Fatal编程技术网
  • php/
  • Php 我的搜索表单上的SQL准备语句错误

Php 我的搜索表单上的SQL准备语句错误

php sql

Php 我的搜索表单上的SQL准备语句错误,php,sql,sql-injection,Php,Sql,Sql Injection,我发现为我的搜索表单编写SQL准备的语句很困难,我可以得到帮助来修复它吗?没有SQL准备的bind语句,一切都很好,但我确信它不是那么安全 这是我的密码: <?php // Define Database connection parameters $dbserver = "localhost"; $username = "root"; $password = ""; $dbname = "student"; // Lets Connect to theDatab

我发现为我的搜索表单编写SQL准备的语句很困难,我可以得到帮助来修复它吗?没有SQL准备的bind语句,一切都很好,但我确信它不是那么安全

这是我的密码:

<?php
  // Define Database connection parameters 
  $dbserver = "localhost";
  $username = "root";
  $password = "";
  $dbname = "student";
  // Lets Connect to theDatabase Table, But if there is an Error lets tell before its too late to figured
  $conn = mysqli_connect ( $dbserver, $username, $password, $dbname ) or die ( ' I can not connect to the database ' );

   // Its time to Capture the varibles and user inpute from the form , also we need to sanitize the input to avoid SQL Injection    
  $study_group = mysqli_real_escape_string ( $conn, $_POST['matric_number']);

  /* Lets try to use bind Statement to reduce further hacking

  I am also avoiding using "LIKE" Clause because IVariable direct Exact results so will be using the Direct Varible 
  */

  $sql = $conn->prepare (" SELECT * FROM study_circle WHERE matric = ? ") ;
  $sql->bind_param('s', $study_group);
  $sql ->execute();

  $results = mysqli_query ($conn, $sql);
  $mysqlResults = mysqli_num_rows ($results);

  if (  $mysqlResults > 0   )
  { 
    while (  $row = mysqli_fetch_assoc ( $results )) 
    {
      // Display results in table form
      echo " <div>
        <h4> ".$row['full_name']."</h4>
      </div>";
     }      
  } else {
    echo " Please Ensure your Matric Number is correct, We can not find anything relting to your data";
  }

如果使用prepared语句,则不应使用mysqli\u real\u escape\u字符串

尝试注释mysqli_real_escape_string行,并直接在bind_参数中使用$\u POST['matric_number']


// $study_group = mysqli_real_escape_string ( $conn, $_POST['matric_number']);

/* Lets try to use bind Statement to reduce further hacking


我也避免使用“LIKE”子句,因为可变的直接精确结果将使用直接可变的
*/


binding param and prepared语句阻止SQL注入,因此您不需要mysqli_real_escape_字符串操作
错误是什么?使用prepared语句时不应转义值,现在它将检查不带引号的值。
$results=mysqli_query($conn,$SQL)。此时,
$sql
是一个语句对象,而不是包含sql查询的字符串。该行也非常无用,因为您之前已经进行了几行查询。

$sql = $conn->prepare (" SELECT * FROM study_circle WHERE matric = ? ") ;
$sql->bind_param('s',  $_POST['matric_number']);
$sql ->execute();