提交表单之前,请检查是否已填写某些字段
[英]Check to see if certain fields have been filled out before a form is submitted
问题描述
I have a form that is sending data to a MySQL database and I want to make sure several of the fields are not left blank. 
我有一个将数据发送到MySQL数据库的表单,并且我想确保其中的几个字段不为空。 I think I can figure out how to do this with JavaScript, but my question is should I? 我想我可以弄清楚如何使用JavaScript做到这一点,但是我的问题是吗? When I made the database table that I am working with I made the fields that I want to make sure are filled out NOT NULL to ensure I would at least get a MySQL error when they were left empty (I also realize that "empty" and NULL are not the same thing). 当我制作要使用的数据库表时,我要确保填写的字段为NOT NULL以确保当它们保留为空时至少会出现MySQL错误(我也意识到“ empty”和NULL不是同一回事)。
My question is, should I check to see if fields are empty/null with JavaScript before the form is submitted, or should I let the user attempt to submit the form and then base my corrective action on what every MySQL error I get back? 我的问题是,在提交表单之前,我应该使用JavaScript检查字段是否为空/空,还是应该让用户尝试提交表单,然后根据我得到的每个MySQL错误采取的纠正措施?
And a second question, if I do the first (check with JavaScript) what is the point of creating some fields NULL and some fields NOT NULL in my database if I am going to be catching all the possible "errors" with JavaScript before the submitted form hits the database? 还有第二个问题,如果我做的是第一个问题(使用JavaScript检查),那么在提交之前使用JavaScript捕获所有可能的“错误”时,在数据库中创建一些字段NULL和一些字段NOT NULL的意义何在?表格打数据库?
7 个解决方案
解决方案1
4 已采纳 2010-06-19 19:13:01
You should validate on the client side before sending the data to the server. 在将数据发送到服务器之前,您应该在客户端进行验证。 This would allow you to highlight errors to the user, potentially before they've submitted the data to the server. 这将使您可以在用户将数据提交给服务器之前向用户突出显示错误。
But you should also validate on the server side. 但是,您还应该在服务器端进行验证。 It's possible for someone to maliciously send invalid data to your server, bypassing the client-side validation. 有人可能会绕过客户端验证,将恶意数据恶意发送到您的服务器。
Client-side validation is good for ensuring that the user gets some helpful feedback when they haven't filled in a form correctly. 客户端验证有助于确保用户在未正确填写表单时得到一些有用的反馈。 But relying only on that validation is insecure. 但是仅依靠该验证是不安全的。 Make sure the the server doesn't allow invalid data. 确保服务器不允许无效数据。
Also, if you ever allow the data to be accessed through some sort of API, you'll want server-side validation to prevent invalid data getting into the database. 另外,如果您曾经允许通过某种API访问数据,则需要服务器端验证以防止无效数据进入数据库。
解决方案2
2 2010-06-19 19:10:27
My question is, should I check to see if fields are empty/null with JavaScript before the form is submitted, or should I let the user attempt to submit the form and then base my corrective action on what every MySQL error I get back?
