无法从数据库中获取数据
Not able getting data from database
connect.php :
<?php
$db = new mysqli('localhost', 'root', '', 'cms');
if ($db->connect_errno) {
die('Sorry, We are having some problems');
}
function escape($string){
return htmlentities($string,ENT_QUOTES,'UTF-8');
}
?>
printdata.php :
<?php
require 'include/connect.php';
$cerid = escape($_POST['cerid']);
$student = escape($_POST['student']);
if($result = $db->query("SELECT * FROM certificate WHERE name = {$student} ")){
if ($result->num_rows) {
$rows =$result->fetch_assoc();
echo $rows['cerid'];
echo "<br> {$rows['name']} ";
echo $rows['cname'];
echo $rows['dname'];
}
}
?>
你有两个问题:
- 您没有引用您的价值观。当您不使用准备好的语句(推荐...)时,您应该引用它们;
- 您有一个潜在的 sql 注入问题。
htmlentities() 并不能保护你不受此影响。
应该是这样的:
function escape($string, $mysqli){
return mysqli_real_escape_string($mysqli, $string);
// or
return $mysqli->real_escape_string($string);
}
像这样调用您的函数:
$cerid = escape($db, $_POST['cerid']);
// etc.
和:
if($result = $db->query("SELECT * FROM certificate WHERE name = '{$student}' ")){
尽管准备好的语句可以避免您转义值的麻烦。
connect.php :
<?php
$db = new mysqli('localhost', 'root', '', 'cms');
if ($db->connect_errno) {
die('Sorry, We are having some problems');
}
function escape($string){
return htmlentities($string,ENT_QUOTES,'UTF-8');
}
?>
printdata.php :
<?php
require 'include/connect.php';
$cerid = escape($_POST['cerid']);
$student = escape($_POST['student']);
if($result = $db->query("SELECT * FROM certificate WHERE name = {$student} ")){
if ($result->num_rows) {
$rows =$result->fetch_assoc();
echo $rows['cerid'];
echo "<br> {$rows['name']} ";
echo $rows['cname'];
echo $rows['dname'];
}
}
?>
你有两个问题:
- 您没有引用您的价值观。当您不使用准备好的语句(推荐...)时,您应该引用它们;
- 您有一个潜在的 sql 注入问题。
htmlentities()并不能保护你不受此影响。
应该是这样的:
function escape($string, $mysqli){
return mysqli_real_escape_string($mysqli, $string);
// or
return $mysqli->real_escape_string($string);
}
像这样调用您的函数:
$cerid = escape($db, $_POST['cerid']);
// etc.
和:
if($result = $db->query("SELECT * FROM certificate WHERE name = '{$student}' ")){
尽管准备好的语句可以避免您转义值的麻烦。