php安全-防止sql注入攻击简单方法
本文章简单的利用一个实例来介绍了关于php防止sql注入的简单办法,有需要学习的朋友可以参考一下本文章哦。
方法一:密码比对
思路:首先通过用户输入的用户名去查询数据库,得到该用户名在数据库中对应的密码,再将从数据库中查询到的密码和用户提交过来的密码进行比对。
代码:
| 代码如下 | 复制代码 |
|
$sql="select password from users where username='$name'"; $res=mysql_query($sql,$conn); if ($arr=mysql_fetch_assoc($res)){//如果用户名存在 if ($arr['password']==$pwd) {//密码比对 echo "登录成功"; }else{ echo "密码输入有误"; } }else { echo "该用户名不存在"; } |
|
分析:该情况下,代码健壮了不少,即使在magic_quote_gpc=Off的情况下,也能防止SQL注入攻击。因为攻击者想成功登录的话,得绕过两道坎,第一是输入的用户名要存在,这一步可以构造一个SQL语句(‘ or 1=1%23)直接绕过,但是这样子无法通过第二道坎。因为需要用户输入一个正确的密码才能通过,显然,这已经拒绝了SQL注入攻击。
方法二:使用PDO的PDO::prepare()预处理操作来防止SQL注入攻击
思路:创建一个pdo对象,利用pdo的预处理操作可以防止SQL注入攻击
代码:
| 代码如下 | 复制代码 |
|
$name=$_GET['username']; $pwd=$_GET['password']; $sql="select * from users where username=? and password=?"; //1.创建一个pdo对象 $pdo=new PDO("mysql:host=localhost;port=3306;dbname=injection","root",""); //2.设置编码 $pdo->exec("set names 'utf8'"); //3.预处理$sql语句 $pdoStatement=$pdo->prepare($sql); //4.把接收到的用户名和密码填入 $pdoStatement->execute(array($name,$pwd)); //5.取出结果 $res=$pdoStatement->fetch(); if(empty($res)){ echo "用户名或密码输入有误"; }else{ echo "登录成功"; } |
|
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
WebStorm Mac version
Useful JavaScript development tools
Atom editor mac version download
The most popular open source editor
EditPlus Chinese cracked version
Small size, syntax highlighting, does not support code prompt function
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
