test.php
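<html>
<head>
<!-- Declare the encoding so the non-ASCII heading and button text render correctly. -->
<meta charset="utf-8">
<title>Login</title>
</head>
<body>
<h2>登录页面</h2>
<!--
  Login form: posts "username" and "password" to doLogin.php.
  The credentials travel in the request body, so the page and the handler
  should be served over HTTPS to keep them out of clear text on the wire.
-->
<form action="doLogin.php" method="post">
    <!-- The original username input was missing its closing ">", which swallowed the <br/>. -->
    username:<input type="text" name="username"><br/>
    password:<input type="password" name="password"><br/>
    <input type="submit" value="登录">
</form>
</body>
</html>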
doLogin.php
<?php
// Login handler, shown as the vulnerable "before" version: it builds the SQL
// text from request data and reports success when at least one row matches.
header("Content-type:text/html;charset=utf-8");
// NOTE(review): connects as root with an empty password; a login check only
// needs a least-privilege account with SELECT on the user table.
$mysqli = new mysqli('localhost', 'root', '', 'test');
// NOTE(review): errno/error describe the last statement error; connection
// failures are reported through connect_errno/connect_error, so this check
// likely never fires on a failed connection. Confirm against the PHP version in use.
if ($mysqli->errno) {
// The raw driver error text is echoed to the client here.
die('Connect Error ' . $mysqli->error);
}
$mysqli->set_charset('UTF8');
// Request field is used as-is: no presence, type or length check.
$username = $_POST['username'];
// NOTE(review): MD5 is fast and unsalted, so it is unsuited to password
// storage; password_hash()/password_verify() are the standard replacement.
$password = md5($_POST['password']);
// SQL injection: $username is interpolated into the statement text, so the
// client controls part of the query's structure, not just a value in it.
// $password is an MD5 hex digest and cannot carry quote characters, which
// leaves username as the injectable field. The fix is a prepared statement
// with bound parameters instead of string interpolation.
$sql = "SELECT * FROM user WHERE username='{$username}' AND password ='{$password}'";
$mysqli_result = $mysqli->query($sql);
// Any non-empty result set counts as a successful login; nothing checks that
// the returned row actually belongs to the submitted username.
if ($mysqli_result && $mysqli_result->num_rows > 0) {
echo "登录成功";
} else {
echo "登录失败";
}
?>

Paste_Image.png

Paste_Image.png

Paste_Image.png
预处理语句
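<?php
// Login handler using a prepared statement: the SQL text is fixed and the
// submitted username / password hash are sent as bound parameters, so request
// data can never alter the structure of the query.
header("Content-type:text/html;charset=utf-8");

// NOTE(review): connects as root with an empty password; a login check only
// needs a least-privilege account with SELECT on the user table.
$mysqli = new mysqli('localhost', 'root', '', 'test');

// Connection failures are reported through connect_errno/connect_error;
// errno/error only describe the last statement. On PHP 8.1+ the default
// mysqli report mode throws mysqli_sql_exception instead, so this branch is
// the fallback for configurations where exceptions are turned off.
if ($mysqli->connect_errno) {
    // Keep driver details in the server log rather than sending them to the client.
    error_log('Connect Error ' . $mysqli->connect_error);
    die('Connect Error');
}
$mysqli->set_charset('UTF8');

// Missing fields, or array-valued fields such as username[]=..., are treated
// as a failed login instead of raising warnings or conversion errors.
$username = $_POST['username'] ?? null;
$rawPassword = $_POST['password'] ?? null;

$authenticated = false;
if (is_string($username) && is_string($rawPassword)) {
    // NOTE(review): MD5 is kept only because the stored column is compared
    // against an MD5 digest; it is fast and unsalted, so the table should be
    // migrated to password_hash()/password_verify().
    $password = md5($rawPassword);

    $sql = "SELECT * FROM user WHERE username=? AND password=?";
    $mysqli_stmt = $mysqli->prepare($sql);
    if ($mysqli_stmt === false) {
        // prepare() returns false when exceptions are disabled; calling
        // bind_param() on false would be a fatal error.
        error_log('Prepare failed: ' . $mysqli->error);
    } else {
        $mysqli_stmt->bind_param('ss', $username, $password);
        if ($mysqli_stmt->execute()) {
            // Buffer the result so num_rows is available.
            $mysqli_stmt->store_result();
            $authenticated = $mysqli_stmt->num_rows > 0;
        }
        // Free the result set
        $mysqli_stmt->free_result();
        // Close the prepared statement
        $mysqli_stmt->close();
    }
}

// Fail closed: anything other than a matching row is reported as a failed login.
echo $authenticated ? "登录成功" : "登录失败";

// Close the connection
$mysqli->close();
?>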

Paste_Image.png