4 Querying Data
In this chapter, you extend the Anyco HR application from Chapter 3 by adding information to the Departments page. You also implement the functionality to query, insert, update, and delete employee records in a specific department.
This chapter has the following topics:
Centralizing the Database Application Logic
In this section, you will modify your application code by moving the database access logic into separate files for inclusion in the PHP application.
-
Copy the files that you completed in Chapter 3 to a new
chap4directory, and change to the newly created directory:On Windows:
mkdir c:\program files\Apache Group\Apache2\htdocs\chap4 cd c:\program files\Apache Group\Apache2\htdocs\chap4 copy ..\chap3\* .
On Linux:
mkdir $HOME/public_html/chap4 cd $HOME/public_html/chap4 cp ../chap3/* .
-
Using your preferred editor, create a file called
anyco_cn.incthat defines named constants for the database connection information. This file enables you to change connection information in one place.<?php // File: anyco_cn.inc define('ORA_CON_UN', 'hr'); // User name define('ORA_CON_PW', 'hr'); // Password define('ORA_CON_DB', '//localhost/orcl'); // Connection identifier ?>
For simplicity, the user name and password are written into this sample application code. For applications that will be deployed, coding the user name and password strings directly into your application source code is not recommended. Oracle recommends that you use a more secure technique, such as implementing a dialog that prompts the user for the user name and password.
See Oracle Database Security Guide and the documentation for your development environment for details on security features and practices.
-
Create a file called
anyco_db.incthat declares functions for creating a database connection, executing a query, and disconnecting from the database. Use the following logic, which includes some error handling that is managed by calling an additional function calleddb_error ():<?php // File: anyco_db.inc function db_connect() { // use constants defined in anyco_cn.inc $conn = oci_connect(ORA_CON_UN, ORA_CON_PW, ORA_CON_DB); if (!$conn) { db_error(null, __FILE__, __LINE__); } return($conn); } function db_do_query($conn, $statement) { $stid = oci_parse($conn, $statement); if (!$stid) { db_error($conn, __FILE__, __LINE__); } $r = oci_execute($stid, OCI_DEFAULT); if (!$r) { db_error($stid, __FILE__, __LINE__); } $r = oci_fetch_all($stid, $results, null, null, OCI_FETCHSTATEMENT_BY_ROW); return($results); } // $r is the resource containing the error. // Pass no argument or false for connection errors function db_error($r = false, $file, $line) { $err = $r ? oci_error($r) : oci_error(); if (isset($err['message'])) { $m = htmlentities($err['message']); } else { $m = 'Unknown DB error'; } echo '<p><b>Error</b>: at line '.$line.' of '.$file.'</p>'; echo '<pre>'.$m.'</pre>'; exit; } ?>
The
db_do_query()function in this example uses theoci_fetch_all()OCI8 function. Theoci_fetch_all()function accepts the following five parameters:-
$results, the output array variable containing the data returned for the query -
The
nullin the third parameter for the number of initial rows to skip is ignored. -
The
nullin the fourth parameter for the maximum number of rows to fetch is ignored. In this case, all the rows for the query are returned. For this example where the result set is not large, it is acceptable. -
The last parameter flag
OCI_FETCHSTATEMENT_BY_ROWindicates that the data in the$resultsarray is organized by row, where each row contains an array of column values. A value ofOCI_FETCHSTATEMENT_BY_COLUMNcauses theresultsarray to be organized by column, where each column entry contains an array of column values for each row. Your choice of value for this flag depends on how you intend to process the data in your logic.
