sql injection login form error
Question
I am working on tutorial about how to make an sql injection with old php code. I have this code that I am testing on it, but I have an error that said:
Fatal error: Call to a member function fetch_assoc() on a non-object
This is the old code:
<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="root"; // Mysql password
$db_name="graphic_db"; // Database name
$tbl_name="login"; // Table name
//if(!session_is_registered(myusername)){
//header("location:index.html");
$con=mysqli_connect($host,$username,$password,$db_name);
if(isset($_POST['login_submit'])){
if($_POST['username'] != '' && $_POST['password']!=''){
if(!isset($_SESSION))
{
session_start();
//session_register('username');
}
$result = mysqli_query($con, "SELECT * FROM login WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");
while($row = $result->fetch_assoc($result) ){
if(is_array($row)) {
$_SESSION["username"] = $row[$_POST["username"]];
$_SESSION['username'] = $_POST["username"];
header("Location:home.php");
}
else {
$message = "Invalid Username or Password!";
}
}
}
}
?>
3 answers
solution1
3 2015-12-21 08:58:02
You have mixing Object oriented style and Procedural style in your code .Use only one style as
In Object oriented style
$result = $mysqli->query( "SELECT * FROM login WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");
while($row = $result->fetch_assoc() ){
In Procedural style
$result = mysqli_query($con, "SELECT * FROM login WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");
while($row = mysqli_fetch_assoc($result) ){
solution2
0 2015-12-21 08:58:06
试试这段代码$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
solution3
0 2015-12-21 09:03:04
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="root"; // Mysql password
$db_name="graphic_db"; // Database name
$tbl_name="login"; // Table name
session_start();
$mysqli = new mysqli($host, $username, $password, $db_name);
if(isset($_POST['login_submit'])){
$stmt = $mysqli->prepare("SELECT * FROM login WHERE email=? AND password=? ");
$email = $_POST['username'];
$password = md5($_POST['password']);
$stmt->bind_param('ss', $email, $password);
$stmt->execute();
$stmt->bind_result($email, $password);
$stmt->store_result();
if($stmt->num_rows == 1) //To check if the row exists
{
while($stmt->fetch()) //fetching the contents of the row
{
$_SESSION['Logged'] = 1;
$_SESSION['Email'] = $email;
header('Location: home.php');
exit();
}
}
else
{
echo "Wrong Username or Password!";
}
$stmt->close();
$stmt->free_result();
}
Use prepared query for your sql injection code. it is best practice for it.
Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.