Hey, I've been fiddling with this all night and was just wondering whether anyone can spot any flaws in my code. Someone told me earlier that I was using an outdated SQL connection string, so I've updated it. Feedback would be great!
<?php
if ( empty( $_POST ) ){
?>
    <form method="post" action="">
        <div class="form-group">
            <label>Full Name:</label>
            <input class="form-control" type="text" name="sub_name" />
            <br>
            <label>Email:</label>
            <input class="form-control" type="text" name="sub_email" />
            <div class="pull-right">
                <input class="btn btn-success" type="submit" value="Subscribe" />
            </div>
        </div>
    </form>
<?php
} else {
    try {
        $db = new PDO( 'mysql:host=localhost;dbname=test', $subsc_username, $subsc_password );
        $form = $_POST;
        $subsc_name = $form[ 'sub_name' ];
        $subsc_email = $form[ 'sub_email' ];
        // The two values are interpolated straight into the SQL text (and unquoted),
        // so the statement contains no placeholders for execute() to bind to.
        $sql = "INSERT INTO subscribers (
                    subsc_name, subsc_email )
                VALUES (
                    $subsc_name, $subsc_email )";
        $query = $db->prepare( $sql );
        $query->execute( array( 'subsc_name'=>$subsc_name, 'subsc_email'=>$subsc_email, ) );
    }
    catch(PDOException $e)
    {
        echo $e->getMessage();
    }
}
?>
Accepted answer
You aren't using placeholders in your prepared statement. The correct usage is:
<?php
// $_POST might be empty even if the request is a POST
if ('POST' === $_SERVER['REQUEST_METHOD']) {
    try {
        $db = new PDO('mysql:host=localhost;dbname=test', $subsc_username, $subsc_password);
        // default error mode is to return FALSE
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    } catch (PDOException $e) {
        die($e->getMessage());
    }
    $subsc_name = $_POST['sub_name'];
    $subsc_email = $_POST['sub_email'];
    // never put variables directly in your SQL queries
    $sql = 'INSERT INTO subscribers (subsc_name, subsc_email) VALUES (:subsc_name, :subsc_email)';
    try {
        $query = $db->prepare($sql);
        $query->execute(array(
            ':subsc_name' => $subsc_name,
            ':subsc_email' => $subsc_email,
        ));
    } catch (PDOException $e) {
        die($e->getMessage());
    }
} else {
    echo <<<EOF
<form method="post" action="">
    <div class="form-group">
        <label>Full Name:</label>
        <input class="form-control" type="text" name="sub_name" />
        <br>
        <label>Email:</label>
        <input class="form-control" type="text" name="sub_email" />
        <div class="pull-right">
            <input class="btn btn-success" type="submit" value="Subscribe" />
        </div>
    </div>
</form>
EOF;
}
?>
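As an added example that is not part of the question or the accepted answer, the script below puts the question's interpolated INSERT next to the answer's placeholder INSERT and runs both against an in-memory SQLite database through PDO (pdo_sqlite), so it needs no MySQL server. The subscribers table, the sample name and e-mail, and the injection payload are all constructed for the demonstration; the e-mail validation step goes beyond what the answer covers and is marked as such in the code.

```php
<?php
// Added example, not code from the question or the answer above. It runs the
// question's interpolated INSERT and the answer's placeholder INSERT against an
// in-memory SQLite database (pdo_sqlite) so it works offline without MySQL.
// The table, the sample name and e-mail, and the injection payload are
// constructed for this demonstration.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on every error instead of silently returning FALSE (the setting the answer uses).
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Ask for driver-side prepared statements rather than client-side emulation
    // that rebuilds the query string from the bound values.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE subscribers (subsc_name TEXT NOT NULL, subsc_email TEXT NOT NULL)');
    return $db;
}

// The question's approach: values spliced into the SQL text, so the input is parsed as SQL.
function insertInterpolated(PDO $db, string $name, string $email): void
{
    $sql = "INSERT INTO subscribers (subsc_name, subsc_email) VALUES ($name, $email)";
    $db->prepare($sql)->execute();
}

// The answer's approach: fixed SQL text with named placeholders. The values are
// handed to the driver separately and cannot change the statement's structure.
function insertBound(PDO $db, string $name, string $email): void
{
    $stmt = $db->prepare(
        'INSERT INTO subscribers (subsc_name, subsc_email) VALUES (:subsc_name, :subsc_email)'
    );
    $stmt->execute([':subsc_name' => $name, ':subsc_email' => $email]);
}

$db = openDb();

// Constructed hostile input: a payload that tries to close the VALUES list
// and append a second statement.
$name  = "Robert'); DROP TABLE subscribers; --";
$email = 'bobby@example.com';

// Beyond what the page covers: reject an e-mail that is not even shaped like one
// before touching the database. Input validation complements placeholders; it
// does not replace them.
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    exit("Rejected malformed e-mail\n");
}

try {
    insertInterpolated($db, $name, $email);
    echo "Interpolated INSERT ran\n";
} catch (PDOException $e) {
    // Unquoted interpolation is a syntax error for almost any input. Quoting the
    // variables would make the error go away while leaving the payload in control
    // of the SQL, which is exactly the injection the answer warns about.
    echo "Interpolated INSERT failed: " . $e->getMessage() . "\n";
}

insertBound($db, $name, $email);

$row = $db->query('SELECT subsc_name, subsc_email FROM subscribers')->fetch(PDO::FETCH_ASSOC);
if ($row !== false && $row['subsc_name'] === $name) {
    echo "Bound INSERT stored the payload verbatim as data; the table still exists.\n";
}
```

Run it with `php example.php` on a build that has pdo_sqlite enabled. The point to take away is that the placeholder version stores the hostile string as an ordinary value, while the interpolated version lets the request body decide what the database parses.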
For "php - Is this still vulnerable to SQL attacks? Can you see what's wrong?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/21402324/