jQuery Ajax和Sanitization

Question

我有这个问题，我还没有找到解决办法。例如，我目前正在使用jQuery通过Ajax将数据发布到我编写的PHP脚本中。当我对Ajax请求发送的数据使用mysql_real_escape_string()时，用户名将被完全简化为零，密码将在MD5中重新散列。我的完整代码如下所示。我认为这是mysql_real_escape_string()的一个问题，因为如果从两个输入中删除函数，表单就会无缝工作。以前有没有人遇到过这个问题，或者知道有什么解决办法？谢谢!

编辑:同时，数据被传递给两个字段的脚本，我已经用echo print_r($_POST, true);确认了这一点

login.php:

<?php
function dbConnect() {
    $db = new mysqli("", "", "", "");
    return $db;
}
$username = mysql_real_escape_string($_POST["username"]);
$sanPass = mysql_real_escape_string($_POST["password"]);
$password = md5($sanPass);
$db = dbConnect();
$query = "SELECT * FROM `users` WHERE `username`='$username' AND `password`='$password';";
$res = $db->query($query);
$num = mysqli_num_rows($res);
if ($num == 0) {
    echo "incorrect u=" . $username . " p=" . $password;
} else {
    $row = $res->fetch_assoc();
    $uuid = uniqid(rand(0, 10000));
    setcookie("jBootUsername", $username);
    setcookie("jBootUUID", $uuid);
    setcookie("jBootIP", $_SERVER["REMOTE_ADDR"]);
    $ip = $_SERVER["REMOTE_ADDR"];
    $query = "INSERT INTO `sessions` (username, cookie, ip) VALUES ('$username', '$uuid', '$ip');";
    $db->query($query);
    echo "success";
}
?>

login.js:

$(document).ready(function() {


var $body = $('body'),
    $content = $('#content'),
    $form = $content.find('#loginform');


    //IE doen't like that fadein
    if(!$.browser.msie) $body.fadeTo(0,0.0).delay(500).fadeTo(1000, 1);


    $("input").uniform();


    $form.wl_Form({
        status:false,
        onBeforeSubmit: function(data){
            $form.wl_Form('set','sent',false);
            if(data.username || data.password){
                $.ajax({
                  type: "POST",
                  url: 'functions/login.php',
                  data: 'username=' + data.username + '&password=' + data.password + '',
                  success: function(data) {
                    if (data == "success") {
                        document.location="home.php";
                    } else {
                        alert(data);
                        $.wl_Alert("Login invalid, please try again.",'info','#content');
                    }
                  }
                });
            }else{
                $.wl_Alert('Please provide both a username and password to login.','info','#content');
            }
            return false;

        }                             
    });


});

Answer 1

1. 您正在使用mysqli，所以mysql_real_escape_string()。取而代之的是使用$mysqli->prepare()
2. Anyways，，或者更好的是在连接到数据库之前使用mysql_real_escape_string()来准备您的查询，因此它返回FALSE。但这只是为了防止你使用mysql_*

更新：

交换mysqli_real_escape_string()中的参数时，需要首先传递$link标识符，然后将变量作为第二个传递。

无论如何，您最好准备并绑定param：

$db = dbConnect();
$username = $_POST['username'];
$password = md5($_POST['password']);
$sql = "SELECT * FROM `users` WHERE `username`= ? AND `password`= ?;"
$stmt = $db->prepare($sql);
$stmt->bind_param('ss', $username, $password);
$stmt->execute();
if($stmt->num_rows == 0)
{
 echo "incorrect username and/or password";
}
else
{
  $row = $stmt->fetch_assoc();
   //...
}