How do I modify my "mySQL" code so I can avoid an SQL injection attack?


Could someone please help me modify my code so that I can avoid an "SQL injection attack"? I was told that my code is open to an SQL injection attack, but I don't know how to modify it. Would you be so kind as to help me rewrite it? Thanks a lot.

I have seen other similar questions like this one (you will say it is a duplicate), but since I am a newcomer to MySQL I was hoping that one of you would be kind enough to help me rewrite my code. Thanks a lot.

This is my register code:

<?php
// Include config file (string quotes restored; extraction had stripped them)
require_once 'config.php';

// the form has been submitted with POST
if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    // define other variables with submitted values from $_POST
    $username = $mysqli->real_escape_string($_POST['username']);
    $fullname = $mysqli->real_escape_string($_POST['fullname']);
    $jobtitle = $mysqli->real_escape_string($_POST['jobtitle']);

    $password = password_hash($_POST['password'], PASSWORD_BCRYPT);

    // path where our avatar image will be stored
    $avatar_path = $mysqli->real_escape_string('images/avatars/' . $_FILES['avatar']['name']);

    // make sure the file type is image
    if (preg_match('!image!', $_FILES['avatar']['type'])) {

      // copy image to images/ folder
      if (copy($_FILES['avatar']['tmp_name'], $avatar_path)) {

        // set session variables to display on welcome page
        $_SESSION['username'] = $username;
        $_SESSION['avatar'] = $avatar_path;
        $_SESSION['jobtitle'] = $jobtitle;

        // insert user data into database (values are interpolated into the SQL string)
        $sql = "INSERT INTO users (username, password, fullname, avatar, jobtitle) "
             . "VALUES ('$username', '$password', '$fullname', '$avatar_path', '$jobtitle')";

        // check if mysql query is successful
        if ($mysqli->query($sql) === true) {
          $_SESSION['message'] = "Registration successful! "
                               . "Added $username to the database!";
          // redirect the user to welcome.php
          header('location: index.php');
        }
        else {
          $_SESSION['message'] = 'User could not be added to the database!';
        }
        $mysqli->close();
      }
      else {
        $_SESSION['message'] = 'File upload failed!';
      }
    }
    else {
      $_SESSION['message'] = 'Please only upload GIF, JPG or PNG images!';
    }
}
?>

This is my "config" code:

<?php
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '');
define('DB_NAME', 'employees');

/* Attempt to connect to MySQL database */
$mysqli = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection: the mysqli constructor never returns false, so the
// connection error has to be read from connect_error
if ($mysqli->connect_error) {
  die('ERROR: Could not connect. ' . $mysqli->connect_error);
}
?>

This is the code from the login page:

<?php
// Initialize the session
session_start();

// Check if the user is already logged in, if yes then redirect him to welcome page
if(isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true){
  header('location: dash.php');
  exit;
}

// Include config file
require_once 'config.php';

// Define variables and initialize with empty values
$username = $password = '';
$username_err = $password_err = '';

// Processing form data when form is submitted
if($_SERVER['REQUEST_METHOD'] == 'POST'){

  // Check if username is empty
  if(empty(trim($_POST['username']))){
    $username_err = 'Внесете Корисничко Име';
  } else{
    $username = trim($_POST['username']);
  }

  // Check if password is empty
  if(empty(trim($_POST['password']))){
    $password_err = 'Внесете Лозинка';
  } else{
    $password = trim($_POST['password']);
  }

  // Validate credentials
  if(empty($username_err) && empty($password_err)){
    // Prepare a select statement
    $sql = 'SELECT id, username, password, fullname, avatar, jobtitle FROM users WHERE username = ?';

    if($stmt = $mysqli->prepare($sql)){
      // Bind variables to the prepared statement as parameters
      $stmt->bind_param('s', $param_username);

      // Set parameters
      $param_username = $username;

      // Attempt to execute the prepared statement
      if($stmt->execute()){
        // Store result
        $stmt->store_result();

        // Check if username exists, if yes then verify password
        if($stmt->num_rows == 1){
          // Bind result variables
          $stmt->bind_result($id, $username, $hashed_password, $fullname, $avatar_path, $jobtitle);
          if($stmt->fetch()){
            if(password_verify($password, $hashed_password)){
              // Password is correct; the session was already started at the top of the file

              // Store data in session variables
              $_SESSION['loggedin'] = true;
              $_SESSION['id'] = $id;
              $_SESSION['username'] = $username;
              $_SESSION['fullname'] = $fullname;
              $_SESSION['avatar'] = $avatar_path;
              $_SESSION['jobtitle'] = $jobtitle;

              // Redirect user to welcome page
              header('location: dash.php');
              exit;
            } else{
              // Display an error message if password is not valid
              $password_err = 'Лозинката не е точна.';
            }
          }
        } else{
          // Display an error message if username doesn't exist
          $username_err = 'Не постои такво корисничко име';
        }
      } else{
        echo 'Упссс! Има некоја грешка. Обидетесе повторно.';
      }

      // Close statement
      $stmt->close();
    }
  }

  // Close connection
  $mysqli->close();
}
?>
Asked 27/11/2018 at 17:59, source: user
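The login page above already uses a prepared statement, and the register page can be brought to the same standard. The following is an added example, not code from the question: it rewrites the register INSERT with `prepare()`/`bind_param()` so that no user-controlled value is ever spliced into the SQL text, which removes the dependence on `real_escape_string()` and on the connection charset being set correctly. It assumes a `config.php` that defines `$mysqli` as in the question and that `session_start()` has been called before this code runs. Because the original also builds the on-disk path from the client-supplied upload name and trusts the client-supplied `type`, the example additionally checks the upload's real MIME type and generates its own file name (hypothetical `images/avatars/` directory, as in the question); that part goes beyond the SQL injection question itself.

```php
<?php
// Added example (not the asker's code): register.php with a prepared statement.
// Assumes config.php defines $mysqli as in the question and session_start() was called.
require_once 'config.php';

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Mapping of accepted image types to the extension we will give the stored file.
const ALLOWED_AVATAR_TYPES = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Raw form values: no escaping needed, the driver sends them separately from the SQL.
    $username = trim($_POST['username'] ?? '');
    $fullname = trim($_POST['fullname'] ?? '');
    $jobtitle = trim($_POST['jobtitle'] ?? '');
    $password = password_hash($_POST['password'] ?? '', PASSWORD_BCRYPT);

    $upload = $_FILES['avatar'] ?? null;
    if ($upload === null || $upload['error'] !== UPLOAD_ERR_OK) {
        $_SESSION['message'] = 'File upload failed!';
    } else {
        // Inspect the file content rather than trusting $_FILES['avatar']['type'],
        // which is supplied by the client.
        $mime = mime_content_type($upload['tmp_name']);
        if (!isset(ALLOWED_AVATAR_TYPES[$mime])) {
            $_SESSION['message'] = 'Please only upload GIF, JPG or PNG images!';
        } else {
            // Choose our own file name so the client-supplied name (which could carry
            // path separators or a script extension) never reaches the filesystem.
            $avatar_path = 'images/avatars/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_AVATAR_TYPES[$mime];

            if (!move_uploaded_file($upload['tmp_name'], $avatar_path)) {
                $_SESSION['message'] = 'File upload failed!';
            } else {
                try {
                    // Placeholders instead of interpolated values: the SQL text is fixed.
                    $stmt = $mysqli->prepare(
                        'INSERT INTO users (username, password, fullname, avatar, jobtitle) VALUES (?, ?, ?, ?, ?)'
                    );
                    $stmt->bind_param('sssss', $username, $password, $fullname, $avatar_path, $jobtitle);
                    $stmt->execute();
                    $stmt->close();

                    // Same session data as the original page, set only after the row was inserted.
                    $_SESSION['username'] = $username;
                    $_SESSION['avatar'] = $avatar_path;
                    $_SESSION['jobtitle'] = $jobtitle;
                    $_SESSION['message'] = "Registration successful! Added $username to the database!";
                    header('Location: index.php');
                    exit;
                } catch (mysqli_sql_exception $e) {
                    // Covers a duplicate username as well as any other database failure;
                    // the driver's message is kept out of the user-facing text.
                    $_SESSION['message'] = 'User could not be added to the database!';
                }
            }
        }
    }
    $mysqli->close();
}
```

With `bind_param()` the five values travel to the server as parameters of an already-parsed statement, so a username such as `x', 'y'); -- ` is stored verbatim as a string and cannot alter the query. The `$_SESSION['message']` texts and the redirect target are kept identical to the asker's page so it drops into the same flow.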