mrlan
/
LRR
3
0
Fork 2
Code Issues Pull Requests 7 Projects Releases Wiki Activity

fix:fix the sql injection

Xuxuan
徐宣 2022-10-12 14:17:33 +08:00
parent 4bf8d8d970
commit 38551c4174
1 changed files with 2 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
batch_insert.php
View File

@ -19,7 +19,7 @@ if (!$conn) {
} }
//获得用户名数据 //获得用户名数据
$source = $_POST['users']; $source = mysqli_real_escape_string($conn,$_POST['users']);
//如有多个空格,删除剩一个空格 //如有多个空格,删除剩一个空格
$source1 = preg_replace('/\s\s+/', ' ', $source); $source1 = preg_replace('/\s\s+/', ' ', $source);
@ -31,13 +31,12 @@ $source2 = trim($source1);
//根据空格拆分 //根据空格拆分
$user = explode(' ', $source2); $user = explode(' ', $source2);
//插入数据 //插入数据
for($index=0; $index < count($user); $index++) { for($index=0; $index < count($user); $index++) {
$result = mysqli_query($conn, "SELECT * FROM `students_data` WHERE Student_ID='$user[$index]'"); $result = mysqli_query($conn, "SELECT * FROM `students_data` WHERE Student_ID='$user[$index]'");
if (mysqli_num_rows($result) < 1) { if (mysqli_num_rows($result) < 1) {
if (! mysqli_query($conn, "REPLACE INTO `students_data`(`Student_ID`, `Passport_Number`) VALUES('$user[$index]', '')" ) ) { if (! mysqli_query($conn, "REPLACE INTO `students_data`(`Student_ID`, `Passport_Number`) VALUES('$user[$index]', '')" ) ) {
echo "SQL Error: " . $sql_stmt . "<br>" . mysqli_error($conn); echo "SQL Error: " . $sql_stmt . "<br>" .htmlspecialchars(mysqli_error($conn));
} else { } else {
echo "<p>Student number $user[$index] added.</p>"; echo "<p>Student number $user[$index] added.</p>";
} }