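<?php
// Login page used as a SQL-injection teaching demo: the "zy" checkbox toggles whether the
// untrusted username is escaped before it is spliced into the query string.
// NOTE(review): assumes common.php has already called session_start() and that db.php
// sets $GLOBALS['DB'] to a mysql_* link resource — confirm. The mysql_* extension was
// removed in PHP 7.0; mysqli/PDO with prepared statements is the real fix for this query.
header('Content-Type: text/html; charset=utf-8'); // the original sent a malformed "charset=utf8" header line
include('./common.php');
include('db.php');
include('functions.php');

$isLoggedIn = isset($_SESSION['isLogin']) && $_SESSION['isLogin'] == 1;

if ($isLoggedIn) {
    // Already logged in: show who, with a usable logout link (the original anchor had no text).
    echo htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8') . '您已經登陸了'
        . '<a href="logout.php">登出</a>';
} else {
?>
<form action="inject.php" method="post">
    <input type="checkbox" name="zy" value="1"/>開啓防止注入
    <input type="text" name="username" value=""/>
    <input type="password" name="password" value=""/>
    <input type="submit" value="登陸" name="login"/>
</form>
<?php
    if (isset($_POST['login'])) {
        $username = isset($_POST['username']) ? $_POST['username'] : '';
        // The stored hash is md5 (hex output, so this value cannot break out of the quotes);
        // md5 is still a weak password hash — password_hash()/password_verify() is the modern choice.
        $password = md5(isset($_POST['password']) ? $_POST['password'] : '');

        if (isset($_POST['zy']) && $_POST['zy'] == 1) {
            // Protected path: use the connection-aware escaper; addslashes() is not charset-aware
            // and is not the escaping the database driver expects.
            $username = mysql_real_escape_string($username, $GLOBALS['DB']);
        }
        // Otherwise the username goes into the query unescaped — the injectable path this lab demonstrates.

        $sql = 'select * from user where username = "' . $username . '" and password = "' . $password . '"';
        $result = mysql_query($sql, $GLOBALS['DB']);

        if ($result && mysql_num_rows($result) > 0) {
            $row = mysql_fetch_assoc($result);
            // Keep the row's fields available to other pages, but never store the password hash
            // in the session; merge rather than replacing $_SESSION wholesale as the original did.
            unset($row['password']);
            foreach ($row as $key => $value) {
                $_SESSION[$key] = $value;
            }
            $_SESSION['isLogin'] = 1;
            echo '登陸成功';
        } else {
            // The original echoed $sql here (and var_dump'ed $_POST above), which disclosed the
            // query text and the submitted password and reflected raw input into the page.
            echo '登陸失敗';
        }
    }
}
?>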