StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
8474096
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
1
CommunityOwnedDate
CreationDate
2011-12-12T12:10:31.533
FavoriteCount
0
LastActivityDate
2011-12-12T12:10:31.533
LastEditDate
LastEditorUserId
0
OwnerUserId
650492
ParentId
8471925
PostTypeId
2
Score
1
ViewCount
0
LastEditorDisplayName
text
Body
Your code does not do any validation, it just <code>die</code>s when there's an error. This will not do in production code. As far as validation goes you have 2 options: A - Check the input in php and disallow any illegal values. B - Use SQL constraints and monitor the output there. Or a combination of the two. The problem with option B is that you'll just get an error back from MySQL that you'll have to handle in php. For that reason I'd go for option A. First step: escape your input The best way to do this is to use <a href="http://php.net/manual/en/ref.pdo-mysql.php" rel="nofollow">PDO</a>. If you use the <code>mysql_</code> lib you'll have to use <code>mysql_real_escape_string</code> on each and every input to escape it and quote your <code>$vars</code>; like so: <pre><code>$a = mysql_real_escape_string($_GET['param1']); examplequery = "SELECT * FROM table1 WHERE field1 = '$a' "; </code></pre> For integer values you can cast the variable to an integer, and then inject it without quotes. <pre><code>$a = intval($_GET['param1']); $b = intval($_GET['param2']); if $a > $b { list($a,$b) = array($b,$a); } //Exchange the two vars if needed. examplequery = "SELECT * FROM table1 WHERE field1 BETWEEN $a AND $b"; </code></pre> Validating your data Here again you have two options, you can hardcode the validation into php, or use SQL to check the input. I like the second approach, because it allows you to put all info in valid input into the database. Validating your data using a validation table One option is to create a table like so: <pre><code>table Checks ( fieldname varchar(50) not null, tablename varchar(50) not null, fieldtype enum('int','varchar','enum','decimal'.....) not null, min_value double default -1000000; max_value double default 1000000; validation_query varchar(1000) default null, primary key (tablename, fieldname)) ENGINE = InnoDB; </code></pre> Now you can check a param like so (using PDO): <pre><code>$stmt = $dbh->prepare("SELECT fieldtype, min_value, max_value, validation_query FROM checks WHERE fieldname = ? AND tablename = ?"); $stmt->execute(array('field1', 'table1')); $result = $stmt->fetch(PDO::FETCH_ASSOC); switch ($result['type']) { case 'int': $allOK = isnumeric($inputvalue_to_check); $allOK = $allOK AND ($intval($inputvalue_to_check) >= $result['min_value'] AND $intval($inputvalue_to_check) <= $result['max_value']); if is_null($result['validation_query']) { $sql = $result['validation_query']; $check = $dbh-?prepare($sql); $check_result = $check->execute(array($inputvalue_to_check)); $check_result->fetch(PDO::FETCH_ASSOC); if is_null($check_result['result']) { //value is not OK} break; case ....... </code></pre> Validating in php If you know your data and it's not subject to change, you can do the validation using <code>if</code> and <code>switch</code> statements. This code looks a lot like the above code, except that it does not fetch data from the database, the logic is hardcoded instead or is stored in php datastructures. 
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POavoiding blank and duplicate entries submitted to sql
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USJohan
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. POavoiding blank and duplicate entries submitted to sql
 singulars
 PostTypePostTypeId
 PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTAcceptedByOriginator
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COThank you so much for this level of detail and effort. Will really help me understand validation.
 singulars
 PostPostId
 PO
 UserUserId
 USMike Thrussell

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.