<?php
// +--------------------------------------------------------------------------------
// | Guestbook - Write
// +--------------------------------------------------------------------------------
// | JunkieXP Design - 21-11-2006
// +--------------------------------------------------------------------------------
// | 06-11-21: Build this Page
// | 06-11-22: Official Release
// | 06-11-22: Added Error Checks (incl. Fixes)
// | 06-11-23: Add Functionality for Special Characters
// | 06-11-23: Add IP Recognizer for Teammates
// +--------------------------------------------------------------------------------
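//Set SubMenu
$sub_menu = "gbook";
//Set Title
$title = "Gastenboek - Schrijven";
//Include Template Top
require('../top.php');
//Connect to Database
require("../conn.php");

//Validation state. Initialised on every request so that code further down
//the page never reads an undefined variable when there was no POST.
$error = 0;
$name_err = "";
$mail_err = "";
$message_err = "";

//Write Guestbook Entry
if(isset($_POST['submit'])){
    //Read every field defensively: a field may be missing from the request or
    //arrive as an array (name[]=x); both cases are treated as an empty string.
    $in_name    = (isset($_POST['name'])    && is_string($_POST['name']))    ? $_POST['name']    : "";
    $in_mail    = (isset($_POST['mail'])    && is_string($_POST['mail']))    ? $_POST['mail']    : "";
    $in_site    = (isset($_POST['site'])    && is_string($_POST['site']))    ? $_POST['site']    : "";
    $in_message = (isset($_POST['message']) && is_string($_POST['message'])) ? $_POST['message'] : "";

    //NOTE(review): only minimum lengths are enforced here. The maxlength
    //attributes on the form are applied by the browser, not by the server, and
    //the message has no upper bound at all. There is also no CSRF token or
    //rate limit on this handler, so it accepts automated posts as-is.
    if(strlen($in_name) < 3){
        $error = 1;
        $name_err = "*";
    }
    //Plausibility check only: at least 6 bytes and contains both "@" and ".".
    //strpos() replaces the removed eregi() and matches the same inputs.
    if(strlen($in_mail) < 6 || strpos($in_mail, "@") === false || strpos($in_mail, ".") === false){
        $error = 1;
        $mail_err = "*";
    }
    if(strlen($in_message) < 10){
        $error = 1;
        $message_err = "*";
    }

    if($error == 0){
        //Values are stored already HTML-encoded. Any page that prints them must
        //not decode them again: html_entity_decode() on a stored field would
        //turn visitor input back into live markup. ENT_QUOTES also encodes
        //single quotes so the value is safe inside either kind of attribute.
        $q_name    = mysql_real_escape_string(htmlentities($in_name, ENT_QUOTES));
        $q_mail    = mysql_real_escape_string(htmlentities($in_mail, ENT_QUOTES));
        $q_site    = mysql_real_escape_string(htmlentities($in_site, ENT_QUOTES));
        $q_message = mysql_real_escape_string(htmlentities($in_message, ENT_QUOTES));
        //REMOTE_ADDR is set by the web server, but it is escaped as well so
        //that no interpolated value reaches the query unescaped.
        $q_ip      = mysql_real_escape_string(isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : "");
        //Canonical DATETIME literal (the original used "-" between h, m and s).
        $q_date    = date('Y-m-d H:i:s');

        //NOTE(review): the mysql_* API was removed in PHP 7. When conn.php is
        //moved to mysqli or PDO, bind these values as statement parameters
        //instead of concatenating them into the SQL text.
        $gbook_sql = mysql_query("INSERT INTO gbook
VALUES ('', '".$q_name."', '".$q_date."', '".$q_mail."', '".$q_site."', '".$q_message."', '".$q_ip."')");
        if($gbook_sql){
            echo("Uw bericht is toegevoegd aan het gastenboek, Dankuwel");
        }else{
            echo("Op dit moment kunnen er helaas geen berichten worden toegevoegd, probeer het later nog eens of neem Contact op met de Webmaster.");
        }
    }
}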
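//Show the form on first visit, or again after a failed validation.
if(!isset($_POST['submit']) || (isset($error) && $error == 1)){
    //Validation state may be unset when the page is opened without a POST.
    $form_failed  = (isset($error) && $error == 1);
    $name_mark    = isset($name_err) ? $name_err : "";
    $mail_mark    = isset($mail_err) ? $mail_err : "";
    $message_mark = isset($message_err) ? $message_err : "";

    //IP Check for TeamMates
    //This only pre-fills the name field as a convenience. REMOTE_ADDR is not
    //an identity: anyone behind the same address gets the same pre-fill.
    if(isset($_POST['name']) && is_string($_POST['name'])){
        $name = $_POST['name'];
    }else if(isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] === "123.123.123.123"){
        $name = "Martijn (Verdediger nr. 2)";
    }else{
        //The original left $name undefined here and never closed this chain,
        //which nested the whole form inside the teammate branch.
        $name = "";
    }

    //Everything echoed back into the form is request data. It is escaped for
    //HTML (ENT_QUOTES, because it lands inside attribute values) so that a
    //crafted field or URL cannot break out of the markup.
    $f_action  = htmlspecialchars(isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : "", ENT_QUOTES);
    $f_name    = htmlspecialchars($name, ENT_QUOTES);
    $f_mail    = htmlspecialchars((isset($_POST['mail']) && is_string($_POST['mail'])) ? $_POST['mail'] : "", ENT_QUOTES);
    $f_site    = htmlspecialchars((isset($_POST['site']) && is_string($_POST['site'])) ? $_POST['site'] : "", ENT_QUOTES);
    $f_message = htmlspecialchars((isset($_POST['message']) && is_string($_POST['message'])) ? $_POST['message'] : "", ENT_QUOTES);
?>
<table cellpadding="0" cellspacing="0">
<tr>
<td class="form_title_fill"><div class="form_content">Bericht Plaatsen</div></td>
<td class="form_title_curve"></td>
</tr>
</table>
<table cellpadding="0" cellspacing="0" style="width:725px">
<tr>
<td class="form_l_top"></td>
<td class="form_top_fill"></td>
<td class="form_r_top"></td>
</tr>
<tr>
<td class="form_l_fill"></td>
<td style="background:#660000;">
<form method="POST" name="add" action="<?php echo($f_action); ?>">
<div style="margin:5px;">
<div style="height:11px;"><div style="width:60px; float:left;">[Naam]<?php echo($name_mark); ?></div> <input type="text" name="name" value="<?php echo($f_name); ?>" size="100" maxlength="45"></div><br>
<div style="height:11px;"><div style="width:60px; float:left;">[E-Mail]<?php echo($mail_mark); ?></div> <input type="text" name="mail" value="<?php echo($f_mail); ?>" size="100" maxlength="50"></div><br>
<div style="height:11px;"><div style="width:60px; float:left;">Site</div>http://<input type="text" name="site" value="<?php echo($f_site); ?>" size="94" maxlength="50"></div><p>
[Bericht]<?php echo($message_mark); ?><br>
<textarea name="message" cols="110" rows="6"><?php echo($f_message); ?></textarea><p>
<?php
    if($form_failed){
        echo("De velden met een * zijn niet goed ingevuld.<br>");
    }else{
        echo("Velden tussen [blokhaken] zijn Verplicht.<br>");
    }
?>
<div style="text-align:right"><input class="button" name="submit" value="Toevoegen" type="submit"></div>
</div>
</form>
</td>
<td class="form_r_fill"></td>
</tr>
<tr>
<td class="form_l_bottom"></td>
<td class="form_bottom_fill"></td>
<td class="form_r_bottom"></td>
</tr>
</table><p>
<?php
}
require('../bottom.php');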
?><?php
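//Set SubMenu
$sub_menu = "gbook";
//Set Title
$title = "Gastenboek";
//Include Template Top
require('../top.php');
//Connect to Database
require("../conn.php");
//Get Guestbook Entries
//%i is minutes in MySQL's DATE_FORMAT; the original used %m, which prints
//the month a second time in place of the minutes.
$gbook_sql = mysql_query("SELECT *, DATE_FORMAT(date, '%d-%m-%Y om %H:%i') AS date_format FROM gbook ORDER BY date DESC");
//A failed query returns false; skip the loop instead of fetching from it.
while($gbook_sql && ($gbook_whl = mysql_fetch_array($gbook_sql))){
    //Every stored field is visitor input. It is escaped on output here rather
    //than trusted to have been encoded when it was written. double_encode is
    //off so entities already present in the stored rows are not encoded a
    //second time. ISO-8859-1 makes htmlspecialchars() treat the string as
    //plain bytes, so it never rejects a value over its encoding.
    $entry_name = htmlspecialchars($gbook_whl['name'], ENT_QUOTES, 'ISO-8859-1', false);
    $entry_mail = htmlspecialchars($gbook_whl['mail'], ENT_QUOTES, 'ISO-8859-1', false);
    $entry_site = htmlspecialchars($gbook_whl['site'], ENT_QUOTES, 'ISO-8859-1', false);
    //The original ran html_entity_decode() on the message, which turned the
    //stored entities back into markup and let a posted <script> run for every
    //reader. The message is now printed as text; nl2br() only adds <br> tags.
    //NOTE(review): stripslashes() is kept from the original, presumably for
    //rows written while magic quotes were enabled - confirm it is still needed.
    $entry_message = nl2br(htmlspecialchars(stripslashes($gbook_whl['message']), ENT_QUOTES, 'ISO-8859-1', false));

    //Check if E-mail isset
    if(!empty($gbook_whl['mail'])){
        $mail = "<a href=\"mailto:".$entry_mail."\">".$entry_name."</a>";
    }else{
        $mail = $entry_name;
    }
    //Check if Website isset
    if(!empty($gbook_whl['site'])){
        $site = " | <a href=\"http://".$entry_site."\" target=\"_blank\">Website</a>";
    }else{
        $site = "";
    }
?>
<!--Entry #<?php echo((int)$gbook_whl['id']); ?>-->
<table cellpadding="0" cellspacing="0" style="width:700px">
<tr>
<td class="form_l_top"></td>
<td class="form_top_fill" colspan="1"></td>
<td class="form_r_top"></td>
</tr>
<tr>
<td class="form_l_fill"></td>
<td id="form_list" class="form_list_small" style="text-align:left; background:#660000;"><?php echo($mail); ?><br><div style="font-size:7pt;"><?php echo($gbook_whl['date_format'].$site); ?></div></td>
<td class="form_r_fill"></td>
</tr>
<tr>
<td class="form_l_fill"></td>
<td colspan="1"><div style="margin:5px;"><?php echo($entry_message); ?></div></td>
<td class="form_r_fill"></td>
</tr>
<tr>
<td class="form_l_bottom"></td>
<td class="form_bottom_fill" colspan="1"></td>
<td class="form_r_bottom"></td>
</tr>
</table><p>
<?php
}
require('../bottom.php');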
?>