1. Accessing MySQL Using PDO
Charles Severance

2. Application Structure
Software (i.e. PHP)
Database
Data Model
End
User
SQL
SQL
Developer
Database
Tools (i.e. phpMyAdmin)
DBA

3. Multiple Ways to Access MySql
PHP is evolving - there are three ways to access MySql
Legacy non-OO mysql_ routines (deprecated)
New mysqli (OO version that is similar to mysql_)
PDO - Portable Data Objects
A perfect topic for debate

5. Creating a Database and User
CREATE DATABASE misc;
GRANT ALL ON misc.* TO IDENTIFIED BY 'zap';
GRANT ALL ON misc.* TO IDENTIFIED BY 'zap';
USE misc; (if you are in the command line)
/Applications/MAMP/Library/bin/mysql -u root -P p
/Applications/xampp/xamppfiles/bin/mysql -u root -p
c:\xampp\mysql\bin\mysql.exe

6. Creating a Table CREATE TABLE users ( id INT UNSIGNED NOT NULL
AUTO_INCREMENT KEY,
name VARCHAR(128),
VARCHAR(128),
password VARCHAR(128));
ALTER TABLE users ADD INDEX( );
Creating a Table
mysql> describe users;
| Field | Type | Null | Key | Default | Extra |
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
| name | varchar(128) | YES | | NULL | |
| | varchar(128) | YES | MUL | NULL | |
| password | varchar(128) | YES | | NULL | |

7. Inserting a Few Records
INSERT INTO users (name, ,password) VALUES
INSERT INTO users (name, ,password) VALUES
mysql> select * from users;
| id | name | | password |
| 1 | Chuck | | |
| 2 | Glenn | | |

8. Database Connection
Hostname
misc
sakai
users

9. Database Connection PHP Software Hostname id / password pdo.php
SQL
misc
sakai
users
id / password
$pdo = new PDO('mysql:host=localhost;port=8889;dbname=misc',
'fred', 'zap');
pdo.php

10. first.php <?php echo "<pre>\n";
$pdo=new PDO('mysql:host=localhost;port=8889;dbname=misc',
'fred', 'zap');
$stmt = $pdo->query("SELECT * FROM users");
while ( $row = $stmt->fetch(PDO::FETCH_ASSOC) ) {
print_r($row); }
echo "</pre>\n";?>
first.php
Array(
[id] => 1
[name] => Chuck
[ ] =>
[password] => 123 )
[id] => 2
[name] => Glenn
[ ] =>
[password] => 456
mysql> select * from users;
| id | name | | password |
| 1 | Chuck | | |
| 2 | Glenn | | |

11. <?php
$pdo = new PDO('mysql:host=localhost;port=8889;dbname=misc',
'fred', 'zap');
$stmt = $pdo->query("SELECT name, , password FROM users");
echo '<table border="1">'."\n";
while ( $row = $stmt->fetch(PDO::FETCH_ASSOC) ) {
echo "<tr><td>";
echo($row['name']);
echo("</td><td>");
echo($row[' ']);
echo($row['password']);
echo("</td></tr>\n"); }
echo "</table>\n";?>
second.php
<table border="1">
</table>

12. Pattern
Put database connection information in a single file and include it in all your other files
Helps make sure to not to mistakenly reveal id / pw
Don't check it into a public source repository :)

13. pdo.php third.php <?php
$pdo = new PDO('mysql:host=localhost;port=8889;dbname=misc',
'fred', 'zap');
// See the "errors" folder for details...
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
third.php
Array(
[id] => 1
[name] => Chuck
[ ] =>
[password] => 123 )
[id] => 2
[name] => Glenn
[ ] =>
[password] => 456
<?php
echo "<pre>\n";
require_once "pdo.php";
$stmt = $pdo->query("SELECT * FROM users");
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)){
print_r($row); }
echo "</pre>\n";?>

14. Lets put some data in a database!

15. user1.php <?php require_once "pdo.php";
if ( isset($_POST['name']) && isset($_POST[' '])
&& isset($_POST['password'])) {
$sql = "INSERT INTO users (name, , password)
VALUES (:name, : , :password)";
echo("<pre>\n".$sql."\n</pre>\n");
$stmt = $pdo->prepare($sql);
$stmt->execute(array(
':name' => $_POST['name'],
': ' => $_POST[' '],
':password' => $_POST['password'])); }
?><html><head></head><body>
<p>Add A New User</p>
<form method="post">
<p>Name:<input type="text" name="name" size="40"></p>
<p> <input type="text" name=" "></p>
<p>Password:<input type="password" name="password"></p>
<p><input type="submit" value="Add New"/></p>
</form>
</body>