To examine the structure of the result array, use the PHP
var_dump()function after the query has been executed. This is useful for debugging. For example:print '<pre>'; var_dump($results); print '</pre>';
The
db_error()function accepts three arguments. The$rparameter can be false or null for obtaining connection errors, or a connection resource or statement resource to obtain an error for those contexts. The$fileand$linevalues are populated by using__FILE__and__LINE__, respectively, as the actual parameters to enable the error message to display the source file and line from which the database error is reported. This enables you to easily track the possible cause of errors.The db_
error()function calls theoci_error()function to obtain database error messages.The
db_error()function calls theisset()function before printing the message. Theisset()function checks if the message component of the database error structure is set, or if the error is unknown. -
Edit
anyco_ui.inc. To format the results of a single row from theDEPARTMENTStable query in an HTML table format, insert the following function:function ui_print_department($dept) { if (!$dept) { echo '<p>No Department found</p>'; } else { echo <<<END <table> <tr> <th>Department<br>ID</th> <th>Department<br>Name</th> <th>Manager<br>Id</th> <th>Location ID</th> </tr> <tr> END; echo '<td>'.htmlentities($dept['DEPARTMENT_ID']).'</td>'; echo '<td>'.htmlentities($dept['DEPARTMENT_NAME']).'</td>'; echo '<td>'.htmlentities($dept['MANAGER_ID']).'</td>'; echo '<td>'.htmlentities($dept['LOCATION_ID']).'</td>'; echo <<<END </tr> </table> END; } }
As noted in Chapter 3, do not prefix
END;lines with leading spaces. If you do, the rest of the document will be treated as part of the text to be printed. -
Edit the
anyco.phpfile. Include theanyco_ui.incandanyco_db.incfiles, and call the database functions to query and display information for a department with adepartment_idof 80 by using the following code. The file becomes:<?php // File: anyco.php require('anyco_cn.inc'); require('anyco_db.inc'); require('anyco_ui.inc'); $query = 'SELECT department_id, department_name, manager_id, location_id FROM departments WHERE department_id = 80'; $conn = db_connect(); $dept = db_do_query($conn, $query); ui_print_header('Departments'); ui_print_department($dept[0]); ui_print_footer(date('Y-m-d H:i:s')); ?>
-
To test the resulting changes to the application, enter the following URL in a browser window:
On Windows:
http://localhost/chap4/anyco.php
On Linux:
http://localhost/~<username>/chap4/anyco.php
The page returned in the browser window should resemble the following page:
Description of the illustration chap4_db_connect_002.gif
Writing Queries with Bind Variables
Using queries with values included in the WHERE clause may be useful for some situations. However, if the conditional values in the query are likely to change it is not appropriate to encode a value into the query. Oracle recommends that you use bind variables.
A bind variable is a symbolic name preceded by a colon in the query that acts as a placeholder for literal values. For example, the query string created in the anyco.php file could be rewritten with the bind variable :did as follows:
$query = 'SELECT department_id, department_name, manager_id, location_id FROM departments WHERE department_id = :did';
By using bind variables to parameterize SQL statements:
-
The statement is reusable with different input values without needing to change the code.
-
The query performance is improved through a reduction of the query parse time in the server, because the Oracle database can reuse parse information from the previous invocations of the identical query string.
-
There is protection against "SQL Injection" security problems.
-
There is no need to specially handle quotation marks in user input.
When a query uses a bind variable, the PHP code must associate an actual value with each bind variable (placeholder) used in the query before it is executed. This process is known as run-time binding.
To enable your PHP application to use bind variables in the query, perform the following changes to your PHP application code:
-
Edit the
anyco.phpfile. Modify the query to use a bind variable, create an array to store the value to be associated with the bind variable, and pass the$bindargsarray to thedb_do_query()function:<?php // File: anyco.php ... $query = 'SELECT department_id, department_name, manager_id, location_id FROM departments WHERE department_id = :did'; $bindargs = array(); // In the $bindargs array add an array containing // the bind variable name used in the query, its value, a length array_push($bindargs, array('DID', 80, -1)); $conn = db_connect(); $dept = db_do_query($conn, $query, $bindargs); ... ?>
In this example, the bind variable, called DID, is an input argument in the parameterized query, and it is associated with the value 80. Later, the value of the bind variable will be dynamically determined. In addition, the length component is passed as -1 so that the OCI8 layer can determine the length. If the bind variable was used to return output from the database an explicit size would be required.
