Protect from injections and right syntax for $_GET method


Problem description

So, I am trying to use the GET method while protecting from injections. I'm trying to get data from the database and echo it out to a page. I think it's pretty obvious what I'm trying to do with the code below, but I need help with using the right syntax.

Can someone show me the right syntax for the prepare statement to get data from a database using mysqli that is protected from injections?

I've looked on this site and can't seem to find what I'm looking for, and on the PHP site I couldn't find an up-to-date method. Thanks for all the help.

<?php
$mysqli = new mysqli("", "", "", "");
if ($mysqli->connect_error) {
    echo "Failed to connect to MySQL: (" . $mysqli->connect_error . ") " . $mysqli->connect_error;
}

$stmt = $mysqli->stmt_init();

if($stmt->prepare("SELECT 'name,name' FROM 'table' WHERE 'name, name' = ?,?")) {
}

if (!$stmt->bind_param('si', $_GET['name'], $_GET['name'])); {
    echo "Binding parameters failed: (" . $stmt->error . ") " . $stmt->error;
}

if (!$stmt->execute()) {
    echo "Execute failed: (" . $stmt->error . ") " . $stmt->error;
}

if (!$stmt->fetch()); {
    echo "Binding parameters failed: (" . $stmt->error . ") " . $stmt->error;
}

$stmt->close();
?>

Recommended answer

Your SQL is wrong:

if($stmt->prepare("SELECT 'name,name' FROM 'table' WHERE 'name, name' = ?,?")) {

must be

if($stmt->prepare("SELECT name, name FROM table WHERE name=? AND name=? ")) {

I doubled the name only because of the question.

The following is clearer:

if($stmt->prepare("SELECT astring, ainteger FROM table WHERE astring=? AND ainteger=? ")) 
{
if (!$stmt->bind_param('si', $_GET['astring'], $_GET['ainteger'])) {

Take some time to write the question carefully. If two variables are used, then designate different ones; everything else is just confusing.

Update:

  • Before you use bind_param()
  • You have to test all $_GET["xx"].

if (isset($_GET['name']))

  • When you call a function, it is terminated with ;, for example:

if (!$stmt->bind_param('si', $_GET['name'], $_GET['name'])); {

Then the curly braces are useless, no matter whether the if is true or false!

The code following if (!$stmt->bind_param(...)); will always be executed, because the command is finished.

if (!$stmt->bind_param('si', $_GET['name'], $_GET['name'])); {
    echo "Binding parameters failed: (" . $stmt->error . ") " . $stmt->error;
}

It took a long time until I found this error. It is easily overlooked.

This is why you always get your own error message.
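A complete version of the flow the answer describes, as an added example that is not part of the original question or answer: $_GET is checked before bind_param(), the stray ; after the if conditions is gone, and the rows are read with bind_result()/fetch(). The connection details and the table name mytable are assumptions.

```php
<?php
// Added example, not the question's or the answer's own code.
// Connection details and the table name are assumed placeholders.
$mysqli = new mysqli("localhost", "dbuser", "dbpassword", "dbname");
if ($mysqli->connect_error) {
    die("Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error);
}

// Test all $_GET values BEFORE bind_param(): both must exist, and the one
// bound with 'i' must really be an integer.
if (!isset($_GET['astring'], $_GET['ainteger'])) {
    die("Missing parameters astring and/or ainteger");
}
$astring  = $_GET['astring'];
$ainteger = filter_var($_GET['ainteger'], FILTER_VALIDATE_INT);
if ($ainteger === false) {
    die("ainteger must be an integer");
}

// Only values are placeholders; table and column names cannot be bound
// and must never come from user input.
$sql  = "SELECT astring, ainteger FROM mytable WHERE astring = ? AND ainteger = ?";
$stmt = $mysqli->prepare($sql);
if ($stmt === false) {
    die("Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error);
}

// No ';' after the closing parenthesis, so the braces belong to this if.
if (!$stmt->bind_param('si', $astring, $ainteger)) {
    die("Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error);
}

if (!$stmt->execute()) {
    die("Execute failed: (" . $stmt->errno . ") " . $stmt->error);
}

// Bind the result columns and loop; fetch() returns null when no rows remain.
$stmt->bind_result($rowString, $rowInteger);
while ($stmt->fetch()) {
    // Escape on output so the echoed data cannot inject HTML into the page.
    echo htmlspecialchars($rowString, ENT_QUOTES, 'UTF-8') . " - " . (int) $rowInteger . "<br>\n";
}

$stmt->close();
$mysqli->close();
```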
