这足以阻止sql注入吗? (PDO)

时间:2013-04-09 19:24:31

标签: php sql login pdo code-injection

显然经典的sql注入:('或'1'='1' - ')在这次登录时不起作用,但它足够安全,如果不是这样,你会建议什么。

的index.php:

<?php

include_once 'includes/connection.php';

if (isset($_POST['login'])){
$username = $_POST['usernameInput'];
$password = md5($_POST['passwordInput']);
$query = $pdo->prepare("SELECT * FROM users WHERE u_n = ? AND u_p = ? ");
$query->bindValue(1, $username);
$query->bindValue(2, $password);
$query->execute();
$rows = $query->rowCount();

if ($rows == 1){
    echo "welcome back";
} else {
    echo "incorrect username or passwrod";
}
}

?>

<html>
<center>
    Login :
    <form action="index.php" method="post">
        <input type="text" name="usernameInput" placeholder="Username" autocomplete="off" />
        <input type="password" name="passwordInput" placeholder="Password" autocomplete="off" />
        <input type="submit" name="login" value="Login" />
    </form>
</center>
</html>

connection.php:

<?php
try {
$pdo = new PDO('mysql:host=localhost;dbname=justLove', 'root', 'root');
} catch (PDOException $e) {
exit('cannot connect to database.');
}   
?>

等待你的回答:)

0 个答案:

没有答案
相关问题
最新问题