我是PHP的新手。我听过很多(并读过)SQL注入攻击。 我已经习惯了以下编写PHP代码的方法。有人能告诉我这是否容易发生SQL攻击。另外,我可以用什么方式改进此代码以防止SQL攻击?
<?php
if($_POST['submit']){
$email = protect($_POST['email']);
$password = protect($_POST['password']);
$md5password=MD5($password);
if(!$email || !$password){
echo '<span style="color: red;" /><center>You need to fill in your <b>User Name</b> and <b>Password</b>!</center></span>';
}else{
$res = mysql_query("SELECT * FROM `employer` WHERE `email` = '".$email."'");
$num = mysql_num_rows($res);
if($num == 0){
echo '<span style="color: red;" /><center>The <b>E Mail ID</b> you supplied does not exist!</center></span>';
}else{
$res = mysql_query("SELECT * FROM `employer` WHERE `email` = '".$email."' AND `password` = '".$md5password."'");
$num = mysql_num_rows($res);
if($num == 0){
echo '<span style="color: red;" /><center>The <b>Password</b> you supplied does not match the one for that E Mail ID!</center></span>';}else{
$row = mysql_fetch_assoc($res);
$_SESSION['uid'] = $row['id'];
echo "<center>You have successfully logged in!</center>";
$time = date('U')+50;
mysql_query("UPDATE `employer` SET `online` = '".$time."' WHERE `id` = '".$_SESSION['uid']."'");
mysql_query("UPDATE employer (date) VALUES (NOW())");
header('Location: loggedin_employer.php');
}
}
}
}
?>
答案 0 :(得分:4)
您应该停止使用mysql_*个功能。他们被弃用了。而是使用PDO(从PHP 5.1开始支持)或mysqli(从PHP 4.1开始支持)。如果您不确定使用哪一个,read this article。
另外,请阅读此交流:How can I prevent SQL injection in PHP?