16. user1.php mysql> select * from users;
| id | name | | password |
| 1 | Chuck | | |
| 2 | Glenn | | |
| 3 | Fred | | YO |

17. user2.php if ( isset($_POST['name']) && isset($_POST['email'])
&& isset($_POST['password'])) {
$sql = "INSERT INTO users (name, , password)
VALUES (:name, : , :password)";
echo("<pre>\n".$sql."\n</pre>\n");
$stmt = $pdo->prepare($sql);
$stmt->execute(array(
':name' => $_POST['name'],
': ' => $_POST[' '],
':password' => $_POST['password'])); }
?>
<html>
<head></head><body><table border="1">
<?php
$stmt = $pdo->query("SELECT name, , password FROM users");
while ( $row = $stmt->fetch(PDO::FETCH_ASSOC) ) {
echo "<tr><td>";
echo($row['name']);
echo("</td><td>");
echo($row[' ']);
echo($row['password']);
echo("</td></tr>\n");
</table>
<p>Add A New User</p>
user2.php

18. Don't change data in a GET
user2del.php
<?php
require_once "pdo.php";
if ( isset($_POST['id']) ) {
$sql="DELETE FROM users WHERE id = :zip";
echo "<pre>\n$sql\n</pre>\n";
$stmt = $pdo->prepare($sql);
$stmt->execute(array(':zip'=>$_POST['id'])); }
?>
<p>Delete A User</p>
<form method="post"><p>ID to Delete:<input type="text" name="id"></p>
<p><input type="submit" value="Delete"/></p>
</form>
Don't change data in a GET

19. mysql> select * from users;
| id | name | | password |
| 1 | Chuck | | |
| 2 | Glenn | | |

20. user3.php

21. user3.php if ( isset($_POST['delete']) && isset($_POST['id']) ) {
$sql = "DELETE FROM users WHERE id = :zip";
echo "<pre>\n$sql\n</pre>\n";
$stmt = $pdo->prepare($sql);
$stmt->execute(array(':zip' => $_POST['id'])); }
?><html><head></head>
<body>
<table border="1">
<?php
$stmt = $pdo->query("SELECT name, , password, id FROM users");
while ( $row = $stmt->fetch(PDO::FETCH_ASSOC) ) {
echo "<tr><td>";
echo($row['name']);
echo("</td><td>");
echo($row[' ']);
echo($row['password']);
echo('<form method="post"><input type="hidden" ');
echo('name="id" value="'.$row['id'].'">'."\n");
echo('<input type="submit" value="Del" name="delete">');
echo("\n</form>\n");
echo("</td></tr>\n");
user3.php

22. echo('<form method="post"><input type="hidden" ');
echo('name="id" value="'.$row['id'].'">'."\n");
echo('<input type="submit" value="Del" name="delete">');
echo("\n</form>\n");
<td>YO</td>
<td><form method="post">
<input type="hidden" name="id" value="5">
<input type="submit" value="Del" name="delete">
</form></td>
</tr>
if ( isset($_POST['delete']) && isset($_POST['id']) ) {
$sql = "DELETE FROM users WHERE id = :zip";
echo "<pre>\n$sql\n</pre>\n";
$stmt = $pdo->prepare($sql);
$stmt->execute(array(':zip' => $_POST['id'])); }

23. if ( isset($_POST['delete']) && isset($_POST['id']) ) {
$sql = "DELETE FROM users WHERE id = :zip";
echo "<pre>\n$sql\n</pre>\n";
$stmt = $pdo->prepare($sql);
$stmt->execute(array(':zip' => $_POST['id'])); }

