“post”数组的键:。你能在这里发布完整的代码吗?谢谢你向我解释这个原则。所以这可能比标准的mysql/php更安全?但是我仍然不明白为什么以后执行variables语句更安全。我的意思是它还是来自表单的相同值?这并不比标准的mysql/php更安全-这
“post”数组的键:。你能在这里发布完整的代码吗?谢谢你向我解释这个原则。所以这可能比标准的mysql/php更安全?但是我仍然不明白为什么以后执行variables语句更安全。我的意思是它还是来自表单的相同值?这并不比标准的mysql/php更安全-这,php,html,mysql,forms,Php,Html,Mysql,Forms,“post”数组的键:。你能在这里发布完整的代码吗?谢谢你向我解释这个原则。所以这可能比标准的mysql/php更安全?但是我仍然不明白为什么以后执行variables语句更安全。我的意思是它还是来自表单的相同值?这并不比标准的mysql/php更安全-这是标准,这就是为什么当别人教连接时我会生气。我将在我的回答中添加一个简短的解释。。。 <form action='' method='post'> <select name="myselectbox"> <o
“post”数组的键:。你能在这里发布完整的代码吗?谢谢你向我解释这个原则。所以这可能比标准的mysql/php更安全?但是我仍然不明白为什么以后执行variables语句更安全。我的意思是它还是来自表单的相同值?这并不比标准的mysql/php更安全-这是标准,这就是为什么当别人教连接时我会生气。我将在我的回答中添加一个简短的解释。。。
<form action='' method='post'>
<select name="myselectbox">
<option name="myoption1" value="myoption1">myoption1</option>
<option name="myoption2" value="myoption2">myoption2</option>
<option name="myoption3" value="myoption3">myoption3</option>
<option name="myoption4" value="myoption4">myoption4</option>
</select>
<input type='submit' value='submit'/>
</form>
$sql = "INSERT INTO Entries (myoption1) VALUES ('$_POST[myselectbox]')";
$value = mysql_real_escape_string($_POST['myselectbox']);
$sql = "INSERT INTO Entries (myoption1) VALUES ($value)";
$sql = "INSERT INTO Entries (myoption1) VALUES (".$_POST['myselectbox'].")";
<form action='' method='post'>
<select name="myselectbox">
<option name="myoption1" value="myoption1">myoption1</option>
<option name="myoption2" value="myoption2">myoption2</option>
<option name="myoption3" value="myoption3">myoption3</option>
<option name="myoption4" value="myoption4">myoption4</option>
</select>
<input type='submit' value='submit'/>
</form>
if(!empty($_POST['myselectbox'])){
/*.. do your query section... */
}
// Connect to mysql
$mysqli = new mysqli('where your server is', 'my_user', 'my_password', 'world');
// Build the initial statement - easier to read as you don't have your string concatenation here
$stmt = $mysqli->prepare( "INSERT INTO Entries (myoption1) VALUES (?)" );
// Tell mysql that the '?' should be replaced with the value in your post array
$stmt->bind_param( "s", $POST['myselectbox'] );
// Execute the statement
$stmt->execute()
$sql = "INSERT INTO Entries (myoption1) VALUES ('". $_POST['myselectbox'] ."')";
INSERT INTO Entries (myoption1) VALUES ('myoption1');
INSERT INTO Entries (myoption1) VALUES (''='' OR '1'='1');
INSERT INTO Entries (myoption1) VALUES (''=''); DROP TABLE Entries WHERE (''='');