From 180b449915a55d17da222620a05f2b75659a4b72 Mon Sep 17 00:00:00 2001
From: 07jer <523492@vistacollege.nl>
Date: Thu, 20 Mar 2025 09:08:35 +0100
Subject: [PATCH] Update api.php
---
 school-pokedex/api.php | 98 +++++++++++++++++++++++++++++++++++-------
 1 file changed, 82 insertions(+), 16 deletions(-)
diff --git a/school-pokedex/api.php b/school-pokedex/api.php
index db239f3..4f5548a 100644
--- a/school-pokedex/api.php
+++ b/school-pokedex/api.php
@@ -15,71 +15,137 @@ if ($conn->connect_error) { header('Content-Type: application/json'); +// Ensure the request is using JSON +if ($_SERVER['CONTENT_TYPE'] !== 'application/json') { + echo json_encode(['error' => 'Content-Type must be application/json']); + exit; +} + $method = $_SERVER['REQUEST_METHOD']; -$request = explode('/', trim($_SERVER['PATH_INFO'],'/')); +$request = explode('/', trim($_SERVER['PATH_INFO'], '/')); switch ($method) { case 'GET': if (isset($request[0]) && is_numeric($request[0])) { $id = $request[0]; - $sql = "SELECT * FROM pokemons WHERE id=$id"; - $result = $conn->query($sql); - if ($result) { + $stmt = $conn->prepare("SELECT * FROM pokemons WHERE id = ?"); + $stmt->bind_param("i", $id); + $stmt->execute(); + $result = $stmt->get_result(); + if ($result->num_rows > 0) { echo json_encode($result->fetch_assoc()); } else { echo json_encode(['error' => 'No record found']); } + $stmt->close(); } else { $sql = "SELECT * FROM pokemons"; $result = $conn->query($sql); $pokemons = []; - while($row = $result->fetch_assoc()) { + while ($row = $result->fetch_assoc()) { $pokemons[] = $row; } echo json_encode($pokemons); } break; + case 'POST': $data = json_decode(file_get_contents('php://input'), true); + if (!isset($data['name'], $data['type'], $data['image'], $data['stats'], $data['info'])) { + echo json_encode(['error' => 'Missing required fields']); + exit; + } + $name = $data['name']; $type = $data['type']; $image = $data['image']; $stats = json_encode($data['stats']); $info = $data['info']; - $sql = "INSERT INTO pokemons (name, type, image, stats, info) VALUES ('$name', '$type', '$image', '$stats', '$info')"; - if ($conn->query($sql) === TRUE) { - echo json_encode(['id' => $conn->insert_id, 'name' => $name, 'type' => $type, 'image' => $image, 'stats' => $stats, 'info' => $info]); + + // Prepared statement to prevent SQL injection + $stmt = $conn->prepare("INSERT INTO pokemons (name, type, image, stats, info) VALUES (?, ?, ?, ?, ?)"); + 
$stmt->bind_param("sssss", $name, $type, $image, $stats, $info); + + if ($stmt->execute()) { + echo json_encode([ + 'id' => $conn->insert_id, + 'name' => $name, + 'type' => $type, + 'image' => $image, + 'stats' => $stats, + 'info' => $info + ]); } else { error_log("Insert error: " . $conn->error); - echo json_encode(['error' => $conn->error]); + echo json_encode(['error' => 'Failed to insert record']); } + + $stmt->close(); break; + case 'PUT': + if (!isset($request[0]) || !is_numeric($request[0])) { + echo json_encode(['error' => 'ID is required']); + exit; + } + $id = $request[0]; $data = json_decode(file_get_contents('php://input'), true); + + if (!isset($data['name'], $data['type'], $data['image'], $data['stats'], $data['info'])) { + echo json_encode(['error' => 'Missing required fields']); + exit; + } + $name = $data['name']; $type = $data['type']; $image = $data['image']; $stats = json_encode($data['stats']); $info = $data['info']; - $sql = "UPDATE pokemons SET name='$name', type='$type', image='$image', stats='$stats', info='$info' WHERE id=$id"; - if ($conn->query($sql) === TRUE) { - echo json_encode(['id' => $id, 'name' => $name, 'type' => $type, 'image' => $image, 'stats' => $stats, 'info' => $info]); + + // Prepared statement to prevent SQL injection + $stmt = $conn->prepare("UPDATE pokemons SET name=?, type=?, image=?, stats=?, info=? WHERE id=?"); + $stmt->bind_param("sssssi", $name, $type, $image, $stats, $info, $id); + + if ($stmt->execute()) { + echo json_encode([ + 'id' => $id, + 'name' => $name, + 'type' => $type, + 'image' => $image, + 'stats' => $stats, + 'info' => $info + ]); } else { error_log("Update error: " . 
$conn->error); - echo json_encode(['error' => $conn->error]); + echo json_encode(['error' => 'Failed to update record']); } + + $stmt->close(); break; + case 'DELETE': + if (!isset($request[0]) || !is_numeric($request[0])) { + echo json_encode(['error' => 'ID is required']); + exit; + } + $id = $request[0]; - $sql = "DELETE FROM pokemons WHERE id=$id"; - if ($conn->query($sql) === TRUE) { + + // Prepared statement to prevent SQL injection + $stmt = $conn->prepare("DELETE FROM pokemons WHERE id = ?"); + $stmt->bind_param("i", $id); + + if ($stmt->execute()) { echo json_encode(['id' => $id]); } else { error_log("Delete error: " . $conn->error); - echo json_encode(['error' => $conn->error]); + echo json_encode(['error' => 'Failed to delete record']); } + + $stmt->close(); break; + default: echo json_encode(['error' => 'Invalid request method']); break;
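Review bot: The Content-Type gate added at the top of the hunk rejects every request that does not send the header, which typically includes the GET and DELETE requests this endpoint serves, because `$_SERVER['CONTENT_TYPE']` is only populated when the client sends it (raising an undefined-index warning first), and the strict comparison also rejects the common `application/json; charset=utf-8` form. Moving the check below the `$method` assignment and limiting it to requests that carry a body fixes both: `$contentType = strtolower(trim(explode(';', $_SERVER['CONTENT_TYPE'] ?? '')[0]));` followed by `if (in_array($method, ['POST', 'PUT'], true) && $contentType !== 'application/json') {`. The same undefined-index problem applies to `$_SERVER['PATH_INFO']`, which is unset when no path is appended, so `$_SERVER['PATH_INFO'] ?? ''` is needed before `trim`. Separately, every error branch still answers with HTTP 200; an `http_response_code(400)` (404 for 'No record found', 405 for the default case) before the `echo` would let clients distinguish failures, and `$conn->prepare()` returning `false` on a bad statement is not checked before `bind_param` in any of the three prepared branches.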