我有一个易受MySQL注入攻击的PHP表单,但我试图利用它来证明它存在,但我不断收到语法错误
我尝试这样做','','','','','');更新注册SET年= 2000 WHERE student_id ='s01'; -
但是我遇到了SQL错误
<html>
<body>
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "test";
// Create connection
$conn = new mysqli($servername,$username,$password,$dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully <br> <br>";
$input1 = $_POST['input1'];
$input2 = $_POST['input2'];
$input3 = $_POST['input3'];
$input4 = $_POST['input4'];
$input5 = $_POST['input5'];
$input6 = $_POST['input6'];
$sql = "INSERT INTO student (student_id,first_name,last_name,DOB,sex,phone) VALUES ('$input1','$input2','$input3','$input4','$input5','$input6')";
if ($conn->multi_query($sql) === TRUE) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?><br><br>
Input 1 <?php echo $_POST["input1"]; ?><br>
Input 2 <?php echo $_POST["input2"]; ?><br>
Input 3 <?php echo $_POST["input3"]; ?><br>
Input 4 <?php echo $_POST["input4"]; ?><br>
Input 5 <?php echo $_POST["input5"]; ?><br>
Input 6 <?php echo $_POST["input6"]; ?>
<p>
<a href="/index.html">Return to the form</a>
</p>
</body>
</html>