21,887
社区成员
发帖
与我相关
我的任务
分享会员注册与登录,如何防止sql注入,求大神帮忙!
/*****register.html*****/
<html>
<meta charset="gbk">
<head>
<title>用户注册 </title>
</head>
<body>
<form action="index.php" method="post">
<table>
<tr>
<td>用户名:</td><td><input type="text" name="username"/></td>
</tr>
<tr>
<td>密 码:</td><td><input type="password" name="password"/></td>
</tr>
<tr>
<td>确认密码: </td> <td><input type="password" name="confirm"/></td>
</tr>
<tr>
<td><input type="Submit" name="Submit" value="注册"/> </td>
<td><a href="denglu.html">登录</a> </td>
</tr>
</table>
</form>
</body>
</html>
/***index.php****/
<!doctype html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=GBK" />
<title>test</title>
</head>
<body>
<?php
$user = @ $_POST["username"];
$psw = @ $_POST["password"];
$psw_confirm = @ $_POST["confirm"];
if($user == "" || $psw == "" || $psw_confirm == "")
{
echo "<script>alert('请确认信息完整性!'); history.go(-1);</script>";
}
else
{
if($psw == $psw_confirm)
{
mysql_connect("localhost","phpcms","123456"); //连接数据库
mysql_select_db("phpcms"); //选择数据库
mysql_query("set names 'gdk'"); //设定字符集
$sql = "select username from user where username = '$_POST[username]'"; //SQL语句
$result = mysql_query($sql); //执行SQL语句
$num = mysql_num_rows($result); //统计执行结果影响的行数
if($num) //如果已经存在该用户
{
echo "<script>alert('用户名已存在'); </script>";
}
else //不存在当前注册用户名称
{
$sql_insert = "insert into user (username,password) values('$_POST[username]','$_POST[password]')";
$res_insert = mysql_query($sql_insert);
if($res_insert)
{
echo "<script>alert('注册成功!'); </script>";
}
else
{
echo "<script>alert('系统繁忙,请稍候!');</script>";
}
}
}
else
{
echo "<script>alert('密码不一致!'); </script>";
}
}
?>
</body>
</html>
/*****登录 denglu.html*****/
<!DOCUTPYE html>
<meta charset="gbk">
<head>
<title>用户登录</title>
</head>
<script src="jquery path"></script>
<body>
<form action="login.php" method="post">
<table>
<tr>
<td>用户名:</td><td><input type="text" name="username" /> </td>
</tr>
<td>密 码:</td><td><input type="password" name="password" /></td>
<tr>
<td> <input type="submit" name="submit" value="登陆" /></td>
<td> <a href="register.html">注册 </a> </td>
</tr>
</table>
</form>
</body>
</html>
/***login.php***/
<!DOCUTPYE html>
<meta charset="gbk">
<head>
<title>用户登录</title>
</head>
<body>
<?php
$user =$_POST["username"];
$psw =$_POST["password"];
$new_pwd =$_POST["password"];
if($user == "" || $psw == "")
{
echo "<script>alert('请输入用户名或密码!'); </script>";
}
else
{
mysql_connect("localhost","phpcms","123456");
mysql_select_db("phpcms");
mysql_query("set names 'gbk'");
$sql = "select username,password from user where username = '$_POST[username]' and password = '$_POST[password]'";
echo 'sql=['.$sql.']';
$result = mysql_query($sql);
if($result){
$row = mysql_fetch_array($result); //将数据以索引方式储存在数组中
}
if($row)
{
//$num = mysql_num_rows($result);
echo $row[0].'<br/>';
echo '修改密码';
echo'<form name="mod_pwd" action="xiugai.php" method="post" >
<table cellpadding="0" cellspacing="1">
<tr>
<th class="criteria"> 原始密码: </th>
<td><input type="password" name="curr_pwd" size="15" maxlength="15" value="$_POST["confirm"]"></td>
</tr>
<tr>
<th class="criteria"> 新密码: </th>
<td><input type="password" name="new_pwd" size="15" maxlength="15" value=""></td>
</tr>
<tr>
<th class="criteria"> 确认新密码: </th>
<td><input type="password" name="renew_pwd" size="15" maxlength="15" value="">
<input type="submit" name="submit" value="提交"></td>
</tr>
</table>
</form>';
}
else
{
echo "<script>alert('用户名或密码不正确!');</script>";
}
}
?>
</body>
</html>
代码如上,本人是初学者,希望大神能帮忙。让本人学习一下!
