0
我以前一直在使用MYSQL,而且我不是專家,但已經設法生成一個簡單的MySQL登錄腳本。但我知道我的腳本是基本的和過時的,我應該使用MYSQLI,創建一個安全的MYSQLI登錄腳本?
但是,MYSQLI並沒有真正意義,因爲我已經在MySQL中嘗試了下面的代碼,但我無法讓它工作,我得到未定義的索引錯誤。
<?php
session_start();
include("config.php");
if (mysqli_connect_errno())
{
echo 'MySQLi Connection was not established:';
}
// checking the user
$myusername = mysqli_real_escape_string($conn,$_POST[‘myusername’]);
$pass = mysqli_real_escape_string($conn,$_POST[‘mypassword’]);
$sel_user = 'select * from supplier_users where username=’$myusername’ AND password=’$pass';
$run_user = mysqli_query($conn, $sel_user);
$check_user = mysqli_num_rows($run_user);
if($check_user>0){
$_SESSION[‘user’]=$myusername;
echo 「success」;
}
else {
echo 「fail」;
}
?>
這裏是我的MySQL登錄腳本的正常工作:
<?php
session_start();
include("config.php");
$tbl_name="internal_users";
$tbl_name2="supplier_users";
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql = "select * from $tbl_name where username = '$myusername' and password = '$mypassword'
union
select * from $tbl_name2 where username = '$myusername' and password = '$mypassword'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
$row=mysql_fetch_array($result);
if($count==1){
session_start();
include("variables.php");
if($result){
$sql2 = "UPDATE $tbl_name2 SET online = 'online' WHERE online = 'offline' AND username = '$myusername'";
$result2=mysql_query($sql2);
$sql21 = "UPDATE $tbl_name SET online = 'online' WHERE online = 'offline' AND username = '$myusername'";
$result21=mysql_query($sql21); }
else
$_SESSION['val']=1;
header("location:../dashboard.php");
}
else {
$_SESSION['message2'] = '<div id="message_box2"><div class="boxclose" id="boxclose" onclick="this.parentNode.parentNode.removeChild(this.parentNode);">✖</div><h23>Oooops!</h23><p>The Username and Password Combination do not match. Please try again.</p> </div>';
header("location:../index.php");
}
ob_end_flush();
?>
我的config.php文件看起來是這樣的:
<?php
$host="localhost";
$username="mark";
$password="password";
$db_name="hewden1";
$conn = mysql_connect($host, $username, $password) or die("Could Not Connect to Server");
$db = mysql_select_db($db_name)or die("Cannot Connect the Database");
?>
我的問題是,可能有人請告訴我如何我可以將我的簡單登錄腳本從MYSQL轉換爲MYSQLI,並使其更加安全,我試圖在上面做到這一點?我真的很感激任何人的幫助,因爲我真的很難理解。
感謝
你可以檢查[this](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php/14110189#14110189)post的詳細解釋 – krishna
幹得好防禦SQL注入,但是您絕對不應該以純文本形式存儲密碼。如果您的數據庫泄漏出去,您的用戶的安全性可能會在其他地方受到影響。在使用MySQLi方面,你有沒有閱讀手冊,或看過例子?網上有很多,包括在這個網站上。 – halfer