ÿØÿà JFIF  H H ÿÛ C   GIF89; Eú tiket mi chék chéúfetál .

Eú tiket mi chék chéúfetál .

System: Linux in-mum-web1642.main-hosting.eu 5.14.0-611.42.1.el9_7.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Mar 24 05:30:20 EDT 2026 x86_64

Current Path : /home/u323559503/domains/purplelimonada.com/public_html/panel/admin/app/
Upload File :
Current File : /home/u323559503/domains/purplelimonada.com/public_html/panel/admin/app/testimonial_crud.php

<?php
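session_start();
include '../../assets/constant/config.php';

// NOTE(review): nothing visible in this file verifies that the session belongs to a
// logged-in administrator, and no anti-CSRF token is checked before the database is
// modified. Confirm whether the included config.php enforces this. If it does not,
// both checks belong here, before any request data is read.

try {
	$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
	$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

	$uploadDir = '../../assets/images/';
	$hasUpload = !empty($_FILES['photo']['tmp_name']);

	if (isset($_POST['submit'])) {
		// Stays NULL when no photo is sent, which is what the original bound in that case.
		$img = null;
		if ($hasUpload) {
			$img = testimonialStorePhoto($_FILES['photo'], $uploadDir);
			if ($img === false) {
				echo 'There was an error uploading the file.';
				exit;
			}
		}

		// Bound parameters protect the query. The htmlspecialchars() encoding is kept only
		// so stored rows look the same as before; escaping still has to happen at output.
		$stmt = $conn->prepare("INSERT INTO `testimonial`(`name1`,`designation` ,`comment`,`photo`) VALUES (:name1, :designation,  :comment,  :photo)");
		// bindValue(), not bindParam(): bindParam() takes a reference and must not be
		// handed the result of a function call.
		$stmt->bindValue(':name1', testimonialPostedText('name1'));
		$stmt->bindValue(':designation', testimonialPostedText('designation'));
		$stmt->bindValue(':comment', testimonialPostedText('comment'));
		$stmt->bindValue(':photo', $img);
		$stmt->execute();

		$_SESSION['success'] = "success";

		header("location:../manage_testimonial.php");
		// Stop here so the branches below cannot also run on the same request.
		exit;
	}

	if (isset($_POST['update'])) {
		$id = is_string($_POST['id'] ?? null) ? $_POST['id'] : '';

		// The current photo name is read from the database instead of the client-supplied
		// old_photo_img field: that field was concatenated into an unlink() path, so any
		// value containing "../" could delete files outside the image directory.
		$lookup = $conn->prepare("SELECT `photo` FROM `testimonial` WHERE id=:id");
		$lookup->bindValue(':id', $id);
		$lookup->execute();
		$currentPhoto = $lookup->fetchColumn();

		$img = is_string($currentPhoto) ? $currentPhoto : null;
		$replaced = null;
		if ($hasUpload) {
			$stored = testimonialStorePhoto($_FILES['photo'], $uploadDir);
			// A rejected or failed upload keeps the existing photo instead of blanking it.
			if ($stored !== false) {
				$replaced = $img;
				$img = $stored;
			}
		}

		$stmt = $conn->prepare("UPDATE `testimonial` SET `name1`=:name1, `designation`=:designation, `comment`=:comment, `photo`=:photo WHERE id=:id");
		$stmt->bindValue(':name1', testimonialPostedText('name1'));
		$stmt->bindValue(':designation', testimonialPostedText('designation'));
		$stmt->bindValue(':comment', testimonialPostedText('comment'));
		$stmt->bindValue(':photo', $img);
		$stmt->bindValue(':id', $id);

		$stmt->execute();

		// Remove the superseded image only after the row points at the new one.
		// basename() confines the path to the image directory even if an older row holds
		// a value with directory components.
		if ($replaced !== null && $replaced !== '') {
			$oldPath = $uploadDir . basename($replaced);
			if (is_file($oldPath)) {
				unlink($oldPath);
			}
		}

		$_SESSION['update'] = "update";

		header("location:../manage_testimonial.php");
		exit;
	}

	if (isset($_POST['del_id'])) {
		// Soft delete. The id is only ever used as a bound parameter, so HTML-encoding it
		// added nothing.
		$stmt = $conn->prepare("UPDATE `testimonial` SET delete_status='1' WHERE id=:id");
		$stmt->bindValue(':id', is_string($_POST['del_id']) ? $_POST['del_id'] : '');

		$stmt->execute();

		$_SESSION['delete'] = "delete";

		header("location:../manage_testimonial.php");
		exit;
	}
} catch (PDOException $e) {
	// The driver message can include the database host and account name, so it goes to
	// the server log and the client only sees a generic failure.
	error_log('testimonial_crud: ' . $e->getMessage());
	http_response_code(500);
	echo 'Connection failed.';
}

/**
 * Return one POSTed text field, HTML-encoded the same way the original handler did.
 *
 * @param string $key Field name in $_POST.
 * @return string Encoded value, or '' when the field is missing or not a string.
 */
function testimonialPostedText($key)
{
	$value = (isset($_POST[$key]) && is_string($_POST[$key])) ? $_POST[$key] : '';

	return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/**
 * Validate an uploaded testimonial photo and move it into the image directory.
 *
 * The stored name and extension are chosen by the server. The original took the
 * extension from the client-supplied file name, so a request could place a file with an
 * executable extension under the web root.
 *
 * @param array  $file      One entry of $_FILES.
 * @param string $uploadDir Destination directory, including the trailing slash.
 * @return string|false Stored file name, or false when the upload is rejected or cannot be moved.
 */
function testimonialStorePhoto($file, $uploadDir)
{
	// Accepted image types and the extension each is stored under.
	$extensions = array(
		IMAGETYPE_JPEG => 'jpg',
		IMAGETYPE_PNG  => 'png',
		IMAGETYPE_GIF  => 'gif',
	);

	if (
		!isset($file['tmp_name'], $file['error'])
		|| !is_string($file['tmp_name'])
		|| $file['error'] !== UPLOAD_ERR_OK
		|| !is_uploaded_file($file['tmp_name'])
	) {
		return false;
	}

	// getimagesize() inspects only the file header. A file can begin with valid image
	// magic bytes and still carry script text, so this check alone is not the control:
	// the fixed extension below is. The upload directory should also have script
	// execution disabled in the web server configuration.
	$info = getimagesize($file['tmp_name']);
	if ($info === false || !isset($extensions[$info[2]])) {
		return false;
	}

	// The original used rand(100, 999), which allowed only 900 names, so uploads could
	// overwrite each other and names were guessable.
	$name = bin2hex(random_bytes(16)) . '.' . $extensions[$info[2]];

	if (!move_uploaded_file($file['tmp_name'], $uploadDir . $name)) {
		return false;
	}

	return $name;
}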


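/**
 * Re-encode a JPEG or PNG file at the requested quality.
 *
 * Files of any other type, unreadable files and files GD cannot decode are left
 * untouched. The original read $info['mime'] without checking that getimagesize()
 * succeeded, and passed a failed decode straight to the encoder.
 *
 * @param string $source      Path of the image to read.
 * @param string $destination Path to write the re-encoded image to (may equal $source).
 * @param int    $quality     0-100; used directly for JPEG, mapped to a 0-9 level for PNG.
 * @return bool True when a re-encoded image was written, false otherwise.
 */
function compressImage($source, $destination, $quality)
{
	$info = getimagesize($source);
	if ($info === false || !isset($info['mime'])) {
		return false;
	}

	if ($info['mime'] === 'image/jpeg') {
		$image = imagecreatefromjpeg($source);
		if ($image === false) {
			return false;
		}

		return imagejpeg($image, $destination, $quality);
	}

	if ($info['mime'] === 'image/png') {
		$image = imagecreatefrompng($source);
		if ($image === false) {
			return false;
		}

		// imagepng() takes a zlib level from 0 to 9. Clamp it so a quality outside
		// 0-100 cannot produce an out-of-range level.
		$level = (int) round(9 - ($quality / 10));
		$level = max(0, min(9, $level));

		return imagepng($image, $destination, $level);
	}

	return false;
}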

xxxxx1.0, XXX xxxx
SPECIMENT MINI SHELL - RECODED FROM PHANTOM GHOST