You need to get data safely updated from a web page to a MySQL table in your database
You need to sanitize that data from user input and protect against SQL injections.
The following simple example will show you how to accomplish that.
These are the ingredients you will need:
- A MySQL database
- A table to store the data in the above database
- The credentials to above (the host location, username and password)
- Which you can use to create a connection in your PHP page
- A form with fields to input the data
- A way to sanitize the data
- Safely update the data
What if you don’t have all of the above set-up?
Don’t worry at the end will be a link to example PHP source code along with the SQL statements to create the database and table.
PHP PDO (PHP Data Objects) makes it very easy to UPDATE data from your table.
First, to connect to the database with PDO is very simple:
$dbh = new PDO('mysql:host=localhost;dbname='. $db_name, $db_username, $db_password);
The above line creates a connection and stores it in the $dbh variable as an object
That variable can then be used to save the data using an UPDATE statement:
$stmt = $dbh->prepare('UPDATE makes SET make = :make WHERE id = :id');
This prepares a statement which we can then bind the make parameters safely too, protecting against SQL injections.
We use PHP’s filer_input() function to santize the data coming from the input fields POSTed to the server from our form:
$id = filter_input(INPUT_POST, 'id', FILTER_SANITIZE_NUMBER_INT);
$make = filter_input(INPUT_POST, 'make', FILTER_SANITIZE_STRING);
Then using the bindParam() function we can bind the $id variable into the statement:
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
Then the $make variable can also be bound to the prepared statement:
$stmt->bindParam(':make', $make, PDO::PARAM_STR);
Then the statement is executed to run the prepared SQL statement, resulting in the record being updated in the table:
These are the key lines to connect to the database. Sanitize the data and UPDATE the data in the database.
Of course the above code lines don’t show the HTML need to make the form and input fields.
You can find that here on github as a simple PHP PDO CRUD Demo. Please download / fork the code and try it out.
The demo is a simple CRUD example of using PHP, PDO and MySQL to display a list of car makes
This post is a part of a series, you can read more about viewing the data with PDO here