
How would I sanitize the data and check that it is not empty before putting it into my database?

I am using PDO

My code:

    $nameO = $_POST["name"];
    $number = $_POST["number"];
    $city = $_POST["city"];

    try {
        // raw $_POST values interpolated straight into the SQL string
        $sql = "INSERT INTO collection (name, citynumber, city) VALUES ('$number', '$nameO', '$city')";
        $sth = $db->query($sql);
    } catch (PDOException $e) {
        echo "SORRY!";
        exit;
    }

    header('Location: www.site.com');
Pullapooh

1 Answer


Use prepared statements:

    $sql = "INSERT INTO joukkueet (name, citynumber, city) VALUES (:number, :nameO, :city)";
    $statement = $db->prepare($sql);
    $sth = $statement->execute( ['number' => $number, 'nameO' => $nameO, 'city' => $city] );

The things like :number, :nameO and :city are placeholders for values. Using the $db->prepare function in PDO creates a PDOStatement object. Now, this object has a method execute, and as you can see, we give it an array whose keys correspond to the placeholder names. So if you have :nameO in the prepared statement, the array should have a value with the key nameO, which PDO will safely add into the SQL code.

Of course, it is best that you check the parameters before just using them (e.g. length checks or making sure that $number is numeric). You ask to check that it is not empty.

Instead of simply:

    $nameO = $_POST["name"];
    $number = $_POST["number"];
    $city = $_POST["city"];

I would suggest:

    if (empty($_POST['name']) || empty($_POST['number']) || empty($_POST['city'])) {
        exit('Please input all data!');
    }
    $nameO = $_POST["name"];
    $number = $_POST["number"];
    $city = $_POST["city"];

You may wish to handle the error another way than to stop with exit, of course. But a check with empty() can guarantee that there is at least some data in the variables.

ljacqu
  • You've covered 50% of the OP's question. *"and check not [empty()](http://php.net/manual/en/function.empty.php)"* – Funk Forty Niner Aug 21 '14 at 13:42
  • @ljacqu but how do I now run the code? I did put the code inside the `try` statement but it does nothing. – Pullapooh Aug 21 '14 at 13:48
  • @Pullapooh Hmm? The SQL portion (first code block in my answer) should do exactly the same as your code before. Putting it in `try` is correct. – ljacqu Aug 21 '14 at 13:49
  • @ljacqu Do I need to put all three lines in the `try` block? If I do I just get a blank page if I click submit on the form. And it does not put data into the database. – Pullapooh Aug 21 '14 at 13:52
  • @Pullapooh Is it possible that you've also copied my `if` check further up your file and that it is running `exit` ? Otherwise, try `var_dump($sth);` after the last line and make sure that error reporting is enabled. – ljacqu Aug 21 '14 at 13:54
  • @ljacqu I get: bool(true) And: Warning: Cannot modify header information - headers already sent. But now the data goes into my database. – Pullapooh Aug 21 '14 at 14:08
  • 1
    bool(true) is good; it means it worked successfully. The warning happened because of the output of `var_dump()`. `header()` only works without _any_ output before. But you can remove `var_dump()` again; it was just to verify that `$sth` is indeed `true`. – ljacqu Aug 21 '14 at 14:19
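The following is an added, self-contained example (not code from the question or the answer) that puts the two halves of the answer together: field validation first, then an insert through a PDO prepared statement with named placeholders. It uses an in-memory SQLite database so it runs offline; the table name `collection` and the three field names are taken from the question, the column types, length limit and the function names `validateCollectionInput` / `insertCollectionRow` are assumptions. One caveat it handles that the answer's `empty()` check does not: `empty("0")` is `true` in PHP, so a legitimate value of `0` would be rejected; a trimmed string-length check avoids that. The sample submissions are constructed for the example.

```php
<?php
// Added example: validate form fields, then insert with a PDO prepared statement.
// Uses in-memory SQLite so it runs offline; table/column names assumed from the question.
declare(strict_types=1);

function validateCollectionInput(array $post): array
{
    $errors = [];
    foreach (['name', 'number', 'city'] as $field) {
        // empty() would also reject the string "0", so check trimmed length instead
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $errors[$field] = "$field is required";
        }
    }
    if (isset($post['number']) && !ctype_digit((string) $post['number'])) {
        $errors['number'] = 'number must be a non-negative integer';
    }
    foreach (['name', 'city'] as $field) {
        // 100 is an assumed limit; match it to the column definition in your schema
        if (isset($post[$field]) && strlen((string) $post[$field]) > 100) {
            $errors[$field] = "$field is too long";
        }
    }
    return $errors;
}

function insertCollectionRow(PDO $db, array $post): int
{
    // Named placeholders: the values never become part of the SQL text
    $sql = 'INSERT INTO collection (name, citynumber, city) VALUES (:name, :number, :city)';
    $stmt = $db->prepare($sql);
    $stmt->execute([
        'name'   => $post['name'],
        'number' => (int) $post['number'],
        'city'   => $post['city'],
    ]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // throw PDOException instead of silent failure
]);
$db->exec('CREATE TABLE collection (id INTEGER PRIMARY KEY, name TEXT, citynumber INTEGER, city TEXT)');

// Constructed sample submissions standing in for $_POST
$submissions = [
    ['name' => "O'Brien", 'number' => '42',  'city' => 'Helsinki'], // valid; the apostrophe is data, not SQL
    ['name' => '',        'number' => '7',   'city' => 'Turku'],    // missing name
    ['name' => 'Kalle',   'number' => 'abc', 'city' => 'Tampere'],  // non-numeric number
];

foreach ($submissions as $post) {
    $errors = validateCollectionInput($post);
    if ($errors !== []) {
        echo 'Rejected: ' . implode('; ', $errors) . PHP_EOL;
        continue;
    }
    try {
        $id = insertCollectionRow($db, $post);
        echo "Inserted row $id" . PHP_EOL;
    } catch (PDOException $e) {
        // Keep the driver message in the server log; show the user only a generic notice
        error_log($e->getMessage());
        echo 'Sorry, could not save your data.' . PHP_EOL;
    }
}

// Confirm the first row was stored with the apostrophe intact
$row = $db->query('SELECT name FROM collection WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
var_dump($row['name'] === "O'Brien");
```

Run it with `php example.php` (needs the `pdo_sqlite` and `ctype` extensions, both enabled in a default PHP build). In a real form handler the `echo` calls would be replaced by the redirect the question uses; as the comment thread notes, `header('Location: ...')` only works if nothing has been output before it, so any debugging output such as `var_dump()` has to be removed first.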