From 38551c4174824623076a07e7fe3ee104291afa06 Mon Sep 17 00:00:00 2001
From: Xuxfff <1683793776@qq.com>
Date: Wed, 12 Oct 2022 14:17:33 +0800
Subject: [PATCH] fix:fix the sql injection
---
batch_insert.php | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/batch_insert.php b/batch_insert.php
index 20867af..afad832 100644
--- a/batch_insert.php
+++ b/batch_insert.php
@@ -19,7 +19,7 @@ if (!$conn) {
}
//获得用户名数据
-$source = $_POST['users'];
+$source = mysqli_real_escape_string($conn,$_POST['users']);
//如有多个空格,删除剩一个空格
$source1 = preg_replace('/\s\s+/', ' ', $source);
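Review bot: Escaping the whole `users` string at line 16 still leaves the queries that interpolate each token (`WHERE Student_ID='$user[$index]'` and the `REPLACE INTO` in the next hunk) as string-built SQL, and `mysqli_real_escape_string` is only correct for the connection's active charset, which nothing visible here sets via `mysqli_set_charset` (the connection setup is above the hunk). The robust fix is to bind each token as a parameter of a prepared statement and drop the escape call; keeping both would store the escaping backslashes in `Student_ID`. The read of `$_POST['users']` also warns when the field is absent, so `$_POST['users'] ?? ''` is preferable before the normalisation at line 18. Sketch of the loop below (the `for` loop's closing brace lies outside both hunks):
```php
// … unchanged: whitespace normalisation, trim and explode …
$check  = mysqli_prepare($conn, "SELECT 1 FROM `students_data` WHERE Student_ID = ?");
$insert = mysqli_prepare($conn, "REPLACE INTO `students_data`(`Student_ID`, `Passport_Number`) VALUES (?, '')");
foreach ($user as $studentId) {
    mysqli_stmt_bind_param($check, 's', $studentId);
    mysqli_stmt_execute($check);
    mysqli_stmt_store_result($check);
    if (mysqli_stmt_num_rows($check) < 1) {
        mysqli_stmt_bind_param($insert, 's', $studentId);
        if (!mysqli_stmt_execute($insert)) {
            // … unchanged: error echo with htmlspecialchars(mysqli_error($conn)) …
        } else {
            // … unchanged: success echo …
        }
    }
// … unchanged: loop close …
```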
@@ -31,13 +31,12 @@ $source2 = trim($source1);
//根据空格拆分
$user = explode(' ', $source2);
-
//插入数据
for($index=0; $index < count($user); $index++) {
$result = mysqli_query($conn, "SELECT * FROM `students_data` WHERE Student_ID='$user[$index]'");
if (mysqli_num_rows($result) < 1) {
if (! mysqli_query($conn, "REPLACE INTO `students_data`(`Student_ID`, `Passport_Number`) VALUES('$user[$index]', '')" ) ) {
- echo "SQL Error: " . $sql_stmt . "
" . mysqli_error($conn);
+ echo "SQL Error: " . $sql_stmt . "
" .htmlspecialchars(mysqli_error($conn));
} else {
echo "
Student number $user[$index] added.
"; }