请帮助我,我尝试插入具有注入攻击保护的数据库,我在w3schools上找到了一些例子,但它对我没有用。连接是正确的,有效。作为我在SQL和编程方面的新成员,我不知道该插件有什么问题。拜托,有人可以帮忙吗?非常感谢。
我的php插入:
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "dbname";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
echo "<p>Connected successfully</p>";
$From = $_GET['From'];
$To = $_GET['To'];
$Type = $_GET['Type'];
$text = $_GET['text'];
$stmt = $conn->prepare("INSERT INTO orders (from_lang, to_lang, tex)
VALUES (:fr, :to, :tex)");
$stmt->bindParam(':fr', $From);
$stmt->bindParam(':to', $To);
$stmt->bindParam(':tex', $text);
$stmt->execute();
?>
答案 0 :(得分:3)
您正在混合使用数据库API。如果你想使用MySQLi,你的代码将如下所示:
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "dbname";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
echo "<p>Connected successfully</p>";
$From = $_GET['From'];
$To = $_GET['To'];
$Type = $_GET['Type'];
$text = $_GET['text'];
$stmt = $conn->prepare("INSERT INTO orders (from_lang, to_lang, tex)
VALUES (?,?,?)");
$stmt->bind_param('sss', $From,$To,$text);
$stmt->execute();
?>
注意我已将每个参数的占位符更改为?并更改为bind_param()函数,而不是单独调用每个参数(您可以执行我使用了单个函数调用,在其中我指定了type of variable to be inserted,然后为每个占位符指定了一个变量。