understand where the threats/weaknesses lie so we can use this knowledge to secure these flaws. You might be expecting paragraph upon paragraph of information on countering this threat but in reality you can protect yourself against it easily.

As with all input that PHP uses, it should be sanitized to ensure it can not interfere where it shouldn’t. The obvious method for protection is to simply remove all single quotes from a string or simply display an error if they are used, but this can cause problems when you apply it to a website that needs to display single quotes such as a review website or forum where you need to use words like can’t and don’t etc.

Note: It’s important to remember that the great thing about PHP is people can solve things in their own way, everyone has their own preferred method for countering SQL injection and this just happens to be the way I’ve chosen to convey to you.

Escaping characters

In order to use certain characters safely in a query, we need to escape them. This means prepending then evil character with a backslash, so ‘ becomes \’ and for extra safety, \ becomes \\. Now finding all the evil characters and putting backslashes in front of them might seem a bit of a chore, but PHP has a few handy functions that can help us. One of the most common is the addslashes() and stripslashes() functions. It is as simple as it sounds, addslashes() will add slashes before your evil characters and stripslashes() will take them away. Simple as that. Here’s a quick example;

$evil_name = "dan' OR 1=1;--";
$password = "abc123"
mysql_query("SELECT 	*
			FROM users
			WHERE username='".addslashes($evil_name)."' AND password='".addslashes($password)."'");

This query should now be safe to run as the quotes in the original name have been escaped, the username now looks like this: dan\’ OR 1=1′– which is not harmful to our query. Although there are many methods in which to prevent SQL injection, we’re just going to look at one more function provided by PHP and that’s mysql_real_escape_string(). This function has a little sister called mysql_escape_string(), the difference is that mysql_real_escape_string() takes into account the current character set used in the connection to the database. Using the same method as above, the query would look like this;

$evil_name = "dan' OR 1=1;--";
$password = "abc123"
mysql_query("SELECT 	*
			FROM users
			WHERE username='".mysql_real_escape_string($evil_name)."' AND mysql_real_escape_string ='".addslashes($password)."'");

Another safe query successfully executed on the database.

Conclusion

We’ve learnt today that SQL injection is a major threat if not dealt with correctly and dealing with it isn’t at all hard and is only overlooked by developers who are either not knowledgable in this area or those who are just plain lazy. There are exceptions (human error) when skilled developers forget to apply SQL injection countering and this is why still today flaws exist on millions of sites (as a small example i found one in the United Nations website which was exploited a few months later by turkish hackers).

Remember that all input from users can’t be trusted, and you have to treat everything you use as another possibility for a bad guy to find their way in, don’t get caught out. I hope you enjoyed this tutorial, the first tutorial on this blog, any questions etc are welcome using the comments form below, or by sending me an email at [dan] [at-symbol] thephpblog[dot]com

Basically we’re aiming to cover all aspects of PHP coding that the common developer will run in to, we’ll also aim to teach you new techniques and styles to improve your codes efficiency, style and overall effectiveness.

Stay tuned!

With the launch of The PHP Blog we’ll aim to deliver 1-2 tutorials a week and as time progresses we’ll aim to expand our staff force and bring you more weekly updates, thanks for reading and we hope you stay tuned