使用PHP进行表单和SQL验证

Question

When user clicks on the Save, check whether the data is successfully inserted record to the table, and display a proper message accordingly. If forms are empty then the error message should be shown and database should not have any record.

//SAVE

if (isset($_POST['SAVE'])) {
    $Name = $_POST['name'];
    $City = $_POST['city'];
    $query = "Insert Into Info Values('$Name','$City')";
    $result = mysqli_query($con, $query) or die ("query is failed" . mysqli_error($con));
    $Name = '';
    $City = '';
    if(mysqli_affected_rows($con)>0) {
        echo "record is saved";
    }else {
        echo "record is not saved";
    }

I can only do validation through php. I am not sure if I am doing this right. So far I can get the "record is saved" message on my form, but I cannot get the latter if the form are empty. It just make an empty record in my database.

Answer 1

Checking isset($_POST['SAVE']) only tells you if "SAVE" is set. It does not tell you if the fields have values.

To do the validation in PHP, use something like the following:

if (isset($_POST['SAVE'])) {
    $Name = $_POST['name'];
    $City = $_POST['city'];
    if ($Name && $City)
    {
       //...
       //code to insert data into the database goes here
       //...

       if(mysqli_affected_rows($con)>0) {
          echo "record is saved";
       }else {
          echo "record is not saved (error saving)";
       }
    } else {
       echo "record is not saved (input was empty)";
    }
}

The key being the if ($Name && $City) check.

Alternately, if you want to rely on mysql to reject the insert on blank values, then make sure the fields in the mySql table are not nullable and then change this part of your code: (but this would be moving the validation to MySql)

$Name = $_POST['name']?$_POST['name']:null;
$City = $_POST['city']?$_POST['city']:null;

Answer 2

Untested Code:

if (!isset($_POST['SAVE'], $_POST['name'], $_POST['city'])) {  // avoid Notices
    echo "Missing required submission data";
} elseif (!strlen(trim($_POST['name']))) {  // validate however you wish
    echo "Name data is not valid";  // explain however you wish
} elseif (!strlen(trim($_POST['city']))) {  // validate however you wish
    echo "City data is not valid";  // explain however you wish
} elseif (!$con = new mysqli("localhost", "root", "", "db")) {  // declare and check for a falsey value
    echo "Connection Failure"; // $con->connect_error <-- never show actual error details to public
} elseif (!$stmt = $con->prepare("INSERT INTO Info VALUES (?,?)")) {
    echo "Error @ prepare"; // $con->error;  // don't show to public
} elseif (!$stmt->bind_param("ss", $_POST['name'], $_POST['city'])) {
    echo "Error @ bind";  // $stmt->error;  // don't show to public
} elseif (!$stmt->execute()) {
    echo "Error @ execute";  // $stmt->error;  // don't show to public
} else {
    echo "Insert Successful"; 
}

The validation conditions on the submission data ensure that the values are not empty and they are not completely comprised of whitespace characters. If you wish to refine the validation requirement further, just update the conditions.

If you want to simply ensure that $_POST['name'] and $_POST['city'] are not empty, you can replace the first three conditionals with

if (empty($_POST['SAVE']) || empty($_POST['name']) || empty($_POST['city'])) {
    echo "Submission data is missing/invalid";
}...

If you don't use a prepared statement, then name values like Paul O'Malley will break your query. Worse, if someone wants to try to run some injection attacks, your query is vulnerable.

Checking affected_rows() is unnecessary. If there is no error message from the query execution, the INSERT query was a success.

The above suggestions are all best practices which I urge you to adopt.