我正在使用一个简单的cms作为我的网站的后端,我可以更新新闻等.我希望从sql注入中安全,所以我想知道这段代码是否被认为是安全的,或者我是否可以做些什么来使它更安全：

if($_POST) {
    if(isset($_POST['title']) and (isset($_POST['content']) and     ($_POST['added']))) {
        $title = "'".MysqL_real_escape_string($_POST['title'])."'";
        $content = "'".MysqL_real_escape_string($_POST['content'])."'";
        $added = "'".MysqL_real_escape_string($_POST['added'])."'";

        if(isset($_POST['id']) && $_POST['id']!=''){
            $result = MysqL_query("UPDATE news SET title = ".$title.",     added =".$added.", content = ".$content."  WHERE id = ".$_POST['id']);
            $msg = "News Updated Successfully";
        }else{
            $result = MysqL_query("INSERT INTO news (title, content, added) values($title, $content, $added)") or die("err0r");
            $msg = "News Added Successfully";
        }
    }

谢谢,祝你有个美好的一天！

解决方法:

你没有消毒$_POST [‘id’].

如果ID不是整数(假设ID是int字段),则对其执行intval()或(更好)拒绝处理.

if (!is_numeric($_POST['id'])
 die ("Invalid ID");