PHP SQL注入预防语法

Question

我正在学习PHP和SQL，对于这个页面，我正在尝试防止SQL注入。 现在我只是尝试两个变量。 ac1和ac2。 我提交时遇到mysql（）模具错误。 可能有什么不对？

<?php
$host="localhost"; // Host name
$username="******"; // Mysql username
$password="******"; // Mysql password
$db_name="******_practice"; // Database name
$tbl_name="administration"; // Table name

// Connect to server and select databse.
$dbc = mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$ac1=$_POST['ac1'];
$ac2=$_POST['ac2'];
$fan=$_POST['fan'];
$na=$_POST['na'];
$dh=$_POST['dh'];

$tolerance1=$_POST['tolerance1'];
$temptime1=$_POST['temptime1'];
$tolerance2=$_POST['tolernce2'];
$temptime2=$_POST['temptime2'];
$tolerance3=$_POST['tolerance3'];
$temptime3=$_POST['temptime3'];
$tolerance4=$_POST['tolerance4'];
$temptime4=$_POST['temptime4'];
$tolerance5=$_POST['tolerance5'];
$temptime5=$_POST['temptime5'];

$humidtolerance1=$_POST['humidtolerance1'];
$humidtime1=$_POST['humidtime1'];
$humidtolerance2=$_POST['humidtolerance2'];
$humidtime2=$_POST['humidtime2'];
$humidtolerance3=$_POST['humidtolerance3'];
$humidtime3=$_POST['humidtime3'];
$humidtolerance4=$_POST['humidtolerance4'];
$humidtime4=$_POST['humidtime4'];
$humidtolerance5=$_POST['humidtolerance5'];
$humidtime5=$_POST['humidtime5'];
// To prevent MySQL injection (a form of internet hacking)
$ac1 = stripslashes($ac1);
$ac2 = stripslashes($ac2);
$ac1 = mysql_real_escape_string($ac1);
$ac2 = mysql_real_escape_string($ac2);


$custnum = 0;
$sql="UPDATE {$tbl_name} SET ac1 = '{$ac1}', ac2 = '{$ac2}', fan = '{$fan}', na = '{$na}', da = '{$dh}', tolerance1 = '{$tolerance1}', temptime1 = '{$temptime1}',tolerance2 = '{$tolerance2}', temptime2 = '{$temptime2}',tolerance3 = '{$tolerance3}', temptime3 = '{$temptime3}',tolerance4 = '{$tolerance4}', temptime4 = '{$temptime4}',tolerance5 = '{$tolerance5}', temptime5 = '{$temptime5}', humidtolerance1 = '{$humidtolerance1}', humidtime1 = '{$humidtime1}',humidtolerance2 = '{$humidtolerance2}', humidtime2 = '{$humidtime2}',humidtolerance3 = '{$humidtolerance3}', humidtime3 = '{$humidtime3}',humidtolerance4 = '{$humidtolerance4}', humidtime4 = '{$humidtime4}',humidtolerance5 = '{$humidtolerance5}', humidtime5 = '{$humidtime5}' WHERE custnum = '{$custnum}'";
  $result = mysql_query($sql)
    or die('Error querying database.');


//Send them back to the page they were at/
header("location:index.php");
?>

Answer 1

如果您想更加确定可以防止SQL注入，您可能需要考虑使用PDO预处理语句 （假设您使用的是PHP 5.1或更高版本），而不是使用mysql_real_escape_string （旧方法）。

如果那不是一个选择：

• 您确定您的数据库中有一个0的custnum吗？ 通常，数据库索引往往从1开始。 如果是这种情况，则可能是查询失败的原因之一（无需更新。）

Answer 2

您应该尝试使用mysqli甚至更好，使用PDO和预处理语句。 直接调用mysql_query通常不是最好的方法。

http://php.net/manual/en/book.pdo.php

Answer 3

在您的情况下必须是引号：

$sql="UPDATE {$tbl_name} SET `ac1` = '{$ac1}', `ac2` = '{$ac2}', `fan` = '{$fan}', `na` = '{$na}', `da` = '{$dh}', `tolerance1` = '{$tolerance1}', `temptime1` = '{$temptime1}',`tolerance2` = '{$tolerance2}', `temptime2` = '{$temptime2}',`tolerance3` = '{$tolerance3}', `temptime3` = '{$temptime3}',`tolerance4` = '{$tolerance4}', `temptime4` = '{$temptime4}',`tolerance5` = '{$tolerance5}', `temptime5` = '{$temptime5}', `humidtolerance1` = '{$humidtolerance1}', `humidtime1` = '{$humidtime1}',`humidtolerance2` = '{$humidtolerance2}', `humidtime2` = '{$humidtime2}',`humidtolerance3` = '{$humidtolerance3}', `humidtime3` = '{$humidtime3}',`humidtolerance4` = '{$humidtolerance4}', `humidtime4` = '{$humidtime4}',`humidtolerance5` = '{$humidtolerance5}', `humidtime5` = '{$humidtime5}' WHERE `custnum` = '{$custnum}'";

也就是说，你应该将这些字段名称放在反引号引号中，因为你将值放在单个引号中。 不过，让我给你一个建议：在生产模式中，你最好使用PDO，如前所述。 祝好运