-2

我有一个登录系统,我一直在使用 mysql 函数,如 real_escape_strings 等。但现在我正试图将其转换为 PDO,因为它比 mysql 函数更现代。问题是现在它不适用于 PDO。下面是我的代码,请告诉我我做错了什么。

<?php
try {
$con = new PDO('mysql:host=localhost;dbname=tish_database;charset=utf8','root','');

} catch(PDOException $e){
echo 'Connection failed'.$e->getMessage();
}

?>
<?php 
$is_ajax = $_POST['is_ajax'];
    if(isset($is_ajax) && $is_ajax)

    {
$username =(isset($_POST['username']))? trim($_POST['username']): '';
$Password=(isset($_POST['Password']))? $_POST['Password'] : '';
$redirect=(isset($_REQUEST['redirect']))? $_REQUEST['redirect'] :
'view.php';
$query ='SELECT username FROM tish_user WHERE '.
'username="'.($username,$con).'" AND ' .
   'Password = md5("'.($Password,$con).'")';
  $result = $con->prepare($query); 
   $result->execute();
        if(count($result)>0)
        {
        $_SESSION['username']=$username;
$_SESSION['logged'] = 1;
            echo "success"; 
        }
        else {
//set these explicitly just to make sure 

}
    }

?>
4

2 回答 2

2

删除所有无用代码后

<?php
$con = new PDO('mysql:host=localhost;dbname=tish_database;charset=utf8','root','');

if(!empty($_POST['is_ajax']))
{
    $sql = 'SELECT id FROM tish_user WHERE username=? AND Password = md5(?)';
    $stm = $con->prepare($sql); 
    $stm->execute(array($_POST['username'],$_POST['Password']));
    if($row = $stm->fetch())
    {
        $_SESSION['id'] = $row['id'];
    }
}
?>

你也需要检查字母大小写。大写的“密码”看起来很可疑。最好选择一个标准(全小写)并在任何地方遵循它

这是我对准备好的语句如何防止 SQL 注入攻击的回答?解释它是如何工作的问题

于 2013-02-17T08:24:19.660 回答
0 
$query ='SELECT username FROM tish_user WHERE username=? AND Password = md5(?) )';
$result = $con->prepare($query); 
$result->execute(array($username, $password));

这将自动为您转义字符串。

于 2013-02-17T08:21:19.967 回答