使MySQL查询对数据库插入安全(字符串)

时间:2011-05-01 02:53:44

标签: php mysql sql-injection

  

可能重复:
  Practises for getting information from $_GET/$_POST and saving it to a database?

只是想知道对于输入字符串的用户的MySQL数据库插入的安全性我应该注意什么。

目前,我正在为我希望放入数据库的每个$ _GET或$ _POST输入做mysql_real_escape_string($string)。那很酷吗?我还需要做什么?

2 个答案:

答案 0 :(得分:0)

$stmt = mysqli_prepare($con,"INSERT INTO friend_request (ToUID, FromUID) VALUES (?,?)");
mysqli_stmt_bind_param($stmt, "ii", $fid, $uid); //i-> Integer, S -> string
mysqli_stmt_execute($stmt);
if (mysqli_stmt_affected_rows($stmt))
 echo 'Request Sent';
else
 echo 'Something went wrong !';

答案 1 :(得分:0)

这是我的过程:

//check to see if the request came from your server or not
$server = substr($_SERVER[HTTP_REFERER],0,LENGTH OF INCOMING PAGE);
$prevPage = ""; //the incoming page
if ($server != $prevPage) {
    header("Location: $prevPage");
    exit;
} else {
    //pull and sanitize the data
    include('link.php'); //include the link to your database
    $var = $link->mysql_real_escape_string($_POST['data']);

    //check for null values in required fields

    //run the data through a regular expression check

    //then store the information

您可以执行更多操作来验证输入的数据。