Php 对于登录表单，使用htmlspecialcharacters和单引号是否足够？_Php_Html_Mysql_Sql Injection - Fatal编程技术网

Warning: file_get_contents(/data/phpspider/zhask/data//catemap/1/php/298.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181

Warning: file_get_contents(/data/phpspider/zhask/data//catemap/3/html/86.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181

Warning: file_get_contents(/data/phpspider/zhask/data//catemap/2/google-app-engine/4.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Php 对于登录表单，使用htmlspecialcharacters和单引号是否足够？_Php_Html_Mysql_Sql Injection - Fatal编程技术网

Php 对于登录表单，使用htmlspecialcharacters和单引号是否足够？

php html mysql

Php 对于登录表单，使用htmlspecialcharacters和单引号是否足够？,php,html,mysql,sql-injection,Php,Html,Mysql,Sql Injection,我有以下代码 $username=htmlspecialchars($_POST['username'],ENT_QUOTES); $sql="SELECT * FROM user_account WHERE account_name='".$username."'"; 这容易受到sql注入的攻击。如果是这样的话，有人怎么能绕过这个问题呢？像这样使用MySQLi $username = mysqli_real_escape_string($con, $_POST['username']); $

我有以下代码

$username=htmlspecialchars($_POST['username'],ENT_QUOTES);
$sql="SELECT * FROM user_account WHERE account_name='".$username."'";

这容易受到sql注入的攻击。如果是这样的话，有人怎么能绕过这个问题呢？

像这样使用

MySQLi

$username = mysqli_real_escape_string($con, $_POST['username']);
$con is your connection

也读一下这个

和

检查

mysql\u real\u escape\u string

切换到PDO或MySQLi。比MySQL好得多，MySQL从年起就消失了PHP7@vicky-gonsalves谢谢，但是这怎么比HTMLSecialChars好呢？停止使用不推荐使用的和从PHP7起删除的mysql_*函数。迁移到PDO并开始使用准备好的语句，这真的不难。原因如下：投票支持手动链接

[html]相关文章推荐

随机文章推荐