我目前正在处理我的代码并尝试实施措施来防止SQL注入。我的其他页面工作正常但是这个页面有点不同。
用户要确定要从哪个表中删除,这是通过使用$ Level变量,(不用担心,这限制为三个)。它适用于旧的易受攻击的方法,但现在还没有。有什么想法吗?
if (isset($_POST['Delete']))
{
$Level = trim($_POST['Level']);
$UserName = trim($_POST['UserName']);
//----------------Check if Exists------------------//
$Check = $conn->prepare("SELECT * FROM ? WHERE UserName = ?");
$Check->bind_param('ss', $Level, $UserName);
$Check->execute();
$result = $Check->get_result();
$count = $result->num_rows;
if ($count>0)
{
$Confirm= $UserName . ' Deleted';
//----------------Delete SQL-------------------//
$Delete = "DELETE FROM $Level WHERE UserName = '$UserName'";
$Delete = mysqli_query($conn,$sql);
header( "refresh:5;url=stratdeleteuser.php" );
}
else
{
$Confirm= 'No Matches Found';
}
}
答案 0 :(得分:1)
if语句足以保护用户输入
if ($Level == 'strategic' || $Level == 'tactical')
{
//----------------Check if Exists------------------//
$Check = $conn->prepare("SELECT * FROM $Level WHERE UserName = ?");
$Check->bind_param('s', $UserName);
$Check->execute();
$result = $Check->get_result();
$count = $result->num_rows;
if ($count>0)
{
$Confirm= $UserName . ' Deleted';
//----------------Delete SQL-------------------//
$Delete = $conn->prepare("DELETE FROM $Level WHERE UserName = ?");
$Delete->bind_param('s', $UserName);
$Delete->execute();
$Confirm = $UserName . ' Deleted';
header( "refresh:5;url=stratdeleteuser.php" );
}
else
{
$CheckErr= 'No Matches Found';
}
}
我照顾后一部分为你实施OO风格,正如Terminus正确建议的那样