需要帮助以使logged.php安全

时间:2018-06-02 12:52:15

标签: php mysql mysqli

我知道我必须使用PDO但我现在无法更新它,因为旧版本中有大量的PHP文件。如何使我的代码安全并保护它免受SQL注入?

 $myusername=$_POST['myusername']; 
 $mypassword=$_POST['mypassword']; 

 $sql="SELECT * FROM user WHERE username='$myusername' AND password='$mypassword'";
 $result=mysql_query($sql);
 $count=mysql_num_rows($result);

 if($count==1)
 {
      $_SESSION["myusername"]=$myusername;

      echo"<script type='text/javascript'>
      window.location.href='dashboard.php';
      </script>";
 }
 else
 {
      $sql="SELECT * FROM user WHERE email='$myusername' AND password='$mypassword'";
      $result=mysql_query($sql);
      $count=mysql_num_rows($result);

      if($count==1)
      {
           $sql="SELECT username FROM user WHERE email='$myusername'";
           $result=mysql_query($sql);
           $myusername=mysql_result($result,0);

           $_SESSION["myusername"]=$myusername;

           echo"<script type='text/javascript'>
           window.location.href='dashboard.php';
           </script>";
      }
      else
      {
           echo"<script type='text/javascript'>
           alert('The username or password you entered is incorrect');
           window.location.href='login.php';
           </script>";
      }
 }

3 个答案:

答案 0 :(得分:1)

这是一个非常广泛的问题,但无论如何我都会尽力帮助你。

一般信息

mysql_函数已被弃用并已完全从PHP7中删除,因此请勿使用它们。

您的代码不受SQL注入保护,使用prepared statements和函数bind_param()绑定查询参数。

我用准备好的语句和错误处理重写了你的代码。我会在下面发布结果,因为它非常大。

您不会散列密码并将其作为纯文本存储在数据库中。这是一个重大的安全风险!

创建一个哈希密码的函数。

function hashPassword($passwordToHash) {
    return password_hash($passwordToHash, PASSWORD_DEFAULT);
}

这是一个验证它们的功能。

function verifyPassword($passwordToVerify, $hash) {
    if(password_verify($passwordToVerify, $hash)) {
        return true;
    } else {
        return false;
    }
}

表单验证

您不进行任何表单验证,这意味着人们只需使用用户名; DROP TABLE user进行注册即可删除您的用户表。

通过编写基本功能来检查输入是否包含特殊字符,您可以阻止它。

function isAlphaNumeric($stringToValidate) {
    if(ctype_alnum($stringToValidate)) {
      return true;
    } else {
      return false;
    }
}

然后,您可以验证$_POST输入。

if(!isAlphaNumeric($_POST['myusername']) || !isAlphaNumeric($_POST['mypassword'])) {
    $error = [
        'error' => 'Special characters are not allowed.',
        'class' => 'your class for error handling',
    ];
}

这是用准备好的语句和错误处理重写的代码。

$name = "root";
$pass = "";
$db = "yourDB";
$host = "localhost";

$connect = mysqli_connect($host, $name, $pass, $db);

if (mysqli_connect_errno()) {
  echo "Could not connect to database. Error: " . mysqli_connect_error();
}

$stmt = $connect->prepare('SELECT * FROM `user` WHERE username = ? AND password = ?');

if(!$stmt) {
  $error = [
    'error' => 'Something went wrong, please contact the administrator',
    'class' => 'your class for error handling'
  ];
}

$username = $_POST['myusername'];
$password = $_POST['mypassword'];

if(!$stmt->bind_param('ss', $username, $password)) {
  $error = [
    'error' => 'Something went wrong, please contact the administrator',
    'class' => 'your class for error handling'
  ];
}

if(!$stmt->execute()) {
  $error = [
    'error' => 'Something went wrong, please contact the administrator',
    'class' => 'your class for error handling'
  ];
} else {
  $stmt->get_result();
  $rows = $stmt->num_rows();

  if($rows > 0) {
    $_SESSION['myusername'] = $username;
    header('Location: dashboard.php');
  } else {
    $stmt = $connect->prepare('SELECT * FROM `user` WHERE email = ? AND password = ?');

    if(!$stmt) {
      $error = [
        'error' => 'Something went wrong, please contact the administrator',
        'class' => 'your class for error handling'
      ];
    }

    if(!$stmt->bind_param('ss', $username, $password)) {
      $error = [
        'error' => 'Something went wrong, please contact the administrator',
        'class' => 'your class for error handling'
      ];
    }

    if(!$stmt->execute()) {
      $error = [
        'error' => 'Something went wrong, please contact the administrator',
        'class' => 'your class for error handling'
      ];
    } else {
      $stmt->get_result();
      $rows = $stmt->num_rows();

      if($rows > 0) {
        $_SESSION['myusername'] = $username;
        header('Location: dashboard.php');
      } else {
        $error = [
          'error' => 'The username or password you entered is incorrect.',
          'class' => 'your class for error handling'
        ];
      }
    }
  }
}

答案 1 :(得分:-1)

安全是一个大词,....正如你自己建议的那样,你实际上不应该使用这些方法,而是升级到某些地方,不管怎样这些功能都被弃用了。

但是现在......这有帮助

$sql=sprint("SELECT username FROM user WHERE email='%s'", mysql_real_escape_string($myusername));

http://php.net/manual/en/function.mysql-real-escape-string.php

http://php.net/manual/en/function.sprintf.php

在任何地方都这样做,你使用在查询中使用的变量/输入数据。

答案 2 :(得分:-1)

使用可以使用

 $myusername=mysql_real_escape_string(htmlspecialchars($_POST['myusername'])); 
 $mypassword=mysql_real_escape_string(htmlspecialchars($_POST['mypassword']));

代替

 $myusername=$_POST['myusername']; 
 $mypassword=$_POST['mypassword'];

添加此小查询后,管理员页面无法绕过。该页面将给您一条错误消息。 但是,请尝试将您的整个代码更新为最新版本

相关问题
最新问题