任何人都可以改进此代码,使其安全并使用预处理语句吗?
$sql= "INSERT INTO users
(level,fname, mname, lname, dob, age, reg_date, phone, email, login, pwd, type, `group`, region, school, class, ip, subject, ban, university, profession, activation_code)
VALUES
('1','$data[fname]', '$data[mname]', '$data[lname]', '$dob', '$age', now(), '$data[phone]', '$email', '$login', '$pwd', '$type', '$group', '$region', '$school', '$class', '$ip', '$subject', NULL, '$university', '$profession', '$activ_code')";
$result = $db->query($sql) or die(printf("Error: %s\n", $db->error));
$id = $db->insert_id;
$md5_id = md5($id);
$db->query("update users set md5_id='$md5_id' where id='$id'");
// echo "<h3>Thank You</h3> We received your submission.";
?>
答案 0 :(得分:2)
如果我们假设所有直接变量都填充了用户生成的内容,那么您的代码对于sql注入是完全开放的。而是使用prepare语句和bind_param()自动设置正确的安全设置/转义:
$stmt = $dbh->prepare(
"INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam('name', $name);
$stmt->bindParam('value', $value);
mysqli_stmt_execute($stmt);
答案 1 :(得分:1)
如何定义列? MySQL只对字符串使用单引号,尝试将它们从非字符串字段(level,dob,age)中取出。