避免攻击SQL注入? [英] Avoiding attack SQL injection ?
问题描述
您好。我想学习防止sql注入。如您所知,通过nuke可以获得的最佳保护是sql注入的工作原理。我有用PHP编写的代码我使用PDO来提高安全性。我已经阅读了许多与sql注入攻击相关的文章,但很少有关于PDO的文章,因此可以理解PDO更安全。我有一个代码,有时可以阻止我的攻击。所以简而言之,我希望将来成为一名安全专家。无论如何。也许您知道PDO上的攻击方法是什么?下面我将给你一个代码,正如我之前所说的相对抵抗攻击。在此先感谢您的帮助。
index.php
Hello. I would like to learn protection against sql injection. As you know, the best protection you can get through the nuke is how sql injection works. I have code written in PHP I used PDO for greater security. I have read many articles related to sql injection attacks but few articles are on PDO, so it can be understood that PDO is more secure. I have a code that at times prevented my attacks. So in a nutshell, in the future I would like to become a security expert. Anyway. Maybe you know what attack methods are on PDO? Below I will give you a code that as I said before is relatively resistant to attacks. Thanks in advance for your help.
index.php
<!DOCTYPE html>
<html>
<body>
<form action="login.php" method="post">
<input type="text" name="name" placeholder="Your name">
<input type="text" name="email" placeholder="Your email">
<input type="submit" name="sent" id="ref" value="Send">
</form><
</div>
</body>
</html>
login.php >
<?php
session_start();
$dbname = 'test';
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = '';
try
{
if((!isset($_POST['name'])) || (!isset($_POST['email'])))
{
header("Location: index.php");
exit();
}
$PDO = new PDO('mysql:host='.$dbhost.';dbname='.$dbname,$dbuser,$dbpass);
$userow = $PDO->prepare('SELECT * FROM `users` WHERE `user`="'.$_POST['name'].'" ');
$userow->execute();
$count = $userow->rowCount();
if($count>0)
{
$row = $userow->fetch(PDO::FETCH_ASSOC);
if($_POST['email'] === $row['pass'])
{
$_SESSION['logged'] = true;
$_SESSION['nick'] = $row['user'];
$_SESSION['pass'] = $row['pass'];
header("Location: logged.php");
}
else
{
echo "Wrong login or password!";
}
}
else
{
echo "Wrong login or password!";
}
}
catch(PDOException $error)
{
die('Error!:'.$error->getMessage());
}
?>
logged.php
logged.php
<?php
session_start();
if (!isset($_SESSION['logged']))
{
header("Location: index.php");
exit();
}
?>
<!DOCTYPE html>
<html>
<body>
<a href="logout.php">Logout!</a>
<?php
$dbname = 'test';
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = '';
try
{
$PDO = new PDO('mysql:host='.$dbhost.';dbname='.$dbname,$dbuser,$dbpass);
$userow = $PDO->prepare('SELECT * FROM `users` WHERE user`="'.$_SESSION['nick'].'" ');
$userow->execute();
$row = $userow->fetch(PDO::FETCH_ASSOC);
echo $row['user'];
}
catch(PDOException $error)
{
die('Error!'.$error->getMessage());
}
?>
</body>
</html>
我尝试了什么:
基本sql注入
-在文本框登录中添加撇号
- 在文本框密码中添加撇号或1 = 2
等。
What I have tried:
Basic sql injection
-Add an apostrophe to the textbox login
-Add an apostrophe to the textbox password OR 1=2
etc.
推荐答案
dbname = ' test';
dbname = 'test';
dbhost = ' 本地主机'跨度>;
dbhost = 'localhost';
dbuser = ' 根跨度>;
dbuser = 'root';
这篇关于避免攻击SQL注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!