堆栈内存溢出
  简体   繁体   English

如何更好地保护我的数据库连接

[英]How can I better secure my database connection

 原文  2012-09-29 00:58:50       php/ mysql/ security

问题描述

I've been told that this code is old way of connecting and is susceptible to sql injections. 有人告诉我,这段代码是旧的连接方式,容易受到sql注入的影响。 How can I make it secure? 如何确保它的安全性?

This is the code I use to check a database for users and add a new user if they don't have an account. 这是我用来检查数据库的用户并在没有帐户的情况下添加新用户的代码。 I tried mysqli but I don't think I got it right so I had to go back to this for now until I know how to make it secure. 我尝试了mysqli,但是我认为我做错了,所以我现在必须回到现在,直到我知道如何使其安全为止。 

<?php
// Connect to the database(host, username, password)
$con = mysql_connect('localhost','user1','pass1');
if (!$con)
{
    echo "Failed to make connection.";
    exit;
}
// Select the database. Enter the name of your database (not the same as the table name)
$db = mysql_select_db('db1');
if (!$db)
{
    echo "Failed to select db.";
    exit;
}
// $_POST['username'] and $_POST['password'] are the param names we sent in our click event in login.js
$username = $_POST['username'];
$password = $_POST['password'];
// Select eveything from the users table where username field == the username we posted and password field == the password we posted
$sql = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'";
$query = mysql_query($sql);
// If we find a match, create an array of data, json_encode it and echo it out
if (mysql_num_rows($query) > 0)
{
    $row = mysql_fetch_array($query);
    $response = array(
        'logged' => true,
        'name' => $row['name'],
        'email' => $row['email']
    );
    echo json_encode($response);
}
else
{
    // Else the username and/or password was invalid! Create an array, json_encode it and echo it out
    $response = array(
        'logged' => false,
        'message' => 'Invalid Username and/or Password'
    );
    echo json_encode($response);
}
?>

1 个解决方案

解决方案1
 1  2012-09-29 01:01:00

Any data coming from a user should be passed through mysql_real_escape_string(). 来自用户的任何数据都应通过mysql_real_escape_string()传递。 See the URL below for more information on using that function. 有关使用该功能的更多信息,请参见下面的URL。 It's very important. 这很重要。

http://php.net/manual/en/function.mysql-real-escape-string.php http://php.net/manual/zh/function.mysql-real-escape-string.php

Here is a little more information on SQL Injections with PHP: 这是有关使用PHP进行SQL注入的更多信息:

http://php.net/manual/en/security.database.sql-injection.php http://php.net/manual/zh/security.database.sql-injection.php

MySQLi Information (another technique besides mysql_real_escape_string): MySQLi信息(除mysql_real_escape_string之外的另一种技术):

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php http://php.net/manual/zh/mysqli.quickstart.prepared-statements.php

EDIT: OK, I'll admit, I'm kinda old-school. 编辑:好的,我承认,我有点老派。 MySQLi definitely seems to be the way to go. MySQLi无疑是必经之路。 I'm more familiar with PHP3 and PHP4 development. 我对PHP3和PHP4开发更加熟悉。 If you can, re-implement your data-access code using the last link. 如果可以,请使用最后一个链接重新实现数据访问代码。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何确保数据库连接安全? - How do I make my database connection secure? 如何保护我的PHP会话? - How can I secure my PHP sessions? 如何在PHP中保护我的$ _GET? - How can I secure my $_GETs in PHP? 使用共享托管并且无法访问外部Webroot时,如何保护数据库凭据? - How can I secure my database credentials when using shared hosting and no access to outside the webroot? 如何使该数据库架构更好? - How can I make this database schema better? 如何提高数据库响应时间和渲染时间? - How can I make my database response time & render time better? 如何保护与远程 mysql 数据库的连接 - How to secure a connection to a remote mysql database 如何使这个 php 数据库 class 更安全? - How can I make this php database class more secure? PDO数据库连接安全吗? - Is PDO database connection secure? Php与数据库的连接:它安全吗? - Php connection to database: is it secure?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM