使MySQL数据库插入查询安全（串）

Question

可能重复：
Practises for getting information from $_GET/$_POST and saving it to a database?

只是想知道究竟我应该看出来的有关于安全的MySQL数据库插入用户输入字符串。

目前我所做的全部是mysql_real_escape_string($string)，对于我希望放入数据库的每个$ _GET或$ _POST输入。这很酷吗？我还需要做什么？

Answer 1

$stmt = mysqli_prepare($con,"INSERT INTO friend_request (ToUID, FromUID) VALUES (?,?)"); 
mysqli_stmt_bind_param($stmt, "ii", $fid, $uid); //i-> Integer, S -> string 
mysqli_stmt_execute($stmt); 
if (mysqli_stmt_affected_rows($stmt)) 
echo 'Request Sent'; 
else 
echo 'Something went wrong !'; 

Answer 2

这是我的过程：

 
//check to see if the request came from your server or not 
$server = substr($_SERVER[HTTP_REFERER],0,LENGTH OF INCOMING PAGE); 
$prevPage = ""; //the incoming page 
if ($server != $prevPage) { 
    header("Location: $prevPage"); 
    exit; 
} else { 
    //pull and sanitize the data 
    include('link.php'); //include the link to your database 
    $var = $link->mysql_real_escape_string($_POST['data']); 

    //check for null values in required fields 

    //run the data through a regular expression check 

    //then store the information 

有这么多你可以做，以验证所输入的数据。