防止用户在php中将名称更新为空白或空格
防止用户在php中将名称更新为空白或空格
提问于 2015-12-21 08:53:52
这是我的PHP
if ($_POST['name']){
$name = mysql_real_escape_string($_POST['name']);
$uid = $user['id'];
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "UPDATE accounts SET Name='$name' WHERE id='$uid'";
// Prepare statement
$stmt = $conn->prepare($sql);
// execute the query
$stmt->execute();
// echo a message to say the UPDATE succeeded
echo '<div style="width: 98%; max-width: 98%; border: 1px solid white; background-color: orange; color: white; vertical-align: text-top; text-align: center;">Your name has been updated!</div><br>';这是HTML
Name:</td><td><input type="text" name="name" value="<?php print_r($user['Name']); ?>" /></td></tr><tr><td>
如何编辑此项以防止用户提交空白表单或仅提交空格?有什么建议吗?
回答 2
Stack Overflow用户
发布于 2015-12-21 09:01:12
首先,为了使预准备语句能够有效地停止SQL注入,需要将它们参数化。其次,没有您应该使用的mysql_函数,也没有与PDO一起工作的函数。
下面是我将采取的方法:
if (!empty($_POST['name']) && !preg_match('/^\s*$/', $_POST['name'])){
$name = $_POST['name'];
$uid = $user['id'];
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "UPDATE accounts SET Name=? WHERE id=?";
// Prepare statement
$stmt = $conn->prepare($sql);
// execute the query
$stmt->execute(array($name, $id));
// echo a message to say the UPDATE succeeded
echo '<div style="width: 98%; max-width: 98%; border: 1px solid white; background-color: orange; color: white; vertical-align: text-top; text-align: center;">Your name has been updated!</div><br>';
} else {
echo 'Name is not valid';
}另外,如果是$_POST,$user设置在哪里?
Stack Overflow用户
发布于 2015-12-21 08:57:42
下面是我之前做的一些函数,它们应该会有帮助:
//valadations
$errors = array();
// * presence
// use trim() so empty spaces don't count
// use === to avoid false positives
// empty() would consider "0" to be empty
function has_presence($value) {
return isset($value) && $value !== "";
}
function validate_presences($required_fields) {
global $errors;
foreach($required_fields as $field) {
$value = trim($_POST[$field]);
if (!has_presence($value)) {
$errors[$field] = fieldname_as_text($field) . " can't be blank";
}
}
}
function form_errors($errors=array()) {
$output = "";
if (!empty($errors)) {
$output .= "<div class=\"error\">";
$output .= "Please fix the following errors:";
$output .= "<ul>";
foreach ($errors as $key => $error) {
$output .= "<li>";
$output .= htmlentities($error);
$output .= "</li>";
}
$output .= "</ul>";
$output .= "</div>";
}
return $output;
}如何使用简单的验证示例:
$required_fields = array("name", "email", "username");
validate_presences($required_fields);注意:数组中的值是输入字段的名称
在您的Html中,您可以这样做:
echo form_errors($errors);注意:form_errors的ul包含包含验证错误的li
或
您可以使用trim()函数
这里是我的方法,
if ($_POST['name']){
$name = mysql_real_escape_string($_POST['name']);
$uid = $user['id'];
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
$required_fields = array("name");
validate_presences($required_fields);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if(empty($errors)) {
$sql = "UPDATE accounts SET Name='$name' WHERE id='$uid'";
// Prepare statement
$stmt = $conn->prepare($sql);
// execute the query
$stmt->execute();
// echo a message to say the UPDATE succeeded
echo '<div style="width: 98%; max-width: 98%; border: 1px solid white; background-color: orange; color: white; vertical-align: text-top; text-align: center;">Your name has been updated!</div><br>';
}页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/34387617
复制相关文章
相似问题
腾讯云开发者
