As you develop this system, you should adopt best practices sooner rather than later; in this case I mean `sql injection`.

Alas, the code above is vulnerable. My guess is that the quotes are missing around the embedded variable: `code_ticket = $order`. If `$order` is a string, it needs quotes. That said, it would be easy to inject something nasty into this, so a `prepared statement` would be the way forward. I quickly rewrote your code to show you how to use a `try/catch` block and a `prepared statement`, which will hopefully fix the problem and make the code safer.
```php
<?php
/* $link is assumed to be an existing, open mysqli connection */
if( $link && $_SERVER['REQUEST_METHOD']=='POST' && !empty( $_POST['order'] ) ){
    try{
        $order = $_POST['order'];

        /* basic query with placeholder for variable */
        $sql = 'select `shipping_status` from `orders` where `code_ticket` = ?';

        /* create the prepared statement object */
        $stmt = $link->prepare( $sql );

        /* if preparing the query failed raise an exception to indicate failure */
        if( !$stmt ) throw new Exception( 'Failed to prepare sql' );

        /* so far so good. Bind placeholder to a variable ('s' = string) */
        $stmt->bind_param( 's', $order );

        /* execute the query: execute() returns true/false, not a recordset */
        if( !$stmt->execute() ) throw new Exception( 'Failed to execute sql' );

        /* bind column data to an output variable */
        $stmt->bind_result( $status );

        /* fetch the record: fetch() returns null when no row matched, false on error */
        if( !$stmt->fetch() ) throw new Exception( 'No results: Order not placed' );

        /* do something with output variable (escape it, it came from the database) */
        printf( 'Shipping Status: %s', htmlspecialchars( $status ) );

        $stmt->free_result();
        $stmt->close();
    }catch( Exception $e ){
        exit( $e->getMessage() );
    }
}
?>
```
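To make the injection point concrete, here is an added example of my own (not the answerer's code and not the asker's application). It uses Python's `sqlite3` module as a stand-in for mysqli, with a constructed `orders` table, and shows that even with the quotes the answer mentions, a value pasted into the SQL text can close the quote and widen the `WHERE` clause, while the `?` placeholder keeps the same input as plain data. The payload string and the sample rows are my own constructions.

```python
import sqlite3


def make_db():
    """Build an in-memory stand-in for the `orders` table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (code_ticket TEXT PRIMARY KEY, shipping_status TEXT)")
    conn.executemany(
        "INSERT INTO orders (code_ticket, shipping_status) VALUES (?, ?)",
        [("A100", "shipped"), ("A101", "pending"), ("A102", "cancelled")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, order):
    """Query built like the original: the user value is pasted into the SQL text.

    Adding the quotes around the value does not stop injection, because the
    attacker can simply close the quote themselves and continue the expression.
    """
    sql = f"SELECT shipping_status FROM orders WHERE code_ticket = '{order}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, order):
    """Parameterised query: the ? placeholder is bound to the value, so the
    input is only ever compared as data and is never parsed as SQL."""
    sql = "SELECT shipping_status FROM orders WHERE code_ticket = ?"
    return [row[0] for row in conn.execute(sql, (order,))]


# Constructed payload: closes the opening quote, then adds an always-true condition.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("legit order, unsafe query  :", lookup_unsafe(conn, "A100"))
    print("legit order, safe query    :", lookup_safe(conn, "A100"))
    print("payload, unsafe query      :", lookup_unsafe(conn, PAYLOAD))
    print("payload, safe query        :", lookup_safe(conn, PAYLOAD))
```

With a real order code both functions return the same single row; with the payload the interpolated query returns every row in the table, and the parameterised query returns nothing because no ticket is literally named `' OR '1'='1`. The empty result is also the case the rewritten PHP above has to handle explicitly, since `fetch()` returns null rather than throwing.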