Validate Form Fields to send to Database
I'm currently submitting info to the database via a form I have created:
<form method="post" action="send.php">
<input type="text" name="firstname" id="firstname" class="yourinfo"><br/>
<input type="text" name="lastname" id="lastname" value="Last Name" onfocus="this.value=''" class="yourinfo"><br/>
<input type="text" name="email" id="email" value="Email Address" onfocus="this.value=''" class="yourinfo"><br/>
<input type="text" name="date" id="datepicker" value="Enter Your Prediction" onfocus="this.value=''" class="yourinfo"><br/>
<input type="submit" value="submit">
</form>
I then have my PHP which is submitting it to the database:
<?php
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$datepicker = $_POST['date'];
//get the correct format
$new_date = date('Y-m-d',strtotime($_POST['date']));
mysql_connect ("localhost", "user", "pass") or die ('Error: ' . mysql_error());
mysql_select_db ("database");
$query="INSERT INTO table (id, firstname, lastname, email, date)
VALUES ('NULL', '".$firstname."', '".$lastname."', '".$email."', '".mysql_real_escape_string($new_date)."')";
mysql_query($query) or die (mysql_error());
header('Location: table.php');
?>
I've been told that I MUST validate the form before submitting anything to the database, but I'm not entirely sure how to do this. I know it has something to do with mysql_real_escape_string(), but I'm a little unsure of what to do.
Hope you can help.
Here are the errors:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'gezzamon'@'localhost' (using password: NO) in /home/gezzamon/public_html/allymccoist/send.php on line 4
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/gezzamon/public_html/allymccoist/send.php on line 4
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'gezzamon'@'localhost' (using password: NO) in /home/gezzamon/public_html/allymccoist/send.php on line 5
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/gezzamon/public_html/allymccoist/send.php on line 5
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'gezzamon'@'localhost' (using password: NO) in /home/gezzamon/public_html/allymccoist/send.php on line 6
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/gezzamon/public_html/allymccoist/send.php on line 6
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'gezzamon'@'localhost' (using password: NO) in /home/gezzamon/public_html/allymccoist/send.php on line 7
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/gezzamon/public_html/allymccoist/send.php on line 7
Warning: Cannot modify header information - headers already sent by (output started at /home/gezzamon/public_html/allymccoist/send.php:4) in /home/gezzamon/public_html/allymccoist/send.php on line 23
You can at least check if they are empty or not, and use a regular expression to validate the email. Also use PDO for your database; it will protect you from all forms of SQL injection.
There are plenty of tutorials about PDO on the internet.
Call mysql_real_escape_string() on all the variables to be used in your SQL statement.
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$email = mysql_real_escape_string($_POST['email']);
$datepicker = mysql_real_escape_string($_POST['date']);
Ironically here, the one thing you don't need to escape is $new_date, because you can already be certain it is in the valid and safe form Y-m-d (or it is FALSE if the date was bad). Doesn't hurt though.
$query="INSERT INTO table (id, firstname, lastname, email, date)
VALUES (NULL, '".$firstname."', '".$lastname."', '".$email."', '".mysql_real_escape_string($new_date)."')";
This is a little messy with all the quoting and concatenation. In PHP you can use string interpolation like this:
$query="INSERT INTO table (id, firstname, lastname, email, date)
VALUES (NULL, '$firstname', '$lastname', '$email', '".mysql_real_escape_string($new_date)."')";
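One way to put both answers into practice: validate each field first (the empty and email checks the first answer suggests, plus a strict date parse) and then insert with a PDO prepared statement, so the values are bound separately from the SQL text instead of being escaped into a concatenated string as in the second answer. This is an added example, not code from the question or either answer; the DSN, credentials, the table name `predictions` and the YYYY-MM-DD format the datepicker sends are assumptions.

```php
<?php
// Added example (not from the question or answers). Validate every field,
// then insert via a PDO prepared statement. DSN, credentials, table name
// `predictions` and the YYYY-MM-DD date format are assumptions.
function validate_prediction(array $post): array
{
    $errors = [];
    $clean  = [];
    // Names: required, trimmed, bounded in length.
    foreach (['firstname', 'lastname'] as $field) {
        $value = trim($post[$field] ?? '');
        if ($value === '' || mb_strlen($value) > 50) {
            $errors[$field] = "$field must be 1 to 50 characters";
        } else {
            $clean[$field] = $value;
        }
    }
    // E-mail: filter_var() does the syntax check; no hand-written regex needed.
    $email = trim($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'email address is not valid';
    } else {
        $clean['email'] = $email;
    }
    // Date: parse strictly. strtotime() accepts almost anything and returns
    // false on failure, which date() then turns into 1970-01-01; the round-trip
    // compare also rejects rolled-over dates such as 2012-02-30.
    $raw  = trim($post['date'] ?? '');
    $date = DateTime::createFromFormat('Y-m-d', $raw);
    if ($date === false || $date->format('Y-m-d') !== $raw) {
        $errors['date'] = 'date must be in YYYY-MM-DD form';
    } else {
        $clean['date'] = $raw;
    }
    return [$errors, $clean];
}

[$errors, $clean] = validate_prediction($_POST);
if ($errors) {
    http_response_code(400);
    foreach ($errors as $msg) echo htmlspecialchars($msg), "<br/>"; // escape for HTML output too
    exit;
}
$pdo = new PDO('mysql:host=localhost;dbname=database;charset=utf8mb4', 'user', 'pass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// id is assumed AUTO_INCREMENT, so it is omitted rather than inserted as the string 'NULL'.
$stmt = $pdo->prepare('INSERT INTO predictions (firstname, lastname, email, date)
                       VALUES (:firstname, :lastname, :email, :date)');
$stmt->execute($clean);
header('Location: table.php');
```

Because the query text contains only placeholders, a name like O'Brien is stored as-is and cannot alter the statement, and the validation errors are reported before any connection is opened.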