最近有人入侵了我的 PHP CMS 并植入了 SQL 注入(inject)。有没有办法让我的登录代码更安全并防止黑客入侵?任何帮助都会很棒,谢谢。
登录表单
<div id="loginform">
<form method="post" action="check-login.php" name="form1">
<label for="username" /><span style="color:#FFFFFF; font-family:'Trebuchet MS', Arial, Helvetica, sans-serif;">username:</span></label>
<input type="text" name="myusername" id="username"/>
<label for="password"/><span style="color:#FFFFFF; font-family:'Trebuchet MS', Arial, Helvetica, sans-serif;">password:</span></label>
<input type="password" name="mypassword" id="password"/>
<label for="submit"></label>
<input type="submit" name="sumbit" value="Login">
</form>
</div>
PHP
mysql_connect ($host, $username, $password) or die ("can't connect");
mysql_select_db ($db_name) or die (mysql_error());
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];
$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result = mysql_query($sql);
$count = mysql_num_rows($result);
if ($count == 1){
session_register("myusername");
session_register("mypassword");
header("Location:cms/admin.php");
}else{
echo "Wrong username or password";
}
最佳答案
哇。这是一个大禁忌:
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];
您至少需要使用 mysql_real_escape_string 来清理这些输入。
改成这样:
$myusername = mysql_real_escape_string($_POST['myusername']);
$mypassword = mysql_real_escape_string($_POST['mypassword']);
htmlentities() 和 htmlspecialchars() 也很有用,但我建议不要对进入数据库的数据使用它们。
关于PHP CMS 登录黑客,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/9333545/