这是PHP脚本SQL注入证明吗？

Question

＆＃13;

＆＃13;

   <?php
 
$mysqli = new mysqli("localhost", "root", "", "aspire"); or die ('Error connecting to MySQL!');
 
$earnedpoints = false;
$account = $_POST['name'];
$account = mysqli_real_escape_string($account);
 
if ($account == "") {
    echo 'Enter an account name!';
    exit();
}
 
$ip = $_SERVER['REMOTE_ADDR'];
$time = time();
 
$stmt = $mysqli_prepare("SELECT *, SUM(`times`) as amount FROM votingrecords WHERE account='$account' OR ip='$ip'");
$lasttime = mysqli_fetch_array($stmt);
$amount = $lasttime['amount'];
$insertnew = false;    
if ($amount == "") {
    $insertnew = true;
}
$timecalc = $time - $lasttime['date'];
if (!$insertnew) {
    if ($timecalc < 21600) {  
        echo ' Hello '. $account .' you have already voted with this account ('. $account .') or IP ('. $ip .') in the last 6 hours!';
        echo ' Last voted on: '. date('M d\, h:i:s A', $lasttime['date']) .'';
        echo '<html>';
        echo '<head>';
        echo '<meta HTTP-EQUIV="REFRESH" content="10; url=http://www.">';
        echo '</head>';
        echo '<body>';
        echo '<br><br>You will be redirected to the main website in 10 seconds.';
        echo '</body>';
        echo '</html>';
        exit();
    } else {                
        $update = $mysqli_prepare("UPDATE votingrecords SET account='$account', date='$time', times=times+1 WHERE ip='$ip'");
            if (!$update) {
                $message  = 'Invalid query: ' . mysql_error() . "\n";
                $message .= 'Whole query: ' . $update;
                die($message);
            } else {
                $earnedpoints = true;
            }
        }
} else {
    $success = $mysqli_prepare("INSERT INTO votingrecords (`account`, `ip`, `date`, `times`) VALUES ('$account', '$ip', '$time', 1)");
    if (!$success) {
            $message  = 'Invalid query: ' . mysql_error() . "\n";
            $message .= 'Whole query: ' . $success;
            die($message);
    } else {
        $earnedpoints = true;
    }
}
 
 
 
 
if ($earnedpoints) {
    $points = $mysqli_prepare("UPDATE accounts SET votepoints = votepoints + 2 WHERE name='$account'");                
    if (!$points) {
 
            $message  = 'Invalid query: ' . mysql_error() . "\n";
            $message .= 'Whole query: ' . $stmt;
            die($message);
    }
	$stmt->execute();
    $stmt->close();
    echo '<html>';
    echo '<head>';
    echo '<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.gtop100.com/">';
    echo '</head>';
    echo '</html>';
} else {
    echo 'There was an error processing your request.';
    exit();
}
?>

＆＃13;

＆＃13;

＆＃13;

大家好，

这是我以前的PHP脚本的后续帖子。我仍然非常缺乏经验，几乎不知道我在做什么，而且我所看到的所有教程都不是很有帮助。

我想知道这个新脚本是否更好，实际上是SQL注入证明。 提前谢谢。