db_mysql.class.php 是从discuz拿的
global.func.php 包含:daddslashes 及 getgpc showmsg等函数<?php
require_once('../include/db_mysql.class.php');
$_GET = daddslashes($_GET, 1, TRUE);
$_POST = daddslashes($_POST, 1, TRUE);$user_name=getgpc('user_name');
$user_pwd=getgpc('user_pwd');判断用户名是否合法代码 $user_pwd=md5($user_pwd);
$row_num=$db->num_rows($db->query("select * from web_master where User_Name='$user_name' and User_Pwd='$user_pwd'"));
if($row_num>0)
{
$webmaster=$db->fetch_array($db->query("select * from web_master where User_Name='$user_name' and User_Pwd='$user_pwd'"));
if(!empty($webmaster['id'])&&$webmaster['User_Name']==$user_name&&$webmaster['User_Pwd']==$user_pwd)
{
$_SESSION['mayi_admin']=$user_name;
$db->query("update web_master set Login_IP='$onlineip',Login_Time=$timestamp where User_Name='$user_name'");
showmsg('','2','index.php');
}else{
$showerror='<tr><td colspan="2" align="center" class="red b">用户名或密码出错,请重新输入!</td></tr>';
}
}else{
$showerror='<tr><td colspan="2" align="center" class="red b">用户名或密码出错,请重新输入!</td></tr>';
}
请高手指点一下这样子操作是否安全?
global.func.php 包含:daddslashes 及 getgpc showmsg等函数<?php
require_once('../include/db_mysql.class.php');
$_GET = daddslashes($_GET, 1, TRUE);
$_POST = daddslashes($_POST, 1, TRUE);$user_name=getgpc('user_name');
$user_pwd=getgpc('user_pwd');判断用户名是否合法代码 $user_pwd=md5($user_pwd);
$row_num=$db->num_rows($db->query("select * from web_master where User_Name='$user_name' and User_Pwd='$user_pwd'"));
if($row_num>0)
{
$webmaster=$db->fetch_array($db->query("select * from web_master where User_Name='$user_name' and User_Pwd='$user_pwd'"));
if(!empty($webmaster['id'])&&$webmaster['User_Name']==$user_name&&$webmaster['User_Pwd']==$user_pwd)
{
$_SESSION['mayi_admin']=$user_name;
$db->query("update web_master set Login_IP='$onlineip',Login_Time=$timestamp where User_Name='$user_name'");
showmsg('','2','index.php');
}else{
$showerror='<tr><td colspan="2" align="center" class="red b">用户名或密码出错,请重新输入!</td></tr>';
}
}else{
$showerror='<tr><td colspan="2" align="center" class="red b">用户名或密码出错,请重新输入!</td></tr>';
}
请高手指点一下这样子操作是否安全?
$_SESSION['mayi_admin']=md5($user_name.$user_pwd.'常量');就安全多了。