
Web Database Applications with PHP & MySQL

Brian Donovan contributes this review of Web Database Applications with PHP & MySQL, the most recent of several books geared toward helping people use the common Linux, Apache, MySQL and PHP combination to produce database-backed websites. Read on for the review.
Web Database Applications with PHP & MySQL
author Hugh E. Williams and David Lane
pages 563
publisher O'Reilly
rating 9
reviewer Brian Donovan
ISBN 0596000413
summary A comprehensive, tutorial-style roadmap for building data-driven web applications with PHP and MySQL.

PHP's speed of execution, gentle learning curve, and ease of development have contributed to its popularity, especially when teamed with MySQL, as a tool for building dynamic sites. Williams and Lane have written a thorough step-by-step guide to building web database applications with PHP and MySQL.

The Meat of the Book

Part I (Chpts 1-3) of Web Database Applications with PHP & MySQL (Web DB Apps) introduces the "Hugh and Dave's Online Wines" case study that's used to highlight the points made throughout the text and treats readers to the fundamentals of PHP, MySQL, and SQL - appropriate since the book assumes only some prior programming experience (not necessarily in PHP) and a general familiarity with HTML.

Chapters 4-9 (Part II) deal with the aspects of web application logic common to practically all data-driven sites: querying and writing to databases, maintaining state, and security. Chapter 4, "Querying Web Databases", includes a good explanation (Ex. 4-1) of the mechanics of connecting to and querying a MySQL db via PHP - numbered blocks of the example script correspond to sections in the accompanying text detailing what's happening at each point in the process (connect, query, retrieve results, process results, and close connection - unless you're using persistent db connections).

Chapter 5, "User-Driven Querying", explains how to pass data to PHP scripts using HTTP GET and POST. Although readers are initially shown parameters and parameter values being passed directly (as they are when register_globals is turned on in php.ini), the authors later explain why the same param:value pairs should instead be accessed through the global associative arrays $HTTP_GET_VARS and $HTTP_POST_VARS (the book was completed before the switch to $_GET and $_POST respectively with PHP 4.2.0) for security reasons. What the authors refer to as "combined scripts" (where the same script performs different functions depending on which, if any, variables in the GET or POST arrays, have been set, for example) are introduced and the reader is walked through the oft-used "next and previous links for query results" scenario.
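Why the request arrays matter, as an added example (not code from the book or the review): with register_globals on, any request parameter can pre-set a variable the script forgot to initialise. The directive was removed in PHP 5.4, so it is simulated here with extract(); check_login(), the page functions and the sample request are hypothetical.

```php
<?php
// Constructed request: the parameters ?user=guest&authorized=1 would deliver.
$request = ['user' => 'guest', 'authorized' => '1'];

// Hypothetical credential check shared by both versions.
function check_login(string $user): bool
{
    return $user === 'admin';
}

// Weak pattern: every request parameter becomes a variable, which is what
// register_globals = On did (simulated here with extract()).
function page_with_globals(array $request): string
{
    extract($request);                 // $user and $authorized now come from the client
    if (check_login($user ?? '')) {
        $authorized = true;
    }
    // $authorized was never initialised by the script, so the value sent by
    // the client survives and decides the outcome.
    return !empty($authorized) ? 'secret page' : 'access denied';
}

// Corrected pattern: read only the expected parameter from the request array
// and initialise every variable that drives a security decision.
function page_with_request_array(array $get): string
{
    $authorized = false;
    $user = (isset($get['user']) && is_string($get['user'])) ? $get['user'] : '';
    if (check_login($user)) {
        $authorized = true;
    }
    return $authorized ? 'secret page' : 'access denied';
}

// The same request produces different outcomes under the two patterns.
echo 'globals-style:  ', page_with_globals($request), "\n";
echo 'request array:  ', page_with_request_array($request), "\n";
```

In a real script the array passed to the second function would be $_GET or $_POST ($HTTP_GET_VARS and $HTTP_POST_VARS at the time the book was written).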

In Chapter 6, "Writing to Web Databases", in addition to inserts, updates, and deletes, the authors explain one solution to the reload problem - i.e. where reloading a results page after some operation that alters the contents of the database has been performed (or even accessing a bookmarked url if HTTP GET was used to initiate the action) can potentially result in the operation being silently repeated or, if HTTP POST was used, the user being confronted with a big ugly "would you like to repost the data?" dialog. Locking (mostly how to make the best use of table-level locking) is also discussed in all of its glory. Chapter 7 deals with the validation of user input. The authors recommend and give an example implementation of dual server and client side validation (with JavaScript). Chapter 8 covers sessions (with and without cookies).
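One widely used answer to the reload problem is to perform the write on POST and then redirect to a read-only page (Post/Redirect/Get). The sketch below is an added example, not code from the book, and the review does not say whether this is the book's solution; handle(), the /receipt.php URL and the in-memory orders list are hypothetical stand-ins.

```php
<?php
// In-memory stand-in for the orders table (constructed for this example).
$orders = [];

// Handle one request and return [status, redirect location or null, body].
function handle(string $method, array $params, array &$orders): array
{
    if ($method === 'POST') {
        // The state-changing step runs only on POST.
        $wine = isset($params['wine']) ? trim((string) $params['wine']) : '';
        if ($wine === '') {
            return [400, null, 'missing wine'];
        }
        $orders[] = $wine;
        $id = count($orders);
        // 303 See Other: the browser follows with a GET, so the page it ends
        // up on (and any reload or bookmark of it) no longer carries the write.
        // In a web script: header("Location: /receipt.php?order=$id", true, 303); exit;
        return [303, "/receipt.php?order=$id", ''];
    }

    // GET is read-only and therefore safe to repeat.
    $id = (int) ($params['order'] ?? 0);
    if (!isset($orders[$id - 1])) {
        return [404, null, 'no such order'];
    }
    return [200, null, "Order $id: " . htmlspecialchars($orders[$id - 1])];
}

// Simulated browser: submit the form, follow the redirect, then reload three times.
[$status, $location] = handle('POST', ['wine' => 'Shiraz'], $orders);
parse_str(parse_url($location, PHP_URL_QUERY), $query);
for ($i = 0; $i < 3; $i++) {
    [, , $body] = handle('GET', $query, $orders);
}

// Reloading the receipt page repeats only the read, never the insert.
printf("%d %s | %s | rows written: %d\n", $status, $location, $body, count($orders));
```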

The chapter on security (Chapter 9, "Authentication and Security") mostly concerns user authentication. HTTP Authentication, managed HTTP Authentication (using PHP to validate encoded credentials from the HTTP Authorized header field), and handling your own authentication are considered, along with the security concerns inherent in stateful web apps - i.e., third party sites maliciously tricking browsers into coughing up cookies with login or session information for your site, session hijacking by feeding random session ids to the scripts until one corresponds to an existing session, etc. SSL is explained briefly.

The third and final section of Web DB Apps (Chpts 10-13) consists of a detailed examination of the guts of the wine store case study. Readers who find the commingling of application logic and html in the snippets of the wine store application discussed in the book distasteful will be gratified to know that, since publication, the authors have released a modified version of the "Hugh and Dave's Online Wines" code that uses the Xtemplate class (http://sourceforge.net/projects/xtpl/) to separate code from markup. Both versions are available in their entirety for download from the book website.

The five appendices, in turn, cover the installation and configuration of PHP, MySQL, and Apache on a Linux system, the architecture and workings of the Internet and Web, designing relational databases using entity-relationship modeling, how to define your own session handler prototypes and store session data in a database instead of files (the default), and provide an annotated list of PHP and MySQL resources (books, web sites, etc.).

The Good and the Bad

While it's clear that Web Database Applications with PHP & MySQL was written with the goal in mind of providing novice coders with a solid foundation for continued growth (or filling the niche of "handy reference" on the shelf of intermediate/advanced developers), the book manages to be comprehensive without patronizing the reader. I admit that I wouldn't have felt cheated if the authors had skipped the obligatory coverage of the history of the Internet, TCP/IP, and HTTP (Appendix B) in favor of, for instance, a discussion of web caching with an eye towards building cache-friendly apps, an important subject that all too often gets short shrift from authors of web dev books. Also, some readers may be disappointed to find that the chapter on security doesn't relate to battening down your site against script kiddies and exploits, but that's really the sort of information that you should be getting from sites like PHP Advisory and Securiteam anyway.

For seasoned developers, this could be the book that you wish you'd had when you started out building web database apps and data-driven sites. Keeping a copy around for reference, especially if you frequently jump back and forth between projects in different languages/environments, also might be helpful - for those occasions when you need a quick refresher in PHP/MySQL dev. Moreover, if you find yourself in the position of having to mentor junior developers (or helping non-coder friends) tasked with building or maintaining PHP/MySQL-based sites or apps, then lending them your copy or recommending that they buy their own could save you quite a bit of time and frustration.

Table of Contents
  • Preface
  • Part I
    • Chapter 1. Database Applications and the Web
    • Chapter 2. PHP
    • Chapter 3. MySQL and SQL
  • Part II
    • Chapter 4. Querying Web Databases
    • Chapter 5. User-Driven Querying
    • Chapter 6. Writing to Web Databases
    • Chapter 7. Validation on the Server and Client
    • Chapter 8. Sessions
    • Chapter 9. Authentication and Security
  • Part III
    • Chapter 10. Winestore Customer Management
    • Chapter 11. The Winestore Shopping Cart
    • Chapter 12. Ordering and Shipping at the Winestore
    • Chapter 13. Related Topics
  • Appendix A. Installation Guide
  • Appendix B. Internet and Web Protocols
  • Appendix C. Modeling and Designing Relational Databases
  • Appendix D. Managing Sessions in the Database Tier
  • Appendix E. Resources
  • Index

  • by Pi Kapp 142 ( 582241 ) on Thursday June 13, 2002 @01:41PM (#3695221)
    I disagree, lots of people who are beginners would not know where to begin when trying to use PHP or MySQL. The documentation is great if you already have a basic understanding of what is going on, otherwise it is like Latin to you. Examples of what can be done let you see why certain things are set up the way they are for a given language.
  • by LetterJ ( 3524 ) <j@wynia.org> on Thursday June 13, 2002 @01:52PM (#3695311) Homepage
    Of course. Because we know that EVERY website gets 100s of simultaneous connections per second. As a matter of fact, all websites NEED 3-tier load balanced solution with an enterprise database in order to pull SELECT * FROM content WHERE id = $content_id out of that database 100 times per day.
  • by kzinti ( 9651 ) on Thursday June 13, 2002 @01:52PM (#3695312) Homepage Journal
    And I'll say it again. The best way to learn php is through the php website.

    I've said it before and I'll say it again: the best way to learn a language is by using it. Sit down at a computer with the manuals and start slinging code. You can't really learn a language by reading a book or going to a class. Real programmers learn by doing.

    If you want to supplement your programming with a book or tutorial, fine, but keep your fingers on the keyboard. If you want to run sample programs, fine, but experiment and play with them. Change them, tweak them, go off on your own tangents. Better yet: throw out the tutorial as soon as you can write "hello world" and try to write some program of your own design. Keep the language and library references handy, because you'll need to refer to them often, but let your imagination and curiosity be your guide. Explore. Play. Learn. Real programmers learn by doing.

    What I tell you three times is true.

    --Jim
  • Transactions? (Score:4, Insightful)

    by rochlin ( 248444 ) on Thursday June 13, 2002 @02:07PM (#3695433) Homepage
    Does this book include anything on transaction processing?

    Since transactions are a relatively new part of MySQL (and so, presumably new to PHP's interface to MySQL), a good part of the value of a new book on the subject of PHP/MySQL website building would relate to that new feature (which would also help with the double-entry problems mentioned in the review).

    So, does the book cover this topic or not? I can't tell from this review.

  • by dimer0 ( 461593 ) on Thursday June 13, 2002 @02:09PM (#3695455)
    That's like saying that reading the dictionary is the best way to learn to speak English.

    You need something that puts pieces together, puts things in perspective, gives you a 10,000 mile high view and drills down into certain aspects of what it's trying to cover.

    Just being devil's advocate. I learn from source code. After that, I hit websites that dive deep into the subjects (like the main php site), and finally I'll take a college course (community college, mostly) on the subject just to get it on paper that I know it.
  • by saberworks ( 267163 ) on Thursday June 13, 2002 @02:12PM (#3695465)
    The biggest problem with all the PHP books out there is that they don't talk about software design or good coding practice. They show you some syntax and some functions and leave you on your way. Most do not discuss things like database abstraction, HTML templates, or even object-oriented programming. Without thought to design considerations such as these, most PHP programs end up being hacks full of HTML code mixed with PHP code mixed with native database calls. This might be well and good for a small script on a personal site, but when you're talking about a commercial-grade application, you really need to have all this separate. You can't expect someone to learn PHP just to change the design of their web site which uses your PHP scripts.
  • by mooman ( 9434 ) on Thursday June 13, 2002 @02:21PM (#3695540) Homepage

    Better yet: throw out the tutorial as soon as you can write "hello world" and try to write some program of your own design.


    This strategy works fine if you never want to be any better than a good programmer (at least in that particular language). Learning by doing is great for getting started but leaves you a far cry from being someone that I'd want to hire.

    As someone who has been through close to a dozen different languages, I've come to realize that the syntax is one of the easier things to pick up when learning a new language. What you need guidance on is about best practices in your new language.

    It's the old "when all you have is a hammer, everything looks like a nail" dilemma. Just because using lists is a convenient data structure in, say, ColdFusion, doesn't mean it should be what you reach for first in "language X". This is especially true when making bigger leaps from compiled to scripted languages (what? Verbose comments slow things down??) and procedural to object-oriented languages. Some of the (sorry, I gotta say it) paradigm shifts are key to writing optimized code in the new language. And you'll never grasp those through trial and error.

    So while I'll agree on the point that you have to have some hands-on to master a language, I'll strenuously object to the idea that hands-on can replace a good book (or other training source).
  • by Jason Earl ( 1894 ) on Thursday June 13, 2002 @02:45PM (#3695746) Homepage Journal

    I agree wholeheartedly that it is important to learn the best practices of any given language. Syntax is easy to learn, but knowing the syntax to a programming language doesn't make you a good programmer any more than being able to write and spell makes you Shakespeare.

    That being said, the PHP manuals are an excellent piece of work. It is my opinion that they are largely responsible for the popularity of PHP. I have used web development systems that I feel are superior to PHP, but I have yet to see anything that is both as easy to use as PHP and as well documented. Between the PHP manual, the PHP mailing lists, and the vast wealth of freely available example PHP code, I just don't see the added value of a book. The manual is more than enough to teach you the syntax, the tutorial will get you started on the correct path, and lurking on the mailing list is as likely as anything to teach you to use PHP properly. If you really get stuck, chances are good that you can examine a working example from some other production quality product.

  • by Cirkit ( 584149 ) on Thursday June 13, 2002 @04:48PM (#3696788)
    I'd like to recommend the excellent openACS [openacs.org] toolkit. Not PHP and not MySQL (ick), but a mighty fine, totally open source toolkit for building communities, e-commerce, etc. PostgreSQL rocks, or if you're feeling spendy, it also supports Oracle.

    The best thing about the openACS toolkit is that you can have a functional db-backed site up in no time. No need to re-invent the wheel. :)

  • by pi_rules ( 123171 ) on Thursday June 13, 2002 @04:58PM (#3696884)
    A database abstraction layer was used which made all the difference. I used dal [sourceforge.net], which is a nice object-oriented layer that only involves changing a single line of code to change different databases.

    Personally, it sounds to me like your company's problem was bad design (not allowing for expansion) rather than php.


    Thank you! I am absolutely sick of developers blaming PHP for being bad at switching databases because they didn't build their app properly. PHP lets you get right down to the raw nitty gritty DB specific stuff -- which is nice, but you really shouldn't ever be using those UNLESS you are writing a wrapper, or really don't care about database independence. I really wish the php.net official manuals would warn new developers of this.

    The very fact that this book targets PHP and MySQL sort of ticks me off too -- why not PHP and DB wrappers? Why MySQL of all things too? It's horrid (sorry) ... for large scale sites IMHO.
  • by eddy the lip ( 20794 ) on Thursday June 13, 2002 @05:12PM (#3696980)
    The biggest problem with all the PHP books out there is that they don't talk about software design or good coding practice.

    Agreed. I recently had to jump into the PHP pool, so went searching for books on exactly this. I've been doing web development with perl for something like five years, know a couple other languages fairly well, and dabble in another few. So syntax and learning the language weren't an issue - I just wanted to know what the best way to use this tool was.

    After spending the better part of a day researching and perusing PHP books I settled on that New Riders title, Advanced Web Development with PHP or something (don't have the book handy, I probably got the title wrong). It was written by a couple of core developers, had some stuff on the back on developing PHP itself, and a sample application or two.

    Unfortunately, the book really lacked focus. No best practices were extrapolated from the example code, and only the vaguest nods toward larger architectural issues were given. It wasn't entirely useless, and it did smooth out one or two learning bumps, but it wasn't worth the cover price.

    This seems to be a common unfilled niche, at least in web-related development books - titles aimed at the experienced developer who wants to get up to speed on a new tool fast, with a minimum of "this is what a TCP/IP stack is" or "here's how you use a for loop". I don't know, maybe it's because it's harder to write a good book dealing with larger, real world issues, than it is to just reprint the function reference.

  • by ceejayoz ( 567949 ) <cj@ceejayoz.com> on Thursday June 13, 2002 @05:43PM (#3697188) Homepage Journal
    Correct me if I'm wrong, but isn't an e-commerce application usually a "web database application"? Have you managed to make an e-commerce site that doesn't use a database?

    The techniques learned from making an e-commerce site can be applied to just about any database-based site.
