Sql-injection-safe-php
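<?php
declare(strict_types=1);

// Demo page: look up a user by the submitted name and print the matching rows.
// Connection settings for the demo database. In a real deployment these belong
// in configuration outside the web root, not in the page source.
define('DB_SERVER', '127.0.0.1');
define('DB_USERNAME', 'xinux');
define('DB_PASSWORD', 'suxer');
define('DB_NAME', 'sql_injections');

/** @var list<array<int, mixed>> $rows  result rows rendered by the table below */
$rows = [];

if (isset($_POST['submit'])) {
    $link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
    // Check the handle BEFORE using it: the original called mysqli_set_charset()
    // first, which is a TypeError on PHP 8 when the connection failed ($link === false).
    if ($link === false) {
        die('ERROR: Could not connect. ' . mysqli_connect_error());
    }
    mysqli_set_charset($link, 'utf8');

    // Safe query: the search term is sent as a bound parameter, so it is never
    // part of the SQL text and cannot alter the statement. A single-statement
    // API is used deliberately; mysqli_multi_query() would execute stacked
    // statements if a value ever reached the SQL text unescaped.
    $search = (string) ($_POST['search'] ?? '');
    $stmt = mysqli_prepare($link, 'SELECT * FROM users WHERE username = ?');
    if ($stmt === false) {
        die('ERROR: Could not prepare statement. ' . mysqli_error($link));
    }
    mysqli_stmt_bind_param($stmt, 's', $search);
    if (!mysqli_stmt_execute($stmt)) {
        die('ERROR: Query failed. ' . mysqli_stmt_error($stmt));
    }

    // Database search: collect the rows here so the HTML below needs no DB
    // handle. The original fetched from $link on every request, which on a
    // plain GET (no POST, no connection) left $link undefined.
    // mysqli_stmt_get_result() needs the mysqlnd driver (default since PHP 5.4).
    $result = mysqli_stmt_get_result($stmt);
    if ($result !== false) {
        while ($row = mysqli_fetch_row($result)) {
            $rows[] = $row;
        }
        mysqli_free_result($result);
    }
    mysqli_stmt_close($stmt);
    mysqli_close($link);
}

// Escape a cell for the HTML context: the stored values originate from user
// input, so printing them raw would turn a stored payload into script on this page.
// Prepared statements hand back native types (ints for INT columns), hence the cast.
$cell = static fn (int|float|string|null $value): string => htmlspecialchars(
    (string) ($value ?? ''),
    ENT_QUOTES | ENT_SUBSTITUTE,
    'UTF-8',
);
?>
<!DOCTYPE html>
<html>
<body>
<h2>SQL Injection</h2>
<form method="post">
    <label for="search">Suche</label><br>
    <input type="text" id="search" name="search"><br>
    <input type="submit" name="submit" value="Suche">
</form>
<br>
<table border="1">
    <tr>
        <td>ID</td>
        <td>Name</td>
        <td>Passwort</td>
    </tr>
<?php foreach ($rows as $row): ?>
    <tr>
        <td><?= $cell($row[0] ?? null) ?></td>
        <td><?= $cell($row[1] ?? null) ?></td>
        <td><?= $cell($row[2] ?? null) ?></td>
    </tr>
<?php endforeach; ?>
</table>
</body>
</html>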