Cibiņš, posted June 11, 2012:

How exactly do you properly protect against breakage when, for example, $content is passed text like he's or <img src='pathtoimage', i.e. text containing the ' or " character?? Because it also makes no difference whether the variables in the query are put in brackets or in 'quotes', the insert still gets cut off!

```php
// Query as posted; the PHP values are concatenated straight into the SQL string
mysql_query("INSERT INTO table (name, content, add_by, add_date, modified_by, modify_date, control, status)
             VALUES ('$stripslashed_ttl', '" . $content . "', '" . $_SESSION["name"] . "', '$timetype', '"
                     . $_SESSION["name"] . "', '$timetype', '$hash', '2');") or die(mysql_error());
```
404, posted June 11, 2012:

Reading your problems regularly, I have long had one question, but after this one the urge to ask became unbearable.. Are you sure that programming is your calling?
briedis, posted June 11, 2012 (edited June 11, 2012 by briedis):

Jeez, 400 posts, but has not heard of a thing called escaping... I will just have to agree with 404...
Cibiņš (author), posted June 11, 2012:

Why not play the fool at first, so that next time I understand how to solve the error?
rpr, posted June 11, 2012:

Read something about SQL injections.
briedis, posted June 11, 2012:

Have you really not heard of mysql_real_escape_string()?
Cibiņš (author), posted June 11, 2012:

LOL, jeez, nice forum - register so the "cool guys" can crap all over you! :D
Cibiņš (author), posted June 11, 2012 (edited June 11, 2012 by Cibiņš):

Before crapping on me, maybe ask for the beginning of the code as well?

```php
// Preprocessing as posted. The HTML entity names in the str_replace() calls were decoded
// by the forum software during extraction and are restored here (&#039; for the apostrophe
// is an assumption; the others follow from the replacement characters).
$escaped_ttl  = mysql_real_escape_string($ttl);
$escaped_news = mysql_real_escape_string($news);
$stripslashed_ttl  = stripslashes($escaped_ttl);     // removes the escaping just added
$stripslashed_news = stripcslashes($escaped_news);   // note: stripcslashes(), not stripslashes()
$stripslashed_news = str_replace("&#039;", "'", $stripslashed_news);
$stripslashed_news = str_replace("&gt;", ">", $stripslashed_news);
$stripslashed_news = str_replace("&quot;", "\"", $stripslashed_news);
$stripslashed_news = str_replace("\"", "&quot;", $stripslashed_news);
$stripslashed_news = str_replace("\"", "&quot;", $stripslashed_news);
$stripslashed_news = str_replace("&lt;", "<", $stripslashed_news);
$stripslashed_news = str_replace("\;", ";", $stripslashed_news);
$stripslashed_news = str_replace('&quot;', '"', $stripslashed_news);
```
briedis, posted June 11, 2012 (edited June 11, 2012 by briedis):

But do you actually understand what that piece of code does? You need to think along, not copy-paste some crap from the internet and then hope that something works. When you write code you need to UNDERSTAND what EVERY line of code does, and why it has to be written that way... If you do not understand, then read the manual.
404, posted June 11, 2012 (edited June 11, 2012 by 404):

Criticism can be justified or not so justified, but here it usually does not come without a reason. This code fragment prompts a few more questions, but let it be. Read what mysql_real_escape_string does and what the purpose of stripslashes is. If you dig into the problem, you will find the answer :)
Kemito, posted June 11, 2012:

> Before crapping on me, maybe ask for the beginning of the code as well?
>
> ```php
> $escaped_ttl  = mysql_real_escape_string($ttl);
> $escaped_news = mysql_real_escape_string($news);
> $stripslashed_ttl  = stripslashes($escaped_ttl);
> $stripslashed_news = stripcslashes($escaped_news);
> $stripslashed_news = str_replace("&#039;", "'", $stripslashed_news);
> $stripslashed_news = str_replace("&gt;", ">", $stripslashed_news);
> $stripslashed_news = str_replace("&quot;", "\"", $stripslashed_news);
> $stripslashed_news = str_replace("\"", "&quot;", $stripslashed_news);
> $stripslashed_news = str_replace("\"", "&quot;", $stripslashed_news);
> $stripslashed_news = str_replace("&lt;", "<", $stripslashed_news);
> $stripslashed_news = str_replace("\;", ";", $stripslashed_news);
> $stripslashed_news = str_replace('&quot;', '"', $stripslashed_news);
> ```

April fools!?
rATRIJS, posted June 11, 2012:

what is this I don't even... But yes - use mysql_real_escape_string() or, even better, MySQLi or PDO. Best of all would be to start trying to understand what you write. Even that piece of code you pasted - even someone who knows nothing about programming would understand that pointless things are being done there...
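The PDO route suggested above, as an added example that is not part of the thread: the same INSERT as in the question, rewritten with a prepared statement so that an apostrophe or a quote in $content can no longer terminate the SQL string, and with htmlspecialchars() applied only when the stored text is rendered. It assumes an in-memory SQLite database (only the DSN would differ for MySQL), a table named news, and constructed sample values.

```php
<?php
// Added example, not code from the thread. Same columns as the question's INSERT;
// the table name "news", the DSN and all sample values are assumptions.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (
    id INTEGER PRIMARY KEY, name TEXT, content TEXT, add_by TEXT, add_date TEXT,
    modified_by TEXT, modify_date TEXT, control TEXT, status INTEGER)');

function insertNews(PDO $pdo, string $name, string $content, string $user,
                    string $when, string $hash): int
{
    // Placeholders instead of string concatenation: the values travel separately
    // from the SQL text, so neither mysql_real_escape_string() nor stripslashes()
    // is needed and quotes in the data cannot change the statement.
    // (Each named placeholder appears once; SQLite's PDO driver does not allow reuse.)
    $stmt = $pdo->prepare(
        'INSERT INTO news (name, content, add_by, add_date, modified_by, modify_date, control, status)
         VALUES (:name, :content, :add_by, :add_date, :modified_by, :modify_date, :hash, 2)'
    );
    $stmt->execute([
        ':name' => $name, ':content' => $content,
        ':add_by' => $user, ':add_date' => $when,
        ':modified_by' => $user, ':modify_date' => $when,
        ':hash' => $hash,
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed input of the kind the question asks about: an apostrophe and an <img> tag.
$content = "he's <img src='pathtoimage'>";
$id = insertNews($pdo, 'Title', $content, 'cibins', '2012-06-11 12:00:00', 'hash-placeholder');

// The row holds the text exactly as submitted; nothing was escaped twice or stripped.
$sel = $pdo->prepare('SELECT content FROM news WHERE id = ?');
$sel->execute([$id]);
$row = $sel->fetch(PDO::FETCH_ASSOC);
if ($row['content'] !== $content) {
    throw new RuntimeException('stored content differs from input');
}

// Escaping belongs at the output boundary, not in the stored data: when rendering
// into HTML, convert the special characters so the <img> is displayed as text.
echo htmlspecialchars($row['content'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
```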
Cibiņš (author), posted June 11, 2012:

Thanks, no need, I moved that sanitize business to right after $_POST and it worked.. thanks for the crapping ;)