我有这个代码
$nick = $_POST["user"];
$pass = sha1($_POST["pass"]);
$user = pg_query($dbconn, "SELECT * FROM users");
$user = pg_fetch_object($user);
if($user->nick != $nick || $user->pass != $pass) {
echo 'Wrong user or password';
}
数据库中的昵称是字符类型,并且非常散列,但我仍然在输出中得到"错误的用户或密码"。
是否存在任何类型冲突?
$nick = $_POST["user"];
$pass = sha1($_POST["pass"]);
$user = pg_query($dbconn, "SELECT * FROM users WHERE nick = '$nick' and pass='$pass'");
$num = pg_num_rows($user);
$user = pg_fetch_object($user);
if($num==0) {
echo 'Wrong user or password';
}
当使用客户端将交互的某些值进行查询时,请确保他不会使用某些注入方法
更改代码:
$nick = pg_escape_string(strip_tags($_POST["user"]));
$pass = sha1($_POST["pass"]);