Database Reference
In-Depth Information
2. Validate the input to make sure that it's legal. You cannot trust users to send legal
values, so check input parameters to make sure they look reasonable. For example,
if you expect a user to enter a number into a field, check the value to be sure that
it's really numeric. If a form contains a pop-up menu constructed using the per‐
mitted values of an ENUM column, you might expect the value actually returned to
be one of them. But there's no way to be sure except to check. Remember, you don't
even know there is a real user on the other end of the network connection. It might
be a malicious script roving the Web, trying to hack your site by exploiting weak‐
nesses in your form-processing code.
If you don't check input, you run the risk of storing garbage in your database or
corrupting existing content. It is true that you can prevent entry of values that are
invalid for the data types in your table columns by enabling strict SQL mode (see
Recipe 12.1 ). However, there might be additional semantic constraints on what your
application considers legal, in which case it's still useful to check values in your
script before attempting to enter them. Also, by performing checks in your script,
you may be able to present more meaningful error messages to users about problems
in the input than the messages returned by the MySQL server when it detects bad
data. For these reasons, it might be best to consider strict SQL mode a valuable
additional level of protection, not necessarily sufficient in itself. That is, combine
strict mode on the server side with client-side validation.
3. Construct an SQL statement based on the input. Typically, input parameters are
used to add a record to a database, or to retrieve information from the database for
display to the client. Either way, you use the input to construct a statement and send
it to the MySQL server. Statement construction based on user input should be done
with care, using proper escaping to avoid creating malformed or dangerous SQL
statements. Use of placeholders is a good idea here (see Recipe 2.5 ).
The rest of this recipe explores the first of these three stages of input processing (pulling
input from the execution environment). Recipes 20.6 and 20.7 cover the second and
third stages. The first stage has little to do with MySQL, but is covered here because it's
how you obtain the information used in the later stages.
Input obtained over the Web can be received in several ways, two of which are most
common:
• As part of a get request, in which case input parameters are appended to the end
of the URL. For example, the following URL invokes a PHP script named
price_quote.php and specifies item and quantity parameters with values D-0214
and 60 :
http://localhost/mcb/price_quote.php?item=D-0214&quantity=60
Such requests are generated when a user selects a hyperlink or submits a form that
specifies method="get" in the <form> tag. A parameter list in a URL begins
Search WWH ::




Custom Search