<分区>
我想知道这个 sql 查询是否受到 sql 注入(inject)的保护,如果它没问题,或者我应该修改一些东西。
我尝试从 GET 绑定(bind) ID,如果一切正常,我将使用该 ID 进行实际查询。
if(isset($_GET['id']) && $_GET['id'] != null) {
$id = $_GET['id'];
$stmt = $mysqli->prepare('SELECT id FROM maps WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$result = $stmt->get_result();
if (mysqli_num_rows($result) == 1) {
$row = $result->fetch_assoc();
$secid = $row["id"];
} else {
header("LOCATION: index.php");
}
$sql = "SELECT
maps.id,
maps.name,
maps.description,
maps.date,
maps.mcversion,
maps.mapid,
maps.category,
maps.format,
maps.userid,
users.username,
users.rank,
users.verified,
users.mc_username,
(SELECT COUNT(*) FROM likes WHERE likes.mapid = maps.id) AS likes,
(SELECT COUNT(*) FROM downloads WHERE downloads.mapid = maps.id) AS downloads,
(SELECT COUNT(*) FROM subscribe WHERE subscribe.channelid = maps.userid) AS subscribes,
(SELECT COUNT(*) FROM views WHERE views.mapid = maps.id) AS views
FROM maps
INNER JOIN users
ON maps.userid = users.id
WHERE maps.id = '$secid'";
$result = mysqli_query($con,$sql);
if (mysqli_num_rows($result) > 0) {
$row = mysqli_fetch_assoc($result);
} else {
header("LOCATION: index.php");
}
} else {
header("LOCATION: index.php");
}