I'm trying to learn SQL for logging in users, and I've now got some open-source code so that I can learn more of the language and try to learn from the example. SQL code for user login.
Now I can't figure out the localhost part; I mean I want to add the table (named user), and I only added 3 details:
Name | Data Type | Default Value | Is Primary Key? | Is Identity? | Allow Nulls
Localhost | nvarchar | Null -------- | No ------------ | No --------- | Yes
user | nvarchar | Null -------- | No ------------ | No --------- | Yes
pass | nvarchar | Null -------- | No ------------ | No --------- | Yes
The --- is not part of the code, it's just there to line up the table :).
Anyway, here is my code:
<?php
// Start the session before any output: $_SESSION is used after login below.
session_start();

// Edit your mssql info here
// BEGIN MSSQL INFO
$CONFIG['host'] = "localhost";
$CONFIG['user'] = "sa";
$CONFIG['pass'] = "server";
// END MSSQL INFO
//----------------------------- DO NOT EDIT ANYTHING BELOW HERE !!!!! ------------------------------------
// Note: the mssql_* extension was removed in PHP 7; this code needs PHP 5.x with ext/mssql.
$CONFIG['conn'] = mssql_connect($CONFIG['host'], $CONFIG['user'], $CONFIG['pass']);

// Strips a fixed list of SQL keywords/characters from the input, then escapes it.
// sql_regcase() is deprecated/removed, so the case-insensitive match is done with the /i modifier instead.
function anti_injection($sql) {
$sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i", "", $sql);
$sql = trim($sql);
$sql = strip_tags($sql);
$sql = addslashes($sql);
return $sql;
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Test</title>
</head>
<body>
<?php
if(isset($_GET['action']) && ($_GET['action'] == "login")){
// Guard against missing POST fields so the page does not emit "undefined index" notices.
$user = anti_injection(isset($_POST['user']) ? $_POST['user'] : '');
$pass = anti_injection(isset($_POST['pass']) ? $_POST['pass'] : '');
$crypt_pass = md5($pass);
$result1 = mssql_query("SELECT * FROM account.dbo.user_profile WHERE user_id = '".$user."'");
$count1 = mssql_num_rows($result1);
$result2 = mssql_query("SELECT user_pwd FROM account.dbo.user_profile WHERE user_id = '".$user."'");
$row2 = mssql_fetch_row($result2);
if($count1 == '0') {
echo '<br>This game account is not found in the database.';
}
elseif($row2[0] != $crypt_pass) {
echo '<br>Wrong password. Try again.';
}
// This branch can never be reached: $count1 == '0' is already handled by the first if.
elseif($_GET['login'] != 'login' && $count1 == '0') {
echo '<br>Login Error, Please login again.';
} else {
// Begin secure content
$_SESSION['user'] = $user;
echo "<h3>Welcome, ".htmlspecialchars($_SESSION['user'])."</h3>";
echo "<br>";
echo "Your content here";
// Don't forget to end your session
// session_destroy();
// End secure content
}
} else {
// $_SERVER keys are upper-case (PHP_SELF, not php_self); escape it before echoing into HTML.
echo '<h2>Login here</h2><br />
<form name="" action="'.htmlspecialchars($_SERVER['PHP_SELF']).'?action=login" method="post">
Name: <input type="text" name="user" maxlength="16"><br />
Password: <input type="password" name="pass" maxlength="16"> <br />
<input type="submit" value="Login!">
</form>';
}
?>
</body>
</html>
As I said, I really don't know how to make the connection between the table and the code.
Can you explain it?
Your code should work.. what error are you getting? – 2013-04-05 21:36:58
Why are you rolling your own code to prevent SQL injection instead of just using parameters (http://stackoverflow.com/questions/6744490/add-parameters-to-a-php-mssql-query)? – Pondlife 2013-04-05 21:40:19
Also check whether magic quotes are turned off for your account. If not, this wrapper will double the number of quotes around each variable. – 2013-04-05 22:10:28
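The following is an added example, not code from the question or from any of the commenters. It shows what Pondlife's comment means in practice: the same login check against account.dbo.user_profile, but with the user-supplied value bound as a query parameter instead of being passed through anti_injection(). Assumptions: the PDO_SQLSRV driver is installed (the DSN string is assumed), the table has the question's user_id and user_pwd columns, and user_pwd stores a password_hash() value rather than an md5() digest; the register() helper is hypothetical and only shows how such a row would be created.

```php
<?php
// Added example: parameterized login check (not the question's or any commenter's code).
// Assumptions (not from the question): PDO_SQLSRV is available, and user_pwd holds
// a password_hash() result instead of md5($pass).
declare(strict_types=1);

session_start();

// Same host/user/pass as the question's $CONFIG; the sqlsrv DSN format is an assumption.
$pdo = new PDO(
    'sqlsrv:Server=localhost;Database=account',
    'sa',
    'server',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

/**
 * Returns true only when a row with this user_id exists AND the submitted
 * password matches its stored hash. The value of $user never becomes part of
 * the SQL text: it is sent to the server separately as a bound parameter, so
 * quotes, "--", ";" or keywords inside it cannot change the statement. That is
 * why no keyword-stripping filter and no addslashes() call are needed here.
 */
function login(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare(
        'SELECT user_pwd FROM account.dbo.user_profile WHERE user_id = :user'
    );
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: verify against a dummy hash anyway so the response time
    // does not reveal whether the account exists (constructed dummy value).
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    }
    $hash = ($row === false) ? $dummyHash : (string) $row['user_pwd'];
    $ok = password_verify($pass, $hash);

    return $row !== false && $ok;
}

/** Hypothetical helper: create an account with a salted, slow hash instead of md5(). */
function register(PDO $pdo, string $user, string $pass): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO account.dbo.user_profile (user_id, user_pwd) VALUES (:user, :pwd)'
    );
    $stmt->execute([
        ':user' => $user,
        ':pwd'  => password_hash($pass, PASSWORD_DEFAULT),
    ]);
}

if (isset($_GET['action']) && $_GET['action'] === 'login') {
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';

    if (login($pdo, $user, $pass)) {
        session_regenerate_id(true);        // fresh session id once authenticated
        $_SESSION['user'] = $user;
        // Escape on output: the name came from the browser and is echoed back into HTML.
        echo '<h3>Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</h3>';
    } else {
        // One message for both "no such user" and "wrong password", so the
        // login form does not confirm which account names exist.
        echo '<br>Login failed. Check your name and password.';
    }
}
```

Because the parameter is bound rather than spliced into the string, there is also no escaping layer for magic quotes to interfere with: the doubled-quote problem raised in the last comment only arises when addslashes() is applied to input that magic_quotes_gpc has already escaped.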