Learning SQL injection

Time: 2014-12-18 21:21:35

Tags: sql-injection exploit

I am currently learning SQL injection, and I tried

test ="'); DROP TABLE users; '";

It gave the error message

mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\Program Files (x86)\EasyPHP-DevServer-14.1VC9\data\localweb\my portable files\sqlinjection\login.php on line 18

Login code

<?php
session_start();

$username = $_POST['username'];
$password = $_POST['password'];
$errors = array();

if ($username && $password)
{
    // Connect to the local MySQL server and select the "login" database
    $connect = mysql_connect("localhost", "root", "") or die("Could not connect");
    mysql_select_db("login") or die("Could not find database");

    // User input is concatenated directly into the SQL string
    $query = mysql_query("SELECT * FROM users WHERE username ='$username'");

    $numrows = mysql_num_rows($query);
    if ($numrows != 0)
    {
        while ($row = mysql_fetch_assoc($query))
        {
            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }

        if ($username == $dbusername && $password == $dbpassword)
        {
            // Store the session value, then redirect to the members page
            $_SESSION['username'] = $dbusername;
            header('Location: member.php');
        }
        else
            echo "Incorrect password";
    }
    else
        die("That user doesn't exist");
}
else
    die("Please enter a username and a password");
?>

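Where did I go wrong, or is this the expected result? I checked my database and the table is still there, so I guess something went wrong. Updated to show the login code.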

1 answer:

Answer 0: (score: 2)

If your query is:

"SELECT * FROM users WHERE username ='$username'"

then your username variable should be:

$username = "foo'; DROP TABLE users;";

In that case, your final query becomes:

"SELECT * FROM users WHERE username ='foo'; DROP TABLE users;"

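To prevent this kind of injection, you should use parameters, or at least use a server function to strip all special characters from your variable before including it in your query (see: How can I prevent SQL-injection in PHP?)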
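
The answer's advice to use parameters, applied to the login query from the question, as an added example that is not part of the original question or answer. It assumes PDO with an in-memory SQLite database standing in for the MySQL `login` database, hypothetical `check_login()` and `user_count()` helpers, a constructed `alice` row, and `password_hash()` in place of the plain-text password column.

```php
<?php
// Added example: SQLite in memory stands in for the page's MySQL "login" database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample row; a password hash replaces the plain-text column.
$insert = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hypothetical helper: true only when the user exists and the password matches.
function check_login(PDO $pdo, string $username, string $password): bool
{
    // The placeholder keeps the SQL text fixed; $username is bound as a value
    // and is never parsed as part of the statement.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();   // false when no row matches
    return $hash !== false && password_verify($password, $hash);
}

// Hypothetical helper: row count, used to show the table is untouched.
function user_count(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

// The two strings from the page plus a valid user, passed as ordinary input.
$inputs = [
    "'); DROP TABLE users; '",
    "foo'; DROP TABLE users;",
    'alice',
];
foreach ($inputs as $name) {
    $ok = check_login($pdo, $name, 'correct horse');
    printf("%-28s login=%s users=%d\n", $name, $ok ? 'yes' : 'no', user_count($pdo));
}
```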