如果插入用户输入而不修改SQL查询,则应用程序容易受到SQL注入的攻击,如下例所示:
$unsafe_variable = $_POST['user_input'];
mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");
这是因为用户可以输入类似的内容value'); DROP TABLE table;--,查询变为:
INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')
可以采取哪些措施来防止这种情况发生?
你好我是PDO的新手,所以迷惑并得到错误;)与mysql_real_escape_string ..
可以任何人帮助,这是我的代码
if(!empty($_POST) && isset($_POST)) {
include ('connection_pdo.php');
$dbh = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
$source_url= mysql_real_escape_string($_POST['source_url']);
$class = mysql_real_escape_string($_POST['class']);
$year = mysql_real_escape_string($_POST['year']);
$date = time();
$ip = $_SERVER['REMOTE_ADDR'];
$insert = $dbh->prepare("
INSERT IGNORE INTO school_students_images
( folder_name, image_url, source_url, class, year , date , ip )
VALUES (:folder_name, :image_url, :source_url, :class, :year, :date, :ip)
");
$a=0;
while ($a<1000){
$a++;
$insert->execute(array(
'folder_name'=> $name->content, //** geting from other source
'image_url' => $link[$a], //** geting from other source
'source_url' => $source_url,
'class' …