PHP: How do I prevent SQL injection when using MySQLi?
How can I prevent SQL injection in an SQL query like this?
<?php
$mysqli = new mysqli("ip", "username", "pass", "database");
/* check connection */
if (mysqli_connect_errno()) {
    printf("Sorry, the login server is 'Under Maintainance'");
    exit();
}
$username = $_POST["username1"];
$username = strtolower($username);
$password = $_POST['password1'];
$hash = sha1(strtolower($username) . $password);
/* $username from $_POST is interpolated directly into the SQL string */
$query = "SELECT * FROM accounts WHERE name='$username'";
if ($result = $mysqli->query($query)) {
    /* determine number of rows result set */
    $rownum = $result->num_rows;
    if ($rownum != 0) {
        while ($row = $result->fetch_assoc()) {
            {
                $acct = $row['acct'];
                $pass = $row['pass'];
            }
            if ($hash == $pass) {
                session_start();
                $_SESSION['name'] = $username;
                $_SESSION['acct'] = $acct;
                header('Location:index.php');
            } else {
                echo 'There was an error when logging in. Make sure your password and username are correct.';
            }
        }
        $result->close();
    } else {
        echo 'Account does not exist. Please <a href="register.php">Register</a> an account before logging in.';
    }
    $mysqli->close();
}
?>
The encryption and the query are unrelated.
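You are already using mysqli, which is good, but you are not sanitizing the inputs to the query (namely $username, which probably doesn't need to be strtolower'ed either).
You should be using a properly parameterized query for this: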
$query = "SELECT acct, pass FROM accounts WHERE name = ?";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("s", $username);
$stmt->execute();
// bind_result() needs one variable per selected column, so the columns are named
$stmt->bind_result($acct, $pass);
$stmt->fetch();
// $acct and $pass are now properly set
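SQL injection is not limited to users. You can even accidentally inject into your own code, and an injection doesn't have to be malicious. So you should always parameterize queries properly, even if you think there is no risk of malicious injection.
It is impossible to prevent hacking. You have to hire people to protect your code base in case someone hacks into it before you have added protection... buffer overflows and all the cool stuff.
strtolower is what I use so that multiple users can't have the same username. For example: User and user :)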
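The answer's parameterized query placed in the question's login flow, as an added example that is not part of the original thread. It assumes the `accounts` table has the `name`, `acct` and `pass` columns the question's code reads, and it keeps the question's connection placeholders and SHA-1 scheme; `find_account` is a hypothetical helper name.

```php
<?php
// Added example, not the original poster's code. Connection values are the
// page's placeholders; table and column names (accounts: name, acct, pass)
// are assumed from the question's code.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors

// Look up one account by name; returns ['acct', 'pass'] or null if absent.
function find_account(mysqli $db, string $username): ?array
{
    // The value for ? is sent separately from the SQL text, so quotes in
    // $username cannot change the structure of the statement.
    $stmt = $db->prepare('SELECT acct, pass FROM accounts WHERE name = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    // Two selected columns, two bound variables.
    $stmt->bind_result($acct, $pass);
    $found = $stmt->fetch();          // true = row fetched, null = no row
    $stmt->close();
    return $found ? ['acct' => $acct, 'pass' => $pass] : null;
}

$mysqli = new mysqli('ip', 'username', 'pass', 'database');
$username = strtolower($_POST['username1'] ?? '');
$password = $_POST['password1'] ?? '';

$account = find_account($mysqli, $username);
// Same hashing scheme as the question, kept so existing rows still match.
$hash = sha1($username . $password);

// hash_equals() compares as strings in constant time; == on hex strings
// can treat two "0e<digits>" values as equal numbers.
if ($account !== null && hash_equals((string) $account['pass'], $hash)) {
    session_start();
    session_regenerate_id(true);      // fresh session id after login
    $_SESSION['name'] = $username;
    $_SESSION['acct'] = $account['acct'];
    header('Location: index.php');
    exit;
}
// One message for an unknown user and a wrong password alike.
echo 'There was an error when logging in. Make sure your password and username are correct.';
$mysqli->close();
```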