-3

我的网站上有一个代码,它调用特定行的引脚,然后回显该行的数据。我需要知道如何使用代码防止 SQL 注入。

这里是:

<?php
if (isset($_GET['pin']))
{
$con=mysqli_connect("server.com","username","password","database");
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
$result = mysqli_query($con,"SELECT * FROM beta WHERE pin = " . $_GET['pin']);
while($row = mysqli_fetch_array($result))
  {
  echo "<table width='600px'><td width='200px'><font face='arial' size='2px'>" . $row['name_pin'] . " " . $row['pin'] . "</font></td><td width='200px'><font face='arial' size='2px'>" . $row['name_info'] . "" . $row['info'] . "</font></td><td width='200px'><font face='arial' size='2px'>" . $row['name_stat'] . " " . $row['stat'] . "</font></td></table>";
  echo "<br>";
  }
mysqli_close($con);
}
?>

感谢您提前提供的所有帮助!PS:信息越多越好。

4

2 回答 2

4

参数化值,

$pin = $_GET['pin'];
$stmt = $dbConnection->prepare('SELECT * FROM beta WHERE pin =  ?');
$stmt->bind_param('s', $pin);
$stmt->execute();
于 2013-05-18T05:35:47.133 回答
0 
<?php
if (isset($_GET['pin'])){
$con=mysqli_connect("server.com","username","password","database");
$pin= mysqli_real_escape_string($con, $_GET['pin']);
//rest of code,

http://php.net/manual/en/mysqli.real-escape-string.php

于 2013-05-18T05:35:54.160 回答