sql注入登录表单错误
[英]sql injection login form error
问题描述
I am working on tutorial about how to make an sql injection with old php code. 
我正在编写有关如何使用旧的PHP代码进行sql注入的教程。 I have this code that I am testing on it, but I have an error that said: 我有这个代码,我正在测试它,但我有一个错误,说:
Fatal error: Call to a member function fetch_assoc() on a non-object
This is the old code: 这是旧代码:
<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="root"; // Mysql password
$db_name="graphic_db"; // Database name
$tbl_name="login"; // Table name
//if(!session_is_registered(myusername)){
//header("location:index.html");
$con=mysqli_connect($host,$username,$password,$db_name);
if(isset($_POST['login_submit'])){
if($_POST['username'] != '' && $_POST['password']!=''){
if(!isset($_SESSION))
{
session_start();
//session_register('username');
}
$result = mysqli_query($con, "SELECT * FROM login WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");
while($row = $result->fetch_assoc($result) ){
if(is_array($row)) {
$_SESSION["username"] = $row[$_POST["username"]];
$_SESSION['username'] = $_POST["username"];
header("Location:home.php");
}
else {
$message = "Invalid Username or Password!";
}
}
}
}
?>
3 个解决方案
解决方案1
3 2015-12-21 08:58:02
You have mixing Object oriented style and Procedural style in your code .Use only one style as 您在代码中混合了Object oriented style和Procedural style 。仅使用一种样式
In Object oriented style 面向对象的风格
$result = $mysqli->query( "SELECT * FROM login WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");
while($row = $result->fetch_assoc() ){
In Procedural style 在程序风格
$result = mysqli_query($con, "SELECT * FROM login WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");
while($row = mysqli_fetch_assoc($result) ){
Read http://php.net/manual/en/mysqli-result.fetch-assoc.php 阅读http://php.net/manual/en/mysqli-result.fetch-assoc.php
解决方案2
0 2015-12-21 08:58:06
试试这段代码$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
解决方案3
0 2015-12-21 09:03:04
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="root"; // Mysql password
$db_name="graphic_db"; // Database name
$tbl_name="login"; // Table name
session_start();
$mysqli = new mysqli($host, $username, $password, $db_name);
if(isset($_POST['login_submit'])){
$stmt = $mysqli->prepare("SELECT * FROM login WHERE email=? AND password=? ");
$email = $_POST['username'];
$password = md5($_POST['password']);
$stmt->bind_param('ss', $email, $password);
$stmt->execute();
$stmt->bind_result($email, $password);
$stmt->store_result();
if($stmt->num_rows == 1) //To check if the row exists
{
while($stmt->fetch()) //fetching the contents of the row
{
$_SESSION['Logged'] = 1;
$_SESSION['Email'] = $email;
header('Location: home.php');
exit();
}
}
else
{
echo "Wrong Username or Password!";
}
$stmt->close();
$stmt->free_result();
}
Use prepared query for your sql injection code. 使用准备好的查询为您的SQL注入代码。 it is best practice for it. 这是最好的做法。
Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. 准备语句对于SQL注入非常有用,因为稍后使用不同协议传输的参数值无需正确转义。 If the original statement template is not derived from external input, SQL injection cannot occur. 如果原始语句模板不是从外部输入派生的,则不能进行SQL注入。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.