Question

我的网站上有一个代码，它调用特定行的引脚，而不是来自该行的回声数据。我需要知道如何使用代码阻止SQL注入。

这是：

<?php
if (isset($_GET['pin']))
{
$con=mysqli_connect("server.com","username","password","database");
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
$result = mysqli_query($con,"SELECT * FROM beta WHERE pin = " . $_GET['pin']);
while($row = mysqli_fetch_array($result))
  {
  echo "<table width='600px'><td width='200px'><font face='arial' size='2px'>" . $row['name_pin'] . " " . $row['pin'] . "</font></td><td width='200px'><font face='arial' size='2px'>" . $row['name_info'] . "" . $row['info'] . "</font></td><td width='200px'><font face='arial' size='2px'>" . $row['name_stat'] . " " . $row['stat'] . "</font></td></table>";
  echo "<br>";
  }
mysqli_close($con);
}
?>

提前感谢所有帮助！ P.S。：你越是信息越好。

Answer 1

参数化了值

$pin = $_GET['pin'];
$stmt = $dbConnection->prepare('SELECT * FROM beta WHERE pin =  ?');
$stmt->bind_param('s', $pin);
$stmt->execute();

More on this link...

Answer 2

<?php
if (isset($_GET['pin'])){
$con=mysqli_connect("server.com","username","password","database");
$pin= mysqli_real_escape_string($con, $_GET['pin']);
//rest of code,

http://php.net/manual/en/mysqli.real-escape-string.php

通过$ _Get防止SQL注入

2 个答案: