小贝子编程

使用PHP进行表单和SQL验证



当用户点击保存时,检查数据是否成功插入记录到表中,并相应地显示正确的消息。若表单为空,则应显示错误消息,并且数据库不应有任何记录。

//SAVE
if (isset($_POST['SAVE'])) {
$Name = $_POST['name'];
$City = $_POST['city'];
$query = "Insert Into Info Values('$Name','$City')";
$result = mysqli_query($con, $query) or die ("query is failed" . mysqli_error($con));
$Name = '';
$City = '';
if(mysqli_affected_rows($con)>0) {
echo "record is saved";
}else {
echo "record is not saved";
}

我只能通过php进行验证。我不确定我这样做是否正确。到目前为止,我可以在表单上获得"记录已保存"消息,但如果表单为空,则无法获得后者。它只是在我的数据库中做了一个空记录。

未测试代码:

if (!isset($_POST['SAVE'], $_POST['name'], $_POST['city'])) {  // avoid Notices
echo "Missing required submission data";
} elseif (!strlen(trim($_POST['name']))) {  // validate however you wish
echo "Name data is not valid";  // explain however you wish
} elseif (!strlen(trim($_POST['city']))) {  // validate however you wish
echo "City data is not valid";  // explain however you wish
} elseif (!$con = new mysqli("localhost", "root", "", "db")) {  // declare and check for a falsey value
echo "Connection Failure"; // $con->connect_error <-- never show actual error details to public
} elseif (!$stmt = $con->prepare("INSERT INTO Info VALUES (?,?)")) {
echo "Error @ prepare"; // $con->error;  // don't show to public
} elseif (!$stmt->bind_param("ss", $_POST['name'], $_POST['city'])) {
echo "Error @ bind";  // $stmt->error;  // don't show to public
} elseif (!$stmt->execute()) {
echo "Error @ execute";  // $stmt->error;  // don't show to public
} else {
echo "Insert Successful"; 
}

提交数据的验证条件确保这些值不为空,并且它们不完全由空白字符组成。如果您希望进一步完善验证要求,只需更新条件即可。

如果您想简单地确保$_POST['name']$_POST['city']不为空,您可以将前三个条件替换为

if (empty($_POST['SAVE']) || empty($_POST['name']) || empty($_POST['city'])) {
echo "Submission data is missing/invalid";
}...

如果您不使用预先准备好的语句,那么像Paul O'Malley这样的名称值将破坏您的查询。更糟糕的是,如果有人想尝试运行一些注入攻击,那么您的查询很容易受到攻击。

不需要检查affected_rows()。如果查询执行中没有错误消息,那么INSERT查询就是成功的。

以上建议都是我敦促大家采纳的最佳做法。

仅检查isset($_POST['SAVE'])告诉是否设置了"SAVE"。它不会告诉您字段是否有值。

要在PHP中进行验证,请使用以下内容:

if (isset($_POST['SAVE'])) {
$Name = $_POST['name'];
$City = $_POST['city'];
if ($Name && $City)
{
//...
//code to insert data into the database goes here
//...
if(mysqli_affected_rows($con)>0) {
echo "record is saved";
}else {
echo "record is not saved (error saving)";
}
} else {
echo "record is not saved (input was empty)";
}
}

关键是if ($Name && $City)检查。

或者,如果您想依靠mysql拒绝插入空白值,请确保mysql表中的字段不可为null,然后更改代码的这一部分:(但这将把验证转移到mysql(

$Name = $_POST['name']?$_POST['name']:null;
$City = $_POST['city']?$_POST['city']:null;

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium