0

我正在编写一个代码,它将检查 2 个不同的表以确定用户将拥有的权限。代码如下所示:

    $query1 = ("SELECT 1 FROM `customers` WHERE `Email` = '$email' AND `Password` = '$password'");
    $query2 = ("SELECT 1 FROM `admins` WHERE `Email` = '$email' AND `Password` = '$password'");

    $result1 = mysql_query($query1) or die(mysql_error());
    $result2 = mysql_query($query2) or die(mysql_error());

    if (mysql_num_rows($result1) == 1) {
        // Log user in as a Customer
        exit;
    } else if (mysql_num_rows($result2) == 1) {
        // Log user in as an Admin.
        exit;
    } else {
        // Direct user to registration page.
    }

任何人都可以看看这个并告诉我这样做是否会有任何安全风险?预先感谢您的帮助!

4

3 回答 3

0

这是不安全的,例如我的密码是

OR 1=1

我可以访问。使用 mysql 准备好的语句

<?php
$mysqli = new mysqli("example.com", "user", "password", "database");
if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}

/* Prepared statement, stage 1: prepare */
if (!($stmt = $mysqli->prepare("SELECT 1 FROM customers WHERE Email = (?) AND Password = (?)"))) {
    echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
}

if (!$stmt->bind_param("ss", $email, $password)) {
    echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
}

if (!$stmt->execute()) {
    echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
}
?>
于 2012-08-29T23:27:01.573 回答
0

Firstly you have a change that your code is only known by you.

Secondly you have to check the input data. email and password area is not safety. You should prevent SQL injection. Otherwise your code is not secure.

By the way i'm offering you IP restricted login for admins. I'm using this. And it is more secure.

于 2012-08-29T23:29:16.500 回答
0

One big problem here is that the code is vulnerable for sql injections. Which basicly means that the user could put code in the email or password form to bypass the check you have here.

A start would be to perform the following to your input BEFORE you use them in your query:

$email = mysql_real_escape_string($email);
$password = mysql_real_escape_string($password);

Though, the mysql library is not recommended by php, rather read about prepared statements in pdo here: http://www.php.net/manual/en/ref.pdo-mysql.php

But you can try the mysql_real_escape_string to have a first security measure against sql injections.

于 2012-08-29T23:29:26.480 回答