PHP TO MySQL secured with MySQLi and hyperlink redirect not working once submitted


Problem description

I had a Freelancer work on a site for me and could not finish my project which should have been of ease to him and I need to get this fully running to be ready by morning.

This is my PHP code which I had to create in a hurry

<?php

$con = mysqli_connect('localhost','dbuser','password');

if(!$con)
{
        echo 'Not Connected To Server';
}

if(!mysqli_select_db($con,'DBName'))
{
    echo 'Database Not Selected';
}

$UserN = $_POST['UserN'];
$FullN = $_POST['FullN'];
$Adrs  = $_POST['Adrs'];
$Email = $_POST['Email'];
$PhoneN = $_POST['PhoneN'];

$sql = "INSERT INTO UserIn (UserN, FullN, Adrs, Email, PhoneN) VALUES ('$UserN', '$FullN', '$Adrs', '$Email', '$PhoneN')";

if(!mysqli_query($con,$sql))
{
        echo 'Not Inserted';
}
else
{
    echo 'Inserted';
}

header("refresh:2; url=survey.html");

?>

This is the PHP

This is my form

 <div class="form-con">
         <form actoin="insert.php" method="post">
             <label>Username</label><br>
             <input type="text" name="UserN" placeholder="Your Username" ><br>
             <label>Full Name</label><br>
             <input type="text" name="FullN" placeholder="Full Name"><br>
             <label>Full Address</label><br>
             <textarea type="text" rows="4" cols="50" name="Adrs" placeholder="Address"></textarea><br> 
                  <label>Email Address</label><br>
                  <input type="email" name="Email" placeholder="Email Address"><br>
                  <label>Phone Number</label><br>
                  <input type="text" name="PhoneN" placeholder="Phone Number"><br>
                   <div class="btn">
                     <a href="survey.html"><button type="submit">Submit</button></a>
                   </div>
         </form>
      </div>

Please help me, I want to also secure the form with

Using MySQLi (for MySQL):
$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name);

$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // do something with $row
}

From here

https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1

please help.

New PHP

<?php

$dbh = new PDO("mysql:host=$host;dbname=$dbname",$user,$pass);

$UserN = mysqli_real_escape_string($con, $_POST['UserN']);
$FullN = mysqli_real_escape_string($con, $_POST['FullN']);
$Adrs = mysqli_real_escape_string($con, $_POST['Adrs']);
$Email = mysqli_real_escape_string($con, $_POST['Email']);
$PhoneN = mysqli_real_escape_string($con, $_POST['PhoneN']);

$stmt = $dbh->prepare("INSERT INTO UserIn (UserN, FullN, Adrs, Email, PhoneN) VALUES ('$UserN','$FullN','$Adrs','$Email','$PhoneN')"); //Insert query
$stmt->execute($UserN, $FullN, $Adrs, $Email, $PhoneN);

header("refresh:1; url=survey.html");

?>


Recommended answer

You can do 2 things to secure from SQL-injection- 

1) use $UserN = mysqli_real_escape_string($con, $_POST['UserN']); instead of 
$UserN = $_POST['UserN'];

2) for connecting to MySQL, use PDO like so-

$dbh = new PDO("mysql:host=$host;dbname=$dbname",$user,$pass);

Then the Insert query
$sql = "INSERT INTO UserIn (UserN, FullN, Adrs, Email, PhoneN) VALUES ('$UserN', '$FullN', '$Adrs', '$Email', '$PhoneN')";
becomes-

$stmt = $dbh->prepare("INSERT INTO UserIn (UserN, FullN, Adrs, Email, PhoneN) VALUES (?,?,?,?,?)");        //Insert query
$stmt->execute([$UserN, $FullN, $Adrs, $Email, $PhoneN]);   // PDOStatement::execute() takes the bound values as one array
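
As an added example (not the asker's or the answerer's code), here is one way insert.php could look using a MySQLi prepared statement, as the question asks, with the redirect sent before any output. The connection values and the UserIn columns are the placeholders from the question. The validation rules and error messages are assumptions, as is the form's `action` attribute pointing at this script.

```php
<?php
// insert.php - added example; connection values are the question's placeholders.

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

// Read the five expected fields; anything missing or non-string becomes ''.
$fields = ['UserN', 'FullN', 'Adrs', 'Email', 'PhoneN'];
$in = [];
foreach ($fields as $f) {
    $v = $_POST[$f] ?? '';
    $in[$f] = is_string($v) ? trim($v) : '';
}

// Minimal validation (assumed rules): every field required, Email well-formed.
if (in_array('', $in, true) || filter_var($in['Email'], FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid input');
}

try {
    $con = new mysqli('localhost', 'dbuser', 'password', 'DBName');
    $con->set_charset('utf8mb4');

    // Placeholders keep the values out of the SQL text, so no manual escaping is needed.
    $stmt = $con->prepare(
        'INSERT INTO UserIn (UserN, FullN, Adrs, Email, PhoneN) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssss', $in['UserN'], $in['FullN'], $in['Adrs'], $in['Email'], $in['PhoneN']);
    $stmt->execute();
} catch (mysqli_sql_exception $e) {
    error_log('insert.php: ' . $e->getMessage()); // log the detail, show none to the client
    http_response_code(500);
    exit('Could not save the form');
}

// Nothing has been echoed yet, so the redirect header can still be sent.
header('Location: survey.html', true, 303);
exit;
```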
