How can I prevent SQL injection in PHP?
                                
                                    （28个答案）
                                
                        
                                上个月关闭。
            
                    
我现在正在为我的大学课程创建一个论坛网站，并试图将主题插入子类别。按提交后，它一直将我带到空白页。 url为空白页面的http://localhost:8000/addnewtopic.php?cid=1&scid=1，它也不会最终将数据导入到我的数据库中

 <?php
            if (isset($_SESSION['username']))
            {
                echo "<form action='/addnewtopic.php?cid=".$_GET['cid']."&scid=".$_GET['scid']."' method='POST'>
                <p>Title: </p>
                <input type='text' id='topic' name='topic' size='100' />
                <p>Content: </p>
                <textarea id='content' name='content'></textarea><br />
                <input type='submit' value='add new post' /><form>";
            }
            else
            {
                echo "<p>Please login first or <a href='register.html'>click here</a> to register.</p>";
            }
        ?>

<?php
    session_start();
    include('db_connection.php');

    $topic = addslashes($_POST['topic']);
    $content = nl2br(addslashes($_POST['content']));
    $cid = $_GET['cid'];
    $scid = $_GET['scid'];

    $insert = mysqli_query($conn, "INSERT INTO topics (category_id, subcategory_id, author, title, content, date_posted)
								          VALUES ('".$cid."', '".$scid."', '".$_SESSION['username']."', '".$topic."', '".$content."', NOW());");

    if ($insert)
    {
        header("Location: topics.php?cid=".$cid."&scid=".$scid."");
    }
?>

我发现了问题。这是我的SQL语句