我會如何防止SQL注入這樣的SQL查詢?如何在使用MySQLi時防止SQL注入?
<?php
$mysqli = new mysqli("ip", "username", "pass", "database");
/* check connection */
if (mysqli_connect_errno()) {
printf("Sorry, the login server is 'Under Maintainance'");
exit();
}
$username = $_POST["username1"];
$username = strtolower($username);
$password = $_POST['password1'];
$hash = sha1(strtolower($username) . $password);
$query = "SELECT * FROM accounts WHERE name='$username'";
if ($result = $mysqli->query($query)) {
/* determine number of rows result set */
$rownum = $result->num_rows;
if($rownum != 0)
{
while ($row = $result->fetch_assoc()) {
{
$acct = $row['acct'];
$pass = $row['pass'];
}
if($hash == $pass){
session_start();
$_SESSION['name']=$username;
$_SESSION['acct']=$acct;
header('Location:index.php');
} else {
echo 'There was an error when logging in. Make sure your password and username are correct.';
}
}
$result->close();
}
else
{
echo 'Account does not exist. Please <a href="register.php">Register</a> an account before logging in.';
}
$mysqli->close();
}
?>
我已經添加了加密,但我似乎無法找到一種預防方法,我知道如何使用呢。另外,用戶是否可以在不使用輸入框的情況下使用MySQL注入? (分割頁面)
防止黑客行爲是不可能的。你必須僱用人來保護你的代碼庫,以防有人在添加保護之前及時回擊它。 – 2013-05-04 20:31:09
hahahah post是關於sql注入的,而不是像緩衝區溢出和所有那些很酷的東西 – 2013-05-04 20:32:23