0

有人告诉我,这段代码是旧的连接方式,容易受到 sql 注入的影响。我怎样才能使它安全?

这是我用来检查数据库中的用户并在他们没有帐户时添加新用户的代码。我尝试了mysqli,但我认为我做的不对,所以我现在不得不回到这个,直到我知道如何使它安全。

<?php
// Connect to the database(host, username, password)
$con = mysql_connect('localhost','user1','pass1');
if (!$con)
{
    echo "Failed to make connection.";
    exit;
}
// Select the database. Enter the name of your database (not the same as the table name)
$db = mysql_select_db('db1');
if (!$db)
{
    echo "Failed to select db.";
    exit;
}
// $_POST['username'] and $_POST['password'] are the param names we sent in our click event in login.js
$username = $_POST['username'];
$password = $_POST['password'];
// Select eveything from the users table where username field == the username we posted and password field == the password we posted
$sql = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'";
$query = mysql_query($sql);
// If we find a match, create an array of data, json_encode it and echo it out
if (mysql_num_rows($query) > 0)
{
    $row = mysql_fetch_array($query);
    $response = array(
        'logged' => true,
        'name' => $row['name'],
        'email' => $row['email']
    );
    echo json_encode($response);
}
else
{
    // Else the username and/or password was invalid! Create an array, json_encode it and echo it out
    $response = array(
        'logged' => false,
        'message' => 'Invalid Username and/or Password'
    );
    echo json_encode($response);
}
?>
4

1 回答 1

1

来自用户的任何数据都应通过 mysql_real_escape_string() 传递。有关使用该功能的更多信息,请参阅下面的 URL。这很重要。

http://php.net/manual/en/function.mysql-real-escape-string.php

以下是有关使用 PHP 进行 SQL 注入的更多信息:

http://php.net/manual/en/security.database.sql-injection.php

MySQLi 信息(除了 mysql_real_escape_string 之外的另一种技术):

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

编辑:好吧,我承认,我有点老派。MySQLi 似乎绝对是要走的路。我比较熟悉 PHP3 和 PHP4 开发。如果可以,请使用最后一个链接重新实现您的数据访问代码。

于 2012-09-29T01:01:00.580 回答