24. Program Outline <?php require_once "pdo.php";
if ( isset($_POST['name']) && isset($_POST[' '])
&& isset($_POST['password'])) {
$sql = "INSERT INTO users (name, , password)
VALUES (:name, : , :password)";
echo("<pre>\n".$sql."\n</pre>\n");
$stmt = $pdo->prepare($sql);
$stmt->execute(array(
':name' => $_POST['name'],
': ' => $_POST[' '],
':password' => $_POST['password'])); }
if ( isset($_POST['delete']) && isset($_POST['id']) ) {
$sql = "DELETE FROM users WHERE id = :zip";
echo "<pre>\n$sql\n</pre>\n";
$stmt->execute(array(':zip' => $_POST['id']));
?>
<?php
require_once "pdo.php";I
f ( isset($_POST['name']) && isset($_POST[' '])
&& isset($_POST['password'])) {
$sql = "INSERT INTO users (name, , password)
VALUES (:name, : , :password)";
echo("<pre>\n".$sql."\n</pre>\n");
$stmt = $pdo->prepare($sql);
$stmt->execute(array(
':name' => $_POST['name'],
': ' => $_POST[' '],
':password' => $_POST['password'])); }
if ( isset($_POST['delete']) && isset($_POST['id']) ) {
$sql = "DELETE FROM users WHERE id = :zip";
echo "<pre>\n$sql\n</pre>\n";
$stmt->execute(array(':zip' => $_POST['id']));
?>
<html><head></head>
<body>
<table border="1">
$stmt = $pdo->query("SELECT name, , password, id FROM users");
while ( $row = $stmt->fetch(PDO::FETCH_ASSOC) ) {
echo "<tr><td>";
echo($row['name']);
echo("</td><td>");
echo($row[' ']);
echo($row['password']);
echo('<form method="post"><input type="hidden" ');
echo('name="id" value="'.$row['id'].'">'."\n");
echo('<input type="submit" value="Del" name="delete">');
echo("\n</form>\n");
echo("</td></tr>\n");
</table>
<p>Add A New User</p><form method="post">
<p>Name:<input type="text" name="name" size="40"></p>
<p> <input type="text" name=" "></p>
<p>Password:<input type="password" name="password"></p><
p><input type="submit" value="Add New"/></p>
</form>
</body>

25. <html><head></head>
<body><table border="1">
<?php
$stmt = $pdo->query("SELECT name, , password, id FROM users");
while ( $row = $stmt->fetch(PDO::FETCH_ASSOC) ) {
echo "<tr><td>";
echo($row['name']);
echo("</td><td>");
echo($row[' ']);
echo($row['password']);
echo('<form method="post"><input type="hidden" ');
echo('name="id" value="'.$row['id'].'">'."\n");
echo('<input type="submit" value="Del" name="delete">');
echo("\n</form>\n");
echo("</td></tr>\n"); }
?>
</table>
<?php
require_once "pdo.php";I
f ( isset($_POST['name']) && isset($_POST[' '])
&& isset($_POST['password'])) {
$sql = "INSERT INTO users (name, , password)
VALUES (:name, : , :password)";
echo("<pre>\n".$sql."\n</pre>\n");
$stmt = $pdo->prepare($sql);
$stmt->execute(array(
':name' => $_POST['name'],
': ' => $_POST[' '],
':password' => $_POST['password'])); }
if ( isset($_POST['delete']) && isset($_POST['id']) ) {
$sql = "DELETE FROM users WHERE id = :zip";
echo "<pre>\n$sql\n</pre>\n";
$stmt->execute(array(':zip' => $_POST['id']));
?>
<html><head></head>
<body>
<table border="1">
$stmt = $pdo->query("SELECT name, , password, id FROM users");
while ( $row = $stmt->fetch(PDO::FETCH_ASSOC) ) {
echo "<tr><td>";
echo($row['name']);
echo("</td><td>");
echo($row[' ']);
echo($row['password']);
echo('<form method="post"><input type="hidden" ');
echo('name="id" value="'.$row['id'].'">'."\n");
echo('<input type="submit" value="Del" name="delete">');
echo("\n</form>\n");
echo("</td></tr>\n");
</table>
<p>Add A New User</p><form method="post">
<p>Name:<input type="text" name="name" size="40"></p>
<p> <input type="text" name=" "></p>
<p>Password:<input type="password" name="password"></p><
p><input type="submit" value="Add New"/></p>
</form>
</body>

