我正在尝试保护我的PHP mysqli_real_escape_string代码,但无效。
我尝试过,但是没有用。
$connection=mysqli_connect("");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$msg='';
if(!empty($_GET['code']) && isset($_GET['code']))
{
$code=$connection->mysqli_real_escape_string($_GET['code']);
$c=$connection->mysqli_query("SELECT id FROM users WHERE activationcode='$code'");
$code=$connection->bind_param("sss", $activationcode);
if(mysqli_num_rows($c) > 0)
{
$count=mysqli_query($connection,"SELECT id FROM users WHERE activationcode='$code' and status='0'");
if(mysqli_num_rows($count) == 1)
{
mysqli_query($connection,"UPDATE users SET status='1' WHERE activationcode='$code'");
$msg="Your account is activated";
}
else
{
$msg ="Your account is already active, no need to activate again";
}
}
else
{
$msg ="Wrong activation code.";
}
}
?>
<?php echo $msg; ?>
我的代码是:
$connection=mysqli_connect("");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$msg='';
if(!empty($_GET['code']) && isset($_GET['code']))
{
$code=mysqli_real_escape_string($connection,$_GET['code']);
$c=mysqli_query($connection,"SELECT id FROM users WHERE activationcode='$code'");
if(mysqli_num_rows($c) > 0)
{
$count=mysqli_query($connection,"SELECT id FROM users WHERE activationcode='$code' and status='0'");
if(mysqli_num_rows($count) == 1)
{
mysqli_query($connection,"UPDATE users SET status='1' WHERE activationcode='$code'");
$msg="Your account is activated";
}
else
{
$msg ="Your account is already active, no need to activate again";
}
}
else
{
$msg ="Wrong activation code.";
}
}
?>
<?php echo $msg; ?>
当我尝试转到该URL时,它给我一个错误,而不是激活用户帐户。