创建一个安全的MYSQLI登录脚本?

时间:2015-01-05 09:44:38

标签: php mysql mysqli

我过去一直在使用MYSQL而且不是专家,但已设法生成一个简单的MySQL登录脚本。但是我知道我的脚本是基本的和过时的,我应该使用MYSQLI,

然而,MYSQLI对我没有任何意义,因为我在MySQL中尝试了以下代码,但我似乎无法使其工作,并且我得到了未定义的索引错误。

<?php
session_start();
include("config.php");

if (mysqli_connect_errno())

{

echo 'MySQLi Connection was not established:';

}

// checking the user



$myusername = mysqli_real_escape_string($conn,$_POST[‘myusername’]);

$pass = mysqli_real_escape_string($conn,$_POST[‘mypassword’]);

$sel_user = 'select * from supplier_users where username=’$myusername’ AND password=’$pass';

$run_user = mysqli_query($conn, $sel_user);

$check_user = mysqli_num_rows($run_user);

if($check_user>0){

$_SESSION[‘user’]=$myusername;

echo “success”;

}

else {

echo “fail”;

}


?>

这是我的MySQL登录脚本,工作正常:

<?php
session_start();
include("config.php");
$tbl_name="internal_users";  
$tbl_name2="supplier_users";  
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql = "select * from $tbl_name where username = '$myusername' and password = '$mypassword'
union
select * from $tbl_name2 where username = '$myusername' and password = '$mypassword'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
$row=mysql_fetch_array($result);
if($count==1){
session_start();
include("variables.php");
if($result){
$sql2 = "UPDATE $tbl_name2 SET online = 'online' WHERE online = 'offline' AND username = '$myusername'";  
$result2=mysql_query($sql2); 
$sql21 = "UPDATE $tbl_name SET online = 'online' WHERE online = 'offline' AND username = '$myusername'";  
$result21=mysql_query($sql21); }
else
$_SESSION['val']=1;
header("location:../dashboard.php");
}
else {
$_SESSION['message2'] = '<div id="message_box2"><div class="boxclose" id="boxclose" onclick="this.parentNode.parentNode.removeChild(this.parentNode);">&#10006;</div><h23>Oooops!</h23><p>The Username and Password Combination do not match. Please try again.</p> </div>';
header("location:../index.php");
} 
ob_end_flush();
?>

我的config.php文件如下所示:

<?php
$host="localhost";
$username="mark";
$password="password";
$db_name="hewden1";
$conn = mysql_connect($host, $username, $password) or die("Could Not Connect to Server");
$db = mysql_select_db($db_name)or die("Cannot Connect the Database"); 
?>

我的问题是,有人可以告诉我如何将我的简单登录脚本从MYSQL转换为MYSQLI,并以我上面尝试的方式使其更加安全吗?我真的很感激任何人对此的帮助,因为我真的很难理解。

由于

1 个答案:

答案 0 :(得分:0)

您发布的Mysqli代码似乎有点格式错误,引号是一些其他编码类型的引号:'当它应该是'IDK,如果这有意义的话。 同样在你的select语句中:

$sel_user = 'select * from supplier_users where username=’$myusername’ AND password=’$pass';

最后缺少一个引用,它应该像

$sel_user = "select * from supplier_users where username='$myusername' AND password='$pass'";

并且使用mysql()而不是mysqli()是没有意义的,因为前者是折旧的。

相关问题
最新问题