-
Edit the
anyco_db.incfile. Modify thedb_do_query()function to accept a$bindvarsarray variable as a third parameter. Call theoci_bind_by_name()OCI8 call to associate the PHP values supplied in$bindvarsparameter with bind variables in the query. The function becomes:function db_do_query($conn, $statement, $bindvars = array()) { $stid = oci_parse($conn, $statement); if (!$stid) { db_error($conn, __FILE__, __LINE__); } // Bind the PHP values to query bind parameters foreach ($bindvars as $b) { // create local variable with caller specified bind value $$b[0] = $b[1]; // oci_bind_by_name(resource, bv_name, php_variable, length) $r = oci_bind_by_name($stid, ":$b[0]", $$b[0], $b[2]); if (!$r) { db_error($stid, __FILE__, __LINE__); } } $r = oci_execute($stid, OCI_DEFAULT); if (!$r) { db_error($stid, __FILE__, __LINE__); } $r = oci_fetch_all($stid, $results, null, null, OCI_FETCHSTATEMENT_BY_ROW); return($results); }
The binding is performed in the
foreachloop before theoci_execute()is done.For each entry in
$bindvarsarray, the first element contains the query bind variable name that is used to create a PHP variable of the same name; that is,$$b[0]takes the value DID in$b[0]and forms a PHP variable called$DIDwhose value is assigned from the second element in the entry.The
oci_bind_by_name()function accepts four parameters: the$stidas the resource, a string representing the bind variable name in the query derived from the first element in the array entry, the PHP variable containing the value to be associated with the bind variable, and the length of the input value. -
To test the results of the preceding modifications, save the
anyco.phpandanyco_db.incfiles and enter the following URL:On Windows:
http://localhost/chap4/anyco.php
On Linux:
http://localhost/~<username>/chap4/anyco.php
The page returned in the browser window should resemble the following page:
Description of the illustration chap4_db_connect_003.gif
Navigating Through Database Records
Adding navigation through the database records requires several important changes to the application logic. The modifications require the combination of:
-
Including an HTML form to provide Next and Previous navigation buttons to step through database records.
-
Detecting if the HTTP request for the page was posted by clicking the Next or Previous button.
-
Tracking the last row queried by using the HTTP session state. A PHP session is started to maintain state information for a specific client between HTTP requests. The first HTTP request will retrieve the first data row and initialize the session state. A subsequent request, initiated with navigation buttons, combined with the session state from a previous HTTP request, enables the application to set variables that control the next record retrieved by the query.
-
Writing a query that returns a subset of rows based on a set of conditions whose values are determined by the application state.
To add navigation through database rows, perform the following steps:
-
Edit the
anyco_ui.incfile. Add Next and Previous navigation buttons to the Departments page. Change theui_print_department()function to append a second parameter called$posturlthat supplies the value for the form attributeaction. After printing the</table>tag include HTML form tags for the Next and Previous buttons:<?php // File: anyco_ui.inc ... function ui_print_department($dept, $posturl) { ... echo <<<END </tr> </table> <form method="post" action="$posturl"> <input type="submit" value="< Previous" name="prevdept"> <input type="submit" value="Next >" name="nextdept"> </form> END; } } ?>
-
Edit the
anyco.phpfile. To detect if the Next or Previous button was used to invoke the page and track the session state, call the PHP functionsession_start(), and create a function namedconstruct_departments():Move and modify the database access logic into a new
construct_departments()function, which detects if navigation has been performed, manages the session state, defines a subquery for the database access layer to process, and connects and calls a functiondb_get_page_data(). The file becomes:<?php // File: anyco.php require('anyco_cn.inc'); require('anyco_db.inc'); require('anyco_ui.inc'); session_start(); construct_departments(); function construct_departments() { if (isset($_SESSION['currentdept']) && isset($_POST['prevdept']) && $_SESSION['currentdept'] > 1) { $current = $_SESSION['currentdept'] - 1; } elseif (isset($_SESSION['currentdept']) && isset($_POST['nextdept'])) { $current = $_SESSION['currentdept'] + 1; } elseif (isset($_POST['showdept']) && isset($_SESSION['currentdept'])) { $current = $_SESSION['currentdept']; } else { $current = 1; } $query = 'SELECT department_id, department_name, manager_id, location_id FROM departments ORDER BY department_id asc'; $conn = db_connect(); $dept = db_get_page_data($conn, $query, $current, 1); $deptid = $dept[0]['DEPARTMENT_ID']; $_SESSION['currentdept'] = $current; ui_print_header('Department'); ui_print_department($dept[0], $_SERVER['SCRIPT_NAME']); ui_print_footer(date('Y-m-d H:i:s')); } ?>
