Php 我的登记表有多安全?
我是PHP编程新手,我有一个注册表,允许访问者在我的网站上注册,但我不确定我的代码是否安全。代码如下所示:Php 我的登记表有多安全?,php,mysql,security,sql-injection,Php,Mysql,Security,Sql Injection,我是PHP编程新手,我有一个注册表,允许访问者在我的网站上注册,但我不确定我的代码是否安全。代码如下所示: if(isset($_POST['submit'])){ $search = array("<", ">", "join", "union", "'", "/", "(", ")", "Join","jOin", "joIn", "joiN", "Union", "uNion", "unIon", "uniOn", "unioN"); $replace = ""; $u
if(isset($_POST['submit'])){
$search = array("<", ">", "join", "union", "'", "/", "(", ")", "Join","jOin", "joIn", "joiN", "Union", "uNion", "unIon", "uniOn", "unioN");
$replace = "";
$username = str_ireplace($search, $replace, $_POST['username']);
$email = str_ireplace($search, $replace, $_POST['email']);
if (empty($_POST['username']) or empty($_POST['email']) or empty($_POST['pass']) or empty($_POST['confirmpass'])) {
echo "<p>Please Fill all filds</p>";
}
elseif ($_POST['pass'] != $_POST['confirmpass']) {
echo "<p>Match Password</p>";
}
elseif (strlen($username) > 20){
echo "<p>Your Username should less than 20 Char</p>";
}
else{
$username = mysql_real_escape_string(trim($username));
$email = mysql_real_escape_string(trim($_POST['email']));
$pass = mysql_real_escape_string($_POST['pass']);
$pass = md5($pass);
$confirmpass = mysql_real_escape_string($_POST['confirmpass']);
$confirmpass = md5($confirmpass);
$date = date("Y-m-d");
$checkq = mysql_query("SELECT username, email FROM users WHERE username='$username' ");
$num_rows = mysql_num_rows($checkq);
if($num_rows >= 1){
echo "<p>you have to choose another Username</p>";
}else {
$checkq2 = mysql_query("SELECT username, email FROM users WHERE email='$email' ");
$num_rows2 = mysql_num_rows($checkq2);
if($num_rows2 >= 1){
echo "<p>that email is already registerd <br />".$email."</p>";
}else {
$insertuser = mysql_query("INSERT INTO users
(id, username, password, rdate, email)
VALUES
('', '$username', '$pass', '$date', '$email')
");
if ($insertuser){ echo "<span>you are login successfuly ...</span><META http-equiv='refresh' content='4;URL=http://www.6arbyat.com/join/login.php'> ;";}else{echo "<p>Sorry there is something Wrong !!!</p>";
}
}
}
}
}
if(isset($\u POST['submit'])){
$search=array(“,“join”,“union”,“union”,“union”,“union”,“union”,“union”,“union”,“union”);
$replace=“”;
$username=stru-ireplace($search,$replace,$\u POST['username']);
$email=str_ireplace($search,$replace,$_POST['email']);
如果(空($\u POST['username'])或空($\u POST['email'])或空($\u POST['pass'])或空($\u POST['confirmpass'])){
echo“请填写所有文件””;
}
elseif($_POST['pass']!=$_POST['confirmpass']){
回显“匹配密码””;
}
elseif(strlen($username)>20){
echo“您的用户名应少于20个字符”;
}
否则{
$username=mysql\u real\u escape\u字符串(trim($username));
$email=mysql\u real\u escape\u字符串(trim($u POST['email']);
$pass=mysql\u real\u escape\u字符串($\u POST['pass']);
$pass=md5($pass);
$confirmpass=mysql\u real\u escape\u字符串($\u POST['confirmpass']);
$confirmpass=md5($confirmpass);
$date=日期(“Y-m-d”);
$checkq=mysql_查询(“选择用户名,来自用户名为“$username”的用户的电子邮件”);
$num_rows=mysql_num_rows($checkq);
如果($num_rows>=1){
echo“您必须选择另一个用户名”;
}否则{
$checkq2=mysql_query(“选择用户名,从用户处发送电子邮件,其中电子邮件='$email'”);
$num_rows2=mysql_num_rows($checkq2);
如果($num_rows2>=1){
echo“该电子邮件已注册,
“$email。””;
}否则{
$insertuser=mysql\u查询(“插入到用户中
(id、用户名、密码、日期、电子邮件)
价值观
(“$username”、“$pass”、“$date”、“$email”)
");
如果($insertuser){echo“您登录成功…”;“;}否则{echo”对不起,有问题!!!”;
}
}
}
}
}
有什么评论吗
"Join","jOin", "joIn", "joiN"
一点也不安全
如果您关心安全性,请使用适当的参数化查询;如果您不关心安全性,请将值粘贴到查询中。不管怎样,大部分代码都是无用的
$insertuser = mysql_query("INSERT INTO users
(id, username, password, rdate, email)
此外,您可能不应该在数据库中编写原始密码,这会使您的代码看起来像是1985年编写的。这个问题似乎离题了,因为它是一个代码审查请求。这更适合于这种情况。在发布之前,请务必阅读他们的密码,以确保您的问题符合他们的指导原则。如果我使用的密码(如JointMonkeysUnion123)或包含您试图筛选出的其中一个或两个单词的密码,我是否保留了经过修剪的密码,作为回报,我实际上不知道我的真实密码?另外一点是,您的密码甚至可以是SQL查询,但一旦散列,它对您的应用程序并不重要。只要确保不信任用户输入:)你忘了提到他需要使用
mysqli
,而不是不推荐的(希望我拼写正确)mysql
“而且,你可能不应该在数据库中编写原始密码,这会使你的代码看起来像是1985年编写的。”,或者索尼的