我有这个脚本。我已经被警告说它可能不安全并且容易受到某些攻击方法的攻击?任何人都可以进一步深入解释这一点吗?
$first = mysqli_real_escape_string($conn, htmlentities($_POST['first']));
$last = mysqli_real_escape_string($conn, htmlentities($_POST['last']));
$username = mysqli_real_escape_string($conn, htmlentities($_POST['uid']));
$password = mysqli_real_escape_string($conn, md5(htmlentities($_POST['password'])));
$email = mysqli_real_escape_string($conn, strtolower(htmlentities($_POST['email'])));
$unid = md5(generateRandomString());
$grp = 'user';
$chk_query = "SELECT email, username FROM accounts where email = '".$email."' and username = '".$username."'" or die("Error in the select" . mysqli_error($conn));
$chk_result = $conn->query($chk_query);
$num_rows = mysqli_num_rows($chk_result);
if($num_rows>0) {
$err_msg="Sorry! This email address or username is already in use!";
die($err_msg);
exit();
}
//******************************************************************************
$sql = "INSERT INTO accounts (first, last, email, username, password, unid, grp)
VALUES ('$first', '$last', '$email', '$username', '$password', '$unid', '$grp')";
if ($conn->query($sql) === TRUE) {} else {
die("An Error has occured. Contact an admin.");
}
$conn->close();