dpt8910 2015-11-07 21:19
Views: 39
Accepted

Call to a member function bind_param() on boolean [duplicate]

This question already has an answer here:

I am currently working through my code and trying to implement measures to protect from SQL injections. My other pages work fine however this page is a little different.

The user is to determine which table they are to delete from; this is done by using the $Level variable (don't worry, this is restricted to three). It worked with the old vulnerable method but doesn't now. Any ideas?

if (isset($_POST['Delete']))
{
    $Level = trim($_POST['Level']);
    $UserName = trim($_POST['UserName']);
    //----------------Check if Exists------------------//
    // A "?" placeholder can only stand for a value, not a table name, so this
    // prepare() fails and returns false; the next line then calls bind_param()
    // on that boolean, which is the error in the title.
    $Check = $conn->prepare("SELECT * FROM ? WHERE UserName = ?");
    $Check->bind_param('ss', $Level, $UserName);
    $Check->execute();
    $result = $Check->get_result();
    $count = $result->num_rows;
    if ($count > 0)
    {
        $Confirm = $UserName . ' Deleted';
        //----------------Delete SQL-------------------//
        // Still the old string-interpolated query (the original passed an
        // undefined $sql to mysqli_query; the query string is now assigned to it).
        $sql = "DELETE FROM $Level WHERE UserName = '$UserName'";
        $Delete = mysqli_query($conn, $sql);
        header("refresh:5;url=stratdeleteuser.php");
    }
    else
    {
        $Confirm = 'No Matches Found';
    }
}


1 answer

  • doubishi8303 2015-11-07 22:48

    An if statement would suffice to protect the user input.

    // Only a fixed set of table names is accepted, so $Level can be interpolated
    // safely; the UserName value is still bound as a parameter.
    if ($Level == 'strategic' || $Level == 'tactical')
    {
        //----------------Check if Exists------------------//
        $Check = $conn->prepare("SELECT * FROM $Level WHERE UserName = ?");
        $Check->bind_param('s', $UserName);
        $Check->execute();
        $result = $Check->get_result();
        $count = $result->num_rows;
        if ($count > 0)
        {
            //----------------Delete SQL-------------------//
            $Delete = $conn->prepare("DELETE FROM $Level WHERE UserName = ?");
            $Delete->bind_param('s', $UserName);
            $Delete->execute();
            $Confirm = $UserName . ' Deleted';
            header("refresh:5;url=stratdeleteuser.php");
        }
        else
        {
            $CheckErr = 'No Matches Found';
        }
    }


    I took care of the latter part for you to implement the OO style as Terminus rightfully suggested.

    This answer was selected as the best answer by the asker.
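The following is an added example, not code from the asker or the answerer. It puts together the two points on this page: prepare() returns false when a placeholder is used where an identifier belongs (so its result has to be checked before bind_param()), and a user-chosen table name has to be validated against an allowlist rather than bound. It assumes a mysqli connection in $conn, the UserName column from the question, and a third level named 'operational' (the page names only two of the three tables; that name is an assumption).

```php
<?php
// Added example; assumes $conn is an open mysqli connection.

// Allowlist of the tables a "level" may map to. A table name is an
// identifier, so it can never be a "?" placeholder; instead the user's
// input selects one of these fixed strings.
const LEVEL_TABLES = [
    'strategic'   => 'strategic',
    'tactical'    => 'tactical',
    'operational' => 'operational', // third level is assumed, not from the page
];

// Returns the table for a level, or null if the level is not on the allowlist.
function tableForLevel(string $level): ?string
{
    $key = strtolower(trim($level));
    return LEVEL_TABLES[$key] ?? null;
}

// Deletes one user from the table chosen by $level and returns a status message.
function deleteUser(mysqli $conn, string $level, string $userName): string
{
    $table = tableForLevel($level);
    if ($table === null) {
        return 'Invalid level';
    }

    //----------------Check if Exists------------------//
    // $table comes from the allowlist, so interpolating it is safe; the value
    // is bound. prepare() is checked instead of assumed to succeed.
    $check = $conn->prepare("SELECT COUNT(*) FROM `$table` WHERE UserName = ?");
    if ($check === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $check->bind_param('s', $userName);
    $check->execute();
    $check->bind_result($count);
    $check->fetch();
    $check->close();

    if ($count === 0) {
        return 'No Matches Found';
    }

    //----------------Delete SQL-------------------//
    $delete = $conn->prepare("DELETE FROM `$table` WHERE UserName = ?");
    if ($delete === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $delete->bind_param('s', $userName);
    $delete->execute();
    $affected = $delete->affected_rows;
    $delete->close();

    return $affected > 0 ? $userName . ' Deleted' : 'No Matches Found';
}

if (isset($_POST['Delete'])) {
    $Confirm = deleteUser($conn, $_POST['Level'] ?? '', $_POST['UserName'] ?? '');
    header('refresh:5;url=stratdeleteuser.php');
}
```

Two practical notes: calling `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` at the top of the script makes a failed prepare() throw `mysqli_sql_exception` instead of returning false, which surfaces the real cause (the bad SQL) rather than the follow-on "on boolean" error. And since `affected_rows` already tells you whether a row was deleted, the existence check can be dropped entirely if the only reason for it is the confirmation message.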
