PHP validation logic

Time: 2014-04-03 21:33:26

Tags: php validation

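I have a form that submits user data. Its validation is currently flawed, and I am looking for the best way to correct it.

The form contains 3 text fields, 1 radio button and 3 drop-down lists.

Code: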

$titleError = "";
$durationError = "";
$directorError = "";
$certError = "";
$dateError = "";


//Array with all the possible error messages so far:
$errors = array("title"=>"Title is required",
            "duration"=>"Title duration is required",
            "durationCheck"=>"Duration must be an integer value",
            "director"=>"Title Director is required",
            "directorCheck"=>"Director must be an alphabetic value",
            "certification"=>"Title certification is required",
            "date"=>"Invalid date"
            );



if (isset($_POST['submit'])){
            $submit = ($_POST['submit']);

            $title = $_POST['title'];
            $duration = $_POST['duration'];
            $director = $_POST['director'];


            //If any of the (title, duration, director) are empty or if any of the (day, month, year) are unchanged or if the cert isn't set i.e radio button checked
            //This if will make sure that all the fields are filled before submitting, however if all fields ARE filled it will of course bypass the checks inside the statement. Meaning the checks inside are only carried out when the user misses an input.
            if (empty($title) || empty($duration) || empty($director) || !isset($_POST['cert']) || ($_POST['day'] == "DD") || ($_POST['month'] == "MM") || ($_POST['year'] == "YYYY")){

                    if (empty($title)) { $titleError =$errors['title'];}
                    if (empty($duration)) { $durationError = $errors['duration'];} else if (!is_int($duration)) {$durationError = $errors['durationCheck']; } 
                    if (empty($director)) {$directorError = $errors['director'];} else if (!ctype_alpha($director)) {$directorError = $errors['directorCheck']; } 
                    if (empty($_POST['cert'])) {$certError = $errors['certification'];}
                    if (($_POST['day'] == "DD") || ($_POST['month'] == "MM") || ($_POST['year'] == "YYYY")) {$dateError = $errors['date'];}  



            } else {

                        //Check if duration entered is an integer
                        //if (is_int($duration) && ctype_alpha($director)) 

                                $cert = $_POST['cert'];
                                $day = $_POST['day'];
                                $month = $_POST['month'];
                                $year = $_POST['year'];
                                $day = convertToTwoDigit($day);
                                $month = convertToTwoDigit($month);


                                $date = $year."/".$month."/".$day;


                                echo "<br>Title: ".$title."</br>"."Duration: ".$duration."</br>"."Director: ".$director."</br>"."Cert: ".$cert."</br>Relesed on: ".$date;

                                //Add values into database: 

                                if ($insert = $db->query("
                                INSERT INTO titles (cert, filmtitle, releaseDate, filmDuration, director) VALUES ('$cert', '$title', '$date', '$duration', '$director')
                                ")){
                                    echo "You have added a film";
                                } else {
                                    echo "Error adding";
                                }

        }


}

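1 answer:

Answer 0: (score: 0)

Your validation logic is indeed flawed. You check whether all the values are present, and only validate when one of them is missing! See the problem? You need to validate if all of them are present.
In your case, a simpler solution is to handle each field in turn: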

<?php
// this is very procedural, but that's another matter

// somewhere to store errors as you find them
$errors = array();

if (!isset($_POST['var1'])) {
    $errors[] = 'Var 1 missing';
} else {
    // validate - let's pretend it must be a number between 0 and 10
    $var1 = $_POST['var1'];
    if (!is_numeric($var1) || $var1 < 0 || $var1 > 10) {
        $errors[] = 'Var 1 out of range';
    }
}

// next one
if (!isset($_POST['var2'])) {
    $errors[] = 'Var 2 missing';
} else {
    // validate - let's pretend it must be the char 'a', 'b' or 'c'
    $var2 = $_POST['var2'];
    if ($var2 !== 'a' && $var2 !== 'b' && $var2 !== 'c') {
        $errors[] = 'Var 2 out of range';
    }
}

//etc...

// $errors will be empty if everything was fine
if (empty($errors)) {
    // do stuff with the validated vars
} else {
    // send the errors back to the user
}
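
The per-field approach from the answer, applied to the fields of the question's form, as an added example (not code from the question or the answer). The certificate values in `CERTS` and the helper names `field` and `validateFilm` are assumptions; the error messages are the ones from the question.

```php
<?php
// Added example, not the poster's code. Field names and messages come from the
// question; the CERTS list is an assumed set of radio-button values.
const CERTS = ['U', 'PG', '12', '15', '18'];

// Return a trimmed string for $key, or '' if it is missing or not a string (e.g. title[]=x).
function field(array $post, string $key): string
{
    return isset($post[$key]) && is_string($post[$key]) ? trim($post[$key]) : '';
}

// Validate every field on every submit; returns [errors, clean values].
function validateFilm(array $post): array
{
    $errors = $clean = [];

    if (($clean['title'] = field($post, 'title')) === '') {
        $errors['title'] = 'Title is required';
    }
    // $_POST values are strings, so is_int() is always false; parse the string instead.
    $duration = field($post, 'duration');
    $clean['duration'] = filter_var($duration, FILTER_VALIDATE_INT);
    if ($duration === '') {
        $errors['duration'] = 'Title duration is required';
    } elseif ($clean['duration'] === false) {
        $errors['duration'] = 'Duration must be an integer value';
    }
    if (($clean['director'] = field($post, 'director')) === '') {
        $errors['director'] = 'Title Director is required';
    } elseif (!ctype_alpha($clean['director'])) {
        $errors['director'] = 'Director must be an alphabetic value';
    }
    if (!in_array($clean['cert'] = field($post, 'cert'), CERTS, true)) {
        $errors['certification'] = 'Title certification is required';
    }
    // Untouched "DD"/"MM"/"YYYY" placeholders fail ctype_digit(); checkdate() rejects 31 Feb.
    [$d, $m, $y] = [field($post, 'day'), field($post, 'month'), field($post, 'year')];
    if (ctype_digit($d) && ctype_digit($m) && ctype_digit($y) && checkdate((int)$m, (int)$d, (int)$y)) {
        $clean['date'] = sprintf('%04d/%02d/%02d', $y, $m, $d);
    } else {
        $errors['date'] = 'Invalid date';
    }
    return [$errors, $errors ? [] : $clean];
}

// Constructed sample submit: all fields are present, so the question's code would skip its checks.
[$errors, $clean] = validateFilm(['title' => 'Alien', 'duration' => 'abc', 'director' => 'Ridley',
    'cert' => '18', 'day' => '31', 'month' => '02', 'year' => '1979', 'submit' => '1']);
print_r($errors);
```

Use `$clean` only when `$errors` is empty, and bind its values as parameters of a prepared statement rather than interpolating them into the INSERT string.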