我是一名年轻的开发人员,试图在我最初没有自己编写代码的网站上防止 Sql 注入(inject)。我读过很多关于注入(inject)及其背后理论的文章,但我似乎无法理解这一点。在我把头伸进显示器之前请帮助我。 谢谢 我的显示器
代码如下:
<div id="main">
<div id="header"><? include('site_headergraphics.php'); ?></div>
<table width="800" height="100%" border="0" cellspacing="0" cellpadding="0"
class="content">
<tr>
<td width="800" valign="top">
<div style="padding:10px;">
<? if($_SESSION[$_SESSION['SFIX'].'_owner_id'] == ''){ ?>
<br><br>
<form name="balance_login" method="post" action="<? if ($_GET['passthru']){
?>?passthru=<?= $_GET['passthru'] ?><? } else { ?>?<? } ?>">
<input name="action" type="hidden" value="login" />
<table width="780" border="0" cellpadding="5" bgcolor="#FFFFFF">
<tr>
<td><table width="780" border="0" cellpadding="5" cellspacing="0"
bgcolor="#F7C30F" class="body_text">
<tr>
<td colspan="3" align="left" class="rightmenu"><?= $passmessage ?><?=
$specialmessage ?></td>
</tr>
<tr>
<td colspan="2" align="left" valign="top" class="rightmenu">To sign on,
enter your information below.</td>
<td width="412" rowspan="5" valign="top"><p>Welcome to Mediterranean
Wellness!</p>
<p>Ready to join us? You can <a
href="index.php?section=payment">GET STARTED here. </a></p></td>
</tr>
<tr valign="top">
<td width="121" align="right" class="rightmenu">Username:</td>
<td width="217"><input name="username" type="text" class="body_text"
id="username" /></td>
<!--Added in the prevent SQL code injections-->
<?php /*?><?php unset($FindUser);
if(isset($_POST['username']))
{
$_POST['username'] =
trim($_POST['username']);
if(preg_match('/^[a-
zA-Z0-9^$.*+\[\]{,}]{1,32}$/u', $_POST['username']))
$FindUser =
$_POST['username'];
}
?><?php */?>
</tr>
<tr valign="top">
<td align="right" class="rightmenu">Password:</td>
<td><input name="password" type="password" class="body_text"
id="password" /></td>
<?php /*?><?php unset($FindPass);
if(isset($_POST['password']))
{
$_POST['password'] =
trim($_POST['password']);
if(preg_match('/^[a-
zA-Z0-9^$.*+\[\]{,}]{1,32}$/u', $_POST['password']))
$$FindPass =
$_POST['password'];
}
?><?php */?>
<!--End of code added in the prevent SQL code injections-->
</tr>
<tr valign="top">
<td> </td>
<td><input name="Submit" type="submit" class="body_text"
value="Login" />
<?php
function make_safe($variable) {
$variable =
mysql_real_escape_string(trim($variable));
return $variable;
}
$username = make_safe($_POST['username']);
$password = make_safe($_POST['password']);
$check = mysql_query("SELECT Username,
Password, UserLevel FROM Users WHERE Username = '".$username."' and Password =
'".$password."'");
?>
<br>
<br>
<a href="?section=forgot">Forgot your username or password?</a></td>
</tr>
<tr>
<td> </td>
<td colspan="2"> </td>
</tr>
</table></td>
</tr>
</table>
</form>
<? } else { ?>
<p class="body_text">You must <a href="?user_action=logout">logout</a> to continue
to this page</p>
<? } ?>
</div></td>
</tr>
</table>
</div>
最佳答案
我认为避免 SQL 注入(inject)的最好方法是使用 prepared statements当您查询数据库时。
此外,您应该清理代码以使其更具可读性,并且使用像 MVC 这样的设计模式会给它一个更好的结构。
关于php - 为什么我的代码在尝试防止 Sql 注入(inject)时不起作用?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/12271747/