PHP Security-A Simple Way to Prevent SQL Injection Attacks_PHP Tutorial

This article simply uses an example to introduce a simple way to prevent SQL injection in PHP. Friends who need to learn can refer to this article.

Method 1: Password comparison

Idea: First, query the database through the user name entered by the user, get the password corresponding to the user name in the database, and then compare the password queried from the database with the password submitted by the user.

Code:

}else{

The code is as follows

代码如下	复制代码
$sql="select password from users where username='$name'";        $res=mysql_query($sql,$conn);        if ($arr=mysql_fetch_assoc($res)){//如果用户名存在               if ($arr['password']==$pwd) {//密码比对                      echo "登录成功";        }else{               echo "密码输入有误";        }        }else {               echo "该用户名不存在";        }

Copy code

$sql="select password from users where username='$name'";

$res=mysql_query($sql,$conn);

if ($arr=mysql_fetch_assoc($res)){//If the username exists

                if ($arr['password']==$pwd) {//Password comparison

echo "Login successful";

代码如下

复制代码

$name=$_GET['username'];        $pwd=$_GET['password'];           $sql="select * from users where username=? and password=?";        //1.创建一个pdo对象        $pdo=new PDO("mysql:host=localhost;port=3306;dbname=injection","root","");        //2.设置编码        $pdo->exec("set names 'utf8'");        //3.预处理$sql语句        $pdoStatement=$pdo->prepare($sql);        //4.把接收到的用户名和密码填入        $pdoStatement->execute(array($name,$pwd));        //5.取出结果        $res=$pdoStatement->fetch();        if(empty($res)){               echo "用户名或密码输入有误";        }else{               echo "登录成功";                }

echo "Password entered incorrectly"; } }else { echo "This username does not exist"; } Analysis: In this case, the code is much more robust and can prevent SQL injection attacks even when magic_quote_gpc=Off. Because if an attacker wants to log in successfully, he has to bypass two hurdles. The first is that the entered user name must exist. This step can be bypassed directly by constructing a SQL statement (' or 1=1%23), but this method cannot be passed. The second hurdle. Because the user is required to enter a correct password to pass, this obviously denies SQL injection attacks. Method 2: Use PDO’s PDO::prepare() preprocessing operation to prevent SQL injection attacks Idea: Create a pdo object and use the preprocessing operation of pdo to prevent SQL injection attacks Code:

The code is as follows

Copy code

$name=$_GET['username']; $pwd=$_GET['password']; $sql="select * from users where username=? and password=?"; //1. Create a pdo object $pdo=new PDO("mysql:host=localhost;port=3306;dbname=injection","root",""); //2. Set encoding $pdo->exec("set names 'utf8'"); //3. Preprocess $sql statement $pdoStatement=$pdo->prepare($sql); //4. Fill in the received user name and password $pdoStatement->execute(array($name,$pwd)); //5. Get the result $res=$pdoStatement->fetch(); if(empty($res)){ echo "The username or password entered is incorrect"; }else{ echo "Login successful"; } http://www.bkjia.com/PHPjc/629678.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629678.htmlTechArticleThis article simply uses an example to introduce a simple way to prevent SQL injection in PHP. Friends who need to learn You can refer to this article. Method 1: Password comparison Idea: First...