
PHP filter_input() and bindValue()

I am writing a basic CRUD application to get my head around PHP. I am a little confused as to what exactly the following code is doing. I understand the general concept of it but I am not 100% sure of the logic going on.

I am hoping someone might be able to help me understand it a bit better?

This is my script

<?php
//Establish connection to db ($db is expected to be a PDO instance created in db.php)
require_once 'includes/db.php';

//Array for validation
$errors = array();

//Sanitize the fields to ensure db integrity.
//Note: these filters alter the value rather than reject it. FILTER_SANITIZE_STRING strips
//tags (and is deprecated as of PHP 8.1); FILTER_SANITIZE_NUMBER_INT removes every character
//except digits, + and -, so a date such as "2015-03-01" becomes "20150301". filter_input()
//returns null if the field is absent and false if the filter fails.
$title = filter_input(INPUT_POST, 'title', FILTER_SANITIZE_STRING);
$release_date = filter_input(INPUT_POST, 'release_date', FILTER_SANITIZE_NUMBER_INT);
$publisher = filter_input(INPUT_POST, 'publisher', FILTER_SANITIZE_STRING);
$system = filter_input(INPUT_POST, 'system', FILTER_SANITIZE_STRING);
$rating = filter_input(INPUT_POST, 'rating', FILTER_SANITIZE_NUMBER_INT);
$num_players = filter_input(INPUT_POST, 'num_players', FILTER_SANITIZE_NUMBER_INT);


if($_SERVER['REQUEST_METHOD']=='POST'){

    //Validate the form (empty() also treats "0" as empty, so a rating of 0 would be rejected)
    if(empty($title)){
        $errors['title'] = true;
    }
    if(empty($release_date)){
        $errors['release_date'] = true;
    }
    if(empty($publisher)){
        $errors['publisher'] = true;
    }
    if(empty($system)){
        $errors['system'] = true;
    }
    if(empty($rating)){
        $errors['rating'] = true;
    }
    if(empty($num_players)){
        $errors['num_players'] = true;
    }

    //If no errors
    if(empty($errors)){
        //Build SQL Statement: the placeholders (:title etc.) are sent to the server
        //separately from the values, which is what prevents SQL injection here
        $sql = $db->prepare("INSERT INTO videogames SET title = :title, release_date = :release_date, publisher = :publisher, system = :system, rating = :rating, num_players = :num_players");
        //Bind values (release_date was filtered as an integer but is bound as a string)
        $sql -> bindValue(':title', $title, PDO::PARAM_STR);
        $sql -> bindValue(':release_date', $release_date, PDO::PARAM_STR);
        $sql -> bindValue(':publisher', $publisher, PDO::PARAM_STR);
        $sql -> bindValue(':system', $system, PDO::PARAM_STR);
        $sql -> bindValue(':rating', $rating, PDO::PARAM_INT);
        $sql -> bindValue(':num_players', $num_players, PDO::PARAM_INT);

        //Execute SQL
        $sql -> execute();

        //Redirect back to homepage
        header('Location: index.php');
        exit();
    }
}

?>

I am a little confused as to what this line of code is doing:

$title = filter_input(INPUT_POST, 'title', FILTER_SANITIZE_STRING);

Is it assigning the value in the input field of the form to the $title variable?

Also this line:

        $sql -> bindValue(':title', $title, PDO::PARAM_STR);

I read in the documentation that this

Binds a value to a corresponding named or question mark placeholder in the SQL statement that was used to prepare the statement.

If I am storing the data already in the $title variable then is there another way to prepare my SQL statement?

I'd appreciate any help, as I am trying to expand my knowledge of PHP. Many thanks!

Question 1 - filter_input

I am a little confused as to what this line of code is doing:

$title = filter_input(INPUT_POST, 'title', FILTER_SANITIZE_STRING);

Is it assigning the value in the input field of the form to the $title variable?

Yes.

filter_input was introduced in PHP 5. What this line of code is doing is grabbing the input variable ($_POST['title']) and then applying a SANITIZE method on it, that is: "Strip tags, optionally strip or encode special characters."

Question 2 - bindValue

Also this line:

$sql -> bindValue(':title', $title, PDO::PARAM_STR);

If I am storing the data already in the $title variable then is there another way to prepare my SQL statement?

I don't actually understand this question, however I'll try my best.

This is a PDO method to bind a value to a prepared query. Effectively, it does this:

  • Hey MySQL, here's a query I need you to run
    • Query these tables
    • Get these columns back
  • MySQL does this
  • Hey MySQL, remember that query I asked you to run? Here's the values to filter the result set

You can read more about preparing and binding here: http://use-the-index-luke.com/sql/where-clause/bind-parameters

Another way in which you could prepare the query is the use of mysqli, but the logic is the same.


This question was asked a year ago. I didn't revive it, OP edited his question and it was bumped. I see nothing wrong answering a question if OP still shows interest in an answer (by bumping) no matter the age of the question
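The following is an added example, not code from the question or the answer above. It shows the two points the answer makes in running form: input is validated with filter_var() (FILTER_VALIDATE_INT rejects bad values instead of silently rewriting them, and it replaces FILTER_SANITIZE_STRING, which is deprecated as of PHP 8.1), and the values are then inserted and looked up with PDO bound parameters. It also demonstrates why the binding, not the sanitizing filter, is what stops SQL injection. The in-memory SQLite database, the constructed $post array standing in for $_POST, and the validateForm() helper are assumptions made for this example; the table mirrors the question's videogames table.

```php
<?php
// Added example (not the original poster's or answerer's code): validate with
// filter_var(), insert and query with bound parameters, and compare a bound
// lookup with an interpolated one. Uses an in-memory SQLite database (assumed
// available via pdo_sqlite) so it runs without MySQL.

declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the driver do real parameter binding
]);
$db->exec('CREATE TABLE videogames (
    id INTEGER PRIMARY KEY, title TEXT, release_date INTEGER, publisher TEXT,
    system TEXT, rating INTEGER, num_players INTEGER)');

// Constructed stand-in for $_POST. In the real script use
// filter_input(INPUT_POST, ...) with the same filters and options.
$post = [
    'title'        => "Robert'); DROP TABLE videogames; --",
    'release_date' => '2015',
    'publisher'    => 'Example Co',
    'system'       => 'PC',
    'rating'       => '0',   // a legitimate zero: empty() would wrongly reject it
    'num_players'  => '4',
];

/** Validate (not just sanitize) a submitted form; returns [errors, clean values]. */
function validateForm(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (['title', 'publisher', 'system'] as $field) {
        $value = trim((string) ($post[$field] ?? ''));
        // Keep the text exactly as typed and enforce a byte-length limit;
        // escape with htmlspecialchars() at output time, not here.
        if ($value === '' || strlen($value) > 200) {
            $errors[$field] = true;
        } else {
            $clean[$field] = $value;
        }
    }
    $intRanges = ['release_date' => [1950, 2100], 'rating' => [0, 10], 'num_players' => [1, 64]];
    foreach ($intRanges as $field => [$min, $max]) {
        // FILTER_VALIDATE_INT returns false for anything that is not a whole,
        // in-range integer, so "2015-03-01" or "abc" is rejected, not rewritten.
        $value = filter_var($post[$field] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        if ($value === false) {
            $errors[$field] = true;
        } else {
            $clean[$field] = $value;
        }
    }
    return [$errors, $clean];
}

[$errors, $clean] = validateForm($post);
if ($errors !== []) {
    throw new RuntimeException('invalid fields: ' . implode(', ', array_keys($errors)));
}

// Same INSERT as the question, every value bound: the title above reaches the
// database as data, never as part of the SQL text.
$stmt = $db->prepare('INSERT INTO videogames (title, release_date, publisher, system, rating, num_players)
                      VALUES (:title, :release_date, :publisher, :system, :rating, :num_players)');
$stmt->bindValue(':title', $clean['title'], PDO::PARAM_STR);
$stmt->bindValue(':release_date', $clean['release_date'], PDO::PARAM_INT);
$stmt->bindValue(':publisher', $clean['publisher'], PDO::PARAM_STR);
$stmt->bindValue(':system', $clean['system'], PDO::PARAM_STR);
$stmt->bindValue(':rating', $clean['rating'], PDO::PARAM_INT);
$stmt->bindValue(':num_players', $clean['num_players'], PDO::PARAM_INT);
$stmt->execute();

// The payload is stored verbatim and the table still exists.
$stored = $db->query('SELECT title FROM videogames')->fetchColumn();
if ($stored !== $post['title']) {
    throw new RuntimeException('title was not stored as submitted');
}

// Lookup by title, both ways, with a classic tautology payload.
$needle = "' OR '1'='1";

// Bound: the quotes are part of the value, so nothing matches.
$find = $db->prepare('SELECT COUNT(*) FROM videogames WHERE title = :t');
$find->bindValue(':t', $needle, PDO::PARAM_STR);
$find->execute();
$boundCount = (int) $find->fetchColumn();

// Interpolated: the quotes close the literal and the WHERE clause becomes always true.
$interpolatedCount = (int) $db->query(
    "SELECT COUNT(*) FROM videogames WHERE title = '$needle'")->fetchColumn();

printf("bound lookup matched %d row(s), interpolated lookup matched %d row(s)\n",
    $boundCount, $interpolatedCount);
```

Run it with `php example.php`. The bound lookup matches no rows, because the string with its quotes is compared as a value, while the interpolated lookup matches every row, because the quotes rewrote the query. This is the "here's the query, now here are the values" separation the answer describes, and it is independent of whatever sanitizing filter was applied first.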

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
