[英]Safe code for SQL Injection using mysql_*
I just want to know if there's a way of making your code using mysql_*
safe for SQL Injection. 我只想知道是否存在一种使
mysql_*
的代码安全用于SQL注入的方法。
I have this code inside my log.php: 我的log.php中有以下代码:
$username = $_POST['username'];
$password = $_POST['password'];
$status = $_POST['status'];
include("conn.php");
if($username && $password)
{
$query = mysql_query("SELECT * FROM student_users WHERE username='$username'");
if($query!=0)
{
while($rows = mysql_fetch_assoc($query))
{
$db_username = $rows['username'];
$db_password = $rows['password'];
}
if($username == $db_username && $password == $db_password)
{
header("location: stud.php");
$_SESSION['username'] = $db_username;
$_SESSION['stud_num'] = $db_stud_num;
break;
}
}
}
How can I test this for SQL Injection? 如何测试SQL注入?
I found a out some ideas that http://127.0.0.1/test/index.php?username=%27%20or%201=1%20/*&password=1
can use to test my website for SQL injection vulnerabilities. 我发现了一些想法,
http://127.0.0.1/test/index.php?username=%27%20or%201=1%20/*&password=1
: http://127.0.0.1/test/index.php?username=%27%20or%201=1%20/*&password=1
可用于测试我的网站的SQL注入漏洞。 But doesn't worked. 但是没有用。
I also try typing inside the input fields 1 OR 1 = 1; --
我也尝试在输入字段
1 OR 1 = 1; --
内输入1 OR 1 = 1; --
1 OR 1 = 1; --
but still doesn't work. 1 OR 1 = 1; --
但仍然不起作用。
I know that it maybe because of the condition I set inside my code but how can I know other hackers strategy for SQL Injection? 我知道这可能是因为我在代码中设置的条件所致,但是我如何才能知道其他黑客使用SQL注入的策略?
maybe just give me some easy-to-use tools for testing local websites. 也许只是给我一些易于使用的工具来测试本地网站。
Thanks for enlightening me :D 谢谢启发我:D
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$status = mysql_real_escape_string($_POST['status']);
$query = mysql_query("SELECT * FROM student_users WHERE username='$username'");
Try not using mysql_* code. 尝试不使用mysql_ *代码。 If you have beginning of the project rewrite all code to mysqli or PDO.
如果您是项目的开始,请将所有代码重写为mysqli或PDO。 (PDO is better.)
(PDO更好。)
If you want to use mysql_* use mysql_real_escape_string in all input field. 如果要使用mysql_ *,请在所有输入字段中使用mysql_real_escape_string。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.