这会返回MySQL错误:
<?php
$name = $_POST['inputName2'];
$email = $_POST['inputEmail2'];
$instruments = $_POST['instruments'];
$city = $_POST['inputCity'];
$country = $_POST['inputCountry'];
$distance = $_POST['distance'];
// ^^ These all echo properly ^^
// CONNECT TO DB
$dbhost = "xxx";
$dbname = "xxx";
$dbuser = "xxx";
$dbpass = "xxx";
$con = mysqli_connect("$dbhost", "$dbuser", "$dbpass", "$dbname");
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$query = "INSERT INTO depfinder (name, email, instrument1, instrument2, instrument3, instrument4, instrument5, city, country, max_distance) VALUES ($name, $email, $instruments[0], $instruments[1], $instruments[2], $instruments[3], $instruments[4], $city, $country, $max_distance)";
$result = mysqli_query($con, $query) or die(mysqli_error($con)); // script fails here
if (!$result)
{
echo "There was a problem with the signup process. Please try again later.";
}
else
{
echo "Success";
}
}
?>
N.B。我不确定它是否相关,但用户可能不会选择五种乐器,因此某些$instrument[]
数组值可能为空。
奖金问题:我的脚本足够安全还是我可以做的更多?
答案 0 :(得分:1)
您需要在查询中的字符串值周围引用:
$query = "INSERT INTO depfinder
(name, email, instrument1, instrument2, instrument3, instrument4, instrument5, city, country, max_distance)
VALUES ('$name', '$email', '$instruments[0]', '$instruments[1]', '$instruments[2]',
'$instruments[3]', '$instruments[4]',
'$city', '$country', $distance)";
要回答您的红利问题,您的脚本根本不安全,它易受SQL注入攻击,并且如果任何值包含撇号,也会出现语法错误。您应该使用带参数而不是字符串替换的准备查询。或者,如果使用替换,则应使用mysqli_real_escape_string
来防止注入和语法错误。
答案 1 :(得分:1)
看起来查询中变量周围缺少单引号似乎是最初的问题。所以这可以被认为是一个快速修复。
但是我继续重构你的代码以简化它并提供一些基本的验证。
添加注意事项包括使用$post_array
滚动$_POST
值并使用isset
&amp;进行基本值检查。 !empty
。只是旁注,但在原始脚本中 - 在此清理中 - 您正在设置$distance
字符串,但实际上您并未在此代码中使用它。它会在以后出现吗?但是$max_distance
是什么?您可以将$distance
与$max_distance
混为一谈吗?公平的错字,但我注意到了。
另外,摆脱单引号的另一个选择是使用mysqli_stmt_bind_param
我在此处设置为mysqli_free_result
&amp; mysqli_close
整齐地结束MySQL进程。
// Set a '$_POST' array and roll through each value.
$post_array = array('inputName2', 'inputEmail2', 'instruments', 'inputCity', 'inputCountry', 'distance');
foreach ($post_array as $post_key => $post_value) {
$$post_value = isset($_POST[$post_value]) && !empty($_POST[$post_value]) ? $_POST[$post_value] : null;
}
// CONNECT TO DB
$dbhost = "xxx";
$dbname = "xxx";
$dbuser = "xxx";
$dbpass = "xxx";
// Set the connection or die returning an error.
$con = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname) or die(mysqli_connect_error());
// Set the query.
$query = "INSERT INTO depfinder (name, email, instrument1, instrument2, instrument3, instrument4, instrument5, city, country, max_distance)"
. " VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
;
// Bind the params.
mysqli_stmt_bind_param($query, 'ssssssssss', $inputName2, $inputEmail2, $instruments[0], $instruments[1], $instruments[2], $instruments[3], $instruments[4], $city, $country, $max_distance);
// Run the query.
$result = mysqli_query($con, $query) or die(mysqli_error());
// Check if the result is returned & echo a message based on that.
if (!$result) {
echo "There was a problem with the signup process. Please try again later.";
}
else {
echo "Success";
}
// Free the result set.
mysqli_free_result($result);
// Close the connection.
mysqli_close($con);