我有以下PHP函数:
public function signup() {
$mysql = mysqli_connect(HOSTNAME, USERNAME, PASSWORD, DATABASE);
if (mysqli_connect_errno($mysql)) {
$this->viewModel->set("pageTitle", "Signup");
$this->viewModel->set("message", "There was an error connecting to the server.");
return $this->viewModel;
}
if ($result = $mysql->query("SELECT id FROM mailinglist WHERE email='" . $this->email . "';")) {
if ($result->num_rows == 0) {
$mysql->query("INSERT INTO mailinglist (email) VALUES ('" . $this->email . "');");
$this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . ".");
} else {
$this->viewModel->set("message", "You are already signed up for updates!");
}
} else {
$this->viewModel->set("message", "There was an error adding you the mailing list.");
}
$this->viewModel->set("pageTitle", "Signup");
return $this->viewModel;
}
哪个运行正常,并返回我想要的,但是,如果我尝试使用mysqli_real_escape_string()来查询,它不起作用 . 也就是说,以下代码
public function signup() {
$mysql = mysqli_connect(HOSTNAME, USERNAME, PASSWORD, DATABASE);
if (mysqli_connect_errno($mysql)) {
$this->viewModel->set("pageTitle", "Signup");
$this->viewModel->set("message", "There was an error connecting to the server.");
return $this->viewModel;
}
$query = $mysql->real_escape_string("SELECT id FROM mailinglist WHERE email='" . $this->email . "';");
if ($result = $mysql->query($query)) {
if ($result->num_rows == 0) {
$query = $mysql->real_escape_string("INSERT INTO mailinglist (email) VALUES ('" . $this->email . "');");
$mysql->query($query);
$this->viewModel->set("message", "Great! Thanks for signing up " . $this->email . ".");
} else {
$this->viewModel->set("message", "You are already signed up for updates!");
}
} else {
$this->viewModel->set("message", "There was an error adding you the mailing list.");
}
$this->viewModel->set("pageTitle", "Signup");
return $this->viewModel;
}
不起作用 . 这不是连接的问题,我尝试使用mysqli_real_escape_string()而不是$ mysql-> real_escape_string(),但它们都不起作用 . 任何人都可以看到这个代码有什么问题吗?
2 回答
不要这样做,使用准备好的陈述 . 它们更安全,更可靠 . 您仍然需要清理数据以获得正确的值和跨站点脚本,以便列出您仍会遇到的一些风险 . 转义数据是防止SQL注入的一种方法,但它不是完全证明 . 准备好的语句告诉数据库服务器假设传入数据不安全并且只接受它,并且不像连接字符串那样处理它 . 数据库将您的参数视为语句的变量而不是语句的一部分 .
以下是您如何改变自己的准备陈述:
您必须转义数据而不是整个查询 .