Saturday, May 12, 2012

Connecting MySQL to PHP


This post will talk about how I connected a MySQL database to the PHP web application.

Creating a Schema

First, a schema needs to created. I did this using MySQL Workbench, however, you can execute your SQL create statements from any tool, including the command line.

The database is a simple schema, consisting of two tables.

user table. This will store the usernames and passwords. Fields are:

  • id - generated automatically. The primary key.
  • username - a string. Must be unique.
  • password - a very long string, as I plan to store hashed values.

user_score table. This will store all scores of any user who's played the game. Fields are:

  • id - generated automatically. The primary key.
  • user_id - the user's id.
  • score - a numerical value. The score attained.

A Note on Using MySQL under XAMPP in Mac OS X Lion

The version of XAMPP I'm using comes with certain security features, including not allowing remote connections. Graphical tools such as MySQL Workbench require this, so I needed to apply this fix.


The SQL code required to create the two tables is shown below:

  `user_id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(45) NOT NULL,
  `password` varchar(500) NOT NULL,
  PRIMARY KEY (`user_id`),
  UNIQUE KEY `user_id` (`user_id`),
  UNIQUE KEY `user_id_2` (`user_id`),
  UNIQUE KEY `username_UNIQUE` (`username`),
  KEY `user_id_3` (`user_id`)

CREATE TABLE `user_score` (
  `user_id` int(11) NOT NULL,
  `score` int(11) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `id_UNIQUE` (`id`)

Some sample data was added to both tables.

Connecting to the Database with PHP

The next step is to connect to the database using PHP code. This is easily achieved using two simple lines.

mysql_connect("localhost", "root", "");

Executing Queries

One line is required to execute a query:

$result = mysql_query($sql);

Retrieving Results

The result of the query is stored in $result. In order to view the results, one needs to loop through the array of rows. This is fairly easy to do:

if ($result) {
 while ($row = mysql_fetch_array($result)) {
  if ($row['username'] == $u) {
   $logged_in = true;

Security Concerns

When exposing the database your users, care must be taken to avoid exposing your machine, and to avoid exposing the database.

Escaping Code

To help prevent SQL injection attacks, any user-entered strings should be sanitised using the mysql_real_escape_string() method.

Hashing Passwords

Passwords should always be hashed, in case the database is compromised. There are several ways to do this. I opted to use the SHA256 method.

$password = mysql_real_escape_string($password);
$password = hash("sha256", $password);

Closing a Database Connection

To lighten the load on the server, MySQL Database connections should always be closed after use. This is simple to achieve using the command: mysql_close().

Putting it all Together

I decided to create one common PHP file that all other scripts in the web application can use (using either require or include).


function openConnection() {
 mysql_connect("localhost", "root", "");

function closeConnection() {
 return mysql_close();

function executeQuery($sql) {
 $result = mysql_query($sql);
 return $result;

function hashPassword($password) {
 $password = mysql_real_escape_string($password);
 return hash("sha256", $password);



This brief post highlighted how to properly connect to a MySQL database, and how I'm using it in my web application.

No comments:

Post a Comment