将验证添加到PDO

Question

得到了这种工作，我想如何，但我可以做些什么更新，使其更好？

代码：----------------------------------------

$odb = new PDO('mysql:host=localhost;dbname=db371885849', $user, $pass); 
    $odb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 


     if(isset($_POST['firstname'])) { 
       $firstname = $_POST['firstname']; 
       $lastname = $_POST['lastname']; 
       $email = $_POST['email']; 

         $q = "INSERT INTO jobform(firstname, lastname, email) VALUES (:firstname, :lastname, :email);"; 
         $query = $odb->prepare($q); 
         $results = $query->execute(array(
         ":firstname" => $firstname, 
         ":lastname" => $lastname, 
         ":email" => $email 
       )); 
       } 

++++++++++++++++++++++++更新工作+++++++++++++++++++++ +++++

$odb = new PDO('mysql:host=localhost;dbname=db371885849', $user, $pass); 
    $odb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 

     if(isset($_POST['firstname'])) { 
       $firstname = $_POST['firstname']; 
       $lastname = $_POST['lastname']; 
       $email = $_POST['email']; 
if (!empty($firstname)) 
{ 

         $q = "INSERT INTO jobform(firstname, lastname, email) VALUES (:firstname, :lastname, :email);"; 
         $query = $odb->prepare($q); 
         $results = $query->execute(array(
         ":firstname" => $firstname, 
         ":lastname" => $lastname, 
         ":email" => $email 
       )); 
       } else { 
      echo "not today"; 
     } 
       } 

Answer 1

if(!empty($_POST['firstname']) && !empty($_POST['lastname']) && filter_var($_POST['email'],FILTER_VALIDATE_EMAIL)) { 
      $firstname = $_POST['firstname']; 
      $lastname = $_POST['lastname']; 
      $email = $_POST['email']; 

        $q = "INSERT INTO jobform(firstname, lastname, email) VALUES (:firstname, :lastname, :email);"; 
        $query = $odb->prepare($q); 
        $results = $query->execute(array(
        ":firstname" => $firstname, 
        ":lastname" => $lastname, 
        ":email" => $email 
      )); 
     }else echo 'make an error'; 

Answer 2

PDO用于与数据库进行通信，而不是验证值（除了引用安全插入）。你将不得不执行验证你与PDO启动您的SQL查询之前：

<?php 
if ($_SERVER["REQUEST_METHOD"] == "POST") { 
    if (
     // your empty() checks 
    ) { 
     // your query 
    } 
} 

Answer 3

看来你不需要任何验证可言。 所以，我怎么会做的，基于从标签维基代码

<?php 
if ($_SERVER["REQUEST_METHOD"] == "POST") { 
    $allowed = array('firstname', 'lastname', 'email'); 
    $sql = "INSERT INTO jobform SET ".pdoSet($fields,$values); 
    $stm = $dbh->prepare($sql); 
    $stm->execute($values); 
    header("Location: ".$_SERVER['PHP_SELF']); 
    exit; 
} 

但是，如果你想验证用户输入，你会酬劳更复杂的代码：

<? 
$allowed = array('firstname', 'lastname', 'email'); 
if ($_SERVER['REQUEST_METHOD']=='POST') { 

    $err = array(); 
    //performing all validations and raising corresponding errors 
    if (empty($_POST['firstname']) $err[] = "Firstname is required"; 
    if (empty($_POST['lastname']) $err[] = "Lastname is required"; 
    if (!filter_var($_POST['email'],FILTER_VALIDATE_EMAIL) { 
    $err[] = "Wrong email format"; 
    } 

    if (!$err) { 
    $sql = "INSERT INTO jobform SET ".pdoSet($fields,$values); 
    $stm = $dbh->prepare($sql); 
    $stm->execute($values); 
    header("Location: ".$_SERVER['PHP_SELF']); 
    exit; 
    } else { 
    // all field values should be escaped according to HTML standard 
    foreach ($_POST as $key => $val) { 
     $form[$key] = htmlspecialchars($val); 
    } 
} else { 
    foreach ($allowed as => $val) { 
     $form[$val] = ''; 
    } 
} 
include 'form.tpl.php';