I wrote the following mod_rewrite rule in my .htaccess file:

```apache
RewriteRule ^forum/read/([^/]*)-([^/]*)$ ?i=f&p=t&cat=$1&id=$2 [L]
```
I keep getting reports about an SQL vulnerability.

The read file looks like this:
```php
<?php
// $dbh is an existing PDO connection; $offset and $rowsperpage are set
// elsewhere in the script (not shown here).
$topicname = $_GET['id'];
$topicid = $_GET['id'];
$cat = $_GET['cat'];
// The rewrite delivers "<name>-<id>"; keep the part before the first dash.
$topicname = explode('-', $topicname);
$id = $topicname[0];

// Get the data from the posts.
$p = $dbh->prepare("
    SELECT
        p.*,
        u.*
    FROM forum_posts p
    JOIN users u ON u.id = p.userid
    WHERE topic_id = :id AND post_deleted = '0'
    ORDER BY post_time ASC
    LIMIT $offset, $rowsperpage");
$p->bindParam(':id', $id);
$p->execute();
```
The report says:

> You need to make the database not to get confused with the -> '

How can there be a vulnerability when I am using a prepare() statement?
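As an added example (not the asker's code), the same query with every value bound as a parameter, including the LIMIT clause that the original interpolates straight into the SQL string. It assumes `$dbh` is a PDO connection and that `$offset`/`$rowsperpage` are derived from request input such as a page number, which the question does not show.

```php
<?php
// Added example, not the asker's code. Assumes $dbh is a PDO connection and
// that $offset/$rowsperpage come from request input (e.g. a page number).
declare(strict_types=1);

function fetchTopicPosts(PDO $dbh, string $rawId, int $page, int $rowsPerPage = 20): array
{
    // Native (non-emulated) prepares keep parameter values out of the SQL
    // text entirely; with emulation on, PDO quotes them client-side instead.
    $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // The rewrite hands "<name>-<id>" to the script; accept only a pure
    // integer id and fail closed on anything else.
    $idPart = explode('-', $rawId)[0];
    if (!ctype_digit($idPart)) {
        throw new InvalidArgumentException('topic id must be numeric');
    }
    $id = (int) $idPart;

    // Clamp pagination before it gets anywhere near the query.
    $page        = max(1, $page);
    $rowsPerPage = min(100, max(1, $rowsPerPage));
    $offset      = ($page - 1) * $rowsPerPage;

    // Every value, LIMIT/OFFSET included, is a bound parameter. prepare()
    // only protects placeholders; anything concatenated into the string
    // (as $offset and $rowsperpage were) is still raw SQL.
    $stmt = $dbh->prepare(
        'SELECT p.*, u.*
           FROM forum_posts p
           JOIN users u ON u.id = p.userid
          WHERE p.topic_id = :id AND p.post_deleted = \'0\'
       ORDER BY p.post_time ASC
          LIMIT :limit OFFSET :offset'
    );
    $stmt->bindValue(':id',     $id,          PDO::PARAM_INT);
    $stmt->bindValue(':limit',  $rowsPerPage, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset,      PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Binding LIMIT values with PDO::PARAM_INT matters because without it (or with emulated prepares) the driver would quote them as strings, which MySQL rejects in a LIMIT clause.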