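PHP injection prevention

When writing programs I usually paid no attention to small details and always felt that this kind of code was optional, which is how big problems happen.

What I hate most are the people who think they are being clever: they download a few tools from the internet and start "hacking"~~~

So take a quick look at injection prevention in PHP: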

example:

Login example

index.php   Entering 1' or '1'='1 as both the username and the password does not log in

<form name="form1" action="login.php" method="post">
 <input type=text name=username>
 <input type=password name="password">
 <input type=submit value=提交>
</form>

login.php

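<?php
// The old mysql_* functions were removed in PHP 7.0, so this uses mysqli.
$cn = mysqli_connect("localhost", "root", "", "test");
// Set the connection character set before escaping, so the escaping
// function uses the same encoding as the server.
mysqli_set_charset($cn, "gb2312");

$username = isset($_POST["username"]) ? $_POST["username"] : "";
$pwd      = isset($_POST["password"]) ? $_POST["password"] : "";

// Debug output of the raw input, HTML-encoded so it cannot inject markup
// (assumes the page itself is served as GB2312, like the connection).
echo htmlspecialchars($username, ENT_QUOTES, "GB2312") . "<br/>";
echo htmlspecialchars($pwd, ENT_QUOTES, "GB2312") . "<br/>";

// stripslashes() was only needed to undo magic_quotes_gpc, which was removed
// in PHP 5.4, so the input is escaped exactly as received.
$username = mysqli_real_escape_string($cn, $username);
$pwd      = mysqli_real_escape_string($cn, $pwd);

$sql = "Select * from admin where admin='" . $username . "' and pwd='" . $pwd . "'";
// Show the final query: the quotes from the input now appear escaped.
echo htmlspecialchars($sql, ENT_QUOTES, "GB2312") . "<br/>";

$result = mysqli_query($cn, $sql);
if ($result && ($row = mysqli_fetch_array($result))) {
    echo "ok";
} else {
    echo "sorry";
}
?>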
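
Escaping only protects the queries where nobody forgets to call it; bound parameters remove the string concatenation altogether. The following is an added example, not code from the original post: it assumes PDO with the pdo_sqlite driver and uses an in-memory SQLite table in place of the post's MySQL admin table so it runs offline. The root account, its password, the hashed pwd column and the function names are constructed for illustration.

```php
<?php
// Added example, not the original post's code. In-memory SQLite stands in
// for the post's MySQL "test" database (assumption, so the script runs offline).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admin (admin TEXT PRIMARY KEY, pwd TEXT NOT NULL)');

// Constructed sample account. The pwd column holds a password hash here,
// whereas the post's query compares the submitted password directly.
$seed = $pdo->prepare('INSERT INTO admin (admin, pwd) VALUES (?, ?)');
$seed->execute(['root', password_hash('s3cret-Example', PASSWORD_DEFAULT)]);

// The pattern login.php defends against: input concatenated into the SQL
// text with no escaping, so a quote in the input ends the string literal.
function login_concat(PDO $pdo, string $user, string $pwd): bool
{
    $sql = "SELECT * FROM admin WHERE admin='" . $user . "' AND pwd='" . $pwd . "'";
    return $pdo->query($sql)->fetch() !== false;
}

// Hardened form: the user name travels as a bound parameter, never as SQL
// text, and the password is checked against the stored hash in PHP.
function login_prepared(PDO $pdo, string $user, string $pwd): bool
{
    $stmt = $pdo->prepare('SELECT pwd FROM admin WHERE admin = :user');
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pwd, $hash);
}

$probe = "1' or '1'='1"; // the input quoted in the post

echo "concatenated query, probe input:  ";
var_dump(login_concat($pdo, $probe, $probe));
echo "prepared statement, probe input:  ";
var_dump(login_prepared($pdo, $probe, $probe));
echo "prepared statement, real account: ";
var_dump(login_prepared($pdo, 'root', 's3cret-Example'));
```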

Published: April 15, 2009  Category: Uncategorized
