Sql适当的语法

时间:2015-08-08 05:47:54

标签: php mysql

下面这段代码是否面临sql注入问题?如果是这样,为什么以及可以改变什么以防止它?

$sql2 = "UPDATE Candidates SET ".$row['Field']."= '$_POST[$tempname]' WHERE ID='".$_GET["id"]."'";
                $result2 = mysqli_query($con,$sql2);
                if ($con->query($sql2) === TRUE) {
                    if($_POST['Status']=="Employed"){
                    $sql3 = "INSERT INTO Employees (AFNumber, CID, Status, Name, DateOfBirth,DateOfEmployment)
VALUES ('".$_POST['AFNumber']."', '".$_POST['ID']."', 'Employed', '".$_POST['FullNameEng']."','".$_POST['DoBasID']."', '".date('d/m/Y')."')";
                    $result3 = mysqli_query($con,$sql3);
                    if ($con->query($sql3) === TRUE) {
                    }else {
                        echo "Error: " . $sql3 . "<br>" . $con->error;}
                        echo '<script>swal("Error", "Something went wrong '.$con->error.'", "error");</script>';
                    }
                } else {
                    echo "Error: " . $sql2 . "<br>" . $con->error;
                    echo '<script>swal("Error", "Something went wrong '.$con->error.'", "error");</script>';
                }

1 个答案:

答案 0 :(得分:0)

$row['Field']       = "`{$row['Field']}`"; //its better to use ` around field names. there can be 'date', 'begin', 'column' or other reserved keywords http://dev.mysql.com/doc/refman/5.6/en/keywords.html
$_POST[$tempname]   = mysqli_real_escape_string($con, $_POST[$tempname]); //have no idea which data type your $row['Field']-column, so lets rely on escaping will be enough http://php.net/manual/en/mysqli.real-escape-string.php
$_GET['id']         = (int)$_GET['id']; //i believe that your `id` is an integer, otherwise you should use mysqli_real_escape_string

$sql2 = "UPDATE Candidates SET ".$row['Field']." = '{$_POST[$tempname]}' WHERE `ID` = '{$_GET['id']}'";
$result2 = mysqli_query($con, $sql2);
if ($con->query($sql2) === TRUE) {
    if($_POST['Status']=="Employed") {
        $_POST['AFNumber'] = (int)$_POST['AFNumber']; //i believe that your `AFNumber` is an integer, otherwise you should use mysqli_real_escape_string
        $_POST['ID'] = (int)$_POST['ID']; //i believe that your `CID` is an integer, otherwise you should use mysqli_real_escape_string
        $_POST['FullNameEng'] = mysqli_real_escape_string($con, $_POST['FullNameEng']);
        $_POST['DoBasID'] = mysqli_real_escape_string($con, $_POST['DoBasID']);  //if DateOfBirth is not a string - u can use (int) instead
        $sql3 = "
            INSERT INTO Employees 
                (AFNumber, CID, Status, Name, DateOfBirth, DateOfEmployment)
            VALUES 
                ('".$_POST['AFNumber']."', '".$_POST['ID']."', 'Employed', '".$_POST['FullNameEng']."', '".$_POST['DoBasID']."', '".date('d/m/Y')."')
            ";
//...

这里的主要想法(也是最简单的,最小的)是:

1)如果data-type对传入值是整数use(int)或intval()。

2)如果data-type是整数unsingned,则对传入值使用abs()。

3)othervise(在字符串上)使用mysqli_real_escape_string

了解转义序列https://dev.mysql.com/doc/refman/5.0/en/string-literals.html

以后阅读有关准备好的陈述https://dev.mysql.com/doc/refman/5.0/en/sql-syntax-prepared-statements.html