Question

我是MySQL的新手，所以很抱歉，如果这些看起来很明显。我有以下代码：

<?php

          include_once '../includes/db.inc.php';
          if(isset($_GET["id"])){
          $id = $_GET["id"];
          $sql = "SELECT * FROM clients WHERE nif_id='".$id."';";
          $result = mysqli_query($conn, $sql);

          while ($row = mysqli_fetch_assoc($result)) {
                $first = $row["prm_nome"];
              $last = $row["apelido"];
              $phone = $row['nmr_tlm'];
              $email = $row['mail'];
              $nif = $row['nif_id'];

              echo '<tr>';
                      echo '<td>'.$nif.'</td>';
                      echo '<td>'.$first.'</td>';
                      echo '<td>'.$last.'</td>';
                      echo '<td>'.$phone.'</td>';
                      echo '<td>'.$email.'</td>';
                      echo '</tr>';
            }
          }
         ?>

，这给了我一个像profile?Id=0000这样的URL。我该如何翻身

if(isset($_GET["id"])){
      $id = $_GET["id"];
      $sql = "SELECT * FROM clients WHERE nif_id='".$id."';";

变成准备好的语句，以避免SQL注入？

MySQL-profile？id到准备好的语句

0 个答案: