堆栈内存溢出
  简体   繁体   English

SQL注入保护…语句的第二部分不起作用

[英]SQL Injection protection…2nd Half of statement does not work

 原文  2015-04-29 17:57:09       php/ mysql/ mysqli

问题描述

My first part of the PHPstatement updates the value accordingly in the database but the 2nd half no longer sets the cookie value, what am I doing wrong, I know its something minor: 我的PHPstatement的第一部分相应地更新了数据库中的值,但是第二半部分不再设置cookie值,我在做什么错了,我知道它有些小: 

    include("db_connect.php");
session_start();
$input_game = $_POST['game'];
$input_user = $_POST['email'];

//$sql = "UPDATE users_table SET Pref_Game = '" . $input_game . "' WHERE Email='" . $input_user . "'";
$stmt = $conn->prepare("UPDATE users_table SET Pref_Game = ? WHERE Email= ?");
$stmt->bind_param("ss", $input_game, $input_user);

2nd half of the statement: 陈述的第二部分: 

   if( $stmt->execute() ) {
$cookie_name2 = "content";
setcookie($cookie_name2,$input_game, time() + (86400 * 30), "/"); // 86400 = 1 day
} else {
    //Error
}

Can someone shine some light on the issue on to integrate it into the 2nd half of the statement. 有人可以就此问题发表一些看法,以将其整合到声明的第二部分。 So it works accordingly. 因此,它相应地工作。

1 个解决方案

解决方案1
 1 已采纳  2015-04-29 18:13:48

Wrap the return from execute() in a conditional test. 在条件测试中包装来自execute()的返回值。 ( execute() returns TRUE on success and FALSE on failure.) execute()成功返回TRUE,失败返回FALSE 。)

You can also use a prepared statement to run your subsequent query, for example: 您还可以使用准备好的语句来运行后续查询,例如: 

if( $stmt->execute() ) {

   $sql="SELECT Pref_Game FROM users_table WHERE Email = ?";
   $stmt2 = $conn->prepare($sql);
   $stmt2->bind_param("s",$input_user);
   $stmt2->execute();
   $pref_game = $stmt2->fetchColumn();
   setcookie($cookie_name2,$pref_game, time() + (86400 * 30), "/"); // 86400 = 1 day
   $stmt2->close();

} else {
   //Error
}

NOTES: 笔记:

This assumes that Email is unique in users_table. 这假定Email在users_table中是唯一的。 This example code isn't testing whether the $stmt2->execute returns successfully or not, you can wrap that in a conditional test, so we don't fall through to the fetchColumn. If the query is successful, but doesn't return a row, then the 这个示例代码没有测试$stmt2->execute是否成功返回,您可以将其包装在条件测试中,因此我们不会陷入fetchColumn. If the query is successful, but doesn't return a row, then the fetchColumn. If the query is successful, but doesn't return a row, then the fetchColumn()` will return FALSE. fetchColumn. If the query is successful, but doesn't return a row, then the fetchColumn()将返回FALSE。 

if( $stmt->execute() ) {

   $sql="SELECT Pref_Game FROM users_table WHERE Email = ?";
   $stmt2 = $conn->prepare($sql);
   $stmt2->bind_param("s",$input_user);
   if ( $stmt2->execute() ) {
       $pref_game = $stmt2->fetchColumn();
       setcookie($cookie_name2,$pref_game, time() + (86400 * 30), "/"); // 86400 = 1 day
   } else {
     // error executing stmt2
   }
} else {
  // error executing stmt
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 第二阶段SQL注入 - 2nd stage SQL Injection 分页的第二页上无法排序 - Sorting does not work on 2nd page of pagination PHP网站中的安全策略:SQL注入,XSS攻击和二阶SQL注入 - Security strategies in PHP website: SQL Injection, XSS attack and 2nd order SQL Injection SQL注入保护 - SQL Injection Protection PHP SQL注入保护 - Php sql injection protection SQL注入保护动作 - SQL injection protection action DB::unprepared() 不会在第二个或以后的语句中引发异常 - DB::unprepared() does no raise exception on 2nd or later statement Java脚本功能的第二部分不起作用 - 2nd part of Java Script Function does not work PHP中的SQL注入保护机制 - SQL injection protection mechanism in php PHP - 自动SQL注入保护? - PHP — automatic SQL injection protection?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM