在這塊代碼中,我把mysqli_real_escape_string()放在哪裏?PHP和MySQL表格提交
或者,如果您有更好的方式來編寫整個區塊,我很樂意聽到。
<?php
$title = ($_POST["title"]);
$date = ($_POST["date"]);
$content = ($_POST["content"]);
$query = "INSERT INTO months (";
$query .= " title, date, content ";
$query .= ") VALUES (";
$query .= " '{$title}', '{$date}', '{$content}' ";
$query .= ")";
mysqli_query($connection, $query); ?>
這將是最好用準備好的發言。
$stmt = mysqli_prepare($connection, "INSERT INTO months (title, date, content)
VALUES(?, ?, ?)");
mysqli_stmt_bind_param($stmt, "sss", $title, $date, $content);
$title = $_POST["title"];
$date = $_POST["date"];
$content = $_POST["content"];
mysqli_stmt_execute($stmt);
當使用轉義函數和字符串連接時,可能仍然存在sql注入的情況。 Prepared Statements的工作方式不同,因此它們可以防止sql注入。 https://stackoverflow.com/a/60496/3595565
試試這個:
$title = mysqli_real_escape_string($_POST["title"]);
$date = mysqli_real_escape_string($_POST["date"]);
$content = mysqli_real_escape_string($_POST["content"]);
謝謝菲利普 – benjiman