1. 首頁
  2. 問答
  3. 創建一個安全的MYSQLI登錄腳本?

創建一個安全的MYSQLI登錄腳本?

2015-01-05 60 views
0

我以前一直在使用MYSQL,而且我不是專家,但已經設法生成一個簡單的MySQL登錄腳本。但我知道我的腳本是基本的和過時的,我應該使用MYSQLI,創建一個安全的MYSQLI登錄腳本?

但是,MYSQLI並沒有真正意義,因爲我已經在MySQL中嘗試了下面的代碼,但我無法讓它工作,我得到未定義的索引錯誤。

<?php 
session_start(); 
include("config.php"); 

if (mysqli_connect_errno()) 

{ 

echo 'MySQLi Connection was not established:'; 

} 

// checking the user 



$myusername = mysqli_real_escape_string($conn,$_POST[‘myusername’]); 

$pass = mysqli_real_escape_string($conn,$_POST[‘mypassword’]); 

$sel_user = 'select * from supplier_users where username=’$myusername’ AND password=’$pass'; 

$run_user = mysqli_query($conn, $sel_user); 

$check_user = mysqli_num_rows($run_user); 

if($check_user>0){ 

$_SESSION[‘user’]=$myusername; 

echo 「success」; 

} 

else { 

echo 「fail」; 

} 


?>

這裏是我的MySQL登錄腳本的正常工作:

<?php 
session_start(); 
include("config.php"); 
$tbl_name="internal_users"; 
$tbl_name2="supplier_users"; 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 
$myusername = stripslashes($myusername); 
$mypassword = stripslashes($mypassword); 
$myusername = mysql_real_escape_string($myusername); 
$mypassword = mysql_real_escape_string($mypassword); 
$sql = "select * from $tbl_name where username = '$myusername' and password = '$mypassword' 
union 
select * from $tbl_name2 where username = '$myusername' and password = '$mypassword'"; 
$result=mysql_query($sql); 
$count=mysql_num_rows($result); 
$row=mysql_fetch_array($result); 
if($count==1){ 
session_start(); 
include("variables.php"); 
if($result){ 
$sql2 = "UPDATE $tbl_name2 SET online = 'online' WHERE online = 'offline' AND username = '$myusername'"; 
$result2=mysql_query($sql2); 
$sql21 = "UPDATE $tbl_name SET online = 'online' WHERE online = 'offline' AND username = '$myusername'"; 
$result21=mysql_query($sql21); } 
else 
$_SESSION['val']=1; 
header("location:../dashboard.php"); 
} 
else { 
$_SESSION['message2'] = '<div id="message_box2"><div class="boxclose" id="boxclose" onclick="this.parentNode.parentNode.removeChild(this.parentNode);">&#10006;</div><h23>Oooops!</h23><p>The Username and Password Combination do not match. Please try again.</p> </div>'; 
header("location:../index.php"); 
} 
ob_end_flush(); 
?>

我的config.php文件看起來是這樣的:

<?php 
$host="localhost"; 
$username="mark"; 
$password="password"; 
$db_name="hewden1"; 
$conn = mysql_connect($host, $username, $password) or die("Could Not Connect to Server"); 
$db = mysql_select_db($db_name)or die("Cannot Connect the Database"); 
?>

我的問題是,可能有人請告訴我如何我可以將我的簡單登錄腳本從MYSQL轉換爲MYSQLI,並使其更加安全,我試圖在上面做到這一點?我真的很感激任何人的幫助,因爲我真的很難理解。

感謝

來源

2015-01-05 James Daley

+0

你可以檢查[this](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php/14110189#14110189)post的詳細解釋 – krishna

+0

幹得好防禦SQL注入,但是您絕對不應該以純文本形式存儲密碼。如果您的數據庫泄漏出去,您的用戶的安全性可能會在其他地方受到影響。在使用MySQLi方面,你有沒有閱讀手冊,或看過例子?網上有很多,包括在這個網站上。 – halfer

回答

0

,你發佈的mysqli的代碼似乎有點畸形,報價有一些其他的編碼類型報價:」當它應該是「IDK如果這將使意義,但。 另外在你的SELECT語句:

$sel_user = 'select * from supplier_users where username=’$myusername’ AND password=’$pass';
到底

報價失蹤,它應該是像

$sel_user = "select * from supplier_users where username='$myusername' AND password='$pass'";

,它並沒有什麼意義使用mysql()代替的mysqli( ),因爲前者已折舊。

來源

2015-01-05 11:24:01 Arfan

相關問題

 相關問題