Adding validation to PDO

Time: 2013-05-17 10:44:48

Tags: php forms pdo

My way works, but what could I update to make it better?

Code: ----------------------------------------

<?php
// $user and $pass hold the database credentials
$odb = new PDO('mysql:host=localhost;dbname=db371885849', $user, $pass);
$odb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

if (isset($_POST['firstname'])) {
    $firstname = $_POST['firstname'];
    $lastname  = $_POST['lastname'];
    $email     = $_POST['email'];

    $q = "INSERT INTO jobform(firstname, lastname, email) VALUES (:firstname, :lastname, :email);";
    $query = $odb->prepare($q);
    $results = $query->execute(array(
        ":firstname" => $firstname,
        ":lastname"  => $lastname,
        ":email"     => $email
    ));
}

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++

<?php
// $user and $pass hold the database credentials
$odb = new PDO('mysql:host=localhost;dbname=db371885849', $user, $pass);
$odb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

if (isset($_POST['firstname'])) {
    $firstname = $_POST['firstname'];
    $lastname  = $_POST['lastname'];
    $email     = $_POST['email'];

    if (!empty($firstname)) {
        $q = "INSERT INTO jobform(firstname, lastname, email) VALUES (:firstname, :lastname, :email);";
        $query = $odb->prepare($q);
        $results = $query->execute(array(
            ":firstname" => $firstname,
            ":lastname"  => $lastname,
            ":email"     => $email
        ));
    } else {
        echo "not today";
    }
}

3 answers:

Answer 0 (score: 1)

// validate every field before touching the database; isset() guards the
// filter_var() call against a request that carries no email at all
if (!empty($_POST['firstname']) && !empty($_POST['lastname'])
    && isset($_POST['email']) && filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
    $firstname = $_POST['firstname'];
    $lastname  = $_POST['lastname'];
    $email     = $_POST['email'];

    $q = "INSERT INTO jobform(firstname, lastname, email) VALUES (:firstname, :lastname, :email);";
    $query = $odb->prepare($q);
    $results = $query->execute(array(
        ":firstname" => $firstname,
        ":lastname"  => $lastname,
        ":email"     => $email
    ));
} else {
    echo 'make an error';
}
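The pattern this answer describes, validate first and only then run the prepared statement, as an added, self-contained example that is not code from the question or the answers. It assumes the same three columns, adds length limits and rejects non-string values (a field sent as `email[]=x` arrives as an array), and uses an in-memory SQLite database in place of the MySQL one so it runs offline; the sample submissions are constructed for the example.

```php
<?php
// Added example, not code from the question or the answers: validate the
// submission first, then insert it with bound parameters. An in-memory SQLite
// database stands in for the MySQL one so the script runs offline; field
// names, length limits and messages are assumptions for this example.
declare(strict_types=1);

/**
 * Return error messages keyed by field; an empty array means the input is valid.
 */
function validateJobForm(array $input): array
{
    $errors = [];
    foreach (['firstname', 'lastname', 'email'] as $field) {
        // Missing, non-string (email[]=x arrives as an array) or blank values are rejected.
        if (!isset($input[$field]) || !is_string($input[$field]) || trim($input[$field]) === '') {
            $errors[$field] = ucfirst($field) . ' is required';
        }
    }
    foreach (['firstname', 'lastname'] as $field) {
        if (!isset($errors[$field]) && strlen($input[$field]) > 100) {
            $errors[$field] = ucfirst($field) . ' is too long';
        }
    }
    if (!isset($errors['email'])) {
        $email = trim($input['email']);
        if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $errors['email'] = 'Wrong email format';
        }
    }
    return $errors;
}

/**
 * Insert an already-validated row. The values travel as bound parameters, so a
 * quote or semicolon in a name is stored literally instead of changing the query.
 */
function insertJobForm(PDO $pdo, array $input): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO jobform (firstname, lastname, email) VALUES (:firstname, :lastname, :email)'
    );
    $stmt->execute([
        ':firstname' => trim($input['firstname']),
        ':lastname'  => trim($input['lastname']),
        ':email'     => trim($input['email']),
    ]);
    return (int) $pdo->lastInsertId();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE jobform (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, email TEXT)');

// Constructed submissions standing in for $_POST: one good, one with a missing
// and a malformed field, one carrying an injection attempt, one with an array value.
$submissions = [
    ['firstname' => 'Ada', 'lastname' => 'Lovelace', 'email' => 'ada@example.com'],
    ['firstname' => '', 'lastname' => 'Nobody', 'email' => 'not-an-email'],
    ['firstname' => "Rob'); DROP TABLE jobform; --", 'lastname' => 'Tables', 'email' => 'bobby@example.com'],
    ['firstname' => ['x'], 'lastname' => 'Array', 'email' => 'a@example.com'],
];

foreach ($submissions as $i => $post) {
    $errors = validateJobForm($post);
    if ($errors) {
        echo "submission $i rejected: " . implode('; ', $errors) . "\n";
        continue;
    }
    echo "submission $i stored as row " . insertJobForm($pdo, $post) . "\n";
}

// The injection attempt was stored as plain text and the table still exists.
echo 'rows in jobform: ' . $pdo->query('SELECT COUNT(*) FROM jobform')->fetchColumn() . "\n";
```

Two of the four submissions are rejected and two are stored, including the one whose first name contains a quote and a `DROP TABLE`; because that value is bound rather than spliced into the SQL text, it lands in the column as an ordinary string. Validation here protects the data model (required fields, sane lengths, a syntactically valid address); it is not what stops the injection, the prepared statement is.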

Answer 1 (score: 1)

It seems you don't need validation at all. So, here is how I would do it, based on the code from the tag wiki

<?php
// pdoSet() and $dbh are the helper function and PDO connection from the tag wiki
// referred to above: pdoSet() builds the "col=:col, ..." list for the whitelisted
// fields found in $_POST and fills $values with the matching bindings.
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $allowed = array('firstname', 'lastname', 'email');
    $sql = "INSERT INTO jobform SET ".pdoSet($allowed, $values);
    $stm = $dbh->prepare($sql);
    $stm->execute($values);
    header("Location: ".$_SERVER['PHP_SELF']);
    exit;
}

But if you want to validate the user input, then you need more complex code:

<?php
$allowed = array('firstname', 'lastname', 'email');
if ($_SERVER['REQUEST_METHOD'] == 'POST') {

  $err = array();
  // performing all validations and raising corresponding errors
  if (empty($_POST['firstname'])) $err[] = "Firstname is required";
  if (empty($_POST['lastname']))  $err[] = "Lastname is required";
  if (empty($_POST['email']) || !filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
     $err[] = "Wrong email format";
  }

  if (!$err) {
    // pdoSet() and $dbh: the helper and connection from the tag wiki referred to above
    $sql = "INSERT INTO jobform SET ".pdoSet($allowed, $values);
    $stm = $dbh->prepare($sql);
    $stm->execute($values);
    header("Location: ".$_SERVER['PHP_SELF']);
    exit;
  } else {
    // all field values should be escaped according to HTML standard
    foreach ($_POST as $key => $val) {
      $form[$key] = htmlspecialchars($val);
    }
  }
} else {
  foreach ($allowed as $val) {
    $form[$val] = '';
  }
}
include 'form.tpl.php';
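The security point of this answer is the `$allowed` whitelist: column names come from code, and the request only supplies values. The following is an added example that is neither the tag wiki's `pdoSet()` nor the answer's code; it writes the same idea as a portable INSERT builder (the tag wiki helper emits MySQL's `INSERT ... SET col=:col` form, this one emits `(cols) VALUES (:cols)` so it runs against an in-memory SQLite database). The `approved` column, the table layout and the sample request are assumptions constructed for the example.

```php
<?php
// Added example, not the tag wiki's pdoSet() nor the answer's code: the same
// whitelist idea written as a portable INSERT builder. pdoSet() emits MySQL's
// "INSERT ... SET col=:col" form; this builder emits "(cols) VALUES (:cols)" so
// it runs against the in-memory SQLite database used here. Table, columns and
// the sample request are assumptions for this example.
declare(strict_types=1);

/**
 * Build an INSERT for $table from $source using only the columns in $allowed.
 * Column names come from code, never from the request; the request only ever
 * supplies bound values. Returns [$sql, $bindings].
 */
function buildInsert(string $table, array $allowed, array $source): array
{
    $columns = [];
    $bindings = [];
    foreach ($allowed as $field) {
        if (!isset($source[$field]) || !is_string($source[$field])) {
            continue; // absent or non-scalar: let the column default apply
        }
        // ANSI double-quote identifier quoting (SQLite, PostgreSQL); MySQL uses
        // backticks unless ANSI_QUOTES is enabled.
        $columns[] = '"' . str_replace('"', '""', $field) . '"';
        $bindings[':' . $field] = $source[$field];
    }
    if ($columns === []) {
        throw new InvalidArgumentException('none of the allowed fields are present');
    }
    $sql = sprintf(
        'INSERT INTO "%s" (%s) VALUES (%s)',
        str_replace('"', '""', $table),
        implode(', ', $columns),
        implode(', ', array_keys($bindings))
    );
    return [$sql, $bindings];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE jobform (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, email TEXT, approved INTEGER NOT NULL DEFAULT 0)');

$allowed = ['firstname', 'lastname', 'email'];

// Constructed request: the client added an "approved" field that is not on the
// form, plus a key whose name looks like SQL. Neither can reach the query text.
$post = [
    'firstname' => 'Ada',
    'lastname'  => 'Lovelace',
    'email'     => 'ada@example.com',
    'approved'  => '1',
    'email") VALUES ("x' => 'ignored',
];

[$sql, $bindings] = buildInsert('jobform', $allowed, $post);
echo $sql, "\n";

$stmt = $pdo->prepare($sql);
$stmt->execute($bindings);

$row = $pdo->query('SELECT firstname, approved FROM jobform')->fetch(PDO::FETCH_ASSOC);
echo 'firstname=', $row['firstname'], ' approved=', $row['approved'], "\n";

// A request that carries none of the allowed fields is refused outright.
try {
    buildInsert('jobform', $allowed, ['approved' => '1']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The generated statement names only `firstname`, `lastname` and `email`; the extra `approved` key and the SQL-looking key are simply never looked at, so the stored row keeps the column default. That is the property to check whenever a form handler builds SQL from request keys: the loop must run over a list you wrote, not over `$_POST`.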

Answer 2 (score: 0)

PDO is for talking to the database, not for validating values (apart from quoting so that they can be inserted safely). You have to perform the validation before firing off the SQL query with PDO:

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (
        // your empty() checks
    ) {
        // your query
    }
}