//database connection
include ("inc/db.php");
// select record from mysql
$sql="SELECT c.conference_id, concat(s.firstName,' ',s.lastName) as
Student, concat(ta.firstName,' ',ta.lastName) as Teacher, ta.title, sc.schoolName,
sc.logo, sc.phone, sc.fax, sc.css, sc.studentHours,
concat(ts.month,'/',ts.day,'/',ts.year) as Date, ts.startTime,
ts.endTime, ta.room, p.parent_id
FROM conference c,
student s,
teacherAdmin ta,
school sc,
timeslots ts,
parent p
WHERE c.conference_id = ts.conference_id
and ta.teacherAdmin_id = ts.teacherAdmin_id
and p.parent_id = c.parent_id
and s.student_id = c.student_id
and sc.school_id = ta.school_id
and s.student_id = '".$student_id."'
and c.parent_id = '".$parent_id."'
GROUP BY conference_id";
$result = $conn->query($sql);
?>
答案 0 :(得分:-4)
是的,这个sql已准备好注入。如果$ student_id的值为“0 OR 1 = 1; - ”,则会转储所有表格。