我为现场访客创建了访客登录门户,他们输入了各种详细信息。提交后,它会显示一个徽章并将数据记录到数据库中,我唯一担心的是自我学习我的编码并不出色,并且知道如何使用技术来防止SQL注入,我使用了mysqli_real_escape_string和mysqli_stmt_bind_param等各种方法。我还能采取其他措施来防止SQL注入。
<?php
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
$mysqli = new mysqli("","","","");
$mysqli->set_charset("utf8mb4");
} catch(Exception $e) {
error_log($e->getMessage());
exit('Error connecting to database');
}
$full_name = mysqli_real_escape_string($mysqli, $_POST['full_name']);
$company = mysqli_real_escape_string($mysqli, $_POST['company']);
$visiting = mysqli_real_escape_string($mysqli, $_POST['visiting']);
$vehicle = mysqli_real_escape_string($mysqli, $_POST['vehicle']);
$stmt = $mysqli->prepare("INSERT INTO signin (full_name ,company, visiting, vehicle) VALUES (?, ?, ?, ?)");
mysqli_stmt_bind_param($stmt, "ssss", $full_name, $company, $visiting, $vehicle );
$stmt -> execute();
echo "<p><h1>$full_name</h1></p>";
echo "<p>Company: $company</p>";
echo "Date: " . date("Y-m-d") ."";
$stmt->close();
$mysqli->close();
header( "refresh:10;url=VisitorHomePage.html" );
?>