Security and Configuration Needs 0:00

So now, I want to talk just a little bit about security and configuration. So as I noted at the end of the last episode, we're hard-coding all of this stuff. It doesn't make it very flexible, it's not configurable, and worse, we don't have a password in this case, but in real life you would, and I just don't want my password right within here. I don't trust it, I don't want necessarily other people to be able to access this password. If anything goes wrong on my server and an error page displays, I don't want people to gain access to this, because if they see that, they have access to your database, and all sorts of craziness could go on at that point.

Creating a Config File 0:31

So what might be an alternative? Well, what if we did this? What if we had a dedicated configuration file in our project? And here, this can just return an array for any configurable items in our project. So for example, our database section, well, that will be an array itself. So remember your learning, this is an associative array, and now database, too, will be an associative array. Okay, so now, yeah, here is where we could define what the name of our database is. And then down the line, if you have to change the name of the database, you don't have to hunt down where you reference this, you open one file and you update it to the new database name. Good. All right, so what else? Well, we need the username for the database, ours is root. We need the password, it's nothing for now. What else? Let's go back here. Well, we need our connection. So why don't we do this? Let's say connection, and I'm just going to paste that portion in. And then we also need some options here, and we'll talk about that in just a minute. I'll default that to an empty array.

Refactoring Connection to Config 1:43

Okay, so think about it. All of our private configuration is now stored within this one file that we can lock down and keep safe. Now, in our connection file, rather than hard coding this, we can just say, yeah, give me the config. I'm going to require database configuration in order to do my job. So now, we can update this like so. Let me rewrite this from scratch. So we want our config connection. So notice, we are just going to assume that what we pass into the method is this array. So first, we want the connection or the DSN, and then we will concatenate, so we're at this point. So we will concatenate a semicolon, and then the database name. So if we go back, we store that as name. Next, we're on to the username. So config username. So yeah, notice we're not hard coding these values anymore. We're just referencing variables that will be passed in from somebody else. All right, we need the password. And then finally, the fourth argument that we don't have here would be any PDO options that you want to specify, and we will do that in a minute. Okay, so I get rid of the hard-coded scary passwords, and I replace them with simple configuration items. But now, this is not going to work. So if I give this a refresh, it's going to fail. Missing argument one for connection make.

Passing Config in Bootstrap 3:02

So now, we've specified that in order for connection, this object or class to do its job, it depends upon a configuration array. So we need to make sure that our bootstrap file passes that in. Passes that in. Let's do this. Require config.php. And that is going to return an array. So we could say config, and then we could reference config database. Does that make sense? So here, one more time. Give me this whole array. But we're not interested in all of that. We just want to pass the database section. So that's why we're saying config. And now, I just want everything associated with this key, which means that there will be passed to the make method. Like so. Connection receives that, and then fetches items directly off of that subarray. So now, if we come back and give this a refresh, it works. Once again, we've made a good refactor. Now, even outside of security, it's just good to make these sorts of things configurable. So what if somebody else is using this project, you built it for them, and they're uploading it to a new database where they have their own password, and they're trying to say, well, how do I change the database password? Well, now you don't have to say, well, hunt down the connection file in this folder, and this folder, and this folder. You just say, yeah, open up your user configuration, and change your password to whatever it happens to be. And now, behind the scenes, everything will work. So like in this case, it's not going to work, right? Because it's the wrong password. The correct password is, in this case, no password.

Adding PDO Error Options 4:39

But now, what about the options to finish up this episode? Well, imagine this. In our index file, imagine that we select all from a table that does not exist. Right now, we're really not going to get much feedback. So notice it's empty. Pretty hard to debug. So why don't we specify some options for what should happen in these sorts of scenarios? All right. In our config file, I'm going to say PDO. And if it runs into any kind of error, the mode that I want to use is error mode exception. So if I come back and refresh this, now we get more feedback that we can report. So for example, if I pull up this little note here on PHP's website, error reporting. So if we set it to error mode silent, all we want are the error codes to be set. If we set it to warning, we want to raise a warning. And if we set it to exception, we want to automatically throw those exceptions. So that means if we come back and you wanted to use warnings to be thrown, run it again, and now we can see any warning that it provides. Good stuff to know. And it'll give you more feedback as you develop. So now let's come back, bring this back to what we had before, refresh, and everything's working. But we're making lots of good improvements. Okay.

Wrap-up and Next Steps 6:04

In the next episode, I know this isn't the most fun stuff in the world, thinking about database connections and query builders. As you'll find in real life, there is tooling that will do so much of this work for you. So you don't always have to worry about that for every project. But it's good to have a basic understanding of how the pieces fit together. So I promise we're going to move into something a bit more fun in the next episode.
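As an added example (not the instructor's code from the series), the config-array-plus-Connection::make() arrangement the episode describes, pulled into one script, with the three PDO::ATTR_ERRMODE settings tried against a table that does not exist. The host, database name and credentials are constructed placeholders, and a reachable MySQL server is assumed.

```php
<?php
// Added example, not from the series. In the project this array lives in its own
// config.php (kept out of the web root and out of version control) and is
// `require`d; the values below are constructed placeholders.
$config = [
    'database' => [
        'name'       => 'mytodo',               // placeholder database name
        'username'   => 'root',
        'password'   => '',                     // empty, as in the episode
        'connection' => 'mysql:host=127.0.0.1', // placeholder host
        'options'    => [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ],
    ],
];

class Connection
{
    /** Build a PDO from the 'database' sub-array; nothing is hard-coded here. */
    public static function make(array $config): PDO
    {
        // DSN = connection string . ';dbname=' . name, exactly as the episode builds it
        return new PDO(
            $config['connection'] . ';dbname=' . $config['name'],
            $config['username'],
            $config['password'],
            $config['options'] ?? []   // fourth argument: PDO options
        );
    }
}

// Bootstrap: hand over only the 'database' section, as the episode does.
$pdo = Connection::make($config['database']);

// What each error mode gives back for a query against a missing table.
$modes = [
    'silent'    => PDO::ERRMODE_SILENT,    // query() returns false; inspect errorInfo()
    'warning'   => PDO::ERRMODE_WARNING,   // E_WARNING is raised, query() still returns false
    'exception' => PDO::ERRMODE_EXCEPTION, // PDOException is thrown
];
foreach ($modes as $label => $mode) {
    $pdo->setAttribute(PDO::ATTR_ERRMODE, $mode);
    try {
        $result = $pdo->query('SELECT * FROM table_that_does_not_exist');
        printf("%-9s -> %s\n", $label,
            $result === false ? 'false (' . $pdo->errorInfo()[2] . ')' : 'statement');
    } catch (PDOException $e) {
        printf("%-9s -> PDOException: %s\n", $label, $e->getMessage());
    }
}
```

Only the exception mode interrupts the script, which is why the episode settles on it for development; the silent mode is the one that produces the empty, hard-to-debug page shown before the options were added.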