可能重复:
Practises for getting information from $_GET/$_POST and saving it to a database?
只是想知道对于输入字符串的用户的MySQL数据库插入的安全性我应该注意什么。
目前,我正在为我希望放入数据库的每个$ _GET或$ _POST输入做mysql_real_escape_string($string)
。那很酷吗?我还需要做什么?
答案 0 :(得分:0)
$stmt = mysqli_prepare($con,"INSERT INTO friend_request (ToUID, FromUID) VALUES (?,?)");
mysqli_stmt_bind_param($stmt, "ii", $fid, $uid); //i-> Integer, S -> string
mysqli_stmt_execute($stmt);
if (mysqli_stmt_affected_rows($stmt))
echo 'Request Sent';
else
echo 'Something went wrong !';
答案 1 :(得分:0)
这是我的过程:
//check to see if the request came from your server or not $server = substr($_SERVER[HTTP_REFERER],0,LENGTH OF INCOMING PAGE); $prevPage = ""; //the incoming page if ($server != $prevPage) { header("Location: $prevPage"); exit; } else { //pull and sanitize the data include('link.php'); //include the link to your database $var = $link->mysql_real_escape_string($_POST['data']); //check for null values in required fields //run the data through a regular expression check //then store the information
您可以执行更多操作来验证输入的数据。