插入數據庫與注入攻擊保護

Question

請幫助我，我嘗試插入數據庫與注入攻擊保護，我發現了一些w3schools的例子，但它不適用於我。連接是正確的，並工作。由於我是SQL和編程方面的新手，我不知道那個Insert有什麼問題。請，任何人都可以幫忙嗎？非常感謝。

我插入PHP：

<?php 

$servername = "localhost"; 
$username = "root"; 
$password = ""; 
$dbname = "dbname"; 

// Create connection 
$conn = new mysqli($servername, $username, $password, $dbname); 
if ($conn->connect_error) { 
    die("Connection failed: " . $conn->connect_error); 
} 
echo "<p>Connected successfully</p>"; 

$From = $_GET['From']; 
$To = $_GET['To']; 
$Type = $_GET['Type']; 
$text = $_GET['text']; 


$stmt = $conn->prepare("INSERT INTO orders (from_lang, to_lang, tex) 
VALUES (:fr, :to, :tex)"); 

$stmt->bindParam(':fr', $From); 
$stmt->bindParam(':to', $To); 
$stmt->bindParam(':tex', $text); 
$stmt->execute(); 


?> 

Answer 1

你混合數據庫的API。如果你想使用的MySQLi你的代碼應該是這樣的：

<?php 

$servername = "localhost"; 
$username = "root"; 
$password = ""; 
$dbname = "dbname"; 

// Create connection 
$conn = new mysqli($servername, $username, $password, $dbname); 
if ($conn->connect_error) { 
    die("Connection failed: " . $conn->connect_error); 
} 
echo "<p>Connected successfully</p>"; 

$From = $_GET['From']; 
$To = $_GET['To']; 
$Type = $_GET['Type']; 
$text = $_GET['text']; 


$stmt = $conn->prepare("INSERT INTO orders (from_lang, to_lang, tex) 
VALUES (?,?,?)"); 
$stmt->bind_param('sss', $From,$To,$text); 
$stmt->execute(); 


?> 

通知我已經改變了佔位符，每個參數?後轉爲bind_param()函數，其中，而不是單獨調用每個參數（這你可以做）我使用了一個函數調用，其中我指定type of variable to be inserted，然後爲每個佔位符指定一個變量。