实例演绎 PDO 在用户登录环节是怎么防 SQL 注入的？（核心：SQL 文本只含 `?` 占位符，用户输入作为参数单独传给驱动，永远不会拼接进 SQL）
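// Login lookup with a prepared statement. The SQL text contains only `?`
// placeholders; $username / $password are bound by the driver and sent
// separately from the statement, so their content cannot change the query's
// structure (this is what defeats SQL injection, not any escaping).
// NOTE(review): for genuine server-side prepares the connection should have
// PDO::ATTR_EMULATE_PREPARES => false — that is configured where $pdo is
// created, not visible here.
$sql = 'SELECT `username`,`password` FROM `user` WHERE `username`= ? AND `password`=? ; ';
$stmt = $pdo->prepare( $sql );            // compile the statement, returns a PDOStatement
$stmt->execute( [$username, $password] ); // bind the two values positionally and run
// NOTE(review): this assumes $password is already hashed the same way the
// `user.password` column stores it — the hashing step is not part of this snippet.
$res = $stmt->fetch();
if ( $res )
{
    // Issue a fresh session id at the moment privileges change: an id an
    // attacker planted before login (session fixation) must not become an
    // authenticated session.
    session_regenerate_id( true );
    $_SESSION['username'] = $res['username'];
    echo json_encode( array( 'status'=>1, 'msg'=>'登录成功...正在跳转' ), 320 );
    exit;
}
// Same message for "no such user" and "wrong password" — do not leak which one it was.
echo json_encode( array( 'status'=>0, 'msg'=>'用户名或密码错误' ), 320 );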
写一个小实战,实现预处理与会话跟踪?
一个前端页面显示文件,一个后端处理文件
后端文件实现预处理与会话跟踪
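<?php
declare(strict_types=1);

// Backend of the login demo: PDO prepared statements + session tracking.
// Dispatches on the `type` parameter: 1 = login, 2 = captcha check, 3 = logout.
// Every branch except logout answers with a JSON object {status, msg}.
session_start();
require 'config.php'; // presumably creates $pdo (PDO connection) — not visible here

/**
 * Emit a JSON reply and stop the script.
 *
 * The flags equal the literal 320 the original used, so the wire format
 * (unescaped slashes and UTF-8) is unchanged.
 */
function send_json( int $status, string $msg ): void
{
    echo json_encode( ['status' => $status, 'msg' => $msg], JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE );
    exit;
}

/**
 * Read a POST field as a non-empty string, or null when absent.
 *
 * `!== ''` instead of empty() so a legitimate value of "0" is not dropped;
 * is_string() rejects array-shaped input (name[]=x) that would otherwise be
 * handed to PDO / md5() as an array.
 */
$field = static function ( string $name ): ?string {
    return ( isset( $_POST[$name] ) && is_string( $_POST[$name] ) && $_POST[$name] !== '' )
        ? $_POST[$name]
        : null;
};

$username    = $field( 'username' );
$rawPassword = $field( 'password' );
// NOTE(review): md5 is kept only because the `user` table stores md5 digests and
// the query below compares against them. It is fast and unsalted, so a leaked
// table is trivially cracked — migrate to password_hash()/password_verify(),
// which also means selecting by username only and verifying in PHP.
$password = $rawPassword === null ? null : md5( $rawPassword );
$code     = $field( 'code_value' );

// Dispatcher key. $_REQUEST (not $_POST) because logout arrives as a GET link.
// Non-numeric or array input ends up in the default branch, as before.
$type = ( isset( $_REQUEST['type'] ) && is_string( $_REQUEST['type'] ) && $_REQUEST['type'] !== '' )
    ? (int) $_REQUEST['type']
    : null;

switch ( $type )
{
    case 1:
        // Login verification
        if ( $username === null || $password === null ) {
            send_json( 0, '用户名或密码错误' );
        }
        // The captcha is checked in a separate request (type 2); without this
        // gate a client can skip it and POST type=1 directly. The flag is
        // one-shot: consumed by this attempt whether or not the login succeeds.
        if ( empty( $_SESSION['code_verified'] ) ) {
            send_json( 0, '请先完成验证码校验' );
        }
        unset( $_SESSION['code_verified'] );

        // Placeholders only — the values never touch the SQL text.
        $stmt = $pdo->prepare( 'SELECT `username`,`password` FROM `user` WHERE `username`= ? AND `password`=? ; ' );
        $stmt->execute( [$username, $password] );
        $res = $stmt->fetch();
        if ( $res )
        {
            // Fresh session id on privilege change so an id fixed before
            // authentication (session fixation) cannot be reused as the
            // logged-in session.
            session_regenerate_id( true );
            $_SESSION['username'] = $res['username'];
            send_json( 1, '登录成功...正在跳转' );
        }
        // Identical message for unknown user and wrong password.
        send_json( 0, '用户名或密码错误' );
        break;

    case 2:
        // Compare the submitted captcha with the one stored by the captcha
        // generator; case-insensitive, as before. The stored value is cleared
        // on success so it cannot be replayed.
        // NOTE(review): nothing limits the number of guesses per captcha — the
        // front end calls this on every keystroke, and a client can call it at
        // will; consider an attempt counter in the session.
        $expected = (string) ( $_SESSION['code'] ?? '' );
        if ( $code !== null && $expected !== ''
            && hash_equals( strtolower( $expected ), strtolower( $code ) ) ) {
            $_SESSION['code'] = '';
            $_SESSION['code_verified'] = true; // consumed by the login branch
            send_json( 1, '验证码正确' );
        }
        send_json( 0, '验证码不正确' );
        break;

    case 3:
        // Logout.
        // NOTE(review): reached via a plain GET link, so any third-party page can
        // log the user out (CSRF); a POST with a token would be stricter.
        session_unset();
        // session_destroy() removes the server-side file but leaves the cookie
        // in the browser; expire it explicitly (pattern from the PHP manual).
        if ( ini_get( 'session.use_cookies' ) ) {
            $p = session_get_cookie_params();
            setcookie( session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly'] );
        }
        session_destroy();
        header( 'Location: /demo.php' );
        exit;

    default:
        send_json( 520, '非法参数访问' );
        break;
}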
前端页面
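<?php
// Full `<?php` tag: the original `<?` short tag only works when short_open_tag
// is enabled; otherwise the text is echoed into the page and no session is
// started, so the logged-in branch below never renders. Must run before any
// output because it sends the session cookie header.
session_start();
?>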
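<!DOCTYPE html>
<html lang = 'en'>
<head>
<meta charset = 'utf-8' />
<title>用户登录</title>
<meta name = 'viewport' content = 'width=device-width, initial-scale=1.0' />
<meta name = 'description' content = 'Premium Bootstrap 4 Landing Page Template' />
<meta name = 'keywords' content = 'bootstrap 4, premium, marketing, multipurpose' />
<meta content = 'Themesdesign' name = 'author' />
<!-- css -->
<link href = 'login/static/bootstrap.min.css' rel = 'stylesheet' type = 'text/css' />
<!--Themify Icon -->
<link href = 'login/static/style.css' rel = 'stylesheet' type = 'text/css' />
</head>
<body>
<section class = 'bg-login d-flex align-items-center'>
<div class = 'container'>
<div class = 'row justify-content-center mt-4'>
<div class = 'col-lg-4'>
<nav>
<!-- Not logged in: show the form. empty() covers both "unset" and "" -->
<?php if (empty($_SESSION['username'])): ?>
<div class = 'bg-white p-4 rounded'>
<div class = 'text-center'>
<h4 class = 'fw-bold mb-3'>用户登录</h4>
</div>
<div class = 'row login-form'>
<div class = 'col-lg-12 mt-2'>
<input type="text" name="username" class = 'form-control' placeholder="用户名" autofocus>
</div>
<div class = 'col-lg-12 mt-2'>
<input type="password" name="password" class = 'form-control' placeholder="请输入密码" >
</div>
<div class = 'col-lg-12 mt-2'>
<!-- type="text": "code" is not a valid input type (browsers silently fall back to text) -->
<input type = 'text' class = 'form-control' placeholder = '验证码' required = '' name="code" id="code" style = 'float: left; width:55%;'>
<label class = 'form-check-label'>
<!-- click reloads the captcha image; the random query string defeats caching -->
<img src = 'login/code.php' onclick="this.src='login/code.php?id='+ Math.random();" height = '40px' style="margin: auto 10px;vertical-align: bottom; cursor:pointer" alt = '点击刷新'>
</label>
<span id="error_msg"> </span>
</div>
<div class = 'col-lg-12 mt-2'>
<div class = 'form-check'>
<!-- "remember me" is not wired to anything in the scripts below -->
<input class = 'form-check-input' style = 'color: red;' type = 'checkbox' value = '' id = 'flexCheckDefault'>
<label class = 'form-check-label' for = 'flexCheckDefault'>
记住
</label>
</div>
</div>
<div class = 'col-lg-12 mt-3 mb-4'>
<button type ="button" class = 'btn btn-primary w-100' name="btn">登录</button>
</div>
<div class = 'text-center'>
<p class = 'mb-0 mt-2 text-center'>
<a href = 'password_forget.html' class = 'text-dark fw-bold'>忘记密码 ?</a>
</p>
</div>
</div>
</div>
<div class = 'text-center mt-3'>
<p><small class = 'text-white mr-2'>未注册用户 ?</small> <a href = 'reg.html'
class = 'text-white fw-bold'>创建账号</a></p>
</div>
<?php else : ?>
<div class = 'text-center'>
<h4 class = 'fw-bold mb-3'>您已成功登录</h4>
<!-- The username comes from the user table, i.e. from whoever registered it:
     escape it for the HTML context or a crafted name runs script on this page -->
<a href="javascript:;"><?= htmlspecialchars((string) $_SESSION['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?></a>
<!-- logout is a plain GET link; see the backend note on CSRF -->
<a href="login/login.php?type=3">退出</a>
</div>
<?php endif ?>
</nav>
</div>
</div>
</div>
</section>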
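<!-- javascript -->
<!-- NOTE(review): jQuery is loaded from a third-party CDN with no integrity
     attribute; a compromised or replaced CDN file runs script on the login
     page. Self-host the file or add an `integrity` hash + crossorigin. -->
<script type = 'text/javascript' src = "https://cdn.bootcss.com/jquery/3.3.1/jquery.min.js"></script>
<script type="text/javascript">
// Login: POST username/password as type=1. Only emptiness is checked here;
// the captcha value itself is validated by the separate type=2 request.
$('button[name="btn"]').click(function(){
    var data = {};
    data.username = $.trim($('input[name="username"]').val());
    data.password = $.trim($('input[name="password"]').val());
    data.type = 1;
    var code = $.trim($('input[name="code"]').val());
    if (data.username === '' || data.password === '' || code === '')
    {
        alert('必选项不能为空哦~');
        return;
    }
    $.post('login/login.php', data, function(res){
        alert(res.msg);
        if (res.status == 1)
        {
            // authenticated: go to the home page after a short delay
            setTimeout(()=>location.href = 'demo.php', 500);
        }
    }, "json");
});

// Captcha: checked server-side on every keyup (type=2). The server clears the
// stored code once it matches, so edits after a successful match report "wrong".
$('input[name="code"]').keyup(function(){
    var data = {};
    data.code_value = $.trim($(this).val());
    data.type = 2;
    if (data.code_value === '')
    {
        $("#error_msg").html("<span style='color:green'>验证码不能为空</span>");
        return;
    }
    $.post('login/login.php', data, function(res){
        var ok = res.status == 1;
        $("#error_msg").html(ok
            ? "<span style='color:green'>验证码正确</span>"
            : "<span style='color:red'>验证码错误</span>");
    }, "json");
});
</script>
</body>
</html>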