-2

I am New to development.I have created an simple html 5 game for facebook .I use post Request to update.php to store score in database.

Below is my code 

<? 
include 'config.php';
mysql_connect(localhost,$user,$password);
$id = mysql_real_escape_string($_POST['id']);
$score = mysql_real_escape_string($_POST['score']);
@mysql_select_db($database) or die( "Unable to select database");
$query = "UPDATE heli SET score = '$score' WHERE app = '$id'";
echo $query;
$result=mysql_query($query);
mysql_close();
?>

Many Complain that my code is vulnerable to Sql injection.Any one Suggest good code that is Secure.Thanks..

4

2 回答 2

4

use PDO or MySQLi Extension on PHP. Please read the article below,

于 2013-02-22T12:27:16.240 回答
1

不,您当前的代码不容易受到攻击。但是,您的其他代码可以。
只要你把它mysql_real_escape_string()当作一种“万能注射预防剂”,你就有危险。

这是我对类似问题的解释的答案

于 2013-02-22T12:31:32.957 回答