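When writing programs I usually did not pay attention to the small details and always felt that such code was optional, which led to a big problem.
I really hate those people who think they are clever, download a few tools from the internet and start "hacking"~~~
Time to go over PHP injection prevention right away: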
Example:
Login example
index.php: with 1' or '1'='1 entered as the username and password, the login fails
<form name="form1" action="login.php" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" value="提交">
</form>
login.php
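<?php
// Legacy mysql_* API: removed in PHP 7.0, so this script runs on PHP 5.x only.
$cn = mysql_connect("localhost", "root", "");
$db = mysql_select_db("test", $cn);
// Set the connection charset before escaping so the escaping function knows it.
mysql_set_charset("gb2312", $cn);
$username = $_POST["username"];
$pwd = $_POST["password"];
// Debug output is HTML-escaped so submitted values are not rendered as markup.
echo htmlspecialchars($username, ENT_QUOTES, "GB2312") . "<br/>";
echo htmlspecialchars(stripslashes($username), ENT_QUOTES, "GB2312") . "<br/>";
// stripslashes() undoes magic_quotes_gpc; the value is then escaped for this connection.
$username = mysql_real_escape_string(stripslashes($username), $cn);
echo "<br/>";
echo htmlspecialchars($pwd, ENT_QUOTES, "GB2312") . "<br/>";
echo htmlspecialchars(stripslashes($pwd), ENT_QUOTES, "GB2312") . "<br/>";
$pwd = mysql_real_escape_string(stripslashes($pwd), $cn);
$sql = "Select * from admin where admin='" . $username . "' and pwd='" . $pwd . "'";
// Show the final statement (debug only).
echo htmlspecialchars($sql, ENT_QUOTES, "GB2312") . "<br/>";
$result = mysql_query($sql, $cn);
// A returned row means the username/password pair matched.
if ($result && $row = mysql_fetch_array($result)) {
    echo "ok";
} else {
    echo "sorry";
}
?>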
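
An added example (not the original author's code) that runs the page's test input against the same login query built two ways: by string concatenation with no escaping, where it is accepted, and with PDO bound parameters, where it is rejected. It assumes the pdo_sqlite extension and uses an in-memory SQLite table in place of the page's MySQL database; the sample row and the function names are constructed for illustration.

```php
<?php
// Added example, not the original author's code. Requires pdo_sqlite; an
// in-memory SQLite table stands in for the page's MySQL "admin" table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE admin (admin TEXT, pwd TEXT)");
// Constructed sample row. The password is stored as-is only to mirror the
// page's table; production code would store a password_hash() value.
$pdo->exec("INSERT INTO admin (admin, pwd) VALUES ('root', 'sample-pass')");

// Hypothetical helper: the login query assembled by concatenation, with no
// escaping at all. User input becomes part of the SQL text.
function login_concat(PDO $pdo, string $user, string $pwd): bool
{
    $sql = "SELECT * FROM admin WHERE admin='" . $user . "' AND pwd='" . $pwd . "'";
    return $pdo->query($sql)->fetch() !== false;
}

// Hypothetical helper: the same query with bound parameters. The SQL text is
// fixed; the values travel separately and are only ever compared as data.
function login_prepared(PDO $pdo, string $user, string $pwd): bool
{
    $stmt = $pdo->prepare("SELECT * FROM admin WHERE admin = :user AND pwd = :pwd");
    $stmt->execute([':user' => $user, ':pwd' => $pwd]);
    return $stmt->fetch() !== false;
}

$probe = "1' or '1'='1"; // the test input used on the page
$cases = [
    'valid credentials' => ['root', 'sample-pass'],
    'wrong password'    => ['root', 'guess'],
    'page test input'   => [$probe, $probe],
];

foreach ($cases as $label => $pair) {
    list($user, $pwd) = $pair;
    printf(
        "%-18s concat=%-5s prepared=%s\n",
        $label,
        login_concat($pdo, $user, $pwd) ? 'ok' : 'sorry',
        login_prepared($pdo, $user, $pwd) ? 'ok' : 'sorry'
    );
}
```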