26. Program Outline <p>Add A New User</p>
<form method="post">
<p>Name:<input type="text" name="name" size="40"></p>
<p> <input type="text" name=" "></p>
<p>Password:<input type="password" name="password"></p>
<p><input type="submit" value="Add New"/></p>
</form>
</body>
<?php
require_once "pdo.php";I
f ( isset($_POST['name']) && isset($_POST[' '])
&& isset($_POST['password'])) {
$sql = "INSERT INTO users (name, , password)
VALUES (:name, : , :password)";
echo("<pre>\n".$sql."\n</pre>\n");
$stmt = $pdo->prepare($sql);
$stmt->execute(array(
':name' => $_POST['name'],
': ' => $_POST[' '],
':password' => $_POST['password'])); }
if ( isset($_POST['delete']) && isset($_POST['id']) ) {
$sql = "DELETE FROM users WHERE id = :zip";
echo "<pre>\n$sql\n</pre>\n";
$stmt->execute(array(':zip' => $_POST['id']));
?>
<html><head></head>
<body>
<table border="1">
$stmt = $pdo->query("SELECT name, , password, id FROM users");
while ( $row = $stmt->fetch(PDO::FETCH_ASSOC) ) {
echo "<tr><td>";
echo($row['name']);
echo("</td><td>");
echo($row[' ']);
echo($row['password']);
echo('<form method="post"><input type="hidden" ');
echo('name="id" value="'.$row['id'].'">'."\n");
echo('<input type="submit" value="Del" name="delete">');
echo("\n</form>\n");
echo("</td></tr>\n");
</table>
<p>Add A New User</p><form method="post">
<p>Name:<input type="text" name="name" size="40"></p>
<p> <input type="text" name=" "></p>
<p>Password:<input type="password" name="password"></p><
p><input type="submit" value="Add New"/></p>
</form>
</body>

28. Recall HTML Injection ...

29. <form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess"
value=""><b>DIE DIE</b>" /></p>
<input type="submit"/>
</form>

30. SQL Injection
SQL injection or SQLi is a code injection technique that exploits a security vulnerability in some computer software. An injection occurs at the database level of an application (like queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. Using well designed query language interpreters can prevent SQL injections.

31. SQL Injection This code is prone to SQL Injection - where? login1.php
if ( isset($_POST[' ']) && isset($_POST['password']) ) {
$e = $_POST[' '];
$p = $_POST['password'];
$sql = "SELECT name FROM users
WHERE = '$e'
AND password = '$p'";
$stmt = $pdo->query($sql);
login1.php
Note: For PHP < 5.4 – this might not fail, actually – look up "stripslashes"

32. What Could Go Wrong?
login1.php

33. Does not actually work in mysql because ; is disabled

34. if ( isset($_POST['email']) && isset($_POST['password']) ) {
$e = $_POST[' '];
$p = $_POST['password'];
$sql = "SELECT name FROM users
WHERE = '$e'
AND password = '$p'";
$stmt = $pdo->query($sql);
login1.php

35. Use Prepared Statements Properly
login2.php
if ( isset($_POST[' ']) && isset($_POST['password']) ) {
echo("Handling POST data...\n");
$sql = "SELECT name FROM users
WHERE = :em AND password = :pw";
echo "<pre>\n$sql\n</pre>\n";
$stmt = $pdo->prepare($sql);
$stmt->execute(array(
':em' => $_POST[' '],
':pw' => $_POST['password']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
When the statement is executed, the placeholders get replaced with the actual strings and everything is automatically escaped!

36. Errors: What Could Go Wrong?

37. if ( !isset($_GET['id']) ) die('id=1 GET parameter required');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING);
$stmt = $pdo->prepare("SELECT * FROM users where id = :xyz");
$stmt->execute(array(":xyz" => $_GET['id']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ( $row === false ) {
echo("<p>id not found</p>\n");
} else {
echo("<p>id found</p>\n"); }
errors/error0.php

38. $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING);
$stmt = $pdo->prepare("SELECT * FROM users where id = :xyz");
$stmt->execute(array(":pizza" => $_GET['id']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ( $row === false ) {
echo("<p>id not found</p>\n");
} else {
echo("<p>id found</p>\n"); }
errors/error1.php

40. $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING);
$stmt = $pdo->prepare("SELECT * FROM users where id = :xyz");
$stmt->execute(array(":pizza" => $_GET['id']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ( $row === false ) {
echo("<p>id not found</p>\n");
} else {
echo("<p>id found</p>\n"); }
errors/error1.php

41. $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare("SELECT * FROM users where id = :xyz");
$stmt->execute(array(":pizza" => $_GET['id']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ( $row === false ) {
$_SESSION['error'] = 'Bad value for id';
header( 'Location: index.php' ) ;
return; }
errors/error2.php

