mysqli_real_escape_string是否足以阻止SQL注入? [重复]

This question already has an answer here:

I have the following php script to insert a form user input data into the database. Is mysqli_real_escape_string enough to prevent SQL injection if I don't wish to use prepared statements to bind parameters to "?" placeholder?

   <?php
   $link = mysqli_connect("localhost", "root", "", "bizcontact");

   $name = mysqli_real_escape_string($link, $_POST['name']);
   $company = mysqli_real_escape_string($link, $_POST['company']);
   $position = mysqli_real_escape_string($link, $_POST['position']);
   $contact = mysqli_real_escape_string($link, $_POST['contact']);
   $email = mysqli_real_escape_string($link, $_POST['email']);
   $gender = mysqli_real_escape_string($link, $_POST['gender']);

   /* check connection */
   if (mysqli_connect_errno()) {
   printf("Connect failed: %s
", mysqli_connect_error());
   exit();
   }

   $sql = "INSERT INTO businesscontact(name, company, position, phone,  email, gender) VALUES('$name', '$company', '$position', '$contact', '$email',  '$gender')";
   if (mysqli_query($link, $sql)){
   echo "success";
   }else{
   echo(mysqli_error($link));
   };

   /* close connection */
   mysqli_close($link);
   ?>

UPDATE

    $stmt = $link->prepare("INSERT INTO businesscontact(name, company, position, phone, email, gender) VALUES(?,?,?,?,?,?)");
    $stmt-> bind_param("ssssss", $name, $company, $position, $contact,  $email, $gender);
    if($stmt->execute()){
    echo "success";
   }else{
    echo(mysqli_error($link));
   }
</div>
php
doqrjrc95405
doqrjrc95405 关于查询本身是可以的,但是您可以通过防止错误文本泄露给黑客来提高安全性。
3 年多之前 回复
dpbrrczhlwbv849228
dpbrrczhlwbv849228 我上面更新的准备好的陈述会更好吗?或者我如何改进它以使其更安全?
3 年多之前 回复
doumen9709
doumen9709 真棒@Machavity。我不知道。
3 年多之前 回复
dongxinche1264
dongxinche1264 现在可以添加多个欺骗原因。我补充说,Q作为第二次欺骗
3 年多之前 回复
doutan2228
doutan2228 逃避字符串是不安全的。看一下这个。
3 年多之前 回复
Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问
相关内容推荐