1. 首页
  2. 问答
  3. 创建一个安全的MYSQLI登录脚本?

创建一个安全的MYSQLI登录脚本?

2015-01-05 61 views
0

我以前一直在使用MYSQL,而且我不是专家,但已经设法生成一个简单的MySQL登录脚本。但我知道我的脚本是基本的和过时的,我应该使用MYSQLI,创建一个安全的MYSQLI登录脚本?

但是,MYSQLI并没有真正意义,因为我已经在MySQL中尝试了下面的代码,但我无法让它工作,我得到未定义的索引错误。

<?php 
session_start(); 
include("config.php"); 

if (mysqli_connect_errno()) 

{ 

echo 'MySQLi Connection was not established:'; 

} 

// checking the user 



$myusername = mysqli_real_escape_string($conn,$_POST[‘myusername’]); 

$pass = mysqli_real_escape_string($conn,$_POST[‘mypassword’]); 

$sel_user = 'select * from supplier_users where username=’$myusername’ AND password=’$pass'; 

$run_user = mysqli_query($conn, $sel_user); 

$check_user = mysqli_num_rows($run_user); 

if($check_user>0){ 

$_SESSION[‘user’]=$myusername; 

echo “success”; 

} 

else { 

echo “fail”; 

} 


?>

这里是我的MySQL登录脚本的正常工作:

<?php 
session_start(); 
include("config.php"); 
$tbl_name="internal_users"; 
$tbl_name2="supplier_users"; 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 
$myusername = stripslashes($myusername); 
$mypassword = stripslashes($mypassword); 
$myusername = mysql_real_escape_string($myusername); 
$mypassword = mysql_real_escape_string($mypassword); 
$sql = "select * from $tbl_name where username = '$myusername' and password = '$mypassword' 
union 
select * from $tbl_name2 where username = '$myusername' and password = '$mypassword'"; 
$result=mysql_query($sql); 
$count=mysql_num_rows($result); 
$row=mysql_fetch_array($result); 
if($count==1){ 
session_start(); 
include("variables.php"); 
if($result){ 
$sql2 = "UPDATE $tbl_name2 SET online = 'online' WHERE online = 'offline' AND username = '$myusername'"; 
$result2=mysql_query($sql2); 
$sql21 = "UPDATE $tbl_name SET online = 'online' WHERE online = 'offline' AND username = '$myusername'"; 
$result21=mysql_query($sql21); } 
else 
$_SESSION['val']=1; 
header("location:../dashboard.php"); 
} 
else { 
$_SESSION['message2'] = '<div id="message_box2"><div class="boxclose" id="boxclose" onclick="this.parentNode.parentNode.removeChild(this.parentNode);">&#10006;</div><h23>Oooops!</h23><p>The Username and Password Combination do not match. Please try again.</p> </div>'; 
header("location:../index.php"); 
} 
ob_end_flush(); 
?>

我的config.php文件看起来是这样的:

<?php 
$host="localhost"; 
$username="mark"; 
$password="password"; 
$db_name="hewden1"; 
$conn = mysql_connect($host, $username, $password) or die("Could Not Connect to Server"); 
$db = mysql_select_db($db_name)or die("Cannot Connect the Database"); 
?>

我的问题是,可能有人请告诉我如何我可以将我的简单登录脚本从MYSQL转换为MYSQLI,并使其更加安全,我试图在上面做到这一点?我真的很感激任何人的帮助,因为我真的很难理解。

感谢

来源

2015-01-05 James Daley

+0

你可以检查[this](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php/14110189#14110189)post的详细解释 – krishna

+0

干得好防御SQL注入,但是您绝对不应该以纯文本形式存储密码。如果您的数据库泄漏出去,您的用户的安全性可能会在其他地方受到影响。在使用MySQLi方面,你有没有阅读手册,或看过例子?网上有很多,包括在这个网站上。 – halfer

回答

0

,你发布的mysqli的代码似乎有点畸形,报价有一些其他的编码类型报价:”当它应该是“IDK如果这将使意义,但。 另外在你的SELECT语句:

$sel_user = 'select * from supplier_users where username=’$myusername’ AND password=’$pass';
到底

报价失踪,它应该是像

$sel_user = "select * from supplier_users where username='$myusername' AND password='$pass'";

,它并没有什么意义使用mysql()代替的mysqli( ),因为前者已折旧。

来源

2015-01-05 11:24:01 Arfan

相关问题

 相关问题