nameI'm是一位长期以来最近决定升级到PHP 5.5并建立基于PDO的新网站的MySQL用户。由于我非常关注通过注入的安全性而没有为我的PDO开发提供mysql_real_escape,我基本上想知道我的代码注入是否安全?
这是我的测试脚本,谢谢!
<?php
try {
$DB = new PDO("mysql:host=localhost;dbname=dbtest", "dbtest", "TbhPXM!Wv9sz");
$DB->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
}
catch(PDOException $e) {
echo "<div style='text-align: center; margin-top: 100px; font-size: 21px; font-weight: bold;'>Damn, your experiencing technical issues with our website. An administrator has been notified and will address the issue shortly.<br /><br />T_T</div>";
file_put_contents('error.txt', $e->getMessage()."\n", FILE_APPEND);
}
if (isset($_POST['RegUser']) && isset($_POST['Username']) && isset($_POST['Password'])) {
try {
$stmt = $DB->prepare("INSERT INTO users (name, pass) VALUES (:name, :pass)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':pass', $pass);
$name = $_POST['Username'];
$options = ['cost' => 12,'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),];
$pass = password_hash($_POST['Password'], PASSWORD_BCRYPT, $options)."\n";
$stmt->execute();
}
catch(PDOException $e) {
echo "Registration Failed, Try another username.";
}
}
if (isset($_POST['Login']) && isset($_POST['Username']) && isset($_POST['Password'])) {
$name = $_POST['Username'];
$STH = $DB->prepare('SELECT name, pass from users where name=:name LIMIT 0,1');
$STH->bindParam(':name', $name);
$STH->execute();
$STH->setFetchMode(PDO::FETCH_ASSOC);
if ($STH->rowCount() == 1) {
while($row = $STH->fetch()) {
$hash = $row['pass'];
if (password_verify($_POST['Password'], $hash)) {
echo 'Password is valid!';
session_start();
$_SESSION['logged'] = true;
$_SESSION['name'] = $row['name'];
$_SESSION['pass'] = $row['pass'];
} else {
echo 'Invalid password.';
}
}
} else {
echo "User Not Found!";
}
}
?>
<form action="index.php" method="post" target="_self" enctype="multipart/form-data">
<input type="text" placeholder="Username" size="40" name="Username" /><br />
<input type="text" placeholder="Password" size="40" name="Password" /><br />
<input type="submit" value="Register" name="RegUser" />
</form><br />
<form action="index.php" method="post" target="_self" enctype="multipart/form-data">
<input type="text" placeholder="Username" size="40" name="Username" /><br />
<input type="text" placeholder="Password" size="40" name="Password" /><br />
<input type="submit" value="Login" name="Login" />
</form>
<?php
if (isset($_SESSION)) {
var_dump($_SESSION);
}
if (isset($_SESSION['logged']) && $_SESSION['logged'] == true) {
echo "Hey ".$_SESSION['name'].", Welcome back!";
}
$DB = null;
答案 0 :(得分:2)
防止SQL注入是安全的(尽管您可以使用bindValue
或execute(array())
缩短代码。
哈希看起来不错。
如果你回复HTML, echo "Hey ".$_SESSION['name'].", Welcome back!";
允许XSS。您应该使用htmlspecialchars($_SESSION['name'])
将文本转换为HTML。