1
我有2个PHP页面:editpost.php只是生成一个表单来编辑用户评论。 addcomment.php,在这种情况下应该更新该帖子的mysql。它只是测试以查看是否设置了$ _GET ['edit']和适当的变量。由于某种原因,它永远不会是真的。我在safari中查看editpost.php的“查看源代码”,看起来很好。
editpost.php:
<?php
require_once('checklogin.php');
//require_once('text_encode.php');
//die("Made it past require once");
if(isset($_SESSION['user'])&&isset($_GET['id']))
{
//die("made it past if statement");
$con = mysql_connect('localhost','REDACTED','REDACTED');
mysql_select_db('dancks_db',$con);
$q = mysql_query(sprintf("SELECT userID FROM UserTable WHERE nick='%s'",$_SESSION['user']),$con) or die(mysql_error());
if(mysql_num_rows($q)!=1)
{
//die("1");
redir();
}
else
{
$match = array(); $match2=array();
preg_match("/[0-9]{1,5}/",$_GET['id'],$match);
//preg_match("/[0-1]{1,1}/",$GET['type'],$match2);
if(implode($match)!=$_GET['id'])
{
die("2");
redir();
}
//if($_GET['id']==0)
else
{
$q2 = mysql_query(sprintf("SELECT * FROM Comments WHERE CommentID='%s'",$_GET['id']),$con) or die(mysql_query());
if(mysql_num_rows($q2)==1)
{
$vars = mysql_fetch_assoc($q2);
echo "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">
<html xmlns=\"http://www.w3.org/1999/xhtml\">
<head>
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />
<title>Edit Post</title>
</head>
<body>";
echo "<form method=\"post\" action=\"addcomment.php?type=1,edit=1\">
<p>Rating:";
//die("rating: ".$q2['rating']);
for($i=1;$i<6;$i++)
{
echo "<label>".$i."</label><input type=\"radio\" name=\"rating\" value=\"".$i."\" ";if($vars['rating']==$i){echo "checked=\"checked\"";}echo " id=\"star".$i."\" />\n";
}
echo"</p>
<p>Title:<input type=\"text\" name=\"title\" value=\"".$vars['title']."\" /></p>
<p>Comment:<textarea rows=\"5\" cols=\"80\" name=\"review\" >".$vars['review']."</textarea></p>
<input type=\"hidden\" name=\"commentid\" value=\"".$_GET['id']."\" />
<input type=\"hidden\" name=\"subject\" value=\"".$vars['subject']."\" />
<input type=\"submit\" value=\"submit review\" />
</form>
</body>
</html>";
}
else
{
die("No comment found: get: ".$_GET['id']);
}
}
mysql_free_result($q);
}
}
else
{
die("3");
redir();
}
?>
addcomment.php:
<?php require_once('checklogin.php');
//die("type=".$_GET['type']." rating=".$_POST['rating']);
require_once('text_encode.php');
require_once('validate.php');
if(safe_isset($_GET['type'])&&safe_isset($_SESSION['user']))
{
if((safe_isset($_POST['rating']))&&(safe_isset($_POST['title']))&&(safe_isset($_POST['review']))&&($_GET['type']==1))
{
$match = array(); $match2 = array();
preg_match("/[0-5]{1,1}/",$_POST['rating'],$match);
preg_match("/[0-1]{1,1}/",$_GET['type'],$match2);
if((implode($match)!=$_POST['rating'])&&(implode($match2)!=$_GET['type']))
{
die("type=".$_GET['type']." implode=".implode($match)." rating=".$_POST['rating']." implode=".implode($match2));
//die("Invalid input for rating or type");
redir();
}
else if($_POST['rating']=="" || $_GET['type']=="")
{
die("Rating or type reads empty string");
redir();
}
else if(safe_isset($_GET['edit']))
{
$con = mysql_connect('localhost','REDACTED','REDACTED');
mysql_select_db('dancks_db',$con);
$query=sprintf("UPDATE Comments SET rating='%s', title='%s', review='%s' WHERE CommentID='%s'",
mysql_real_escape_string($_POST['rating']),
mysql_real_escape_string($_POST['title']),
mysql_real_escape_string($_POST['review']),
mysql_real_escape_string($_POST['commentid']));
$r = mysql_query($query,$con) or die(mysql_error());
mysql_close($con);
die("Successful edit");
header(sprintf("Location:http://example.com/redacted/redacted/seller.php?ID=%s",$_POST['subject']));
}
else
{
if(contains($_SERVER['HTTP_REFERER'],"editpost.php"))
{
die("Wrong spot");
}
$con = mysql_connect('localhost','REDACTED','REDACTED');
mysql_select_db('dancks_db',$con);
$query=sprintf("INSERT INTO Comments(nick,type,subject,rating,title,review) VALUES ('%s','%s','%s','%s','%s','%s')",
mysql_real_escape_string($_SESSION['user']),
mysql_real_escape_string($_GET['type']),
mysql_real_escape_string($_POST['subject']),
mysql_real_escape_string($_POST['rating']),
mysql_real_escape_string($_POST['title']),
mysql_real_escape_string($_POST['review']));
$r = mysql_query($query,$con) or die(mysql_error());
mysql_close($con);
//die("successful insert");
header(sprintf("Location:http://example.com/redacted/redacted/seller.php?ID=%s",$_POST['subject']));
}
}
else
{
die("rating, title or review isnt set");
redir();
}
}
else
{
die("type isnt set or user isnt logged in");
redir();
}
?>
相关的额外代码:
function contains($text,$match)
{
return (preg_match("/".$match."/",$text)==1);
}
function safe_isset($text)
{
$good = false;
if(isset($text))
{
if(strlen($text)>0)
{
$good = true;
}
}
return $good;
}
这可能是一件很容易的,我只是忽视。我很抱歉如果是这样的话。我现在正在怀疑,所以我很容易错过任何事情。或者,如果我应该简单地重写或重组这个想法,这是值得欢迎的。
我编辑了您的网址和数据库连接的详细信息。请小心揭露这些东西 - 看起来您已经采取措施,至少可以防止SQL注入,但您不需要获取您的数据库证书的机器人。 –
您会惊讶于人们发布SQL注入漏洞的时间与他们的生产URL一致。 –
@Michael Berkowski OMG谢谢。我通常和那些东西有关。大声笑 –