我的代码易受sql注入攻击吗?

4ngedf3f  于 2021-06-23  发布在  Mysql
关注(0)|答案(1)|浏览(375)

我正在创建一个cms,但我不知道如何编写代码,以获得从sql注入保存,让我知道,如果有sql注入漏洞在我的代码。

if(isset($_POST['cout'])){

        $servername = "localhost";
        $username = "root";
        $password = "";
        $db = "bangla";
        $con = new mysqli($servername, $username, $password, $db);
        mysqli_query($con, "SET CHARACTER SET utf8");
        mysqli_query($con, "SET SESSION collation collation='utf8_general_ci'");

        $id = NULL;

        $name = $_POST['name'];
        $name = strip_tags($name);
        $name = htmlentities($name);
        $name = mysqli_real_escape_string($con, $name);

        $distrct = $_POST['distrct'];
        $distrct = strip_tags($distrct);
        $distrct = htmlentities($distrct);
        $distrct = mysqli_real_escape_string($con, $distrct);

        $division = $_POST['division'];
        $distrct = strip_tags($division);
        $distrct = htmlentities($division);
        $distrct = mysqli_real_escape_string($con, $division);

        $stmt = $con->prepare("INSERT INTO couts (id, name, distrct, division) VALUES( ?,?,?,?)");
        $stmt->bind_param('ssss', $id, $name, $distrct, $division);
        if($stmt->execute()){
            echo "New record created successfully";
        }
    }
mysqlmysqlisql-injection

1条答案

按热度按时间
qqrboqgw

qqrboqgw1#

你不需要 strip_tags() .
你不需要 htmlentities() .
你不需要 mysqli_real_escape_string() .
只需使用查询参数。

赞(0)分享  回复(0)举报  2021-06-23
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备2022004421号-2 NULL123 https://www.null123.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com