Fatal编程技术网
  • php/
  • Php SQL:条件语法错误和mysql\u fetch\u对象滥用

Php SQL:条件语法错误和mysql\u fetch\u对象滥用

php mysql sql object

Php SQL:条件语法错误和mysql\u fetch\u对象滥用,php,mysql,sql,object,fetch,Php,Mysql,Sql,Object,Fetch,我正在尝试使用SQL和PHP创建一个登录系统。我有一个标准数据库,有三个字段:用户名、密码和授权级别。出于某种原因,当我测试代码时,登录失败,即使我使用了正确的访问级别和正确的凭据。在我将访问级别检查器添加到PHP之前,代码是正常的,但现在它返回一个登录失败错误 //If there are input validations, redirect back to the login form if($errflag) { $_SESSION['ERRMSG_ARR

我正在尝试使用SQL和PHP创建一个登录系统。我有一个标准数据库,有三个字段:用户名、密码和授权级别。出于某种原因,当我测试代码时,登录失败,即使我使用了正确的访问级别和正确的凭据。在我将访问级别检查器添加到PHP之前,代码是正常的,但现在它返回一个登录失败错误

    //If there are input validations, redirect back to the login form
    if($errflag) {
        $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
        session_write_close();
        header("location: login-test.php");
        exit();
    }

    //Create query
    $qry="SELECT * FROM members WHERE username='$username' AND password='$password'";
    $result=mysql_query($qry);
    $row = mysql_fetch_object($qry);

    //Check whether the query was successful or not
    if($result) {
        if(mysql_num_rows($result) == 1 && $row->authlevel == "admin") {
            //Login Successful
            session_regenerate_id();
            $member = mysql_fetch_assoc($result);
            $_SESSION['SESS_MEMBER_ID'] = $member['username'];
            $_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
            $_SESSION['SESS_LAST_NAME'] = $member['username'];
            session_write_close();
            header("location: admin_index.php");
            exit();
        } else {
            //Login failed
            header("location: login-failed.php");
        }
    }else {
        die("Query failed");
    }
?>
正如我在评论中所说,使用PDO或mysqli并准备好语句。有人可以把这个放进去

  '; Select * from members where authLevel = "admin" limit 1 --
对于
$username
,请以管理员身份登录。这就是为什么

 SELECT * FROM members WHERE username=''; Select * from members where authLevel = "admin" limit 1 -- AND password='ababsdf'
这就是您查询的结果,
--
是MySql的注释方式,因此之后的任何内容都将被忽略。本质上,我只是告诉它选择一个具有admin的用户作为authLevel,并将其限制为一个结果

更新 至于答案有两种可能性

  • 1级错误

  • 2更可能的情况是您有重复的用户记录。因此,行数检查失败

另外,
admin
与带有空格的
admin
admin
[space]admin
不同。php中的字符串比较区分大小写

不管该条件是否失败,因此其中的一项或两项都不是真的。你所要做的就是这样

  echo 'NumRows: '.mysql_num_rows($result);
  echo "<br>\n";
  echo 'AuthLevel: '.$row->authlevel;
对于authlevel,您可能希望将其用这样的括号括起来

    echo 'AuthLevel: ['.$row->authlevel.']';

    [  admin]

$dsn = 'mysql:host=127.0.0.1;dbname=members;';
$user = 'db_user';
$password = '*******';

try {
    $DB = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
    die('Connection failed: ' . $e->getMessage());
}

$qry="SELECT * FROM members WHERE username=:username";  ///( add field named salt, this is a random string )
//search only for username 

