Month: April 2020

Picture Uploads in PHP MVC Applications

Post author By Michel
Post date April 27, 2020
No Comments on Picture Uploads in PHP MVC Applications

Basic picture file uploads are handled on the client-side by a form and on the server-side by a script moving a cached temporary file to a permanent location while recording the appropriate path information to database. In this post, we will elaborate on each of these portions.

The HTML Form

For forms to upload files correctly, 2 requirements must be met: a named file input must be included in the form and the encoding type must be appropriately. We show below an example proper form:

<form action='' method='post' enctype='multipart/form-data'>

```
  <div class='form-group'>
```
```
    <label>Picture:
```

      <input type='file' name='newPicture' class='form-control' />

```
    </label>
```
```
  </div>
```
```
  <div class='form-group'>
```
```
    <label>Description:
```

      <textarea name='description' class='form-control'></textarea>

```
    </label>
```
```
  </div>
```

  <input type='submit' name='action' value='Add picture' class='btn btn-primary' />

  <a href='/product/index' class='btn btn-secondary'>Cancel</a>

```
</form>
```

First, we see on line 1 that the enctype attribute for the form is set to multipart/form-data. This encodes the submitted form data with different parts for different data, much like an email with attachments included. If the form enctype attribute to this value, the file is simply not received by the server application.

Second, we see on line 4 an input with the type attribute set to the value file. This input also has the attribute name set to newPicture so that we may refer to it by this name in the server script.

The submit URL for this form will be the same as its calling URL.

The PHP Script

Now, a server-side script must receive the form data, check the data and save the file as appropriate:

public function addPicture($product_id){

```
  if(isset($_FILES['newPicture']) 
```

    && $_FILES['newPicture']['error'] == UPLOAD_ERR_OK){

    $info = getimagesize($_FILES['newPicture']['tmp_name']);

    $allowedTypes = [IMAGETYPE_JPEG=>'.jpg',

                     IMAGETYPE_PNG=>'.png',

                     IMAGETYPE_GIF=>'.gif'];//accept jpg, png, gif

```
    if($info === false){ // no go
```

      $this->view('product/addPicture', ['error'=>'Bad file format']);

    }else if(!array_key_exists($info[2], $allowedTypes)){ // no go

      $this->view('product/addPicture',

        ['error'=>'Not an accepted file type']);

```
    }else{
```

      //save the picture in the images folder

      $path = getcwd().DIRECTORY_SEPARATOR.'images'.DIRECTORY_SEPARATOR;

      $filename = uniqid().$allowedTypes[$info[2]];

      move_uploaded_file($_FILES['newPicture']['tmp_name'], $path.$filename);

```
 
```

      $newPicture = $this->model('Picture');

      $newPicture->product_id = $product_id;

      $newPicture->filename = $filename;

      $newPicture->description = $_POST['description'];

```
      $newPicture->create();
```

      header('location:/product/index');

```
    }
```
```
  }else{
```
```
    $this->view('product/addPicture');
```
```
  }
```
```
}
```

This method is meant to accept files associated to products in a product catalog. Therefore, on line 1, we need to pass in the product_id foreign key value for the picture record to refer to the appropriate product record.

On lines 2 and 3, we verify that the picture is indeed sent (line 2) to the receiving script without any error (line 3). If not, the script branches to line 27 and presents the submission form.

On lines 4 and 8, we extract image file information (line 4) that will allow us to validate (on line 8) that the received file is indeed an image. If not, an error message is sent to the user on line 9.

At line 10, the image information (from line 4) is used again against an image type whitelist (produced on lines 5-7). If the file is not of the proper type, an error message is sent to the user, on lines 11-12.

Finally, if all checks are good, the script continues on to lines 15-24. Lines 15, 16, 17 handle saving the file to the filesystem as follows:

Define the saving path in the OS, based on the current working directory. The file will be saved in the images folder under the server document root.
Define the file name to a random string with the extension from the whitelist defined on lines 5-7.
Move (save) the file from its temporary location to the images folder.

Lines 19-24 record the data as follows:

Get an instance of the Picture class.
Populate the product_id foreign key from the method parameter.
Populate the filename, since other computers don’t have access to the full path structure. We will use this filename later to display these pictures.
Populate the description from the form data.
Invoke Picture::create() to save the Picture record to the database.
Redirect the client side to the Product index.

Viewing the Pictures

In such an application, we simply call up all the pictures in a product detail user story with a controller method as follows:

```
public function detail($product_id){
```

  $theProduct = $this->model('Product')->find($product_id);

  $thePictures = $this->model('Picture')->getForProduct($product_id);

```
  $theProduct->pictures = $thePictures;
```

  $this->view('product/detail', $theProduct);

```
}
```

By setting the pictures to be part of the product, we are able to pass all the data as a single object to then output the picture URLs as in the following view code:

```
<?php
```
```
foreach($data->pictures as $picture){
```

  echo "<img src='/images/$picture->filename' style='max-width:100px;' />";

  echo "<a href='/product/deletePicture/$picture->picture_id' class='btn btn-danger'>Delete picture</a>";

```
}
```
```
?>
```

On line 3, we output an image element that will refer to the faved file in the images folder under the Web server document root. On line 4, we also include a delete link.

Deleting the Picture

Mistakes happen and things change, so it makes sense to be able to delete pictures from our Web application. The hyperlink form the above view calls the deletePicture method from our product controller, defined as follows:

public function deletePicture($picture_id){

  $thePicture = $this->model('Picture')->find($picture_id);

  unlink(getcwd().DIRECTORY_SEPARATOR.'images'.DIRECTORY_SEPARATOR.$thePicture->filename);

```
  $thePicture->delete();
```

  header('location:/product/detail/'.$thePicture->product_id);

```
}
```

The process is simply to find the Picture record using its primary key value, delete the associated file with the unlink instruction, and delete the picture record before redirecting back the appropriate page (here we go back to the product details.

