$ID = $db->real_escape_string(strip_tags(stripslashes($_GET['ID'])));
$GetThreadFromID = mysqli_fetch_object(mysqli_query($db, "SELECT * FROM ForumThreads WHERE ID=$ID"));
$GetThreadStarter = mysqli_fetch_object(mysqli_query($db, "SELECT * FROM Users WHERE ID='$GetThreadFromID->PosterID'"));
$GetTopicFromThread = mysqli_fetch_object(mysqli_query($db, "SELECT * FROM ForumTopics WHERE ID='$GetThreadFromID->ForumID'"));
$ThreadExist = mysqli_num_rows(mysqli_query($db, "SELECT * FROM ForumThreads WHERE ID='$ID'"));
$GetAllWatching = mysqli_query($db, "SELECT * FROM ForumWatchedThreads WHERE ThreadID='$ID' AND UserID='$client->ID'");
if ($ThreadExist == "0") {
echo "
<div class='container'>
<div class='panel panel-danger'>
<div class='panel-heading'>Error</div>
<div class='panel-body'>
The thread you requested does not exist.
</div>
</div>
</div>
";
include $_SERVER["DOCUMENT_ROOT"]."/_INCLUDES/Footer.php";
exit();
}
我有一个带有手工编码论坛的网站。您可以访问论坛帖子。假设线程ID是12,但我在其末尾放了一个撇号?ID =那么论坛标题和论坛正文将与其他信息一起为空。我该怎么做才能显示带有ID的线程,所以如果我把它放在URL栏中:?ID = 13 //或?ID = 13'',它仍会显示?ID = 13没有任何干扰,甚至显示一个错误,说论坛帖子不存在?
答案 0 :(得分:1)
您只是假设查询成功。由于您不检查失败,如果查询失败,则== "0"将成功,因为query()和fetch()返回的布尔值为FALSE将等于&#34; 0&#34;
永远不要假设db操作成功。即使您的SQL语法是完美的,但无论如何,查询失败的原因几乎无穷无尽。
$result = mysqli_query(...) or die(mysqli_error($db));
^^^^^^^^^^^^^^^^^^^^^^^^^^
if (mysqli_num_rows($result) === 0) {
die("No results");
}
or die()将处理查询失败,===严格相等测试将确保您测试实际的整数0,而不是任何其他也测试相等的值为0,例如php中的'' == 0为TRUE。
请注意,尽管您正在进行所有剥离和引用,但您的第一个查询仍然容易受到某种形式sql injection attacks的影响。例如1 or 1=1会一直滑过,因为没有标签,没有斜线,也没有'个字符可以逃脱。