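<?php
// Product-creation handler behind the ManageProducts form.
// When the submitted Action is "addNew", the four product fields are read from
// $_REQUEST, run through $DB->sanitize(), spliced into an INSERT on PRODUCTS,
// and the browser is redirected back to ManageProducts.php.
//
// Every value here originates from the client and is untrusted. The SQL is
// still assembled by string concatenation, so its safety rests entirely on
// what $DB->sanitize() does for this driver (not visible in this file);
// a prepared statement with bound parameters would remove that dependency.
$DB = new conn();
$DB->connect();

// Form vars: read Action defensively so a plain GET of this page does not
// trigger an undefined-index notice.
$action = isset($_REQUEST["Action"]) ? $_REQUEST["Action"] : '';

if ($action === "addNew") {
    // ALL FORM INPUTS MUST BE SANITIZED
    // Missing fields are treated as empty strings rather than passed as null.
    $ProductType        = $DB->sanitize(isset($_REQUEST["ProductType"]) ? $_REQUEST["ProductType"] : '');
    $ProductName        = $DB->sanitize(isset($_REQUEST["ProductName"]) ? $_REQUEST["ProductName"] : '');
    $ProductModel       = $DB->sanitize(isset($_REQUEST["ProductModel"]) ? $_REQUEST["ProductModel"] : '');
    $ProductDescription = $DB->sanitize(isset($_REQUEST["ProductDescription"]) ? $_REQUEST["ProductDescription"] : '');

    $sql = "INSERT INTO PRODUCTS (product_type, product_name, product_model, product_description) VALUES ('" . $ProductType . "', '" . $ProductName . "', '" . $ProductModel . "', '" . $ProductDescription . "')";
    $DB->execute_nonquery($sql);
    $DB->close();

    // Stop processing after the redirect: without exit the rest of this page
    // (including the form below) would still be rendered and sent.
    header("Location: ManageProducts.php");
    exit;
}

$DB->close();
?>
<!-- PHP_SELF is attacker-influenced (path info), so it is HTML-escaped before
     being placed in the action attribute; the stray trailing space inside the
     attribute value has also been dropped. -->
<form name="theForm" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>">
<ul class="form">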
$DB->connect(); $product_id = $DB->sanitize($_REQUEST["product_id"]); if (!is_numeric($product_id)) { die("Invalid Product_ID"); } // Make sure product_id is a number // Actions if (isset($_REQUEST["Action"])) { $action = $_REQUEST["Action"]; //echo $action; if ($action == "Delete") { // ALL FORM INPUTS MUST BE SANITIZED $ProductID = $DB->sanitize($_REQUEST["hProduct_ID"]); $AccessoryID = $DB->sanitize($_REQUEST["hAccessory_ID"]); $sql = "DELETE from relproducts_accessories WHERE Product_ID = " . $ProductID . " AND Accessory_ID = " . $AccessoryID; $DB->execute_nonquery($sql); //header("Location: ManageProducts.php"); } if ($action == "add") { // ALL FORM INPUTS MUST BE SANITIZED $ProductID = $DB->sanitize($_REQUEST["hProduct_ID"]); $AccessoryID = $DB->sanitize($_REQUEST["Accessory_ID"]); $sql = "DELETE from relproducts_accessories WHERE Product_ID = " . $ProductID . " AND Accessory_ID = " . $AccessoryID; $result = $DB->execute_nonquery($sql); if ($result > 0) { ?> <font color="red">Accessory already associated with this product.</font><br /><br /> <?php } $sql = "INSERT into relproducts_accessories (Product_ID, Accessory_ID) VALUES (" . $ProductID . ", " . $AccessoryID . ")"; $DB->execute_nonquery($sql); }