The
ifandelseifconstruct at the start of theconstruct_departments()function is used to detect if a navigation button was used with an HTTP post request to process the page, and tracks if thecurrentdeptnumber is set in the session state. Depending on the circumstances, the variable$currentis decremented by one when the previous button is clicked,$currentis incremented by one when the Next button is clicked, otherwise$currentis set to the current department, or initialized to one for the first time through.A query is formed to obtain all the department rows in ascending sequence of the
department_id. TheORDER BYclause is an essential part of the navigation logic. The query is used as a subquery inside thedb_get_page_data()function to obtain a page of a number of rows, where the number of rows per page is specified as the fourth argument to thedb_get_page_data()function. After connecting to the database,db_get_page_data()is called to retrieve the set of rows obtained for the specified query. Thedb_get_page_data()function is provided with the connection resource, the query string, a value in$currentspecifying the first row in the next page of data rows required, and the number of rows per page (in this case one row per page).After
db_get_page_data()has been called to obtain a page of rows, the value of$currentis stored in the application session state.Between printing the page header and footer, the
ui_print_department()function is called to display the recently fetched department row. Theui_print_department()function uses$_SERVER['SCRIPT_NAME']to supply the current PHP script name for the$posturlparameter. This sets the action attribute in the HTML form, so that each Next or Previous button click calls theanyco.phpfile. -
Edit the
anyco_db.incfile. Implement thedb_get_page_data()function to query a subset of rows:// Return subset of records function db_get_page_data($conn, $q1, $current = 1, $rowsperpage = 1, $bindvars = array()) { // This query wraps the supplied query, and is used // to retrieve a subset of rows from $q1 $query = 'SELECT * FROM (SELECT A.*, ROWNUM AS RNUM FROM ('.$q1.') A WHERE ROWNUM <= :LAST) WHERE :FIRST <= RNUM'; // Set up bind variables. array_push($bindvars, array('FIRST', $current, -1)); array_push($bindvars, array('LAST', $current+$rowsperpage-1, -1)); $r = db_do_query($conn, $query, $bindvars); return($r); }
The structure of the query in the
db_get_page_data()function enables navigation through a set (or page) of database rows.The query supplied in
$q1is nested as a subquery inside the following subquery:SELECT A.*, ROWNUM AS RNUM FROM $q1 WHERE ROWNUM <= :LAST
Remember that the query supplied in
$q1retrieves an ordered set of rows, which is filtered by its enclosing query to return all the rows from the first row to the next page size ($rowsperpage) of rows. This is possible because the OracleROWNUMfunction (or pseudocolumn) returns an integer number starting at 1 for each row returned by the query in$q1.The set of rows, returned by the subquery enclosing query
$q1, is filtered a second time by the condition in the following outermost query:WHERE :FIRST <= RNUM
This condition ensures that rows prior to the value in
:FIRST(the value in$current) are excluded from the final set of rows. The query enables navigation through a set rows where the first row is determined by the$currentvalue and the page size is determined by the$rowsperpagevalue.The
$currentvalue is associated with the bind variable called:FIRST.The expression$current+$rowsperpage-1sets the value associated with the:LASTbind variable. -
To test the changes made to your application, save the changed files, and enter the following URL in your Web browser:
On Windows:
http://localhost/chap4/anyco.php
On Linux:
http://localhost/~<username>/chap4/anyco.php
When you request the
anyco.phppage, the firstDEPARTMENTtable record, the Administration department, is displayed:
Description of the illustration chap4_db_nagivation_001.gif
-
To navigate to the next department record (Marketing), click Next:
Description of the illustration chap4_db_nagivation_002.gif
-
To navigate back to the first department record (Administration), click Previous:
Description of the illustration chap4_db_nagivation_003.gif
You may continue to test and experiment with the application by clicking Next and Previous to navigate to other records in the DEPARTMENTS table, as desired.
