0

我有这个代码

$nick = $_POST["user"];
$pass = sha1($_POST["pass"]);

$user = pg_query($dbconn, "SELECT * FROM users");
$user = pg_fetch_object($user);

if($user->nick != $nick || $user->pass != $pass) {
    echo 'Wrong user or password';
}

数据库中的 nick 是字符类型,并且非常散列,但我仍然在输出时收到“错误的用户或密码”。

有没有类型冲突?

4

1 回答 1

1 
$nick = $_POST["user"];
$pass = sha1($_POST["pass"]);

$user = pg_query($dbconn, "SELECT * FROM users WHERE nick = '$nick' and pass='$pass'");
$num = pg_num_rows($user);
$user = pg_fetch_object($user);

if($num==0) {
    echo 'Wrong user or password';
}

当查询一些客户端将交互的值时,确保他不会使用某些注入方法

更改代码:

$nick = pg_escape_string(strip_tags($_POST["user"]));
$pass = sha1($_POST["pass"]);
于 2013-10-22T00:03:53.867 回答