嘿大家我已经作为网络初级开发人员在我的投资组合中工作,在联系表单中我通过将数据从输入字段传输到数据库而对我的代码安全性有一些疑问,无论如何都要使其更安全sql注入?是吗?如果你愿意,我需要一些帮助。
感谢。
源代码:
<div class="rectoContainer col-lg-4 col-11 wow fadeInUp" align='left'>
<form method="post" action=''>
<input class='col-lg-6 col-6 rad' type="text" placeholder="First name" name='fname'>
<input class='col-lg-5 col-5 rad' type="text" placeholder="Last name" style="float: right" name='lname'>
<input class='rad col-lg-12' type="email" placeholder="Email" name='email'>
<input class='rad col-lg-12' type="text" placeholder="Subject" name='subject'>
<textarea style="height: 140px;resize: none" class='rad col-lg-12' placeholder="Message" name='message'></textarea><br>
<button type="submit" class='btn' style='background-color: #66c0e1;color:white;' name='butSend'>Send message</button>
</form>
<div style="height:1px;"></div>
</div>
<?php
$fname = filter_input(INPUT_POST,'fname');
$lname = filter_input(INPUT_POST,'lname');
$subject = filter_input(INPUT_POST,'subject');
$email= filter_input(INPUT_POST,'email');
$message = filter_input(INPUT_POST,'message');
include('connect.php');
if(isset($_POST['butSend']))
{
if(!empty($email) && !empty($fname) && !empty($message) || !empty($lname) || !empty($subject) )
{
$query = "insert into contact values(NULL,'$fname','$lname','$subject','$email','$message')";
if(mysqli_query($con,$query))
{
?>
<script>
$(function() {
/*slide a notification success bar*/
$('.msgSent').slideDown(500).delay(3000).slideUp(100);
});
</script>
<?php
}
else
{ ?>
<script>
alert('||-- ERROR ---||');
</script>
<?php
}
}
else
{ ?>
<script>
$(function() {
/*slide a notification error bar*/
$('.msgNotSent').slideDown(500).delay(3000).slideUp(100);
});
</script>
<?php
}
}
?>
答案 0 :(得分:-1)
/ *未准备好的陈述* /
if (!$mysqli->query("DROP TABLE IF EXISTS test") || !$mysqli->query("CREATE TABLE test(id INT)")) {
echo "Table creation failed: (" . $mysqli->errno . ") " . $mysqli->error;
}
/ *准备好的声明,第1阶段:准备* /
if (!($stmt = $mysqli->prepare("INSERT INTO test(id) VALUES (?)"))) {
echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
}
?>