[Solved] MySQL query does not work from a PHP script but works in PhpMyAdmin


Problem description:

I have this user verification file:

<?php
session_start();
require 'db-D.php';

$email = $_GET['email'];
$code  = $_GET['code'];

$sql  = 'UPDATE `login_D` SET `active`= 1 WHERE email=\"'.$email.'\" and code=\''.$code.'\'';

$conn->query($sql) or $_SESSION['message'] = 'invalid URL' and $_SESSION['details'] = null and header('location: error.php') and die();
header('location: login.php');

?>

I send the user a mail and then use GET method to retrieve the info. The URL looks like this:

192.168.0.101/verifiy.php?email=somemail@mail.com&code=c16c0745def04703e62daa72270c9a89c113a0b208ddd0072b6f828fe1adc81b

The problem is that when I query $sql I get no errors and when I check the active value on PhpMyAdmin it is 0 not 1.

I ran the same script (with the values manually inserted) on PhpMyAdmin and the value changed.

I also looked at the log files (apache and php) and there are no errors.

I am running a LAMP server on a Raspberry Pi 3.

I found the error:

$sql  = 'UPDATE `login_D` SET `active`= 1 WHERE email="'.$email.'" and code=\''.$code.'\'';

There were two extra backslashes in the email part of the query (the backslashes were taken as text, so the query was failing).

old version:

                                                       <--here-->
$sql  = 'UPDATE `login_D` SET `active`= 1 WHERE email=\"'.$email.'\" and code=\''.$code.'\'';

This is the code with protection against SQL injection:

<?php
session_start();
require 'db-D.php';

// Missing parameters default to empty strings instead of raising notices.
$email = $_GET['email'] ?? '';
$code  = $_GET['code']  ?? '';

if ($conn->connect_errno) {
    die("Connection failed: " . $conn->connect_error);
}

// Placeholders keep the values out of the SQL text, so a quoting slip
// (or an injected quote) can no longer change the statement.
$sql  = 'UPDATE `login_D` SET `active`= 1 WHERE email=? and code=?';
$stmt = mysqli_stmt_init($conn);

if (!mysqli_stmt_prepare($stmt, $sql)) {
    $_SESSION['message'] = 'invalid URL';
    $_SESSION['details'] = $conn->error;
    header('location: error.php');
    exit;
}

mysqli_stmt_bind_param($stmt, "ss", $email, $code);

// An UPDATE whose WHERE clause matches no row succeeds without an error;
// the affected-row count is what distinguishes a bad link from a real
// activation (it is also 0 when the account was already active).
if (!mysqli_stmt_execute($stmt) || mysqli_stmt_affected_rows($stmt) < 1) {
    $_SESSION['message'] = 'invalid URL';
    $_SESSION['details'] = mysqli_stmt_error($stmt);
    header('location: error.php');
    exit;
}

mysqli_stmt_close($stmt);
$_SESSION['message'] = 'Please login to go to account';
header('location: login.php');
exit;

?>
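As an added example (not the poster's code), a stand-alone PHP script that shows why the single-quoted string kept its backslashes, and a prepared-statement activation routine that checks the affected-row count so a wrong code is not mistaken for success. It uses PDO with an in-memory SQLite database so it runs offline (the question uses mysqli against MySQL); the table and column names follow the question, the sample row and code value are constructed, and the extra `active = 0` condition is an assumption added to make the link single-use.

```php
<?php
// Added example, not the original poster's code. Uses PDO with an in-memory
// SQLite database so it runs offline; table/column names follow the question.

// In a single-quoted PHP string only \' and \\ are escape sequences, so the
// \" written by the poster stays as two literal characters in the SQL text.
function buildBuggySql(string $email, string $code): string
{
    return 'UPDATE `login_D` SET `active`= 1 WHERE email=\"' . $email
        . '\" and code=\'' . $code . '\'';
}

// Prepared-statement version: values never become part of the SQL text, so
// neither a quoting slip nor an injected quote can change the statement.
// Returns whether exactly one row was activated.
function activateAccount(PDO $db, string $email, string $code): bool
{
    $stmt = $db->prepare(
        'UPDATE login_D SET active = 1 WHERE email = ? AND code = ? AND active = 0'
    );
    $stmt->execute([$email, $code]);
    // A WHERE clause that matches nothing is not an error for the driver,
    // which is why the original script saw none; the row count tells you.
    return $stmt->rowCount() === 1;
}

// Constructed sample data (values are placeholders, not the poster's).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_D (email TEXT, code TEXT, active INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO login_D (email, code) VALUES ('user@example.com', 'sample-code-123')");

// The buggy SQL text, with the stray backslashes visible around the email.
$buggy = buildBuggySql('user@example.com', 'sample-code-123');
echo $buggy, PHP_EOL;
echo 'backslash before quote: ', var_export(str_contains($buggy, '\\"'), true), PHP_EOL;

// Wrong code: no exception is raised, the row simply stays inactive.
var_dump(activateAccount($db, 'user@example.com', 'wrong-code'));
// Correct code: the row is activated.
var_dump(activateAccount($db, 'user@example.com', 'sample-code-123'));
// Re-using the link: the row is already active, so nothing matches.
var_dump(activateAccount($db, 'user@example.com', 'sample-code-123'));
```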