=====
CS 328 - Week 11 Lecture 1 - 2026-04-06
=====
=====
TODAY WE WILL
=====
* announcements
* start with a dynamically-built form...
* ...and segue into intro to BIND VARIABLES to
help thwart SQL Injection!
* IF TIME: PHP and OCI: calling a stored function
* (but there was NOT time, so will discuss
next week!)
* prep for next class
=====
* should be working on Homework 9!
* deadline: 11:59 pm on Friday, April 10
* submit files OFTEN, THROUGHOUT the week!
* Should also start reading and working through the activities
in zyBooks Chapter 5 - PHP Fundamentals
* IT IS advising time for SUMMER 2026/FALL 2026!
* preregistration for SUMMER 2026 begins for
***EVERYONE*** on APRIL 13!!!
* preregistration for FALL 2026 begins at your
registration appointment in your student center
(sometime between April 13 - April 24)
=====
UPCOMING SCHEDULE
=====
* TODAY - more PHP-and-OCI
* Wednesday, April 8 - review for Exam 2 (clicker questions included!)
* Thursday, April 9
* There WILL be a Week 11 lab exercise!
* 11:59 pm Friday, April 10
* at-least-first-attempts at Homework 9 problems due
* deadline for credit for zyBooks Chapters 3, 4, 5 activities
* Monday, April 13 - more PHP-and-OCI (the newly-intro'd parts will
NOT be part of Exam 2)
* 11:59 pm Monday, April 13
* any final improved versions of problems from
Homeworks 6-9 are DUE, so that...
* 12:01 am Tuesday, April 14
* selected EXAMPLE SOLUTIONS for Homeworks 6-9
can be made reachable on Canvas, for Exam 2 study use
* Wednesday, April 15 - Exam 2, during lecture, in SH 108
* Exam 2 - Bonus must be submitted *ON CANVAS* by 3:00 pm
on Wednesday, April 15
* Thursday, April 16
* There WILL be a Week 12 lab exercise!
* (Homework 10 comes out AFTER the Week 12 Labs)
=====
* see 328lect11-1-empl-request.php to see another
postback PHP that either creates a desired form
or responds to that form when it is submitted
* note how it DYNAMICALLY builds the option elements
for its select/drop-down form widget of employee
numbers and last names --
this is a GOOD approach, since any changes to employees
(insertions, deletions, updates) require NO changes
to the PHP code building this select/drop-down form widget!
...each time this PHP is executed, it selects the CURRENT empl
table's contents and uses them to build this select/drop-down!
* BUT - if we'd like to write a query for the SELECTED
employee, we need to be CAREFUL to do so to try to
avoid SQL INJECTION
=====
SQL INJECTION
=====
...is when someone tries to inject unwanted SQL into your SQL
* $query = "select empl_last_name
from empl
where job_title = $from_client_tier";
* What if $from_client_tier contains
"'Manager' or 1=1" ?
* What if $from_client_tier contains
"'Manager' union select table_name from user_tables" ?
* also see: https://xkcd.com/327/
=====
ONE way to thwart SQL injection
=====
* ...is to avoid so-called dynamic SQL statements,
at least avoid those built using CONCATENATION,
ESPECIALLY concatenation based on data
from the client tier!
* but, in certain parts of a SQL statement --
such as a SELECT statement's WHERE clause --
you can use BIND variables to more-safely set up
a dynamic SQL statement!
* in your query string, put : followed by desired
bind-variable name for EACH bind variable you want
* after oci_parse has been done,
call oci_bind_by_name for EACH bind variable in that
statement to bind a value to that bind variable,
and THEN call oci_execute to execute it
* essentially just bind a VALUE to a bind variable --
will only allow a VALUE to be bound to it, attempts to
inject additional SQL clauses will not work;
* The above is also discussed in the posted handout
"Basics of Oracle/PHP Bind Variables",
along with today's in-class examples AND
in the PHP References page