我正在尝试针对数据库表验证textarea输入。如果存在任何条目,则拒绝该表单。如果未找到任何条目,则接受表单并将textarea输入输入到数据库表中,每个换行符将转到新行。
我遇到了麻烦,以下脚本似乎跳过了验证部分,直接将textarea输入添加到数据库中。
<?php
if (isset($_GET["submit"])) {
}
$host = "localhost";
$user = "root";
$password = "password";
$database = "test";
// Establish server connection and select database
$dbh = mysqli_connect($host, $user, $password, $database);
if (mysqli_connect_errno()) {
die('Unable to connect to database ' . mysqli_connect_error());
}
else {
$text = trim($_POST['serial']);
$textAr = explode("\n", $text);
$textAr = array_filter($textAr, 'trim'); // remove any extra \r chars
foreach ($textAr as $line) {
$query = mysqli_query($dbh, "SELECT serials FROM `wp27_test6serial` WHERE `serials` = '$line'");
$result = mysqli_query($dbh, $query);
if (mysqli_num_rows($result) > 0) {
die('entry already exists');
}
else {
$query = mysqli_query($dbh, "INSERT INTO wp27_test6serial (rtxserials) VALUES ('$line')");
echo ('serials submitted');
}
}
}
任何人都可以告诉我脚本有什么问题以及为什么在将textarea字符串插入数据库之前没有验证?
谢谢
答案 0 :(得分:3)
你要查询两次。
$query = mysqli_query($dbh, "SELECT serials FROM `wp27_test6serial` WHERE `serials` = '$line'");
应该是
$query = "SELECT serials FROM `wp27_test6serial` WHERE `serials` = '$line'";
您的代码可以使用SQL注入攻击。使用准备好的陈述。