You have to ensure that all variables which should be used for database access have been passed. If any required variable is missing, show an error message and exit (don't perform any database operations then).
Depending on your requirements it might also be necessary to check for empty variables or valid content.
Note also that your current code creates variables of different types: a boolean FALSE if the parameter does not exist and a string otherwise (which might be an empty string if the parameter is empty).
We can not tell you which parameters are required and which are optional for the different tasks. Only you can know that. But for creating a new recordset most - if not all - are usually required, while for showing existing recordsets only a few might be required.
If your form supports multiple operations (like add, view, delete), you have to check first for that (assuming here passed as 'operation') and then for the required parameters:
    if (isset($_POST['operation'])) {
        if ($_POST['operation'] === 'view') {
            if (isset($_POST['student_id'])) {
                view_by_id();
            }
            else if (isset($_POST['first_name']) && isset($_POST['last_name'])) {
                view_by_name();
            }
            else {
                // neither an ID nor a full name was passed: nothing to look up
                echo 'Error: student_id or first_name and last_name are required';
                exit;
            }
        }
        else if ($_POST['operation'] === 'add') {
            add();
        }
        else {
            // unknown value in 'operation'
            echo 'Error: unknown operation';
            exit;
        }
    } else {
        // 'operation' is required to decide what to do at all
        echo 'Error: operation missing';
        exit;
    }
I have used functions in my above example because that makes the code more readable. Add the parameter checks on top of the functions. The functions may also return a status value.
For viewing by ID and deleting you need only the unique ID:
    function delete()
    {
        if (!isset($_POST['student_id'])) {
            echo 'Error: student_id missing';
            return false;
        }
        else if ($_POST['student_id'] === '') {
            echo 'Error: student_id is empty';
            return false;
        }
        else if (!is_numeric($_POST['student_id'])) {
            echo 'Error: student_id is not a number';
            return false;
        }
        else {
            $id = intval($_POST['student_id']);
            // ... delete the record with this $id here ...
            return true;
        }
    }
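As an added example (not code from the answer above), the same idea generalized: one reusable check that takes the list of parameters an operation requires, reports every missing, empty or malformed one, and only then hands clean values on to the database code. The parameter names `operation`, `student_id`, `first_name` and `last_name` are taken from the question; the per-operation requirement table and the function names are assumptions to adapt to your own form. It also handles one PHP-specific edge case the answer does not mention: a form field sent as `student_id[]=...` arrives in `$_POST` as an array, not a string, so a type check is needed before any string function is called on it.

```php
<?php
// Added example, not the answer's own code. Names of required parameters
// per operation are assumed; adjust them to your form.

// Returns a list of error messages; an empty list means all checks passed.
// $required maps parameter name => expected type ('string' or 'int').
function check_required(array $input, array $required): array
{
    $errors = [];
    foreach ($required as $name => $type) {
        if (!isset($input[$name])) {
            $errors[] = "Parameter '$name' is missing";
        } elseif (!is_string($input[$name])) {
            // e.g. sent as name[]=..., which PHP turns into an array
            $errors[] = "Parameter '$name' has an unexpected type";
        } elseif (trim($input[$name]) === '') {
            $errors[] = "Parameter '$name' is empty";
        } elseif ($type === 'int' && !ctype_digit($input[$name])) {
            // ctype_digit accepts only 0-9, so no sign, spaces or decimals
            $errors[] = "Parameter '$name' must be a non-negative integer";
        }
    }
    return $errors;
}

// Which parameters each operation needs (assumed; adjust to your form).
const REQUIRED_PARAMS = [
    'add'    => ['first_name' => 'string', 'last_name' => 'string'],
    'view'   => ['student_id' => 'int'],
    'delete' => ['student_id' => 'int'],
];

// Validates one request and returns either the errors or the cleaned
// parameters the database code may use. No DB access happens in here.
function handle_request(array $post): array
{
    if (!isset($post['operation']) || !is_string($post['operation'])
        || !isset(REQUIRED_PARAMS[$post['operation']])) {
        return ['ok' => false, 'errors' => ['Unknown or missing operation']];
    }
    $op     = $post['operation'];
    $errors = check_required($post, REQUIRED_PARAMS[$op]);
    if ($errors !== []) {
        // Stop here: nothing touches the database with incomplete input.
        return ['ok' => false, 'errors' => $errors];
    }
    // Everything required is present; convert to the types the DB code expects.
    $params = [];
    foreach (REQUIRED_PARAMS[$op] as $name => $type) {
        $params[$name] = ($type === 'int') ? intval($post[$name]) : trim($post[$name]);
    }
    return ['ok' => true, 'operation' => $op, 'params' => $params];
}

// Constructed sample requests standing in for $_POST.
$samples = [
    ['operation' => 'delete', 'student_id' => '42'],          // ok
    ['operation' => 'delete', 'student_id' => 'abc'],         // not numeric
    ['operation' => 'delete', 'student_id' => ['1', '2']],    // sent as array
    ['operation' => 'add',    'first_name' => 'Ada'],         // last_name missing
    ['student_id' => '7'],                                    // no operation
];
foreach ($samples as $post) {
    $result = handle_request($post);
    echo ($result['ok'] ? 'OK   ' : 'FAIL ') . json_encode($result) . PHP_EOL;
}
```

Collecting all errors in one list, instead of stopping at the first one as the `delete()` function above does, lets you show the user everything that is wrong with the form in one go; the important property is the same in both versions: no database call is reached unless every required parameter has passed its check.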