我正在创建一个cms,但我不知道如何编写代码,以获得从sql注入保存,让我知道,如果有sql注入漏洞在我的代码。
if(isset($_POST['cout'])){
$servername = "localhost";
$username = "root";
$password = "";
$db = "bangla";
$con = new mysqli($servername, $username, $password, $db);
mysqli_query($con, "SET CHARACTER SET utf8");
mysqli_query($con, "SET SESSION collation collation='utf8_general_ci'");
$id = NULL;
$name = $_POST['name'];
$name = strip_tags($name);
$name = htmlentities($name);
$name = mysqli_real_escape_string($con, $name);
$distrct = $_POST['distrct'];
$distrct = strip_tags($distrct);
$distrct = htmlentities($distrct);
$distrct = mysqli_real_escape_string($con, $distrct);
$division = $_POST['division'];
$distrct = strip_tags($division);
$distrct = htmlentities($division);
$distrct = mysqli_real_escape_string($con, $division);
$stmt = $con->prepare("INSERT INTO couts (id, name, distrct, division) VALUES( ?,?,?,?)");
$stmt->bind_param('ssss', $id, $name, $distrct, $division);
if($stmt->execute()){
echo "New record created successfully";
}
}
1条答案
按热度按时间qqrboqgw1#
你不需要
strip_tags()
.你不需要
htmlentities()
.你不需要
mysqli_real_escape_string()
.只需使用查询参数。