Regular user 2017-03-09 15:54
Views 167

Is mysqli_real_escape_string enough to prevent SQL injection? [duplicate]

This question already has an answer here:

I have the following php script to insert a form user input data into the database. Is mysqli_real_escape_string enough to prevent SQL injection if I don't wish to use prepared statements to bind parameters to "?" placeholder?

   <?php
   $link = mysqli_connect("localhost", "root", "", "bizcontact");

   /* check connection before $link is used for anything else */
   if (mysqli_connect_errno()) {
       printf("Connect failed: %s\n", mysqli_connect_error());
       exit();
   }

   /* escape each value for use inside a single-quoted string literal */
   $name = mysqli_real_escape_string($link, $_POST['name']);
   $company = mysqli_real_escape_string($link, $_POST['company']);
   $position = mysqli_real_escape_string($link, $_POST['position']);
   $contact = mysqli_real_escape_string($link, $_POST['contact']);
   $email = mysqli_real_escape_string($link, $_POST['email']);
   $gender = mysqli_real_escape_string($link, $_POST['gender']);

   $sql = "INSERT INTO businesscontact(name, company, position, phone, email, gender) VALUES('$name', '$company', '$position', '$contact', '$email', '$gender')";
   if (mysqli_query($link, $sql)) {
       echo "success";
   } else {
       echo(mysqli_error($link));
   }

   /* close connection */
   mysqli_close($link);
   ?>

UPDATE

    $stmt = $link->prepare("INSERT INTO businesscontact(name, company, position, phone, email, gender) VALUES(?,?,?,?,?,?)");
    if ($stmt === false) {
        /* prepare() returns false on failure, e.g. a SQL syntax error */
        echo(mysqli_error($link));
        exit();
    }
    $stmt->bind_param("ssssss", $name, $company, $position, $contact, $email, $gender);
    if ($stmt->execute()) {
        echo "success";
    } else {
        /* statement errors are reported on the statement, not the connection */
        echo($stmt->error);
    }
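An added example, not code from the original question, showing the same INSERT done with bound parameters plus the one context where escaping on its own is not sufficient: a value that is not inside a quoted string literal. The table and column names come from the question; the credentials, the numeric `id` column and the sample input are assumptions.

```php
<?php
// Added example, not code from the original post. Table and column names and
// the "bizcontact" database come from the question; the credentials, the
// numeric "id" column and the sample input are assumptions for illustration.

// Turn mysqli failures into exceptions so no call is silently unchecked.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$link = new mysqli("localhost", "app_user", "app_password", "bizcontact");

// Escaping depends on the connection charset; binding does not, but set it anyway.
$link->set_charset("utf8mb4");

// Every value is bound as a typed parameter and never becomes part of the SQL
// text, so quotes and backslashes in the input are stored as data.
function insert_contact(mysqli $link, array $row): int
{
    $stmt = $link->prepare(
        "INSERT INTO businesscontact (name, company, position, phone, email, gender)
         VALUES (?, ?, ?, ?, ?, ?)"
    );
    $stmt->bind_param(
        "ssssss",
        $row['name'], $row['company'], $row['position'],
        $row['contact'], $row['email'], $row['gender']
    );
    $stmt->execute();
    return $stmt->affected_rows;
}

// The case escaping alone does not cover: mysqli_real_escape_string() only
// protects a value placed inside a quoted string literal. An unquoted number
// in WHERE id = $id stays injectable no matter how it is escaped; binding it
// with type "i" makes the server treat it strictly as an integer.
function find_contact(mysqli $link, int $id): ?array
{
    $stmt = $link->prepare("SELECT name, email FROM businesscontact WHERE id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Constructed sample input standing in for $_POST; the apostrophe would break
// a naive concatenated query but is harmless here.
$sample = ['name' => "O'Brien", 'company' => 'Acme Ltd', 'position' => 'CTO',
           'contact' => '555-0100', 'email' => 'ob@example.com', 'gender' => 'F'];
echo insert_contact($link, $sample) === 1 ? "success\n" : "no row inserted\n";
```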

0 answers
