將驗證添加到PDO

Question

得到了這種工作，我想如何，但我可以做些什麼更新，使其更好？

代碼：----------------------------------------

$odb = new PDO('mysql:host=localhost;dbname=db371885849', $user, $pass); 
    $odb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 


     if(isset($_POST['firstname'])) { 
       $firstname = $_POST['firstname']; 
       $lastname = $_POST['lastname']; 
       $email = $_POST['email']; 

         $q = "INSERT INTO jobform(firstname, lastname, email) VALUES (:firstname, :lastname, :email);"; 
         $query = $odb->prepare($q); 
         $results = $query->execute(array(
         ":firstname" => $firstname, 
         ":lastname" => $lastname, 
         ":email" => $email 
       )); 
       } 

++++++++++++++++++++++++更新工作+++++++++++++++++++++ +++++

$odb = new PDO('mysql:host=localhost;dbname=db371885849', $user, $pass); 
    $odb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 

     if(isset($_POST['firstname'])) { 
       $firstname = $_POST['firstname']; 
       $lastname = $_POST['lastname']; 
       $email = $_POST['email']; 
if (!empty($firstname)) 
{ 

         $q = "INSERT INTO jobform(firstname, lastname, email) VALUES (:firstname, :lastname, :email);"; 
         $query = $odb->prepare($q); 
         $results = $query->execute(array(
         ":firstname" => $firstname, 
         ":lastname" => $lastname, 
         ":email" => $email 
       )); 
       } else { 
      echo "not today"; 
     } 
       } 

Answer 1

if(!empty($_POST['firstname']) && !empty($_POST['lastname']) && filter_var($_POST['email'],FILTER_VALIDATE_EMAIL)) { 
      $firstname = $_POST['firstname']; 
      $lastname = $_POST['lastname']; 
      $email = $_POST['email']; 

        $q = "INSERT INTO jobform(firstname, lastname, email) VALUES (:firstname, :lastname, :email);"; 
        $query = $odb->prepare($q); 
        $results = $query->execute(array(
        ":firstname" => $firstname, 
        ":lastname" => $lastname, 
        ":email" => $email 
      )); 
     }else echo 'make an error'; 

Answer 2

PDO用於與數據庫進行通信，而不是驗證值（除了引用安全插入）。你將不得不執行驗證你與PDO啓動您的SQL查詢之前：

<?php 
if ($_SERVER["REQUEST_METHOD"] == "POST") { 
    if (
     // your empty() checks 
    ) { 
     // your query 
    } 
} 

Answer 3

看來你不需要任何驗證可言。 所以，我怎麼會做的，基於從標籤維基代碼

<?php 
if ($_SERVER["REQUEST_METHOD"] == "POST") { 
    $allowed = array('firstname', 'lastname', 'email'); 
    $sql = "INSERT INTO jobform SET ".pdoSet($fields,$values); 
    $stm = $dbh->prepare($sql); 
    $stm->execute($values); 
    header("Location: ".$_SERVER['PHP_SELF']); 
    exit; 
} 

但是，如果你想驗證用戶輸入，你會酬勞更復雜的代碼：

<? 
$allowed = array('firstname', 'lastname', 'email'); 
if ($_SERVER['REQUEST_METHOD']=='POST') { 

    $err = array(); 
    //performing all validations and raising corresponding errors 
    if (empty($_POST['firstname']) $err[] = "Firstname is required"; 
    if (empty($_POST['lastname']) $err[] = "Lastname is required"; 
    if (!filter_var($_POST['email'],FILTER_VALIDATE_EMAIL) { 
    $err[] = "Wrong email format"; 
    } 

    if (!$err) { 
    $sql = "INSERT INTO jobform SET ".pdoSet($fields,$values); 
    $stm = $dbh->prepare($sql); 
    $stm->execute($values); 
    header("Location: ".$_SERVER['PHP_SELF']); 
    exit; 
    } else { 
    // all field values should be escaped according to HTML standard 
    foreach ($_POST as $key => $val) { 
     $form[$key] = htmlspecialchars($val); 
    } 
} else { 
    foreach ($allowed as => $val) { 
     $form[$val] = ''; 
    } 
} 
include 'form.tpl.php';