=====
CS 328 - Week 11 Lecture 1 - 2026-04-06
=====

=====
TODAY WE WILL
=====
*   announcements
*   start with a dynamically-built form...
*   ...and segue into intro to BIND VARIABLES to
    help thwart SQL Injection!
*   IF TIME: PHP and OCI: calling a stored function
    *   (but there was NOT time, so will discuss
        next week!)
*   prep for next class

=====
*   should be working on Homework 9!
    *   deadline: 11:59 pm on Friday, April 10

    *   submit files OFTEN, THROUGHOUT the week!
    
*   Should also start reading and working through the activities
    in zyBooks Chapter 5 - PHP Fundamentals

*   IT IS advising time for SUMMER 2026/FALL 2026!
    *   preregistration for SUMMER 2026 begins for 
        ***EVERYONE*** on APRIL 13!!!

    *   preregistration for FALL 2026 begins at your
        registration appointment in your student center
	(sometime between April 13 - April 24)

=====
UPCOMING SCHEDULE
=====
*   TODAY - more PHP-and-OCI

*   Wednesday, April 8 - review for Exam 2 (clicker questions included!)

*   Thursday, April 9
    *   There WILL be a Week 11 lab exercise!

*   11:59 pm Friday, April 10
    *   at-least-first-attempts at Homework 9 problems due

    *   deadline for credit for zyBooks Chapters 3, 4, 5 activities

*   Monday, April 13 - more PHP-and-OCI (the newly-intro'd parts will
    NOT be part of Exam 2)

*   11:59 pm Monday, April 13
    *   any final improved versions of problems from 
        Homeworks 6-9 are DUE, so that...

*   12:01 am Tuesday, April 14
    *   selected EXAMPLE SOLUTIONS for Homeworks 6-9
        can be made reachable on Canvas, for Exam 2 study use

*   Wednesday, April 15 - Exam 2, during lecture, in SH 108
    *   Exam 2 - Bonus must be submitted *ON CANVAS* by 3:00 pm
        on Wednesday, April 15

*   Thursday, April 16
    *   There WILL be a Week 12 lab exercise!

*   (Homework 10 comes out AFTER the Week 12 Labs)

=====
*   see 328lect11-1-empl-request.php to see another
    postback PHP that either creates a desired form
    or responds to that form when it is submitted

    *   note how it DYNAMICALLY builds the option elements
        for its select/drop-down form widget of employee
	numbers and last names --

	this is a GOOD approach, since any changes to employees
	(insertions, deletions, updates) require NO changes
	to the PHP code building this select/drop-down form widget!
	
	...each time this PHP is executed, it selects the CURRENT empl
	   table's contents and uses them to build this select/drop-down!

    *   BUT - if we'd like to write a query for the SELECTED
        employee, we need to be CAREFUL to do so to try to
	avoid SQL INJECTION

=====
SQL INJECTION
=====
...is when someone tries to inject unwanted SQL into your SQL

*   $query = "select empl_last_name
              from empl
	      where job_title = $from_client_tier";

    *   What if $from_client_tier contains
        "'Manager' or 1=1" ?

    *   What if $from_client_tier contains
        "'Manager' union select table_name from user_tables" ?

*   also see: https://xkcd.com/327/

=====
ONE way to thwart SQL injection
=====
*   ...is to avoid so-called dynamic SQL statements,
    at least avoid those built using CONCATENATION,
    
    ESPECIALLY concatenation based on data
    from the client tier!

*   but, in certain parts of a SQL statement --
    such as a SELECT statement's WHERE clause --
    you can use BIND variables to more-safely set up
    a dynamic SQL statement!

    *   in your query string, put : followed by desired
        bind-variable name for EACH bind variable you want

    *   after oci_parse has been done,
        call oci_bind_by_name for EACH bind variable in that
	statement to bind a value to that bind variable,

	and THEN call oci_execute to execute it

        *   essentially just bind a VALUE to a bind variable --
	    will only allow a VALUE to be bound to it, attempts to
	    inject additional SQL clauses will not work;

    *   The above is also discussed in the posted handout
        "Basics of Oracle/PHP Bind Variables",
	along with today's in-class examples AND
	in the PHP References page