可能重复:
What's the best method for sanitizing user input with PHP?
我有一些代码需要更改,并使SQL注入更安全。
我的一些代码是:
SELECT * FROM student WHERE email='$this->email_1'
插入
INSERT INTO student (complete_name, date_birth, gender, email, student_status)
VALUES ( '$this->name', '$this->date', '$this->gender', '$this->email_1', 'current')
用于获取数据
$this->query = "SELECT * FROM payments";
$this->payments = mysqli_query($this->link,$this->query) or die("Error in query: ". mysqli_error($this->link));
//printing the payments
if(mysqli_num_rows($this->payments)>0)
{
while($this->row=mysqli_fetch_row($this->payments))
{
echo "Name: " .$this->row[0]. "</br> Amount: $" .$this->row[2]. "</br>Payment type: " .$this->row[3]. "</br></br>";
}
}
我用过
$safe_variable = mysql_real_escape_string($unsafe_variable);
但是当我输入“'”(单引号)时,存储了一个空值,这是我不想要的。