我知道我必须使用PDO,但是我现在不能更新它,因为旧版本中有大量的PHP文件。如何使我的代码安全并保护其免受SQL注入的影响?
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$sql="SELECT * FROM user WHERE username='$myusername' AND password='$mypassword'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1)
{
$_SESSION["myusername"]=$myusername;
echo"<script type='text/javascript'>
window.location.href='dashboard.php';
</script>";
}
else
{
$sql="SELECT * FROM user WHERE email='$myusername' AND password='$mypassword'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1)
{
$sql="SELECT username FROM user WHERE email='$myusername'";
$result=mysql_query($sql);
$myusername=mysql_result($result,0);
$_SESSION["myusername"]=$myusername;
echo"<script type='text/javascript'>
window.location.href='dashboard.php';
</script>";
}
else
{
echo"<script type='text/javascript'>
alert('The username or password you entered is incorrect');
window.location.href='login.php';
</script>";
}
}
发布于 2018-06-13 18:22:39
安全是一个很大的词,....如你所建议的那样,你实际上不应该使用这些方法,而是升级到某些地方,这些功能已被弃用。
但现在..这有助于
$sql=sprint("SELECT username FROM user WHERE email='%s'", mysql_real_escape_string($myusername));
发布于 2018-06-13 19:21:07
创建一个像这样散列密码的函数。
function hashPassword($passwordToHash) {
return password_hash($passwordToHash, PASSWORD_DEFAULT);
}
并有一个函数来验证它们是这样的。
function verifyPassword($passwordToVerify, $hash) {
if(password_verify($passwordToVerify, $hash)) {
return true;
} else {
return false;
}
}
表单验证
不需要进行任何表单验证,这意味着用户只需注册用户名; DROP TABLE user
即可删除用户表。
通过编写基本函数来检查输入是否包含特殊字符,可能会阻止它。
function isAlphaNumeric($stringToValidate) {
if(ctype_alnum($stringToValidate)) {
return true;
} else {
return false;
}
}
然后,可以像这样验证输入。
if(!isAlphaNumeric($_POST['myusername']) || !isAlphaNumeric($_POST['mypassword'])) {
$error = [
'error' => 'Special characters are not allowed.',
'class' => 'your class for error handling',
];
}
这是用准备好的语句和错误处理重写的代码。
$name = "root";
$pass = "";
$db = "yourDB";
$host = "localhost";
$connect = mysqli_connect($host, $name, $pass, $db);
if (mysqli_connect_errno()) {
echo "Could not connect to database. Error: " . mysqli_connect_error();
}
$stmt = $connect->prepare('SELECT * FROM `user` WHERE username = ? AND password = ?');
if(!$stmt) {
$error = [
'error' => 'Something went wrong, please contact the administrator',
'class' => 'your class for error handling'
];
}
$username = $_POST['myusername'];
$password = $_POST['mypassword'];
if(!$stmt->bind_param('ss', $username, $password)) {
$error = [
'error' => 'Something went wrong, please contact the administrator',
'class' => 'your class for error handling'
];
}
if(!$stmt->execute()) {
$error = [
'error' => 'Something went wrong, please contact the administrator',
'class' => 'your class for error handling'
];
} else {
$stmt->get_result();
$rows = $stmt->num_rows();
if($rows > 0) {
$_SESSION['myusername'] = $username;
header('Location: dashboard.php');
} else {
$stmt = $connect->prepare('SELECT * FROM `user` WHERE email = ? AND password = ?');
if(!$stmt) {
$error = [
'error' => 'Something went wrong, please contact the administrator',
'class' => 'your class for error handling'
];
}
if(!$stmt->bind_param('ss', $username, $password)) {
$error = [
'error' => 'Something went wrong, please contact the administrator',
'class' => 'your class for error handling'
];
}
if(!$stmt->execute()) {
$error = [
'error' => 'Something went wrong, please contact the administrator',
'class' => 'your class for error handling'
];
} else {
$stmt->get_result();
$rows = $stmt->num_rows();
if($rows > 0) {
$_SESSION['myusername'] = $username;
header('Location: dashboard.php');
} else {
$error = [
'error' => 'The username or password you entered is incorrect.',
'class' => 'your class for error handling'
];
}
}
}
}
https://stackoverflow.com/questions/-100004894
复制相似问题