Creating a Form to POST into MySQL using PDO properly?


Problem description

I'm trying to use a PDO Wrapper Class and in general for proper security against SQL injections as good practice. Trying to learn the clean bare essentials for filling out a form to POST into MySQL.

So, at one point my form was inserting data into the MySQL table, but was doing multiple records on refresh after submit. Then I researched a cleaner way to write the processor but am now having trouble making it insert into the table. Not sure if maybe there is a discrepancy between the Processor and the "class.db.php" file?

I've searched a lot for "how-to's" having no success in a consistent answer. Trying to understand what I'm doing wrong, desiring an answer of best practice. Everything I've seen is all over the map.

Here's where I'm at: For reference I started here first http://webdevelopingcat.com/php-mysql-tutorial-for-beginners-inserting-rows-with-pdo/

Then at the top of the document I'm including, if you google it, the https://code.google.com/p/php-pdo-wrapper-class/ project as a basis for the class implementation.

<?php
include("class.db.php");
$version = "1.0.2";
$released = "December 9, 2010";
?>

Then a simple form within the body.

<?php
if ( empty( $_POST ) ){
?>

<form name='registration' action='success.php' method='POST'>
<label for='FName'>First Name: </label>
<input type="text" id="FName" name="FName" />

<label for='LName'>Last Name: </label>
<input type="text" id="LName" name="LName" />

<label for='Age'>Age: </label>
<input type="number" id="Age" name="Age" />

<label for='Gender'>Gender: </label>
<input type="text" id="Gender" name="Gender" />

<button type="submit">Submit</button>
</form>

Finally the form processor also within the body.

<?php
} else {
//process the form here
//
// Connect to database
$db = new db("mysql:host=localhost;dbname=pdodb", "root", "root");

$form = $_POST;
$first = $form[ 'FName' ];
$last = $form[ 'LName' ];
$myage = $form[ 'Age' ];
$gen = $form[ 'Gender' ];

$sql = "INSERT INTO mytable ( FName, LName, Age, Gender ) VALUES ( :first, :last, :myage, :gen )";

$query = $db->prepare( $sql );
$query->execute( array( ':first'=>$first, ':last'=>$last, ':myage'=>$myage, ':gen'=>$gen ) );

}
?>

The MANUAL way works. Referenced culttt.com post about: prevent-php-sql-injection-with-pdo-prepared-statements

// Create array of data to insert
$insert = array(
"FName" => "John",
"LName" => "Doe",
"Age" => 26,
"Gender" => "male"
);
// Insert the array into the table
$db->insert("mytable", $insert);

Recommended answer

Your form is posting to success.php, so make sure that the insert code is in the success.php file:

<?php
// Get POST data
$first = (!empty($_POST['FName']) ? $_POST['FName'] : '');
$last = (!empty($_POST['LName']) ? $_POST['LName'] : '');
$myage = (!empty($_POST['Age']) ? $_POST['Age'] : '');
$gen = (!empty($_POST['Gender']) ? $_POST['Gender'] : 0);

try {
    // Connect to db
    $db = new db('mysql:dbname=pdodb;host=localhost', 'root', 'root');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Set SQL
    $sql = 'INSERT INTO mytable (FName, LName, Age, Gender) VALUES (:first, :last, :myage, :gen)';
    // Prepare query
    $query = $db->prepare($sql);
    // Execute query
    $query->execute(array(':first' => $first, ':last' => $last, ':myage' => $myage, ':gen' => $gen));
} catch (PDOException $e) {
    echo 'Error: ' . $e->getMessage();
}

Thanks,

Andrew
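A complete success.php along the lines of the answer above, as an added example (not the asker's or the answerer's code): it connects with PDO directly rather than the wrapper class, validates Age as an integer before binding it with PDO::PARAM_INT, disables emulated prepares so values travel separately from the SQL text, and finishes with a 303 redirect so the refresh-after-submit that produced duplicate rows in the question cannot re-run the INSERT. It assumes the DSN, credentials and mytable columns from the question and a hypothetical thanks.html landing page.

```php
<?php
// success.php: added example, not the asker's or the answerer's code.
// Assumes the DSN, credentials and "mytable" columns from the question; thanks.html is a hypothetical landing page.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=pdodb;charset=utf8mb4', 'root', 'root', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw instead of silently skipping the INSERT
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares: values never touch the SQL text
    ]);
}

// Validate and normalise the POST fields; null means the request is unusable.
function validateRegistration(array $post): ?array
{
    $first = trim((string) ($post['FName'] ?? ''));
    $last  = trim((string) ($post['LName'] ?? ''));
    $gen   = trim((string) ($post['Gender'] ?? ''));
    // Age must be an integer in a plausible range, not whatever string the client sent
    $age   = filter_var($post['Age'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($first === '' || $last === '' || $gen === '' || $age === false) {
        return null;
    }
    return ['FName' => $first, 'LName' => $last, 'Age' => $age, 'Gender' => $gen];
}
function insertRegistration(PDO $db, array $row): void
{
    $stmt = $db->prepare('INSERT INTO mytable (FName, LName, Age, Gender) VALUES (:first, :last, :age, :gen)');
    $stmt->bindValue(':first', $row['FName'],  PDO::PARAM_STR);
    $stmt->bindValue(':last',  $row['LName'],  PDO::PARAM_STR);
    $stmt->bindValue(':age',   $row['Age'],    PDO::PARAM_INT); // typed binding for the numeric column
    $stmt->bindValue(':gen',   $row['Gender'], PDO::PARAM_STR);
    $stmt->execute();
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}
$row = validateRegistration($_POST);
if ($row === null) {
    http_response_code(400);
    exit('Invalid form data');
}
insertRegistration(connect(), $row);
// Post/Redirect/Get: the browser lands on a GET page, so a refresh does not re-submit the INSERT
header('Location: thanks.html', true, 303);
exit;
```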
