因此,经过6年的学习编写PHP代码,我终于完成了我的网站编写(Not Online Yet),我读了一篇关于MYSQL_ *函数被折旧并出现安全问题的文章,所以我决定学习如何使用它重新编写它MYSQLi_ *函数。
虽然我已经使用mysqli_函数重新编写代码并且正在按原样运行(Login& Sessions)但我不确定这是否对那些令人讨厌的SQL注入脚本是安全的。 (我认为将$ _POST的值绑定到预准备语句中足以阻止SQL注入?)
我真的很感激任何建议......
亲切的问候。
include / mysqli_connection.php(连接脚本)
<?php
// Connection Details
$MySQLi_Server = 'localhost';
$MySQLi_Username = '#####';
$MySQLi_Password = '#####';
$MySQLi_Database = '#####';
// Connect To Server
$MySQLi_Connection = new PDO("mysql:host=$MySQLi_Server;dbname=$MySQLi_Database", $MySQLi_Username, $MySQLi_Password);
// Tables
$MySQLi_Users_Table = 'users';
?>
include / global.php(包含在每个用户受限制的网页上)
<?php
// Session (Start)
session_start();
// Check (Logged In)
if(!isset($_SESSION['authenticated'])){
// Session (Destroy)
session_destroy();
// Redirect (Failed)
die(header('Location: ../login.php'));
}
// Session (Regenerate ID)
session_regenerate_id(TRUE);
// Include MySQLi Connection
include_once('mysqli_connection.php');
?>
login_process.php(登录表单提交到此脚本)
<?php
// Session (Start)
session_start();
// Session (Destroy)
session_destroy();
// Check Form Elements (Exists)
if((!isset($_POST['username'])) || !isset($_POST['password'])){
die('Ooops, Please Enter Your Username & Password!');
}
// Form Elements (Variables)
$Username = trim($_POST['username']);
$Password = trim(md5($_POST['password']));
// Include MySQLi Connection
include_once('include/mysqli_connection.php');
// Login (Query)
$LoginUser = $MySQLi_Connection->prepare("SELECT * FROM $MySQLi_Users_Table WHERE username=:username AND password=:password");
$LoginUser->bindParam(':username', $Username);
$LoginUser->bindParam(':password', $Password);
$LoginUser->execute();
$LoginUserResult = $LoginUser->fetch(PDO::FETCH_NUM);
if($LoginUserResult < 1){
// Redirect (Failed)
die(header('Location: index.php'));
} else {
// Session (Start)
session_start();
// Session (Data)
$_SESSION['authenticated'] = 'Y';
$_SESSION['username'] = $Username;
// Redirect (Successful)
die(header('Location: members_area/dashboard.php'));
}
?>
members_area / dashboard.php
<?php
// Include Global Settings
include('../include/global.php');
// Display Message (Logged In)
echo 'Username : ('.$_SESSION['username'].')';
?>
答案 0 :(得分:-1)
使用MySQLi扩展程序:
$db_user='user';
$db_pass='pass';
$db_server='localhost';
$db_database='database';
$mysqli = new mysqli($db_server, $db_user, $db_pass, $db_database);
if ($mysqli->connect_error){
die('Connect Error (' . $mysqli->connect_errno . ') ' . $mysqli->connect_error);
}
// Login (Query)
$stmt = $mysqli->prepare("SELECT count(*) FROM $MySQLi_Users_Table WHERE username=? AND password=?");
$stmt->bindParam('ss', $Username, $Password);
$stmt->bindResult($count);
$stmt->execute();
$stmt->fetch();
$stmt->close();
if ($count > 0 ) {... user exists - can login him...