PHP登陆的问题

<?php
mysql_connect("localhost","root","123");
mysql_select_db("test");
$sql='select user,pwd from table where user="'.$_POST['user'].'" and pwd="'.$_POST['password'].'";
$result = mysql_query($sql);
$row = mysql_num_rows($result);
if($row != 0)
{
header(.......);
........

解决方案 »

免费领取超大流量手机卡，每月29元包185G流量+100分钟通话, 中国电信官方发货

LZ写的基本解决了。
但是对于SQL，需要从表单里取值的，都要用mysql_escape_string函数提防SQL注入危险。
<?php
mysql_connect("localhost","root","123");
mysql_select_db("test");
$sql='select user,pwd from table where user="'.mysql_escape_string($_POST['user']).'" and pwd="'.mysql_escape_string$_POST['password']).'";
$result = mysql_query($sql);
$row = mysql_num_rows($result);
if($row != 0)
{
header(.......);
........
$sql="select user,pwd from table where user=".$_POST['user'];
对于防注入,其实在整个项目的一个全局文件里面统一处理下$_POST和$_GET就可以了.$_POST = sql_injection($_POST);
$_GET = sql_injection($_GET);function sql_injection($content)
{
if (!get_magic_quotes_gpc()) {
if (is_array($content)) {
foreach ($content as $key=>$value) {
$content[$key] = addslashes($value);
}
} else {
addslashes($content);
}
}
return $content;
}