我目前正在升級朋友網站的代碼,並且遇到登錄腳本的問題。我試圖通過使用mysql_real_escape_string()
來防止SQL注入。 mysql_escape_string()
正常,但mysql_real_escape_string()
沒有。這是我得到的:mysql_real_escape_string - 登錄腳本
if (isset($_POST['submit']))
{
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$db_link = db_connect("project");
$query = "SELECT * FROM user WHERE username = '$username' AND password = password('$password')";
$result = mysql_query($query) or die (mysql_error());
$numrows = mysql_num_rows($result);
if($numrows == 1)
{
RedirectToURL("home.php");
}
else
{
login_page("Invalid login! Try again");
}
}
else
{
login_page("");
}
也許這可能有幫助:http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php – Horen
移動它們在數據庫連接調用後發生。 –