我的数据库最近遭受了sql注入攻击,主要是因为我对编程比较陌生,不知道这样的事情。我一直在努力学习如何防止他们,但我不知道如何为这个脚本。我确实有另一种类型的脚本,我成功地实现了。如何使用此脚本防止sql注入攻击?
<?php
$autor = $_GET["multi"];
$autop = $_GET["multis"];
$sql = "UPDATE autoj SET autob = '$autop' WHERE autoq = '$autor'";
$hd = "something";
$dd = $_GET['something'];
$ud = "something";
$pd = "something";
$mysqli = new mysqli($hd, $ud, $pd, $dd);
if (mysqli_connect_errno()) {
printf("Connect failed: %s'n", mysqli_connect_error());
exit();
}
$result = $mysqli->query($sql);
if ($result) {
....
如何使用此脚本防止sql注入攻击?
和其他的完全一样
试试这个:
$hd = "something";
$dd = "PUT SOMETHING HERE";
$ud = "something";
$pd = "something";
$mysqli = new mysqli($hd, $ud, $pd, $dd);
if (mysqli_connect_errno()) {
printf("Connect failed: %s'n", mysqli_connect_error());
exit();
}
$autor = $_GET["multi"];
$autop = $_GET["multis"];
$autor = $mysqli->real_escape_string($autor);
$autop = $mysqli->real_escape_string($autop);
$sql = "UPDATE autoj SET autob = '$autop' WHERE autoq = '$autor'";
另外,在第二行,我看到您使用了$_GET['something']来选择数据库。没有。
使用mysqli_real_escape_stringhttp://php.net/manual/en/mysqli.real-escape-string.php