Updated: 2023-02-26 09:53:50
You have an SQL injection. Always apply mysql_real_escape_string() to any user-submitted or otherwise potentially tampered-with data before sending it to a MySQL database.

Note the ' quotes around the email variable: escaping only protects you when the escaped value is embedded as a quoted string literal, so the quotes and the escaping go together.
// Escape the raw POST value for use inside a single-quoted SQL string.
// mysql_real_escape_string() needs an open connection from mysql_connect()
// (it uses the connection's character set); the mysql_* extension was
// removed in PHP 7.0, where mysqli or PDO must be used instead.
$email = mysql_real_escape_string($_POST['email']);

// The escaped value is wrapped in ' ' so it is parsed as one string literal.
$query = "
SELECT name, smacker, surname, sex, age, nationality, email
FROM employee
WHERE email = '$email'
";
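The same employee lookup as an added, runnable example (not code from the original answer): it places the answer's escape-then-quote approach beside a parameterised query, which is the current recommended fix. It uses an in-memory SQLite database through PDO so it runs offline without a MySQL server; the table, the sample rows and the input containing a single quote are constructed here for illustration, and PDO::quote() stands in for mysql_real_escape_string() plus the surrounding quotes.

```php
<?php
// Added example: escaping vs. prepared statements for the employee lookup.
// SQLite in-memory database via PDO, so this runs offline (assumption: the
// pdo_sqlite extension is available, as it is in most PHP builds).

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema mirroring the columns used in the answer.
    $db->exec("CREATE TABLE employee (
        name TEXT, smacker TEXT, surname TEXT, sex TEXT,
        age INTEGER, nationality TEXT, email TEXT)");
    $ins = $db->prepare("INSERT INTO employee VALUES (?, ?, ?, ?, ?, ?, ?)");
    // Constructed rows; one email deliberately contains a single quote.
    $ins->execute(['Ann', '-', "O'Brien", 'F', 34, 'IE', "ann.o'brien@example.com"]);
    $ins->execute(['Bob', '-', 'Smith', 'M', 41, 'UK', 'bob@example.com']);
    return $db;
}

// Approach from the answer: escape the value, then embed it as a quoted
// literal. PDO::quote() escapes and adds the ' ' in one step, producing
// e.g. 'ann.o''brien@example.com' for SQLite.
function findByEmailEscaped(PDO $db, string $email): array {
    $literal = $db->quote($email);
    $sql = "SELECT name, surname, email FROM employee WHERE email = $literal";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Preferred approach: a parameterised query. The value is bound separately
// from the SQL text, so it can never change the query's structure and no
// escaping or quoting is required.
function findByEmailPrepared(PDO $db, string $email): array {
    $stmt = $db->prepare(
        "SELECT name, surname, email FROM employee WHERE email = :email");
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDb();
// Constructed input containing the character the answer's ' ' quoting hinges on.
$input = "ann.o'brien@example.com";

print_r(findByEmailEscaped($db, $input));   // one row: Ann O'Brien
print_r(findByEmailPrepared($db, $input));  // the same single row
```

Both functions return the same row for the quoted-input case, which is the point of the answer's note about the quotes: the escaped variant is only correct because the value sits inside ' '. The prepared variant does not depend on that detail at all, which is why it is the safer default in mysqli or PDO code.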