```php
<?php
$link = mysqli_connect("localhost", "user", "123456", "database", "3307");
$sql = "SELECT * FROM xxnews WHERE ID = " . $_POST["ID"];
$rs = mysqli_query($link, $sql);
while ($rows = mysqli_fetch_array($rs)) {
    echo "<form action='update.php?uID=" . $rows["ID"] . "' method='post' target='_blank'>";
    echo "<div class='head2'>";
    echo "标题:<input type='text' name='title' value='" . $rows["title"] . "' />";
    echo "</div>";
    echo "<div class='head3'>";
    echo "作者:<input type='text' name='author' value='" . $rows["author"] . "' /> ";
    echo "时间:";
    date_default_timezone_set('PRC');
    echo "<input type='text' name='newsDate' value='" . date('Y-m-d', time()) . "' />";
    echo " 来源:<input type='text' name='source' value='" . $rows["source"] . "' /> <input type='submit' name='tijiao' value='修改新闻' class='tijiao' />";
    echo "</div>";
    echo "<div class='content'>";
    echo "<textarea class='content1' name='content'>";
    echo $rows["content"];
    echo "</textarea>";
    echo "</div>";
    echo "</form>";
}
?>
```
Optimize this code.
Time: 2023-07-19 13:43:40 Views: 112
This code has a SQL injection vulnerability; a parameterized query should be used to avoid it, for example:
```php
// Bind the ID as an integer parameter instead of concatenating it into the SQL string
$stmt = mysqli_prepare($link, "SELECT * FROM xxnews WHERE ID = ?");
mysqli_stmt_bind_param($stmt, "i", $_POST["ID"]);
mysqli_stmt_execute($stmt);
$rs = mysqli_stmt_get_result($stmt);
```
In addition, the repeated HTML can be moved out of the echo calls to avoid duplicated code, for example:
```php
<?php while ($rows = mysqli_fetch_array($rs)) { ?>
<?php // Every database value is escaped before it is echoed into the page; ENT_QUOTES is needed because the attributes are single-quoted ?>
<form action='update.php?uID=<?php echo (int)$rows["ID"] ?>' method='post' target='_blank'>
<div class='head2'>
标题:<input type='text' name='title' value='<?php echo htmlspecialchars($rows["title"], ENT_QUOTES, 'UTF-8') ?>' />
</div>
<div class='head3'>
作者:<input type='text' name='author' value='<?php echo htmlspecialchars($rows["author"], ENT_QUOTES, 'UTF-8') ?>' />
时间: <input type='text' name='newsDate' value='<?php echo date('Y-m-d', time()) ?>' />
来源:<input type='text' name='source' value='<?php echo htmlspecialchars($rows["source"], ENT_QUOTES, 'UTF-8') ?>' />
<input type='submit' name='tijiao' value='修改新闻' class='tijiao' />
</div>
<div class='content'>
<textarea class='content1' name='content'><?php echo htmlspecialchars($rows["content"], ENT_QUOTES, 'UTF-8') ?></textarea>
</div>
</form>
<?php } ?>
```
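As an added example (not part of the answer above), here is the same lookup and form split into functions: one validates and binds the ID, the other escapes every database value before it reaches the HTML. It assumes the `$link` connection and the `xxnews` columns from the question; the function names `fetchNewsById`, `h` and `renderNewsForm` are chosen here.

```php
<?php
// Added example: assumes the mysqli $link and the xxnews table (ID, title, author,
// source, content) from the question; function names are chosen here, not from the page.

// Look up one row by ID. The ID is validated as an integer and bound as a
// parameter, so the request value never becomes part of the SQL text.
function fetchNewsById(mysqli $link, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // reject non-numeric input before touching the database
    }
    $stmt = mysqli_prepare($link, "SELECT ID, title, author, source, content FROM xxnews WHERE ID = ?");
    mysqli_stmt_bind_param($stmt, "i", $id);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $row = $result ? mysqli_fetch_assoc($result) : null;
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

// Escape a value for an HTML attribute or text node. ENT_QUOTES matters because the
// form uses single-quoted attributes, which htmlspecialchars leaves alone by default.
function h($value): string
{
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the edit form for one row; the only unescaped value is the integer-cast ID.
function renderNewsForm(array $row): string
{
    $id = (int)$row["ID"];
    return "<form action='update.php?uID={$id}' method='post' target='_blank'>"
        . "<div class='head2'>标题:<input type='text' name='title' value='" . h($row["title"]) . "' /></div>"
        . "<div class='head3'>作者:<input type='text' name='author' value='" . h($row["author"]) . "' /> "
        . "时间:<input type='text' name='newsDate' value='" . date('Y-m-d') . "' /> "
        . "来源:<input type='text' name='source' value='" . h($row["source"]) . "' /> "
        . "<input type='submit' name='tijiao' value='修改新闻' class='tijiao' /></div>"
        . "<div class='content'><textarea class='content1' name='content'>" . h($row["content"]) . "</textarea></div>"
        . "</form>";
}

date_default_timezone_set('PRC');
$link = mysqli_connect("localhost", "user", "123456", "database", 3307);
$row = fetchNewsById($link, $_POST["ID"] ?? '');
echo $row ? renderNewsForm($row) : "<p>News item not found.</p>";
```

With this split, the query text is fixed at compile time and a value such as `1 OR 1=1` is rejected by `filter_var` before the database is ever contacted.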