stackoom
  简体   繁体   中英

How can I better secure my database connection

 原文  2012-09-29 00:58:50       php/ mysql/ security

Question

I've been told that this code is old way of connecting and is susceptible to sql injections. How can I make it secure?

This is the code I use to check a database for users and add a new user if they don't have an account. I tried mysqli but I don't think I got it right so I had to go back to this for now until I know how to make it secure. 

<?php
// Connect to the database(host, username, password)
$con = mysql_connect('localhost','user1','pass1');
if (!$con)
{
    echo "Failed to make connection.";
    exit;
}
// Select the database. Enter the name of your database (not the same as the table name)
$db = mysql_select_db('db1');
if (!$db)
{
    echo "Failed to select db.";
    exit;
}
// $_POST['username'] and $_POST['password'] are the param names we sent in our click event in login.js
$username = $_POST['username'];
$password = $_POST['password'];
// Select eveything from the users table where username field == the username we posted and password field == the password we posted
$sql = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'";
$query = mysql_query($sql);
// If we find a match, create an array of data, json_encode it and echo it out
if (mysql_num_rows($query) > 0)
{
    $row = mysql_fetch_array($query);
    $response = array(
        'logged' => true,
        'name' => $row['name'],
        'email' => $row['email']
    );
    echo json_encode($response);
}
else
{
    // Else the username and/or password was invalid! Create an array, json_encode it and echo it out
    $response = array(
        'logged' => false,
        'message' => 'Invalid Username and/or Password'
    );
    echo json_encode($response);
}
?>

1 answers

solution1
 1  2012-09-29 01:01:00

Any data coming from a user should be passed through mysql_real_escape_string(). See the URL below for more information on using that function. It's very important.

http://php.net/manual/en/function.mysql-real-escape-string.php

Here is a little more information on SQL Injections with PHP:

http://php.net/manual/en/security.database.sql-injection.php

MySQLi Information (another technique besides mysql_real_escape_string):

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

EDIT: OK, I'll admit, I'm kinda old-school. MySQLi definitely seems to be the way to go. I'm more familiar with PHP3 and PHP4 development. If you can, re-implement your data-access code using the last link.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How do I make my database connection secure? How can I secure my PHP sessions? How can I secure my $_GETs in PHP? How can I secure my database credentials when using shared hosting and no access to outside the webroot? How can I make this database schema better? How can I make my database response time & render time better? How to secure a connection to a remote mysql database How can I make this php database class more secure? Is PDO database connection secure? Php connection to database: is it secure?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM