我被告知這段代碼非常容易受到SQL注入的影響。我如何改變它以變得安全?我知道使用準備好的語句是最好的,但我還沒有找到一種不會破壞它的方法。使用預準備語句?我完全不明白
<?php
$con = new mysqli("localhost", "", "", "");
// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$existsQuery = "select count(*) as count from entry where emailaddress like '" . $_POST[emailaddress] . "'";
$existsResult = mysqli_query($con, $existsQuery);
if ($existsResult->fetch_object()->count > 0) {
header('Location: index2.php?email=exists');
} else {
$sql = "INSERT INTO entry (firstname, lastname, emailaddress, favoritesong) VALUES ('$_POST[firstname]','$_POST[lastname]','$_POST[emailaddress]','$_POST[favoritesong]')";
if (!mysqli_query($con, $sql)) {
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
}
mysqli_close($con);
?>
老實說,只需找到一份好的[PDO教程](http://j.mp/PoWehJ),然後讓它工作。然後返回並將您學到的知識應用於您的代碼。先理解它,然後再應用它。在同一時間嘗試兩種方法都很困難,而且可能是壓倒性的。 – 2013-05-03 12:44:40
還有各種各樣的MySQLi教程(如[this](http://forum.codecall.net/topic/44392-php-5-mysqli-prepared-statements/)) – kero 2013-05-03 12:46:21
永遠不會信任客戶端數據...多數民衆贊成在所有:) – 2013-05-03 12:48:00