您的位置: 首页  >  技术问答  >  尝试使用我的localhost上的代码修复SQL注入,无法使其工作。 (PHP)

尝试使用我的localhost上的代码修复SQL注入,无法使其工作。 (PHP)

分类: 技术问答 2022-03-18 21:20:42

尝试使用我的localhost上的代码修复SQL注入,无法使其工作。 (PHP)

问题描述:

Iam very new to PHP and I have been told that my previous code can be SQL injected so I am trying to solve it now. This is what I have come up with so far. When I submit into my form with this code below I get this error:

Notice: Undefined variable: mysqli in /Applications/XAMPP/xamppfiles/htdocs/index.php on line 49

Fatal error: Call to a member function prepare() on null in /Applications/XAMPP/xamppfiles/htdocs/index.php on line 49".

I have commented on line 49.

<?php 

$mysql_pekare= new mysqli ("localhost", "username","pass", "database");

if(!empty($_GET['namn'])) {
$unsafe_variable = "Welcome ". $_GET["namn"]. ". You are ".$_GET["age"]. " years old." ; 

$stmt = $mysqli->prepare("INSERT INTO Personinfo(`Personname`, `Personage`) VALUES('$_GET[namn]', '$_GET[age]')");` //this is line 49

$stmt->bind_param("s", $unsafe_variable);

$stmt->execute();

$stmt->close();

$mysqli->close();
}
?>

My form looks like this:

<form id="Personinfo" action="index.php" > 
<input type="text" id="namn" name="namn" placeholder="namn"/>
<input type="text" id="age" name="age" placeholder="age"/> 
<input type="submit"/>
</form>

我对PHP很新,我被告知我以前的代码可以是SQL注入,所以我试图解决 现在。 这是我到目前为止所提出的。 当我使用下面的代码提交到我的表单时,我收到此错误: p>

注意:未定义的变量:/Applications/XAMPP/xamppfiles/htdocs/index.php中的mysqli 第49行 p>

致命错误:在第49行的/Applications/XAMPP/xamppfiles/htdocs/index.php中调用null上的成员函数prepare()。“ p> \ n blockquote>

我在第49行发表了评论。 p> 

 &lt;?php 
 
 $ mysql_pekare = new mysqli(“localhost”  ,“username”,“pass”,“database”); 
 
if(!empty($ _ GET ['namn'])){
 $ unsafe_variable =“Welcome”。$ _GET [“namn”]。“  。 你是“。$ _ GET [”age“]。”岁了。“; 
 
 $ stmt = $ mysqli-&gt; prepare(”INSERT INTO Personinfo(`Personname`,`Personage`)VALUES('$ _ GET  [namn]','$ _GET [age]')“);`//这是第49行
 
 $ stmt-&gt; bind_param(”s“,$ unsafe_variable); 
 
 $ stmt-&gt  ;执行(); 
 
 $的stmt-&GT;关闭(); 
 
 $的mysqli-&GT;关闭(); \ N} 
&GT;吗?
 代码>  PRE> \  n 
 
我的表单如下所示: p> 
 
 


 &lt; form id =“Personinfo”action =“index.php”&gt; 
&lt; input type =“  text“id =”namn“name =”namn“placeholder =”namn“/&gt; 
&lt; input type =”text“id =”age“name =”age“placeholder =”age“/&gt; 
&lt; 输入类型=“提交”/&gt; 
&lt; / form&gt; 
  code>  pre> 
  div>

You have to use the connection as you have named it:

$mysql_pekare= new mysqli ("localhost", "username","pass", "database");

if(!empty($_GET['namn'])) {
    $unsafe_variable = "Welcome ". $_GET["namn"]. " You are ".$_GET["age"]. " years old." ; 

    $stmt = $mysql_pekare->prepare("INSERT INTO Personinfo(`Personname`, `Personage`) VALUES(?,?))";
    $stmt->bind_param("ss", $_GET['namn'], $_GET['age']);
    $stmt->execute();
    $mysql_pekare->close();
}

Once you do that you have to use placeholders (?) for each unsafe variable and then bind to those variables.

You first create $mysql_pekare and then try to use $msqli. That's your issue.

Change your variables to match, and you should be good.

$mysql_pekare = new mysqli(...);

$mysql_pekare->prepare(...);

相关推荐