我有此用户验证文件:
strSQL = "SELECT MED, RX, HSAHRA, ACR, ML, Sum(MBRS) AS SumOfMBRS, Sum(PREM) AS SumOfPREM, Sum(CLMSTAT) AS SumOfCLMSTAT
FROM W " & _
"WHERE [DATE] Between #" & Me.tbxStart & "# And #" & Me.tbxEnd & "# AND [ST]='" & Me.tbxState & "' " & _
"GROUP BY MED, RX, HSAHRA, ACR, ML " & _
"ORDER BY MED, RX, HSAHRA, ACR, ML;"
我向用户发送邮件,然后使用GET方法检索信息。 URL看起来像这样:
<?php
session_start();
require 'db-D.php';
$email = $_GET['email'];
$code = $_GET['code'];
$sql = 'UPDATE `login_D` SET `active`= 1 WHERE email=\"'.$email.'\" and code=\''.$code.'\'';
$conn->query($sql) or $_SESSION['message'] = 'invalid URL' and $_SESSION['details'] = null and header('location: error.php') and die();
header('location: login.php');
?>
问题是,当我查询192.168.0.101/verifiy.php?email=somemail@mail.com&code=c16c0745def04703e62daa72270c9a89c113a0b208ddd0072b6f828fe1adc81b
时我没有收到错误,并且当我检查PhpMyAdmin上的活动值时,它的值为0而不是1。
我在PhpMyAdmin上运行了相同的脚本(手动插入了值),并更改了值。
我还查看了日志文件(apache和php),没有错误。
我在树莓派3上运行LAMP服务器。
答案 0 :(得分:0)
我发现了错误:
$sql = 'UPDATE `login_D` SET `active`= 1 WHERE email="'.$email.'" and code=\''.$code.'\'';
查询的电子邮件部分有两个额外的反斜杠(反斜杠作为文本,因此查询失败。
旧版本:
<--here-->
$sql = 'UPDATE `login_D` SET `active`= 1 WHERE email=\"'.$email.'\" and code=\''.$code.'\'';
答案 1 :(得分:-1)
这是具有防止sql注入保护的代码:
<?php
session_start();
require 'db-D.php';
$email = $_GET['email'];
$code = $_GET['code'];
if ($conn->connect_errno) {
die("Connection failed: " . $conn->connect_error);
}
$sql = 'UPDATE `login_D` SET `active`= 1 WHERE email=? and code=?';
$stmt = mysqli_stmt_init($conn);
if (!mysqli_stmt_prepare($stmt, $sql)) {
$_SESSION['message'] = 'invalid URL';
$_SESSION['details'] = $conn->error;
header('location: error.php');
} else {
mysqli_stmt_bind_param($stmt, "ss", $email, $code );
mysqli_stmt_execute($stmt);
$_SESSION['message'] = 'Please login to go to account';
header('location: login.php');
}
?>