if(isset($_POST['submit']))
{
$Team = $_POST['Team'];
echo "$Team" ;
$sql = "DELETE FROM championsleauge WHERE Team = $Team ";
if($con->query($sql) === TRUE)
{
echo "New delete successfully";
}
}
删除无效。它确实会回复团队名称以删除任何想法吗?
答案 0 :(得分:2)
没有 回答您的问题,但它可以睁开眼睛!
DELETE FROM championsleauge WHERE Team = $Team
将此值发送到名为Team
的POST变量5 OR 1=1
它将成为
DELETE FROM championsleauge WHERE Team = 5 OR 1=1
你去了,没有更多的冠军联赛!
顺便说一句,你的错误是一个简单的错字。需要引用字符串值。然后你根本没有错误检查。然后你需要经历How can I prevent SQL injection in PHP?
PDO并不像听起来那么可怕,你的代码可以像这样简单
$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', $user, $password);
$sth=$dbh-prepare("DELETE FROM championsleauge WHERE Team = ?");
$sth->execute(array($Team));