How do I edit my "mySQL" code so that it avoids SQL injection attacks?

Posted: 2018-11-27 17:59:28

Tags: php html mysql session sql-injection

Can someone help me edit my code so that it avoids "SQL injection attacks"? Someone told me my code is open to SQL injection attacks, but I don't know how to edit it. Could you do me a favour? Thanks a lot.

I have seen other similar questions (which you will say are duplicates), but since I am new to mysql I hope one of you will be kind enough to help me rewrite the code. Thanks a lot.

This is my registration code:

<?php
// Include config file
require_once "config.php";

// Start the session so that $_SESSION can be written below
session_start();

//the form has been submitted with post
if ($_SERVER["REQUEST_METHOD"] == "POST") {

    //define other variables with submitted values from $_POST
    $username = $mysqli->real_escape_string($_POST['username']);
    $fullname = $mysqli->real_escape_string($_POST['fullname']);
    $jobtitle = $mysqli->real_escape_string($_POST['jobtitle']);

    $password = password_hash($_POST['password'], PASSWORD_BCRYPT);

    //path where our avatar image will be stored
    $avatar_path = $mysqli->real_escape_string('images/avatars/'.$_FILES['avatar']['name']);

    //make sure the file type is image (this only checks the client-supplied MIME type)
    if (preg_match("!image!",$_FILES['avatar']['type'])) {

        //copy image to images/ folder
        if (copy($_FILES['avatar']['tmp_name'], $avatar_path)){

            //set session variables to display on welcome page
            $_SESSION['username'] = $username;
            $_SESSION['avatar'] = $avatar_path;
            $_SESSION['jobtitle'] = $jobtitle;

            //insert user data into database (values are interpolated into the SQL string)
            $sql =
            "INSERT INTO users (username, password, fullname, avatar, jobtitle) "
            . "VALUES ('$username', '$password', '$fullname', '$avatar_path', '$jobtitle')";

            //check if mysql query is successful
            if ($mysqli->query($sql) === true){
                $_SESSION['message'] = "Registration successful! "
                . "Added $username to the database!";
                //redirect the user to index.php and stop executing the script
                header("location: index.php");
                exit;
            }
            else {
                $_SESSION['message'] = 'User could not be added to the database!';
            }
            $mysqli->close();
        }
        else {
            $_SESSION['message'] = 'File upload failed!';
        }
    }
    else {
        $_SESSION['message'] = 'Please only upload GIF, JPG or PNG images!';
    }
}
?>

This is my "config" code:

<?php
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '');
define('DB_NAME', 'employees');

/* Attempt to connect to MySQL database */
$mysqli = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection (new mysqli never returns false; inspect connect_error instead)
if($mysqli->connect_error){
    die("ERROR: Could not connect. " . $mysqli->connect_error);
}
?>

This is the code in the login page:

<?php
// Initialize the session
session_start();

// Check if the user is already logged in, if yes then redirect him to welcome page
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
    header("location: dash.php");
    exit;
}

// Include config file
require_once "config.php";

// Define variables and initialize with empty values
$username = $password = "";
$username_err = $password_err = "";

// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){

    // Check if username is empty
    if(empty(trim($_POST["username"]))){
        $username_err = "Внесете Корисничко Име";
    } else{
        $username = trim($_POST["username"]);
    }

    // Check if password is empty
    if(empty(trim($_POST["password"]))){
        $password_err = "Внесете Лозинка";
    } else{
        $password = trim($_POST["password"]);
    }

    // Validate credentials
    if(empty($username_err) && empty($password_err)){
        // Prepare a select statement
        $sql = "SELECT id, username, password, fullname, avatar, jobtitle FROM users WHERE username = ?";

        if($stmt = $mysqli->prepare($sql)){
            // Bind variables to the prepared statement as parameters
            $stmt->bind_param("s", $param_username);

            // Set parameters
            $param_username = $username;

            // Attempt to execute the prepared statement
            if($stmt->execute()){
                // Store result
                $stmt->store_result();

                // Check if username exists, if yes then verify password
                if($stmt->num_rows == 1){
                    // Bind result variables
                    $stmt->bind_result($id, $username, $hashed_password, $fullname, $avatar_path, $jobtitle);
                    if($stmt->fetch()){
                        if(password_verify($password, $hashed_password)){
                            // Password is correct; the session was already started at the top of the script

                            // Store data in session variables
                            $_SESSION["loggedin"] = true;
                            $_SESSION["id"] = $id;
                            $_SESSION["username"] = $username;
                            $_SESSION["fullname"] = $fullname;
                            $_SESSION["avatar"] = $avatar_path;
                            $_SESSION["jobtitle"] = $jobtitle;

                            // Redirect user to welcome page and stop executing the script
                            header("location: dash.php");
                            exit;
                        } else{
                            // Display an error message if password is not valid
                            $password_err = "Лозинката не е точна.";
                        }
                    }
                } else{
                    // Display an error message if username doesn't exist
                    $username_err = "Не постои такво корисничко име";
                }
            } else{
                echo "Упссс! Има некоја грешка. Обидетесе повторно.";
            }

            // Close statement (only exists when prepare() succeeded)
            $stmt->close();
        }
    }

    // Close connection
    $mysqli->close();
}
?>
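The question has no answers, so the following is an added example of how the registration handler above can be rewritten the same way the login page already works: a prepared statement with bound parameters for the INSERT, instead of building the SQL string from escaped values. It is not the asker's code. It assumes config.php defines $mysqli as shown in the question, and it assumes the registration form lives at register.php (a placeholder name). It also replaces the client-supplied $_FILES['avatar']['type'] check with a server-side content check and stores the avatar under a random filename, so the uploaded name never reaches the filesystem path or the database.

```php
<?php
// Added example (not the asker's code): registration handler using a prepared
// statement and server-side upload validation. Assumes config.php defines $mysqli
// exactly as in the question; "register.php" is an assumed name for the form page.
session_start();
require_once "config.php";

// Make MySQL errors throw exceptions instead of silently returning false
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Store a message for the form page and redirect there
function fail(string $message): void
{
    $_SESSION['message'] = $message;
    header("Location: register.php"); // assumed form page
    exit;
}

if ($_SERVER["REQUEST_METHOD"] === "POST") {
    // Read the inputs; no real_escape_string() needed, bind_param() handles quoting
    $username = trim($_POST['username'] ?? '');
    $fullname = trim($_POST['fullname'] ?? '');
    $jobtitle = trim($_POST['jobtitle'] ?? '');
    $password = $_POST['password'] ?? '';

    if ($username === '' || $password === '') {
        fail('Username and password are required.');
    }

    // Validate the upload by inspecting the file contents, not the browser-sent type
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $upload = $_FILES['avatar'] ?? null;
    if ($upload === null || $upload['error'] !== UPLOAD_ERR_OK) {
        fail('File upload failed!');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if (!isset($allowed[$mime])) {
        fail('Please only upload GIF, JPG or PNG images!');
    }

    // Random server-chosen filename with an extension derived from the detected type
    $avatar_path = 'images/avatars/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($upload['tmp_name'], $avatar_path)) {
        fail('File upload failed!');
    }

    $hash = password_hash($password, PASSWORD_DEFAULT);

    try {
        // Placeholders keep user input out of the SQL text entirely
        $stmt = $mysqli->prepare(
            "INSERT INTO users (username, password, fullname, avatar, jobtitle) "
            . "VALUES (?, ?, ?, ?, ?)"
        );
        $stmt->bind_param("sssss", $username, $hash, $fullname, $avatar_path, $jobtitle);
        $stmt->execute();
        $stmt->close();
        $mysqli->close();
    } catch (mysqli_sql_exception $e) {
        // Log the real error server-side; show the user only a generic message
        error_log("registration failed: " . $e->getMessage());
        unlink($avatar_path); // do not leave an orphaned avatar behind
        fail('User could not be added to the database!');
    }

    // Insert succeeded: populate the session and go to the welcome page
    $_SESSION['username'] = $username;
    $_SESSION['avatar']   = $avatar_path;
    $_SESSION['jobtitle'] = $jobtitle;
    $_SESSION['message']  = "Registration successful! Added $username to the database!";
    header("Location: index.php");
    exit;
}
```

Two details are worth noting. First, the placeholders are the whole SQL injection fix: once values travel through bind_param() they are never part of the query text, so real_escape_string() is no longer needed anywhere in this handler. Second, the original code is not actually injectable through the string fields because it escapes them, but it interpolates the user-chosen filename into both a filesystem path and the query, and it trusts the browser's declared MIME type; the example closes both gaps with finfo and a random filename, and it uses move_uploaded_file() rather than copy() so only a genuine PHP upload can be moved into the images directory.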

0 answers:

No answers