0
此代碼檢查表單輸入值是否爲空,如果是 - 更新相關行(id)的相關MySql列。SQL準備語句和str_replace()的組合 - 是否安全?
str_replace()是否在準備語句(用於通過列循環)上運行使其易受攻擊?
此代碼是否安全?有更好的選擇嗎?
// get submitted form values
$ids = $_POST['ids_edit_mult'];
$exhibition_he = $_POST['exhibition_he_edit_mult'];
$subjects_en = $_POST['subjects_en_edit_mult'];
$subjects_he = $_POST['subjects_he_edit_mult'];
$keywords_en = $_POST['keywords_en_edit_mult'];
$keywords_he = $_POST['keywords_he_edit_mult'];
$year = $_POST['year_edit_mult'];
$sold = $_POST['sold_edit_mult'];
$columns_array = array("exhibition_he", "subjects_en", "subjects_he", "keywords_en", "keywords_he", "year", "sold");
$values_array = array($exhibition_he, $subjects_en, $subjects_he, $keywords_en, $keywords_he, $year, $sold);
$ids_array = explode(", ", $ids);
for ($i1=0; $i1 < count($values_array); $i1++) {
if ($values_array[$i1] != "") {
for ($i2=0; $i2 < count($ids_array); $i2++) {
// prepare statement for editing row values ($stmt1)
$sql_string = "UPDATE paintings_catalog SET column=? WHERE id=?";
$sql = str_replace("column", $columns_array[$i1], $sql_string);
$stmt1 = $conn->prepare($sql);
// bind submitted row values
$stmt1->bind_param("si", $values_array[$i1], $ids_array[$i2]);
// edit row values
$stmt1->execute();
}
}
}