briedis Posted June 16, 2011
It looks like you lack an understanding of simple basic things, or you just can't bring yourself to think a little...
xPtv45z Posted June 17, 2011
array(1) { ["733e425d35f0c18d93714ced3773b815"]=> string(0) "" }
And where do you see $_GET['akey'] in that? I, for one, see $_GET['733e425d35f0c18d93714ced3773b815']
ziedinjsh (Author) Posted June 17, 2011
Well, OK..

$email = $_GET['email'];
$hash  = $_GET['hash'];
// values are escaped before being placed in the query; the raw copies are kept for the form
$sql = mysql_query("SELECT * FROM akeys WHERE email='" . mysql_real_escape_string($email) . "' AND hash='" . mysql_real_escape_string($hash) . "' AND status='0'") or die(mysql_error());
if (mysql_num_rows($sql) == 1) {
    echo "
    <form method='post' action='misc/register.php'>
        <p>Nosukums<input type='text' name='name' class=''></p>
        <p>Epasts<input type='text' name='email' value='" . htmlspecialchars($email) . "' class=''></p>
        <p>Parole<input type='password' name='pass' class=''></p>
        <p>Parole 2x<input type='password' name='pass2' class=''></p>
        <p>Biogrāfija<textarea name='biografy'></textarea></p>
        <input type='text' name='hash' value='" . htmlspecialchars($hash) . "' class=''>
        <p><input type='submit' name='register' value='Reģistrēties' class=''></p>
    </form>
    ";
} else {
    echo 'Kods ir aizņemts';
}

array(2) { ["email"]=> string(16) "email@gmail.com" ["hash"]=> string(33) "e00da03b685a0dd18fb6a08af0923de0/" }
It still says the code is taken. Or should those input forms be where the text "kods ir aizņemts" is?
xPtv45z Posted June 17, 2011
And do you have that email with the matching hash in the database?
ziedinjsh (Author) Posted June 17, 2011
Yep:
17 e00da03b685a0dd18fb6a08af0923de0 email@gmail.com 0
Kemito Posted June 17, 2011
To compare a parameter against the database, use parameter + value, where the value is the code and the parameter is a constant, i.e. the idea is manslinks.lv?param=23455gfg5b6456b35; after sending it, put "23455gfg5b6456b35" in the database and check it from GET. Good grief.
indoom Posted June 17, 2011
> ["hash"]=> string(33) "e00da03b685a0dd18fb6a08af0923de0/" }
> Yep, 17 e00da03b685a0dd18fb6a08af0923de0 email@gmail.com 0
Don't you see the difference between the hashes?
Faks Posted June 17, 2011 (edited)
Personally built invite system :: Personal pride in myself and what I've done :: 312 lines of code :) only invite_name_generator was taken half-finished, but rewritten about 70% for my needs :) so it can already be called my own work :), by the way, here there is 1 trial with 10 invites, and after that you get in by invite from another user's key and invitation name :) This is how it all really looks :)

<?php
if ($_SESSION['logged_in']) {
    if ($_SESSION['rights'] <= 3) {
        echo $redirect;
    } elseif ($_SESSION['rights'] == 4) {
        echo $redirect;
    }
} else {
    // Invite Code Generator
    function invite_code_generator() {
        $rand_id_invite = rand(10, 100);
        $multiply_id_invite = $rand_id_invite * 20;
        $uniqid_id_invite_random = uniqid(microtime($multiply_id_invite));
        $uniqid_id_invite_encrypt = sha1($uniqid_id_invite_random);
        return $uniqid_id_invite_encrypt;
    }

    function invite_name_generator() {
        // Invite Name Generator
        $length = 20;
        $validCharacters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789+-*#&@!?";
        $validCharNumber = strlen($validCharacters);
        $result = "";
        for ($i = 0; $i < $length; $i++) {
            // the index must stay inside the alphabet; the original used mt_rand(20, strlen(uniqid(...)))
            $index = mt_rand(0, $validCharNumber - 1);
            $result .= $validCharacters[$index];
        }
        return $result;
    }

    $name = $_POST['nick'];
    $name = mysql_real_escape_string($_POST['nick']);
    $name = htmlentities($_POST['nick']);
    $name = trim($_POST['nick']);
    $name = stripslashes($_POST['nick']);
    $name = addslashes($_POST['nick']);

    $pass = $_POST['password'];
    $pass = mysql_real_escape_string($_POST['password']);
    $pass = htmlentities($_POST['password']);
    $pass = trim($_POST['password']);
    $pass = stripslashes($_POST['password']);
    $pass = addslashes($_POST['password']);
    $pass = sha1($_POST['password']);

    $reason = $_POST['reason'];
    $reason = mysql_real_escape_string($_POST['reason']);
    $reason = htmlentities($_POST['reason']);
    $reason = trim($_POST['reason']);
    $reason = stripslashes($_POST['reason']);
    $reason = addslashes($_POST['reason']);

    $invite_name = $_POST['invite_name'];
    $invite_name = mysql_real_escape_string($_POST['invite_name']);
    $invite_name = htmlentities($_POST['invite_name']);
    $invite_name = trim($_POST['invite_name']);
    $invite_name = stripslashes($_POST['invite_name']);
    $invite_name = addslashes($_POST['invite_name']);

    $invite_code = $_POST['invite_code'];
    $invite_code = mysql_real_escape_string($_POST['invite_code']);
    $invite_code = htmlentities($_POST['invite_code']);
    $invite_code = trim($_POST['invite_code']);
    $invite_code = stripslashes($_POST['invite_code']);
    $invite_code = addslashes($_POST['invite_code']);

    $user_invite_code = $_POST['user_invite_code'];
    $user_invite_code = mysql_real_escape_string($_POST['user_invite_code']);
    $user_invite_code = htmlentities($_POST['user_invite_code']);
    $user_invite_code = trim($_POST['user_invite_code']);
    $user_invite_code = stripslashes($_POST['user_invite_code']);
    $user_invite_code = addslashes($_POST['user_invite_code']);
    $user_invite_code = invite_code_generator();

    $user_invite_name = $_POST['user_invite_name'];
    $user_invite_name = mysql_real_escape_string($_POST['user_invite_name']);
    $user_invite_name = htmlentities($_POST['user_invite_name']);
    $user_invite_name = trim($_POST['user_invite_name']);
    $user_invite_name = stripslashes($_POST['user_invite_name']);
    $user_invite_name = addslashes($_POST['user_invite_name']);
    $user_invite_name = invite_name_generator();

    // Trial invitation: a fixed name/code pair that may be used up to 5 times
    $select_check_invite = ("SELECT invite_name,invite_code,COUNT(invite_code) FROM user WHERE invite_name = 'Anonymous' AND invite_code = '3bca474ce5eca0d89554533159f9fe9ff6a26577' ");
    $query_check_invite = mysql_query($select_check_invite) or die(mysql_error());
    $check_valid_invite = mysql_fetch_array($query_check_invite);

    if ($check_valid_invite['COUNT(invite_code)'] != 5) {
        if (isset($_POST['Submit'])) {
            if (isset($_POST['invite_name']) && isset($_POST['invite_code'])) {
                if ($check_valid_invite['invite_name'] != $_POST['invite_name'] && $check_valid_invite['invite_code'] != $_POST['invite_code']) {
                    echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'> <tr><td> Please Enter Valid Invitation Name & Valid Invitation Code </td></tr> </table><p>";
                } elseif ($check_valid_invite['invite_name'] != $_POST['invite_name']) {
                    echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'> <tr><td> Please Enter Valid Invitation Name </td></tr> </table><p>";
                } elseif ($check_valid_invite['invite_code'] != $_POST['invite_code']) {
                    echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'> <tr><td> Please Enter Valid Invitation Code </td></tr> </table><p>";
                } elseif ($check_valid_invite['invite_name'] == $_POST['invite_name'] && $check_valid_invite['invite_code'] == $_POST['invite_code']) {
                    mysql_query("INSERT INTO user (nick,password,reason,invite_name,invite_code,user_invite_name,user_invite_code) VALUES ('" . $name . "','" . $pass . "','" . $reason . "','" . $invite_name . "','" . $invite_code . "','" . $user_invite_name . "','" . $user_invite_code . "') ");
                    echo $redirect;
                }
            }
        }
        echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'>
        <tr><td>
        <form method='post'>
        <label for='nick'>Name:</label> <br />
        <input name='nick' type='text' value='Please Enter User Name !' size='50' /> <p>
        <label for='password'>Password:</label> <br />
        <input name='password' type='password' size='50' /> <p>
        <label for='invite_name'><a href='#' class='tooltip'>Invitation Name:<span>Bound To Invitation Code</span></a> {$check_valid_invite['invite_name']}</label> <br />
        <input name='invite_name' type='text' value='Please Enter Invitation Name!' size='50' /> <p>
        <label for='invite_code'><a href='#' class='tooltip'>Invitation Code:<span>Bound To Invitation Name</span></a> {$check_valid_invite['invite_code']}</label> <br />
        <input name='invite_code' type='text' value='Please Enter Invitation Code !' size='50' /> <p>
        <label for='reason'>What Is Your Reason Joining Our Cause ?</label> <br />
        <textarea name='reason' cols='50' rows='10'>Please Enter Reason of your Joining !</textarea> <p>
        <input type='submit' name='Submit' value='Submit' />
        <input type='reset' name='Reset' value='Reset' />
        </form>
        </td></tr>
        </table>";
    } else {
        // Trial exhausted: registration by another user's invitation name and code
        $name = $_POST['nick'];
        $name = mysql_real_escape_string($_POST['nick']);
        $name = htmlentities($_POST['nick']);
        $name = trim($_POST['nick']);
        $name = stripslashes($_POST['nick']);
        $name = addslashes($_POST['nick']);

        $pass = $_POST['password'];
        $pass = mysql_real_escape_string($_POST['password']);
        $pass = htmlentities($_POST['password']);
        $pass = trim($_POST['password']);
        $pass = stripslashes($_POST['password']);
        $pass = addslashes($_POST['password']);
        $pass = sha1($_POST['password']);

        $reason = $_POST['reason'];
        $reason = mysql_real_escape_string($_POST['reason']);
        $reason = htmlentities($_POST['reason']);
        $reason = trim($_POST['reason']);
        $reason = stripslashes($_POST['reason']);
        $reason = addslashes($_POST['reason']);

        $invite_name = $_POST['invite_name'];
        $invite_name = mysql_real_escape_string($_POST['invite_name']);
        $invite_name = htmlentities($_POST['invite_name']);
        $invite_name = trim($_POST['invite_name']);
        $invite_name = stripslashes($_POST['invite_name']);
        $invite_name = addslashes($_POST['invite_name']);
        $invite_name = invite_name_generator();

        $invite_code = $_POST['invite_code'];
        $invite_code = mysql_real_escape_string($_POST['invite_code']);
        $invite_code = htmlentities($_POST['invite_code']);
        $invite_code = trim($_POST['invite_code']);
        $invite_code = stripslashes($_POST['invite_code']);
        $invite_code = addslashes($_POST['invite_code']);
        $invite_code = invite_code_generator();

        $user_invite_name = $_POST['user_invite_name'];
        $user_invite_name = mysql_real_escape_string($_POST['user_invite_name']);
        $user_invite_name = htmlentities($_POST['user_invite_name']);
        $user_invite_name = trim($_POST['user_invite_name']);
        $user_invite_name = stripslashes($_POST['user_invite_name']);
        $user_invite_name = addslashes($_POST['user_invite_name']);

        $user_invite_code = $_POST['user_invite_code'];
        $user_invite_code = mysql_real_escape_string($_POST['user_invite_code']);
        $user_invite_code = htmlentities($_POST['user_invite_code']);
        $user_invite_code = trim($_POST['user_invite_code']);
        $user_invite_code = stripslashes($_POST['user_invite_code']);
        $user_invite_code = addslashes($_POST['user_invite_code']);

        $select_user_invite = sprintf('SELECT user_invite_name,user_invite_code,COUNT(user_invite_code) FROM user WHERE user_invite_name = "%s" AND user_invite_code = "%s" ', $user_invite_name, $user_invite_code);
        $query_user_invite = mysql_query($select_user_invite) or die(mysql_error());
        $check_user_invite = mysql_fetch_array($query_user_invite);

        if ($check_user_invite['COUNT(user_invite_code)'] != 5) {
            $select_check_invite = sprintf('SELECT invite_name,invite_code,COUNT(invite_code) FROM user WHERE invite_name = "%s" AND invite_code = "%s" ', $user_invite_name, $user_invite_code);
            $query_check_invite = mysql_query($select_check_invite) or die(mysql_error());
            $check_valid_invite = mysql_fetch_array($query_check_invite);

            if ($check_user_invite['user_invite_code'] == $check_valid_invite['invite_code'] && $check_valid_invite['COUNT(invite_code)'] == 1 && $check_user_invite['COUNT(user_invite_code)'] != 5) {
                if (isset($_POST['Submit'])) {
                    if (isset($_POST['user_invite_name']) && isset($_POST['user_invite_code'])) {
                        if ($check_user_invite['user_invite_name'] != $_POST['user_invite_name'] && $check_user_invite['user_invite_code'] != $_POST['user_invite_code']) {
                            echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'> <tr><td> Please Enter Valid Invitation Name & Valid Invitation Code </td></tr> </table><p>";
                        } elseif ($check_user_invite['user_invite_name'] != $_POST['user_invite_name']) {
                            echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'> <tr><td> Please Enter Valid Invitation Name </td></tr> </table><p>";
                        } elseif ($check_user_invite['user_invite_code'] != $_POST['user_invite_code']) {
                            echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'> <tr><td> Please Enter Valid Invitation Code </td></tr> </table><p>";
                        } elseif ($check_user_invite['user_invite_name'] == $_POST['user_invite_name'] && $check_user_invite['user_invite_code'] == $_POST['user_invite_code']) {
                            mysql_query("INSERT INTO user (nick,password,reason,invite_name,invite_code,user_invite_name,user_invite_code) VALUES ('" . $name . "','" . $pass . "','" . $reason . "','" . $user_invite_name . "','" . $user_invite_code . "','" . $invite_name . "','" . $invite_code . "') ");
                            echo $redirect;
                        }
                    }
                }
                echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'>
                <tr><td>
                <form method='post'>
                <label for='nick'>Name:</label> <br />
                <input name='nick' type='text' value='Please Enter User Name !' size='50' /> <p>
                <label for='password'>Password:</label> <br />
                <input name='password' type='password' size='50' /> <p>
                <label for='user_invite_name'><a href='#' class='tooltip'>Invitation Name:<span>Bound To Invitation Code</span></a></label> <br />
                <input name='user_invite_name' type='text' value='Please Enter Invitation Name!' size='50' /> <p>
                <label for='user_invite_code'><a href='#' class='tooltip'>Invitation Code:<span>Bound To Invitation Name</span></a></label> <br />
                <input name='user_invite_code' type='text' value='Please Enter Invitation Code !' size='50' /> <p>
                <label for='reason'>What Is Your Reason Joining Our Cause ?</label> <br />
                <textarea name='reason' cols='50' rows='10'>Please Enter Reason of your Joining !</textarea> <p>
                <input type='submit' name='Submit' value='Submit' />
                <input type='reset' name='Reset' value='Reset' />
                </form>
                </td></tr>
                </table>";
            } else {
                echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'> <tr><td> Validation Name & Validation Code usage limit reached </td></tr> </table>" . $refresh;
            }
        } else {
            echo "<table width='58%' border='0' align='left' cellpadding='0' cellspacing='0' class='table_style'> <tr><td> Validation Name & Validation Code usage limit reached </td></tr> </table>" . $refresh;
        }
    }
}
?>

Edited June 17, 2011 by Faks
nemakuphp Posted June 17, 2011
Faks, I fell off my chair laughing at your code :D

$name = $_POST['nick'];
$name = mysql_real_escape_string($_POST['nick']);
$name = htmlentities($_POST['nick']);
$name = trim($_POST['nick']);
$name = stripslashes($_POST['nick']);
$name = addslashes($_POST['nick']);

And like this the whole way through. In reality only 1 operation is applied to your $_POST['nick']: addslashes. The others change nothing, because with each next operation you overwrite the previous one.
Faks Posted June 17, 2011
> Faks, I fell off my chair laughing at your code :D And like this the whole way through. In reality only 1 operation is applied to your $_POST['nick']: addslashes. The others change nothing, because with each next operation you overwrite the previous one.
That's the joke, that this is the clean and correct anti-inject variant; if you write it differently there will be an injection hole, so it wouldn't hurt you to learn a bit yourself, ask briedis ....
nemakuphp Posted June 17, 2011
Where did I mention anything about SQL injections? I'm talking about how you process your $_POST variables.
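An added example, not code from the thread, that makes nemakuphp's point concrete: it runs the six-step reassignment chain from Faks's post on a constructed input and compares the result with addslashes() alone, then shows the separation a defender actually wants: trim and validate once on input, bind values when querying, and escape for HTML only at output time. It assumes PHP 7 or later with the pdo_sqlite extension (so the mysql_real_escape_string step, removed in PHP 7, is left out of the chain; it is overwritten by the next line anyway). The field names follow Faks's form; the function names and the length policy are my own.

```php
<?php
// Added example (not from the thread): the reassignment chain collapses to its last line.

// Faks's chain, minus mysql_real_escape_string (gone since PHP 7). Every line starts
// again from the raw value, so only the final assignment survives.
function faks_chain(string $raw): string {
    $name = $raw;
    $name = htmlentities($raw);
    $name = trim($raw);
    $name = stripslashes($raw);
    $name = addslashes($raw);
    return $name;
}

// Input stage: normalise once, validate against a policy, reject instead of "cleaning".
// Policy here is constructed for the example: 3..32 bytes, no control characters.
function read_nick(array $post): ?string {
    $nick = trim((string)($post['nick'] ?? ''));
    $len = strlen($nick);
    if ($len < 3 || $len > 32 || preg_match('/[\x00-\x1f\x7f]/', $nick) === 1) {
        return null;
    }
    return $nick;
}

// Storage stage: bound parameters, so no escaping function is needed and nothing is altered.
function store_user(PDO $db, string $nick, string $reason): int {
    $stmt = $db->prepare('INSERT INTO user (nick, reason) VALUES (:nick, :reason)');
    $stmt->execute([':nick' => $nick, ':reason' => $reason]);
    return (int)$db->lastInsertId();
}

// Output stage: escape for the context being rendered into (an HTML attribute here).
function render_nick_field(string $nick): string {
    return "<input name='nick' type='text' value='"
        . htmlspecialchars($nick, ENT_QUOTES, 'UTF-8') . "' />";
}

function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, nick TEXT NOT NULL, reason TEXT NOT NULL)');

// Constructed input that exercises quotes, whitespace and HTML at the same time.
$post = ['nick' => "  O'Brien <b>  ", 'reason' => "it's \"fun\""];

// 1. The chain is exactly addslashes(): htmlentities, trim and stripslashes never reach the result.
check(faks_chain($post['nick']) === addslashes($post['nick']), 'chain equals addslashes');

// 2. The layered approach: the value is stored verbatim (no backslashes, no entities) ...
$nick = read_nick($post);
check($nick !== null, 'nick accepted');
$id = store_user($db, $nick, $post['reason']);
$stmt = $db->prepare('SELECT nick FROM user WHERE id = :id');
$stmt->execute([':id' => $id]);
check($stmt->fetchColumn() === "O'Brien <b>", 'stored verbatim');

// ... and is escaped only where it is rendered.
echo render_nick_field($nick), PHP_EOL;
echo "all checks passed", PHP_EOL;
```

The point of the three stages is that each transformation has exactly one consumer: the database driver handles quoting, the HTML escaper handles markup, and the application never stores a value that has been mangled for one context and then has to be unmangled for another.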
daGrevis Posted June 17, 2011
Nonsense! Why don't you say "ask grevis"?!
rATRIJS Posted June 17, 2011
IMO this topic should be pinned somewhere. I'd gladly re-read all of this from time to time...
Val Posted June 18, 2011
> Personal pride in myself and what I've done
Yes, one can see that.
ziedinjsh (Author) Posted June 18, 2011
> Don't you see the difference between the hashes?
In $_GET it has a slash at the end, but in the database it doesn't
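An added example, not code from the thread, of the lookup ziedinjsh was debugging, written the way a defender would want it: the key arriving in $_GET is normalised and checked against its exact format first, so a stray character such as the trailing slash above is rejected with a clear reason instead of silently producing zero rows; the email and key are bound as parameters rather than interpolated into the SQL; and, going beyond the thread's own code, new keys are generated from random_bytes() rather than uniqid()/rand(). It assumes PHP 7 or later with the pdo_sqlite extension and uses an in-memory table with a constructed row mirroring the one ziedinjsh pasted (id 17, status 0). The table and column names follow the thread; the function names are my own.

```php
<?php
// Added example (not from the thread): strict invite-key lookup with parameter binding.

// A 32-hex-character key from the CSPRNG, the same shape as the keys in the thread.
function generate_key(): string {
    return bin2hex(random_bytes(16));
}

// Accept only the exact key format. "e00da03b685a0dd18fb6a08af0923de0/" fails here
// (trailing slash), which is the bug the thread took several posts to spot.
function normalize_key(string $raw): ?string {
    $key = strtolower(trim($raw));
    return preg_match('/^[a-f0-9]{32}$/', $key) === 1 ? $key : null;
}

// Returns the matching unused row, or null when the key is malformed or unknown.
function find_unused_key(PDO $db, string $email, string $rawKey): ?array {
    $key = normalize_key($rawKey);
    if ($key === null) {
        return null; // malformed key: no query is issued at all
    }
    $stmt = $db->prepare(
        'SELECT id, email, hash FROM akeys WHERE email = :email AND hash = :hash AND status = 0'
    );
    $stmt->execute([':email' => $email, ':hash' => $key]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture: the row from the thread, in an in-memory SQLite table.
function build_fixture(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE akeys (id INTEGER PRIMARY KEY, hash TEXT NOT NULL, email TEXT NOT NULL, status INTEGER NOT NULL)');
    $ins = $db->prepare('INSERT INTO akeys (id, hash, email, status) VALUES (?, ?, ?, ?)');
    $ins->execute([17, 'e00da03b685a0dd18fb6a08af0923de0', 'email@gmail.com', 0]);
    return $db;
}

function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$db = build_fixture();

// Case 1: the key exactly as the thread shows it arriving in $_GET, with the trailing slash.
// normalize_key() rejects it before any SQL runs.
check(normalize_key('e00da03b685a0dd18fb6a08af0923de0/') === null, 'trailing slash rejected');
check(find_unused_key($db, 'email@gmail.com', 'e00da03b685a0dd18fb6a08af0923de0/') === null, 'no lookup for bad key');

// Case 2: the same key without the slash matches row 17.
$row = find_unused_key($db, 'email@gmail.com', 'e00da03b685a0dd18fb6a08af0923de0');
check($row !== null && (int)$row['id'] === 17, 'clean key found');

// Case 3: quote characters in the email are just data to a bound parameter, not SQL.
check(find_unused_key($db, "x' OR '1'='1", 'e00da03b685a0dd18fb6a08af0923de0') === null, 'bound email is literal');

// A freshly generated key passes the same format check it will later be looked up with.
$fresh = generate_key();
check(normalize_key($fresh) === $fresh, 'generated key has the expected format');

echo "all checks passed", PHP_EOL;
```

Validating the key's shape before the query also gives a useful logging point: a request that fails normalize_key() is either a broken link (as here) or someone probing the endpoint, and both are worth seeing separately from ordinary "unknown key" misses.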