0
我以前一直在使用MYSQL,而且我不是专家,但已经设法生成一个简单的MySQL登录脚本。但我知道我的脚本是基本的和过时的,我应该使用MYSQLI,创建一个安全的MYSQLI登录脚本?
但是,MYSQLI并没有真正意义,因为我已经在MySQL中尝试了下面的代码,但我无法让它工作,我得到未定义的索引错误。
<?php
session_start();
include("config.php");
if (mysqli_connect_errno())
{
echo 'MySQLi Connection was not established:';
}
// checking the user
$myusername = mysqli_real_escape_string($conn,$_POST[‘myusername’]);
$pass = mysqli_real_escape_string($conn,$_POST[‘mypassword’]);
$sel_user = 'select * from supplier_users where username=’$myusername’ AND password=’$pass';
$run_user = mysqli_query($conn, $sel_user);
$check_user = mysqli_num_rows($run_user);
if($check_user>0){
$_SESSION[‘user’]=$myusername;
echo “success”;
}
else {
echo “fail”;
}
?>
这里是我的MySQL登录脚本的正常工作:
<?php
session_start();
include("config.php");
$tbl_name="internal_users";
$tbl_name2="supplier_users";
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql = "select * from $tbl_name where username = '$myusername' and password = '$mypassword'
union
select * from $tbl_name2 where username = '$myusername' and password = '$mypassword'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
$row=mysql_fetch_array($result);
if($count==1){
session_start();
include("variables.php");
if($result){
$sql2 = "UPDATE $tbl_name2 SET online = 'online' WHERE online = 'offline' AND username = '$myusername'";
$result2=mysql_query($sql2);
$sql21 = "UPDATE $tbl_name SET online = 'online' WHERE online = 'offline' AND username = '$myusername'";
$result21=mysql_query($sql21); }
else
$_SESSION['val']=1;
header("location:../dashboard.php");
}
else {
$_SESSION['message2'] = '<div id="message_box2"><div class="boxclose" id="boxclose" onclick="this.parentNode.parentNode.removeChild(this.parentNode);">✖</div><h23>Oooops!</h23><p>The Username and Password Combination do not match. Please try again.</p> </div>';
header("location:../index.php");
}
ob_end_flush();
?>
我的config.php文件看起来是这样的:
<?php
$host="localhost";
$username="mark";
$password="password";
$db_name="hewden1";
$conn = mysql_connect($host, $username, $password) or die("Could Not Connect to Server");
$db = mysql_select_db($db_name)or die("Cannot Connect the Database");
?>
我的问题是,可能有人请告诉我如何我可以将我的简单登录脚本从MYSQL转换为MYSQLI,并使其更加安全,我试图在上面做到这一点?我真的很感激任何人的帮助,因为我真的很难理解。
感谢
你可以检查[this](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php/14110189#14110189)post的详细解释 – krishna
干得好防御SQL注入,但是您绝对不应该以纯文本形式存储密码。如果您的数据库泄漏出去,您的用户的安全性可能会在其他地方受到影响。在使用MySQLi方面,你有没有阅读手册,或看过例子?网上有很多,包括在这个网站上。 – halfer