Note:
If you navigate past the last record in theDEPARTMENTS table, an error will occur. Error handling is added in Adding Error Recovery in Chapter 5.ROWNUM vs ROW_NUMBER()
If you were writing a PHP function with a hard coded query, the ROW_NUMBER() function may be a simpler alternative for limiting the number of rows returned. For example, a query that returns the last name of all employees:
SELECT last_name FROM employees ORDER BY last_name;
could be written to select rows 51 to 100 inclusive as:
SELECT last_name FROM SELECT last_name, ROW_NUMBER() OVER (ORDER BY last_name R FROM employees) where R BETWEEN 51 AND 100;
Extending the Basic Departments Page
The Departments page is extended to include the following additional information:
-
The name of the manager of the department
-
The number of employees assigned to the department
-
The country name identifying the location of the department
The additional information is obtained by modifying the query to perform a join operation between the DEPARTMENTS, EMPLOYEES, LOCATIONS, and COUNTRIES tables.
To extend the Departments page, perform the following tasks:
-
Edit the
anyco_ui.incfile. Modify theui_print_department()function by replacing the Manager ID and Location ID references with the Manager Name and Location, respectively, and insert a Number of Employees field after Department Name. Make the necessary changes in the table header and data fields. The function becomes:function ui_print_department($dept, $posturl) { if (!$dept) { echo '<p>No Department found</p>'; } else { echo <<<END <table> <tr> <th>Department<br>ID</th> <th>Department<br>Name</th> <th>Number of<br>Employees</th> <th>Manager<br>Name</th> <th>Location</th> </tr> <tr> END; echo '<td>'.htmlentities($dept['DEPARTMENT_ID']).'</td>'; echo '<td>'.htmlentities($dept['DEPARTMENT_NAME']).'</td>'; echo '<td>'.htmlentities($dept['NUMBER_OF_EMPLOYEES']).'</td>'; echo '<td>'.htmlentities($dept['MANAGER_NAME']).'</td>'; echo '<td>'.htmlentities($dept['COUNTRY_NAME']).'</td>'; echo <<<END </tr> </table> <form method="post" action="$posturl"> <input type="submit" value="< Previous" name="prevdept"> <input type="submit" value="Next >" name="nextdept"> </form> END; } } -
Edit the
anyco.phpfile. Replace the query string inconstruct_departments()with:$query = "SELECT d.department_id, d.department_name, substr(e.first_name,1,1)||'. '|| e.last_name as manager_name, c.country_name, count(e2.employee_id) as number_of_employees FROM departments d, employees e, locations l, countries c, employees e2 WHERE d.manager_id = e.employee_id AND d.location_id = l.location_id AND d.department_id = e2.department_id AND l.country_id = c.country_id GROUP BY d.department_id, d.department_name, substr(e.first_name,1,1)||'. '||e.last_name, c.country_name ORDER BY d.department_id ASC";
The query string is enclosed in double quotation marks to simplify writing this statement, which contains SQL literal strings in single quotation marks.
-
Save the changes to your files, and test the changes by entering the following URL in a Web browser:
On Windows:
http://localhost/chap4/anyco.php
On Linux:
http://localhost/~<username>/chap4/anyco.php
The Web page result should resemble the following output:
Description of the illustration chap4_enhance_dept_001.gif