hackerman, posted May 17, 2007: Maybe someone can explain with an example how search works? :) I searched on Google and found some, but they were too long ;D Also, in one place I output data by id (index.php?id=456). I have done SQL injections, so I know there is a hole there. Right here on the forum, someone recently asked about security. There they recommended the function mysql_real_escape_string. I looked into that function at php.net and ended up with something like this: $id = mysql_real_escape_string($_POST['id']); I also tested it with htmlspecialchars();, but you can still do an injection o.0
cucumber, posted May 17, 2007 (edited May 17, 2007 by cucumber): You also need to check the type of the GET parameter. is_int or preg_match, and only then pass the id into the SQL query.
andrisp, posted May 17, 2007: If you use mysql_real_escape_string, it should not be possible to do an injection. Anyway, for numeric values I suggest you do this: $id = (int) $_POST['id']; I would build the search something like this: SELECT * FROM `bla` WHERE x LIKE '%keyword%' OR y LIKE '%keyword%' .....
hackerman (thread author), posted May 17, 2007:
include('configg.php');
$string = $_POST['text'];
$kverijs = mysql_query("SELECT * FROM users WHERE username LIKE '%$string%'") or die(mysql_error());
And what next? :D btw, what does (int) do?
andrisp, posted May 17, 2007: 1) http://lv2.php.net/language.types.type-juggling 2) What next? Print out the results.
hackerman (thread author), posted May 17, 2007: Well, I don't really know how to do that either...
while($row = mysql_fetch_array( $kverijs )){
}
What do I put inside? :)
andrisp, posted May 17, 2007: 1) http://lv2.php.net/mysql_fetch_assoc examples 2) http://lv2.php.net/mysql_fetch_array examples
hackerman (thread author), posted May 17, 2007:
include('configg.php');
$string = $_POST['text'];
$kverijs = mysql_query("SELECT * FROM users WHERE username LIKE '%$string%'") or die(mysql_error());
while($row = mysql_fetch_array( $kverijs )){
    $homepage = $row['website'];
    $id = $row['id'];
    echo "$id<br>";
    //echo "$homepage<br>";
}
It selects everyone, not the ones I am searching for =/
andrisp, posted May 17, 2007: Make sure the query is correct. And whether $string even contains what you think it contains.
hackerman (thread author), posted May 17, 2007: Everything is ok :) Thanks.
v3rb0, posted May 17, 2007: And if $_POST['text'] contains ' ?
hackerman (thread author), posted May 17, 2007: Well, yeah... That's how it is :) I only needed the basics, I can "polish" that script later :) btw, how can I output a message if nothing was found?
andrisp, posted May 17, 2007: php.net/mysql_num_rows
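An added example, not posted by anyone in the thread, showing hackerman's search and id-lookup script with the three points raised above closed: v3rb0's quote character in $_POST['text'], andrisp's (int) cast for the id, and the "nothing found" message. It assumes the `users` table with `id`, `username` and `website` columns and the configg.php connection settings from the thread, and uses mysqli prepared statements because the mysql_* functions were removed in PHP 7; the helper names are my own.

```php
<?php
// Added example: hardened version of the thread's search script (not the poster's code).
include('configg.php');   // assumed to define $db_host, $db_user, $db_pass, $db_name

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli($db_host, $db_user, $db_pass, $db_name);
$db->set_charset('utf8mb4');

// Search by username. The input never becomes part of the SQL text: it is bound as a
// parameter, so a ' in $_POST['text'] is just data and cannot change the query.
function searchUsers(mysqli $db, string $text): array {
    // LIKE has its own wildcards; escape them so a user typing "%" does not match everyone
    // (MySQL's default LIKE escape character is the backslash).
    $pattern = '%' . addcslashes($text, '%_\\') . '%';
    $stmt = $db->prepare('SELECT id, username, website FROM users WHERE username LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Lookup by id (index.php?id=456): andrisp's integer cast, done with filter_var so that
// "456abc" is rejected instead of silently truncated, then bound as an integer parameter.
function userById(mysqli $db, $rawId): ?array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;   // not a positive integer: refuse rather than query
    }
    $stmt = $db->prepare('SELECT id, username, website FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

$rows = searchUsers($db, $_POST['text'] ?? '');
if (count($rows) === 0) {   // the check hackerman asked for; replaces mysql_num_rows
    echo "Nothing found.<br>\n";
}
foreach ($rows as $row) {
    // Escape on output, not on input: htmlspecialchars belongs here, not before the query.
    echo (int) $row['id'] . ' ' . htmlspecialchars($row['username']) . "<br>\n";
}

$user = userById($db, $_GET['id'] ?? '');
if ($user !== null) {
    echo htmlspecialchars($user['website']) . "<br>\n";
}
```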