If I enter only whitespace characters, the query still executes:
    $newdisplayname = $_POST['newdisplayname'];
    $sessionid = $_SESSION['userid'];
    if (!empty($_POST) && isset($_SESSION['userid'])) {
        if (strlen($newdisplayname) >= 2 && strlen($newdisplayname) <= 15
            && !ctype_space($newdisplayname)
            && substr_count(strtoupper($newdisplayname), 'M') < 7
            && substr_count(strtoupper($newdisplayname), 'W') < 7) {
            // update displayname
            $stmt = $conn->prepare("UPDATE users SET u_displayname=? WHERE u_id=?");
            $stmt->bind_param("si", $newdisplayname, $sessionid);
            $stmt->execute();
            $stmt->close();
            echo "success";
        }
    }
Also, if I enter a single space, the query executes as well. How does it get past strlen($newdisplayname)>=2?
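An added example, not part of the original question: `strlen()` counts bytes and `ctype_space()` only recognizes the locale's single-byte whitespace, so multi-byte whitespace such as U+00A0 or U+3000 can satisfy both conditions in the check above. The sketch below runs the posted length and whitespace conditions next to a stricter validator on constructed inputs; it assumes UTF-8 input, PHP 7 or later with mbstring, and the default C locale, and `validate_display_name()` is a hypothetical helper name.

```php
<?php
// Added example, not the poster's code. Assumes UTF-8 input, mbstring, C locale.
// validate_display_name() is a hypothetical helper name.

function validate_display_name(string $raw): ?string
{
    // Reject invalid UTF-8 outright; the /u regex below would fail on it.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    // Strip leading/trailing whitespace, Unicode separators (\p{Z}) and
    // control/format characters (\p{C}) that ctype_space() does not see.
    $name = preg_replace('/^[\s\p{Z}\p{C}]+|[\s\p{Z}\p{C}]+$/u', '', $raw);
    if ($name === null) {
        return null;
    }
    // Count characters, not bytes.
    $len = mb_strlen($name, 'UTF-8');
    if ($len < 2 || $len > 15) {
        return null;
    }
    // Same M/W limit as the posted check.
    $upper = mb_strtoupper($name, 'UTF-8');
    if (substr_count($upper, 'M') >= 7 || substr_count($upper, 'W') >= 7) {
        return null;
    }
    return $name;
}

// Constructed sample inputs.
$samples = [
    'single ASCII space'  => ' ',
    'two ASCII spaces'    => '  ',
    'NBSP (U+00A0)'       => "\u{00A0}",
    'ideographic space'   => "\u{3000}",
    'zero-width space x2' => "\u{200B}\u{200B}",
    'padded name'         => "  Alice\u{00A0}",
];
foreach ($samples as $label => $value) {
    // Length and whitespace conditions exactly as posted.
    $old = strlen($value) >= 2 && strlen($value) <= 15 && !ctype_space($value);
    $new = validate_display_name($value);
    printf("%-20s hex=%-14s posted=%s strict=%s\n", $label, bin2hex($value),
        $old ? 'accept' : 'reject', $new === null ? 'reject' : "accept '$new'");
}
```

Logging `bin2hex($_POST['newdisplayname'])` on the server shows which bytes the form actually submitted, which is the quickest way to tell an ASCII space from a multi-byte one.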