42. $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
try {
$stmt = $pdo->prepare("SELECT * FROM users where id = :xyz");
$stmt->execute(array(":pizza" => $_GET['id']));
} catch (Exception $ex ) {
echo("Exception message: ".$ex->getMessage());
return; }
$row = $stmt->fetch(PDO::FETCH_ASSOC);
errors/edit3.php

43. $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
try {
$stmt = $pdo->prepare("SELECT * FROM users where id = :xyz");
$stmt->execute(array(":pizza" => $_GET['id']));
} catch (Exception $ex ) {
echo("Exception message: ".$ex->getMessage());
error_log("error4.php, SQL error=".$ex->getMessage());
return; }
$row = $stmt->fetch(PDO::FETCH_ASSOC);
errors/edit4.php

44. Where do error_log()'s go?
When in doubt look at PHPInfo

45. Where do error_log()'s go?
File Paths:
/Applications/MAMP/logs/php_error.log
c:\xampp\php\logs\php_error_log
Open the log file and scroll to the bottom
Watch the log actively
On Mac / Linux use: tail -f filename
Windows: (mTail)

48. CRUD!

49. CRUD Pattern When we store things in database tables we generally need
Create - Insert a new row
Read - Read existing row(s)
Update - Change some values of a record
Delete - Delete a record
So far we have done 3/4 of CRUD

50. Our Program is a little Ugly
Usually we create several screens
Add new row
View all rows (paging)
View single row
Edit single row
Delete a row

51. Five Separate Files index.php - Main list and links to other files
add.php - Add a new entry
delete.php - Delete an entry
edit.php - Edit existing
view.php (if index.php needs a detail view)

52. index.php <?php require_once "pdo.php"; session_start(); ?>
<html><head></head>
<body>
if ( isset($_SESSION['error']) ) {
echo '<p style="color:red">'.$_SESSION['error']."</p>\n";
unset($_SESSION['error']); }
if ( isset($_SESSION['success']) ) {
echo '<p style="color:green">'.$_SESSION['success']."</p>\n";
unset($_SESSION['success']);
echo('<table border="1">'."\n");

53. index.php echo('<table border="1">'."\n");
$stmt = $pdo->query("SELECT name, , password, id FROM users");
while ( $row = $stmt->fetch(PDO::FETCH_ASSOC) ) {
echo "<tr><td>";
echo($row['name']);
echo("</td><td>");
echo($row[' ']);
echo($row['password']);
echo('<a href="edit.php?id='.htmlentities($row['id']).'">Edit</a> / ');
echo('<a href="delete.php?id='.htmlentities($row['id']).'">Delete</a>');
echo("\n</form>\n");
echo("</td></tr>\n"); }
?>
</table>
<a href="add.php">Add New</a>

54. <tr><td>Chuck</td><td>csev@umich
<a href="edit.php?id=1">Edit</a> /
<a href="delete.php?id=1">Delete</a></td></tr>
<a href="edit.php?id=2">Edit</a> /
<a href="delete.php?id=2">Delete</a></td></tr>

55. add.php <?php require_once "pdo.php"; session_start();
if ( isset($_POST['name']) && isset($_POST[' '])
&& isset($_POST['password'])) {
$sql = "INSERT INTO users (name, , password)
VALUES (:name, : , :password)";
$stmt = $pdo->prepare($sql);
$stmt->execute(array(
':name' => $_POST['name'],
': ' => $_POST[' '],
':password' => $_POST['password']));
$_SESSION['success'] = 'Record Added';
header( 'Location: index.php' ) ;
return; }
?>
<p>Add A New User</p>
<form method="post">
<p>Name:<input type="text" name="name"></p>
<p> <input type="text" name=" "></p>
<p>Password:<input type="password" name="password"></p>
<p><input type="submit" value="Add New"/>
<a href="index.php">Cancel</a></p>
</form>
add.php

56. if ( isset($_POST['name']) && isset($_POST['email'])
&& isset($_POST['password'])) {
$sql = "INSERT INTO users (name, , password)
VALUES (:name, : , :password)";
$stmt = $pdo->prepare($sql);
$stmt->execute(array(
':name' => $_POST['name'],
': ' => $_POST[' '],
':password' => $_POST['password']));
$_SESSION['success'] = 'Record Added';
header( 'Location: index.php' ) ;
return;
if ( isset($_SESSION['success']) ) {
echo '<p style="color:green">'.$_SESSION['success']."</p>\n";
unset($_SESSION['success']); }

