开发者

Trying to create a mysql injection proof script [closed]

问答 作者:
This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center. Closed 9 years ago.

I'm just a beginner, What's wrong with my code, I'm trying to experiment on this so that the webpages I'm going to create will not be vulnerable to mysql injections. What's the correct way of doing this:

<?php



$host="localhost";
$username="root";
$password="";
$db_name="testing";
$tbl="hospital";

$connection=mysql_connect($host, $username, $password) or die("cannot connect!");
mysql_select_db($db_name, $connection) or die("cannot select db!");


     $LASTNAME = $_POST[lname];
     $FIRSTNAME = $_POST[fname];



     $FIRSTNAME=(isset($_POST['fname']||trim($_POST['fname'])=="")?die('Error:Enter Firstname!')
                                                                       mysql_escape_string(trim($_PO开发者_如何学JAVAST['fname']));




      $sqlque="INSERT INTO hospital (LASTNAME, FIRSTNAME)
      VALUES ('$LASTNAME',  '$FIRSTNAME')"; 






if (!mysql_query($sqlque,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "<script>alert('Record successfully added!')</script>";



mysql_close($con)


?>

Here's the error, please help, thanks:

Parse error: parse error, expecting `','' or `')'' in C:\wamp\www\sql injection check\aisaction.php on line 20

use prepared statements

There is a missing : after die('Error:Enter Firstname!')

Just an update for anyone who comes across this question. The preferred method now would be to use PDO http://php.net/manual/en/book.pdo.php and prepared statements.

Specifically the MySQL extension either is no longer, or soon will not be supported in PHP. PDO is also more portable than MySQL or MySQLi

$db = new PDO(/*connection info*/);
$sql = "SELECT * FROM tbl WHERE condition1 = :param1 AND condition2 = :param2";

$stmt = $db->prepare($sql);
$stmt->bindValue(":param1", 10);
$stmt->bindValue(":param2", "banana");

$stmt->execute();

继续阅读:phpsecurity

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9