這是我第一次使用SESSIONS登錄系統。 想知道,如果SQL注入安全嗎?我的代碼是否安全的SQL注入?簡單會話登錄
<?php
$username = $_POST['username'];
$password = $_POST['password'];
if(isset($username, $password)) {
if(get_magic_quotes_gpc()) {
$ousername = stripslashes($username);
$uusername = mysql_real_escape_string(stripslashes($username));
$opassword = stripslashes($_POST['password']);
} else {
$uusername = mysql_real_escape_string($username);
$opassword = $password;
}
$req = mysql_query('select password,id from users where username="'.$uusername.'"');
$dn = mysql_fetch_array($req);
if($dn['password']==$opassword and mysql_num_rows($req)>0)
{
$form = false;
$_SESSION['username'] = $_POST['username'];
$_SESSION['userid'] = $dn['id'];
echo 'Logged in m8';
} else {
$form = true;
$message = 'The username or password is incorrect.';
}
} else {
$form = true;
}
if($form)
{
if(isset($message)) {
echo '<div class="message">'.$message.'</div>';
}
?>
,我在我的高分腳本之前得到一個SQL注入,所以我在想,如果我的簡單會話的登錄腳本有什麼,我40%有一個.. 什麼通常會導致SQL注入? 謝謝!
你在哪裏調用'mysql_connect'? – 2013-02-22 03:06:23
[SQL注入獲得mysql_real_escape_string()](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) – 2013-02-22 03:07:13
它是。但是,使用[準備語句的PDO](http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php)比mysql_保姆和手動轉義要容易得多。 – mario 2013-02-22 03:09:07