PHP Backend Development Tutorial

Updated: May 14, 2026
30 min read

# CHAPTER 8

Building CRUD Applications in PHP

1. Introduction

Every web application you use—Facebook, Amazon, Wikipedia—is essentially a massive CRUD application. CRUD is the acronym that defines the four fundamental operations a backend developer must perform on a database: Create, Read, Update, and Delete. In this chapter, we will build a complete CRUD workflow using PHP, MySQL, and the critical security feature known as Prepared Statements.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Define the CRUD paradigm.
  • Write SQL queries for INSERT, SELECT, UPDATE, and DELETE.
  • Use PDO Prepared Statements to absolutely prevent SQL Injection.
  • Build a functional backend admin dashboard.

3. Beginner-Friendly Explanation

Think of your database table as a digital address book.
  • Create: Adding a new friend's phone number to the book.
  • Read: Looking up a friend's phone number to call them.
  • Update: Changing a friend's number when they get a new phone.
  • Delete: Erasing a friend's number from the book.
Every complex app is just CRUD. Facebook? You *Create* a post, *Read* your feed, *Update* your profile, and *Delete* a comment.

4. The Hacker Threat: SQL Injection

Before we build CRUD, we must secure it. If you insert user data directly into an SQL query like this:

```php
"SELECT * FROM users WHERE name = '" . $_POST['username'] . "'"
```

a hacker can type ' OR '1'='1 into the username field. This alters the raw SQL command, forcing the database to give the hacker access to every account on the server. This is SQL Injection, the most common web hack in history.

5. The Solution: Prepared Statements

Prepared Statements act like a secure shipping container. Instead of mixing user data directly into the SQL code, you put a "placeholder" (?) in the code. You send the SQL structure to the database first. Then, you send the user's data separately. The database knows the data is *only* data, and will never execute it as code.
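To make the difference concrete, here is an added example (it is not code from the chapter) that runs the concatenated query from section 4 next to its prepared-statement replacement against an in-memory SQLite database, so it works offline. It assumes the pdo_sqlite extension is available; the users table and its two rows are constructed for the demonstration.

```php
<?php
// Added example, not from the chapter: unsafe concatenation beside a prepared
// statement. The database, table and rows below are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$pdo->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// UNSAFE: the value is spliced into the SQL text, so a quote inside it
// ends the string literal and the rest is parsed as SQL.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT * FROM users WHERE name = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL structure is sent first, the value is bound to the ?
// placeholder afterwards and compared as a plain string, never parsed as SQL.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare("SELECT * FROM users WHERE name = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "' OR '1'='1";   // the input from section 4
printf("unsafe: %d rows\n", count(findUserUnsafe($pdo, $payload)));
printf("safe:   %d rows\n", count(findUserSafe($pdo, $payload)));
```

With that input the unsafe function's query text becomes SELECT * FROM users WHERE name = '' OR '1'='1', which is true for every row, so both users come back; the prepared version compares the whole string as a value and matches nothing. One caveat a practitioner should keep in mind: placeholders only work for values. Table and column names or an ORDER BY direction cannot be bound, so if those must vary, compare them against a fixed allowlist in PHP before building the query.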

6. CREATE (Insert Data)

Let's securely insert a new user from an HTML form.
```php
<?php
require 'db.php';

// Assume form was submitted via POST
$name = $_POST['name'];
$email = $_POST['email'];

// 1. Prepare the SQL structure with placeholders (?)
$sql = "INSERT INTO users (name, email) VALUES (?, ?)";
$stmt = $pdo->prepare($sql);

// 2. Execute and pass the user data securely into the placeholders
$stmt->execute([$name, $email]);

echo "User created successfully!";
?>
```

7. READ (Fetch Data)

We want to read a specific user's data based on their ID.
```php
<?php
require 'db.php'; // provides the $pdo connection, as in the CREATE example

$user_id = 5; // e.g., $_GET['id']

$sql = "SELECT name, email FROM users WHERE id = ?";
$stmt = $pdo->prepare($sql);
$stmt->execute([$user_id]);

// Fetch a single row as an associative array (false when no row matched)
$user = $stmt->fetch(PDO::FETCH_ASSOC);

if ($user === false) {
    echo "User not found.";
} else {
    echo "Name: " . $user['name'];
}
?>
```

8. UPDATE (Modify Data)

A user wants to change their email address.
```php
<?php
require 'db.php'; // provides the $pdo connection

$new_email = "new_email@test.com";
$user_id = 5;

$sql = "UPDATE users SET email = ? WHERE id = ?";
$stmt = $pdo->prepare($sql);

// Order of variables in the array MUST match the order of the ? placeholders
$stmt->execute([$new_email, $user_id]);

echo "Profile updated!";
?>
```

9. DELETE (Remove Data)

Deleting a record. *Warning: Always include a WHERE clause, or you will delete every row in the table!*
```php
<?php
require 'db.php'; // provides the $pdo connection

$user_id_to_delete = 12;

$sql = "DELETE FROM users WHERE id = ?";
$stmt = $pdo->prepare($sql);
$stmt->execute([$user_id_to_delete]);

echo "User deleted permanently.";
?>
```
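The four snippets above each open their own connection and echo a message. As an added example (not code from the chapter), here they are combined into one small repository class so the operations share a connection and return values that a caller can check, with the UPDATE written using the named placeholders described in the FAQ. It runs against an in-memory SQLite database and assumes PHP 8 and the pdo_sqlite extension; in the chapter's setup $pdo would come from db.php instead, and the table layout here is constructed for the demo.

```php
<?php
// Added example, not from the chapter: CREATE, READ, UPDATE and DELETE as one
// class over a PDO connection. Table and sample data are constructed below.
final class UserRepository
{
    public function __construct(private PDO $pdo) {}

    // CREATE: returns the id the database assigned to the new row.
    public function create(string $name, string $email): int
    {
        $stmt = $this->pdo->prepare("INSERT INTO users (name, email) VALUES (?, ?)");
        $stmt->execute([$name, $email]);
        return (int) $this->pdo->lastInsertId();
    }

    // READ: returns null instead of PDO's false when no row matches, so the
    // caller has to handle "not found" rather than reading from a boolean.
    public function find(int $id): ?array
    {
        $stmt = $this->pdo->prepare("SELECT id, name, email FROM users WHERE id = ?");
        $stmt->execute([$id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    // UPDATE: named placeholders; the array keys, not their order, do the matching.
    public function updateEmail(int $id, string $email): bool
    {
        $stmt = $this->pdo->prepare("UPDATE users SET email = :email WHERE id = :id");
        $stmt->execute([':email' => $email, ':id' => $id]);
        return $stmt->rowCount() === 1;
    }

    // DELETE: the WHERE clause is part of the fixed SQL text, so no input can remove it.
    public function delete(int $id): bool
    {
        $stmt = $this->pdo->prepare("DELETE FROM users WHERE id = ?");
        $stmt->execute([$id]);
        return $stmt->rowCount() === 1;
    }
}

// Demo setup (constructed): an in-memory database instead of db.php.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, email TEXT NOT NULL UNIQUE)");

$repo = new UserRepository($pdo);
$id = $repo->create('alice', 'alice@example.test');
var_dump($repo->find($id));
var_dump($repo->updateEmail($id, 'alice@new.example.test'));
var_dump($repo->delete($id));
var_dump($repo->find($id));

// Request values must be validated before they reach the repository: this
// rejects a non-numeric id instead of letting it be silently cast to 0.
function requestedId(array $query): ?int
{
    $id = filter_var($query['id'] ?? '', FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}
var_dump(requestedId(['id' => '5']), requestedId(['id' => '5 OR 1=1']));
```

Two design points worth noting. ERRMODE_EXCEPTION makes a failed query throw instead of returning false, which is what you want during development and behind a generic error page in production. And rowCount() on MySQL counts rows that actually changed by default, so updating an email to the value it already has reports 0; treat that as "nothing to do", not as an error.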

10. Best Practices

  • Soft Deletes: In enterprise applications, we rarely use the DELETE command. Instead, we add a column to the database called isdeleted (set to 0). When a user deletes an item, we use an UPDATE command to set isdeleted = 1. The item disappears from the website, but the data is safely preserved in the database for legal/recovery reasons.

11. Common Mistakes

  • Trusting the UI: A developer might build an "Admin Dashboard" with a "Delete User" button, assuming only Admins can see the button. However, if a hacker figures out the URL (delete.php?id=5), they can bypass the dashboard and trigger the script directly. You must always verify authorization *inside* the PHP script before executing CRUD actions.
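The two points above, soft deletes and checking authorization inside the script, fit naturally in one delete handler. The following is an added example, not the chapter's code: the authorization rule, the soft-delete UPDATE, and a read that hides soft-deleted rows, exercised against in-memory SQLite with constructed data. The session layout (user_id and role keys), the admin role, the column name is_deleted, and the use of POST for the action are all assumptions of this example.

```php
<?php
// Added example, not from the chapter: server-side authorization plus a soft
// delete. Session shape, roles and the is_deleted column are assumptions.
declare(strict_types=1);

// The authorization decision lives in one function so it can be tested alone.
function canDeleteUser(array $session, int $targetId): bool
{
    // Only a logged-in admin may delete, and never their own account.
    return ($session['role'] ?? null) === 'admin'
        && isset($session['user_id'])
        && (int) $session['user_id'] !== $targetId;
}

// Soft delete: an UPDATE instead of a DELETE, so the row survives for recovery.
// The "AND is_deleted = 0" makes a repeated request report "not found".
function softDeleteUser(PDO $pdo, int $id): bool
{
    $stmt = $pdo->prepare("UPDATE users SET is_deleted = 1 WHERE id = ? AND is_deleted = 0");
    $stmt->execute([$id]);
    return $stmt->rowCount() === 1;
}

// Every read must filter on is_deleted, or the "deleted" user reappears.
function findActiveUser(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE id = ? AND is_deleted = 0");
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The handler behind the chapter's delete.php. Returns the HTTP status to send.
// Requiring POST means a plain link to the URL cannot trigger the action.
function handleDeleteRequest(PDO $pdo, array $session, string $method, array $post): int
{
    if ($method !== 'POST') {
        return 405;
    }
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        return 400;
    }
    if (!canDeleteUser($session, $id)) {
        return 403;   // a hidden button in the dashboard is not a check
    }
    return softDeleteUser($pdo, $id) ? 200 : 404;
}

// Demo with constructed data on an in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_deleted INTEGER NOT NULL DEFAULT 0)");
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'admin'), (5, 'bob')");

$visitor = [];                                   // not logged in
$admin   = ['user_id' => 1, 'role' => 'admin'];
echo handleDeleteRequest($pdo, $visitor, 'GET',  ['id' => '5']), "\n";  // wrong method
echo handleDeleteRequest($pdo, $visitor, 'POST', ['id' => '5']), "\n";  // not authorized
echo handleDeleteRequest($pdo, $admin,   'POST', ['id' => '5']), "\n";  // soft-deleted
var_dump(findActiveUser($pdo, 5));                                      // hidden now
var_dump($pdo->query("SELECT COUNT(*) FROM users")->fetchColumn());     // row still exists
```

In a real application $session would be $_SESSION, $method would be $_SERVER['REQUEST_METHOD'] and $post would be $_POST, which is where Chapter 9 picks up. Requiring POST is not a complete defence on its own: a form on another site can still submit a POST, so the handler also needs a CSRF token tied to the session once sessions are in place.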

12. Exercises

  1. Explain how a Prepared Statement completely prevents an SQL Injection attack.

13. MCQs with Answers

Question 1

What does the acronym CRUD stand for in backend development?

Question 2

When writing SQL queries that include user input, what is the required method to prevent SQL Injection attacks?

14. Interview Questions

  • Q: Walk me through the four operations of CRUD and provide the corresponding SQL keyword for each.
  • Q: Explain the mechanics of a SQL Injection attack. How do Prepared Statements separate the SQL logic from the user data to neutralize this threat?

15. FAQs

Q: Can I use named placeholders instead of question marks? A: Yes! PDO allows named placeholders like VALUES (:name, :email). Then, in the execute array, you use [':name' => $name, ':email' => $email]. This is often easier to read when dealing with massive forms containing 20+ fields.

16. Summary

In Chapter 8, we learned the beating heart of all software: CRUD. By mastering INSERT, SELECT, UPDATE, and DELETE, you can build any application from a blog to a social network. More importantly, we learned that combining user input directly with SQL is a catastrophic security failure. By making PDO Prepared Statements a mandatory habit, you ensure your database remains impenetrable to SQL injection.

17. Next Chapter Recommendation

Our app can save data, but it can't remember who the user is as they click from page to page. Proceed to Chapter 9: PHP Sessions and Cookies to fix this.
