这是我的login.php页面的PHP代码:
<?php require_once('../Connections/minisrty.php'); ?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
session_start();
}
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
$_SESSION['PrevUrl'] = $_GET['accesscheck'];
}
if (isset($_POST['user'])) {
**htmlspecialchars($loginUsername=$_POST['user'],ENT_QUOTES,'utf-8');**
**htmlspecialchars($password=$_POST['pass'],ENT_QUOTES,'utf-8');**
$MM_fldUserAuthorization = "";
$MM_redirectLoginSuccess = "insertion.php";
$MM_redirectLoginFailed = "login.php";
$MM_redirecttoReferrer = false;
mysql_select_db($database_minisrty, $minisrty);
$LoginRS__query=sprintf("SELECT username, password FROM log WHERE username='%s' AND password='%s'",
get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password));
$LoginRS = mysql_query($LoginRS__query, $minisrty) or die(mysql_error());
$loginFoundUser = mysql_num_rows($LoginRS);
if ($loginFoundUser) {
$loginStrGroup = "";
//declare two session variables and assign them
$_SESSION['MM_Username'] = $loginUsername;
$_SESSION['MM_UserGroup'] = $loginStrGroup;
if (isset($_SESSION['PrevUrl']) && false) {
$MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
}
header("Location: " . $MM_redirectLoginSuccess );
}
else {
header("Location: ". $MM_redirectLoginFailed );
}
}
?>
这会有效吗??? ???
答案 0 :(得分:4)
$filtered_variable = htmlspecialchars($bad_variable, ENT_QUOTES);
您应该对放入SQL查询中的变量使用mysql_real_escape_string()以避免SQL注入。