我使用
SQL Inject Me Firefox插件扫描了我的登录脚本
根据测试结果,我的脚本很容易受到sql注入攻击.以结果为例
Results: Server Status Code: 302 Found Tested value: 1' OR '1'='1 Server Status Code: 302 Found Tested value: 1' OR '1'='1 Server Status Code: 302 Found Tested value: 1 UNI/**/ON SELECT ALL FROM WHERE Server Status Code: 302 Found Tested value: %31%27%20%4F%52%20%27%31%27%3D%27%31
我的剧本
> login.PHP – 登录表单
> check-login.PHP – 检查登录详细信息,这是代码.
$email = clean($_ POST [‘username’]);
$pass = clean($_ POST [‘password’]);
$user =“select * from tbl_admin where admin =’$email’and pass =’$pass’”;
//一些代码
$_SESSION [‘login_mes’] =“您已成功登录!”;
标题( “位置:admin.PHP的”);
出口();
} else {
$_SESSION [‘login_mes’] =“无效的电子邮件地址或密码,请再试一次.”;
标题( “位置:login.PHP中”);
出口();
}
} else { $_SESSION['login_mes'] = "Invalid email address or password,please try again."; header("Location:login.PHP"); exit(); }
sql Inject Me没有检测到故障以及如何修复此部分?