SQLインジェクションを防ぐためにこのクエリを作成します。しかし、このコードは機能していません。誰かが私がこれでどこが間違っているのか教えてもらえますか?また、このコードがSQLインジェクション攻撃を防ぐかどうかも知る必要がありますか?
// Make sure the email address and username are available:
$q = "SELECT *
FROM
(
SELECT userName, NULL AS email FROM Login
UNION
SELECT NULL AS username, email FROM contact
) s
WHERE username = ? OR email = ?";
$stmt = mysqli_prepare($dbc, $q);
mysqli_stmt_bind_param($stmt, 'ss', $username, $email);
// Execute the query:
mysqli_stmt_execute($stmt);
// Get the number of rows returned:
$rows = mysqli_stmt_num_rows($stmt);
if ($rows == 0) { // No problems! Going to next page
}
更新1:このスタイルで動作する上記のコード
// Make sure the email address and username are available:
$q = "SELECT *
FROM
(
SELECT userName, NULL AS email FROM Login
UNION
SELECT NULL AS username, email FROM contact
) s
WHERE username = '$username' OR email = '$email'";
$r = mysqli_query ($dbc, $q);
// Get the number of rows returned:
$rows = mysqli_num_rows($r);
if ($rows == 0) { // No problems! Going to next page
}
更新2:私のユーザー名とメールアドレスは次のようになります
// Check for a username:
if (preg_match ('/^[A-Z \'.-]{2,20}$/i', $_POST['username'])) {
$username = mysqli_real_escape_string ($dbc, $_POST['username']);
} else {
$reg_errors['username'] = 'You have not entered your username!';
}
// Check for an email address:
if (!empty( $_POST['email'])) {
if (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
$email = mysqli_real_escape_string ($dbc, $_POST['email']);
} else {
$reg_errors['email'] = 'You are NOT entered a valid email address!';
}
} else {
$reg_errors['email'] = 'Your email address field can not be empty!';
}