Snaip3Rs, posted March 23, 2011:

I tried everything I knew and searched Google, but surely you will be able to tell me! So I log in, and the password and username are stored in the session. Then I go to the page where a topic can be created, and I want the user not to have to type their own name: it should take the username from the session and post it in automatically. In my opinion the line that has to change is the one with $username=$_POST['username'];

$topic=$_POST['topic'];
$detail=$_POST['detail'];
$username=$_POST['username'];
$email=$_POST['email'];
$datetime=date("d/m/y h:i:s"); // create date time
$sql="INSERT INTO $tbl_name (topic, detail, username, email, datetime) VALUES ('$topic', '$detail', '$username', '$email', '$datetime')";
$result=mysql_query($sql);
rATRIJS, posted March 23, 2011:

And what exactly did you try? Is it really that hard to find? http://uk2.php.net/manual/en/book.session.php
daGrevis, posted March 23, 2011:

$username = $_SESSION['user']['username'];
wintermute, posted March 23, 2011:

If you have an authenticated user, then what you store in the session is not the username but the uid or an auth_key. And what kind of idiotic piece of code is that?! You neither check whether the values exist, nor protect yourself against injections.
Snaip3Rs (Author), posted March 23, 2011:

If you want to see the whole long code, here it is! And I don't know how to protect it; the one safe thing is that only registered users can post! :)

<?php
session_start();

// get the data sent from the form
$topic=$_POST['topic'];
$detail=$_POST['detail'];
$username=$_POST['username'];
$email=$_POST['email'];
$datetime=date("d/m/y h:i:s"); // create date time

$sql="INSERT INTO $tbl_name (topic, detail, username, email, datetime) VALUES ('$topic', '$detail', '$username', '$email', '$datetime')";
$result=mysql_query($sql);

if($result){
    echo "Successful<BR>";
    echo "<a href=main_forum.php>View your topic</a>";
}
else {
    echo "ERROR";
}
mysql_close();
?>
rATRIJS, posted March 23, 2011:

If that is all there is in that file, then anyone who wants to can create topics there. Registered or not...
rebuilder, posted March 23, 2011:

Besides, if you don't know how to avoid injections, then anyone can take the site down even at registration or login. :D
Snaip3Rs (Author), posted March 24, 2011:

But how can they take it down if they can't log in, since my password is hashed with md5 and this code is at the start of every page!

<?php
// Initialize session
session_start();

// Check: if the username session is NOT set, then this page will jump to the login page
if (!isset($_SESSION['username'])) {
    header('Location: login.php');
    exit; // without exit, the rest of the page still executes after the redirect header is sent
}
?>
mounkuls, posted March 24, 2011:

But if you set $_SESSION['username']=$_POST['username'], as it currently looks, what the hell kind of security is that? Anyone, from any host and any post form, will pour in whatever they want. Besides, globally "username" is a common enough variable name, and any bot will produce them by the sackful.
Snaip3Rs (Author), posted March 24, 2011:

What should I do then?
mounkuls, posted March 24, 2011:

Simply validate all the POST data before inserting it into the database. Not all users will be honest enough not to send SQL injections.
mad182, posted March 24, 2011:

http://php.net/manual/en/function.mysql-real-escape-string.php
http://php.net/manual/en/function.isset.php
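Pulling the thread's advice together, here is an added example (not code from any poster) of what the topic-creation page looks like when identity comes from the session, POST data is validated, and the query is parameterised. It assumes login.php has already verified the password and stored the user's id and username in $_SESSION['user'], that the table is called topics with the columns used in the thread, and it uses mysqli prepared statements in place of the removed mysql_* functions; the connection details are placeholders.

```php
<?php
// Added example, not from the thread. Assumes login.php stored the
// authenticated user's id and username in $_SESSION['user'].
session_start();

// Gate: only logged-in users may post. The exit after header() matters;
// without it the rest of the script still runs for anonymous requests.
if (!isset($_SESSION['user']['id'])) {
    header('Location: login.php');
    exit;
}

// Identity comes from the session, never from the form.
$username = $_SESSION['user']['username'];

// Validate the form fields before touching the database.
$topic  = trim($_POST['topic'] ?? '');
$detail = trim($_POST['detail'] ?? '');
$email  = trim($_POST['email'] ?? '');

if ($topic === '' || $detail === '' || mb_strlen($topic) > 200) {
    http_response_code(400);
    exit('Topic and detail are required (topic at most 200 characters).');
}
if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid e-mail address.');
}

// Placeholder connection details; mysqli replaces the removed mysql_* API.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    exit('Database connection failed.');
}

// Prepared statement: user input travels as bound parameters, so quotes in
// $topic or $detail cannot change the SQL. The timestamp is set by MySQL.
$stmt = $db->prepare(
    'INSERT INTO topics (topic, detail, username, email, datetime) VALUES (?, ?, ?, ?, NOW())'
);
$stmt->bind_param('ssss', $topic, $detail, $username, $email);

if ($stmt->execute()) {
    echo 'Successful<br><a href="main_forum.php">View your topic</a>';
} else {
    echo 'ERROR';
}
$stmt->close();
$db->close();
```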