<?php
//create_cat.php
include 'connect.php';
include 'header.php';
include 'parser.php';
$sql = "SELECT
topic_id,
topic_subject
FROM
topics
WHERE
topics.topic_id = " . mysql_real_escape_string($_GET['id']);
$result = mysql_query($sql);
if(!$result)
{
echo 'The topic could not be displayed, please try again later.';
}
else
//check for sign in status
if(!$_SESSION['signed_in'])
{
echo 'You must be signed in!';
header('Location:signin.php') ;
}
else
{
if(mysql_num_rows($result) == 0)
{
echo 'This topic doesn′t exist.';
}
else
{
while($row = mysql_fetch_assoc($result))
{
//display post data
echo '<table class="topic" border="1">
<tr>
<th colspan="2">' . $row['topic_subject'] . '</th>
</tr>';
//fetch the posts from the database
$posts_sql = "SELECT
posts.post_topic,
posts.post_content,
posts.post_date,
posts.post_by,
users.user_id,
users.user_name
FROM
posts
LEFT JOIN users ON posts.post_by = users.user_id
LEFT JOIN topics ON topics.topic_by = users.user_name
WHERE
posts.post_topic = " . mysql_real_escape_string($_GET['id']);
$posts_result = mysql_query($posts_sql);
if(!$posts_result)
{
echo '<tr><td>The posts could not be displayed, please try again later.</tr></td></table>';
}
else
{
$parser = new parser; // start up Recruiting Parsers
while($posts_row = mysql_fetch_assoc($posts_result))
{
// parsesBBCode
$parsed = $parser->p($posts_row['post_content']);
echo '<tr class="topic-post">
<td class="user-post">' . $posts_row['user_name'] . '<br/>' . date('d-m-Y H:i', strtotime($posts_row['post_date'])) . '</td>
<td class="post-content">' . $parsed. '</td>
</tr>';
}
}
if(!$_SESSION['signed_in'])
{
echo '<tr><td colspan=2>You must be <a href="signin.php">signed in</a> to reply. You can also <a href="signup.php">sign up</a> for an account.';
}
else
{
//show reply box
echo '<tr><td colspan="2"><h2>Reply:</h2><br />
<form method="post" action="reply.php?id=' . $row['topic_id'] . '">
<textarea name="reply-content"></textarea><br /><br />
<input type="submit" value="Submit reply" />
</form></td></tr>';
}
//finish the table
echo '</table>';
}
}
}
include 'footer.php';
?>
基於錯誤的SQL注入工作在我的代碼,我無法揣摩出我的錯誤是在我的意思是一切運作正常,但我的代碼是脆弱的肯定。我可以在此代碼中使用哪些更好的實踐來保護它。這是一個簡單的論壇腳本,我正致力於使用MySQL精簡php。PHP MYSQL不安全錯誤的注塑
哇多數民衆贊成在很多SQL注入。 – rook