PHP登录脚本未选择行
我是PHP的初学者,所以这个登录脚本会有很多安全缺陷。不过别担心。等我把这个修好,我就把那些修好。这是我的登录PHP脚本PHP登录脚本未选择行,php,mysql,Php,Mysql,我是PHP的初学者,所以这个登录脚本会有很多安全缺陷。不过别担心。等我把这个修好,我就把那些修好。这是我的登录PHP脚本 <?php $error=''; if(isset($_POST['submit'])){ if(empty($_POST['username']) || empty($_POST['password'])) { $error = "Username or Password is Invalid"; echo "<scrip
<?php
$error='';
if(isset($_POST['submit'])){
if(empty($_POST['username']) || empty($_POST['password'])) {
$error = "Username or Password is Invalid";
echo "<script type='text/javascript'>alert('$error');</script>";
}
else {
$user = $_POST['username'];
$pass = $_POST['password'];
$servername = "localhost";
$username = "id1394453_users";
$password = "password";
$database = "id1394453_users";
$conn = mysqli_connect($servername, $username, $password, $database);
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
$query = mysqli_query($conn, "SELECT * FROM Users WHERE user='username' AND pass='password'");
$rows = mysqli_query($conn, $query);
if (mysqli_num_rows($rows) == 1) {
header("Location: Home.html");
}
else {
$error = "Username of Password is Invalid";
echo "<script type='text/javascript'>alert('$error');</script>";
echo "<script type='text/javascript'>alert('$user');</script>";
echo "<script type='text/javascript'>alert('$pass');</script>";
echo "<script type='text/javascript'>alert('$rows');</script>";
}
mysqli_close($conn);
}
}
此处的查询看起来是静态的
$query = mysqli_query($conn, "SELECT * FROM Users WHERE user='username' AND pass='password'");
你应该用变量替换它,对吗?您忘记了$
:
$query = mysqli_query($conn, "SELECT * FROM Users WHERE user='$user' AND pass='$pass'");
还有一个错误。$query
应该是$rows
。您应该在此处收到一个错误:
$query = mysqli_query($conn, "SELECT * FROM Users WHERE user='username' AND pass='password'");
$rows = mysqli_query($conn, $query);
上述规定完全无效。应将其替换为:
$query = "SELECT * FROM Users WHERE username='$user' AND password='$pass'";
$rows = mysqli_query($conn, $query);
不要忘记SQL注入预防部分:
$user = mysqli_real_escape_string($conn, $_POST['username']);
$pass = mysqli_real_escape_string($conn, $_POST['password']);
你运行了两次查询,我希望这个东西不会被激活;它是/会是吗?他使用$user
和$pass
“它应该被替换为:”---它绝对不能被易受攻击的代码替换。我们开始吧。谢谢如果他们继续使用password\u hash()
/password\u verify()
,我们都希望他们这样做,那么密码就不应该被转义。比如123'\——我还添加了SQL注入预防。