我有以下PHP函数:
public function signup() {
$mysql = mysqli_connect(HOSTNAME, USERNAME, PASSWORD, DATABASE);
if (mysqli_connect_errno($mysql)) {
$this->viewModel->set("pageTitle", "Signup");
$this->viewModel->set("message", "There was an error connecting to the server.");
return $this->viewModel;
}
if ($result = $mysql->query("SELECT id FROM mailinglist WHERE email='" . $this->email . "';")) {
if ($result->num_rows == 0) {
$mysql->query("INSERT INTO mailinglist (email) VALUES ('" . $this->email . "');");
$this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . ".");
} else {
$this->viewModel->set("message", "You are already signed up for updates!");
}
} else {
$this->viewModel->set("message", "There was an error adding you the mailing list.");
}
$this->viewModel->set("pageTitle", "Signup");
return $this->viewModel;
}
哪个运行正常并且返回我想要的内容,但是,如果我尝试将mysqli_real_escape_string()用于我的查询,则它不起作用。也就是说,以下代码
public function signup() {
$mysql = mysqli_connect(HOSTNAME, USERNAME, PASSWORD, DATABASE);
if (mysqli_connect_errno($mysql)) {
$this->viewModel->set("pageTitle", "Signup");
$this->viewModel->set("message", "There was an error connecting to the server.");
return $this->viewModel;
}
$query = $mysql->real_escape_string("SELECT id FROM mailinglist WHERE email='" . $this->email . "';");
if ($result = $mysql->query($query)) {
if ($result->num_rows == 0) {
$query = $mysql->real_escape_string("INSERT INTO mailinglist (email) VALUES ('" . $this->email . "');");
$mysql->query($query);
$this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . ".");
} else {
$this->viewModel->set("message", "You are already signed up for updates!");
}
} else {
$this->viewModel->set("message", "There was an error adding you the mailing list.");
}
$this->viewModel->set("pageTitle", "Signup");
return $this->viewModel;
}
不起作用。这不是连接的问题,我尝试使用mysqli_real_escape_string()而不是$ mysql-> real_escape_string(),但它们都不起作用。任何人都可以看到这段代码有什么问题吗?
答案 0 :(得分:1)
不要这样做,请使用预备语句。它们更安全,更可靠。您仍然需要清理数据以获得正确的值和跨站点脚本,以便列出您仍会遇到的一些风险。转义数据是防止SQL注入的一种方法,但它不是完全证明。准备好的语句告诉数据库服务器假设传入数据不安全并且只接受它,并且不像连接字符串那样处理它。数据库将您的参数视为语句的变量,而不是语句的一部分。
以下是您如何改变自己的准备陈述:
$stmt=$mysql->prepare("SELECT id FROM mailinglist WHERE email=?");
$stmt->bind_param('s',$this->email);
$result=$stmt->execute();
if ($result) {
if ($result->num_rows == 0) {
$stmt=$mysql->prepare("INSERT INTO mailinglist (email) VALUES (?)");
$stmt->bind_param('s', $this->email);
$stmt->execute();
$this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . ".");
} else {
$this->viewModel->set("message", "You are already signed up for updates!");
}
} else {
$this->viewModel->set("message", "There was an error adding you the mailing list.");
}
答案 1 :(得分:-1)
您必须转义数据而不是整个查询。
public function signup() {
$mysql = mysqli_connect(HOSTNAME, USERNAME, PASSWORD, DATABASE);
if (mysqli_connect_errno($mysql)) {
$this->viewModel->set("pageTitle", "Signup");
$this->viewModel->set("message", "There was an error connecting to the server.");
return $this->viewModel;
}
$query = "SELECT id FROM mailinglist WHERE email='" .$mysql->real_escape_string( $this->email ). "'"
if ($result = $mysql->query($query)) {
if ($result->num_rows == 0) {
$query = "INSERT INTO mailinglist (email) VALUES ('" . $mysql->real_escape_string($this->email) . "')";
$mysql->query($query);
$this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . ".");
} else {
$this->viewModel->set("message", "You are already signed up for updates!");
}
} else {
$this->viewModel->set("message", "There was an error adding you the mailing list.");
}
$this->viewModel->set("pageTitle", "Signup");
return $this->viewModel;
}