dongwoqin7034 2016-11-25 21:56
46 views
Accepted

Cannot use symbols when inserting into a table (php / sql)

I have a problem with adding some text from my site if that text contains some symbols like (", ?, script, or some SQL tags).

Here is a little bit of code, hope this is enough :)

    if (isset($_POST['submit_achievement'])) {
        $title = $_POST['title_field'];
        $description = $_POST['description_field'];
        // Builds: INSERT INTO achievements (title,description) VALUES ("<title>","<description>")
        // A " (or any other SQL syntax) inside the submitted text becomes part of the statement itself.
        $sql2 = 'INSERT INTO achievements (title,description) VALUES ("' . $title . '","' . $description . '")';
        $records2 = mysqli_query($conn, $sql2);   // $conn: the mysqli connection opened earlier in the script
    }

If you need any more lines from my code, just write. Thanks a lot! :)


1 answer

  • dta38159 2016-11-25 22:03

    The problem here is you're not using prepared statements and you're not escaping things properly, so some symbols conflict with SQL. In general terms this means you're vulnerable to SQL injection bugs.

    Switch to using parameterized queries and bind_param to fix this issue:

    $stmt = mysqli_prepare($conn, "INSERT INTO achievements (title, description) VALUES (?,?)");
    // "ss": both placeholders are bound as strings; the values are sent separately from the SQL text
    $stmt->bind_param("ss", $_POST['title_field'], $_POST['description_field']);
    // the snippet as posted stopped after binding; nothing is written until the statement is executed
    $stmt->execute();

    As a note, try to avoid putting redundant things in names like _field. It's presumed to be a field if it's in a form submission.

    This answer was selected as the best answer by the asker.
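As an added example (not code from the original question or from the answer above), here is the same form input run through the asker's string concatenation and through a prepared statement, side by side, so the difference is visible on real data. It assumes PHP with the PDO SQLite driver (pdo_sqlite) so it runs offline against an in-memory database; the sample title and description are constructed. The mysqli function at the end is the equivalent of the answer's prepare/bind_param approach with the execute() call and error handling added, and assumes the asker's `$conn` connection; it is defined but not called here because it needs a live MySQL server.

```php
<?php
// Added example, not from the original post. Shows the asker's symptom (a " in the text
// breaks the concatenated INSERT) and the fix (a prepared statement stores it intact).
// Uses PDO + SQLite in memory so it runs offline; the mysqli version is at the bottom.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE achievements (id INTEGER PRIMARY KEY, title TEXT, description TEXT)');

// Constructed sample input: what a user might type into the form.
$title = 'Say "hello"';
$description = '<script>alert(1)</script>';

// 1. The asker's approach: text is glued into the SQL. The " inside $title closes the
//    string literal early, so the statement is no longer valid SQL.
$sql = 'INSERT INTO achievements (title,description) VALUES ("' . $title . '","' . $description . '")';
try {
    $db->exec($sql);
    echo "concatenated insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "concatenated insert failed: " . $e->getMessage() . "\n";
}

// 2. Prepared statement: the SQL text contains only placeholders; the values are sent
//    separately and can never be parsed as SQL, whatever symbols they contain.
$stmt = $db->prepare('INSERT INTO achievements (title, description) VALUES (?, ?)');
$stmt->execute([$title, $description]);

// The stored values are exactly what was typed.
$row = $db->query('SELECT title, description FROM achievements')->fetch(PDO::FETCH_ASSOC);
var_dump($row['title'] === $title, $row['description'] === $description);

// mysqli equivalent of the hardened path for the asker's script (assumes $conn is an open
// mysqli connection; not called here). Throws on prepare/execute failure so errors are not
// silently dropped the way an unchecked mysqli_query() result would be.
function insert_achievement_mysqli(mysqli $conn, string $title, string $description): bool
{
    $stmt = mysqli_prepare($conn, 'INSERT INTO achievements (title, description) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($conn));
    }
    $stmt->bind_param('ss', $title, $description);   // "ss": two string parameters
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $stmt->close();
    return true;
}
```

Run it with `php example.php` (the file name is arbitrary). The first insert fails with a syntax error near `hello`, which is the exact situation the question describes; the prepared insert succeeds and both comparisons print `bool(true)`. No escaping function is involved in the fixed path: the database never sees the user's text as part of the query, which is also why this removes the SQL injection risk the answer points out.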
