所以我的基于PHP的应用程序很容易进行SQL注入,因为我不使用预处理语句,现在我不得不使用prepare语句,这非常困难,因为我一次要向表单中插入100多个变量。
下面是我的mysqli_query语句的示例,该语句更新了我的表单。这只是一个简单的表格,我有超过100个帖子的类似表格。据我所知,除了准备好的语句外别无选择,请提出一些建议,以最少的努力将这些更新为准备好的语句。
<?php
/* Connect to database. */
require ("../db_con.php");
date_default_timezone_set('Asia/Kolkata');
$school_id = $_REQUEST['school_id'];
$principal =ucwords(strtolower($_REQUEST['principal']));
$school_role = $_REQUEST['school_role'];
$principal_contact = $_REQUEST['principal_contact'];
$dise_code = $_REQUEST['dise_code'];
$building = $_REQUEST['building'];
$rent = $_REQUEST['rent'];
$school_name = $_REQUEST['school_name'];
$door_no = $_REQUEST['door_no'];
$street = ucwords(strtolower($_REQUEST['street']));
$area = ucwords(strtolower($_REQUEST['area']));
$taluk = ucwords(strtolower($_REQUEST['taluk']));
$post_name =ucwords(strtolower($_REQUEST['post_name']));
$pin_code = $_REQUEST['pin_code'];
$year_started = $_REQUEST['year_started'];
$stamp = date('d/m/Y h:i:s a', time()).' by ADMIN';
$update_profile = "UPDATE profile t1
INNER JOIN admission t2 ON t1.school_id=t2.school_id
INNER JOIN results t3 ON t1.school_id=t3.school_id
SET
t1.principal = '$principal',
t1.school_role = '$school_role',
t1.principal_contact = '$principal_contact',
t1.dise_code = '$dise_code',
t1.building = '$building',
t1.rent = '$rent',
t1.school_name = '$school_name',
t2.school_name = '$school_name',
t3.school_name = '$school_name',
t1.door_no = '$door_no',
t1.street = '$street',
t1.area = '$area',
t1.taluk = '$taluk',
t2.taluk = '$taluk',
t3.taluk = '$taluk',
t1.post_name = '$post_name',
t1.pin_code = '$pin_code',
t1.date_time = '$stamp',
t1.year_started = '$year_started',
t1.status = '1'
where t1.school_id = '$school_id' ";
if (mysqli_query($db_con,$update_profile)){
header("Location:profile_list.php?success&&school_id=$school_id");
}
else
{
echo("Error description: " . mysqli_error($db_conx));
}
?>
更新1:
$data= [
'school_id' => $_REQUEST['school_id'],
'principal' => ucwords(strtolower($_REQUEST['principal'])),
'school_role' => $_REQUEST['school_role'],
'principal_contact' => $_REQUEST['principal_contact'],
'place' => $_REQUEST['place'],
'dise_code' => $_REQUEST['dise_code'],
'building' => $_REQUEST['building'],
'rent' => $_REQUEST['rent'],
'school_name' => $_REQUEST['school_name'],
'door_no' => $_REQUEST['door_no'],
'street' => ucwords(strtolower($_REQUEST['street'])),
'area' => ucwords(strtolower($_REQUEST['area'])),
'taluk' => ucwords(strtolower($_REQUEST['taluk'])),
'post_name' => ucwords(strtolower($_REQUEST['post_name'])),
'pin_code' => $_REQUEST['pin_code'],
'warden' => ucwords(strtolower($_REQUEST['warden'])),
'hostel_role' => $_REQUEST['hostel_role'],
'warden_contact' => $_REQUEST['warden_contact'],
'year_started' => $_REQUEST['year_started'],
'stamp' => date('d/m/Y h:i:s a', time()).' by Admin'
];
$sql = "UPDATE profile t1
INNER JOIN admission t2 ON t1.school_id=t2.school_id
INNER JOIN sslc_results t3 ON t1.school_id=t3.school_id
SET
t1.school_id = :school_id,
t1.principal = :principal,
t1.school_role = :school_role,
t1.principal_contact = :principal_contact,
t1.place = :place,
t1.dise_code = :dise_code,
t1.building = :building,
t1.rent = :rent,
t1.school_name = :school_name,
t2.school_name = :school_name,
t3.school_name = :school_name,
t1.door_no = :door_no,
t1.street = :street,
t1.area = :area,
t1.taluk = :taluk,
t2.taluk = :taluk,
t3.taluk = :taluk,
t1.post_name = :post_name,
t1.pin_code = :pin_code,
t1.warden = :warden,
t1.hostel_role = :hostel_role,
t1.warden_contact = :warden_contact,
t1.year_started = :year_started,
t1.date_time = :stamp,
t1.status = 1
where t1.school_id = :school_id ";
if ($pdo->prepare($sql)->execute($data)){
header("Location:profile_list.php?success");
}
else
{
echo("Error description: " . mysqli_error($db_conx));
}
是否可以使用它来防止SQL注入?