php& MySQL的。在Youtube上关注了一个教程,但在搞砸了一下后,我设法绕过并使用admin'#作为用户名和空白密码访问我的网站。 See here.
我的代码(PHP):
<?php
$username = "***";
$password = "****";
$hostname = "mysql1.000webhost.com";
$database = "***_login";
$dbhandle = mysql_connect($hostname, $username, $password );
$selected = mysql_select_db("a7653250_login", $dbhandle)
or die("Could not connect to database");
$myusername = $_POST['user'];
$mypassword = $_POST['pass'];
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$query = "SELECT * FROM Users WHERE Username='$myusername' and Password='$mypassword'";
$result = mysql_query ($query) or die(mysql_error());
$count = mysql_num_rows($result);
if($count==1){
$seconds = 186400 + time();
setcookie(loggedin, date("F jS - g:i a"), $seconds);
header("location:index.php");}
else{
header("location:loginfailed.php");
}
mysql_close()
?>
我读过有关使用某种参数但我不知道在何处或如何使用它们。
非常感谢
答案 0 :(得分:2)
您应该使用PHP PDO库http://php.net/manual/en/book.pdo.php或至少MySQLi http://php.net/manual/en/book.mysqli.php
mysql_函数系列本身已被弃用且不安全
在这里,您可以阅读有关MySQLi预处理语句和参数绑定http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
的信息