Php 如何进行避免注入的SQLite查询?
我正在尝试检查数据库中是否有myusername和mypassword,如果有,则打印结果。如果结果与数据库中的内容相匹配,我无法返回和显示结果,请有人帮助我好吗Php 如何进行避免注入的SQLite查询?,php,pdo,sqlite,Php,Pdo,Sqlite,我正在尝试检查数据库中是否有myusername和mypassword,如果有,则打印结果。如果结果与数据库中的内容相匹配,我无法返回和显示结果,请有人帮助我好吗 // username and password sent from form $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; //echo $myusername; //echo $mypassword; $stmt = $db-&g
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
//echo $myusername;
//echo $mypassword;
$stmt = $db->prepare('SELECT * FROM ADMIN_LOGIN WHERE USERNAME = $myusername AND PASSWORD = $mypassword');
//var_dump($stmt->readOnly()); // -> true
$result = $db->query("SELECT * FROM ADMIN_LOGIN WHERE USERNAME = '$myusername' AND PASSWORD = '$mypassword'");
while ($row = $result->fetchArray()) {
print $row["USERNAME"] . "\n";
print $row["PASSWORD"] . "\n";
}
您没有正确使用准备好的语句。准备好的语句首先向服务器发送查询内容,然后发送参数。这样就不能利用服务器,因为查询结构“阶段”已经完成
$sql = "SELECT * FROM ADMIN_LOGIN WHERE USERNAME = ? AND PASSWORD = ? LIMIT 1"
$sth = $dbh->prepare($sql);
$sth->execute(array($_POST['username'], $_POST['password']));
$res = $sth->fetch();
您很容易受到sql注入攻击,这一点尤其糟糕,因为您已经在使用准备好的语句。这就是我试图避免的(sql注入攻击),您会建议我如何使此代码成为sql注入证明?为此,我只需转到php.net/pdo并单击
preparePHP.net/thing