57. delete.php Don't alter data in a GET. <?php require_once "pdo.php"
;session_start();
if ( isset($_POST['delete']) && isset($_POST['id']) ) {
$sql = "DELETE FROM users WHERE id = :zip";
$stmt = $pdo->prepare($sql);
$stmt->execute(array(':zip' => $_POST['id']));
$_SESSION['success'] = 'Record deleted';
header( 'Location: index.php' ) ;
return; }
$stmt = $pdo->prepare("SELECT name, id FROM users where id = :xyz");
$stmt->execute(array(":xyz" => $_GET['id']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ( $row === false ) {
$_SESSION['error'] = 'Bad value for id';
echo "<p>Confirm: Deleting ".htmlentities($row['name'])."</p>\n";
echo('<form method="post"><input type="hidden" ');
echo('name="id" value="'.$row['id'].'">'."\n");
echo('<input type="submit" value="Delete" name="delete">');
echo('<a href="index.php">Cancel</a>');
echo("\n</form>\n");
?>
delete.php
Don't alter data in a GET.

58. if ( isset($_POST['delete']) && isset($_POST['id']) ) {
$sql = "DELETE FROM users WHERE id = :zip";
$stmt = $pdo->prepare($sql);
$stmt->execute(array(':zip' => $_POST['id']));
$_SESSION['success'] = 'Record deleted';
header( 'Location: index.php' ) ;
return; }
if ( isset($_SESSION['success']) ) {
echo '<p style="color:green">'.$_SESSION['success']."</p>\n";
unset($_SESSION['success']);}

59. edit.php <?php require_once "pdo.php"; session_start();
if ( isset($_POST['name']) && isset($_POST[' '])
&& isset($_POST['password']) && isset($_POST['id']) ) {
$sql = "UPDATE users SET name = :name,
= : , password = :password
WHERE id = :id";
$stmt = $pdo->prepare($sql);
$stmt->execute(array(
':name' => $_POST['name'],
': ' => $_POST[' '],
':password' => $_POST['password'],
':id' => $_POST['id']));
$_SESSION['success'] = 'Record updated';
header( 'Location: index.php' ) ;
return; }
$stmt = $pdo->prepare("SELECT * FROM users where id = :xyz");
$stmt->execute(array(":xyz" => $_GET['id']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ( $row === false ) {
$_SESSION['error'] = 'Bad value for id';
edit.php

60. edit.php $n = htmlentities($row['name']);
$e = htmlentities($row[' ']);
$p = htmlentities($row['password']);
$id = htmlentities($row['id']);
echo <<< _END
<html><head></head><body>
<p>Edit User</p>
<form method="post">
<p>Name:<input type="text" name="name" value="$n"></p>
<p> <input type="text" name=" " value="$e"></p>
<p>Password:<input type="text" name="password" value="$p"></p>
<input type="hidden" name="id" value="$id">
<p><input type="submit" value="Update"/>
<a href="index.php">Cancel</a></p>
</form>
</body>
_END
edit.php

61. edit.php if ( isset($_POST['name']) && isset($_POST['email'])
&& isset($_POST['password']) && isset($_POST['id']) ) {
$sql = "UPDATE users SET name = :name,
= : , password = :password
WHERE id = :id";
$stmt = $pdo->prepare($sql);
$stmt->execute(array(
':name' => $_POST['name'],
': ' => $_POST[' '],
':password' => $_POST['password'],
':id' => $_POST['id']));
$_SESSION['success'] = 'Record updated';
header( 'Location: index.php' ) ;
return; }
edit.php

62. Summary Making database connections Doing database operations
SQL security (a.k.a. we love PDO prepared statements)
Exploring errors...
A multi-file CRUD application with redirect

63. Acknowledgements / Contributions
Continue new Contributors and Translators here
These slides are Copyright Charles R. Severance ( as part of and made available under a Creative Commons Attribution 4.0 License. Please maintain this last slide in all copies of the document to comply with the attribution requirements of the license. If you make a change, feel free to add your name and organization to the list of contributors on this page as you republish the materials.
Initial Development: Charles Severance, University of Michigan School of Information
Insert new Contributors and Translators here including names and dates
Note from Chuck. Please retain and maintain this page as you remix and republish these materials. Please add any of your own improvements or contributions.