堆栈内存溢出
  简体   繁体   English

如何使用 Angular.js、PHP 和 MySQL 防止基于 SQL 查询的注入

[英]How to prevent SQL query based injection using Angular.js ,PHP and MySQL

 原文  2015-11-18 04:34:43       php/ mysql/ angularjs

问题描述

I have a issue.I have a login page made using Angular.js,PHP and MySQL.When user is typing the following credential ,it is able to login.我有一个问题。我有一个使用 Angular.js、PHP 和 MySQL 制作的登录页面。当用户输入以下凭据时,它可以登录。

username-1' or '1' = '1' or '1
password- 1' or '1' = '1' or '1

I think this is the SQL query based injection.I am explaining my php code below.我认为这是基于 SQL 查询的注入。我在下面解释我的 php 代码。

login.php:登录.php:

<?php 
require_once '../../include/dbconfig.php'; 
$dept_id = $_SESSION["admin_dept_id"];
$postdata = file_get_contents("php://input");
$request = json_decode($postdata);
$user_name=$request->user_name;
$user_pass=$request->user_pass;

$password =sha1(htmlspecialchars(trim($user_pass)));
$selquery = "SELECT * FROM db_user WHERE login_name='".$user_name."' and password='".$password."' and user_status='1'";
$selres = mysql_query($selquery); 
if(mysql_num_rows($selres ) > 0){
    $result=mysql_fetch_array($selres); 
    $_SESSION["admin_id"]=$result['user_id'];
    $_SESSION["admin_user_name"]=$result['first_name']." ".$result['last_name'];
    $_SESSION["admin_user_type"]=$result['user_type'];
    $_SESSION["admin_email_id"]=$result['email'];
    $_SESSION["admin_role_id"]=$result['role_id'];
    $_SESSION["admin_clg_id"]=$result['colg_id'];
    $_SESSION["admin_dept_id"]=$result['dept_id'];
    //$result['msg'] = 'Login successfull...';
}else{
    header("HTTP/1.0 401 Unauthorized");
    $result['msg'] = 'Invalid username or password, Please try again...';
}
echo json_encode($result);
?>

Here I need to prevent this credentials for login.Please help me to resolve this issue.在这里,我需要阻止此凭据登录。请帮助我解决此问题。

1 个解决方案

解决方案1
 0 已采纳  2015-11-18 04:43:40

I suggest you read:我建议你阅读:

How can I prevent SQL injection in PHP? 如何防止 PHP 中的 SQL 注入?

In your case the problem is right here:在您的情况下,问题就在这里:

$selquery = "SELECT * FROM db_user WHERE login_name='".$user_name."' and password='".$password."' and user_status='1'";

For a quick fix, change it to:要快速修复,请将其更改为:

$selquery = "SELECT * FROM db_user WHERE login_name='".mysql_real_escape_string($user_name)."' and password='".mysql_real_escape_string($password)."' and user_status='1'";

For a long-term fix, convert your code to use PDO.对于长期修复,请将您的代码转换为使用 PDO。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用angular.js PHP从mysql显示数据? - How to display data from mysql using angular.js PHP? 使用MySQL,PHP和angular.js在数据库中插入数据数组 - Insert array of data in Database using MySQL,PHP and angular.js 如何组织angular.js中的SQL查询返回的列表 - How to organize a list returned by a sql query in angular.js 如何使用Angular.js,PHP和Mysql实现自动会话超时 - How to implement auto session timeout using Angular.js,PHP and Mysql 如何使用PHP,Angular.js和MySQL由单个用户提交的多行插入值 - How to insert value in multiple row by a single user submit using PHP,Angular.js and MySQL 如何防止用php和mysql进行sql注入 - How do I prevent sql injection with php and mysql 如何防止 PHP SQL 使用 PHP ZE6B391A8D2C4D45902DZ3A2 参数注入 - How to prevent PHP SQL Injection using PHP URL parameters 获取RangeError:使用angular.js和php - Getting RangeError: using angular.js and php 使用Angular.js和PHP获取TypeError - Getting TypeError using Angular.js and PHP 使用php和mysql的占位符来防止注入 - using placeholders with php and mysql to prevent injection
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM