如果插入用户输入而不修改SQL查询,则应用程序容易受到SQL注入的攻击,如下例所示:
$unsafe_variable = $_POST['user_input'];
mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");
这是因为用户可以输入类似的内容value'); DROP TABLE table;--,查询变为:
INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')
可以采取哪些措施来防止这种情况发生?
我想第一次使用mySQLi.我已经在循环的情况下完成了它.循环结果显示但我在尝试显示单个记录时卡住了.这是循环代码正在工作.
<?php
// Connect To DB
$hostname="localhost";
$database="mydbname";
$username="root";
$password="";
@$conn = mysqli_connect($hostname, $username, $password)
or die("Could not connect to server " . mysql_error());
mysqli_select_db($conn, $database)
or die("Error: Could not connect to the database: " . mysql_error());
/*Check for Connection*/
if(mysqli_connect_errno()){
// Display Error message if fails
echo 'Error, could not connect to the database please try again again.';
exit();
}
?>
<?php
$query = "SELECT ssfullname, ssemail FROM userss ORDER BY ssid";
$result = mysqli_query($conn, $query);
@$num_results = mysqli_num_rows($result); …我只需要从mysql数据库中获取用户名为X的成员的id.这只能通过while循环完成,还是有其他方法吗?
我在想的是:
$id = mysqli_query($con,'SELECT id FROM membrs WHERE username = '$username' LIMIT 1)
谢谢,