rob Posted December 27, 2006 Report Posted December 27, 2006 Labadiena vēlreiz vai kāds lūdzu nevaretu padalīties pieredzē kā cinaties ar šo te problēmu, kas ir droši kas nav tip kā datus kas nāk piem no POST masīva jau iepriekš apstrādāt tā lai tie būtu droši etc paldies jau iepriekš
Kristabs Posted December 27, 2006 Report Posted December 27, 2006 stripo html tagus prieksh xss un quotes prieksh injekcijaam
andrisp Posted December 27, 2006 Report Posted December 27, 2006 (edited) Pamatā: - mysql_real_escape_string - Ja zini, ka dati nesaturēs ' un ", tad tos vispār vari griezt ārā. Edited December 27, 2006 by andrisp
Grey_Wolf Posted December 28, 2006 Report Posted December 28, 2006 vel : " parversh visus < > utt 'nekaitiigos sibolos/ simbolu virknees ' " htmlspecialchars() ja nu peksnji vajag atpakalj tad htmlspecialchars_decode () P.S. strip_tags() dazreiz var nedereet ja nu cilveeks, teiksim, grib uzrakstiit HTML koda piemeeru.. tad vinja tekstc tiks izkropljots... izmantojot htmlspecialchars() nekas taads nenotiks, bet kods izvadiits lapaa buus vienkarshi kaa teksts ...
v3rb0 Posted December 28, 2006 Report Posted December 28, 2006 (edited) pavisam labi ir vietās, kur zini no kādiem simboliem dati drīxt sastāvēt, tad ņem tikai atļautos simbolus.. pārējos ignorē. ja nu tomēr db kaut kur palicis lielais bugs, kas izlec aizsūtot kaut kādu "dīvainu" simbolu virkni. Edited December 28, 2006 by v3rb0
cucumber Posted December 28, 2006 Report Posted December 28, 2006 Manuprat visvieglak saprast, ka aizsargaties no sql inc, ir pasham uztaisit vainu sev skriptu un sakt testet. Testeju ka tas ir @$get=$_GET['id']; $get=mysql_escape_string($get); echo $q="SELECT id,code,name FROM `sometable` WHERE id=$get"; //query-"SELECT id,code,name FROM `sometable` WHERE id=\"$get\"" //url- ?id=7777777"%20union/**/select+host,user,password/**/from/**/mysql.user/* //query gen-SELECT id,code,name FROM `sometable` WHERE id="?id=7777777" union/**/select host,user,password/**/from/**/mysql.user/*" //query- "SELECT id,code,name FROM `sometable` WHERE id=$get" //url- ?id=7777777%20union/**/select+host,user,password/**/from/**/mysql.user/* //query gen- SELECT id,code,name FROM `sometable` WHERE id=7777777 union select host,user,password from mysql.user-- echo "<br>"; $result = mysql_query($q); if( !$result) echo mysql_error($link); while (@$a_row = mysql_fetch_array($result,MYSQL_NUM)) { echo "$a_row[0]|| $a_row[1] || $a_row[2] <br>"; }
des Posted January 5, 2007 Report Posted January 5, 2007 Vēl varu piebilst, ka gadījumos, kur sagaidāmi veseli skaitļi (tipa visādi id), arī nokāstojam tos: $id = (int)$id;
Recommended Posts