7.443 views
Weet iemand een goede tutorial hoe zo'n anti bot veld kan maken?
Verder mis er beveiliging tegen SQL-injection en ben je nu behoorlijk goed hackbaar:
[link]http://www.phpfreaks.com/tutorial/php-security[/link]
Ik zit dit te lezen maar zie niet hoe ik mijn script ermee kan beveiligen.
[link]http://www.phpfreaks.com/tutorial/php-security[/link]
Ik zit dit te lezen maar zie niet hoe ik mijn script ermee kan beveiligen.
Ik heb in dit topic al een voorbeeld gegeven, en deze middag nog daarheen verwezen. Lees mijn berichten nog eens terug.....
[table]
<?php session_start();
function quote_smart($value) {
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
if(version_compare(phpversion(),"4.3.0") == "-1") {
return mysql_escape_string($value);
} else {
return mysql_real_escape_string($value);
}
}
if(isset($_POST['Submit'])){
// code for check server side validation
if(empty($_SESSION['captcha_code'] ) || strcasecmp($_SESSION['captcha_code'], $_POST['captcha_code']) != 0){
$msg="<span style='color:red'>The Validation code does not match!</span>";// Captcha verification is incorrect.
}else{// Captcha verification is Correct. Final Code Execute here!
$msg="<span style='color:green'>The Validation code has been matched.</span>";
$servername = "";
$username = "";
$password = "";
$dbname = "user";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "INSERT INTO students (student_name, student_email, student_city)
VALUES(
'".$conn->real_escape_string($_POST["student_name"])."',
'".$conn->real_escape_string($_POST["student_email"])."',
'".$conn->real_escape_string($_POST["student_city"])."'
)";
if ($conn->query($sql) === TRUE) {
echo "<script type= 'text/javascript'>alert('New record created successfully');</script>";
} else {
echo "<script type= 'text/javascript'>alert('Error: " . $sql . "<br>" . $conn->error."');</script>";
}
$collection= array('orange', 'apple', 'grapefruit', 'banana', 'watermelon');
$fruit = array('orange', 'apple', 'grapefruit', 'banana', 'watermelon');
if(isset($_POST['submit']))
{ $fruit = $_POST['fruit'];
$values = array($collection);
foreach($collection as $selection )
{ if(in_array($selection, $fruit))
{ $values[ $selection ] = 1; }
else
{ $values[ $selection ] = 0; }
} // end of foreach.
// MySQL statement.
$insert = "INSERT INTO table_fruit (orange, apple, grapefruit, banana, watermelon)
VALUES ({$values['orange']}, {$values['apple']}, {$values['grapefruit']}, {$values['banana']}, {$values['watermelon']})";
// MySQL statement to execute the INSERT statement above.
mysqli_query($conn, $insert) or die('<br/>Error reading database: '.mysqli_error($dbconnect));
mysqli_close($conn);
} // End of, if statement from the button check
;
}
}
?>
<html>
<head>
<meta charset="utf-8">
<title>Testwebsite</title>
<script type='text/javascript'>
function refreshCaptcha(){
var img = document.images['captchaimg'];
img.src = img.src.substring(0,img.src.lastIndexOf("?"))+"?rand="+Math.random()*1000;
}
</script>
</head>
<body>
<div>
<form action="" method="post" name="form1" id="form1" >
<input type="checkbox" name="fruit[Orange]" value="orange"> Orange
<input type="checkbox" name="fruit[Apple]" value="apple"> Apple
<input type="checkbox" name="fruit[Grapefruit]" value="grapefruit"> Grapefruit
<input type="checkbox" name="fruit[Banana]" value="banana"> Banana
<input type="checkbox" name="fruit[Watermelon]" value="watermelon"> Watermelon
<br>
<label>Student Name :</label>
<input type="text" name="student_name" id="name" required="required" placeholder="Please Enter Name"/><br /><br />
<label>Student Email :</label>
<input type="email" name="student_email" id="email" required="required" placeholder="[email protected]"/><br/><br />
<label>Student City :</label>
<input type="text" name="student_city" id="city" required="required" placeholder="Please Enter Your City"/><br/><br />
</div>
<meta charset="utf-8">
<script type='text/javascript'>
function refreshCaptcha(){
var img = document.images['captchaimg'];
img.src = img.src.substring(0,img.src.lastIndexOf("?"))+"?rand="+Math.random()*1000;
}
</script>
<?php if(isset($msg)){?>
<?php echo $msg;?></td>
<?php } ?>
Validation code:
<img src="captcha.php?rand=<?php echo rand();?>" id='captchaimg'><br>
<label for='message'>Enter the code above here :</label>
<br>
<input id="captcha_code" name="captcha_code" type="text">
<br>
Can't read the image? click <a href='javascript: refreshCaptcha();'>here</a> to refresh.</td>
<input name="Submit" type="submit" value="Submit">
</form>
</body>
</html>
[/table]
Toevoeging op 14/11/2015 11:43:03:
Dus zo ziet het er goed uit?
<?php session_start();
function quote_smart($value) {
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
if(version_compare(phpversion(),"4.3.0") == "-1") {
return mysql_escape_string($value);
} else {
return mysql_real_escape_string($value);
}
}
if(isset($_POST['Submit'])){
// code for check server side validation
if(empty($_SESSION['captcha_code'] ) || strcasecmp($_SESSION['captcha_code'], $_POST['captcha_code']) != 0){
$msg="<span style='color:red'>The Validation code does not match!</span>";// Captcha verification is incorrect.
