-6
<?php
$connect = mysqli_connect('localhost', 'root', 'samagulf', 'wordpress');
$input = filter_input_array(INPUT_POST);
$country = mysqli_real_escape_string($connect, $input["country"]);
$city = mysqli_real_escape_string($connect, $input["city"]);
$for = mysqli_real_escape_string($connect, $input["for"]);
$title = mysqli_real_escape_string($connect, $input["title"]);
$details = mysqli_real_escape_string($connect, $input["details"]);
$price = mysqli_real_escape_string($connect, $input["price"]);
$email = mysqli_real_escape_string($connect, $input["email"]);
$phone = mysqli_real_escape_string($connect, $input["phone"]);
$photo = mysqli_real_escape_string($connect, $input["photo"]);
if($input["action"] === 'edit') {
$query = "UPDATE wp_wpdatatable_1
SET country=' " . $country . " ',city=' " . $city . " ',for=' " . $for . " ',title='
" . $title . " ',details=' " . $details . " ',price=' " . $price . " ',email='
" . $email . "
',phone=' " . $phone . " ',photo=' " . $photo . " '
where wdt_ID=' " . $input["wdt_ID"] . " ' ";
mysqli_query($connect, $query);
}
if($input["action"] === 'delete') {
$query = "DELETE FROM wp_wpdatatable_1
where wdt_ID=' " . $input["wdt_ID"] . " ' ";
mysqli_query($connect, $query);
}
echo json_encode($input);
?>
您可以廣泛開放SQL注入。由於您使用的是mysqli,請利用[prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php)和[bind_param](http://php.net/手動/ EN/mysqli的-stmt.bind-param.php)。 – aynber
這裏沒有什麼能完美的工作。相信我 – Akintunde007
如上所述,使用準備好的語句,我可以看到的其中一個問題將通過該更改得到修復。列名中有多餘的空間。 country ='「。$ country。」',city ='「。$ city。」'。應該是country ='「。$ country。」',city ='「。$ city。」'。然後當然所有的變量都需要被轉義以防止SQL注入 – Blueline