The Picture Model and Database

To support all these operations, we need a Picture model similar to the following:

```
 
```
```
class Picture extends Model{
```
```
  var $product_id;
```
```
  var $filename;
```
```
  var $description;
```
```
 
```

  public function getForProduct($product_id){

    $SQL = 'SELECT * FROM Picture where product_id = :product_id';

    $stmt = self::$_connection->prepare($SQL);

    $stmt->execute(['product_id'=>$product_id]);

    $stmt->setFetchMode(PDO::FETCH_CLASS, 'Picture');

```
    return $stmt->fetchAll();
```
```
  }
```
```
 
```
```
  public function create(){
```

    $SQL = 'INSERT INTO Picture(product_id,filename,description) VALUE(:product_id,:filename,:description)';

    $stmt = self::$_connection->prepare($SQL);

    $stmt->execute(['product_id'=>$this->product_id,'filename'=>$this->filename,'description'=>$this->description]);

```
    return $stmt->rowCount();
```
```
  }
```
```
 
```
```
  public function find($picture_id){
```

    $SQL = 'SELECT * FROM Picture WHERE picture_id = :picture_id';

    $stmt = self::$_connection->prepare($SQL);

    $stmt->execute(['picture_id'=>$picture_id]);

    $stmt->setFetchMode(PDO::FETCH_CLASS, 'Picture');

```
    return $stmt->fetch();
```
```
  }
```
```
 
```
```
  public function update(){
```

    $SQL = 'UPDATE Picture SET filename = :filename,description = :description WHERE picture_id = :picture_id';

    $stmt = self::$_connection->prepare($SQL);

    $stmt->execute(['filename'=>$this->filename,'description'=>$this->description,'picture_id'=>$this->picture_id]);

```
    return $stmt->rowCount();
```
```
  }
```
```
 
```
```
  public function delete(){
```

    $SQL = 'DELETE FROM Picture WHERE picture_id = :picture_id';

    $stmt = self::$_connection->prepare($SQL);

    $stmt->execute(['picture_id'=>$this->picture_id]);

```
    return $stmt->rowCount();
```
```
  }
```
```
}
```

This model performs operations on a Picture table with the following fields:

picture_id: the automatically incremented integer primary key
product_id: the foreign key to the product table
filename: a string type to hold the short filename
description: a text type field to hold long descriptions.

Conclusion

These general guidelines are also applicable to records that are child records of a master-detail relationship. You could change the upload types by modifying the upload whitelist and replacing getimagesize with other validation mechanisms.

MVC PHP

Filtering Access to Controller Classes and Methods (before PHP 8)

Post author By Michel
Post date April 16, 2020
2 Comments on Filtering Access to Controller Classes and Methods (before PHP 8)

A feature of good routing is the possibility to enforce policies that get specified for Controller classes and methods. For this purpose, frameworks such as ASP.NET use annotations on classes and methods. We wish to replicate this in PHP, but PHP does not support annotations.

phpDoc Comments

phpDoc comments are the official means to document class and function API in PHP. These comments are delimited by /** and */ character sequences (note the opening tag has 2* characters. The usual contents should include method parameters, return values, summaries, etc. We aim to add our own annotation to this phpDoc which we will in turn use to filter user access.

Consider a simple controller class with phpDoc comments as below:

```
<?php
```
```
/**
```

HomeController will handle operations related to Item entities.

```
@accessFilter{LoginFilter}
```
```
*/
```

class HomeController extends Controller{

```
/**
```
```
Provide a listing of the Item entities
```
```
*/
```
```
  public function index(){
```
```
    //...
```
```
  }
```
```
 
```
```
  public function create(){
```
```
    //...
```
```
  }
```
```
/** 
```
```
@accessFilter{itemOwner}
```
```
*/
```
```
  public function detail($item_id){
```
```
    //...
```
```
  }
```
```
/**
```
```
@accessFilter{itemOwner}
```
```
*/
```
```
  public function edit($item_id){
```
```
    //...
```
```
  }
```
```
/**
```
```
@accessFilter{itemOwner}
```
```
*/
```
```
  public function delete($item_id){
```
```
    //...
```
```
  }
```
```
}
```
```
?>
```

In the above, we wish to apply the LoginFilter access policy to the entire class and the itemOwner policy only to Detail, Edit, and Delete methods.

ReflectionClass

For our purposes, phpDoc comments would serve no purpose without the means to efficiently extract them programatically. For this purpose, we use the ReflectionClass class, which provides an interface to all information about a selected class and its methods. Below, we extract the phpDoc comments of the class and each one of the methods:

```
<?php
```

$reflection = new ReflectionClass('HomeController');

$classDoc = $reflection->getDocComment();

$indexComment = $reflection->getMethod('index')->getDocComment();

$createComment = $reflection->getMethod('create')->getDocComment();

$detailComment = $reflection->getMethod('detail')->getDocComment();

$editComment = $reflection->getMethod('edit')->getDocComment();

$deleteComment = $reflection->getMethod('delete')->getDocComment();

```
?>
```

More specifically for our purposes, we need to extract the phpDoc comments for the specific controller and method resolved in the routing algorithm. (If you have been reading this site, I place this functionality in the App class constructor.)

Below is an example of how, given a class, method, and parameters, we should extract, parse, and resolve the filters.

private static function redirectFilters($class,$method, $params){

  $reflection = new ReflectionClass($class);

```
 
```

  $classDocComment = $reflection-&gt;getDocComment();

  $methodDocComment = $reflection-&gt;getMethod($method)-&gt;getDocComment();

```
 
```
```
  //parse and extract the filters
```

  $classFilters = self::getFiltersFromAnnotations($classDocComment);

  $methodFilters = self::getFiltersFromAnnotations($methodDocComment);

```
 
```

  $filters = array_values(array_filter(array_merge($classFilters,$methodFilters)));

```
 
```

  $redirect = self::runFilters($filters, $params);

```
  return $redirect;
```
```
}
```

First, we initialize the ReflectionClass instance for this controller class and then extract the phpDoc comments for the class and method at hand. Then, we parse the phpDoc comment to retrieve any filter annotations and assemble these from the class and method in a single array. Then we run the filters and return the first redirection URL obtained, false otherwise. So the right time to call this method is right before calling the method on the controller class, as follows:

if($redirectUrl = self::redirectFilters($this-&gt;controller, $this-&gt;method, $this-&gt;params)){

```
  header("location:$redirectUrl");
```
```
  return;
```
```
}
```
```
 
```

call_user_func_array([$this-&gt;controller, $this-&gt;method], $this-&gt;params);

For any of this to work, of course, we must actually parse the phpDoc comments to extract the filter information, run the filters, and especially have filters to run in our code.

Parsing the phpDoc Comment

We must extract information from the phpDoc comments which resemble the following:

/**
Summary.
@accessFilter{filter1,filter2, filter3}
*/

For this purpose, we propose a method as follows:

private static function getFiltersFromAnnotations($docComment){

  preg_match('/@accessFilter:{(?<content>.+)}/i', $docComment, $content);

  $content = (isset($content['content'])?$content['content']:'');

  $content = explode(',',str_replace(' ', '', $content));

```
  return $content;//this is an array
```
```
}
```

On line 2, we extract all the accessFilter contents as elements in the $content array, with the key ‘content‘.

On line 3, we set $content to the value associated to the ‘content‘ key in $content, if any, or an empty string otherwise.

On line 4, we convert the string to an array of strings, one element per filter, without space characters.

