Although the code we discussed in the previous sections will work, it has many loopholes. We will look at the different problems in the next chapters, but here let's see three of them and how we can solve them:
- Validation
- Authentication
- No response in case of 404
Right now in our code, although we are using PDO's prepare() and bindValue() methods, that only protects us from SQL injection. We are not validating all fields in the insert and update cases. We need to validate that the title stays within a specific length limit, that the status is either draft or published, and that the user_id is always one of the IDs in the users table.
The first and simplest solution is to write manual checks that validate the data coming from the user's end. This is simple, but it is a lot of work: it will work, but we can miss something, and even if we do not miss any check, there is a lot of low-level detail to deal with.
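What those manual checks look like for the three fields above, as an added example rather than the book's own code: it assumes a PDO connection in `$pdo`, a `users` table with an `id` column, and a title limit of 255 characters (the limit is an assumption; use whatever your schema defines).

```php
<?php
// Added example, not the book's code: manual validation of the post fields
// before the INSERT/UPDATE runs. Assumes a PDO connection in $pdo, a `users`
// table with an `id` column, and a title limit of 255 chars (an assumption).

const TITLE_MAX_LENGTH = 255;
const ALLOWED_STATUSES = ['draft', 'published'];

// Returns an array of error messages keyed by field; empty array means valid.
function validatePost(PDO $pdo, array $input): array
{
    $errors = [];

    // title: required, non-empty after trimming, bounded length (mb_ for UTF-8)
    $title = isset($input['title']) ? trim((string) $input['title']) : '';
    if ($title === '') {
        $errors['title'] = 'Title is required.';
    } elseif (mb_strlen($title) > TITLE_MAX_LENGTH) {
        $errors['title'] = 'Title must be at most ' . TITLE_MAX_LENGTH . ' characters.';
    }

    // status: strict whitelist; in_array with strict=true avoids loose comparison
    $status = $input['status'] ?? null;
    if (!is_string($status) || !in_array($status, ALLOWED_STATUSES, true)) {
        $errors['status'] = 'Status must be one of: ' . implode(', ', ALLOWED_STATUSES) . '.';
    }

    // user_id: must be a positive integer AND exist in the users table.
    // filter_var rejects "12abc", floats, etc.; the existence lookup is a bound
    // prepared statement so the value never becomes part of the SQL text.
    $userId = filter_var($input['user_id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($userId === false) {
        $errors['user_id'] = 'user_id must be a positive integer.';
    } else {
        $stmt = $pdo->prepare('SELECT 1 FROM users WHERE id = :id');
        $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
        $stmt->execute();
        if ($stmt->fetchColumn() === false) {
            $errors['user_id'] = 'user_id does not refer to an existing user.';
        }
    }

    return $errors;
}

// Usage inside the insert/update handler (reject with 422 before touching the DB):
// $errors = validatePost($pdo, $_POST);
// if ($errors) { http_response_code(422); echo json_encode(['errors' => $errors]); exit; }
```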
So a better way is to utilize some open source package...