我正在尝试使用xampp访问本地主机上的html网站。 php文件与html文件存储在htdocs中。但是我似乎仍然收到此错误。我的数据库名称是check,表名称是loginform。
<?php
$host="localhost";
$user="root";
$password="";
$dbname="check";
//create connection
$conn=mysqli_connect('$host', '$user', '$password', '$dbname');
//check connection
if (mysqli_connect_errno()) {
die('could not connect:'.mysqli_connect_error());
# code...
}
//accept values
if (isset($_POST['username'])) {
$uname=$_POST['username'];
$password=$_POST['password'];
$sql="select * from loginform where $uname='".$user."' AND $password='".$pass."' limit 1";
$result=mysqli_query($sql);
//check query
if (mysqli_num_rows($result)==1) {
echo "You have Successfully logged in";
exit();
}
else{
echo "Invalid credentials";
exit();
}
mysqli_close($conn);
}
我无法访问您的电脑以查明当前位置,但是我将谈论您的代码,您的登录表单是vuln [sql injection]您应该使用mysqli_real_escape_string();或者使用php pdo更安全(使用bindParam)
例如:
# mysql connection
$con = new PDO("mysql:host=localhost;dbname=database", 'username', 'password', array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"));
$user = $_POST['username'];
$pass = $_POST['password'];
# login
$query = "SELECT * FROM `tableUsers` WHERE `username`=? AND `password`=?";
$run = $con->prepare($query);
$run->bindParam(1, $user, PDO::PARAM_STR);
$run->bindParam(2, $pass, PDO::PARAM_STR);
$run->execute();
$count = $run->RowCount();
if($count > 0) { // or if ($count === 1)
// login complete the $_SESSION
} else {
// wrong password
}
此代码阻止SQLi但仍然阻止XSS