///$DB is pdo database object
//prepare the sql, this 2 step process prevent sql injection by using a placeholder :username instead of the variable directly
$stmt = $DB->prepare( $qry );
 //execute the statement with variables
$stmt->execute( array(':username' => $username ) );
//retrieve the result row as an object.
$row = $stmt->fetch( PDO::FETCH_OBJ );
//Check whether the query was successful or not
if($stmt->rowCount() == 1 ) {
    if($row->authlevel == "admin") {  //if it's not an admin no need to check password
        if( sha256( $row->salt() . $password ) == $row->password ){
             //Check password in php, db is case insensitive unless its a binary field.
            //Login Successful ( obviously youll want to update the member to account for a better password )
            .....
        }else{
            header("location: login-failed.php"); //change for bad password etc.
        }
    } else {
        //Login failed
        header("location: login-failed.php");  //change for invalid user level ( you do not have authorization to view this page ... etc. )
    }
}else {
    die("Query failed"); //change for username not found, or unknown username
}
为什么??因为如果是这样的话

    echo 'AuthLevel: ['.$row->authlevel.']';

    [  admin]

$dsn = 'mysql:host=127.0.0.1;dbname=members;';
$user = 'db_user';
$password = '*******';

try {
    $DB = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
    die('Connection failed: ' . $e->getMessage());
}

$qry="SELECT * FROM members WHERE username=:username";  ///( add field named salt, this is a random string )
//search only for username 

///$DB is pdo database object
//prepare the sql, this 2 step process prevent sql injection by using a placeholder :username instead of the variable directly
$stmt = $DB->prepare( $qry );
 //execute the statement with variables
$stmt->execute( array(':username' => $username ) );
//retrieve the result row as an object.
$row = $stmt->fetch( PDO::FETCH_OBJ );
//Check whether the query was successful or not
if($stmt->rowCount() == 1 ) {
    if($row->authlevel == "admin") {  //if it's not an admin no need to check password
        if( sha256( $row->salt() . $password ) == $row->password ){
             //Check password in php, db is case insensitive unless its a binary field.
            //Login Successful ( obviously youll want to update the member to account for a better password )
            .....
        }else{
            header("location: login-failed.php"); //change for bad password etc.
        }
    } else {
        //Login failed
        header("location: login-failed.php");  //change for invalid user level ( you do not have authorization to view this page ... etc. )
    }
}else {
    die("Query failed"); //change for username not found, or unknown username
}
然后你可以看到里面有一个空间或什么东西。在你的情况下这样做不是个坏主意

    if( strtolower( trim( $row->authlevel ) ) == 'admin' ...
PDO或mysqli实际上并没有那么难,您可能希望添加至少为sha256的salt add加密(或使用password_hash()),基本上您的代码如下所示

    echo 'AuthLevel: ['.$row->authlevel.']';

    [  admin]

$dsn = 'mysql:host=127.0.0.1;dbname=members;';
$user = 'db_user';
$password = '*******';

try {
    $DB = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
    die('Connection failed: ' . $e->getMessage());
}

$qry="SELECT * FROM members WHERE username=:username";  ///( add field named salt, this is a random string )
//search only for username 

///$DB is pdo database object
//prepare the sql, this 2 step process prevent sql injection by using a placeholder :username instead of the variable directly
$stmt = $DB->prepare( $qry );
 //execute the statement with variables
$stmt->execute( array(':username' => $username ) );
//retrieve the result row as an object.
$row = $stmt->fetch( PDO::FETCH_OBJ );
//Check whether the query was successful or not
if($stmt->rowCount() == 1 ) {
    if($row->authlevel == "admin") {  //if it's not an admin no need to check password
        if( sha256( $row->salt() . $password ) == $row->password ){
             //Check password in php, db is case insensitive unless its a binary field.
            //Login Successful ( obviously youll want to update the member to account for a better password )
            .....
        }else{
            header("location: login-failed.php"); //change for bad password etc.
        }
    } else {
        //Login failed
        header("location: login-failed.php");  //change for invalid user level ( you do not have authorization to view this page ... etc. )
    }
}else {
    die("Query failed"); //change for username not found, or unknown username
}

除此之外,由于PHP7的安全原因,mysql_*函数已经消失,所以最好不要习惯使用它们。

正如我在评论中所说的,使用PDO或mysqli并准备好语句。有人可以把这个放进去

  '; Select * from members where authLevel = "admin" limit 1 --
对于
$username
,请以管理员身份登录。这就是为什么

