登录表单的简单SQL注入解决方案?
[英]Simple sql injection solution for login forms?
问题描述
I saw several examples and people using this way to query the database in a login form. 
我看到了几个示例,人们使用这种方式以登录表单查询数据库。 I'm not fully sure is this is the best way to do a login form secure. 我不确定这是否是确保登录表单安全的最佳方法。
This is the query in PHP: 这是PHP中的查询:
$query = "SELECT * FROM users WHERE usern = '".$_POST['username']."' AND passw = '".md5($_POST['password'])."'";
Is enough having md5() on the password post to avoid sql injection?. 在密码栏中输入md5()是否足以避免sql注入? I think that the md5 function will convert all characters and sql strings to a 32 char string. 我认为md5函数会将所有字符和sql字符串转换为32个字符的字符串。
Which other ways can I protect the login form? 我还可以通过哪些其他方式保护登录表单?
7 个解决方案
解决方案1
6 已采纳 2012-03-30 15:39:31
mysql_real_escape_string($_POST['username']) , etc. mysql_real_escape_string($_POST['username'])等
Although it's better to use the mysqli extension and use prepared statements. 尽管最好使用mysqli扩展名并使用准备好的语句。
(Assuming you're using MySQL) (假设您使用的是MySQL)
Edit: In response to the comment below, it might be good to use this for LIKE queries: 编辑:为回应以下评论,最好将其用于LIKE查询:
addcslashes(mysql_real_escape_string($_POST['username']), '%_')
解决方案2
0
Just one simple solution use parameters for fields like username and password so that SQL command string is separably sent from the parameters and then attacker will only get blank responses.When parameters are used SQL command string is parsed and compiled separately from the parameters. 仅有一种简单的解决方案在用户名和密码等字段中使用参数,以便将SQL命令字符串与参数分开发送,然后攻击者将仅获得空白响应。使用参数时,将SQL命令字符串与参数分开进行解析和编译。 Using prepared statements is the best solution. 使用准备好的语句是最好的解决方案。
解决方案3
0 2012-03-30 15:38:58
You must sanitize your data before you let it near your database. 您必须先清理数据,然后才能将其放到数据库中。 The simplest way to do this is by using mysql_real_escape_string($_POST['username']) but this is only the very least you need to do. 最简单的方法是使用mysql_real_escape_string($_POST['username'])但这仅是您最少要做的事情。
If you're using a framework like CodeIgniter, you can use their in-build functionality which strips $_POST or $_GET inputs of any XSS risk. 如果您使用的是CodeIgniter之类的框架,则可以使用其内置功能来消除$ _POST或$ _GET输入的任何XSS风险。 Otherwise, I'd recommend these posts: 否则,我建议这些帖子:
解决方案4
0 2012-03-30 15:40:03
You need to escape $_POST['username'] as well 您还需要转义$_POST['username']
and yes md5 will protect you from sql injection. 是的md5将保护您免受sql注入。
For this example, something like this would be ok 对于此示例,这样的事情就可以了
$query = "SELECT * FROM users WHERE MD5(usern) = '".md5($_POST['username'])."' AND passw = '".md5($_POST['password'])."'";
解决方案5
0 2012-03-30 15:41:05
The way you have build your query easily allows to inject pieces of code in the username. 建立查询的方式可以轻松地在用户名中插入代码段。 You can use prepared statements to avoid that: http://php.net/manual/en/pdo.prepared-statements.php 您可以使用准备好的语句来避免这种情况: http : //php.net/manual/zh/pdo.prepared-statements.php
Prepared statements basically will describe how the statement will be structured, and adds the data afterwards. 准备好的语句基本上将描述该语句的结构,然后再添加数据。 This way, the user can not alter the structure of the statement with the input data. 这样,用户无法使用输入数据更改语句的结构。
解决方案6
0 2012-03-30 15:41:27
If you make a function which sanitizes all POSTS and GETS you are safe 如果您执行的功能可以对所有POST和GETS进行消毒,那将是安全的
function clean() {
foreach($_POST as $key => $val) {
$_POST[$key] = mysql_real_escape_string($val);
}
}
You can also use PDO and statements with variables, and PDO will clean automatically. 您还可以将PDO和带有变量的语句一起使用,PDO将自动清除。
解决方案7
0 2012-03-30 15:51:07
<?php
try {
$dbh = new PDO("mysql:host=$hostname;dbname=$db", $dbusername, $dbpassword);
$query = "SELECT * FROM users WHERE usern = ? AND passw = ?";
$sth=$dbh->prepare($sql);
$sth->execute(array($_POST['username'], md5($_POST['password']));
$result = $sth->fetch();
}
} catch(PDOException $e) {
echo $e->getMessage();
exit;
}
PDO is the Best way to stop SQL Injection in PHP PDO是停止PHP中的SQL注入的最佳方法
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.