Question
I have the following script which I need to secure. I need to add parametric binding to it. Along using PDO's prepared statements and making
I have the following script which I need to secure. I need to add parametric binding to it.
Along using PDO's prepared statements and making sure the script data comes from the same script. (which I believe I did it right already)
(contactcrudsecured.php)
//Error error_reporting(0);
//Security conditions if(isset($_POST['fullname']) && isset($_POST['email']) && isset($_POST['email']) && isset($_GET['deleteid']) && isset($_POST['idtoupdate']) && isset($_GET['editid']) && isset($_POST['submit'])) {
//Create new PDO
$dbh = new PDO('mysql:host=localhost;dbname=test', 'root', '');
//Full name
$fullname = $_POST['fullname'];
$email = $_POST['email'];
//Phone
$phone = $_POST['phone'];
//Deleted
$deleteid = $_GET['deleteid'];
//Uptodate
$idtoupdate = $_POST['idtoupdate'];
//If edit is clicked
$editid = $_GET['editid'];
//If condition satisfies
if ($_POST['submit'] == 'Submit')
{ //If condition satisfies if (!$idtoupdate) { //Prepare
$inssql = $dbh->prepare("insert into contacts (fullname,email,phone) values ('$fullname','$email','$phone')");
//Echo
echo "Your record has been inserted!";
//Execute
$inssql->execute();
//Header
header("location: crud.php?message=insert"); } }
//If condition satisfies if ($deleteid) { //Delete $delsql= $dbh->prepare("delete from contacts where id = '$deleteid'"); //Execute $delsql->execute(); }
//If condition satisfies if ($idtoupdate)
{
//Prepare
$upsql = $dbh->prepare("update contacts set fullname = '$fullname',email='$email',phone='$phone' where id = '$idtoupdate'");
//Exit
$upsql->execute();
} //Prepare $selsql = $dbh->prepare("select id,fullname from contacts");
//Execute $selsql->execute();
//Loop
while ($row = $selsql->fetch()) { //Full name echo $row['fullname']; //Output link echo ''; //Output echo ' Edit '; }
//If condition satisfies if (isset($editid)) { //Prepare $getupsql = $dbh->prepare("select fullname,email,phone from contacts where id = '$editid'"); //Execute $getupsql->execute(); //Fetch $row = $getupsql->fetch(); //Full name $upfullname = $row['fullname']; //Email $upemail = $row['email']; //Phone $upphone = $row['phone']; } } ?>
Step by Step Solution
There are 3 Steps involved in it
Step: 1
Get Instant Access to Expert-Tailored Solutions
See step-by-step solutions with expert insights and AI powered tools for academic success
Step: 2
Step: 3
Ace Your Homework with AI
Get the answers you need in no time with our AI-driven, step-by-step assistance
Get Started
Database Concepts
Authors: David Kroenke
4th Edition
0136086535, 9780136086536
