Possible Duplicate:
Best way to stop SQL Injection in PHP
我的登录脚本正被黑入(黑入可以绕过登录进入成员部分)。
以下是我的登录 :
<form action="<?php echo $_SERVER[ PHP_SELF ]?>" method="post">
<table width="450px"><tr><td>
<?php
if(isset($_POST[ login ]))
{
$user= mysql_real_escape_string($_POST[ username ]);
$user22 = strip_tags($user);
$pass= mysql_real_escape_string($_POST[ password ]);
$pass2 = strip_tags($pass);
$pass1 = md5($pass2);
$mod = 1 ;
$sql = "SELECT * FROM users WHERE username= ".$user22." AND password = ".$pass1." ";
$result = mysql_query($sql) or die(mysql_error());
$battle_get = mysql_fetch_array($result);
if ( $battle_get[ mod ] == 1 ) {
$month = time() + 3600*24*30;
$hour = time() + 3600*1*1;
$LastLogin = date( l, M d, Y H:i:s );
$_SESSION[ user ] = $_POST[ username ];
setcookie("save_user", stripslashes(htmlentities($user22)), $hour);
setcookie("save_pass", stripslashes(htmlentities($user22)), $month);
$username = stripslashes(htmlentities($user22));
$result = mysql_query("UPDATE users SET LastLogin = $LastLogin WHERE username= $username ");
header("location: home.php");
}
}
?></td></tr></table>
<ul><li class="topper" style="width:410px;"></li>
<table>
<tr><td>Username</td><td><input type="text" name="username" id="textfield"></td></tr>
<tr><td>Password</td><td><input type="password" name="password" id="textfield"></td></tr>
</table><li class="bottomer" style="width:410px;"></li></ul>
<table><tr><td><input type="submit" name="login" value="login" id="button"></td></tr></table>
</form>
在我的配置文件中,我有一个代码 阻止用户更改每个登录的IP等 。
if(isset($_SESSION[ last_ip ]) == false){
$_SESSION[ last_ip ] = $_SERVER[ REMOTE_ADDR ];
}
if ($_SESSION[ last_ip ] !== $_SERVER[ REMOTE_ADDR ]){
session_unset();
session_destroy();
}
if(empty($_SESSION[ user ])){
echo"Please login into the rpg first" ;
die;
}
我在每个页面上插入配置文件(上面的代码), 如果是空的话, 用户将无法在网站旁查看... 黑客告诉我他正在使用 Sql 进入......
我做错什么了?