防止SQL注入中的空列
[英]null column in protection from sql injection
问题描述
hi i am having a contact form in my website where user can optionaly fill some of the fields and after click on submit button data save in to the database all of this worked fine until i decide to sanitize my code from sql injection as i mentioned at first before trying to sanitize it from sql injection it worked properly as i showed in below code 
嗨,我在我的网站上有一个联系表格,用户可以在其中填写一些字段,然后单击“提交”按钮数据保存到数据库中,所有这些工作都很好,直到我决定从sql注入中清除我的代码为止首先,在尝试通过sql注入对它进行清理之前,它可以正常工作,如下面的代码所示
<form method="Post" action=""> <input type="text" name="name" />name <select dir="rtl" style="width: 173px;" name="case" > <option value="" disabled selected hidden>اplease choose</option> <option value='rent'>rent</option> <option value='sell'>sell</option> </select > <input type="checkbox" name="check1" value='a'>apartment<br> <input type="submit" value="submit" /> </form> <?php include("config.php"); if(isset($_POST['submit'])){ $date_clicked = date('Ymd H:i:s'); } //insert to database $insert =mysqli_query($connect,"INSERT INTO $db_table VALUES (to simplify code i do not write this part)"); } ?>
现在,我必须填写所有下拉列表和复选框,否则将显示错误“列”不能为空”。
also i can not insert date and time into database it gives the same error.
我也不能插入日期和时间到数据库,它给出了同样的错误。
here is my code when i protect it fron sql injection:
这是我在保护SQL注入时的代码:
<form method="Post" action=""> <input type="text" name="name" />name <select dir="rtl" style="width: 173px;" name="case" > <option value="" disabled selected hidden>اplease choose</option> <option value='rent'>rent</option> <option value='sell'>sell</option> </select > <input type="checkbox" name="check1" value='a'>apartment<br> <input type="submit" value="submit" /> </form> <?php include("config.php"); if(isset($_POST['submit'])){ $date_clicked = date('Ymd H:i:s'); } if(isset($_POST['submit'])){ //insert to database $query = mysqli_prepare($connect, "INSERT INTO $db_table VALUES (?,?,?,?)"); /* bind parameters for markers */ mysqli_stmt_bind_param( $query, "ssss", $_POST[name],$_POST['check1'],$_POST['case'],$_POST['date_clicked']); // execute query if ( mysqli_stmt_execute($query) ) { echo "Successfully inserted " . mysqli_affected_rows($connect) . " row"; } else { echo "Error occurred: " . mysqli_error($connect); } } ?>
please help me 请帮我
1 个解决方案
解决方案1
1 已采纳 2016-06-07 08:17:16
Make sure that your variables exist. 确保您的变量存在。 This is necessary because your checkbox, for example, will be null if not checked and that could be a problem for the table you are using. 这是必要的,因为例如您的复选框如果未选中,将为null,这可能对您正在使用的表造成问题。 You could set defaults and then insert it. 您可以设置默认值,然后将其插入。
$name = !empty($_POST['name']) ? $_POST['name'] : '';
$check1 = !empty($_POST['check1']) ? $_POST['check1'] : '';
$case = !empty($_POST['case']) ? $_POST['case'] : '';
$date_clicked = date('Y-m-d H:i:s');
// prepare and bind
$stmt = $connect->prepare("INSERT INTO `$db_table` (`name`, `check1`, `case`, `date_clicked`) VALUES (?, ?, ?, ?)");
$stmt->bind_param("ssss", $name, $check1, $case, $date_clicked);
$stmt->execute();
$stmt->close();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.