[英]sql injection login form error
我正在編寫有關如何使用舊的PHP代碼進行sql注入的教程。 我有這個代碼,我正在測試它,但我有一個錯誤,說:
致命錯誤:在非對象上調用成員函數fetch_assoc()
這是舊代碼:
<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="root"; // Mysql password
$db_name="graphic_db"; // Database name
$tbl_name="login"; // Table name
//if(!session_is_registered(myusername)){
//header("location:index.html");
$con=mysqli_connect($host,$username,$password,$db_name);
if(isset($_POST['login_submit'])){
if($_POST['username'] != '' && $_POST['password']!=''){
if(!isset($_SESSION))
{
session_start();
//session_register('username');
}
$result = mysqli_query($con, "SELECT * FROM login WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");
while($row = $result->fetch_assoc($result) ){
if(is_array($row)) {
$_SESSION["username"] = $row[$_POST["username"]];
$_SESSION['username'] = $_POST["username"];
header("Location:home.php");
}
else {
$message = "Invalid Username or Password!";
}
}
}
}
?>
您在代碼中混合了Object oriented style
和Procedural style
。僅使用一種樣式
面向對象的風格
$result = $mysqli->query( "SELECT * FROM login WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");
while($row = $result->fetch_assoc() ){
在程序風格
$result = mysqli_query($con, "SELECT * FROM login WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");
while($row = mysqli_fetch_assoc($result) ){
試試這段代碼$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="root"; // Mysql password
$db_name="graphic_db"; // Database name
$tbl_name="login"; // Table name
session_start();
$mysqli = new mysqli($host, $username, $password, $db_name);
if(isset($_POST['login_submit'])){
$stmt = $mysqli->prepare("SELECT * FROM login WHERE email=? AND password=? ");
$email = $_POST['username'];
$password = md5($_POST['password']);
$stmt->bind_param('ss', $email, $password);
$stmt->execute();
$stmt->bind_result($email, $password);
$stmt->store_result();
if($stmt->num_rows == 1) //To check if the row exists
{
while($stmt->fetch()) //fetching the contents of the row
{
$_SESSION['Logged'] = 1;
$_SESSION['Email'] = $email;
header('Location: home.php');
exit();
}
}
else
{
echo "Wrong Username or Password!";
}
$stmt->close();
$stmt->free_result();
}
使用准備好的查詢為您的SQL注入代碼。 這是最好的做法。
准備語句對於SQL注入非常有用,因為稍后使用不同協議傳輸的參數值無需正確轉義。 如果原始語句模板不是從外部輸入派生的,則不能進行SQL注入。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.