 SELECT * FROM members WHERE username=''; Select * from members where authLevel = "admin" limit 1 -- AND password='ababsdf'
这就是您查询的结果,
--
是MySql的注释方式,因此之后的任何内容都将被忽略。本质上,我只是告诉它选择一个具有admin的用户作为authLevel,并将其限制为一个结果

更新 至于答案有两种可能性

  • 1级错误

  • 2更可能的情况是您有重复的用户记录。因此,行数检查失败

另外,
admin
与带有空格的
admin
admin
[space]admin
不同。php中的字符串比较区分大小写

不管该条件是否失败,因此其中的一项或两项都不是真的。你所要做的就是这样

  echo 'NumRows: '.mysql_num_rows($result);
  echo "<br>\n";
  echo 'AuthLevel: '.$row->authlevel;
对于authlevel,您可能希望将其用这样的括号括起来

    echo 'AuthLevel: ['.$row->authlevel.']';

    [  admin]

$dsn = 'mysql:host=127.0.0.1;dbname=members;';
$user = 'db_user';
$password = '*******';

try {
    $DB = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
    die('Connection failed: ' . $e->getMessage());
}

$qry="SELECT * FROM members WHERE username=:username";  ///( add field named salt, this is a random string )
//search only for username 

///$DB is pdo database object
//prepare the sql, this 2 step process prevent sql injection by using a placeholder :username instead of the variable directly
$stmt = $DB->prepare( $qry );
 //execute the statement with variables
$stmt->execute( array(':username' => $username ) );
//retrieve the result row as an object.
$row = $stmt->fetch( PDO::FETCH_OBJ );
//Check whether the query was successful or not
if($stmt->rowCount() == 1 ) {
    if($row->authlevel == "admin") {  //if it's not an admin no need to check password
        if( sha256( $row->salt() . $password ) == $row->password ){
             //Check password in php, db is case insensitive unless its a binary field.
            //Login Successful ( obviously youll want to update the member to account for a better password )
            .....
        }else{
            header("location: login-failed.php"); //change for bad password etc.
        }
    } else {
        //Login failed
        header("location: login-failed.php");  //change for invalid user level ( you do not have authorization to view this page ... etc. )
    }
}else {
    die("Query failed"); //change for username not found, or unknown username
}
为什么??因为如果是这样的话

    echo 'AuthLevel: ['.$row->authlevel.']';

    [  admin]

$dsn = 'mysql:host=127.0.0.1;dbname=members;';
$user = 'db_user';
$password = '*******';

try {
    $DB = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
    die('Connection failed: ' . $e->getMessage());
}

$qry="SELECT * FROM members WHERE username=:username";  ///( add field named salt, this is a random string )
//search only for username 

///$DB is pdo database object
//prepare the sql, this 2 step process prevent sql injection by using a placeholder :username instead of the variable directly
$stmt = $DB->prepare( $qry );
 //execute the statement with variables
$stmt->execute( array(':username' => $username ) );
//retrieve the result row as an object.
$row = $stmt->fetch( PDO::FETCH_OBJ );
//Check whether the query was successful or not
if($stmt->rowCount() == 1 ) {
    if($row->authlevel == "admin") {  //if it's not an admin no need to check password
        if( sha256( $row->salt() . $password ) == $row->password ){
             //Check password in php, db is case insensitive unless its a binary field.
            //Login Successful ( obviously youll want to update the member to account for a better password )
            .....
        }else{
            header("location: login-failed.php"); //change for bad password etc.
        }
    } else {
        //Login failed
        header("location: login-failed.php");  //change for invalid user level ( you do not have authorization to view this page ... etc. )
    }
}else {
    die("Query failed"); //change for username not found, or unknown username
}
然后你可以看到里面有一个空间或什么东西。在你的情况下这样做不是个坏主意

    if( strtolower( trim( $row->authlevel ) ) == 'admin' ...
PDO或mysqli实际上并没有那么难,您可能希望添加至少为sha256的salt add加密(或使用password_hash()),基本上您的代码如下所示

    echo 'AuthLevel: ['.$row->authlevel.']';

