我想知道如果我的代碼實際上是免受SQL注入的保護。我的網站已經注入過,我從來沒有真正理解如何防止它。這裏是我的代碼插入評論:這是SQL注入嗎?
if ($_POST['comment']) {
$comment = strip_tags(nl2br(mysql_real_escape_string($_POST['comment'])));
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO posts (comment, authorid)
VALUES ('$comment', '$uid')";
// use exec() because no results are returned
$conn->exec($sql);
echo '<div style="width: 98%; max-width: 98%; border: 1px solid white; background-color: green; color: white; vertical-align: text-top; text-align: center;">Your comment was added to the wall!</div><br>';
}
我建立他們的樂趣。我只是一名高中生 –
mysql_real_escape_string和PDO?!? – 2016-03-02 23:24:57
是的,這是可能的。看到這:http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string – Harsh