可能重复:
Practises for getting information from $_GET/$_POST and saving it to a database?
只是想知道对于输入字符串的用户的MySQL数据库插入的安全性我应该注意什么。
目前,我正在为我希望放入数据库的每个$ _GET或$ _POST输入做mysql_real_escape_string($string)。那很酷吗?我还需要做什么?
答案 0 :(得分:0)
$stmt = mysqli_prepare($con,"INSERT INTO friend_request (ToUID, FromUID) VALUES (?,?)");
mysqli_stmt_bind_param($stmt, "ii", $fid, $uid); //i-> Integer, S -> string
mysqli_stmt_execute($stmt);
if (mysqli_stmt_affected_rows($stmt))
echo 'Request Sent';
else
echo 'Something went wrong !';
答案 1 :(得分:0)
这是我的过程:
//check to see if the request came from your server or not
$server = substr($_SERVER[HTTP_REFERER],0,LENGTH OF INCOMING PAGE);
$prevPage = ""; //the incoming page
if ($server != $prevPage) {
header("Location: $prevPage");
exit;
} else {
//pull and sanitize the data
include('link.php'); //include the link to your database
$var = $link->mysql_real_escape_string($_POST['data']);
//check for null values in required fields
//run the data through a regular expression check
//then store the information
您可以执行更多操作来验证输入的数据。