Running the Filters

First and foremost, we must have filters to run. It is proposed to group these either in your routing class or a separate Filter class, as follows:

```
<?php
```
```
<?php
```
```
class Filter extends Controller{
```

  public static function itemOwner($params){

    $theItem = self::model('Item')->find($params[0]);

    if($theItem->user_id != $_SESSION['user_id']){

```
      return '/home/index';
```
```
    }else{
```
```
      return false;
```
```
    }
```
```
  }
```

  public static function LoginFilter($params){

```
    if($_SESSION['user_id'] == null){
```
```
      return '/login/index';
```
```
    }else{
```
```
      return false;
```
```
    }		
```
```
  }
```
```
}
```
```
?>
```

Each of the above methods will check conditions based on the session variables, parameters, or core functionality. For example, LoginFilter verifies if a user is logged in and returns a redirection URL otherwise, or false if the user need not be redirected. The function itemOwner compares the user id of the user logged in with the user id in the record to verify if the current user is not attempting to modify someone else’s data.

The strategy to run the filters is to run them one by one until a redirection is determined or all have been run. We then return the redirection to the calling method which will send it to the routing algorithm.

private static function runfilters($filters,$params){

```
  $redirect = false;
```
```
  $max = count($filters);
```
```
  $i = 0;
```
```
  while(!$redirect && $i < $max){
```

    if(method_exists('Filter', $filters[$i])){

      $redirect = Filter::{$filters[$i]}($params);

```
    }else{
```

      throw new Exception("No policy named $filters[$i]");

```
    }
```
```
    $i++;
```
```
  }
```
```
  return $redirect;
```
```
}
```

Conclusion

All the pieces are in place. We can now implement redirection policies and apply them to classes and methods with a simple phpDoc comment. Note that there should only be ONE phpDoc comment per class and per method, which integrates all relevant annotations, including ours: @accessFilter. Otherwise, the ReflectionClass method getDocComment will only be able to return the one before and closest to the class or method declaration.

HTML

Improving your Views

So far, we have user very minimalistic views to prove that our application works. However, if we ever want to roll out a product that will be used by anyone, it has to provide a feeling of being well-built. And if it looks bad, it does not feel well-built.

Let’s start using Bootstrap to make our views look better.

Using Bootstrap

We will start by proposing a base template for views. When you create a new view, it should automatically contain this material in order to provide the wanted look and feel:

```
<!doctype html>
```
```
<html lang="en">
```
```
  <head>
```
```
    
```
```
    <meta charset="utf-8">
```

    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

```
 
```
```
    
```

    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css" integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">

```
 
```
```
    <title>TITLE</title>
```
```
  </head>
```
```
  <body>
```
```
    <div class='container'>
```
```
      <h1>HEADING</h1>
```
```
 
```
```
      
```

      <!-- jQuery first, then Popper.js, then Bootstrap JS -->

      <script src="https://code.jquery.com/jquery-3.4.1.slim.min.js" integrity="sha384-J6qa4849blE2+poT4WnyKhv5vZF5SrPo0iEjwBvKU7imGFAV0wwj1yYfoRSJoZ+n" crossorigin="anonymous"></script>

      <script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.0/dist/umd/popper.min.js" integrity="sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo" crossorigin="anonymous"></script>

      <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js" integrity="sha384-wfSDF2E50Y2D1uUdj0O3uMBJnjuUD4Ih7YwaYd1iqfktj0Uod8GCExl3Og8ifwB6" crossorigin="anonymous"></script>

```
    </div>
```
```
  </body>
```
```
</html>
```

Buttons, submit inputs and hyperlinks

All we need to do now in integrate the proper classes on the proper elements to make them look better. The first category is that of buttons (see https://getbootstrap.com/docs/4.0/components/buttons/):

<button type="button" class="btn btn-primary">Primary</button>

<button type="button" class="btn btn-secondary">Secondary</button>

<button type="button" class="btn btn-success">Success</button>

<button type="button" class="btn btn-danger">Danger</button>

<button type="button" class="btn btn-warning">Warning</button>

<button type="button" class="btn btn-info">Info</button>

<button type="button" class="btn btn-light">Light</button>

<button type="button" class="btn btn-dark">Dark</button>

```
 
```

<button type="button" class="btn btn-link">Link</button>

The class='btn btn-BUTTONTYPE' attribute definition is what will give the button appearance to any submit input, button, or hyperlink that you want. Therefore, the following all have a button appearance:

<a href="CSTutoring.ca" class="btn btn-primary">CSTutoring.ca</a>

<button type="button" class="btn btn-secondary">Secondary</button>

<input type="submit" class="btn btn-success" value="Submit" />

Form Inputs

For forms to look adequate for a serious application, there are few modifications to make (see https://getbootstrap.com/docs/4.0/components/forms/):

```
<div class="form-group">
```

    <label for="exampleInputEmail1">Email address</label>

    <input type="email" class="form-control" id="exampleInputEmail1" aria-describedby="emailHelp" placeholder="Enter email">

    <small id="emailHelp" class="form-text text-muted">We'll never share your email with anyone else.</small>

```
  </div>
```

Two changes are essential: 1) apply class="form-group" to a div element containing the label and input elements and 2) apply class="form-control" to the input elements (except type submit that you will format as a button, as above).

Tables

Bootstrap can really help with the appearance of tables (see https://getbootstrap.com/docs/4.4/content/tables/). My preferred type is the striped table as below:

```
<table class="table table-striped">
```
```
...
```
```
</table>
```

Custom CSS and JS

In the PHP MVC application structure proposed and used in this series of posts, it is possible to use custom CSS and JS, referred through script and link elements of your views. You can simply create css and js folders under the Web server document root. The current .htaccess configuration is made to allow access to all the contained resources.

htdocs: contains index.php and the folders below
- app: contains all models, views and controllers as well as core files.
- css: add your custom CSS
- js: add your custom JavaScript

Conclusion

For data-centric applications, it doesn’t take that much to make the application look acceptable. If anything, at least take the time to apply a Bootstrap theme on your application.

Tags Bootstrap, Controller, Model, MVC, View

PHP

Arrays, Functions, Parameters and Return Values

Post author By Michel
Post date April 6, 2020
No Comments on Arrays, Functions, Parameters and Return Values

Objectives

To learn to use several PHP functions useful for Web application development.

To learn to write and use your own functions – a prelude to writing your own classes.

