Sql-injection-safe-php: Unterschied zwischen den Versionen
Zeile 9: | Zeile 9: | ||
mysqli_set_charset($link, "utf8"); | mysqli_set_charset($link, "utf8"); | ||
if($link === false){ | if($link === false){ | ||
− | + | echo(mysqli_connect_error()); | |
− | + | die("ERROR: Could not connect. " . mysqli_connect_error()); | |
− | + | } | |
− | |||
− | + | ||
− | + | //unsafe query | |
− | + | $search = $_POST['search']; | |
− | $search = | ||
//Database search | //Database search | ||
$sql = "SELECT * FROM users WHERE username='$search'"; | $sql = "SELECT * FROM users WHERE username='$search'"; | ||
− | + | mysqli_multi_query($link, $sql); | |
} | } | ||
?> | ?> | ||
Zeile 32: | Zeile 30: | ||
<input type="text" name="search"><br> | <input type="text" name="search"><br> | ||
<input type="submit" name="submit" value="Suche"> | <input type="submit" name="submit" value="Suche"> | ||
− | </form> | + | </form> |
<br> | <br> | ||
<table border = "1"> | <table border = "1"> | ||
Zeile 41: | Zeile 39: | ||
</tr> | </tr> | ||
<?php | <?php | ||
− | while ($row = mysqli_fetch_row($result)) { | + | |
− | + | do{ | |
− | + | if ($result = mysqli_store_result($link)){ | |
− | + | while ($row = mysqli_fetch_row($result)) { | |
− | + | echo "<tr>"; | |
− | + | echo "<td>".$row[0]." </td>"; | |
+ | echo "<td>".$row[1]." </td>"; | ||
+ | echo "<td>".$row[2]." </td><br>"; | ||
+ | echo "</tr>"; | ||
+ | } | ||
} | } | ||
+ | |||
+ | }while (mysqli_more_results($link)); | ||
?> | ?> | ||
− | + | </table> | |
− | + | </body> | |
</html> | </html> | ||
+ | |||
+ | |||
</pre> | </pre> |
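Review bot: The new revision builds the query as `$sql = "SELECT * FROM users WHERE username='$search'"` from the raw `$_POST['search']` value and runs it through `mysqli_multi_query()`, which executes stacked statements, so a search term can leave the quoted literal and append further statements; the `//unsafe query` comment suggests this is the deliberate negative example, but since the page is titled "safe" the value should otherwise be bound through a prepared statement. In the third hunk, `mysqli_store_result($link)` runs on every request while `$link` is only assigned inside the `isset($_POST['submit'])` branch, so a plain GET reaches it undefined. The same hunk echoes `$row[0]`, `$row[1]` and `$row[2]` into the table unescaped; each cell should pass through `htmlspecialchars()` so database content is never rendered as markup. The rewritten query and result loop below replace the `mysqli_multi_query` / `mysqli_more_results` pair with a single prepared statement.
```php
// … unchanged: connection setup …
$search = $_POST['search'];
$stmt = mysqli_prepare($link, "SELECT * FROM users WHERE username=?");
mysqli_stmt_bind_param($stmt, 's', $search);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
// … unchanged: HTML form and table header …
if (isset($result) && $result !== false) {
    while ($row = mysqli_fetch_row($result)) {
        echo "<tr>";
        echo "<td>" . htmlspecialchars($row[0]) . " </td>";
        echo "<td>" . htmlspecialchars($row[1]) . " </td>";
        echo "<td>" . htmlspecialchars($row[2]) . " </td><br>";
        echo "</tr>";
    }
}
```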
Version vom 11. September 2023, 11:44 Uhr
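<?php
declare(strict_types=1);

// Demo page: search the "users" table by username.
// The search term arrives from the HTML form below ($_POST['search']) and is
// untrusted, so it is passed to MySQL as a bound parameter rather than being
// interpolated into the SQL text.
$result = null;

if (isset($_POST['submit'])) {
    define('DB_SERVER', '127.0.0.1');
    define('DB_USERNAME', 'xinux');
    define('DB_PASSWORD', 'suxer');
    define('DB_NAME', 'sql_injections');

    $link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
    // Check the connection before touching it: on failure there is no link
    // to set a charset on, and mysqli_connect_error() already carries the
    // reason, so a single die() is enough.
    if ($link === false) {
        die("ERROR: Could not connect. " . mysqli_connect_error());
    }
    mysqli_set_charset($link, "utf8");

    // Safe query: the user input never becomes part of the SQL string.
    // One statement is prepared and the value is bound as a string, so it
    // can neither close the quoted literal nor append further statements.
    $search = (string) ($_POST['search'] ?? '');
    $stmt = mysqli_prepare($link, "SELECT * FROM users WHERE username=?");
    if ($stmt === false) {
        die("ERROR: Could not prepare query. " . mysqli_error($link));
    }
    mysqli_stmt_bind_param($stmt, 's', $search);
    if (mysqli_stmt_execute($stmt) === false) {
        die("ERROR: Could not execute query. " . mysqli_stmt_error($stmt));
    }
    // mysqli_stmt_get_result() requires the mysqlnd driver.
    $result = mysqli_stmt_get_result($stmt);
}
?>
<!DOCTYPE html>
<html>
<body>
<h2>SQL Injection</h2>
<form method="post">
    <label for="fname">Suche</label><br>
    <input type="text" name="search"><br>
    <input type="submit" name="submit" value="Suche">
</form>
<br>
<table border = "1">
    <tr>
        <td>ID</td>
        <td>Name</td>
        <td>Passwort</td>
    </tr>
<?php
// Rows are only rendered after a search ran; on a plain GET there is no
// connection and no result set, so nothing below may assume one.
if ($result instanceof mysqli_result) {
    while ($row = mysqli_fetch_row($result)) {
        // Escape every cell: column values come from the database and must
        // not be written into the HTML as markup.
        $cells = array_map(
            static fn ($value): string => htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
            [$row[0] ?? '', $row[1] ?? '', $row[2] ?? ''],
        );
        echo "<tr>";
        echo "<td>" . $cells[0] . " </td>";
        echo "<td>" . $cells[1] . " </td>";
        echo "<td>" . $cells[2] . " </td><br>";
        echo "</tr>";
    }
    mysqli_free_result($result);
}
?>
</table>
</body>
</html>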