我是PHP新手
当前正在构建我的第一个Web应用程序!
我创建了这个PHP脚本来注册/注册我的Web应用, 我希望它可以防止SQL注入 所以在这里我需要一些指导,我从零开始自我学习了一切!
所以我决定使用我所阅读和学习的东西。
这是我的代码:
$server = "localhost";
$user = "root";
$pass = "";
$selected_db = "User";
$selected_table = "usersbio";
// Create connection
$linking = new mysqli($server, $user, $pass, $selected_db);
// Input variable
$firstname = mysqli_real_escape_string($linking, $_POST['firstname']);
$lastname = mysqli_real_escape_string($linking, $_POST['lastname']);
$userpass = mysqli_real_escape_string($linking, $_POST['userpass']);
$useremail = mysqli_real_escape_string($linking, $_POST['useremail']);
$udob_d = mysqli_real_escape_string($linking, $_POST['userdobd']);
$udob_m = mysqli_real_escape_string($linking, $_POST['userdobm']);
$udob_y = mysqli_real_escape_string($linking, $_POST['userdoby']);
$hashingpass = password_hash($userpass, PASSWORD_DEFAULT);
// Saving data to db - table
$stmt = $linking->prepare("INSERT INTO $selected_table (userfirstname,
userlastname, userpasskey, useremail, userdobd, userdobm, userdoby)
VALUES ('?', '?', '?', '?', '?', '?', '?')");
$stmt->bind_param('s', 's', 's', 's', 'i', 's', 'i', $firstname,
$lastname, $hashingpass, $useremail, $udob_d, $udob_m, $udob_y);
$stmt->execute();
$linking->close();
答案 0 :(得分:2)
如果您刚刚入门,建议您使用PDO代替旧的mysqli接口。它不那么冗长,更易于使用。这是您的代码外观:
<?php
$server = "localhost";
$user = "root";
$pass = "";
$selected_db = "User";
// Create connection
$linking = new PDO("mysql:host=$server;dbname=$selected_db", $user, $pass);
// Saving data to db - table
$query = "
INSERT INTO usersbio
(userfirstname, userlastname, userpasskey, useremail, userdobd, userdobm, userdoby)
VALUES (?, ?, ?, ?, ?, ?, ?)";
$params = [
$_POST["firstname"],
$_POST["lastname"],
password_hash($_POST["userpass"], PASSWORD_DEFAULT),
$_POST["useremail"],
$_POST["userdobd"],
$_POST["userdobm"],
$_POST["userdoby"],
];
$stmt = $linking->prepare($query);
$stmt->execute($params);
$linking->close();
答案 1 :(得分:0)
您的prepare()语句似乎应该起作用...
也如Alex Howansky所说:
不要依靠real_escape_string()函数来防止SQL注入,仅靠它们是不够的。您应该通过mysqli或PDO使用带有绑定参数的准备好的语句。这篇文章有一些很好的例子。
引用:How can I prevent SQL injection in PHP?
您还必须删除问号周围的单引号...
尝试:
$server = "localhost";
$user = "root";
$pass = "";
$selected_db = "User";
$selected_table = "usersbio";
// Create connection
$linking = new mysqli($server, $user, $pass, $selected_db);
// Input variable
$firstname = mysqli_real_escape_string($linking, $_POST['firstname']);
$lastname = mysqli_real_escape_string($linking, $_POST['lastname']);
$userpass = mysqli_real_escape_string($linking, $_POST['userpass']);
$useremail = mysqli_real_escape_string($linking, $_POST['useremail']);
$udob_d = mysqli_real_escape_string($linking, $_POST['userdobd']);
$udob_m = mysqli_real_escape_string($linking, $_POST['userdobm']);
$udob_y = mysqli_real_escape_string($linking, $_POST['userdoby']);
$hashingpass = password_hash($userpass, PASSWORD_DEFAULT);
// Saving data to db - table
$stmt = $linking->prepare("INSERT INTO $selected_table (userfirstname,
userlastname, userpasskey, useremail, userdobd, userdobm, userdoby)
VALUES (?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param('ssssisi', $firstname,
$lastname, $hashingpass, $useremail, $udob_d, $udob_m, $udob_y);
$stmt->execute();
$linking->close();
这是更新的查询:
INSERT INTO $selected_table (userfirstname, userlastname, userpasskey, useremail, userdobd, userdobm, userdoby)
VALUES (?, ?, ?, ?, ?, ?, ?)
如果您需要有关准备好的语句的更多帮助,请查看以下链接:
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php