这个SQL查询有什么问题?

时间:2020-12-22 00:09:18

Okay I have two variables in PHP

好的,我在PHP中有两个变量

$username;
$password;

which are initialized to the data retrieved from $_POST variable :)

它被初始化为从$ _POST变量中检索的数据:)

I have this SQL query

我有这个SQL查询

$sql = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "')";

But this doesn't works and returns me nothing :(

但这不起作用,并没有给我任何回报:(

Can you instruct me into the right direction. Please?

你能指导我走向正确的方向吗?请?

8 个解决方案

#1


The query has a closing parenthesis on the end for no reason, it won't work.

查询在结尾处有一个右括号,没有任何理由,它将无法工作。

#2


What's wrong with it?

它出什么问题了?

Everything, unfortunately. In particular it's open to SQL injection attacks.

不幸的是,一切。特别是它对SQL注入攻击持开放态度。

If that's a verbatim cut&paste, then the reason it's not actually working is a trailing closing bracket. Presumably you're not checking for errors when you call this?

如果这是一个逐字剪切和粘贴,那么它实际上不工作的原因是一个尾随的结束括号。大概你在打电话的时候没有检查错误?

Using the base MySQL API it should be:

使用基础MySQL API应该是:

$sth = $db->prepare("SELECT COUNT(*) FROM users WHERE username = ? AND password = ?");
$sth->execute($username, $password);
list($count) = $sth->fetchrow();
$authorized = ($count > 0);

or similar (code untested, E&OE, etc...)

或类似的(代码未经测试,E&OE等...)

#3


eeek! sql injection for one!

eeek! sql注入一个!

EDIT: What's your favorite "programmer" cartoon?

编辑:你最喜欢的“程序员”卡通是什么?

#4


Why is there a stray ) at the end of your query? It shouldn't be there.

为什么在查询结束时有一个流浪?它不应该存在。

Oh, and thirded on SQL injection. BAD.

哦,并注意到SQL注入。坏。

#5


First of all, never, ever do it like this. Please read about SQL injection and don't write any SQL until you have understood what it says. Sorry, but this is really essential.

首先,永远不要这样做。请阅读有关SQL注入的内容,除非您理解它的内容,否则不要编写任何SQL。对不起,但这非常重要。

That said, your query contains a closing bracket. That looks like a syntax error. Do you get an error executing it?

也就是说,您的查询包含一个结束括号。这看起来像语法错误。执行它会出错吗?

#6


There's an extra parenthesis on the right hand side of the query.

查询的右侧有一个额外的括号。

Also, if you do not sanitize your code properly you're going to be vulnerable to SQL injection. You should really be using parameterized queries, but in lieu of that at least use mysql_real_escape_string() on $username and $password.

此外,如果您没有正确清理代码,那么您将容易受到SQL注入攻击。你应该真的使用参数化查询,但至少在$ username和$ password上使用mysql_real_escape_string()代替。

Also, as a bit of ghost debugging, it's very possible that your passwords are MD5 hashed in the database, since you should never store them in plain text.

此外,作为一些鬼调试,你的密码很可能是数据库中的MD5哈希值,因为你永远不应该以纯文本形式存储它们。

Try:

$username = mysql_real_escape_string($_POST["username"]);
$password = md5($_POST["password"]);

$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";

#7


You seem to have an excess closing parenthesis at the end of your query string.

您的查询字符串末尾似乎有一个多余的右括号。

[Edit] - for those screaming SQL injection attacks: we don't know what the user has done with their variables before using them in the query. How about benefit of doubt? ;-)

[编辑] - 对于那些尖叫的SQL注入攻击:在查询中使用它们之前,我们不知道用户对其变量做了什么。怀疑的好处怎么样? ;-)

#8


In addition to all the other problems noted. The Password in the Users table is stored encrypted. Unless you've run the Password through the MySQL password encryptor, you will never see any data from this query as the passwords won't match.

除了提到的所有其他问题。 Users表中的密码以加密方式存储。除非您通过MySQL密码加密器运行密码,否则您将永远不会看到此查询中的任何数据,因为密码不匹配。

#1


The query has a closing parenthesis on the end for no reason, it won't work.

查询在结尾处有一个右括号,没有任何理由,它将无法工作。

#2


What's wrong with it?

它出什么问题了?

Everything, unfortunately. In particular it's open to SQL injection attacks.

不幸的是,一切。特别是它对SQL注入攻击持开放态度。

If that's a verbatim cut&paste, then the reason it's not actually working is a trailing closing bracket. Presumably you're not checking for errors when you call this?

如果这是一个逐字剪切和粘贴,那么它实际上不工作的原因是一个尾随的结束括号。大概你在打电话的时候没有检查错误?

Using the base MySQL API it should be:

使用基础MySQL API应该是:

$sth = $db->prepare("SELECT COUNT(*) FROM users WHERE username = ? AND password = ?");
$sth->execute($username, $password);
list($count) = $sth->fetchrow();
$authorized = ($count > 0);

or similar (code untested, E&OE, etc...)

或类似的(代码未经测试,E&OE等...)

#3


eeek! sql injection for one!

eeek! sql注入一个!

EDIT: What's your favorite "programmer" cartoon?

编辑:你最喜欢的“程序员”卡通是什么?

#4


Why is there a stray ) at the end of your query? It shouldn't be there.

为什么在查询结束时有一个流浪?它不应该存在。

Oh, and thirded on SQL injection. BAD.

哦,并注意到SQL注入。坏。

#5


First of all, never, ever do it like this. Please read about SQL injection and don't write any SQL until you have understood what it says. Sorry, but this is really essential.

首先,永远不要这样做。请阅读有关SQL注入的内容,除非您理解它的内容,否则不要编写任何SQL。对不起,但这非常重要。

That said, your query contains a closing bracket. That looks like a syntax error. Do you get an error executing it?

也就是说,您的查询包含一个结束括号。这看起来像语法错误。执行它会出错吗?

#6


There's an extra parenthesis on the right hand side of the query.

查询的右侧有一个额外的括号。

Also, if you do not sanitize your code properly you're going to be vulnerable to SQL injection. You should really be using parameterized queries, but in lieu of that at least use mysql_real_escape_string() on $username and $password.

此外,如果您没有正确清理代码,那么您将容易受到SQL注入攻击。你应该真的使用参数化查询,但至少在$ username和$ password上使用mysql_real_escape_string()代替。

Also, as a bit of ghost debugging, it's very possible that your passwords are MD5 hashed in the database, since you should never store them in plain text.

此外,作为一些鬼调试,你的密码很可能是数据库中的MD5哈希值,因为你永远不应该以纯文本形式存储它们。

Try:

$username = mysql_real_escape_string($_POST["username"]);
$password = md5($_POST["password"]);

$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";

#7


You seem to have an excess closing parenthesis at the end of your query string.

您的查询字符串末尾似乎有一个多余的右括号。

[Edit] - for those screaming SQL injection attacks: we don't know what the user has done with their variables before using them in the query. How about benefit of doubt? ;-)

[编辑] - 对于那些尖叫的SQL注入攻击:在查询中使用它们之前,我们不知道用户对其变量做了什么。怀疑的好处怎么样? ;-)

#8


In addition to all the other problems noted. The Password in the Users table is stored encrypted. Unless you've run the Password through the MySQL password encryptor, you will never see any data from this query as the passwords won't match.

除了提到的所有其他问题。 Users表中的密码以加密方式存储。除非您通过MySQL密码加密器运行密码,否则您将永远不会看到此查询中的任何数据,因为密码不匹配。