这段代码会不会被注入式攻击?
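/**
 * Check a login attempt against pw_members and maintain the failed-login record.
 *
 * $password is compared directly with the stored value, so the caller is
 * expected to pass the already-hashed password (presumably a 32-character md5
 * hex digest, judging by the 16-character legacy handling below - confirm
 * against the caller).
 *
 * SECURITY (review):
 *  - $username is interpolated into the SELECT text. That is only safe if every
 *    caller has already escaped it for the connection's character set. The
 *    binding/escaping API of $db is not visible from this function, so the
 *    query is left as written; move it to a bound parameter (or the DB layer's
 *    own escaping) where $db is defined, and do not escape a second time here
 *    if the caller already does.
 *  - $onlineip is written back into SQL as part of the failure record. If that
 *    global can be influenced by client-supplied headers it needs validating
 *    as an IP address where it is computed - TODO confirm its origin.
 *  - The stored value looks like an unsalted md5 digest. If so, plan a
 *    migration to password_hash()/password_verify().
 *
 * @param string $username account name used in the lookup
 * @param string $password hashed password supplied by the caller
 * @return array array($hp, $L_T, $men_uid, $L_groupid, $password, $yz);
 *               $hp is 1 on success, 2 on a wrong password ($L_T = attempts
 *               left), 3 while locked out ($L_T = seconds left in the
 *               600-second window) and null when the account does not exist.
 */
function checkpass($username,$password){
    global $db,$timestamp,$onlineip;

    // Give every slot of the returned tuple a defined value; the branches
    // below only fill in some of them.
    $hp=null;
    $L_T=null;
    $men_uid=null;
    $L_groupid=null;
    $yz=null;

    // NOTE(review): string-built SQL - see the SECURITY notes in the docblock.
    $men=$db->get_one("SELECT uid,password,groupid,onlineip,yz FROM pw_members m WHERE username='$username'");
    if(!$men){
        return array($hp,$L_T,$men_uid,$L_groupid,$password,$yz);
    }

    // onlineip doubles as the failure record: "<ip> *|<time of last failure>|<attempts left>".
    // Pad to three fields so a plain or empty value does not read missing offsets.
    $e_login=array_pad(explode("|",(string)$men['onlineip']),3,null);
    $fail_time=(int)$e_login[1];
    $tries_left=(int)$e_login[2];

    // Locked out: same recorded IP, last failure within 600 seconds, no attempts left.
    $same_ip=($e_login[0]===$onlineip.' *');
    if($same_ip && ($timestamp-$fail_time)<=600 && $tries_left<=1){
        $L_T=600-($timestamp-$fail_time);
        $hp=3;
        return array($hp,$L_T,$men_uid,$L_groupid,$password,$yz);
    }

    $men_uid=$men['uid'];
    $men_pwd=(string)$men['password'];
    $yz=$men['yz'];

    // Legacy accounts store only 16 characters: characters 8..23 of the md5 digest.
    $legacy=(strlen($men_pwd)==16);
    $check_pwd=$legacy ? (string)substr($password,8,16) : (string)$password;

    // Strict comparison: with == two different digests that both look like
    // numeric strings can compare equal. Where PHP >= 5.6 is guaranteed,
    // hash_equals() is the better choice.
    if($men_pwd===$check_pwd){
        // Upgrade the legacy record to the full digest, but only when the value
        // really is 32 hex characters: the legacy comparison covers just the
        // middle 16 characters, so the rest of $password is unchecked and must
        // not reach the UPDATE text otherwise.
        if($legacy && is_string($password) && preg_match('/\A[0-9a-fA-F]{32}\z/',$password)){
            $db->update("UPDATE pw_members SET password='$password' WHERE uid='$men_uid'");
        }
        $L_groupid=$men['groupid'];
        $hp=1;
    }else{
        // Wrong password: count down the remaining attempts, starting a fresh
        // run of 5 when none are recorded.
        $L_T=$tries_left;
        if($L_T){
            $L_T--;
        }else{
            $L_T=5;
        }
        $F_login="$onlineip *|$timestamp|$L_T";
        $db->update("UPDATE pw_members SET onlineip='$F_login' WHERE uid='$men_uid'");
        $hp=2; // wrong password; $L_T attempts remain
    }

    return array($hp,$L_T,$men_uid,$L_groupid,$password,$yz);
}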