Question: Attached you have a final version of the crud script with the insert section included. Your job is to add security to this. This includes
Attached you have a final version of the crud script with the insert section included. Your job is to add security to this. This includes using PDO's prepared statements and making sure the script data comes from the same script.
(contactcrud.php)
if ($_POST['submit'] == 'Submit'){ //insert data!!!! if (!$idtoupdate){ /*this could be if (empty($idtoupdate)) if (!isset($idtoupdate)) if ($idtoupdate == '') */ //if no idtoupdate $inssql = $dbh->prepare("insert into contacts (fullname,email,phone) values ('$fullname','$email','$phone')"); echo "Your record has been inserted!"; $inssql->execute(); header("location: crud.php?message=insert"); } // print_r($inssql->errorInfo()); }
//delete if ($deleteid){ $delsql= $dbh->prepare("delete from contacts where id = '$deleteid'"); $delsql->execute(); }
if ($idtoupdate){ //IMPORTANT must have where statement of entire database will update to the new data!!!! $upsql = $dbh->prepare("update contacts set fullname = '$fullname',email='$email',phone='$phone' where id = '$idtoupdate'");//update fullname $upsql->execute(); //exit }
//need to display our results so that we see what's working and what's in our database!!! $selsql = $dbh->prepare("select id,fullname from contacts"); $selsql->execute(); while ($row = $selsql->fetch()){ //outputs fullname echo $row['fullname']; //output links to delete with confirmation popup! echo 'Delete'; //now output a link that lets them edit with editid !!!! echo ' Edit '; //delete fullname ---------> }
if (isset($editid)){ $getupsql = $dbh->prepare("select fullname,email,phone from contacts where id = '$editid'"); $getupsql->execute(); $row = $getupsql->fetch(); $upfullname = $row['fullname']; $upemail = $row['email']; $upphone = $row['phone']; }
?>
Step by Step Solution
There are 3 Steps involved in it
Get step-by-step solutions from verified subject matter experts