RRR*_*ind 2 php database login content-management-system
最近有人攻击我的PHP CMS并种植了SQL注入.有没有办法让我的登录代码更受保护并防止黑客入侵?任何帮助都会很棒,谢谢.
登录表格
<div id="loginform">
<form method="post" action="check-login.php" name="form1">
<label for="username" /><span style="color:#FFFFFF; font-family:'Trebuchet MS', Arial, Helvetica, sans-serif;">username:</span></label>
<input type="text" name="myusername" id="username"/>
<label for="password"/><span style="color:#FFFFFF; font-family:'Trebuchet MS', Arial, Helvetica, sans-serif;">password:</span></label>
<input type="password" name="mypassword" id="password"/>
<label for="submit"></label>
<input type="submit" name="sumbit" value="Login">
</form>
</div>
PHP
mysql_connect ($host, $username, $password) or die ("can't connect");
mysql_select_db ($db_name) or die (mysql_error());
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];
$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result = mysql_query($sql);
$count = mysql_num_rows($result);
if ($count == 1){
session_register("myusername");
session_register("mypassword");
header("Location:cms/admin.php");
}else{
echo "Wrong username or password";
}
哇.这是一个很大的禁忌:
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];
至少需要对这些输入进行消毒mysql_real_escape_string.
把它改成这个:
$myusername = mysql_real_escape_string($_POST['myusername']);
$mypassword = mysql_real_escape_string($_POST['mypassword']);
htmlentities()并且htmlspecialchars()也很有用,但我建议不要在进入数据库的数据中使用它们.