我想用MySQLi语句或PDO做跟进,但我的服务器上遇到了很多错误。
请检查以下示例以了解我自己做的代码是否可以安全,如果可以使用它。并希望以下代码将帮助新的MySQLi用户至少学习如何从MySQLi开始:
<?php
$host = "localhost";
$username = "db_user";
$password = "db_pass";
$dbname = "db_name";
@ $db = mysqli_connect($host, $username, $password, $dbname);
if(mysqli_connect_errno())
{
die("Connection could not be established");
}
$username = mysqli_real_escape_string($db, $_GET['user']);
$query = ("SELECT * FROM members WHERE profile='$username' ORDER BY id DESC LIMIT 1");
$result = mysqli_query($db, $query);
while($row = mysqli_fetch_array($result))
{
?>
PROFILE VIEW
<br>Name: <?php echo $row['nombre']?> ID: <?php echo $row['Age']?> <br />
<?php
}
?>
一切正常。如果有人能让它更安全,我会很感激。
答案 0 :(得分:1)
我会选择这个。
<?php
$host = "localhost";
$username = "db_user";
$password = "db_pass";
$dbname = "db_name";
$db = mysqli_connect($host, $username, $password, $dbname);
if(mysqli_connect_errno()) {
die("Connection could not be established");
}
$username = $_GET['user'];
$query = $db->prepare("SELECT * FROM `members` WHERE `profile` = ? ORDER BY `id` DESC LIMIT 1");
$query->bind_param('s', $username);
$query->execute();
while($row = $query->fetch_row()) { ?>
<br />Name: <?php echo $row['nombre']; ?> ID: <?php echo $row['Age']; ?> <br /><?php
} ?>