• September 11, 2018
    <?php
    $con=mysqli_connect("localhost","my_user","my_password","my_db");
    
    // Check connection
    if (mysqli_connect_errno()) {
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }
    
    // escape variables for security
    $firstname = mysqli_real_escape_string($con, $_POST['firstname']);
    $lastname = mysqli_real_escape_string($con, $_POST['lastname']);
    $age = mysqli_real_escape_string($con, $_POST['age']);
    
    $sql="INSERT INTO Persons (FirstName, LastName, Age)
    VALUES ('$firstname', '$lastname', '$age')";
    
    if (!mysqli_query($con,$sql)) {
      die('Error: ' . mysqli_error($con));
    }
    echo "1 record added";
    
    mysqli_close($con);
    ?>

    +https://www.w3schools.com/php/func_mysqli_real_escape_string.asp

    php5+
    ป้องกัน injection

    วิธีอื่น

    +https://stackoverflow.com/questions/22304930/is-mysqli-real-escape-string-safe

    +https://stackoverflow.com/questions/14135932/should-i-use-mysqli-real-escape-string-or-mysql-real-escape-string-for-form

    If you connection string is:

    mysql_connect()

    then use:

    mysql_real_escape_string($_POST[''])

    If it is:

    $mysqli = new mysqli();

    then use:

    $mysqli->real_escape_string($_POST[''])


เวอไนน์ไอคอร์ส

ประหยัดเวลากว่า 100 เท่า!






เวอไนน์เว็บไซต์⚡️
สร้างเว็บไซต์ ดูแลเว็บไซต์

Categories