我是一名年轻的开发人员,试图在一个我最初没有自己编写代码的网站上阻止Sql注入。我读过很多关于注射及其背后的理论的文章,但我似乎无法理解。在我把头伸进监视器前,请帮帮我。谢谢我的显示器
这是代码:
<div id="main">
<div id="header"><? include('site_headergraphics.php'); ?></div>
<table width="800" height="100%" border="0" cellspacing="0" cellpadding="0"
class="content">
<tr>
<td width="800" valign="top">
<div style="padding:10px;">
<? if($_SESSION[$_SESSION['SFIX'].'_owner_id'] == ''){ ?>
<br><br>
<form name="balance_login" method="post" action="<? if ($_GET['passthru']){
?>?passthru=<?= $_GET['passthru'] ?><? } else { ?>?<? } ?>">
<input name="action" type="hidden" value="login" />
<table width="780" border="0" cellpadding="5" bgcolor="#FFFFFF">
<tr>
<td><table width="780" border="0" cellpadding="5" cellspacing="0"
bgcolor="#F7C30F" class="body_text">
<tr>
<td colspan="3" align="left" class="rightmenu"><?= $passmessage ?><?=
$specialmessage ?></td>
</tr>
<tr>
<td colspan="2" align="left" valign="top" class="rightmenu">To sign on,
enter your information below.</td>
<td width="412" rowspan="5" valign="top"><p>Welcome to Mediterranean
Wellness!</p>
<p>Ready to join us? You can <a
href="index.php?section=payment">GET STARTED here. </a></p></td>
</tr>
<tr valign="top">
<td width="121" align="right" class="rightmenu">Username:</td>
<td width="217"><input name="username" type="text" class="body_text"
id="username" /></td>
<!--Added in the prevent SQL code injections-->
<?php /*?><?php unset($FindUser);
if(isset($_POST['username']))
{
$_POST['username'] =
trim($_POST['username']);
if(preg_match('/^[a-
zA-Z0-9^$.*+'[']{,}]{1,32}$/u', $_POST['username']))
$FindUser =
$_POST['username'];
}
?><?php */?>
</tr>
<tr valign="top">
<td align="right" class="rightmenu">Password:</td>
<td><input name="password" type="password" class="body_text"
id="password" /></td>
<?php /*?><?php unset($FindPass);
if(isset($_POST['password']))
{
$_POST['password'] =
trim($_POST['password']);
if(preg_match('/^[a-
zA-Z0-9^$.*+'[']{,}]{1,32}$/u', $_POST['password']))
$$FindPass =
$_POST['password'];
}
?><?php */?>
<!--End of code added in the prevent SQL code injections-->
</tr>
<tr valign="top">
<td> </td>
<td><input name="Submit" type="submit" class="body_text"
value="Login" />
<?php
function make_safe($variable) {
$variable =
mysql_real_escape_string(trim($variable));
return $variable;
}
$username = make_safe($_POST['username']);
$password = make_safe($_POST['password']);
$check = mysql_query("SELECT Username,
Password, UserLevel FROM Users WHERE Username = '".$username."' and Password =
'".$password."'");
?>
<br>
<br>
<a href="?section=forgot">Forgot your username or password?</a></td>
</tr>
<tr>
<td> </td>
<td colspan="2"> </td>
</tr>
</table></td>
</tr>
</table>
</form>
<? } else { ?>
<p class="body_text">You must <a href="?user_action=logout">logout</a> to continue
to this page</p>
<? } ?>
</div></td>
</tr>
</table>
</div>
我认为避免SQL注入的最佳方法是在查询数据库时使用准备好的语句。
此外,你应该清理你的代码,使其可读性更好,使用MVC这样的设计模式会给它一个更好的结构。
mysql_*正在被弃用,并且在新版本中不起作用-您应该签出PDO或MySQLi。
特别是bind_param()函数-这就是您现在应该处理用户输入的方式(mysql_real_aescape_String()并不完美)
也就是说,您永远不会在代码中连接到数据库-如果没有活动的DB连接,mysql_real_eescape_string()将无法工作