waplet (posted September 21, 2008):

```php
$uname = htmlspecialchars($uname);
echo " <CENTER>Персонаж <B><?=$uname?></B> не найден в базе</CENTER>";
```

As you can see, $uname is supposedly defined with the special chars, but the alert still pops up! How do I fix this?

werd (posted September 21, 2008):

What alert?

waplet (posted September 21, 2008, edited September 21, 2008 by waplet):

Well, I have it like this: there is a link that looks like inf.php?uname=... , and when I enter inf.php?uname=<script>alert(1)</script> , it pops up 1. In the source it looks like this:

<CENTER>Персонаж <B><script>alert(1)</script></B> не найден в базе</CENTER>

but in the PHP code it is this:

echo " <CENTER>Персонаж <B><?=$uname?></B> не найден в базе</CENTER>";

P.S. I hope you understand, but as mentioned above, $uname goes through htmlspecialchars, yet it runs as if it did not!

werd (posted September 21, 2008):

From what I understand, you want the HTML not to execute; you can achieve that with strip_tags.

Val (posted September 21, 2008):

What you need is $_GET['uname']...

andrisp (posted September 22, 2008):

Supposedly his $uname already contains that text, so it makes no difference whether it is $uname or $_GET['uname']. waplet, show the full code if you can. Well, at least all the code from where $uname is obtained up to the actual printing.

waplet (posted September 22, 2008, edited September 22, 2008 by waplet):

```php
<?session_start();
$unhide_id="unhide";
$hide_id="hide";
include ("db_config.php");
include_once('func.php');
$moder_status = 0;
if ((session_is_registered('login')) && ($login != '')) {
    $result1 = mysql_query("SELECT * FROM players WHERE Username = '$login'");
    $result = mysql_fetch_array($result1);
    $ClanID = $result[ClanID];
    $LevelV = $result[Level];
    if ( (($ClanID != 9) && (($ClanID == 9) || ($ClanID == 9) || ($ClanID == 9) || ($ClanID == 9) || ($ClanID == 9) || ($ClanID == 9) || ($ClanID == 9) || ($ClanID == 9) || ($ClanID == 9) ||($ClanID == 9) || ($ClanID == 9)))
        && (($uname != 'Банкомат1') && ($uname != 'Bingo1') && ($uname != '1Кассир') && ($uname != '12') && ($uname != '1') && ($uname != '1') && ($uname != '2') && ($uname != '3')) ) {
        $moder_status = $ClanID;
    }
    if (($login == 'Slaya4a') || ($login == 'w4p13337') || ($login == 'Slay4aa') || ($login == 'Slaya4a') || ($login == 'Bin1gо')) {
        $moder_status = '1';
    }
    if ((($uname == 'Slay4aa') || ($uname == 'w4p13337') || ($uname == 'Slay4aa')) && ($uname == $login)) {
        $moder_status = '1';
    }
}
$NetwarsVIP = mysql_query("SELECT * FROM vip WHERE Username = '$uname'",$db);
$NetwarsVIP = mysql_fetch_array($NetwarsVIP);
if ($NetwarsVIP){
    if (($NetwarsVIP['Link'] != '')&&($moder_status != 1)&&($uname != $login)){
        header("Location: ".$NetwarsVIP['Link']."");
    }
}
$Player_name = $uname;
include ("func_get_info.php");
//echo "city=$City";
if ((!$City) && ($reply == 1)) {
    $uname = htmlspecialchars($uname);
    echo "
<HTML><HEAD>
<TITLE>Last Century Wars - Player not exists</TITLE>
<link rel=\"SHORTCUT ICON\" href=\"favicon.ico\">
<link rel=stylesheet type=\"text/css\" href=\"main.css\">
<meta content=\"text/html; charset=windows-1251\" http-equiv=Content-type>
<META Http-Equiv=Cache-Control Content=\"no-cache, max-age=0, must-revalidate, no-store\">
<meta http-equiv=PRAGMA content=NO-CACHE>
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=windows-1251\">
<META Http-Equiv=Expires Content=0>
<script src='main.js'></SCRIPT>
<script>
function thing_info(thing) { window.open('thing.php?thing='+thing); }
</SCRIPT>
</HEAD>
<body bgcolor=#DDDDCC>
<CENTER>Персонаж <B><?=$uname?></B> не найден в базе</CENTER>";
```

Here is the full code :)

andrisp (posted September 22, 2008):

Btw, where does that $uname of yours come from? Are you using register_globals? Either way, it all should have worked. Look in the rendered source (View source in the browser) at how that <CENTER>Персонаж <B><?=$uname?></B> не найден в базе</CENTER> looks there.

p4F (posted September 22, 2008):

```php
<CENTER>Персонаж <B><?=htmlspecialchars($uname);?></B> не найден в базе</CENTER>
```

waplet (posted September 22, 2008):

p4F, that is exactly how I had written it. I look at the source, and it is still <CENTER>Персонаж <B><script>alert(1)</script></B> не найден в базе</CENTER>

bubu (posted September 22, 2008):

I suggest starting by setting the register_globals ini parameter to 0.

waplet (posted September 22, 2008, edited September 22, 2008 by waplet):

And finish with what? And could something also stop working, if I have it based on cookies there?

p4F (posted September 22, 2008):

http://google.lv
http://php.net
http://dev.mysql.com/

Read the manuals, download some e-books, start learning already.

waplet (posted September 22, 2008):

With register_globals set to off, it shows that there is no cookie and that there is no such user in the db!

Val (posted September 22, 2008):

Then the code needs to be rewritten _properly_

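Added example (not code from any poster in this thread): one way to write the "player not found" output so that it does not depend on register_globals and escapes the name at the point of output. It assumes PHP 7 or later and a source file saved as windows-1251, matching the charset the page declares; the function names read_uname and render_not_found are hypothetical.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Read the parameter explicitly from the query string instead of relying on
// register_globals, so $uname cannot be set or overwritten by a cookie,
// POST field or session variable of the same name.
function read_uname(array $query): string
{
    $raw = $query['uname'] ?? '';
    // inf.php?uname[]=x delivers an array; treat that as "no name given".
    return is_string($raw) ? $raw : '';
}

// Escape where the value is written into HTML, using the charset the page
// declares in its meta tag (assumption: the file itself is windows-1251).
function render_not_found(string $uname): string
{
    $safe = htmlspecialchars($uname, ENT_QUOTES, 'Windows-1251');
    // Build the markup by concatenation: a short echo tag placed inside a
    // quoted PHP string is plain text and is never evaluated as PHP.
    return '<CENTER>Персонаж <B>' . $safe . '</B> не найден в базе</CENTER>';
}

// Constructed request arrays standing in for $_GET, including the value
// from the thread, a name with HTML metacharacters, and an array value.
$samples = [
    ['uname' => '<script>alert(1)</script>'],
    ['uname' => 'Tom & "Jerry"'],
    ['uname' => ['nested']],
    [],
];

foreach ($samples as $query) {
    echo render_not_found(read_uname($query)), "\n";
}
```

In the real script the call would be render_not_found(read_uname($_GET)); the login name would likewise be read from $_SESSION rather than from a global created by register_globals.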