$ID = $db->real_escape_string(strip_tags(stripslashes($_GET['ID'])));
$GetThreadFromID = mysqli_fetch_object(mysqli_query($db, "SELECT * FROM ForumThreads WHERE ID=$ID"));
$GetThreadStarter = mysqli_fetch_object(mysqli_query($db, "SELECT * FROM Users WHERE ID='$GetThreadFromID->PosterID'"));
$GetTopicFromThread = mysqli_fetch_object(mysqli_query($db, "SELECT * FROM ForumTopics WHERE ID='$GetThreadFromID->ForumID'"));
$ThreadExist = mysqli_num_rows(mysqli_query($db, "SELECT * FROM ForumThreads WHERE ID='$ID'"));
$GetAllWatching = mysqli_query($db, "SELECT * FROM ForumWatchedThreads WHERE ThreadID='$ID' AND UserID='$client->ID'");
if ($ThreadExist == "0") {
echo "
<div class='container'>
<div class='panel panel-danger'>
<div class='panel-heading'>Error</div>
<div class='panel-body'>
The thread you requested does not exist.
</div>
</div>
</div>
";
include $_SERVER["DOCUMENT_ROOT"]."/_INCLUDES/Footer.php";
exit();
}
我有一個手動編碼論壇的網站。你可以訪問論壇線程罰款。假設線程ID爲12,但我在其末尾加上了一個撇號?ID =,那麼論壇標題和論壇主體將與其他信息一起爲空。我怎樣才能使它所以它會顯示與ID線程,因此,如果我把這個在地址欄:???ID = 13 //或ID = 13「」,它仍然會顯示ID = 13,不受任何干擾,甚至顯示錯誤說論壇帖子不存在?當在ID中輸入撇號時沒有數據顯示 - PHP
閱讀本文http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – rjdown