Using Some Basic PHP Functions

We examine several other useful functions including some basic numeric PHP functions, e.g.,

abs() Function

The absolute value function takes a single numerical argument and returns its absolute value. For example,

```
$x=abs(- 5);
```
```
$y=abs(42);
```
```
 
```
```
print "x=$x y=$y";
```

Will output x=5 y=42

sqrt()

The square root function takes a single numerical argument and returns its square root. For example,

```
$x= sqrt(25);
```
```
$y= sqrt(24);
```
```
 
```
```
print "x=$x y=$y";
```

Will output x=5 y=4.898979485566

round()

The round function with 1 numerical argument returns the number rounded to the nearest integer. E.g.,

```
$x=round( - 5.456);
```
```
$y=round(3.7342);
```
```
print "x=$x y=$y";
```

Will output x=-5 y=4

A 2nd argument can define the number of digits after the decimal point to round to. E.g.,

```
$x=round( - 5.456,2);
```
```
$y=round(3.7342,3);
```
```
print "x=$x y=$y";
```

would output x=-5.46 y=3.734

is_numeric()

is_numeric () is useful for determining whether a variable contains a valid number or a numeric string. It returns true in this case and false otherwise, e.g.,

```
if (is_numeric($input)) {
```
```
  print "Valid number:$input";
```
```
} else {
```
```
  print "Not a valid number:$input";
```
```
}
```

If $input == "6", the output would be Valid number:6

If $input == "Happy" the output would be Not a valid number:Happy

Testing for data types

The following functions test for different data types and return true if the variable contains data of the specified type.

is_ array(…),
is_ bool(…),
is_ callable(…),
is_ double(…),
is_ float(…),
is_ int(…),
is_ integer(…),
is_ long(…),
is_ null(…),
is_ object(…),
is_ real(…),
is_ resource(…),
is_ scalar(…),
is_ string(…).

The function string gettype(…) can be used to return the data type as a string.

rand() and srand()

The function rand() returns (pseudo)random numbers. The function srand() is used to seed the random function. Using a different seed each time the random number generator is used the first time in a program is a good way of getting a different sequence of random numbers for each program run. If the same seed is used for each run if the program, then the same sequence of numbers will be output by the random number generator, hence the term pseudo-random number generator.

Use srand() and microtime() to seed rand() and ensure it returns a random number, for example,

srand ((double) microtime () * 10000000);

```
$dice = rand(1, 6);
```
```
print "Your random dice toss is $dice";
```

The random number generated in this case can be a 1, 2, 3, 4, 5, or 6.

print, echo, and quotation marks

You don’t need to use parentheses with print(), much like echo.

Double quotes are used to delimit strings that will be parsed for variables to substitute. Therefore,

```
$x = 10;
```
```
print ("Mom, please send $x dollars.");
```

will output Mom, please send 10 dollars.

Single quotes delimit string literals that will not be parsed. Therefore,

```
$x = 10;
```
```
print ('Mom, please send $x dollars.');
```

will output Mom, please send $x dollars.

You also need double quotation marks to generate special escaped characters like \n, \r, etc.

$str = "Hi, Mom! \n"; //has an end of line

$str2 = 'Hi, Mom! \n'; //has the characters \n

echo nl2br($str); //will output an HTML <br> at the end of the string

echo nl2br($str2); //will not output an HTML <br>

The nl2br function converts newline characters to the HTML <br> element. In the case on line 4, it does not output this element, because $str2 does not contain a newline character.

Generating HTML elements

Using single or double quotation statements can be useful when generating HTML tags print ‘<font color=”blue”>’;

This above is easier to understand and actually runs slightly faster than using all double quotation marks and the backslash ( \ ) character : print “<font color= \”blue \”>”;

Function syntax

Use the following syntax to write functions. Include parentheses at the end of the function name to hold the parameter list.

```
function_name () {
```
```
  …
```
```
}
```

The following function takes 2 arguments:

```
function OutputTableRow($c1, $c2) {
```

  print "<tr><td>$c1</td><td>$c2</td></tr>";

```
}
```

Consider the following code …

```
<html>
```
```
<head>
```
```
  <title> Simple Table Function</title>
```
```
</head>
```
```
<body>
```
```
  <font color="blue" size=4>
```
```
  <table border=1>
```
```
  <?php
```

    function OutputTableRow( $col1, $col2 ) {

      print "<tr><td>$col1</td><td>$col2</td></tr>";

```
    }
```
```
    for ( $i=1; $i<=4; $i++ ) {
```
```
      $message1="Row $i Col 2";
```
```
      $message2="Row $i Col 2";
```

      OutputTableRow($message1, $message2);

```
    }
```
```
  ?>
```
```
  </table>
```
```
</body>
```
```
</html>
```

Returning Values

Your functions can return data to the calling script. Your functions can return the results of a computation, the status of a process, etc. You can use the PHP return statement to return a value to the calling script statement:

```
return $result;
```

This variable’s value will be returned to the calling script. For example

```
function getMax ( $num1, $num2 ) {
```

  // PURPOSE: returns largest of 2 numbers

  // ARGUMENTS: $num1 - 1st number, $num2 - 2nd number

  return ($num1 &gt; $num2?$num1:$num2);

```
}
```

Using External Script Files

Sometime you will want to use scripts from external files, functions and classes from libraries. PHP supports 4 related functions:

```
require("header.php");
```
```
include("trailer.php");
```
```
require_once("header.php");
```
```
include_once("trailer.php");
```

The require() function produces a fatal error if it can’t insert the specified file. The include() function produces a warning if it can’t insert the file. Ensure inclusion/requiring is done only once by using the require_once or include_once respectively instead.

These search for the file named within the string parameter and insert its PHP, HTML, or JavaScript code into the current file.

For example, might use the following as footer.php.

<hr><p>123 Elm, Montreal, Qc, H0H0H0 - 514-555-5555</p>

Can include using: <?php include("footer.php"); ?>

Sequential Arrays

Use the array() function or [] to create an array.

$students = array('Johnson', 'Jones', 'Jackson', 'Jefferson');

```
$grades = [66, 75, 85, 80];
```

Another way to create an array You can also create an array by making individual value assignments into the array variable name. E.g.,

```
$students[] = 'Johnson';
```
```
$students[] = 'Jones';
```
```
$students[] = 'Jackson';
```
```
$students[] = 'Jefferson';
```

To reference individual array items, use an array name and index pair.

```
$sports[0] = 'baseball';
```

$names = array('Alice', 'Bob', 'Carol', 'Dennis');

echo "$names[0], $names[1], $names[2], $names[3]";

By default sequential arrays start with index 0, e.g., the fourth element has index 3. Avoid referencing an item past the end of your array (for example, using $names[20] in an array that contains only four items).

Array indices can be whole numbers or a variable.

```
$i =3;
```

$classes = array('Math', 'History', 'Science', 'Pottery');

```
$oneclass = $classes[$i - 1];
```

print "$classes[$i] $oneclass $classes[1] $classes[0]";

This code outputs Pottery Science History Math

Changing arrays values: You can change values in an array as follows:

```
$scores = array(75, 65, 85, 90);
```
```
$scores[3] = 95;
```

$average = ($scores[0] + $scores[1] + $scores[2] + $scores[3]) / 4;

```
print "average=$average";
```

The output of the above PHP segment is average=80.

