我想在db中插入并使用此代码
$con=mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
$sql = "select * from `mobiles` where `user_id`='$_SESSION[userid]' AND `id`='mysqli_real_escape_string($con,$_POST[con_id])' AND `activecode`='mysqli_real_escape_string($con,$_POST[regcode])' ";
但是当我执行显示的错误时:
Catchable fatal error: Object of class mysqli could not be converted to string in /home/mobileab/public_html/index.php on line 116
为什么我如何在我的代码中使用它来进行sql注入? 谢谢你
答案 0 :(得分:2)
您没有正确连接,函数不会以字符串形式执行:
$sql = "select * from `mobiles` where `user_id`='$_SESSION[userid]'
AND `id`='" . mysqli_real_escape_string($con,$_POST['con_id']) . "'
AND `activecode`='" . mysqli_real_escape_string($con,$_POST['regcode']) . "'";
但我建议改用预先准备好的声明。