我目前正在升级朋友网站的代码,并且遇到登录脚本的问题。我试图通过使用mysql_real_escape_string()
来防止SQL注入。 mysql_escape_string()
正常,但mysql_real_escape_string()
没有。这是我得到的:mysql_real_escape_string - 登录脚本
if (isset($_POST['submit']))
{
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$db_link = db_connect("project");
$query = "SELECT * FROM user WHERE username = '$username' AND password = password('$password')";
$result = mysql_query($query) or die (mysql_error());
$numrows = mysql_num_rows($result);
if($numrows == 1)
{
RedirectToURL("home.php");
}
else
{
login_page("Invalid login! Try again");
}
}
else
{
login_page("");
}
也许这可能有帮助:http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php – Horen
移动它们在数据库连接调用后发生。 –