数据表单的处理脚本 - 间歇性错误

时间:2014-09-15 01:55:35

标签: php

我已经构建了一个数据表单,它在帖子上运行一个小脚本。它有间歇性的错误。该脚本应该将条目记录到数据库或死亡,然后发送包含详细信息的电子邮件。我收到了100%的电子邮件,但只有大约90%的条目实际登录到数据库。任何人都可以在这里找出问题,改进或提出建议吗?谢谢 -

$name=$_POST[name];
$email=$_POST[email];
$state=$_POST[state];
$phone=$_POST[phone];
$comments=$_POST[comments];
$today = date("F j, Y, g:i a");

include("config.php");
$link = mysqli_connect("$db_host" , "$db_user" , "$db_password" , "$db") or die();
mysqli_select_db($link, $db) or die();

mysqli_query($link,"INSERT INTO form (name,email,state,phone,comments,date)
VALUES ('$name','$email','$state','$phone','$comments','$today')");

$Body= " \n";
$Body .= "Contact Request From my_site.com\n\n";
$Body .= "Name: $name\n";
$Body .= "Email: $email\n";
$Body .= "State: $state\n";
$Body .= "Telephone: $phone\n";
$Body .= "Comments: $comments\n";

$Body .= "\n";

mail ("my_email@my_site.com", "Contact Request From my_site.com", $Body, "From: $email");

header("Location: https://www.my_site.com/thank-you/");
die();

1 个答案:

答案 0 :(得分:0)

解决!

POST值未作为字符串进行转义。任何包含单个'引号的值都会结束SQL参数并引发SQL错误,并且实际上是在打开漏洞(即SQL注入)。

修复:

$name=$_POST[name];
$email=$_POST[email];
$state=$_POST[state];
$phone=$_POST[phone];
$comments=$_POST[comments];
$today = date("F j, Y, g:i a");

include("config.php");
$link = mysqli_connect("$db_host" , "$db_user" , "$db_password" , "$db") or die();
mysqli_select_db($link, $db) or die();

$name=mysqli_real_escape_string($link, $name);
$email=mysqli_real_escape_string($link, $email) ;
$state=mysqli_real_escape_string($link, $state) ;
$phone=mysqli_real_escape_string($link, $phone) ;
$comments=mysqli_real_escape_string($link, $comments);