1
做下面这段代码面临SQL注入问题?如果是的话,为什么和可以改变以防止它呢?sql适当的语法
$sql2 = "UPDATE Candidates SET ".$row['Field']."= '$_POST[$tempname]' WHERE ID='".$_GET["id"]."'";
$result2 = mysqli_query($con,$sql2);
if ($con->query($sql2) === TRUE) {
if($_POST['Status']=="Employed"){
$sql3 = "INSERT INTO Employees (AFNumber, CID, Status, Name, DateOfBirth,DateOfEmployment)
VALUES ('".$_POST['AFNumber']."', '".$_POST['ID']."', 'Employed', '".$_POST['FullNameEng']."','".$_POST['DoBasID']."', '".date('d/m/Y')."')";
$result3 = mysqli_query($con,$sql3);
if ($con->query($sql3) === TRUE) {
}else {
echo "Error: " . $sql3 . "<br>" . $con->error;}
echo '<script>swal("Error", "Something went wrong '.$con->error.'", "error");</script>';
}
} else {
echo "Error: " . $sql2 . "<br>" . $con->error;
echo '<script>swal("Error", "Something went wrong '.$con->error.'", "error");</script>';
}
只是一个提示 - 太使它更安全,你应该做的验证你正在插入的'values'。例如,确保你的ID只是一个数字。如果你需要使用正则表达式。 – James111
是的。 PHP的mysqli_ API的优点是它允许准备好的语句,所以看看这些。 – Strawberry