Secure code with Mysqli [closed]

2020-01-20 02:35发布

站内文章 / PHP
18 0 0

问题:

Closed. This question is off-topic. It is not currently accepting answers.

Want to improve this question? Update the question so it's on-topic for Stack Overflow.

Closed 5 years ago.

Is this code good proteceted, and if not could you tell me how to secure that. I use Mysqli...Also I would like to someone show me how this can be exploited if it is not secure?

if(isset($_POST['vrsta_predmeta']) AND !empty($_POST['vrsta_predmeta']) AND 
  isset($_POST['res_text']) AND isset($_POST['glavni_dug']) AND isset($_POST['res']) AND
  isset($_POST['zaklj']) AND isset($_POST['povjerilac']) AND isset($_POST['duznik']) AND
  isset($_POST['predmet_zaveden'])){

    $racunob =  trim($_POST['rac']);
    $obrazlozenje = trim($_POST['obr']);     
    $ob_text = trim($_POST['res_ob']);  
    $res_text = trim($_POST['res_text']);
    $vrsta_pre = trim($_POST['vrsta_predmeta']);
    $izvrsenje = trim(strtolower($_POST['res']));
    $obrazac = trim($_POST['zaklj']);
    $povjerilac = $_POST['povjerilac'];
    $duznik = $_POST['duznik'];
    $datum= trim($_POST['predmet_zaveden']);
    foreach($povjerilac as $key){
        $lica = $db -> prepare("INSERT INTO p_lica(povjerilac, doc_br, dokument_vlasnik) VALUES('$key', '$dok_broj', '$ses_val')");
    }       

    foreach($duznik as $key1){
        $lica1 = $db -> prepare("INSERT INTO d_lica(duznik,doc_br, dokument_vlasnik) VALUES('$key1', '$dok_broj', '$ses_val')");
    }

    $insert_dok = $db -> prepare("INSERT INTO document_tbl(dokument_vlasnik,dokument_broj,vrsta_dokumenta,zakljucak, resenje_izvrsenja,datum,resenje_text,obrazlozenje,obtext,racunob) VALUES('$ses_val','$dok_broj', '$vrsta_pre','$obrazac','$izvrsenje','$datum','$res_text','$obrazlozenje','$ob_text','$racunob')");
    if($lica -> execute() AND $insert_dok -> execute() AND $lica1 -> execute()){
        $lica -> close();
        $lica1 -> close();
        $insert_dok -> close();
        echo '<script>new Messi(\'Dokument uspjesno dodat.\', {title: \'Obavjestenje\', titleClass: \'success\', buttons: [{id: 0, label: \'Close\', val: \'X\'}]});</script>';
       header('location:login.php');
    }else{
        echo '<script>new Messi(\'Dokument uspjesno dodat.\', {title: \'Obavjestenje\', titleClass: \'anim warning\', buttons: [{id: 0, label: \'Close\', val: \'X\'}]});</script>'; 
    }

}

回答1:

Even though you are using prepared statements, you are currently directly appending user input to your query. Take a look at the documentation of prepared statements. There are a lot of examples and clear explanation as to why and how you should use prepared statements.



标签: php security post mysqli
举报

收藏的人(0)

Ta的文章 更多文章
登录 后发表评论
0条评论
还没有人评论过~