rob Posted December 27, 2006
Good day again. Could someone please share their experience of how you deal with this problem: what is safe and what is not, e.g. pre-processing data that comes from the POST array so that it is safe, etc. Thanks in advance.
Kristabs Posted December 27, 2006
Strip HTML tags against XSS and quotes against injections.
andrisp Posted December 27, 2006 (edited)
Basically:
- mysql_real_escape_string
- If you know the data will not contain ' and ", you can cut those out entirely.
Edited December 27, 2006 by andrisp
rob Posted December 28, 2006 (author)
Thanks.
Grey_Wolf Posted December 28, 2006
Also: convert all < > etc. into "harmless symbols / symbol sequences" with htmlspecialchars(); if you suddenly need them back, then htmlspecialchars_decode().
P.S. strip_tags() may sometimes be unsuitable: if a person, say, wants to write an HTML code example, their text will be mangled. With htmlspecialchars() nothing like that happens, but the code output on the page will simply appear as text.
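As an added example (not code from Grey_Wolf or anyone else in the thread), the PHP below runs strip_tags() and htmlspecialchars() over one constructed input so the difference described above is visible: the first deletes the markup the user wanted to show, the second keeps it as visible text and stays reversible with htmlspecialchars_decode().

```php
<?php
// Added example, not code from the thread. Compares strip_tags() and
// htmlspecialchars() on one constructed input.

/**
 * Returns the tag-stripped form, the entity-encoded form, and whether
 * decoding the encoded form gives the original string back.
 */
function compare_output_filters(string $input): array
{
    // strip_tags() deletes the markup outright: a user who posted an HTML
    // example loses it, and "<script>alert(1)</script>" becomes plain "alert(1)".
    $stripped = strip_tags($input);

    // htmlspecialchars() keeps every character and encodes & < > " ' so the
    // browser renders them as text instead of parsing them as markup.
    $encoded = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // If the raw value is needed again server-side, the encoding is reversible.
    $decoded = htmlspecialchars_decode($encoded, ENT_QUOTES | ENT_HTML5);

    return [
        'stripped'      => $stripped,
        'encoded'       => $encoded,
        'round_trip_ok' => $decoded === $input,
    ];
}

// Constructed input: a user who wants to show an HTML example, plus a script
// tag that must never reach the browser as markup.
$input = 'Bold is written as <b>text</b>. <script>alert(1)</script>';
$out   = compare_output_filters($input);

echo "strip_tags():       {$out['stripped']}\n";
echo "htmlspecialchars(): {$out['encoded']}\n";
echo "round-trip intact:  " . var_export($out['round_trip_ok'], true) . "\n";
```

The flags and charset are passed explicitly because htmlspecialchars() only encodes single quotes when ENT_QUOTES is set, and the same flags must be given to htmlspecialchars_decode() for the round trip to hold.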
v3rb0 Posted December 28, 2006 (edited)
It works quite well in places where you know which characters the data may consist of: take only the allowed characters and ignore the rest. That covers the case where some big bug is still lurking in the db that pops up when some "strange" character sequence is sent.
Edited December 28, 2006 by v3rb0
cucumber Posted December 28, 2006
In my opinion the easiest way to understand how to protect yourself from SQL injection is to write a vulnerable script yourself and start testing. I tested it like this:

// $link is assumed to be an open mysql_connect() connection
@$get = $_GET['id'];
$get = mysql_escape_string($get);
echo $q = "SELECT id,code,name FROM `sometable` WHERE id=$get";
// query:  "SELECT id,code,name FROM `sometable` WHERE id=\"$get\""
// url:    ?id=7777777"%20union/**/select+host,user,password/**/from/**/mysql.user/*
// query generated: SELECT id,code,name FROM `sometable` WHERE id="?id=7777777" union/**/select host,user,password/**/from/**/mysql.user/*"
// query:  "SELECT id,code,name FROM `sometable` WHERE id=$get"
// url:    ?id=7777777%20union/**/select+host,user,password/**/from/**/mysql.user/*
// query generated: SELECT id,code,name FROM `sometable` WHERE id=7777777 union select host,user,password from mysql.user--
echo "<br>";
$result = mysql_query($q);
if (!$result) echo mysql_error($link);
while (@$a_row = mysql_fetch_array($result, MYSQL_NUM)) {
    echo "$a_row[0] || $a_row[1] || $a_row[2] <br>";
}
des Posted January 5, 2007
I can also add that in cases where integers are expected (things like all kinds of ids), we cast them as well: $id = (int)$id;
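The three posts above (v3rb0's allow-list, cucumber's test of escaping in an unquoted numeric context, and des's integer cast) fit together as one added example, which is not code from the thread. It assembles the same kind of query cucumber tested and shows which defence applies to which context; $link is assumed to be an open mysqli connection and nothing is executed, the queries are only built and printed. mysqli is used because the mysql_ functions the thread discusses were removed in PHP 7.

```php
<?php
// Added example, not code from the thread. Shows the defence that matches each
// query context. $link (assumed mysqli connection) is only needed for the
// string-column case.

// Constructed attacker-style input, mirroring cucumber's test URL: it contains
// no quote characters, so quote escaping alone cannot stop it.
$numericInput = '7777777 union select host,user,password from mysql.user';

// 1. Numeric column, unquoted value: escaping quotes changes nothing here.
//    Casting to int (des's advice) keeps only the leading number.
function build_by_id_unsafe(string $id): string
{
    return "SELECT id,code,name FROM `sometable` WHERE id=$id";
}

function build_by_id_safe(string $id): string
{
    $id = (int)$id;   // '7777777 union ...' becomes 7777777
    return "SELECT id,code,name FROM `sometable` WHERE id=$id";
}

// 2. String column, quoted value: escape for the connection's charset with
//    mysqli_real_escape_string() and make sure the quotes are really there.
function build_by_name_safe(mysqli $link, string $name): string
{
    $name = mysqli_real_escape_string($link, $name);
    return "SELECT id,code,name FROM `sometable` WHERE name='$name'";
}

// 3. Allow-list (v3rb0's approach): when the format is known, reject anything
//    else before the value gets anywhere near a query.
function validate_code(string $code): ?string
{
    // Constructed format: 3 to 12 characters, letters, digits and underscore only.
    return preg_match('/^[A-Za-z0-9_]{3,12}$/', $code) === 1 ? $code : null;
}

echo build_by_id_unsafe($numericInput), "\n";   // the union clause survives
echo build_by_id_safe($numericInput), "\n";     // only the integer remains
var_dump(validate_code('ABC_12'));              // accepted
var_dump(validate_code($numericInput));         // rejected (NULL)
```

The allow-list check belongs first in the request path: a value that fails validate_code() is rejected before any escaping or casting is considered, and the cast and escape functions are the fallback for the contexts where the input format cannot be fixed in advance.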