嗨,我在我的网站有一个联系表单,用户可以选择性地填写一些字段,并在点击提交按钮数据保存到数据库,所有这一切工作正常,直到我决定从SQL注入消毒我的代码,我在第一次试图从SQL注入消毒它,它工作正常,因为我表现出下面的代码之前提到null列保护免受sql注入
<form method="Post" action="">
<input type="text" name="name" />name
<select dir="rtl" style="width: 173px;" name="case" >
<option value="" disabled selected hidden>اplease choose</option>
<option value='rent'>rent</option>
<option value='sell'>sell</option>
</select >
<input type="checkbox" name="check1" value='a'>apartment<br>
<input type="submit" value="submit" />
</form>
<?php
include("config.php");
if(isset($_POST['submit'])){
$date_clicked = date('Y-m-d H:i:s');
}
//insert to database
\t $insert =mysqli_query($connect,"INSERT INTO $db_table VALUES (to simplify code i do not write this part)");
}
?>
<form method="Post" action="">
<input type="text" name="name" />name
<select dir="rtl" style="width: 173px;" name="case" >
<option value="" disabled selected hidden>اplease choose</option>
<option value='rent'>rent</option>
<option value='sell'>sell</option>
</select >
<input type="checkbox" name="check1" value='a'>apartment<br>
<input type="submit" value="submit" />
</form>
<?php
include("config.php");
if(isset($_POST['submit'])){
$date_clicked = date('Y-m-d H:i:s');
}
if(isset($_POST['submit'])){
//insert to database
$query = mysqli_prepare($connect, "INSERT INTO $db_table VALUES (?,?,?,?)");
/* bind parameters for markers */
mysqli_stmt_bind_param($query, "ssss", $_POST[name],$_POST['check1'],$_POST['case'],$_POST['date_clicked']);
// execute query
if (mysqli_stmt_execute($query)) {
echo "Successfully inserted " . mysqli_affected_rows($connect) . " row";
} else {
echo "Error occurred: " . mysqli_error($connect);
}
}
?>
请帮我
'$ _POST [name]'应该是'$ _POST [“name”]',这是在您的原始代码中,还是只是在您粘贴在代码中的错字? – apokryfos
不是原来的那个,它是$ _POST [“name”] – Malekian
确保没有任何PHP警告。例如,只有当复选框被设置时,才会设置'$ _POST [“check1”]',这样你会在那里得到一个PHP警告,这会使该行中的其余代码行为不当。此外,请确保您的数据库表允许可选字段中的空值。 – apokryfos