【发布时间】:2017-10-17 12:37:16
【问题描述】:
正在处理从数据库返回的数组构建页面以发布故事,但不确定它不工作的地方。页面 URL 如下所示:https://ohcrap.ninja/games/ps4/article.php?id=1
这是应该生成内容的代码:
<?php
$id = $_GET['id'];
$query = mysqli_query($con,'SELECT * FROM `PS4` WHERE `id` =' .$id) or die(mysqli_error($con));
while ($row = mysqli_fetch_array($query));
// Echo page content
echo "<div class='col s12 m12 l12'>";
echo "<div class='card small grey darken-3'>";
echo "<div class='card-stacked'>";
echo "<div class='card-content'>";
echo "$id";
echo "<span class='card-title'>" . $row['title'] . "</span>";
echo "<hr color='black'>";
echo "<P>By:<i> " . $row['author'] . "</i></P>";
echo "<P>Published: " . $row['published'] . "</P>";
echo "<br>";
echo "<P class='truncate'>" . $row['story'] . "</P>";
echo "</div>";
echo "</div>";
echo "</div>";
echo "</div>";
?>
【问题讨论】:
-
Little Bobby 说 your script is at risk for SQL Injection Attacks. 了解有关 MySQLi 的 prepared 语句。即使escaping the string 也不安全!
-
感谢您的提醒,我会研究一下。我很感激!