我已经构建了一个数据表单,它在发布时运行一个小脚本。它有一个间歇性错误。该脚本应该将条目记录到数据库中,否则就会死亡,然后发送一封包含详细信息的电子邮件。我收到了100%的电子邮件,但只有大约90%的条目真正记录到了数据库中。有人能在这里发现问题、改进或建议吗?谢谢-
$name=$_POST[name];
$email=$_POST[email];
$state=$_POST[state];
$phone=$_POST[phone];
$comments=$_POST[comments];
$today = date("F j, Y, g:i a");
include("config.php");
$link = mysqli_connect("$db_host" , "$db_user" , "$db_password" , "$db") or die();
mysqli_select_db($link, $db) or die();
mysqli_query($link,"INSERT INTO form (name,email,state,phone,comments,date)
VALUES ('$name','$email','$state','$phone','$comments','$today')");
$Body= " 'n";
$Body .= "Contact Request From my_site.com'n'n";
$Body .= "Name: $name'n";
$Body .= "Email: $email'n";
$Body .= "State: $state'n";
$Body .= "Telephone: $phone'n";
$Body .= "Comments: $comments'n";
$Body .= "'n";
mail ("my_email@my_site.com", "Contact Request From my_site.com", $Body, "From: $email");
header("Location: https://www.my_site.com/thank-you/");
die();
已解决!
POST值未作为字符串转义。任何包含一个"引号"的值都会结束SQL参数并引发SQL错误,并且实际上打开了一个漏洞(即SQL注入)。
修复:
$name=$_POST[name];
$email=$_POST[email];
$state=$_POST[state];
$phone=$_POST[phone];
$comments=$_POST[comments];
$today = date("F j, Y, g:i a");
include("config.php");
$link = mysqli_connect("$db_host" , "$db_user" , "$db_password" , "$db") or die();
mysqli_select_db($link, $db) or die();
$name=mysqli_real_escape_string($link, $name);
$email=mysqli_real_escape_string($link, $email) ;
$state=mysqli_real_escape_string($link, $state) ;
$phone=mysqli_real_escape_string($link, $phone) ;
$comments=mysqli_real_escape_string($link, $comments);