嗨,我在我的網站有一個聯繫表單,用戶可以選擇性地填寫一些字段,並在點擊提交按鈕數據保存到數據庫,所有這一切工作正常,直到我決定從SQL注入消毒我的代碼,我在第一次試圖從SQL注入消毒它,它工作正常,因爲我表現出下面的代碼之前提到null列保護免受sql注入
<form method="Post" action="">
<input type="text" name="name" />name
<select dir="rtl" style="width: 173px;" name="case" >
<option value="" disabled selected hidden>اplease choose</option>
<option value='rent'>rent</option>
<option value='sell'>sell</option>
</select >
<input type="checkbox" name="check1" value='a'>apartment<br>
<input type="submit" value="submit" />
</form>
<?php
include("config.php");
if(isset($_POST['submit'])){
$date_clicked = date('Y-m-d H:i:s');
}
//insert to database
\t $insert =mysqli_query($connect,"INSERT INTO $db_table VALUES (to simplify code i do not write this part)");
}
?>
<form method="Post" action="">
<input type="text" name="name" />name
<select dir="rtl" style="width: 173px;" name="case" >
<option value="" disabled selected hidden>اplease choose</option>
<option value='rent'>rent</option>
<option value='sell'>sell</option>
</select >
<input type="checkbox" name="check1" value='a'>apartment<br>
<input type="submit" value="submit" />
</form>
<?php
include("config.php");
if(isset($_POST['submit'])){
$date_clicked = date('Y-m-d H:i:s');
}
if(isset($_POST['submit'])){
//insert to database
$query = mysqli_prepare($connect, "INSERT INTO $db_table VALUES (?,?,?,?)");
/* bind parameters for markers */
mysqli_stmt_bind_param($query, "ssss", $_POST[name],$_POST['check1'],$_POST['case'],$_POST['date_clicked']);
// execute query
if (mysqli_stmt_execute($query)) {
echo "Successfully inserted " . mysqli_affected_rows($connect) . " row";
} else {
echo "Error occurred: " . mysqli_error($connect);
}
}
?>
請幫我
'$ _POST [name]'應該是'$ _POST [「name」]',這是在您的原始代碼中,還是隻是在您粘貼在代碼中的錯字? – apokryfos
不是原來的那個,它是$ _POST [「name」] – Malekian
確保沒有任何PHP警告。例如,只有當複選框被設置時,纔會設置'$ _POST [「check1」]',這樣你會在那裏得到一個PHP警告,這會使該行中的其餘代碼行爲不當。此外,請確保您的數據庫表允許可選字段中的空值。 – apokryfos