使用MySQLi将数据库与php连接的安全方法
我只是把我的长代码缩减为小代码,这样就容易理解了。我正在建立基于php的网站。我正在使用使用MySQLi将数据库与php连接的安全方法,php,mysqli,Php,Mysqli,我只是把我的长代码缩减为小代码,这样就容易理解了。我正在建立基于php的网站。我正在使用MySQLi,因为我知道一些MySQL。对我来说,PDO在短时间内很难学会 我创建了三个文件 - db.con.php - index.php - logout.php 我将发布我所有的三个文件,我只想知道它是否安全,或者是否存在任何漏洞 我感谢所有看到我的问题并非常感谢回答的人 db.con.php <?php //db.con.php class DB { protected $d
MySQLiMySQL - db.con.php
- index.php
- logout.php
<?php
//db.con.php
class DB {
protected $db_name = 'demo';
protected $db_user = 'root';
protected $db_pass = '';
protected $db_host = 'localhost';
public function connect() {
$DBerror = 'Database Error';
$connection = ($GLOBALS["___mysqli_ston"] = mysqli_connect($this->db_host, $this->db_user, $this->db_pass)) or die($DBerror);
((bool)mysqli_query($GLOBALS["___mysqli_ston"], "USE $this->db_name")) or die($DBerror);
return true;
}
}
$db = new DB();
$db->connect();
//start session
session_start();
?>
<?php
require_once 'db.con.php';
$userID = $_GET['userID'];
$userID = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $userID);
$CheckQuery = mysqli_query($GLOBALS["___mysqli_ston"], "SELECT * FROM users WHERE id='$userID'");
$VerifyID = mysqli_num_rows($CheckQuery);
if ($VerifyID !== 1){
header("Location: logout.php");
}
while ($row = mysqli_fetch_assoc($CheckQuery)) {
$id = $row['id'];
$name = $row['name'];
}
echo "My id is $id and my name is $name";
?>
<?php
//logout.php
session_start();
session_destroy();
echo "Logout successful";
?>
<?php
$dsn = "mysql:host=localhost;dbname=demo;charset=utf8";
$opt = array(
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);
$pdo = new PDO($dsn, 'root', '', $opt);
session_start();
<?php
require_once 'db.con.php';
$stmt = $pdo->prepare("SELECT 1 FROM users WHERE id=?");
$stmt->execute(array($_GET['userID']));
$row = $stmt->fetch();
if(!$row) {
header("Location: logout.php");
exit;
}
$id = $row['id'];
$name = $row['name'];
echo "My id is $id and my name is $name";
<?php
//db.con.php
class DB {
protected $db_name = 'demo';
protected $db_user = 'root';
protected $db_pass = '';
protected $db_host = 'localhost';
public function connect() {
$DBerror = 'Database Error';
$connection = ($GLOBALS["___mysqli_ston"] = mysqli_connect($this->db_host, $this->db_user, $this->db_pass)) or die($DBerror);
((bool)mysqli_query($GLOBALS["___mysqli_ston"], "USE $this->db_name")) or die($DBerror);
return true;
}
}
$db = new DB();
$db->connect();
//start session
session_start();
?>
<?php
require_once 'db.con.php';
$userID = $_GET['userID'];
$userID = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $userID);
$CheckQuery = mysqli_query($GLOBALS["___mysqli_ston"], "SELECT * FROM users WHERE id='$userID'");
$VerifyID = mysqli_num_rows($CheckQuery);
if ($VerifyID !== 1){
header("Location: logout.php");
}
while ($row = mysqli_fetch_assoc($CheckQuery)) {
$id = $row['id'];
$name = $row['name'];
}
echo "My id is $id and my name is $name";
?>
<?php
//logout.php
session_start();
session_destroy();
echo "Logout successful";
?>
<?php
$dsn = "mysql:host=localhost;dbname=demo;charset=utf8";
$opt = array(
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);
$pdo = new PDO($dsn, 'root', '', $opt);
session_start();
<?php
require_once 'db.con.php';
$stmt = $pdo->prepare("SELECT 1 FROM users WHERE id=?");
$stmt->execute(array($_GET['userID']));
$row = $stmt->fetch();
if(!$row) {
header("Location: logout.php");
exit;
}
$id = $row['id'];
$name = $row['name'];
echo "My id is $id and my name is $name";
让它成为PDO而不是mysqli
让DB类单独呆一会儿
学习准备好的陈述
db.con.php
<?php
//db.con.php
class DB {
protected $db_name = 'demo';
protected $db_user = 'root';
protected $db_pass = '';
protected $db_host = 'localhost';
public function connect() {
$DBerror = 'Database Error';
$connection = ($GLOBALS["___mysqli_ston"] = mysqli_connect($this->db_host, $this->db_user, $this->db_pass)) or die($DBerror);
((bool)mysqli_query($GLOBALS["___mysqli_ston"], "USE $this->db_name")) or die($DBerror);
return true;
}
}
$db = new DB();
$db->connect();
//start session
session_start();
?>
<?php
require_once 'db.con.php';
$userID = $_GET['userID'];
$userID = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $userID);
$CheckQuery = mysqli_query($GLOBALS["___mysqli_ston"], "SELECT * FROM users WHERE id='$userID'");
$VerifyID = mysqli_num_rows($CheckQuery);
if ($VerifyID !== 1){
header("Location: logout.php");
}
while ($row = mysqli_fetch_assoc($CheckQuery)) {
$id = $row['id'];
$name = $row['name'];
}
echo "My id is $id and my name is $name";
?>
<?php
//logout.php
session_start();
session_destroy();
echo "Logout successful";
?>
<?php
$dsn = "mysql:host=localhost;dbname=demo;charset=utf8";
$opt = array(
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);
$pdo = new PDO($dsn, 'root', '', $opt);
session_start();
<?php
require_once 'db.con.php';
$stmt = $pdo->prepare("SELECT 1 FROM users WHERE id=?");
$stmt->execute(array($_GET['userID']));
$row = $stmt->fetch();
if(!$row) {
header("Location: logout.php");
exit;
}
$id = $row['id'];
$name = $row['name'];
echo "My id is $id and my name is $name";
您正在使用MySQLi,这意味着您可以使用准备好的语句。没有更多的mysqli\u real\u escape\u字符串
!请参见此处:您的$connection
对我来说似乎太长了:/P.S.您可以将$this->db\u name
作为第四个参数传递给mysqli\u connect
。另外,如果您只是将连接保存到$GLOBALS[“\uuuuuuuuu mysqli\u ston”]
,那么$connection
的意义何在?创建一个连接的单例,而不是将其分配给全局。这个问题应该在“打开”而不是在这里。