<html>
<meta charset="gbk">
<head>
<title>用户注册 </title>
</head>
<body>
<form action="index.php" method="post">
<table>
<tr>
<td>用户名:</td><td><input type="text" name="username"/></td>
</tr>
<tr>
<td>密 码:</td><td><input type="password" name="password"/></td>
</tr>
<tr>
<td>确认密码: </td> <td><input type="password" name="confirm"/></td>
</tr>
<tr>
<td><input type="Submit" name="Submit" value="注册"/> </td>
<td><a href="denglu.html">登录</a> </td>
</tr>
</table>
</form>
</body>
</html>
/***index.php****/
<!doctype html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=GBK" />
<title>test</title>
</head>
<body>
<?php
$user = @ $_POST["username"];
$psw = @ $_POST["password"];
$psw_confirm = @ $_POST["confirm"];
if($user == "" || $psw == "" || $psw_confirm == "")
{
echo "<script>alert('请确认信息完整性!'); history.go(-1);</script>";
}
else
{
if($psw == $psw_confirm)
{
mysql_connect("localhost","phpcms","123456"); //连接数据库
mysql_select_db("phpcms"); //选择数据库
mysql_query("set names 'gdk'"); //设定字符集
$sql = "select username from user where username = '$_POST[username]'"; //SQL语句
$result = mysql_query($sql); //执行SQL语句
$num = mysql_num_rows($result); //统计执行结果影响的行数
if($num) //如果已经存在该用户
{
echo "<script>alert('用户名已存在'); </script>";
}
else //不存在当前注册用户名称
{
$sql_insert = "insert into user (username,password) values('$_POST[username]','$_POST[password]')";
$res_insert = mysql_query($sql_insert);
if($res_insert)
{
echo "<script>alert('注册成功!'); </script>";
}
else
{
echo "<script>alert('系统繁忙,请稍候!');</script>";
}
}
}
else
{
echo "<script>alert('密码不一致!'); </script>";
}
}
?>
</body>
</html>
/*****登录 denglu.html*****/
<!DOCUTPYE html>
<meta charset="gbk">
<head>
<title>用户登录</title>
</head>
<script src="jquery path"></script>
<body>
<form action="login.php" method="post">
<table>
<tr>
<td>用户名:</td><td><input type="text" name="username" /> </td>
</tr>
<td>密 码:</td><td><input type="password" name="password" /></td>
<tr>
<td> <input type="submit" name="submit" value="登陆" /></td>
<td> <a href="register.html">注册 </a> </td>
</tr>
</table>
</form>
</body>
</html>
/***login.php***/
<!DOCUTPYE html>
<meta charset="gbk">
<head>
<title>用户登录</title>
</head>
<body>
<?php
$user =$_POST["username"];
$psw =$_POST["password"];
$new_pwd =$_POST["password"];
if($user == "" || $psw == "")
{
echo "<script>alert('请输入用户名或密码!'); </script>";
}
else
{
mysql_connect("localhost","phpcms","123456");
mysql_select_db("phpcms");
mysql_query("set names 'gbk'");
$sql = "select username,password from user where username = '$_POST[username]' and password = '$_POST[password]'";
echo 'sql=['.$sql.']';
$result = mysql_query($sql);
if($result){
$row = mysql_fetch_array($result); //将数据以索引方式储存在数组中
}
if($row)
{
//$num = mysql_num_rows($result);
echo $row[0].'<br/>';
echo '修改密码';
echo'<form name="mod_pwd" action="xiugai.php" method="post" >
<table cellpadding="0" cellspacing="1">
<tr>
<th class="criteria"> 原始密码: </th>
<td><input type="password" name="curr_pwd" size="15" maxlength="15" value="$_POST["confirm"]"></td>
</tr>
<tr>
<th class="criteria"> 新密码: </th>
<td><input type="password" name="new_pwd" size="15" maxlength="15" value=""></td>
</tr>
<tr>
<th class="criteria"> 确认新密码: </th>
<td><input type="password" name="renew_pwd" size="15" maxlength="15" value="">
<input type="submit" name="submit" value="提交"></td>
</tr>
</table>
</form>';
}
else
{
echo "<script>alert('用户名或密码不正确!');</script>";
}
}
?>
</body>
</html>
代码如上,本人是初学者,希望大神能帮忙。让本人学习一下!
...全文
请发表友善的回复…
发表回复
misaka去年夏天 2015-09-21
- 打赏
- 举报
楼上版主说的预处理即参数化查询,数据库先编译sql指令,再加入参数,最后再执行,目前是最好的防sql注入的方法
傲雪星枫 2015-09-21
- 打赏
- 举报
可以使用pdo的prepare预处理来防注入。
<?php
$dbh = new PDO("mysql:host=localhost; dbname=mydb", "root", "pass");
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); //禁用prepared statements的仿真效果
$dbh->exec("set names 'utf8'");
$sql="select * from table where username = ? and password = ?";
$query = $dbh->prepare($sql);
$exeres = $query->execute(array($username, $pass));
if ($exeres) {
while ($row = $query->fetch(PDO::FETCH_ASSOC)) {
print_r($row);
}
}
$dbh = null;
?>
码无边 2015-09-21
- 打赏
- 举报
$sql = "select username,password from user where username = '$_POST[username]' and password = '$_POST[password]'";
这里的变量需要做特殊处理,转义,sprintf处理下
Amy安 2015-09-21
- 打赏
- 举报
借楼学习
萌新只会用str_replace去掉 * % ‘ 空格 这些
萌新只会用str_replace去掉 * % ‘ 空格 这些
攻城狮joe 2015-09-21
- 打赏
- 举报
$user = @ $_POST["username"];
$psw = @ $_POST["password"];
$psw_confirm = @ $_POST["confirm"];
这里的话,用htmlspecialchars或者addslashes来处理一下,不要前面的@符号,用isset来判断下
王大西walker 2015-09-21
- 打赏
- 举报
addslashes
傲雪星枫 2015-09-20
- 打赏
- 举报
你的问题是什么?
50css 2015-09-20
- 打赏
- 举报
代码太长,没时间看