    [  admin]

$dsn = 'mysql:host=127.0.0.1;dbname=members;';
$user = 'db_user';
$password = '*******';

try {
    $DB = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
    die('Connection failed: ' . $e->getMessage());
}

$qry="SELECT * FROM members WHERE username=:username";  ///( add field named salt, this is a random string )
//search only for username 

///$DB is pdo database object
//prepare the sql, this 2 step process prevent sql injection by using a placeholder :username instead of the variable directly
$stmt = $DB->prepare( $qry );
 //execute the statement with variables
$stmt->execute( array(':username' => $username ) );
//retrieve the result row as an object.
$row = $stmt->fetch( PDO::FETCH_OBJ );
//Check whether the query was successful or not
if($stmt->rowCount() == 1 ) {
    if($row->authlevel == "admin") {  //if it's not an admin no need to check password
        if( sha256( $row->salt() . $password ) == $row->password ){
             //Check password in php, db is case insensitive unless its a binary field.
            //Login Successful ( obviously youll want to update the member to account for a better password )
            .....
        }else{
            header("location: login-failed.php"); //change for bad password etc.
        }
    } else {
        //Login failed
        header("location: login-failed.php");  //change for invalid user level ( you do not have authorization to view this page ... etc. )
    }
}else {
    die("Query failed"); //change for username not found, or unknown username
}

除此之外,由于PHP7的安全原因,mysql_*函数已不存在,因此最好不要习惯使用它们。

为什么要搜索密码,它应该被散列而不是传输。例如查找用户名,然后进行比较。您也不应该使用mysql,也不应该将变量放入sql
”;从authLevel=“admin”limit 1--
的成员中选择*如果这是我输入的用户名,我刚刚入侵了您的登录系统。我只是说。这个sql有很多错误,我可以把你链接到一个教程,让你用mysqli做一个正确的登录表单吗?我猜这就是sql注入的意思吧?我会对密码进行散列,但出于测试目的,我取出了md5,以便查看传递给SQL的内容,但我会在发布之前将其放回。md5不安全,请至少使用一个salted sha256密码或php hash_password函数。为什么要搜索密码,它应该进行散列,而不是传输。例如查找用户名,然后进行比较。您也不应该使用mysql,也不应该将变量放入sql
”;从authLevel=“admin”limit 1--
的成员中选择*如果这是我输入的用户名,我刚刚入侵了您的登录系统。我只是说。这个sql有很多错误,我可以把你链接到一个教程,让你用mysqli做一个正确的登录表单吗?我猜这就是sql注入的意思吧?我会对密码进行散列,但出于测试目的,我取出了md5,这样我可以看到传递给SQL的是什么,但我会在发布之前将其放回。md5不安全,至少使用salt sha256密码或php hash_密码函数。tbh这并不能回答问题,但这是一个好的观点。同意,当然,这对保护区的安全是很重要的。这个问题不可能回答,很明显,授权级别是错误的。num_行是肤浅的,对它的检查永远不会在没有结果的情况下发生,还有两种可能,注意密码比较是在PHP中完成的(不是MySQL)。MySQL查询在默认情况下是不区分大小写的。它是区分大小写的,但对黑客没有帮助,因为最初通过哈希运算获得密码的内容是未知的(所以你不能仅凭它是否是咸的来判断),但是我知道我在表单中输入了什么。而且它是在mysql端口上完成的,而不是在端口80上完成的,因此它不会很容易显示。即使他们能在mysql传输中看到密码的salt,也很难弄清楚它是在哪里添加的,在之前还是之后,因为他们同样不知道原始数据。基本上,通过原始数据和散列,您可以计算出所使用的方法。tbh这不是