briedis (June 16, 2011):
It looks like you lack an understanding of simple, basic things, or you just can't bring yourself to think a little...
xPtv45z (June 17, 2011):
```
array(1) {
  ["733e425d35f0c18d93714ced3773b815"]=>
  string(0) ""
}
```
And where in this do you see $_GET['akey']? I, for one, see $_GET['733e425d35f0c18d93714ced3773b815'].
ziedinjsh (thread author, June 17, 2011):
Well, ok..
```php
$email = $_GET['email'];
$hash  = $_GET['hash'];
// escape the user-supplied values before interpolating them into the query
$sql = mysql_query("SELECT * FROM akeys WHERE email='" . mysql_real_escape_string($email) . "' AND hash='" . mysql_real_escape_string($hash) . "' AND status='0'") or die(mysql_error());
if (mysql_num_rows($sql) == '1') {
    // escape again when echoing the values back into HTML
    echo "
    <form method='post' action='misc/register.php'>
        <p>Nosukums<input type='text' name='name' class=''></p>
        <p>Epasts<input type='text' name='email' value='" . htmlspecialchars($email) . "' class=''></p>
        <p>Parole<input type='password' name='pass' class=''></p>
        <p>Parole 2x<input type='password' name='pass2' class=''></p>
        <p>Biogrāfija<textarea name='biografy'></textarea></p>
        <input type='text' name='hash' value='" . htmlspecialchars($hash) . "' class=''>
        <p><input type='submit' name='register' value='Reģistrēties' class=''></p>
    </form>
    ";
} else {
    echo 'Kods ir aizņemts';
}
```
```
array(2) {
  ["email"]=>
  string(16) "email@gmail.com"
  ["hash"]=>
  string(33) "e00da03b685a0dd18fb6a08af0923de0/"
}
```
It still shows "Kods ir aizņemts" ("code is taken"). Or do those input fields need to be in the place where the "Kods ir aizņemts" text is?
xPtv45z (June 17, 2011):
And do you have such an email with the matching hash in the database?
ziedinjsh (thread author, June 17, 2011):
Yep:
```
17  e00da03b685a0dd18fb6a08af0923de0  email@gmail.com  0
```
Kemito (June 17, 2011):
To compare a parameter against the database, use a parameter + value, where the value is the code and the parameter is a constant, i.e. the idea is manslinks.lv?param=23455gfg5b6456b35; after sending it, put "23455gfg5b6456b35" into the database and check it from the GET. Good lord.
indoom (June 17, 2011):
> ["hash"]=> string(33) "e00da03b685a0dd18fb6a08af0923de0/" }
> Yep, 17 e00da03b685a0dd18fb6a08af0923de0 email@gmail.com 0

Don't you see the difference between the hashes?
Faks (June 17, 2011, edited):
A personally built invite system :: personal pride in myself and what I've done :: 312 lines of code :) Only invite_name_generator was taken half-finished, but rewritten about 70% for my needs :) so it can already be called my own work :). By the way, there is 1 trial here with 10 invites, and after that it goes by invite from another user's key and invitation name :) This is what it all really looks like :)
```php
<?php
if ($_SESSION['logged_in']) {
    if ($_SESSION['rights'] <= 3) {
        echo $redirect;
    } elseif ($_SESSION['rights'] == 4) {
        echo $redirect;
    }
} else {
    //Invite Code Generator
    function invite_code_generator() {
        $rand_id_invite = rand(10,100);
        $multiply_id_invite = $rand_id_invite * 20;
        $uniqid_id_invite_random = uniqid(microtime($multiply_id_invite));
        $uniqid_id_invite_encrypt = sha1($uniqid_id_invite_random);
        return $uniqid_id_invite_encrypt;
    }

    function invite_name_generator() {
        //Invite Name Generator
        $length = 20;
        $validCharacters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789+-*#&@!?";
        $validuniqid = uniqid(microtime(rand(20,$validCharacters)));
        $validCharNumber = strlen($validuniqid);
        $result = "";
        for ($i = 0; $i < $length; $i++) {
            $index = mt_rand(20, $validCharNumber);
            $result .= $validCharacters[$index];
        }
        return $result;
    }

    $name = $_POST['nick'];
    $name = mysql_real_escape_string($_POST['nick']);
    $name = htmlentities($_POST['nick']);
    $name = trim($_POST['nick']);
    $name = stripslashes($_POST['nick']);
    $name = addslashes($_POST['nick']);

    $pass = $_POST['password'];
    $pass = mysql_real_escape_string($_POST['password']);
    $pass = htmlentities($_POST['password']);
    $pass = trim($_POST['password']);
    $pass = stripslashes($_POST['password']);
    $pass = addslashes($_POST['password']);
    $pass = sha1($_POST['password']);

    $reason = $_POST['reason'];
    $reason = mysql_real_escape_string($_POST['reason']);
    $reason = htmlentities($_POST['reason']);
    $reason = trim($_POST['reason']);
    $reason = stripslashes($_POST['reason']);
    $reason = addslashes($_POST['reason']);

    $invite_name = $_POST['invite_name'];
    $invite_name = mysql_real_escape_string($_POST['invite_name']);
    $invite_name = htmlentities($_POST['invite_name']);
    $invite_name = trim($_POST['invite_name']);
    $invite_name = stripslashes($_POST['invite_name']);
    $invite_name = addslashes($_POST['invite_name']);

    $invite_code = $_POST['invite_code'];
    $invite_code = mysql_real_escape_string($_POST['invite_code']);
    $invite_code = htmlentities($_POST['invite_code']);
    $invite_code = trim($_POST['invite_code']);
    $invite_code = stripslashes($_POST['invite_code']);
    $invite_code = addslashes($_POST['invite_code']);

    $user_invite_code = $_POST['user_invite_code'];
    $user_invite_code = mysql_real_escape_string($_POST['user_invite_code']);
    $user_invite_code = htmlentities($_POST['user_invite_code']);
    $user_invite_code = trim($_POST['user_invite_code']);
    $user_invite_code = stripslashes($_POST['user_invite_code']);
    $user_invite_code = addslashes($_POST['user_invite_code']);
    $user_invite_code = invite_code_generator();

    $user_invite_name = $_POST['user_invite_name'];
    $user_invite_name = mysql_real_escape_string($_POST['user_invite_name']);
    $user_invite_name = htmlentities($_POST['user_invite_name']);
    $user_invite_name = trim($_POST['user_invite_name']);
    $user_invite_name = stripslashes($_POST['user_invite_name']);
    $user_invite_name = addslashes($_POST['user_invite_name']);
    $user_invite_name = invite_name_generator();

    $select_check_invite = ("SELECT invite_name,invite_code,COUNT(invite_code) FROM user WHERE invite_name = 'Anonymous' AND invite_code = '3bca474ce5eca0d89554533159f9fe9ff6a26577' ");
    $query_check_invite = mysql_query($select_check_invite) or die(mysql_error());
    $check_valid_invite = mysql_fetch_array($query_check_invite);

    if ($check_valid_invite['COUNT(invite_code)'] != 5) {
        if (isset($_POST['Submit'])) {
            if (isset($_POST['invite_name']) && isset($_POST['invite_code'])) {
                if ($check_valid_invite['invite_name'] != $_POST['invite_name'] && $check_valid_invite['invite_code'] != $_POST['invite_code']) {
                    echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'>
                        <tr><td> Please Enter Valid Invitation Name & Valid Invitation Code </td></tr>
                        </table><p>";
                } elseif ($check_valid_invite['invite_name'] != $_POST['invite_name']) {
                    echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'>
                        <tr><td> Please Enter Valid Invitation Name </td></tr>
                        </table><p>";
                } elseif ($check_valid_invite['invite_code'] != $_POST['invite_code']) {
                    echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'>
                        <tr><td> Please Enter Valid Invitation Code </td></tr>
                        </table><p>";
                } elseif ($check_valid_invite['invite_name'] == $_POST['invite_name'] && $check_valid_invite['invite_code'] == $_POST['invite_code']) {
                    mysql_query("INSERT INTO user (nick,password,reason,invite_name,invite_code,user_invite_name,user_invite_code)
                        VALUES ('".$name."','".$pass."','".$reason."','".$invite_name."','".$invite_code."','".$user_invite_name."','".$user_invite_code."') ");
                    echo $redirect;
                }
            }
        }
        echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'>
            <tr><td>
            <form method='post'>
            <label for='nick'>Name:</label> <br />
            <input name='nick' type='text' value='Please Enter User Name !' size='50' /> <p>
            <label for='password'>Password:</label> <br />
            <input name='password' type='password' size='50' /> <p>
            <label for='invite_name'><a href='#' class='tooltip'>Invitation Name:<span>Bound To Invitation Code</span></a> {$check_valid_invite['invite_name']}</label> <br />
            <input name='invite_name' type='text' value='Please Enter Invitation Name!' size='50' /> <p>
            <label for='invite_code'><a href='#' class='tooltip'>Invitation Code:<span>Bound To Invitation Name</span></a> {$check_valid_invite['invite_code']}</label> <br />
            <input name='invite_code' type='text' value='Please Enter Invitation Code !' size='50' /> <p>
            <label for='reason'>What Is Your Reason Joining Our Cause ?</label> <br />
            <textarea name='reason' cols='50' rows='10'>Please Enter Reason of your Joining !</textarea> <p>
            <input type='submit' name='Submit' value='Submit' />
            <input type='reset' name='Reset' value='Reset' />
            </form>
            </td></tr>
            </table>";
    } else {
        $name = $_POST['nick'];
        $name = mysql_real_escape_string($_POST['nick']);
        $name = htmlentities($_POST['nick']);
        $name = trim($_POST['nick']);
        $name = stripslashes($_POST['nick']);
        $name = addslashes($_POST['nick']);

        $pass = $_POST['password'];
        $pass = mysql_real_escape_string($_POST['password']);
        $pass = htmlentities($_POST['password']);
        $pass = trim($_POST['password']);
        $pass = stripslashes($_POST['password']);
        $pass = addslashes($_POST['password']);
        $pass = sha1($_POST['password']);

        $reason = $_POST['reason'];
        $reason = mysql_real_escape_string($_POST['reason']);
        $reason = htmlentities($_POST['reason']);
        $reason = trim($_POST['reason']);
        $reason = stripslashes($_POST['reason']);
        $reason = addslashes($_POST['reason']);

        $invite_name = $_POST['invite_name'];
        $invite_name = mysql_real_escape_string($_POST['invite_name']);
        $invite_name = htmlentities($_POST['invite_name']);
        $invite_name = trim($_POST['invite_name']);
        $invite_name = stripslashes($_POST['invite_name']);
        $invite_name = addslashes($_POST['invite_name']);
        $invite_name = invite_name_generator();

        $invite_code = $_POST['invite_code'];
        $invite_code = mysql_real_escape_string($_POST['invite_code']);
        $invite_code = htmlentities($_POST['invite_code']);
        $invite_code = trim($_POST['invite_code']);
        $invite_code = stripslashes($_POST['invite_code']);
        $invite_code = addslashes($_POST['invite_code']);
        $invite_code = invite_code_generator();

        $user_invite_name = $_POST['user_invite_name'];
        $user_invite_name = mysql_real_escape_string($_POST['user_invite_name']);
        $user_invite_name = htmlentities($_POST['user_invite_name']);
        $user_invite_name = trim($_POST['user_invite_name']);
        $user_invite_name = stripslashes($_POST['user_invite_name']);
        $user_invite_name = addslashes($_POST['user_invite_name']);

        $user_invite_code = $_POST['user_invite_code'];
        $user_invite_code = mysql_real_escape_string($_POST['user_invite_code']);
        $user_invite_code = htmlentities($_POST['user_invite_code']); // key name had a stray trailing space in the posted version
        $user_invite_code = trim($_POST['user_invite_code']);
        $user_invite_code = stripslashes($_POST['user_invite_code']);
        $user_invite_code = addslashes($_POST['user_invite_code']);

        $select_user_invite = sprintf('SELECT user_invite_name,user_invite_code,COUNT(user_invite_code) FROM user WHERE user_invite_name = "%s" AND user_invite_code = "%s" ', $user_invite_name, $user_invite_code);
        $query_user_invite = mysql_query($select_user_invite) or die(mysql_error());
        $check_user_invite = mysql_fetch_array($query_user_invite);

        if ($check_user_invite['COUNT(user_invite_code)'] != 5) {
            $select_check_invite = sprintf('SELECT invite_name,invite_code,COUNT(invite_code) FROM user WHERE invite_name = "%s" AND invite_code = "%s" ', $user_invite_name, $user_invite_code);
            $query_check_invite = mysql_query($select_check_invite) or die(mysql_error());
            $check_valid_invite = mysql_fetch_array($query_check_invite);

            if ($check_user_invite['user_invite_code'] == $check_valid_invite['invite_code'] && $check_valid_invite['COUNT(invite_code)'] == 1 && $check_user_invite['COUNT(user_invite_code)'] != 5) {
                if (isset($_POST['Submit'])) {
                    if (isset($_POST['user_invite_name']) && isset($_POST['user_invite_code'])) {
                        if ($check_user_invite['user_invite_name'] != $_POST['user_invite_name'] && $check_user_invite['user_invite_code'] != $_POST['user_invite_code']) {
                            echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'>
                                <tr><td> Please Enter Valid Invitation Name & Valid Invitation Code </td></tr>
                                </table><p>";
                        } elseif ($check_user_invite['user_invite_name'] != $_POST['user_invite_name']) {
                            echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'>
                                <tr><td> Please Enter Valid Invitation Name </td></tr>
                                </table><p>";
                        } elseif ($check_user_invite['user_invite_code'] != $_POST['user_invite_code']) {
                            echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'>
                                <tr><td> Please Enter Valid Invitation Code </td></tr>
                                </table><p>";
                        } elseif ($check_user_invite['user_invite_name'] == $_POST['user_invite_name'] && $check_user_invite['user_invite_code'] == $_POST['user_invite_code']) {
                            mysql_query("INSERT INTO user (nick,password,reason,invite_name,invite_code,user_invite_name,user_invite_code)
                                VALUES ('".$name."','".$pass."','".$reason."','".$user_invite_name."','".$user_invite_code."','".$invite_name."','".$invite_code."') ");
                            echo $redirect;
                        }
                    }
                }
                echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'>
                    <tr><td>
                    <form method='post'>
                    <label for='nick'>Name:</label> <br />
                    <input name='nick' type='text' value='Please Enter User Name !' size='50' /> <p>
                    <label for='password'>Password:</label> <br />
                    <input name='password' type='password' size='50' /> <p>
                    <label for='user_invite_name'><a href='#' class='tooltip'>Invitation Name:<span>Bound To Invitation Code</span></a></label> <br />
                    <input name='user_invite_name' type='text' value='Please Enter Invitation Name!' size='50' /> <p>
                    <label for='user_invite_code'><a href='#' class='tooltip'>Invitation Code:<span>Bound To Invitation Name</span></a></label> <br />
                    <input name='user_invite_code' type='text' value='Please Enter Invitation Code !' size='50' /> <p>
                    <label for='reason'>What Is Your Reason Joining Our Cause ?</label> <br />
                    <textarea name='reason' cols='50' rows='10'>Please Enter Reason of your Joining !</textarea> <p>
                    <input type='submit' name='Submit' value='Submit' />
                    <input type='reset' name='Reset' value='Reset' />
                    </form>
                    </td></tr>
                    </table>";
            } else {
                echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'>
                    <tr><td> Validation Name & Validation Code usage limit reached </td></tr>
                    </table>".$refresh;
            }
        } else {
            echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'>
                <tr><td> Validation Name & Validation Code usage limit reached </td></tr>
                </table>".$refresh;
        }
    }
}
?>
```
Edited June 17, 2011 by Faks
nemakuphp (June 17, 2011):
Faks, I fell off my chair laughing at your code :D
```php
$name = $_POST['nick'];
$name = mysql_real_escape_string($_POST['nick']);
$name = htmlentities($_POST['nick']);
$name = trim($_POST['nick']);
$name = stripslashes($_POST['nick']);
$name = addslashes($_POST['nick']);
```
And it's like this all the way through. In reality only 1 operation is performed on $_POST['nick'] - addslashes. The others change nothing, because with every subsequent operation you overwrite the previous one.
Faks (June 17, 2011):
> Faks, I fell off my chair laughing at your code :D
> And it's like this all the way through. In reality only 1 operation is performed on $_POST['nick'] - addslashes. The others change nothing, because with every subsequent operation you overwrite the previous one.

That's the joke: this is the clean and correct anti-inject variant. If you write it differently there'll be an injection hole, so it wouldn't hurt you to learn a bit yourself, or ask briedis....
nemakuphp (June 17, 2011):
Where did I mention anything about SQL injections? I was talking about how you process your $_POST variables.
daGrevis (June 17, 2011):
Nonsense! Why don't you say "ask grevis"?!
rATRIJS (June 17, 2011):
IMO this topic should be pinned somewhere. I'd gladly re-read all of this from time to time...
Val (June 18, 2011):
> personal pride in myself and what I've done

Yes, one can tell.
ziedinjsh (thread author, June 18, 2011):
> Don't you see the difference between the hashes?

In the $_GET it has a slash at the end, but in the database it doesn't.
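The approach the replies converge on (Kemito's fixed parameter name with the key as its value, and a lookup that cannot be confused by the trailing slash found above), written out as an added example; it is not code from anyone in this thread. It assumes an `akeys` table shaped like the row ziedinjsh posted (id, hash, email, status) and uses PDO with an in-memory SQLite database so it runs on its own.

```php
<?php
// Added example, not code from the thread: fixed parameter names, the key as the value,
// a strict format check and prepared statements. Assumes an "akeys" table shaped like
// the row posted above (id, hash, email, status); all data below is constructed.
declare(strict_types=1);
function make_akey_table(): PDO {
    // In-memory SQLite so the example runs stand-alone.
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE akeys (id INTEGER PRIMARY KEY, hash TEXT NOT NULL UNIQUE, email TEXT NOT NULL, status INTEGER NOT NULL DEFAULT 0)');
    return $db;
}
function new_akey(PDO $db, string $email): string {
    // 32 hex chars from a CSPRNG: same width as the thread's md5-style keys,
    // but not derived from anything predictable such as the email or the time.
    $hash = bin2hex(random_bytes(16));
    $st = $db->prepare('INSERT INTO akeys (hash, email, status) VALUES (:hash, :email, 0)');
    $st->execute([':hash' => $hash, ':email' => $email]);
    return $hash;
}
// Returns the matching unused row or null. A malformed key (such as the trailing
// slash in the thread) is reported as such instead of surfacing as "code taken".
function find_unused_akey(PDO $db, string $email, string $hash): ?array {
    if (!preg_match('/\A[0-9a-f]{32}\z/', $hash)) {
        throw new InvalidArgumentException('activation key has the wrong format');
    }
    $st = $db->prepare('SELECT id, email, hash FROM akeys WHERE email = :email AND hash = :hash AND status = 0');
    $st->execute([':email' => $email, ':hash' => $hash]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
// Marks the key used in the same statement that re-checks it, so two racing
// requests cannot both redeem it.
function redeem_akey(PDO $db, int $id): bool {
    $st = $db->prepare('UPDATE akeys SET status = 1 WHERE id = :id AND status = 0');
    $st->execute([':id' => $id]);
    return $st->rowCount() === 1;
}
$db  = make_akey_table();
$key = new_akey($db, 'email@gmail.com');
try {
    find_unused_akey($db, 'email@gmail.com', $key . '/');   // the thread's trailing-slash case
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
$row = find_unused_akey($db, 'email@gmail.com', $key);
var_dump($row !== null && redeem_akey($db, (int) $row['id']));  // first redemption
var_dump(redeem_akey($db, (int) $row['id']));                    // second attempt on a used key
```

The format check runs before the query, so the mismatch debugged in this thread is reported as a malformed key rather than as the generic "code taken" message.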