请查看我的SQL注入攻击代码。 请帮我避免SQL注入攻击。了解SQL注入。这段代码在SQL注入时是否安全?
<?php
$recno=$_GET['recno'];
$sql = 'set @parameter = (
select group_concat(distinct
concat(
"sum(case when `parid`=\'", `parid`, "\' then `par_values` end)
as `", `parid`, "`"
)
)
from #est_paaram_value
where recno="'.$recno.'"
);
set @parameter = concat("select year as YEAR,qtr as QUARTER, ", @parameter, "
from #est_paaram_value where recno=\''.$recno.'\' group by `year`,qtr");
prepare stmt from @parameter;
execute stmt;';
$result = $con->multi_query($sql);
if ($err=mysqli_error($con)) { echo $err."<br><hr>"; }
if ($result) {
do {
if ($par = $con->store_result()) {
echo "<table id='myTable' name='myTable'>";
echo "<thead><tr>";
for($i=0; $i<mysqli_num_fields($par); $i++)
{
$field = mysqli_fetch_field($par);
echo "<td bgcolor=lightgray><b>{$field->name}</b></td>";
}
echo "</tr>\n</thead>";
echo "<tbody>";
while($row = $par->fetch_row())
{
echo "<tr>";
foreach($row as $par_val) {
if ($par_val === NULL) { $par_val = '(null)'; }
echo "<td>$par_val</td>";
}
echo "</tr>\n";
}
$par->free();
echo"</tbody>";
echo "</table>";
}
} while ($con->more_results() && $con->next_result());
}