因此,我一直在阅读很多关于准备好的语句的内容,并不断得到关于准备好的语句如何防止 mysql 注入的各种答案。有人说它完全涵盖了它,而另一些人则说还有一些小工作或其他东西。几乎我只是想确保我拥有的这段代码是安全的,并且知道在准备好的语句中是否真的有任何漏洞:
<?php
ignore_user_abort(true);
$user = $_REQUEST['username'];
$pass = $_REQUEST['password'];
if (isset($user) && isset($pass)) {
require('/var/www/data/config.php'); //contains the db connection
if ($stmt = mysqli_prepare($mysqli, "SELECT password FROM users WHERE username=?")) {
mysqli_stmt_bind_param($stmt, 's', $user);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $gpass);
mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);
if ($gpass) {
require('/var/www/data/handles/fCrypt.php');
$chk = verify($pass, $gpass); //custom blowfish validation
if ($chk) {
//password correct, continue
} else {
mysqli_close($mysqli);
//echo invalid password stuff
}
} else {
mysqli_close($mysqli);
//echo invalid username stuff
}
} else {
mysqli_close($mysqli);
die('Query Error');
}
} else {
die('Invalid Request');
}
?>