我被告知这段代码是旧的连接方式,并且容易受到sql注入的影响。我怎样才能保证安全?
这是我用来检查用户数据库的代码,如果他们没有帐户,则添加新用户。我试过mysqli,但我不认为我做对了,所以我现在必须回到这个,直到我知道如何使它安全。
<?php
// Connect to the database(host, username, password)
$con = mysql_connect('localhost','user1','pass1');
if (!$con)
{
echo "Failed to make connection.";
exit;
}
// Select the database. Enter the name of your database (not the same as the table name)
$db = mysql_select_db('db1');
if (!$db)
{
echo "Failed to select db.";
exit;
}
// $_POST['username'] and $_POST['password'] are the param names we sent in our click event in login.js
$username = $_POST['username'];
$password = $_POST['password'];
// Select eveything from the users table where username field == the username we posted and password field == the password we posted
$sql = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'";
$query = mysql_query($sql);
// If we find a match, create an array of data, json_encode it and echo it out
if (mysql_num_rows($query) > 0)
{
$row = mysql_fetch_array($query);
$response = array(
'logged' => true,
'name' => $row['name'],
'email' => $row['email']
);
echo json_encode($response);
}
else
{
// Else the username and/or password was invalid! Create an array, json_encode it and echo it out
$response = array(
'logged' => false,
'message' => 'Invalid Username and/or Password'
);
echo json_encode($response);
}
?>
答案 0 :(得分:1)
来自用户的任何数据都应该通过mysql_real_escape_string()传递。有关使用该功能的更多信息,请参阅下面的URL。这非常重要。
http://php.net/manual/en/function.mysql-real-escape-string.php
以下是有关使用PHP进行SQL注入的更多信息:
http://php.net/manual/en/security.database.sql-injection.php
MySQLi信息(除了mysql_real_escape_string之外的另一种技术):
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
编辑:好的,我承认,我有点老了。 MySQLi肯定似乎是要走的路。我对PHP3和PHP4开发更熟悉。如果可以,请使用最后一个链接重新实现数据访问代码。