这是将数据插入数据库的不良做法吗?

时间:2012-11-13 15:30:30

标签: php mysql

我有这个函数将复选框中的数据插入到我的sql数据库中,它只是找不到,但我是新手,所以我想知道是否有更好/更安全(来自sql注入)的方法这个。我知道我应该在准备好的语句中使用PDO,但这是我稍后要解决的问题。

以下是生成html复选框的表单:

<form action="" method="post">
<?php
    if(empty($clients) === true){   
    echo '<p>You do not have any clients yet.</p>';
    }
    else
    {
    foreach($clients as $client){
    echo'
        <input type="checkbox"  name="client_data[]" value="'.$_SESSION['user_id'].'|'.$class_id.'|'.$client['first_name'].'|'.$client['nickname'].'|'.$client['last_name'].'">
        '.$client['first_name'].' ('.$client['nickname'].') '.$client['last_name'].'
         <br />';


   } // foreach($client

} // if empty 

?>

这是调用函数的php:

if (isset($_POST['exist_to_class'])){
if (empty($_POST['client_data']) === true){
    $errors [] = 'You much select a client to be added to the class.';
} else {
    if (isset($_POST['client_data']) && !empty($_POST['client_data']));
    foreach ($_POST['client_data'] as $cd){
     exist_client_to_class($cd);
     header('Location: view_class.php?class_id='.$class_id.' ');

} // foreach $cd

} // else

} //isset

这是我的函数,将数据插入db:

// add existing client to class  ----------------------------------------------------
function exist_client_to_class($cd){

list($user_id, $class_id, $first_name, $last_name, $nickname) = explode('|', $cd);
mysql_query("INSERT INTO `clients` (user_id, class_id, first_name, last_name, nickname, date) 
            VALUES('$user_id', '$class_id', '$first_name', '$last_name', '$nickname', CURDATE())");

}

首先尝试PDO准备好的声明:更新

function exist_client_to_class($cd){

try{

$stmt = $conn->prepare('INSERT INTO clients 
(user_id, class_id, first_name, last_name, nickname, date)
VALUES (:user_id, :class_id, :first_name, :last_name, :nickname, CURDATE())
');

list($user_id, $class_id, $first_name, $last_name, $nickname) = explode('|', $cd);

$stmt->execute(array(
        ':user_id' => $user_id, 
        ':class_id' => $class_id, 
        ':first_name' => $first_name,
        ':last_name' => $last_name,
        ':nickname' => $nickname
        )
        );
}

catch(PDOException $e) {
    echo 'Error: ' . $e->getMessage();
}

}

这是db连接文件:

//PDO database connect
try {
$conn = new PDO('mysql:host=localhost;dbname=customn7_cm', '**********', '**********');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec("SET CHARACTER SET utf8");
} catch(PDOException $e) {
echo 'ERROR: ' . $e->getMessage();
}

2 个答案:

答案 0 :(得分:2)

简单地说,是的。

您无论如何都没有清理或转义您的用户数据。您正在使用旧的mysql_*社区弃用函数。您最好的选择是开始使用PDOMysqli

阅读这篇文章:PHP Database Access: Are You Doing It Correctly?

答案 1 :(得分:1)

这适用于大多数sql注入:(来自php.net
decleration:
string mysql_real_escape_string(string $ unescaped_string [,resource $ link_identifier = NULL])

       // Connect
       $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password') OR die(mysql_error());
        // Query
        $query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
        mysql_real_escape_string($user),
        mysql_real_escape_string($password));