我想知道是否有人能够帮助我改变我的连接代码&查询,以便它有助于保护我免受SQL注入?
任何建议都会很棒
我在dbconfig.php文件中有以下代码:
<?php
$servername = "localhost";
$username = "root";
$password = "fnjfi8378f3hrn39fb3";
$dbname = "crm4";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
?>
以及运行查询的网页上的以下内容:
<?php
$sql = "SELECT format(count(id),0) as id3 FROM Orders
INNER JOIN membership_userrecords ON Orders.id = membership_userrecords.pkValue
where Year = 2017 AND membership_userrecords.memberID = '$memberid' AND membership_userrecords.tableName='Orders'
";
$result2 = $conn->query($sql);
$row = $result2->fetch_assoc();
echo $row["id3"];
?>