我使用
SQL Inject Me Firefox插件扫描了我的登录脚本
原文链接:https://www.f2er.com/php/240303.html根据测试结果,我的脚本很容易受到sql注入攻击.以结果为例
Results: Server Status Code: 302 Found Tested value: 1' OR '1'='1 Server Status Code: 302 Found Tested value: 1' OR '1'='1 Server Status Code: 302 Found Tested value: 1 UNI/**/ON SELECT ALL FROM WHERE Server Status Code: 302 Found Tested value: %31%27%20%4F%52%20%27%31%27%3D%27%31
我的剧本
> login.PHP – 登录表单
> check-login.PHP – 检查登录详细信息,这是代码.
$email = clean($_ POST [‘username’]);
$pass = clean($_ POST [‘password’]);
$user =“select * from tbl_admin where admin =’$email’and pass =’$pass’”;
//一些代码
$_SESSION [‘login_mes’] =“您已成功登录!”;
标题( “位置:admin.PHP的”);
出口();
} else {
$_SESSION [‘login_mes’] =“无效的电子邮件地址或密码,请再试一次.”;
标题( “位置:login.PHP中”);
出口();
}
} else {
$_SESSION['login_mes'] = "Invalid email address or password,please try again.";
header("Location:login.PHP");
exit();
}
sql Inject Me没有检测到故障以及如何修复此部分?