Explicitly-Set Indices

Below, we assign the value of 65 to the item with index 2, 85 to index 1.

$scores = array(1=&gt;75, 2=&gt;65, 3=&gt;85);

```
$scores[] = 100;
```

print "$scores[1] $scores[2] $scores[3] $scores[4]";

Assign the value of 85 to the item with index 3. Add item with value 100 to the end of the array. The above outputs 75 65 85 100.

Loops and Sequential Arrays

Looping statements can be used to iterate through arrays

$courses = array ('Perl', 'PHP', ' C','Java ', 'Pascal', 'Cobol', 'Visual Basic');

for ($i=0; $i < count($courses); $i++) {

```
  echo "$courses[$i] ";
```
```
}
```

The above repeats 7 times, with $i equal to 0, 1, 2, 3, 4, 5, and 6. The above outputs: Perl PHP C Java Pascal Cobol Visual Basic .

The foreach loop

PHP supports the foreach statement as another way to iterate through arrays.

$courses = array('Perl', 'PHP', 'C', ' Java','Pascal ', 'Cobol', 'Visual Basic');

```
foreach ($courses as $item){
```
```
  print ("$item ");
```
```
}
```

The above outputs Perl PHP C Java Pascal Cobol Visual Basic .

Sorting data

For example the following code segment outputs
1 11 55 91 99 119 911 .

$courses = array (91, 55, 11, 1, 99, 911, 119);

```
sort($courses);
```
```
foreach ($courses as $item) {
```
```
  print "$item ";
```
```
}
```

Arrays and User Input

Consider an example script that enables end-user to select multiple items from a checklist. Suppose the form inputs are generated as follows:

```
<form action='' method='post'>
```
```
<?php
```

$topics = ['animals', 'cars', 'cooking', 'furniture'];

```
foreach($topics as $topic){
```

  echo "<input type='checkbox' name='pref[]' value='$topic' />$topic";

```
}
```
```
?>
```
```
...
```
```
</form>
```

Suppose you are receiving the previous form as follows:

```
$pref = $_POST["prefer"];
```

If the user selected the second and fourth checkbox items on the previous form, then $pref[] would be an array of two items:

$pref[0], would have a value of cars, and
$pref[1] would have a value of furniture.

Adding and Deleting Items

array_shift() removes an item from the beginning of an array.
array_pop() removes an item from the end of an array.
array_unshift() adds an item to the beginning of an array.
array_push() adds an item to the end of an array.

Useful Array Functions

Use max() and min() to find the largest and smallest number in an array.

$grades = array (99, 100, 55, 91, 65, 22, 16);

```
$big=max($grades);
```
```
$small=min($grades);
```
```
print "max=$big min=$small";
```

The above would output: max=100 min=16.

Use array_sum () to return a sum of all numerical values. For example,

```
$grades = array (25, 100, 50, 'N/A');
```
```
$total= array_sum ($grades);
```
```
print "Total=$total";
```

The above would output: Total=175

PHP will try to convert character to numerical values when it can. For example,

$grades = array ('2 nights', '3days', 50, '1 more day');

```
$total=array_sum($grades);
```
```
print "total=$total";
```

Instead of generating an error message, this code outputs total=56.

Associative Arrays

PHP also supports arrays with string – value indices called associative arrays. For example, the following code creates an associative array with three items.

```
$instructor['Science'] = 'Smith';
```
```
$instructor['Math'] = 'Jones';
```
```
$instructor['English'] = 'Jackson';
```

Use the array() function or [] along with the => operator to create an associative array, e.g.,

$months = array( 'Jan'=&gt;31, 'Feb'=&gt;28, 'Mar'=&gt;31, 'Apr'=&gt;30, 'May'=&gt;31, 'Jun'=&gt;30, 'Jul'=&gt;31, 'Aug'=&gt;31, 'Sep'=&gt;30, 'Oct'=&gt;31, 'Nov'=&gt;30, 'Dec'=&gt;31 );

Use syntax similar to sequential arrays to access items: Enclose the index in square brackets.

```
$days = $months['Mar'];
```

Note that you can’t fetch indices by using data values, as in the following example:

```
$mon = $months[28]; //no can do
```

This syntax is incorrect because associative arrays can fetch data values only by using indices (not the other way around). This is the case for all arrays…

Multidimensional lists

Some data is best represented using a list of list or a multidimensional list, e.g.,

```
$inventory=array (
```

  'AC1000'=&gt;array('Part'=&gt;'Hammer', 'Count'=&gt;122, 'Price'=&gt;12.50),

  'AC1001'=&gt;array('Part'=&gt;'Wrench', 'Count'=&gt;5, 'Price'=&gt;5.00),

  'AC1002'=&gt;array('Part'=&gt;'Hand Saw', 'Count'=&gt;10, 'Price'=&gt;10.00),

  'AC1003'=&gt;array('Part'=&gt;'Screw Driver', 'Count'=&gt;222, 'Price'=&gt;3.00)

```
);
```

$inventory[‘AC1000’][‘Part’] has the value Hammer, $inventory[‘AC1001’][‘Count’] has the value 5, and $inventory[‘AC1002’][‘Price’] has the value 10.00.

MVC PHP

Intro to PDO

PDO – PHP Data Objects – is a database access layer providing a uniform method of access to multiple database management systems. PDO does not account for database-specific syntax, but can allow for the process of switching databases and platforms to be fairly painless, simply by switching a connection string.

Database Support

The extension can support any database for which a PDO driver has been written. To find out which drivers you have, run the following command:

```
print_r(PDO::getAvailableDrivers());
```

Connecting

Different databases may have slightly different connection methods. Below, the method to connect to MySQL databases is shown:

```
$host = 'localhost';
```
```
$dbname = 'application';
```
```
$user = 'app_account';
```
```
$pass = 'app_account_pass';
```
```
try {   # MySQL with PDO_MYSQL
```

  $DBH = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);

```
}
```
```
catch(PDOException $e) {
```
```
    echo $e->getMessage();
```
```
}
```

Take note of the try/catch block – you should always wrap your PDO operations in a try/catch, and use the exception mechanism. $DBH stands for ‘database handle’.

You can close any connection by setting the handle to null.

```
# close the connection
```
```
$DBH = null;
```

You can get more information on database-specific options and/or connection strings for other databases from PHP.net.

Exceptions and PDO

PDO can use exceptions to handle errors, which means anything you do with PDO should be wrapped in a try/catch block. You can force PDO into one of three error modes by setting the error mode attribute on your newly created database handle. Here’s the syntax:

$DBH->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT );

$DBH->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING );

$DBH->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );

No matter what error mode you set, an error connecting will always produce an exception, and creating a connection should always be contained in a try/catch block.

