此代码是否容易出现SQL注入?你能提出一些改善安全性的建议吗?使用mysqli_real_escape_string是对的吗?你认为将它用于项目是否正常?
<?php
require 'db.php';
if(isset($_POST['pawnshopName'])&&isset($_POST['street'])&&isset($_POST['barangay'])&&isset($_POST['city'])&&isset($_POST['dtiPermitNo'])&&isset($_POST['mayorPermitNo'])&&isset($_POST['firstName'])&&isset($_POST['lastName'])&&isset($_POST['middleName'])&&isset($_POST['contactNumber'])&&isset($_POST['email'])&&isset($_POST['password'])&&isset($_POST['confirmPassword']))
{
$options = ['cost' => 11, 'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),];
$pawnshopName = mysqli_real_escape_string($connection, $_POST['pawnshopName']);
$street = mysqli_real_escape_string($connection, $_POST['street']);
$barangay = mysqli_real_escape_string($connection, $_POST['barangay']);
$city = mysqli_real_escape_string($connection, $_POST['city']);
$dtiPermitNo = mysqli_real_escape_string($connection, $_POST['dtiPermitNo']);
$mayorPermitNo = mysqli_real_escape_string($connection, $_POST['mayorPermitNo']);
$firstName = mysqli_real_escape_string($connection, $_POST['firstName']);
$lastName = mysqli_real_escape_string($connection, $_POST['lastName']);
$middleName = mysqli_real_escape_string($connection, $_POST['middleName']);
$contactNumber = mysqli_real_escape_string($connection, $_POST['contactNumber']);
$email = mysqli_real_escape_string($connection, $_POST['email']);
$password = mysqli_real_escape_string($connection, password_hash($_POST['password'], PASSWORD_BCRYPT, $options));
$confirmPassword = mysqli_real_escape_string($connection, $_POST['confirmPassword']);
if(password_verify($confirmPassword,$password))
{
echo 'Password Match';
}else
{
echo 'Password mismatch';
}
$sql = "INSERT INTO pawnshop ".
"(Pawnshop_ID, Pawnshop_Name, Street, Barangay, City, DTI_Permit_No, Mayor_Permit_No, Firstname, Middlename, Lastname, Contact_Number, Email_Address, Password) ".
"VALUES ".
"('','".$pawnshopName."', '".$street."', '".$barangay."', '".$city."', '".$dtiPermitNo."', '".$mayorPermitNo."', '".$firstName."', '".$lastName."', '".$middleName."', '".$contactNumber."', '".$email."', '".$password."' )";
mysqli_query($connection, $sql);
mysqli_close($connection);
}
?>
答案 0 :(得分:2)
不,您必须使用prepare方法。然后在每个要添加值的地方放置?。比你必须使用bind_param方法。最后,您可以执行它并获得结果whit get_results。一个例子:
$stmt = $connection->prepare("INSERT INTO Customers (CustomerName, Address, CityID) VALUES (?, ?, ?)");
$stmt->bindParam('ssi', $name, $address, $cityId);
$stmt->execute();
$results = $stmt->get_results();
'ssi'是属性类型的对应变量。
i是整数d是双打s是字符串b是一个blob,将以数据包的形式发送