Do both, check with javascript but checking with PHP is a must . 两者都使用javascript进行检查,但是必须使用PHP进行检查 。 Don't insert empty values if you want that. 如果需要,请勿插入空值。
解决方案3
1 2010-06-19 19:13:00
You should always do checks on the back-end, regardless of whether or not there are JavaScript checks. 无论是否进行JavaScript检查,您都应该始终在后端进行检查。 What if someone has JavaScript disabled? 如果有人禁用了JavaScript怎么办? What if the user is malicious and uses something like Firebug to compromise your JavaScript validation and security? 如果用户恶意并且使用Firebug之类的东西来破坏JavaScript验证和安全性怎么办? It's not only possible, it's very easy to do. 这不仅可能,而且非常容易做到。 Always check on the back end. 始终检查后端。
I would say do the check in PHP first - if any fields are empty, take them back to the form and make them fill it back out. 我会说先在PHP中进行检查-如果有任何字段为空,请将它们带回到表单中,并使其重新填写。 After it works in PHP, add JavaScript validation to make the form more usable. 在PHP中运行后,添加JavaScript验证以使该表单更可用。
解决方案4
0 2010-06-19 19:08:24
You shouldn't be messing with back-end errors like this. 您不应该对这样的后端错误感到困惑。 Make sure you validate at client side with JavaScript. 确保使用JavaScript在客户端进行验证。 Not say ignore back end validations and or sanatization. 更不用说忽略后端验证和/或清理。
解决方案5
0 2010-06-19 19:08:47
If you are not going to allow the user to submit the form with empty fields then you are correct there is no point allowing these fields to be NULL in the database. 如果您不希望用户提交带有空字段的表单,那么您是正确的,在数据库中没有必要让这些字段为NULL。
I would say that you should use Javascript to validate as a usability issue (it saves the user waiting for a page reload to discover they have not entered a required field). 我要说的是,您应该使用Javascript来验证是否存在可用性问题(它可以节省等待页面重新加载以发现他们尚未输入必填字段的用户)。 However this needs to be backed up by server side validation and appropriate error messages for users with javascript disabled. 但是,这需要通过服务器端验证和针对禁用了javascript的用户的适当错误消息进行备份。
解决方案6
0 2010-06-19 19:33:51
Your database should always enforce your assumptions about the structure of the data. 您的数据库应始终执行关于数据结构的假设。 It costs you nothing to do, but it serves as a last line of defense against corruption of your database. 它不需要您花费任何精力,但是它是防止数据库损坏的最后一道防线。
Never assume that a client side process is going to hand you well formed data. 永远不要假设客户端进程会处理您格式正确的数据。 Your server side scripts should consider anything coming from a browser as having come out of the saddle bag of a dead Pony Express rider whose horse dragged him in from the frontier. 您的服务器端脚本应该将来自浏览器的任何内容视为已死的Pony Express骑手的鞍袋中的东西,该骑手的马将他从边境拖了进来。
Check on both sides. 双方检查。 Setting your db column NOT NULL costs you nothing. 设置数据库列NOT NULL花费您任何钱。 Javascript uses the client's resources, so it also costs you nothing, and it gives your user instant feedback without having to communicate with the server. Javascript使用客户端的资源,因此它也不花钱,而且无需与服务器进行通信即可为用户提供即时反馈。
You can check that a field has data by checking that it's value attribute is not an empty string. 您可以通过检查字段的value属性是否为空字符串来检查其是否包含数据。 Something like: 就像是:
if (formElement.attachEvent) { //handle IE
formElement.attachEvent('onsubmit', function() {
if (window.event.sourceElement.someFormElement.value === '') {
// outline empty form in red or otherwise alert user of bad input
return false;
} else {
// check other fields that can't be empty
}
}
} else {
formElement.addEventListener('submit', function() {
if (this.someFormElement.value === '') {
// outline empty form in red or otherwise alert user of bad input
return false;
} else {
// check other fields that can't be empty
}
}
}
Returning false from the even handler prevents the form from being submitted. 从偶数处理程序返回false将阻止提交表单。
解决方案7
0 2010-06-19 20:53:28
I'm a newcomer to SQL, so I've been reading up on ways to destroy and hack into DBs. 我是SQL的新手,所以我一直在阅读有关销毁和侵入数据库的方法。 Frightening! 吓死我了 The bottom line, for me, is: always validate everything at your server BEFORE submitting any SQL query. 对于我来说,最重要的是:在提交任何SQL查询之前,始终验证服务器上的所有内容。 Ref: http://www.securitydocs.com/library/3587 参考: http : //www.securitydocs.com/library/3587
I also validate a lot of things via JS to maintain responsiveness, as many others have mentioned before. 我还通过JS验证了很多东西来保持响应能力,就像其他很多人之前提到的那样。
A rule that I like a lot and try to follow: validate with a whitelist , the collection of things to allow. 我非常喜欢并尝试遵循的一条规则:通过白名单进行验证,以允许收集事物。 Don't validate with a blacklist, the things to disallow. 不要用黑名单来验证,这是不允许的事情。 Why? 为什么? Because I really can't be sure the blacklist contains all things illegal. 因为我真的不能确定黑名单中是否包含所有违法的东西。 My carelessness and the constant pressure of hacker inventiveness ensure there will be hundreds or thousands of illegals. 我的粗心和黑客发明的不断压力确保将有成千上万的违法者。
It's much easier to be sure of the things that are allowable: there are relatively few of those guys. 确定允许的事情要容易得多:这些家伙相对很少。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.