PDO::ERRMODE_SILENT

This is the default error mode. If you leave it in this mode, you’ll have to check for errors in the way you’re probably used to if you used the mysql or mysqli extensions. The other two methods are more ideal for DRY programming.

PDO::ERRMODE_WARNING

This mode will issue a standard PHP warning, and allow the program to continue execution. It’s useful for debugging.

PDO::ERRMODE_EXCEPTION

This is the mode you should want in most situations. It fires an exception, allowing you to handle errors gracefully and hide data that might help someone exploit your system. Here’s an example of taking advantage of exceptions:

```
# connect to the database
```
```
try {
```

  $DBH = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);

  $DBH->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );

  $DBH->prepare('DELECT name FROM people');

```
  # Typed DELECT instead of SELECT!
```
```
}
```
```
catch(PDOException $e) {
```
```
  echo "Error!";
```

  file_put_contents('PDOErrors.txt', $e->getMessage(), FILE_APPEND);

```
}
```

There’s an intentional error in the select statement; this will cause an exception. The exception sends the details of the error to a log file, and displays a friendly (or not so friendly) message to the user.

Insert and Update

Inserting new data, or updating existing data is one of the more common database operations. Using PDO, this is normally a two-step process. Everything covered in this section applies equally to both UPDATE and INSERT operations.

Here’s an example of the most basic type of insert:

```
# STH means "Statement Handle"
```

$sql = "INSERT INTO person(first_name) VALUES('Alice')";

```
$stmt = $DBH->prepare($sql);
```
```
$stmt->execute();
```

You could also accomplish the same operation by using the exec() method, with one less call. In most situations, you’re going to use the longer method so you can take advantage of prepared statements. Even if you’re only going to use it once, using prepared statements will help protect you from SQL injection attacks.

Prepared Statements

Using prepared statements will help protect you from SQL injection. A prepared statement is an SQL statement that can be executed multiple times just by changing the data and running the statement. It has the added advantage of automatically making the data used in the placeholders safe from SQL injection attacks, as part of the preparation. You use a prepared statement by including placeholders in your SQL. Here are three examples: one without placeholders, one with unnamed placeholders, and one with named placeholders.

# no placeholders - vulnerable to SQL Injection!

$STH = $DBH->prepare("INSERT INTO person(first_name, addr, city) VALUES($name, $addr, $city)");

```
# unnamed placeholders
```

$STH = $DBH->prepare("INSERT INTO person(first_name, addr, city) VALUES(?, ?, ?)");

```
# named placeholders
```

$STH = $DBH->prepare("INSERT INTO person(first_name, addr, city) VALUES(:name, :addr, :city)");

You want to avoid the first method; it’s here for comparison. The choice of using named or unnamed placeholders will affect how you set data for those statements.

Unnamed Placeholders

Hint: read this only to understand how trrible this technique actually is. For a better technique see the following sections.

```
# unnamed placeholders
```

$stmt = $DBH->prepare("INSERT INTO person(first_name, addr, city) VALUES(?, ?, ?)");

```
 
```

# assign variables to each place holder, indexed 1-3

```
$stmt->bindParam(1, $first_name);
```
```
$stmt->bindParam(2, $address);
```
```
$stmt->bindParam(3, $city);
```
```
 
```
```
# insert one row
```
```
$first_name = "Alice"
```
```
$address = "123 Elm";
```
```
$city = "Montreal";
```
```
$stmt->execute();
```
```
 
```

# insert another row with different values

```
$first_name = "Bob"
```
```
$address = "124 Elm";
```
```
$city = "Montreal";
```
```
$stmt->execute();
```

There are two steps here. First, we assign variables to the various placeholders (lines 2-4). Then, we assign values to those placeholders and execute the statement. To send another set of data, just change the values of those variables and execute the statement again.

Does this seem a bit unwieldy for statements with a lot of parameters? It is. However, if your data is stored in an array, there’s an easy shortcut:

```
# the data we want to insert
```

$data = ['Cathy', '125 Elm', 'Montreal'];

$stmt = $DBH->prepare("INSERT INTO person(first_name, addr, city) VALUES(?,?,?);

```
$stmt->execute($data);
```

The data in the array applies to the placeholders in order. $data[0] goes into the first placeholder, $data[1] the second, etc. However, if your array indexes are not in order, this won’t work properly, and you’ll need to re-index the array.

Named Placeholders

You could probably guess the syntax, but here’s an example:

# the first argument is the named placeholder name - notice named

# placeholders always start with a colon.

```
$stmt->bindParam(':name', $name);
```

You can use a shortcut here as well, but it works with associative arrays. Here’s an example:

```
# the data we want to insert
```

$data = ['first_name'=>'Cathy', 'address'=>'125 Elm', 'city'=>'Montreal'];

```
# the shortcut!
```

$stmt = $DBH->prepare("INSERT INTO person(first_name, address, city) value (:first_name, :address, :city)");

```
$stmt->execute($data);
```

The keys of your array do not need to start with a colon, but otherwise need to match the named placeholders. If you have an array of arrays you can iterate over them, and simply call the execute with each array of data.

Another nice feature of named placeholders is the ability to insert objects directly into your database, assuming the properties match the named fields. Here’s an example object, and how you’d perform your insert:

```
# a simple object
```
```
class person {
```
```
  public $first_name;
```
```
  public $address;
```
```
  public $city;
```
```
 
```

  function __construct($fname,$addy,$city){

```
    $this->first_name = $fname;
```
```
    $this->address = $addy;
```
```
    $this->city = $city;
```
```
  }
```
```
  # etc ...
```
```
}
```
```
 
```

$newPerson = new person('Johnny','125 Elm','Montreal');

```
# here's the fun part:
```

$stmt = $DBH->prepare("INSERT INTO person(first_name, address, city) VALUE(:first_name, :address, :city)");

```
$stmt->execute((array)$newPerson);
```

By casting the object to an array in the execute, the attribute names are mapped to keys and the values are set from each attribute.

Selecting Data

Data is obtained via the ->fetch(), a method of your statement handle. Before calling fetch, it’s best to tell PDO how you’d like the data to be fetched. You have the following options:

PDO::FETCH_ASSOC: returns an array indexed by column name
PDO::FETCH_BOTH (default): returns an array indexed by both column name and number
PDO::FETCH_BOUND: Assigns the values of your columns to the variables set with the ->bindColumn() method
PDO::FETCH_CLASS: Assigns the values of your columns to properties of the named class. It will create the properties if matching properties do not exist
PDO::FETCH_INTO: Updates an existing instance of the named class
PDO::FETCH_LAZY: Combines PDO::FETCH_BOTH/PDO::FETCH_OBJ, creating the object variable names as they are used
PDO::FETCH_NUM: returns an array indexed by column number
PDO::FETCH_OBJ: returns an anonymous object with property names that correspond to the column names

In reality, there are three which will cover most situations: FETCH_ASSOC, FETCH_CLASS, and FETCH_OBJ. In order to set the fetch method, the following syntax is used:

```
$stmt->setFetchMode(PDO::FETCH_ASSOC);
```

You can also set the fetch type directly within the ->fetch() method call.

