PDO TUTORIAL SERIES 6
Past tutorials:
5. Tutorial 4
6. Tutorial 5
For today, create a form in your public index file.
There are a few things to note in the form I have created.
1. Use htmlentities to convert all applicable characters to HTML entities. If a malicious user tries to inject markup or script into your page, the special characters are converted to entities, so the browser renders them as harmless text instead of interpreting them.
2. I also use a server variable, PHP_SELF, which means the form submits to itself. It has been recommended not to use PHP_SELF, but if you still do, never use it without htmlentities or htmlspecialchars (which escapes the same special characters). You can also use action="" to submit the form to itself; as far as I know, this is also safe against malicious input appended to your page URL.
3. I use the name attribute on my button so I can check whether the form was submitted with that particular button.
4. Don't forget to add method='POST' to your form. If you leave the method out, the default, GET, is used, which is less secure because the submitted values end up in the URL.
And here's what we have:
P.S.: I added the method, an H3 tag just to make the form a tad prettier, and placeholders.
Browser Preview:
P.S.: I used different input types so we can use PHP's filter functions to verify the type of each user input. Most modern browsers already perform these checks, but there is nothing wrong with checking again on the server. You can also add the required attribute to each input so the form will not be submitted if any field is left blank.
The next thing you should do is check that your form submits properly. I prefer checking periodically to avoid a pile of errors later.
If you followed the code above, you should notice the error: the button's name attribute does not match the check we are performing in the PHP tag above. Correct the error, enter some text, and you should have something like this:
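The form described above, as an added example that is not the tutorial author's code. The button name "register", the field names and the input types are assumptions; the submit check only works if the key tested in $_POST matches the button's name attribute exactly.

```php
<?php
// Added example, not the tutorial author's code: the form described above.
// The name on the submit button ("register") is an assumption and must match
// the key checked in $_POST, or the "was the form submitted?" test silently fails.
$submitted = isset($_POST['register']);
?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>PDO Tutorial 6</title>
</head>
<body>
<h3>Register</h3>
<!-- PHP_SELF is escaped so anything appended to the request path cannot break out of the attribute. -->
<form method="POST" action="<?php echo htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
    <!-- Different input types let the browser pre-check each value; the server re-checks anyway. -->
    <input type="text"   name="username" placeholder="Username" required>
    <input type="email"  name="email"    placeholder="Email address" required>
    <input type="number" name="age"      placeholder="Age" min="1" max="120" required>
    <input type="submit" name="register" value="Register">
</form>
<?php if ($submitted): ?>
    <p>The form was submitted with the Register button.</p>
<?php endif; ?>
</body>
</html>
```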
Now that we have our structure done, and all seems to be working well... let's focus on PHP.
The first thing I do is apply a filter to my data.
I would advise that you never use $_POST[somename] directly without applying a filter. Read more about filter_input here: http://php.net/manual/en/book.filter.php
Optionally, you can trim your input before applying filter:
You can echo out the variables to be sure all is working properly. Now, please note that PHP's built-in filters are good, but you might still want to do your own checking on the user input, as the popular saying goes: NEVER TRUST USER INPUT. Unfortunately, some developers learnt this the hard way.
Let's perform a little variable checking:
1. First, I want to double-check that the user did not somehow submit a blank form.
2. I want to double-check that the user supplied the kind/type of data I want.
Now, let's do a basic insert into the database.
Result:
OK, that's it for today.
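The filtering, the two double-checks and the insert described above, as one added example that is not the tutorial author's code. The `users` table and its columns, the button name "register" and the DSN/credentials are assumptions, and the insert already uses a prepared statement with bound parameters, which goes a step beyond the basic insert this post stops at.

```php
<?php
// Added example, not the tutorial author's code. Table name `users`, its columns,
// the button name "register" and the DSN/credentials below are assumptions (placeholders).
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$errors = [];
if (isset($_POST['register'])) {
    // Filter first; never use $_POST['...'] directly. trim() strips stray whitespace before filtering.
    $username = filter_var(trim($_POST['username'] ?? ''), FILTER_UNSAFE_RAW);
    $email    = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    $age      = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT,
                             ['options' => ['min_range' => 1, 'max_range' => 120]]);

    // 1. Double-check for a blank or missing field: the browser's "required" attribute can be
    //    bypassed, and filter_input returns null when the field is absent from the request.
    if ($username === '' || $email === null || $age === null) {
        $errors[] = 'All fields are required.';
    }
    // 2. Double-check the type/shape of each value (filter_input returns false when validation fails).
    if ($username !== '' && !preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors[] = 'Username must be 3-20 letters, digits or underscores.';
    }
    if ($email === false) {
        $errors[] = 'Please enter a valid email address.';
    }
    if ($age === false) {
        $errors[] = 'Age must be a whole number between 1 and 120.';
    }

    if (!$errors) {
        // Prepared statement with bound parameters: user data never becomes part of the SQL text.
        $stmt = $pdo->prepare('INSERT INTO users (username, email, age) VALUES (:username, :email, :age)');
        $stmt->bindValue(':username', $username, PDO::PARAM_STR);
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->bindValue(':age', $age, PDO::PARAM_INT);
        $stmt->execute();
        echo '<p>Inserted user with id ' . htmlentities($pdo->lastInsertId(), ENT_QUOTES, 'UTF-8') . '</p>';
    }
}

// Echo messages back through htmlentities, just as the form does with PHP_SELF.
foreach ($errors as $error) {
    echo '<p>' . htmlentities($error, ENT_QUOTES, 'UTF-8') . '</p>';
}
```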
I know we are taking things slowly... I have been extra busy lately. But feel free to do some personal reading online; there are lots of resources out there.
In our next tutorial, I will make the code much better and simpler (presently it looks rough and non-OOP), and then we'll do our data insert properly, the PDO way.
Thank you for reading to the end.
Endeavor to share.