实例演绎pdo在用户登录环节是怎么防sql注入及实战预处理与会话跟踪
16lz
2021-08-23
实例演绎pdo在用户登录环节是怎么防sql注入的?
$sql = 'SELECT `username`,`password` FROM `user` WHERE `username`= ? AND `password`=? ; ';//占位符来构成预处理语句$stmt = $pdo->prepare( $sql );//准备要执行的预处理语句,并返回语句对象$stmt->execute( [$username, $password] );//执行预处理语句$res = $stmt->fetch();if ( $res ){//验证通过 存session$_SESSION['username'] = $res['username'];echo json_encode( array( 'status'=>1, 'msg'=>'登录成功...正在跳转' ), 320 );exit;}echo json_encode( array( 'status'=>0, 'msg'=>'用户名或密码错误' ), 320 );
写一个小实战,实现预处理与会话跟踪?
一个前端页面显示文件,一个后端处理文件
后端文件实现预处理与会话跟踪
<?phpsession_start();require 'config.php';$username = !empty( $_POST['username'] ) && isset( $_POST['username'] ) ? $_POST['username']:null;$password = !empty( $_POST['password'] ) && isset( $_POST['password'] ) ? md5( $_POST['password'] ):null;$code = !empty( $_POST['code_value'] ) && isset( $_POST['code_value'] ) ? $_POST['code_value'] :null;//请求分发器 type 1登录验证 2 验证码验证 3退出登录$type = isset( $_REQUEST['type'] ) && !empty( $_REQUEST['type'] ) ? intval( $_REQUEST['type'] ):null;switch( $type ){case 1://检测用户是否存在$sql = 'SELECT `username`,`password` FROM `user` WHERE `username`= ? AND `password`=? ; ';$stmt = $pdo->prepare( $sql );$stmt->execute( [$username, $password] );$res = $stmt->fetch();if ( $res ){//验证通过 存session$_SESSION['username'] = $res['username'];echo json_encode( array( 'status'=>1, 'msg'=>'登录成功...正在跳转' ), 320 );exit;}echo json_encode( array( 'status'=>0, 'msg'=>'用户名或密码错误' ), 320 );break;case 2://将session中的验证码和用户提交的验证码进行核对, 当成功时提示验证码正确,并销毁之前的session值, 不成功则重新提交 strcasecmpif ( !empty( $code ) && strtolower( $_SESSION['code'] ) === strtolower( $code ) ) {$_SESSION['code'] = '';echo json_encode( ['status'=>1, 'msg'=>'验证码正确'], 320 );exit;}echo json_encode( ['status'=>0, 'msg'=>'验证码不正确'], 320 );break;// 退出登录case 3:// 清空session变量session_unset();// 删除session文件session_destroy();header( 'Location: /demo.php' );break;default:echo json_encode( ['status'=>520, 'msg'=>'非法参数访问'], 320 );break;}
前端页面
<?session_start()?><!DOCTYPE html><html lang = 'en'><head><meta charset = 'utf-8' /><title>用户登录</title><meta name = 'viewport' content = 'width=device-width, initial-scale=1.0' /><meta name = 'description' content = 'Premium Bootstrap 4 Landing Page Template' /><meta name = 'keywords' content = 'bootstrap 4, premium, marketing, multipurpose' /><meta content = 'Themesdesign' name = 'author' /><!-- css --><link href = 'login/static/bootstrap.min.css' rel = 'stylesheet' type = 'text/css' /><!--Themify Icon --><link href = 'login/static/style.css' rel = 'stylesheet' type = 'text/css' /></head><body><section class = 'bg-login d-flex align-items-center'><div class = 'container'><div class = 'row justify-content-center mt-4'><div class = 'col-lg-4'><nav><?php if (!isset($_SESSION['username']) || empty($_SESSION['username'])): ?><div class = 'bg-white p-4 rounded'><div class = 'text-center'><h4 class = 'fw-bold mb-3'>用户登录</h4></div><div class = 'row login-form'><div class = 'col-lg-12 mt-2'><input type="text" name="username" class = 'form-control' placeholder="用户名" autofocus></div><div class = 'col-lg-12 mt-2'><input type="password" name="password" class = 'form-control' placeholder="请输入密码" ></div><div class = 'col-lg-12 mt-2'><input type = 'code' class = 'form-control' placeholder = '验证码' required = '' name="code" id="code" style = 'float: left; width:55%;'><label class = 'form-check-label'><img src = 'login/code.php' onclick="this.src='login/code.php?id='+ Math.random();" height = '40px' style="margin: auto 10px;vertical-align: bottom; cursor:pointer" alt = '点击刷新'></label><span id="error_msg"> </span></div><div class = 'col-lg-12 mt-2'><div class = 'form-check'><input class = 'form-check-input' style = 'color: red;' type = 'checkbox' value = '' id = 'flexCheckDefault'><label class = 'form-check-label' for = 'flexCheckDefault'>记住</label></div></div><div class = 'col-lg-12 mt-3 mb-4'><button type ="button" class = 'btn btn-primary w-100' name="btn">登录</button></div><div class = 'txet-center'><p class = 'mb-0 mt-2 text-center'><a href = 'password_forget.html' class = 'text-dark fw-bold'>忘记密码 ?</a></p></div></div></div><div class = 'text-center mt-3'><p><small class = 'text-white mr-2'>未注册用户 ?</small> <a href = 'reg.html'class = 'text-white fw-bold'>创建账号</a></p></div><?php else : ?><div class = 'text-center'><h4 class = 'fw-bold mb-3'>您以成功登录</h4><a href="javascript:;"><?=$_SESSION['username']?></a> <a href="login/login.php?type=3">退出</a></div><?php endif ?></nav></div></div></div></section><!-- javascript --><script type = 'text/javascript' src = "https://cdn.bootcss.com/jquery/3.3.1/jquery.min.js"></script><script type="text/javascript">//登录$('button[name="btn"]').click(function(){var data = {};data.username =$.trim($('input[name="username"]').val()) ;data.password = $.trim($('input[name="password"]').val());data.type = 1;var code = $.trim($('input[name="code"]').val())if(data.username == '' || data.password == '' || code == ''){alert('必选项不能为空哦~');return;}$.post('login/login.php',data,function(res){if(res.status == 1){alert(res.msg);//用户验证通过 跳转首页setTimeout(()=>location.href = 'demo.php',500);}else{alert(res.msg);}},"json")})//使用ajax异步验证 验证码$('input[name="code"]').keyup(function(){var data={};data.code_value = $.trim($(this).val());data.type = 2;if(data.code_value == ''){$("#error_msg").html("<span style='color:green'>验证码不能为空</span>")return;}$.post('login/login.php',data,function(res){if(res.status == 1){$("#error_msg").html("<span style='color:green'>验证码正确</span>")}else{$("#error_msg").html("<span style='color:red'>验证码错误</span>")}},"json")})</script></body></html>
更多相关文章
- 配置ssh远程登录sshd服务器
- 配置SSH密码登录
- php 登录注册
- PHP:【商城后台管理系统】部署管理员未登录拦截,进行重定向
- PHP:【商城后台管理系统】admin超级管理员后台登录界面部署
- 【RS】H3C设备 配置SSH登录
- mysql之pdo预处理与sql防注入
- 【PHP会话控制】理解会话控制cookie和session详解(附自动登录案例
- PHP:PDO预处理机制在防SQL注入的作用/PDO CURD预处理/PDO预处理