PHP TO MySQL secured with MySQLi and hyperlink redirect not working once submitted
Problem description
I had a Freelancer work on a site for me and he could not finish my project, which should have been easy for him, and I need to get this fully running to be ready by morning.
This is my PHP code, which I had to create in a hurry:
<?php
// Connect to the MySQL server (the closing parenthesis was missing in the posted code)
$con = mysqli_connect('localhost', 'dbuser', 'password');
if (!$con)
{
echo 'Not Connected To Server';
}
if (!mysqli_select_db($con, 'DBName'))
{
echo 'Database Not Selected';
}
// Form values are taken straight from $_POST without any validation or escaping
$UserN = $_POST['UserN'];
$FullN = $_POST['FullN'];
$Adrs = $_POST['Adrs'];
$Email = $_POST['Email'];
$PhoneN = $_POST['PhoneN'];
// The raw values are interpolated directly into the SQL string
$sql = "INSERT INTO UserIn (UserN, FullN, Adrs, Email, PhoneN) VALUES ('$UserN', '$FullN', '$Adrs', '$Email', '$PhoneN')";
if (!mysqli_query($con, $sql))
{
echo 'Not Inserted';
}
else
{
echo 'Inserted';
}
// header() is called after output has been echoed; it only takes effect if output buffering is enabled
header("refresh:2; url=survey.html");
?>
That is the PHP.
This is my form:
<div class="form-con">
<form action="insert.php" method="post">
<label>Username</label><br>
<input type="text" name="UserN" placeholder="Your Username" ><br>
<label>Full Name</label><br>
<input type="text" name="FullN" placeholder="Full Name"><br>
<label>Full Address</label><br>
<textarea type="text" rows="4" cols="50" name="Adrs" placeholder="Address"></textarea><br>
<label>Email Address</label><br>
<input type="email" name="Email" placeholder="Email Address"><br>
<label>Phone Number</label><br>
<input type="text" name="PhoneN" placeholder="Phone Number"><br>
<div class="btn">
<a href="survey.html"><button type="submit">Submit</button></a>
</div>
</form>
</div>
Please help me. I also want to secure the form with
Using MySQLi (for MySQL):
$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
// do something with $row
}
From here
https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1
please help.
New PHP
<?php
// $host, $dbname, $user and $pass are assumed to be defined earlier in the script
$dbh = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
// With a prepared statement the values are bound as parameters, so
// mysqli_real_escape_string() (which needs a mysqli link, not this PDO handle) is not required
$UserN = $_POST['UserN'];
$FullN = $_POST['FullN'];
$Adrs = $_POST['Adrs'];
$Email = $_POST['Email'];
$PhoneN = $_POST['PhoneN'];
$stmt = $dbh->prepare("INSERT INTO UserIn (UserN, FullN, Adrs, Email, PhoneN) VALUES (?, ?, ?, ?, ?)"); // Insert query with placeholders
$stmt->execute([$UserN, $FullN, $Adrs, $Email, $PhoneN]); // PDOStatement::execute() takes the values as one array
header("refresh:1; url=survey.html");
?>
Recommended answer
You can do 2 things to secure from SQL-injection-
1) use $UserN = mysqli_real_escape_string($con, $_POST['UserN']); instead of
$UserN = $_POST['UserN'];
2) for connecting to MySql, use PDO like so-
$dbh = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
Then the Insert query $sql = "INSERT INTO UserIn (UserN, FullN, Adrs, Email, PhoneN) VALUES ('$UserN', '$FullN', '$Adrs', '$Email', '$PhoneN')";
becomes-
$stmt = $dbh->prepare("INSERT INTO UserIn (UserN, FullN, Adrs, Email, PhoneN) VALUES (?,?,?,?,?)"); //Insert query
$stmt->execute([$UserN, $FullN, $Adrs, $Email, $PhoneN]); // execute() takes the bound values as a single array
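For comparison, here is a complete insert.php written with mysqli prepared statements, the API the question itself quotes. This is an added example, not code from the question or the answer; the host, credentials and database name are placeholders, and it redirects with a Location header before producing any output so the redirect is not lost to "headers already sent".

```php
<?php
// insert.php: added example, not the original post's or the answer's code.
// Uses mysqli prepared statements so the POSTed values are bound as data
// and never concatenated into the SQL text.
// Host, credentials and database name below are placeholders (assumptions).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

$fields = ['UserN', 'FullN', 'Adrs', 'Email', 'PhoneN'];
$values = [];
foreach ($fields as $f) {
    // Only accept the expected fields; trim whitespace and cap the length.
    $values[$f] = substr(trim((string)($_POST[$f] ?? '')), 0, 255);
}
if ($values['UserN'] === '' || !filter_var($values['Email'], FILTER_VALIDATE_EMAIL)) {
    http_response_code(400);
    exit('Username and a valid e-mail address are required.');
}

try {
    $con = new mysqli('localhost', 'dbuser', 'password', 'DBName');
    $con->set_charset('utf8mb4');

    // Placeholders instead of interpolated strings: table and column names are
    // fixed in the query text, only the values travel as parameters.
    $stmt = $con->prepare(
        'INSERT INTO UserIn (UserN, FullN, Adrs, Email, PhoneN) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssss',
        $values['UserN'], $values['FullN'], $values['Adrs'],
        $values['Email'], $values['PhoneN']);
    $stmt->execute();
    $stmt->close();
    $con->close();
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; never echo driver errors to the browser.
    error_log('insert.php: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save your details.');
}

// No output has been sent on the success path, so the redirect header is honoured.
header('Location: survey.html', true, 303);
exit;
```

With this script the form's submit button needs no surrounding hyperlink: the server answers the POST with the redirect to survey.html itself.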