通過$ _Get防止SQL注入

Question

我在我的網站上有一個代碼，它調用特定行的引腳和來自該行的回波數據。我需要知道如何防止使用代碼進行SQL注入。

這就是：

<?php 
if (isset($_GET['pin'])) 
{ 
$con=mysqli_connect("server.com","username","password","database"); 
if (mysqli_connect_errno()) 
    { 
    echo "Failed to connect to MySQL: " . mysqli_connect_error(); 
    } 
$result = mysqli_query($con,"SELECT * FROM beta WHERE pin = " . $_GET['pin']); 
while($row = mysqli_fetch_array($result)) 
    { 
    echo "<table width='600px'><td width='200px'><font face='arial' size='2px'>" . $row['name_pin'] . " " . $row['pin'] . "</font></td><td width='200px'><font face='arial' size='2px'>" . $row['name_info'] . "" . $row['info'] . "</font></td><td width='200px'><font face='arial' size='2px'>" . $row['name_stat'] . " " . $row['stat'] . "</font></td></table>"; 
    echo "<br>"; 
    } 
mysqli_close($con); 
} 
?> 

感謝提前所有幫助！ P.S .:信息越豐富，你越好。

Answer 1

<?php 
if (isset($_GET['pin'])){ 
$con=mysqli_connect("server.com","username","password","database"); 
$pin= mysqli_real_escape_string($con, $_GET['pin']); 
//rest of code, 

http://php.net/manual/en/mysqli.real-escape-string.php

Answer 2

參數值，

$pin = $_GET['pin']; 
$stmt = $dbConnection->prepare('SELECT * FROM beta WHERE pin = ?'); 
$stmt->bind_param('s', $pin); 
$stmt->execute(); 

• More on this link...