用php和mysql注入处理

时间:2011-03-23 00:57:26

标签: php mysql sql-injection

  

可能重复:
  What's the best method for sanitizing user input with PHP?

我有一些代码需要更改,并使SQL注入更安全。

我的一些代码是:

SELECT * FROM student WHERE email='$this->email_1'

插入

INSERT INTO student (complete_name, date_birth, gender, email, student_status)
            VALUES ( '$this->name', '$this->date', '$this->gender', '$this->email_1', 'current')

用于获取数据

$this->query = "SELECT * FROM payments";
            $this->payments = mysqli_query($this->link,$this->query) or die("Error in query: ". mysqli_error($this->link));

            //printing the payments
            if(mysqli_num_rows($this->payments)>0)
            {
                while($this->row=mysqli_fetch_row($this->payments))
                {
                    echo "Name: " .$this->row[0]. "</br> Amount: $" .$this->row[2]. "</br>Payment type: " .$this->row[3]. "</br></br>";
                }
            }

我用过

$safe_variable = mysql_real_escape_string($unsafe_variable);

但是当我输入“'”(单引号)时,存储了一个空值,这是我不想要的。

0 个答案:

没有答案