FETCH_ASSOC

This fetch type creates an associative array, indexed by column name. This should be quite familiar to anyone who has used the mysql/mysqli extensions. Here’s an example of selecting data with this method:

# can use the query() method when no input in the statement

$tmt = $DBH->query('SELECT first_name, address, city from person');

```
# setting the fetch mode
```
```
$stmt->setFetchMode(PDO::FETCH_ASSOC);
```
```
while($rec = $stmt->fetch()) {
```
```
  echo $rec['first_name'] . "<br>";
```
```
  echo $row['address'] . "<br>";
```
```
  echo $row['city'] . "<br>";
```
```
}
```

The while loop will continue to go through the result set one row at a time until complete.

FETCH_OBJ

This fetch type creates an object of std class for each row of fetched data. Here’s an example:

```
# creating the statement
```

$stmt = $DBH->query('SELECT first_name, address, city from person');

```
# setting the fetch mode 
```
```
$stmt->setFetchMode(PDO::FETCH_OBJ);
```
```
# showing the results
```
```
while($row = $stmt->fetch()) {
```
```
  echo $row->first_name . "<br>";
```
```
  echo $row->address . "<br>";
```
```
  echo $row->city . "<br>";
```
```
}
```

FETCH_CLASS

Important note: when using this fetch mode, the properties of your object are set BEFORE the constructor is called. Therefore, you can use the constructor to modify and hide the data as required for your application.

This fetch method allows you to fetch data directly into a class of your choosing. When you use FETCH_CLASS, the properties of your object are set before the constructor is called. Read that again, it’s important. If properties matching the column names don’t exist, those properties will be created (as public) for you.

This means if your data needs any transformation after it comes out of the database, it can be done automatically by your object as each object is created.

As an example, imagine a situation where the address needs to be partially obscured for each record. We could do this by operating on that property in the constructor. Here’s an example:

```
class obscure_person {
```
```
  public $first_name;
```
```
  public $address;
```
```
  public $city;
```
```
  public $notes;
```
```
  function __construct($notes = ''){
```

    $this->address = preg_replace('/[a-z0-9]/i', '*', $this->address);

```
    $this->notes = $notes;
```
```
  }
```
```
}
```

As data is fetched into this class, the address has all its lowercase a-z letters and digits 0-9 replaced by the character *. Now, using the class and having that data transformation occur is completely transparent:

$stmt = $DBH->query('SELECT first_name, address, city from person');

$stmt->setFetchMode(PDO::FETCH_CLASS, 'obscure_person');

```
while($obj = $STH->fetch()) {
```

  echo "Obscure $obj->first_name lives at $obj->address";

```
}
```

If the address was ‘123 Elm,’ you’d see ‘*** ***’ as your output. Of course, there may be situations where you want the constructor called before the data is assigned. PDO can also accommodate this by adding PDO::FETCH_PROPS_LATE as follows:

$stmt->setFetchMode(PDO::FETCH_CLASS | PDO::FETCH_PROPS_LATE, 'obscure_person');

Now, when you repeat the previous example with this fetch mode the address will NOT be obscured, since the constructor was called before the properties were assigned.

Finally, if you really must, you can pass arguments to the constructor when fetching data into objects with PDO:

$stmt->setFetchMode(PDO::FETCH_CLASS, 'secret_person', ['data']);

If you must pass different data to the constructor for each object, you can set the fetch mode inside the fetch method:

```
$i = 0;
```

while($rowObj = $stmt->fetch(PDO::FETCH_CLASS, 'obscure_person', [$i])) {

```
  // operations
```
```
  $i++;
```
```
}
```

Some Other Helpful Methods

While this isn’t meant to cover everything in PDO (it’s a huge extension!) there are a few more methods you’ll want to know in order to do basic things with PDO.

```
$DBH->lastInsertId();
```

The lastInsertId() method of PDO (not PDOStatement) will return the last inserted primary key value for this connection.

$DBH->exec('DELETE FROM person WHERE 1');

```
$DBH->exec("SET time_zone = '-8:00'");
```

The exec() method is used for operations that cannot return data other than the number of affected rows.

```
$safe = $DBH->quote($unsafe);
```

The quote() method quotes strings so they are safe to use in queries. This is your fallback if you’re not using prepared statements.

```
$rows_affected = $stmt->rowCount();
```

The rowCount() method returns an integer indicating the number of rows affected by an operation.

HTML MVC PHP

Deeper in Models

In this post, we will explore more database transactions in model classes with the previous Item class example. We will also create views that can support these operations.

SQL DML (Data Modification Language) are these operations that we must implement in our model classes. They comprise all CRUD (Create, Read, Update, Delete) operations, i.e., respectively INSERT, SELECT, UPDATE, and DELETE.

Create

We add a create method to the Item model class as follows:

public function create(){
  $SQL = 'INSERT INTO Item(name) VALUES (:name)';
  $stmt = self::$_connection->prepare($SQL);
  $stmt->execute(['name'=>$this->name]);
  return self::$_connection->lastInsertId();
}

In the above, we first define the SQL command we will use, with a named placeholder, :name. We then get PDO to prepare the statement; the use of prepared statements has many advantages including reusability and SQL-injection prevention (this happens later).

Next, we run the prepared statement with the execute method. The parameter is an array ([...]) containing a dictionary of values for this statement, i.e., if there is a :name placeholder in the SQL, then there must be a name key-value pair in this dictionary. The execute method will take all this data and sanitize it, preventing any special character that could be used to perform SQL injection. In other words, if you are using prepared statements in all your models such that all data is passed into the statements through the execute method, then you have been diligent in preventing SQL injection.

The final step in the create method is to return the primary key value assigned to the created record. This value is fetched by PDO’s lastInsertId() method.

