dpt8910 2015-11-07 21:19
39 views
Accepted

Call to a member function bind_param() on boolean [duplicate]

This question already has an answer here:

I am currently working through my code and trying to implement measures to protect against SQL injection. My other pages work fine; however, this page is a little different.

The user determines which table to delete from; this is done using the $Level variable (don't worry, this is restricted to three). It worked with the old vulnerable method but doesn't now. Any ideas?

if (isset($_POST['Delete']))
{
    $Level = trim($_POST['Level']);
    $UserName = trim($_POST['UserName']);
    //----------------Check if Exists------------------//
    // A table name is an identifier, not a value, so it cannot be bound with '?'.
    // prepare() therefore fails and returns false, and the bind_param() call on
    // that false is the "Call to a member function bind_param() on boolean" error.
    $Check = $conn->prepare("SELECT * FROM ? WHERE UserName = ?");
    $Check->bind_param('ss', $Level, $UserName);
    $Check->execute();
    $result = $Check->get_result();
    $count = $result->num_rows;
    if ($count>0)
    {
        $Confirm= $UserName . ' Deleted';
        //----------------Delete SQL-------------------//
        // Still the old string-built query: both $Level and $UserName go in unescaped.
        $Delete = "DELETE FROM $Level WHERE UserName = '$UserName'";
        mysqli_query($conn, $Delete); // was mysqli_query($conn, $sql) with $sql never defined
        header( "refresh:5;url=stratdeleteuser.php" );
    }
    else
    {
        $Confirm= 'No Matches Found';
    }
}

1 answer

  • doubishi8303 2015-11-07 22:48

    An if statement would suffice to protect the user input

    // Allow-list the table name: only these exact values may be interpolated into SQL.
    if ($Level == 'strategic' || $Level == 'tactical')
    {
        //----------------Check if Exists------------------//
        $Check = $conn->prepare("SELECT * FROM $Level WHERE UserName = ?");
        $Check->bind_param('s', $UserName);
        $Check->execute();
        $result = $Check->get_result();
        $count = $result->num_rows;
        if ($count>0)
        {
            //----------------Delete SQL-------------------//
            $Delete = $conn->prepare("DELETE FROM $Level WHERE UserName = ?");
            $Delete->bind_param('s', $UserName);
            $Delete->execute();
            $Confirm = $UserName . ' Deleted';
            header( "refresh:5;url=stratdeleteuser.php" );
        }
        else
        {
            $CheckErr= 'No Matches Found';
        }
    }


    I took care of the latter part for you to implement the OO style as Terminus rightfully suggested

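The same fix carried a step further, as an added example that is not part of the question or the answer: the accepted level names live in one allow-list map, prepare() is checked for false (the cause of the "on boolean" fatal error), and the existence check and the delete collapse into one prepared statement whose affected_rows tells whether anything matched. It assumes a mysqli connection in $conn and the question's table layout; the third level name is not given on the page, so it is left as a placeholder.

```php
<?php
// Added example (not the asker's or answerer's code). Assumes $conn is a
// connected mysqli instance and each level table has a UserName column.

// Allow-list: form value => table identifier used in SQL. Anything not listed
// is rejected before it can reach the query string.
const LEVEL_TABLES = [
    'strategic' => 'strategic',
    'tactical'  => 'tactical',
    // 'THIRD_LEVEL_PLACEHOLDER' => 'THIRD_LEVEL_PLACEHOLDER', // name not given on the page
];

function resolveLevelTable(string $level): ?string
{
    // Exact key lookup; returns null for anything outside the allow-list.
    return LEVEL_TABLES[$level] ?? null;
}

function deleteUserFromLevel(mysqli $conn, string $level, string $userName): string
{
    $table = resolveLevelTable($level);
    if ($table === null) {
        return 'Invalid level';
    }

    // The table name is an identifier and cannot be bound with '?', so it is
    // interpolated only after passing the allow-list. The user name is a value
    // and is bound as a parameter.
    $stmt = $conn->prepare("DELETE FROM `$table` WHERE UserName = ?");
    if ($stmt === false) {
        // prepare() returns false on a SQL error; calling bind_param() on that
        // false is exactly the "on boolean" fatal error from the question.
        return 'Prepare failed: ' . $conn->error;
    }
    $stmt->bind_param('s', $userName);
    $stmt->execute();
    // affected_rows replaces the separate SELECT-then-DELETE round trip.
    $deleted = $stmt->affected_rows;
    $stmt->close();

    return $deleted > 0 ? $userName . ' Deleted' : 'No Matches Found';
}

if (isset($_POST['Delete'], $_POST['Level'], $_POST['UserName'])) {
    $Confirm = deleteUserFromLevel($conn, trim($_POST['Level']), trim($_POST['UserName']));
}
```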
