PHP and MySQL - Chapter 13 Review questions

What are some of the inappropriate strings and characters that could be indicators of potential spam attempts?

Strings that have special meaning to email software, such as content-type:, mime-version:, multipart-mixed:, content-transfer-encoding:, bcc:, cc:, and to:, and the various sequences that are interpreted as newline characters: \r, \n, %0a and %0d.

What does the stripos( ) function do? What is its syntax?

The stripos() function finds the numeric position of the first occurrence of needle in the haystack string. The search is case insensitive, and the function returns false if needle is not found.

The syntax of the stripos() function is:

int stripos ( string $haystack , string $needle [, int $offset = 0 ] )

Full details can be obtained at The PHP manual site.

What does the str_replace( ) function do? What is its syntax?

str_replace() returns a string or an array with all occurrences of search in subject replaced with the given replace value.

The syntax of the str_replace( ) function is:

mixed str_replace ( mixed $search , mixed $replace , mixed $subject [, int &$count ] )

The search and replace values can be provided as arrays, in which case each search entry is replaced by the corresponding replace entry; the exact behavior depends on the sizes of the two arrays relative to each other.

Full details can be obtained at The PHP manual site.

What does the array_map( ) function do? What is its syntax?

The array_map( ) function returns an array containing all of the elements of the argument array1 after applying the callback function to each element. The callback function should accept as many parameters as there are arrays passed to array_map( ).

The syntax of the array_map function is as follows:

array array_map ( callable $callback , array $array1 [, array $... ] )

Full details can be obtained at The PHP manual site.
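The following is an added example, not code from the page or from the book it reviews. It ties together the four points above: the header strings and newline sequences from the first question are detected with stripos(), the newline sequences are neutralised with str_replace(), and the scrubber is applied to every form field with array_map(). The $post array is constructed sample input standing in for $_POST.

```php
<?php
// Added example: scrub form input before it is handed to mail().
// The bad-string list is the one given on the page; $post is constructed.

function spam_scrubber(string $value): string
{
    // Header names that must never appear in a value that will end up in
    // an email header. Any hit discards the whole value.
    $very_bad = ['to:', 'cc:', 'bcc:', 'content-type:', 'mime-version:',
                 'multipart-mixed:', 'content-transfer-encoding:'];
    foreach ($very_bad as $v) {
        // stripos() is case-insensitive. Compare against false explicitly:
        // a match at position 0 would otherwise be treated as "not found".
        if (stripos($value, $v) !== false) {
            return '';
        }
    }
    // Replace every newline form, raw and URL-encoded, with a space. With
    // an array for $search and a string for $replace, every entry in the
    // array is replaced by that one string.
    $value = str_replace(["\r", "\n", "%0a", "%0d"], ' ', $value);
    return trim($value);
}

// Constructed sample input in the shape of $_POST.
$post = [
    'name'    => "Alice\r\nBcc: someone@example.com",
    'email'   => 'alice@example.com',
    'comment' => "Line one\nLine two",
];

// array_map() calls spam_scrubber() once per element. With exactly one
// input array the callback takes one argument and string keys are kept.
$scrubbed = array_map('spam_scrubber', $post);
// $scrubbed['name']    === ''                  (header injection attempt dropped)
// $scrubbed['email']   === 'alice@example.com'
// $scrubbed['comment'] === 'Line one Line two'
```

Discarding a field outright on a header-string hit, rather than trying to repair it, keeps the scrubber simple and avoids partial matches slipping through; the newline replacement then removes the only other way to start a new header line.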

What is typecasting? How do you typecast a variable in PHP?

Typecasting is the process of converting a value to a specified type, e.g. float, int, or string. PHP performs a great deal of automatic type conversion depending on the context in which a variable is used.

Typecasting forces the conversion of a value to the specified type by placing the desired type name in parentheses immediately before the value that is to be cast.

For example:

$foo = 10; // $foo is an integer
$bar = (boolean) $foo; // $bar is a boolean

$var = 20.2; // $var is a float value
echo (int) $var; // prints the value '20'

Additional details can be obtained at The PHP manual site.

What function is used to move an uploaded file to its final destination on the server?

The function that is used to move an uploaded file to its final destination is move_uploaded_file( ). It only moves files that were actually uploaded via HTTP POST in the current request, which is why it is preferred over a plain copy.

Additional details can be obtained at The PHP manual site.

What is the Fileinfo extension? How is it used?

The Fileinfo extension is a PHP library that is used to determine a file's type (and encoding) by examining the file for "magic bytes" or "magic numbers" within the file. For example, a GIF image begins with the ASCII text GIF89a or GIF87a, and the data that makes up a PDF file starts with %PDF.

Fileinfo is used by first creating a Fileinfo resource:

$fileinfo = finfo_open(kind);

The kind value is one of several constants that are available, and to determine a file's type, the constant is FILEINFO_MIME_TYPE.

$fileinfo = finfo_open(FILEINFO_MIME_TYPE);

Then the finfo_file() function is called, providing the created Fileinfo resource and a reference to the file that you want to examine:


The file's MIME type is returned.

Finally, the Fileinfo resource should be closed:


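As an added example (not the page's or the book's own code), here is the upload flow the two preceding answers describe in one function: the file is identified by its magic bytes with finfo_open()/finfo_file()/finfo_close(), checked against an allow-list, and only then moved with move_uploaded_file(). The form field name "upload", the $uploadDir path and the allow-list are assumptions.

```php
<?php
// Added example: validate an uploaded file by content, then store it under
// a server-chosen name. $file is one entry of $_FILES; $uploadDir is assumed.

function store_upload(array $file, string $uploadDir): ?string
{
    // Abort on any upload error reported by PHP.
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }

    // Allowed MIME types mapped to the extension we will assign. The
    // client-supplied name and 'type' entries are never trusted.
    $allowed = [
        'image/gif'       => 'gif',
        'image/jpeg'      => 'jpg',
        'image/png'       => 'png',
        'application/pdf' => 'pdf',
    ];

    // Fileinfo reads the magic bytes from the temporary file.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);

    if ($mime === false || !isset($allowed[$mime])) {
        return null;   // e.g. a script renamed to .jpg has no image header
    }

    // Random name chosen by the server: no path traversal from the original
    // filename, no collisions, and no extension picked by the uploader.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16))
          . '.' . $allowed[$mime];

    // move_uploaded_file() refuses anything that was not uploaded via POST.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}

// Usage (assumed form field "upload"; keep the directory outside the web root
// so a stored file can never be requested and executed directly):
// $saved = store_upload($_FILES['upload'], '/var/www/uploads_private');
```

Checking the content rather than the extension matters because the browser-supplied name and MIME type both come from the client; Fileinfo looks at the bytes the server actually received.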
What does the htmlspecialchars( ) function do?

htmlspecialchars( ) is a function that converts certain characters that are significant in HTML processing into their equivalent HTML entity format. & becomes &amp;, double quote becomes &quot;, < becomes &lt;, etc.

What does the htmlentities( ) function do?

htmlentities( ) turns all applicable characters into their HTML entity format, not just the few that are significant to HTML markup.

What does the strip_tags( ) function do?

strip_tags( ) removes all HTML and PHP tags from a string.

What function converts newline characters into HTML break tags?

nl2br( ) is the function that inserts an HTML break tag before every newline in a string.
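The following added example (not the page's code) runs the four output functions from the last four answers over one constructed comment string so the differences are visible, and shows the ordering that matters when nl2br() and htmlspecialchars() are combined.

```php
<?php
// Added example: compare htmlspecialchars(), htmlentities(), strip_tags()
// and nl2br() on one constructed piece of user-supplied text.

// Constructed input: markup, an ampersand, quotes, newlines and a non-ASCII char.
$comment = "Nice <b>post</b> & \"thanks\"\n<a href='#'>link</a>\nCafé";

// htmlspecialchars(): only &, <, >, " and (with ENT_QUOTES) ' become entities.
$special = htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
// Nice &lt;b&gt;post&lt;/b&gt; &amp; &quot;thanks&quot;\n&lt;a href=&#039;#&#039;&gt;link&lt;/a&gt;\nCafé

// htmlentities(): every character that has a named entity, including é.
$entities = htmlentities($comment, ENT_QUOTES, 'UTF-8');
// ... Caf&eacute;

// strip_tags(): removes the markup but leaves & and the quotes untouched,
// so on its own it does not make text safe to place inside HTML.
$plain = strip_tags($comment);
// Nice post & "thanks"\nlink\nCafé

// Rendering a multi-line comment: escape FIRST, then nl2br(). Done the
// other way round, htmlspecialchars() would turn the inserted <br /> tags
// into &lt;br /&gt; and the visitor would see them as literal text.
function render_comment(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

$html = render_comment($comment);
// Nice &lt;b&gt;post&lt;/b&gt; &amp; &quot;thanks&quot;<br />\n&lt;a href=&#039;#&#039;&gt;link&lt;/a&gt;<br />\nCafé
```

For untrusted comments, escaping everything with htmlspecialchars() is the safer default; strip_tags() with an allow-list of tags still leaves attributes to worry about.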

What is the most important function in the Filter extension? How is it used?

filter_var( ) is the most important function in the Filter extension.

Various validation filters are available. A number of them test that a variable holds a value of a specific type or content, such as FILTER_VALIDATE_INT and FILTER_VALIDATE_EMAIL. An example that checks whether a variable has a decimal value is shown next:

if (filter_var($var, FILTER_VALIDATE_FLOAT) !== false) {
    // $var holds a valid decimal number. Compare against false explicitly:
    // a valid value of 0 is falsy and a bare if() would wrongly reject it.
}

More details are available at The PHP manual site.
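As an added example (not the page's code), the function below validates a constructed set of form fields with filter_var(), using the range options that FILTER_VALIDATE_INT accepts and showing why the result must be compared with false. The field names are assumptions.

```php
<?php
// Added example: validate a constructed order form with filter_var().

function validate_order(array $input): array
{
    $errors = [];

    // FILTER_VALIDATE_INT accepts min_range/max_range options. Compare with
    // !== false: a valid "0" is falsy, so a bare if() would reject it.
    $qty = filter_var($input['quantity'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($qty === false) {
        $errors[] = 'quantity must be an integer from 1 to 100';
    }

    // Returns the value as a float on success ("0" -> 0.0), false otherwise.
    $price = filter_var($input['price'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($price === false) {
        $errors[] = 'price must be a decimal number';
    }

    $email = filter_var($input['email'] ?? null, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email address is not well formed';
    }

    // A sanitising filter only strips characters that cannot appear in a URL;
    // it does not check that what is left is a URL, so validate afterwards.
    $site = filter_var($input['website'] ?? '', FILTER_SANITIZE_URL);
    if ($site !== '' && filter_var($site, FILTER_VALIDATE_URL) === false) {
        $errors[] = 'website is not a valid URL';
    }

    return [
        'ok'     => $errors === [],
        'errors' => $errors,
        'values' => ['quantity' => $qty, 'price' => $price,
                     'email' => $email, 'website' => $site],
    ];
}

// Constructed input. The price "0" is a legitimate decimal and must pass.
$result = validate_order([
    'quantity' => '3',
    'price'    => '0',
    'email'    => 'buyer@example.com',
    'website'  => 'https://example.com',
]);
// $result['ok'] === true and $result['values']['price'] === 0.0
```

Validation filters return the value (converted to the matching PHP type) or false; sanitising filters return a cleaned string, which is why the website field is run through both.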

What are prepared statements? What benefits might prepared statements have over the standard method of querying a database?

Prepared statements are a feature that was added to MySQL in version 4.1, and PHP can use them as of version 5. The 'normal' way of generating a SQL statement is to put the entire query, SQL syntax and values together, into one long string, which is then parsed and executed by MySQL. With a prepared statement, the SQL syntax is sent to MySQL first, where it is parsed and checked (for valid syntax, that it refers to tables and columns that exist, etc.). The specific values are sent separately; MySQL combines them with the prepared query and executes it.

The benefits of prepared statements are greater security and potentially better performance. The security benefit is that they defeat "SQL injection" attacks by changing the way SQL statements are constructed from user input. Normally, form input that is used in a query is built directly into the SQL command being generated, and a clever (or devious) user could insert additional SQL that becomes part of the query. A prepared statement has a predetermined action: rogue SQL supplied as a value cannot add to what the query does, and at most has some other effect such as producing an invalid query or storing junk in the database.

What is the syntax for using prepared statements?

Prepared statements in the "mysqli" extension use question marks as placeholders in the query. For example, the query that would be built by substituting a value from the variable '$id':

$q = "SELECT first_name, last_name, email FROM users WHERE user_id=$id";

would have a question mark placed in the statement in place of the variable '$id'. The statement is then "prepared" using the function mysqli_prepare( ), the value is bound to the placeholder, and the statement is executed:

$q = "SELECT first_name, last_name, email FROM users WHERE user_id=?";
$stmt = mysqli_prepare($dbc, $q);
mysqli_stmt_bind_param($stmt, 'i', $id); // the 'i' indicates an integer type
mysqli_stmt_execute($stmt);              // the bound value is sent as data, separately from the SQL
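As an added example (not the page's or the book's code), the same lookup is written below first in the string-building style the previous answer calls 'normal' and then as a complete mysqli prepared statement, including fetching the result and closing the statement. The connection parameters are placeholders; the users table and its columns are the ones in the page's query.

```php
<?php
// Added example: the unsafe concatenated query beside its prepared-statement
// form. Connection details are placeholders.

$dbc = mysqli_connect('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if (!$dbc) {
    exit('connection failed');
}

// UNSAFE: the request value is spliced into the SQL text, so whatever the
// user typed is parsed by MySQL as part of the statement itself.
function find_user_unsafe(mysqli $dbc, string $id): ?array
{
    $q = "SELECT first_name, last_name, email FROM users WHERE user_id=$id";
    $r = mysqli_query($dbc, $q);
    return $r ? (mysqli_fetch_assoc($r) ?: null) : null;
}

// SAFE: the SQL with a ? placeholder is sent and parsed first; the value is
// bound afterwards and travels as data, so it can never alter the statement.
function find_user(mysqli $dbc, $id): ?array
{
    $stmt = mysqli_prepare($dbc,
        'SELECT first_name, last_name, email FROM users WHERE user_id=?');
    if (!$stmt) {
        return null;
    }
    $id = (int) $id;                          // typecast, then bind as 'i'
    mysqli_stmt_bind_param($stmt, 'i', $id);  // parameters are bound by reference
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $first, $last, $email);
    $row = mysqli_stmt_fetch($stmt)
        ? ['first_name' => $first, 'last_name' => $last, 'email' => $email]
        : null;
    mysqli_stmt_close($stmt);
    return $row;
}

// Usage: a non-numeric value such as "abc" becomes 0 after the cast and
// simply matches no row; nothing the user supplies reaches the SQL parser.
$user = find_user($dbc, $_GET['id'] ?? '');
```

The typecast is belt-and-braces: the 'i' type in mysqli_stmt_bind_param() already tells MySQL to treat the value as an integer, but casting first keeps the application's own expectations explicit.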