Trying to create a mysql injection proof script [closed]

Developer https://www.devze.com 2022-12-21 10:46 Source: web

This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center. Closed 9 years ago.

I'm just a beginner. What's wrong with my code? I'm trying to experiment on this so that the webpages I'm going to create will not be vulnerable to MySQL injections. What's the correct way of doing this:

<?php



$host="localhost";
$username="root";
$password="";
$db_name="testing";
$tbl="hospital";

$connection=mysql_connect($host, $username, $password) or die("cannot connect!");
mysql_select_db($db_name, $connection) or die("cannot select db!");


     $LASTNAME = $_POST[lname];
     $FIRSTNAME = $_POST[fname];



     $FIRSTNAME=(isset($_POST['fname']||trim($_POST['fname'])=="")?die('Error:Enter Firstname!')
                                                                        mysql_escape_string(trim($_POST['fname']));




      $sqlque="INSERT INTO hospital (LASTNAME, FIRSTNAME)
      VALUES ('$LASTNAME',  '$FIRSTNAME')"; 






if (!mysql_query($sqlque,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "<script>alert('Record successfully added!')</script>";



mysql_close($con)


?>

Here's the error, please help, thanks:

Parse error: parse error, expecting `','' or `')'' in C:\wamp\www\sql injection check\aisaction.php on line 20


use prepared statements


There is a missing : after die('Error:Enter Firstname!')


Just an update for anyone who comes across this question. The preferred method now would be to use PDO http://php.net/manual/en/book.pdo.php and prepared statements.

Specifically, the MySQL extension either is no longer, or soon will not be, supported in PHP. PDO is also more portable than MySQL or MySQLi.

$db = new PDO(/*connection info*/);
$sql = "SELECT * FROM tbl WHERE condition1 = :param1 AND condition2 = :param2";

$stmt = $db->prepare($sql);
$stmt->bindValue(":param1", 10);
$stmt->bindValue(":param2", "banana");

$stmt->execute();
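The two answers above ("use prepared statements" and the PDO answer) both say the same thing without showing it applied to the question's INSERT. The following is an added example, not code from the question or from any of the answers. It runs the question's INSERT into hospital (LASTNAME, FIRSTNAME) two ways, the interpolated string from the question and a PDO prepared statement, against an in-memory SQLite database so it runs offline; it assumes the pdo_sqlite extension is loaded, and the sample inputs standing in for $_POST are constructed. For MySQL the only change is the DSN (for example 'mysql:host=localhost;dbname=testing;charset=utf8mb4' with a user and password).

```php
<?php
declare(strict_types=1);
// Added example, not the question's or an answer's code. Uses an in-memory SQLite
// database (assumes pdo_sqlite) so that it is self-contained; swap the DSN for MySQL.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Raise exceptions instead of returning false, so a failed query cannot be ignored.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Ask for real server-side prepares; on MySQL this is what keeps SQL text and values apart.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE hospital (id INTEGER PRIMARY KEY, LASTNAME TEXT NOT NULL, FIRSTNAME TEXT NOT NULL)');
    return $db;
}

// Validation is separate from injection defence: reject a missing or blank field
// up front instead of calling die() in the middle of a ternary.
function requireField(array $post, string $field): string
{
    $value = isset($post[$field]) ? trim((string) $post[$field]) : '';
    if ($value === '') {
        throw new InvalidArgumentException("Enter {$field}!");
    }
    return $value;
}

// UNSAFE: the pattern from the question, user input spliced into the SQL text.
function insertUnsafe(PDO $db, string $last, string $first): void
{
    $db->exec("INSERT INTO hospital (LASTNAME, FIRSTNAME) VALUES ('$last', '$first')");
}

// SAFE: the SQL text is constant; the values are sent as bound parameters and are
// never parsed as SQL, whatever characters they contain.
function insertSafe(PDO $db, string $last, string $first): void
{
    $stmt = $db->prepare('INSERT INTO hospital (LASTNAME, FIRSTNAME) VALUES (:lname, :fname)');
    $stmt->execute([':lname' => $last, ':fname' => $first]);
}

function rowCount(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM hospital')->fetchColumn();
}

// Constructed sample inputs standing in for $_POST: a legitimate name containing an
// apostrophe, and a stacked-query payload.
$apostrophe = ['lname' => "O'Brien", 'fname' => 'Robert'];
$payload    = ['lname' => 'Smith',   'fname' => "x'); DELETE FROM hospital; --"];

$db = openDb();

// Prepared statements: both rows are stored exactly as typed, payload included.
foreach ([$apostrophe, $payload] as $post) {
    insertSafe($db, requireField($post, 'lname'), requireField($post, 'fname'));
}
print_r($db->query('SELECT LASTNAME, FIRSTNAME FROM hospital')->fetchAll(PDO::FETCH_ASSOC));
echo 'rows after prepared inserts: ' . rowCount($db) . PHP_EOL;

// String interpolation: the apostrophe in a real name already breaks the query ...
try {
    insertUnsafe($db, $apostrophe['lname'], $apostrophe['fname']);
} catch (PDOException $e) {
    echo 'unsafe insert failed: ' . $e->getMessage() . PHP_EOL;
}
// ... and the payload closes the VALUES list early and appends its own statement.
// SQLite's PDO::exec() runs every statement in the string, so the table is emptied.
insertUnsafe($db, $payload['lname'], $payload['fname']);
echo 'rows after injected insert: ' . rowCount($db) . PHP_EOL;
```

Run it with php on the command line. The point to take from it is that mysql_escape_string() (as in the question) tries to make the data fit the SQL text, while a prepared statement never mixes the two, so there is nothing to escape; note also that the original code escaped only FIRSTNAME and interpolated LASTNAME raw, which a single bind-everything statement makes impossible.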
