3

我目前正在升级朋友网站的代码,但遇到了登录脚本问题。我试图通过使用来防止 SQL 注入mysql_real_escape_string()mysql_escape_string()工作正常,但mysql_real_escape_string()没有。这就是我所拥有的:

if (isset($_POST['submit']))
{
    $username = mysql_real_escape_string($_POST['username']); 
    $password = mysql_real_escape_string($_POST['password']);

    $db_link = db_connect("project");
    $query = "SELECT * FROM user WHERE username = '$username' AND password = password('$password')";
    $result = mysql_query($query) or die (mysql_error());
    $numrows = mysql_num_rows($result);

    if($numrows == 1)
    {
        RedirectToURL("home.php");
    }
    else
    {
        login_page("Invalid login! Try again");
    }   
}
else
{
    login_page("");
}
4

2 回答 2

6

为了使用 mysql_real_escape_string 您必须登录到数据库。如果您没有登录,则使用 mysql_escape_string。

于 2012-11-04T19:48:36.810 回答
2

正如@MichaelBerkowski 在您的评论中所说,将mysql_real_escape_string()呼叫移过您的连接命令:

if (isset($_POST['submit']))
{

    $db_link = db_connect("project");

    $username = mysql_real_escape_string($_POST['username']); 
    $password = mysql_real_escape_string($_POST['password']);

    $query = "SELECT * FROM user WHERE username = '$username' AND password = password('$password')";
    $result = mysql_query($query) or die (mysql_error());
    $numrows = mysql_num_rows($result);

    if($numrows == 1)
    {
        RedirectToURL("home.php");
    }
    else
    {
        login_page("Invalid login! Try again");
    }   
}
else
{
    login_page("");
}

如上所述,原因that mysql_real_escape_string()取决于您的 mysql 连接是否正常工作

于 2012-11-04T19:55:09.717 回答