使用(准备好的声明)使我的查询更安全

时间:2015-04-28 15:20:42

标签: php mysql security mysqli prepared-statement

我正在弄清楚如何使以下查询更安全: 我已经使用过mysqli_real_escape_string,但我怀疑这会增加安全性。

我调查了以下内容: http://mattbango.com/notebook/code/prepared-statements-in-php-and-mysqli/

但我还必须考虑以下几行:

    $check_customer = mysqli_num_rows($run_c);

以下是代码

   $c_email = mysqli_real_escape_string($con,$_POST['email']);
        $c_pass = mysqli_real_escape_string($con,$_POST['pass']);
        $couponCodeLogin = mysqli_real_escape_string($con,$_POST['couponCodeLogin']);
$couponCodeLoginAmount = mysqli_real_escape_string($con,$_POST['couponCodeLoginAmount']);

        $sel_c = "select * from customers where customer_pass='$c_pass' AND customer_email='$c_email'";

        $run_c = mysqli_query($con, $sel_c);
        $check_customer = mysqli_num_rows($run_c); 
        if($check_customer==0){

        echo "<script>
        document.getElementById('loginError').innerHTML = 'Password or email is incorrect, please try again.'
        </script>";
        exit();
        }


        if($check_customer>0){
                    $crs_id = $_GET['crs_id'];

     $insert_c = "insert into customers (customer_email,coupon_code_login,coupon_code_login_amount) values ('$c_email','$couponCodeLogin','$couponCodeLoginAmount')";
                $run_c = mysqli_query($con, $insert_c); 


                $_SESSION['userCoupon'] = $_POST['couponCodeLoginAmount'];

        $_SESSION['customer_email']=$c_email; 
                        $_SESSION['userCouponName'] = $_POST['couponCodeLogin'];


        echo "<script>window.open('coursePayment.php?crs_id=$crs_id','_self')</script>";

        }
        else {
        $_SESSION['customer_email']=$c_email; 


        echo "<script>window.open('coursePayment.php?crs_id=$crs_id','_self')</script>";

        $_SESSION['userCoupon'] = $_POST['couponCodeLoginAmount'];
                $_SESSION['userCouponName'] = $_POST['couponCodeLogin'];

        }
    }


        $fname= mysqli_real_escape_string($con,$_POST['fname']);
        $lname = mysqli_real_escape_string($con,$_POST['lname']);
        $email = mysqli_real_escape_string($con,$_POST['email']);
        $pnumber = mysqli_real_escape_string($con,$_POST['pnumber']);       
 $couponCodeRegister=mysqli_real_escape_string($con,$_POST['couponCodeRegister']);
$couponCodeRegisterAmount = mysqli_real_escape_string($con,$_POST['couponCodeRegisterAmount']);

        $pass = mysqli_real_escape_string($con,$_POST['pass']);
        $cname = mysqli_real_escape_string($con,$_POST['cname']);
        $cposition = mysqli_real_escape_string($con,$_POST['cposition']);


         $insert_c = "insert into customers (customer_fname,customer_lname,customer_email,customer_number,customer_pass,customer_cname,customer_cposition,coupon_code_register,coupon_code_register_amount) values ('$fname','$lname','$email','$pnumber','$pass','$cname','$cposition','$couponCodeRegister','$couponCodeRegisterAmount')";

        $run_c = mysqli_query($con, $insert_c); 


        $insert_email = "select * from customers";
        $run_email = mysqli_query($con, $insert_email);

        $find_email = mysqli_fetch_array($run_email);
        $demail = $find_email['customer_email'];     

        if($email!= $demail)
       {
         $crs_id = $_GET['crs_id'];

         $_SESSION['userCoupon'] = $_POST['couponCodeRegisterAmount'];
         $_SESSION['userCouponName'] = $_POST['couponCodeRegister'];
         $_SESSION['customer_email']=$email; 

         echo "<script>
         document.getElementById('registerError').innerHTML = 'Account has been created successfully, Thanks!'
         </script>";
         echo "<script>window.open('coursePayment.php?crs_id=$crs_id','_self')</script>";

       }

0 个答案:

没有答案
相关问题
最新问题