I got this working the way I want it, but what could I update to make it better?
Code: ----------------------------------------
$odb = new PDO('mysql:host=localhost;dbname=db371885849', $user, $pass);
$odb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if(isset($_POST['firstname'])) {
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$q = "INSERT INTO jobform(firstname, lastname, email) VALUES (:firstname, :lastname, :email);";
$query = $odb->prepare($q);
$results = $query->execute(array(
":firstname" => $firstname,
":lastname" => $lastname,
":email" => $email
));
}
++++++++++++++++++++++++ UPDATE (working) ++++++++++++++++++++++++++
$odb = new PDO('mysql:host=localhost;dbname=db371885849', $user, $pass);
$odb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if(isset($_POST['firstname'])) {
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
if (!empty($firstname))
{
$q = "INSERT INTO jobform(firstname, lastname, email) VALUES (:firstname, :lastname, :email);";
$query = $odb->prepare($q);
$results = $query->execute(array(
":firstname" => $firstname,
":lastname" => $lastname,
":email" => $email
));
} else {
echo "not today";
}
}
if(!empty($_POST['firstname']) && !empty($_POST['lastname']) && filter_var($_POST['email'],FILTER_VALIDATE_EMAIL)) {
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$q = "INSERT INTO jobform(firstname, lastname, email) VALUES (:firstname, :lastname, :email);";
$query = $odb->prepare($q);
$results = $query->execute(array(
":firstname" => $firstname,
":lastname" => $lastname,
":email" => $email
));
}else echo 'make an error';
It looks like no validation is needed at all. So, how would I do it? Code based on the tag wiki:
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // whitelist of POST fields that may become column names
    $allowed = array('firstname', 'lastname', 'email');
    // pdoSet() is the tag-wiki helper (not shown here): it builds the
    // "col=:col, ..." list from $allowed and fills $values with the bound data
    $sql = "INSERT INTO jobform SET ".pdoSet($allowed, $values);
    $stm = $dbh->prepare($sql);
    $stm->execute($values);
    header("Location: ".$_SERVER['PHP_SELF']);
    exit;
}
But if you want to validate the user input, you need more complex code:
<?php
$allowed = array('firstname', 'lastname', 'email');
if ($_SERVER['REQUEST_METHOD']=='POST') {
    $err = array();
    //performing all validations and raising corresponding errors
    if (empty($_POST['firstname'])) $err[] = "Firstname is required";
    if (empty($_POST['lastname'])) $err[] = "Lastname is required";
    if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
        $err[] = "Wrong email format";
    }
    if (!$err) {
        // pdoSet() is the tag-wiki helper (not shown here)
        $sql = "INSERT INTO jobform SET ".pdoSet($allowed, $values);
        $stm = $dbh->prepare($sql);
        $stm->execute($values);
        header("Location: ".$_SERVER['PHP_SELF']);
        exit;
    } else {
        // all field values should be escaped according to HTML standard
        foreach ($_POST as $key => $val) {
            $form[$key] = htmlspecialchars($val);
        }
    }
} else {
    // first visit: show an empty form
    foreach ($allowed as $val) {
        $form[$val] = '';
    }
}
include 'form.tpl.php';
PDO is used to communicate with the database, not to validate values (apart from quoting them for safe insertion). Validation must be done before you launch the SQL query with PDO:
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (
// your empty() checks
) {
// your query
}
}
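Putting both answers together (validate first, then a whitelist-driven prepared INSERT, then redirect), here is an added example that is not code from the question or either answer. buildInsert() is a hypothetical helper written here in the spirit of the pdoSet() the first answer mentions, and $odb is assumed to be the PDO connection opened in the question.

```php
<?php
// Added example, not code from the question or either answer. buildInsert()
// is a hypothetical helper in the spirit of the pdoSet() the answer mentions;
// $odb is assumed to be the PDO connection opened in the question.
// Return the POST field as a string, or '' if it is missing or not a string
// (a "firstname[]" array would otherwise reach empty()/htmlspecialchars()).
function field(array $in, string $key): string
{
    return (isset($in[$key]) && is_string($in[$key])) ? $in[$key] : '';
}
// Validate first; return a list of error messages (empty array = valid).
function validateJobForm(array $in): array
{
    $err = [];
    if (trim(field($in, 'firstname')) === '') $err[] = "Firstname is required";
    if (trim(field($in, 'lastname')) === '')  $err[] = "Lastname is required";
    if (!filter_var(field($in, 'email'), FILTER_VALIDATE_EMAIL)) {
        $err[] = "Wrong email format";
    }
    return $err;
}
// Build "INSERT INTO `t` (`a`, `b`) VALUES (:a, :b)" from a whitelist.
// Only whitelisted names become column identifiers and every value is bound,
// so unexpected POST keys are dropped and no user data reaches the SQL text.
function buildInsert(string $table, array $allowed, array $source, array &$values): string
{
    $cols = [];
    $values = [];
    foreach ($allowed as $f) {
        $cols[] = '`' . str_replace('`', '``', $f) . '`';
        $values[':' . $f] = field($source, $f);
    }
    return sprintf('INSERT INTO `%s` (%s) VALUES (%s)',
        str_replace('`', '``', $table), implode(', ', $cols), implode(', ', array_keys($values)));
}
$allowed = ['firstname', 'lastname', 'email'];
$form = array_fill_keys($allowed, '');          // empty form on first visit
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $err = validateJobForm($_POST);
    if (!$err) {
        $sql = buildInsert('jobform', $allowed, $_POST, $values);
        $odb->prepare($sql)->execute($values);
        header('Location: ' . $_SERVER['PHP_SELF']);   // redirect after POST
        exit;
    }
    // invalid: escape submitted values for re-display in the form template
    foreach ($allowed as $f) $form[$f] = htmlspecialchars(field($_POST, $f));
}
```

Whatever the template does with $form and $err afterwards, the database only ever sees the three whitelisted columns with bound values, and only after validation has passed.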