We now focus on the view used to create this record. We create a view, /app/view/home/create.php that will be used for data entry by the user, as follows:

<html>
  <head><title>Create an Item</title></head>
  <body>
    <h1>Create an Item</h1>
    <form action='' method='post'>
      <label>Name:<input type='text' name='name' /></label><br />
      <input type='submit name='action' value='Create' /> <a href='/home/index'>Cancel</a>
    </form>
  </body>
</html>

The form is submitted to the same URL from which it was called. This way, we can write the instructions to call the view and to add the record in the same controller method in HomeController:

public function create(){
  if(isset($_POST['action'])){
    $newItem = $this->model('Item');
    $newItem->name = $_POST['name'];
    $newItem->create();
    header('location:/Home/index');
  }else{
    $this->view('home/create');
  }
}

The create method is written in two branches, the first if the submit button named action is pressed. We instantiate an Item object and initialize its name attribute (its only attribute) before calling the create() method to store it. Finally, we send the browser headers to redirect to the /Home/index URL for the application, which will display the list of items. The user can also navigate back to the list of items by blicking Cancel.

Read

We now focus on a detail-view feature for the records. Bear in mind that this is especially useful in cases where records hold many fields. We first add a find(…) method to the model class:

public function find($item_id){
  $SQL = 'SELECT * FROM Item WHERE item_id = :item_id';
  $stmt = self::$_connection->prepare($SQL);
  $stmt->execute(['item_id'=>$item_id]);
  $stmt->setFetchMode(PDO::FETCH_CLASS, 'Item');
  return $stmt->fetch();
}

In contrast with the get() method we wrote in An Introduction to Models, the SQL includes a WHERE clause to choose the record based on the primary key value and this value is passed in the call to the execute() method. Finally, the is returned after a call to fetch() such that the single matching record is returned as an object, without being placed in an array.

To display the record, we build a detail view, /app/views/home/detail.php which should include all record fields in the display:

<html>
  <head><title>Item Details</title></head>
  <body>
    <h1>Item Details</h1>
    <dl>
      <dt>Name:</dt>
      <dd><?=$data->name ?></dd>
    </dl>
<a href='/home/index'>Back to list</a>
  </body>
</html>

Above, we are assuming the single record is passed to the view and that the name attribute is displayed by the <?=expression ?> tags which are shorthand for <?php echo expression; ?>.

We complete this part with method detail in HomeController as follows:

public function detail($item_id){
  $theItem = $this->model('Item')->find($item_id);
  $this->view('home/detail', $theItem);
}

On the first line, we invoke the method to find the wanted record and store it in $theItem, which is then passed to the newly-created view on the following line.

Update

Another important part of a data-centric Web application is the ability to modify data. In a MySQL database, this is done through UPDATE SQL statements, as in the following update method added to the Item model.

public function update(){
  $SQL = 'UPDATE Item 
          SET name = :name 
          WHERE item_id = :item_id';
  $stmt = self::$_connection->prepare($SQL);
  $stmt->execute(['name'=>$this->name,
                  'item_id'=>$this->item_id]);
  return $stmt->rowCount();
}

First we write a proper SQL UPDATE statement with named placeholders where the data is meant to go. Then we prepare the statement and execute it with the needed data, from the object. Finally, we return the rowCount as feedback about how many rows were modified.

The view to support this process must allow data entry from the user AND have the data entry fields prepopulated with the existing record field values. We add the view /app/views/home/edit.php as follows:

<html>
  <head><title>Edit an item</title></head>
  <body>
    <h1>Edit an item</h1>
    <form action='' method='post'>
      <label>Name:<input type='text' name='name'
           value='<?= $data->name ?>' /></label><br />
      <input type='submit name='action' value='Save' /> <a href='/home/index'>Cancel</a>
    </form>
  </body>
</html>

For the view to work properly, it must receive the record as its $data parameter. We put all this together in the HomeController edit method, as follows:

public function edit($item_id){
  $theItem = $this->model('Item')->find($item_id);
  if(isset($_POST['action'])){
    $theItem->name = $_POST['name'];
    $theItem->update();
    header('location:/Home/index');
  }else{
    $this->view('home/edit', $theItem);
  }
}

This method is very similar to create, in that it handles displaying a form, processes the submitted data, and redirects back to the list of all items. The distinctions are that edit operates on an existing record and thus must find and present it in the view prior to calling for updates with the user input. Naturally, if a user clicks the Cancel hyperlink, they navigate back to the index method, so this case need not be addressed here.

Delete

To complete the basic data management for the Item table, we must have the ability to delete records. We will implement the Item model class delete method as follows:

public function delete(){
  $SQL = 'DELETE FROM Item WHERE item_id = :item_id';
  $stmt = self::$_connection->prepare($SQL);
  $stmt->execute(['item_id'=>$this->item_id]);
  return $stmt->rowCount();
}

It is easy to also implement this method to take the item_id as a parameter and forego using the actual object attributes.

The pattern to process this request is familiar by now, but in a nutshell: define the DELETE statement with an :item_id placeholder; prepare the statement; execute the statement with the data to replace the placeholders; and return the number of rows affected by the change.

To make this process go smoothly, there are two possibilities: with or without a deletion confirmation view. We write a deletion confirmation view /app/views/home/delete.php as follows:

<html>
  <head><title>Delete an item</title></head>
  <body>
    <h1>Delete an item</h1>
    <form action='' method='post'>
      <label>Name:<input type='text' name='name'
        value='<?= $data->name ?>' disabled />
        </label><br />
      <input type='submit name='action' value='Delete' /> <a href='/home/index'>Cancel</a>
    </form>
  </body>
</html>

So the user will click on the Delete button to confirm deletion and the Cancel link to cancel the deletion.

To complete the deletion implementation, we add the delete method to the HomeController as follows:

public function delete($item_id){
  $theItem = $this->model('Item')->find($item_id);
  if(isset($_POST['action'])){
    $theItem->delete();
    header('location:/Home/index');
  }else{
    $this->view('home/delete', $theItem);
  }
}

In the above, we only handle the cases when the method is called with or without the action button being clicked. These cases happen upon submitting the form and navigating to delete, respectively.

Tying it All Together

The only aspect missing from this application is the set of hyperlinks that allow navigation. Since all views have links back to /home/index and since all methods redirect to /home/index as well, the links to go to access create, detail, update, and delete methods must be implemented in the view for the index method of the HomeController class; we modify it as follows:

<html>
<head><title>Item List</title></head>
<body>
<h1>List of items</h1>
<a href='/home/create/'>Add an item</a>
<table>
<tr><th>Name</th><th>Actions</th></tr>
<?php
  foreach($data['items'] as $item){
    echo "<tr><td>$item->name</td><td>
      <a href='/home/detail/$item->item_id'>Details</a>
      <a href='/home/edit/$item->item_id'>Modify</a>
      <a href='/home/delete/$item->item_id'>Delete</a>
      </td></tr>";
  }
?>
</table>
</body>
</html>

Notice the hyperlinks all lead to URLs which will be used to invoke controller methods with their parameters. The controller methods will, in turn, call the appropriate views and process the responses to finally redirect as appropriate.