[SQL Server] Incorrect syntax near 'neal' [duplicate]

Time: 2021-07-05 00:59:13

This question already has an answer here:

I'm trying to update a row. But it automatically creates an error because the data in a column contains this: Shaquille O'neal. Or are there any problems? Here's my code:

<?php
if(isset($_POST['editSubmit'])){
    $buildingID       = $_POST['editBuilding'];
    $buildingName     = $_POST['editBuildingName'];
    $buildingProject  = $_POST['editBuildingProject'];
    $buildingFloors   = $_POST['editBuildingFloors'];
    // Values are spliced straight into the SQL text, so a quote inside
    // $buildingName (e.g. "Shaquille O'neal") ends the string literal early.
    $q = "update tblBuilding SET buildingName = '$buildingName', building_projectID = '$buildingProject',
          floorNumber = '$buildingFloors'
          where buildingID = '$buildingID'";
    $query = $db->prepare($q);
    $results = $query->execute();
    echo "<meta http-equiv='refresh' content='0;url=project.php'>";
}
?>

EDITED: Prepared:

<?php
if(isset($_POST['editSubmit'])){
    $buildingID       = $_POST['editBuilding'];
    $buildingName     = $_POST['editBuildingName'];
    $buildingProject  = $_POST['editBuildingProject'];
    $buildingFloors   = $_POST['editBuildingFloors'];

    // Every user-supplied value, buildingID included, is bound as a parameter;
    // the SQL text itself contains no request data.
    $stmt = $db->prepare("update tblBuilding set buildingName = ?, building_projectID = ?, floorNumber = ? where buildingID = ?");

    $stmt->bindParam(1, $buildingName);
    $stmt->bindParam(2, $buildingProject);
    $stmt->bindParam(3, $buildingFloors);
    $stmt->bindParam(4, $buildingID);
    $stmt->execute();

    echo "<meta http-equiv='refresh' content='0;url=project.php'>";
}
?>

3 answers

#1


1  

The real problem is that you're concatenating input data into SQL. This is a no-go: it opens the door wide for SQL injection problems.

Use parameterized queries and your problems should vanish.

#2


0  

I suggest you could print out the query. Most likely it's because you wrap the value $buildingName in single quotes, which pair with the one in Shaquille O'neal and then cause a syntax error in the rest of the query.

#3


-1  

The issue is the apostrophe you have in your data. If you have such data you need to replace every apostrophe with a double apostrophe, something like below:

$value = str_replace("'", "''", $value);

then pass that data as your field value.
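The three answers describe the same failure from different angles: the quote in "Shaquille O'neal" terminates the string literal in a query built by concatenation (#2), doubling apostrophes papers over it (#3), and binding the values as parameters removes the problem entirely (#1). The added example below is not from the original question or answers; it reproduces all three behaviours against an in-memory SQLite table standing in for SQL Server's tblBuilding (the table, its sample row and the input are constructed here; SQLite's error text reads `near "neal": syntax error`, SQL Server phrases it as "Incorrect syntax near 'neal'"). The function names are the example's own.

```python
import sqlite3

# Constructed sample input; the apostrophe is the character that breaks
# the string-built UPDATE in the question.
SAMPLE_NAME = "Shaquille O'neal"


def make_db():
    """In-memory SQLite stand-in for the question's tblBuilding table (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tblBuilding ("
        "buildingID INTEGER PRIMARY KEY, buildingName TEXT, "
        "building_projectID INTEGER, floorNumber INTEGER)"
    )
    db.execute("INSERT INTO tblBuilding VALUES (1, 'Old Name', 1, 1)")
    return db


def current_name(db, building_id):
    """Read back buildingName for one row (parameterized)."""
    row = db.execute(
        "SELECT buildingName FROM tblBuilding WHERE buildingID = ?", (building_id,)
    ).fetchone()
    return row[0] if row else None


def update_by_concatenation(db, building_id, name, project, floors):
    """The question's approach: values spliced into the SQL text.

    Returns the database's error message if the statement fails, else None.
    A quote inside `name` ends the literal early and the parser chokes on
    the leftover 'neal'; any other character the parser cares about would
    change the statement in the same way, which is the injection risk.
    """
    q = (
        f"UPDATE tblBuilding SET buildingName = '{name}', "
        f"building_projectID = '{project}', floorNumber = '{floors}' "
        f"WHERE buildingID = '{building_id}'"
    )
    try:
        db.execute(q)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def update_by_doubling(db, building_id, name, project, floors):
    """Answer #3's workaround: double every apostrophe, then concatenate.

    It survives this input, but every value on every query has to be
    escaped by hand, and only the one column is treated here.
    """
    escaped = name.replace("'", "''")
    return update_by_concatenation(db, building_id, escaped, project, floors)


def update_by_parameters(db, building_id, name, project, floors):
    """Answer #1's fix: fixed SQL text, values travel separately as parameters.

    Returns the stored name so the caller can confirm the row was updated.
    """
    db.execute(
        "UPDATE tblBuilding SET buildingName = ?, building_projectID = ?, "
        "floorNumber = ? WHERE buildingID = ?",
        (name, project, floors, building_id),
    )
    return current_name(db, building_id)


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", update_by_concatenation(db, 1, SAMPLE_NAME, 2, 3))
    print("doubled:     ", update_by_doubling(db, 1, SAMPLE_NAME, 2, 3), current_name(db, 1))
    print("parameters:  ", update_by_parameters(db, 1, SAMPLE_NAME, 2, 3))
```

Running it shows the concatenated statement failing with the `near "neal"` error while the row keeps its old name, and both of the other two variants storing the apostrophe intact. The parameterized version is the one to keep: the database receives the statement shape and the data on separate channels, so no value can alter the statement, and no per-value escaping is needed for buildingID either, which the question's edited code still interpolated directly.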
