Storing a key in a session variable

Time: 2014-02-13 11:19:37

Tags: php session

Hi everyone, I came across some code that confuses me... the code is

<?php
define('DB_HOST', 'localhost');
define('DB_NAME', 'online');
define('DB_USER','root');
define('DB_PASSWORD','');

$con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error());
$db=mysql_select_db(DB_NAME,$con) or die("Failed to connect to MySQL: " . mysql_error());

$email = $_POST['email'];
$password = $_POST['password'];

function SignIn()
{
    session_start();   //starting the session for user profile page
    if(!empty($_POST['email']) && $_POST['password'])   //checking the 'user' name which is from Sign-In.html, is it empty or have some text
    {
        $query = mysql_query("SELECT *  FROM users where email = '$_POST[email]' AND password = '$_POST[password]'") or die(mysql_error());
        $row = mysql_fetch_array($query) or die(mysql_error());
        if(!empty($row['email']) AND !empty($row['password']))
        {
            $_SESSION['email'] = $row['password'];
            echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";
            header('Location: basicinfo.html');
        }
    }
    else
    {
        header('Location: form.html');
    }
}
if(isset($_POST['Login']))
{
    SignIn();
}

if(isset($_POST['createAccount']))
{
    header('Location:create.html');
}
?>

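Seeing the code $_SESSION['email'] = $row['password']; here confuses me. I know that $row['password'] is stored into $_SESSION['email'].. and in $row['password'] I know that password is the key..

My question is: what is the corresponding value of the key "password" in $row['password'].. is it the value fetched from the query? .. I'm frustrated.

Please help me.. any help would be appreciated.. thanks

2 answers: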

Answer 0: (score: 2)

$row['password'] will contain the password returned from the database by the query.

Also, your code is wide open to SQL injection.

Answer 1: (score: 0)

$_SESSION['email']$row['password'] will contain the result of the query with the key password
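
As an added example (not code from the question or from either answer), here is a hardened form of the sign-in check that closes the SQL injection noted in the first answer and puts a user id in the session instead of the password column. It assumes PHP 7.1+ with the PDO SQLite driver; the table layout, sample account and function names are constructed for illustration.

```php
<?php
// Added example: hardened counterpart of SignIn(). The table layout, sample
// user and in-memory SQLite database are constructed for illustration.
declare(strict_types=1);

function makeDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
    // Store only a salted hash, never the plaintext password.
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    $stmt->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns the user's id on success, null on any failure.
function signIn(PDO $pdo, string $email, string $password): ?int
{
    // Placeholders keep user input out of the SQL text, so quotes in the
    // input are compared as data instead of being parsed as SQL.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

function startUserSession(int $userId): void
{
    session_start();
    session_regenerate_id(true);     // new session id after login (anti-fixation)
    $_SESSION['user_id'] = $userId;  // an identifier, not the password or its hash
}

$pdo = makeDemoDb();
$attempts = [
    ['alice@example.com', 'correct horse'],  // valid credentials
    ['alice@example.com', "' OR '1'='1"],    // input containing SQL metacharacters
];
foreach ($attempts as [$email, $password]) {
    $userId = signIn($pdo, $email, $password);
    if ($userId !== null && PHP_SAPI !== 'cli') {
        startUserSession($userId);           // only when served over HTTP
    }
    printf("%-20s %-16s => %s\n", $email, $password, $userId === null ? 'rejected' : "user id $userId");
}
```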