你好我只是想问一下SQL注入目前我在登录页面上工作但我得到一些关于SQL注入的问题我正在测试一个批处理的SQL代码,如下所示,我还没有输入SQL参数,但它似乎并没有在SQL注入上工作。我的验证基于行计数,如果它等于0,它将破坏会话并再次重定向到索引。代码似乎工作正常,但我担心为什么它没有放任何SQL参数来防止SQL注入正常工作。我希望有人可以解释一下,提前谢谢
secured_page.php
<?php
// Start the session
session_start();
// Set session variables
$_SESSION["email"] = $_POST['email'];
$_SESSION["password"] = md5($_POST['password']);
if (isset($_SESSION['email'])){
header('Location: profile.php');
}
else {
header('Location: index.php');
}
?>
profile.php
<?php
// Start the session
session_start();
include('header.php');
include('db_connect.php');
$email = $_SESSION["email"];
$password = $_SESSION["password"];
$sql = "SELECT * FROM user where email = '$email' and password = '$password' LIMIT 1";
$result = $conn->query($sql);
echo $result->num_rows;
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
echo "id: " . $row["id"]. " - Name: " . $row["name"]. " " . $row["email"]. "<br>";
}
} else {
header('Location: unset_session.php');
}
if (!isset($_SESSION['email'])){
header('Location: index.php');
}
?>
<br>
<a href="unset_session.php">Logout</a>
<?php
$conn->close();
include('footer.php');
?>
答案 0 :(得分:1)
这样做是为了防止SQL注入
RewriteEngine on
RewriteRule ^(.*).cms$ index.php?p=$1 [L]
详细了解如何在此处准备语句:http://php.net/manual/en/mysqli.prepare.php