I'm still new to PHP bind_param, and I'm wondering how to convert this (search) part of the script to avoid SQL injection? I'm still stuck (I actually don't know how to approach this):
$rest .= "where name like '%" . $name . "%'";
$rest .= "where country='" . $country . "'";
$rest .= "where ip = '" . $ip . "'";
////////////////////////////////////////////////////////////////////////////
$name    = $_POST['name'];
$country = $_POST['country'];
$ip      = $_POST['ip'];
$o    = "AND";
$rest = "";
$text = "Search Keywords : ";

// Each filter is appended to $rest by string concatenation, so the raw
// POST values end up inside the SQL text itself.
if ($name != "") {
    if ($rest == "") {
        $rest .= "where name like '%" . $name . "%'";
        $text .= "Name like " . $name . " ";
    } else {
        $rest .= "$o name like '%" . $name . "%'";
        $text .= "Name like " . $name . " ";
    }
}
if ($country != "") {
    if ($rest == "") {
        $rest .= "where country='" . $country . "' ";
        $text .= "Country = " . $country . "";
    } else {
        $rest .= " $o country='" . $country . "' ";
        $text .= ", Country = " . $country . "";
    }
}
if ($ip != "") {
    if ($rest == "") {
        $rest .= "where ip = '" . $ip . "' ";
        $text .= "Ip Address = " . $ip . " ";
    } else {
        $rest .= " $o ip = '" . $ip . "' ";
        $text .= ", Ip Address = " . $ip . " ";
    }
}

// $search (the table name) and $mysqli (the connection) are set earlier in the script.
// $rest is interpolated straight into the query text, so prepare() here gives no protection.
$stmt = $mysqli->prepare("select $search.* from $search $rest order by id");
$stmt->execute();
$stmt->store_result();
$num = $stmt->num_rows;
Answer 0 (score: 0)
You should not concatenate strings to build the query. Use question marks instead:
where country='".$country."'
should be:
where country=?
Then use bind_param with the ordinal (the question-mark parameter number) and the associated value.
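The search from the question rewritten the way the answer describes, as an added example that is not part of the original question or answer. It assumes $mysqli is an open mysqli connection, that the table name in $search comes from the request and must match a fixed list (the names in $allowedTables are made up), and that the three filter values arrive in $_POST as in the question. Each filter contributes a `?` placeholder plus one bound value; the `%` wildcards for LIKE go into the bound value, not into the SQL text, and the table name is whitelisted because mysqli cannot bind identifiers.

```php
<?php
// Added example, not code from the original post. Assumes $mysqli is an
// open mysqli connection and that the table name is chosen from a fixed list.

// Table and column names cannot be bound with bind_param, so the table
// name is checked against a whitelist instead of being interpolated raw.
$allowedTables = ['users', 'visitors'];            // assumed table names
$search = $_POST['search'] ?? 'users';
if (!in_array($search, $allowedTables, true)) {
    http_response_code(400);
    exit('unknown table');
}

$name    = trim($_POST['name']    ?? '');
$country = trim($_POST['country'] ?? '');
$ip      = trim($_POST['ip']      ?? '');

$conditions = [];   // SQL fragments, each containing one ? placeholder
$values     = [];   // values bound to those placeholders, in the same order
$types      = '';   // one bind_param type character per value ('s' = string)
$textParts  = [];   // human-readable summary of the active filters

if ($name !== '') {
    // The wildcards belong in the bound value, not in the SQL. If users must
    // not be able to supply their own wildcards, escape % and _ first:
    //   $name = addcslashes($name, '\\%_');
    $conditions[] = 'name LIKE ?';
    $values[]     = '%' . $name . '%';
    $types       .= 's';
    $textParts[]  = 'Name like ' . $name;
}
if ($country !== '') {
    $conditions[] = 'country = ?';
    $values[]     = $country;
    $types       .= 's';
    $textParts[]  = 'Country = ' . $country;
}
if ($ip !== '') {
    $conditions[] = 'ip = ?';
    $values[]     = $ip;
    $types       .= 's';
    $textParts[]  = 'Ip Address = ' . $ip;
}

$text  = 'Search Keywords : ' . implode(', ', $textParts);
$where = $conditions ? ' WHERE ' . implode(' AND ', $conditions) : '';
$sql   = "SELECT $search.* FROM $search$where ORDER BY id";

$stmt = $mysqli->prepare($sql);
if ($stmt === false) {
    throw new RuntimeException('prepare failed: ' . $mysqli->error);
}
if ($values) {
    // bind_param takes a type string followed by one variable per ?.
    // Argument unpacking (PHP 5.6+) passes the array elements by reference,
    // which is what bind_param requires.
    $stmt->bind_param($types, ...$values);
}
$stmt->execute();
$stmt->store_result();
$num = $stmt->num_rows;
```

With this shape the user-supplied strings never become part of the SQL text: the server receives the query template with `?` markers and the values separately, so a value such as `' OR 1=1 --` is compared literally against the column. The only piece still interpolated is the table name, and that is why it is restricted to a known list before the query is assembled.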