dpt8910 2015-11-07 21:19
Views: 39
Accepted

Call to a member function bind_param() on boolean [duplicate]

This question already has an answer here:

I am currently working through my code and trying to implement measures to protect from SQL injections. My other pages work fine; however, this page is a little different.

The user determines which table they are to delete from, by using the $Level variable (don't worry, this is restricted to three). It worked with the old vulnerable method but doesn't now. Any ideas?

if (isset($_POST['Delete']))
{
    $Level = trim($_POST['Level']);
    $UserName = trim($_POST['UserName']);
    //----------------Check if Exists------------------//
    // A '?' placeholder can only stand for a value, never for a table name,
    // so prepare() cannot parse this statement and returns false; the next
    // line then calls bind_param() on that boolean, which is the error.
    $Check = $conn->prepare("SELECT * FROM ? WHERE UserName = ?");
    $Check->bind_param('ss', $Level, $UserName);
    $Check->execute();
    $result = $Check->get_result();
    $count = $result->num_rows;
    if ($count > 0)
    {
        $Confirm = $UserName . ' Deleted';
        //----------------Delete SQL-------------------//
        // Old method: both inputs are interpolated straight into the SQL text (vulnerable).
        $Delete = "DELETE FROM $Level WHERE UserName = '$UserName'";
        $Delete = mysqli_query($conn, $Delete);
        header("refresh:5;url=stratdeleteuser.php");
    }
    else
    {
        $Confirm = 'No Matches Found';
    }
}


1 answer

  • doubishi8303 2015-11-07 22:48

    An if statement would suffice to protect the user input.

    // Allow-list the table name: an identifier cannot be bound with '?',
    // so only a known, constant value of $Level is ever spliced into the query.
    if ($Level == 'strategic' || $Level == 'tactical')
    {
        //----------------Check if Exists------------------//
        $Check = $conn->prepare("SELECT * FROM $Level WHERE UserName = ?");
        $Check->bind_param('s', $UserName);   // the value is still a bound parameter
        $Check->execute();
        $result = $Check->get_result();       // get_result() requires the mysqlnd driver
        $count = $result->num_rows;
        if ($count > 0)
        {
            //----------------Delete SQL-------------------//
            $Delete = $conn->prepare("DELETE FROM $Level WHERE UserName = ?");
            $Delete->bind_param('s', $UserName);
            $Delete->execute();
            $Confirm = $UserName . ' Deleted';
            header("refresh:5;url=stratdeleteuser.php");
        }
        else
        {
            $CheckErr = 'No Matches Found';
        }
    }
    else
    {
        $CheckErr = 'Invalid Level';   // anything outside the allow-list never reaches SQL
    }
    

    I took care of the latter part for you to implement the OO style, as Terminus rightfully suggested.

    This answer was accepted by the asker.
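The point the question and the accepted answer turn on is that a prepared-statement bind marker is a slot for a value, not for an identifier, so a table name has to be validated against an allow-list and only the UserName value gets bound. The following is an added example that is not code from the original post or its answer; it uses Python's sqlite3 module instead of PHP/mysqli because the rule is driver-independent and the script runs offline. The table names `strategic` and `tactical` are taken from the answer; the rows, the `ALLOWED_TABLES` constant and the function names are assumptions made for this example.

```python
import sqlite3

# Constructed in-memory stand-in for the post's MySQL tables (one table per
# $Level value, each with a UserName column). Sample rows are made up here.
def make_db():
    conn = sqlite3.connect(":memory:")
    for table in ("strategic", "tactical"):
        conn.execute(f"CREATE TABLE {table} (UserName TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO strategic VALUES (?)", [("alice",), ("bob",)])
    conn.executemany("INSERT INTO tactical VALUES (?)", [("carol",), ("dave",)])
    conn.commit()
    return conn


def placeholder_as_table_name_fails(conn):
    """The question's statement: a '?' where the table name belongs.
    A bind marker is a slot for a value, so the SQL is a syntax error at
    prepare time. Returns True when the driver rejects it (the same kind of
    prepare-time failure that makes mysqli's prepare() return false)."""
    try:
        conn.execute("SELECT * FROM ? WHERE UserName = ?", ("strategic", "alice"))
    except sqlite3.OperationalError:
        return True
    return False


def delete_user_vulnerable(conn, level, user_name):
    """The 'old vulnerable method' from the question: both inputs are
    interpolated into the SQL text. Kept only to show the damage."""
    cur = conn.execute(f"DELETE FROM {level} WHERE UserName = '{user_name}'")
    conn.commit()
    return cur.rowcount


# The allow-list the answer expresses as an if statement (assumed constant).
# These constants are the only table names that can ever reach the SQL text.
ALLOWED_TABLES = frozenset({"strategic", "tactical"})


def delete_user(conn, level, user_name):
    """Hardened form: the identifier is checked against ALLOWED_TABLES
    (it cannot be a parameter); the value is bound (it must not be
    concatenated). Returns rows deleted; raises ValueError on a bad table."""
    level = level.strip()
    if level not in ALLOWED_TABLES:
        raise ValueError(f"unknown table: {level!r}")
    # Safe to interpolate now: `level` is one of our own constant strings.
    cur = conn.execute(f"DELETE FROM {level} WHERE UserName = ?", (user_name.strip(),))
    conn.commit()
    return cur.rowcount


def count_users(conn, level):
    """Row count of an allow-listed table, used to observe each call's effect."""
    if level not in ALLOWED_TABLES:
        raise ValueError(f"unknown table: {level!r}")
    return conn.execute(f"SELECT COUNT(*) FROM {level}").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("placeholder as table name rejected:", placeholder_as_table_name_fails(db))
    injected = "x' OR '1'='1"
    print("vulnerable, rows deleted by injected value:", delete_user_vulnerable(db, "tactical", injected))
    print("hardened, rows deleted by the same input:", delete_user(make_db(), "tactical", injected))
```

Run stand-alone, the script shows the three cases side by side: the question's statement is refused before it ever executes, the interpolated DELETE wipes the whole table when the value carries `' OR '1'='1`, and the hardened DELETE treats that same input as a literal user name and matches nothing. A table name outside the allow-list is rejected before any SQL string is built, which is what the answer's `if` achieves in PHP.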
