Dr.*_*ion 2 php mysql url-parameters
首先,这是我第一次尝试PHP ..
这是代码:
<?php
if (isset($_GET['name']) && isset($_GET['password'])
$uname = $_GET['name'];
$pass = $_GET['password'];
$conn = mysql_connect("localhost","DBusername","DBpassword");
mysql_select_db("DBname",$conn);
$result = mysql_query("SELECT * FROM table WHERE username=$uname and password =$password");
$row = mysql_fetch_array($result);
if(is_array($row)) {
$ip = $row[ip];
echo $ip ;
}else {
echo = "Invalid Username or Password!";
}
?>
当我尝试此链接时:http://www.mywebsite.com/page.php?name = user&password = mypassword
这是一个隐藏页面,当用户尝试登录用C#编写的Windows窗体应用程序时,我用它来获取我记录的成员IP地址
总是得到一个空白页..
提前致谢
使用单引号包围变量,并die(mysql_error());在结尾添加a ,如图所示.
$result = mysql_query("SELECT * FROM `dvtmembers` WHERE username='$uname' and password ='$pass'") or die(mysql_error());
警告:您的代码对SQL注入攻击是开放的.
其他重大错误.
$uname不是$uanmeisset构造之后错过了一个括号echo声明进行分配.<?php
ini_set('display_startup_errors',1);
ini_set('display_errors',1);
error_reporting(-1);
if (isset($_GET['name']) && isset($_GET['password']))
{
$conn = mysql_connect("localhost","DBusername","DBpassword");
mysql_select_db("DBname",$conn);
$uname = mysql_real_escape_string($_GET['name']);
$pass = mysql_real_escape_string($_GET['password']);
$result = mysql_query("SELECT * FROM table WHERE username='$uname' and password ='$pass'") or die(mysql_error());
$row = mysql_fetch_array($result);
if(is_array($row)) {
$ip = $row['ip'];
echo $ip ;
}else {
echo "Invalid Username or Password!";
}
}
else { echo "Name and Password was not passed !";}
?>
此(mysql_*)扩展名已弃用PHP 5.5.0,将来将被删除.相反,应该使用MySQLi或PDO_MySQL扩展.切换到PreparedStatements更好地抵御SQL注入攻击!