更新时间:2023-12-04 14:06:23
$sql = ("DELETE FROM `product` WHERE `product`.`productId`= $productId");
mysqli_query($con,$sql);
到
$sql = "DELETE FROM `product` WHERE `product`.`productId`= $productId";
mysqli_query($con,$sql) OR DIE(mysqli_error($con)); //useful for debugging
警告!!此代码容易受到SQL注入的攻击. 通过清除所有用户输入来修复SQL注入.
warning! this code is vulnerable to SQL injection. fix sql injection by sanitizing all user input.
$productId = mysql_real_escape_string($_GET['productId']); // use mysql_real_escape_string on $_GET
$con = mysqli_connect("BLAH","BLAH","BLAH","BLAH") or die('Server connection not possible.');
$sql = "DELETE FROM `product` WHERE `product`.`productId`= '$productId'"; //add single quotes around variable $productid to seperate string from query
mysqli_query($con, $sql);