
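<?php

declare(strict_types=1);

/**
 * Admin-side create / update / soft-delete handler for the `testimonial` table.
 *
 * Dispatches on which button was posted (`submit`, `update` or `del_id`),
 * writes the record through PDO prepared statements and then sends the
 * browser back to ../manage_testimonial.php. Expects config.php to define
 * $servername, $dbname, $username and $password.
 *
 * NOTE(review): no authentication/authorization check is visible in this
 * file — confirm the panel enforces an admin login before this script is
 * reachable, and consider a CSRF token on the three forms that post here.
 */

session_start();

// Keep PHP errors out of the response body (they would leak paths and SQL to
// the client) without silencing them entirely as error_reporting(0) did:
// they still reach the server log.
ini_set('display_errors', '0');

include '../../assets/constant/config.php';

/** Directory (relative to this script) that uploaded photos are stored in. */
const TESTIMONIAL_UPLOAD_DIR = '../../assets/images/';

/** Page (relative to this script) the browser is sent to after each action. */
const TESTIMONIAL_MANAGE_PAGE = '../manage_testimonial.php';

/** File extensions accepted for the photo field; anything else is rejected. */
const TESTIMONIAL_ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/** MIME types accepted for the photo field, checked against the file content. */
const TESTIMONIAL_ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

/**
 * Store the uploaded `photo` field (if any) under a random name in $uploadDir.
 *
 * @param string $uploadDir directory to move the file into, trailing slash included
 * @return string|null the new basename to store in the `photo` column, or null
 *                     when the form carried no file
 *
 * Terminates the request with a plain-text message when a file was submitted
 * but failed, is not an acceptable image, or could not be moved (the original
 * echo-and-exit handling, extended to the new checks).
 */
function storeUploadedPhoto(string $uploadDir): ?string
{
    $tmpName = (string) ($_FILES['photo']['tmp_name'] ?? '');
    if ($tmpName === '') {
        return null; // no file in the form — the caller decides what to keep
    }

    if (($_FILES['photo']['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        exit('There was an error uploading the file.');
    }

    // Only the extension of the client-supplied name is used, and only when it
    // is on the allowlist. The original accepted any extension, so a .php (or
    // .phtml, .htaccess, ...) upload landed in a web-served directory.
    $clientName = basename((string) ($_FILES['photo']['name'] ?? ''));
    $extension = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($extension, TESTIMONIAL_ALLOWED_EXTENSIONS, true)) {
        exit('Only image files (jpg, jpeg, png, gif, webp) may be uploaded.');
    }

    // Check the actual bytes, not just the claimed name (needs ext/fileinfo,
    // which PHP enables by default).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpName);
    if (!in_array($mime, TESTIMONIAL_ALLOWED_MIME, true)) {
        exit('The uploaded file is not a valid image.');
    }

    // rand(100, 999) yielded only 900 possible names and silently overwrote an
    // earlier upload on collision; 16 hex chars from a CSPRNG do not.
    $newName = bin2hex(random_bytes(8)) . '.' . $extension;
    if (!move_uploaded_file($tmpName, $uploadDir . $newName)) {
        exit('There was an error uploading the file.');
    }

    return $newName;
}

/**
 * Read a text field from the POST body, HTML-escaped as the original stored it.
 *
 * The escape-before-storage convention is kept so existing rows and the pages
 * that render them keep behaving the same; a missing field becomes ''.
 * NOTE(review): escaping at output time would avoid double-encoding — revisit
 * together with the pages that display these columns.
 */
function postedText(string $field): string
{
    return htmlspecialchars((string) ($_POST[$field] ?? ''), ENT_QUOTES, 'UTF-8');
}

/**
 * Read a record id from the POST body as a positive integer.
 *
 * Terminates the request when the value is missing or not an integer.
 * NOTE(review): assumes `testimonial.id` is an integer key — confirm against
 * the schema before relying on the PDO::PARAM_INT binding below.
 */
function postedId(string $field): int
{
    $id = filter_var($_POST[$field] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        exit('Invalid testimonial id.');
    }

    return $id;
}

/**
 * Send the browser back to the management page and stop processing.
 *
 * Uses a Location header when nothing has been sent yet and falls back to the
 * original inline-script redirect otherwise (config.php may have produced
 * output). Always exits so a later branch cannot run on the same request.
 */
function redirectToManagePage(): void
{
    if (!headers_sent()) {
        header('Location: ' . TESTIMONIAL_MANAGE_PAGE);
    } else {
        echo '<script>window.location.href = "' . TESTIMONIAL_MANAGE_PAGE . '";</script>';
    }
    exit;
}

try {
    $conn = new PDO(
        "mysql:host=$servername;dbname=$dbname",
        $username,
        $password,
        [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares so bound values are never spliced into
            // the SQL text client-side.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );

    if (isset($_POST['submit'])) {
        // Upload first so a rejected file never leaves a half-written row.
        $photo = storeUploadedPhoto(TESTIMONIAL_UPLOAD_DIR);

        $stmt = $conn->prepare(
            'INSERT INTO `testimonial` (`name1`, `designation`, `comment`, `photo`)'
            . ' VALUES (:name1, :designation, :comment, :photo)'
        );
        // bindValue, not bindParam: bindParam needs a variable reference and the
        // original passed function results, which only "worked" because
        // error_reporting(0) hid the notice.
        $stmt->bindValue(':name1', postedText('name1'));
        $stmt->bindValue(':designation', postedText('designation'));
        $stmt->bindValue(':comment', postedText('comment'));
        $stmt->bindValue(':photo', $photo); // null when no file was sent
        $stmt->execute();

        $_SESSION['success'] = "Testimonial Added";
        redirectToManagePage();
    }

    if (isset($_POST['update'])) {
        $id = postedId('id');
        $photo = storeUploadedPhoto(TESTIMONIAL_UPLOAD_DIR);

        if ($photo === null) {
            // No new image: keep whatever this record already has.
            $lookup = $conn->prepare('SELECT photo FROM `testimonial` WHERE id = :id');
            $lookup->bindValue(':id', $id, PDO::PARAM_INT);
            $lookup->execute();
            $row = $lookup->fetch(PDO::FETCH_ASSOC);
            $photo = $row['photo'] ?? null;
        }

        $stmt = $conn->prepare(
            'UPDATE `testimonial` SET `name1` = :name1, `designation` = :designation,'
            . ' `comment` = :comment, `photo` = :photo WHERE id = :id'
        );
        $stmt->bindValue(':name1', postedText('name1'));
        $stmt->bindValue(':designation', postedText('designation'));
        $stmt->bindValue(':comment', postedText('comment'));
        $stmt->bindValue(':photo', $photo);
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();

        $_SESSION['success'] = "Testimonial Updated";
        redirectToManagePage();
    }

    if (isset($_POST['del_id'])) {
        // Soft delete: the row is flagged, not removed.
        $stmt = $conn->prepare("UPDATE `testimonial` SET delete_status='1' WHERE id = :id");
        $stmt->bindValue(':id', postedId('del_id'), PDO::PARAM_INT);
        $stmt->execute();

        $_SESSION['success'] = "Testimonial Deleted";
        redirectToManagePage();
    }
} catch (PDOException $e) {
    // Log the driver message server-side; the client gets no host, database,
    // table or credential details (the original echoed $e->getMessage()).
    error_log('testimonial_crud: ' . $e->getMessage());
    echo 'A database error occurred. Please try again later.';
}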