下面这段代码是否面临sql注入问题?如果是这样,为什么以及可以改变什么以防止它?
$sql2 = "UPDATE Candidates SET ".$row['Field']."= '$_POST[$tempname]' WHERE ID='".$_GET["id"]."'";
$result2 = mysqli_query($con,$sql2);
if ($con->query($sql2) === TRUE) {
if($_POST['Status']=="Employed"){
$sql3 = "INSERT INTO Employees (AFNumber, CID, Status, Name, DateOfBirth,DateOfEmployment)
VALUES ('".$_POST['AFNumber']."', '".$_POST['ID']."', 'Employed', '".$_POST['FullNameEng']."','".$_POST['DoBasID']."', '".date('d/m/Y')."')";
$result3 = mysqli_query($con,$sql3);
if ($con->query($sql3) === TRUE) {
}else {
echo "Error: " . $sql3 . "<br>" . $con->error;}
echo '<script>swal("Error", "Something went wrong '.$con->error.'", "error");</script>';
}
} else {
echo "Error: " . $sql2 . "<br>" . $con->error;
echo '<script>swal("Error", "Something went wrong '.$con->error.'", "error");</script>';
}
答案 0 :(得分:0)
$row['Field'] = "`{$row['Field']}`"; //its better to use ` around field names. there can be 'date', 'begin', 'column' or other reserved keywords http://dev.mysql.com/doc/refman/5.6/en/keywords.html
$_POST[$tempname] = mysqli_real_escape_string($con, $_POST[$tempname]); //have no idea which data type your $row['Field']-column, so lets rely on escaping will be enough http://php.net/manual/en/mysqli.real-escape-string.php
$_GET['id'] = (int)$_GET['id']; //i believe that your `id` is an integer, otherwise you should use mysqli_real_escape_string
$sql2 = "UPDATE Candidates SET ".$row['Field']." = '{$_POST[$tempname]}' WHERE `ID` = '{$_GET['id']}'";
$result2 = mysqli_query($con, $sql2);
if ($con->query($sql2) === TRUE) {
if($_POST['Status']=="Employed") {
$_POST['AFNumber'] = (int)$_POST['AFNumber']; //i believe that your `AFNumber` is an integer, otherwise you should use mysqli_real_escape_string
$_POST['ID'] = (int)$_POST['ID']; //i believe that your `CID` is an integer, otherwise you should use mysqli_real_escape_string
$_POST['FullNameEng'] = mysqli_real_escape_string($con, $_POST['FullNameEng']);
$_POST['DoBasID'] = mysqli_real_escape_string($con, $_POST['DoBasID']); //if DateOfBirth is not a string - u can use (int) instead
$sql3 = "
INSERT INTO Employees
(AFNumber, CID, Status, Name, DateOfBirth, DateOfEmployment)
VALUES
('".$_POST['AFNumber']."', '".$_POST['ID']."', 'Employed', '".$_POST['FullNameEng']."', '".$_POST['DoBasID']."', '".date('d/m/Y')."')
";
//...
这里的主要想法(也是最简单的,最小的)是:
1)如果data-type对传入值是整数use(int)或intval()。
2)如果data-type是整数unsingned,则对传入值使用abs()。
3)othervise(在字符串上)使用mysqli_real_escape_string
了解转义序列https://dev.mysql.com/doc/refman/5.0/en/string-literals.html
以后阅读有关准备好的陈述https://dev.mysql.com/doc/refman/5.0/en/sql-syntax-prepared-statements.html