}else{// Captcha verification is Correct. Final Code Execute here!
$msg="<span style='color:green'>The Validation code has been matched.</span>";
$servername = "";
$username = "";
$password = "";
$dbname = "user";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "INSERT INTO students (student_name, student_email, student_city)
VALUES(
'".$conn->real_escape_string($_POST["student_name"])."',
'".$conn->real_escape_string($_POST["student_email"])."',
'".$conn->real_escape_string($_POST["student_city"])."'
)";
if ($conn->query($sql) === TRUE) {
echo "<script type= 'text/javascript'>alert('New record created successfully');</script>";
} else {
echo "<script type= 'text/javascript'>alert('Error: " . $sql . "<br>" . $conn->error."');</script>";
}
$collection= array('orange', 'apple', 'grapefruit', 'banana', 'watermelon');
$fruit = array('orange', 'apple', 'grapefruit', 'banana', 'watermelon');
if(isset($_POST['submit']))
{ $fruit = $_POST['fruit'];
$values = array($collection);
foreach($collection as $selection )
{ if(in_array($selection, $fruit))
{ $values[ $selection ] = 1; }
else
{ $values[ $selection ] = 0; }
} // end of foreach.
// MySQL statement.
$insert = "INSERT INTO table_fruit (orange, apple, grapefruit, banana, watermelon)
VALUES ({$values['orange']}, {$values['apple']}, {$values['grapefruit']}, {$values['banana']}, {$values['watermelon']})";
// MySQL statement to execute the INSERT statement above.
mysqli_query($conn, $insert) or die('<br/>Error reading database: '.mysqli_error($dbconnect));
mysqli_close($conn);
} // End of, if statement from the button check
;
}
}
?>
<html>
<head>
<meta charset="utf-8">
<title>Testwebsite</title>
<script type='text/javascript'>
function refreshCaptcha(){
var img = document.images['captchaimg'];
img.src = img.src.substring(0,img.src.lastIndexOf("?"))+"?rand="+Math.random()*1000;
}
</script>
</head>
<body>
<div>
<form action="" method="post" name="form1" id="form1" >
<input type="checkbox" name="fruit[Orange]" value="orange"> Orange
<input type="checkbox" name="fruit[Apple]" value="apple"> Apple
<input type="checkbox" name="fruit[Grapefruit]" value="grapefruit"> Grapefruit
<input type="checkbox" name="fruit[Banana]" value="banana"> Banana
<input type="checkbox" name="fruit[Watermelon]" value="watermelon"> Watermelon
<br>
<label>Student Name :</label>
<input type="text" name="student_name" id="name" required="required" placeholder="Please Enter Name"/><br /><br />
<label>Student Email :</label>
<input type="email" name="student_email" id="email" required="required" placeholder="[email protected]"/><br/><br />
<label>Student City :</label>
<input type="text" name="student_city" id="city" required="required" placeholder="Please Enter Your City"/><br/><br />
</div>
<meta charset="utf-8">
<script type='text/javascript'>
function refreshCaptcha(){
var img = document.images['captchaimg'];
img.src = img.src.substring(0,img.src.lastIndexOf("?"))+"?rand="+Math.random()*1000;
}
</script>
<?php if(isset($msg)){?>
<?php echo $msg;?></td>
<?php } ?>
Validation code:
<img src="captcha.php?rand=<?php echo rand();?>" id='captchaimg'><br>
<label for='message'>Enter the code above here :</label>
<br>
<input id="captcha_code" name="captcha_code" type="text">
<br>
Can't read the image? click <a href='javascript: refreshCaptcha();'>here</a> to refresh.</td>
<input name="Submit" type="submit" value="Submit">
</form>
</body>
</html>
[/table]
Toevoeging op 14/11/2015 11:43:03:
Marcel Groot op 14/11/2015 11:42:31
<?php session_start();
function quote_smart($value) {
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
if(version_compare(phpversion(),"4.3.0") == "-1") {
return mysql_escape_string($value);
} else {
return mysql_real_escape_string($value);
}
}
if(isset($_POST['Submit'])){
// code for check server side validation
if(empty($_SESSION['captcha_code'] ) || strcasecmp($_SESSION['captcha_code'], $_POST['captcha_code']) != 0){
$msg="<span style='color:red'>The Validation code does not match!</span>";// Captcha verification is incorrect.
}else{// Captcha verification is Correct. Final Code Execute here!
$msg="<span style='color:green'>The Validation code has been matched.</span>";
$servername = "";
$username = "";
$password = "";
$dbname = "user";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "INSERT INTO students (student_name, student_email, student_city)
VALUES(
'".$conn->real_escape_string($_POST["student_name"])."',
'".$conn->real_escape_string($_POST["student_email"])."',
'".$conn->real_escape_string($_POST["student_city"])."'
)";
if ($conn->query($sql) === TRUE) {
echo "<script type= 'text/javascript'>alert('New record created successfully');</script>";
} else {
echo "<script type= 'text/javascript'>alert('Error: " . $sql . "<br>" . $conn->error."');</script>";
}
$collection= array('orange', 'apple', 'grapefruit', 'banana', 'watermelon');
$fruit = array('orange', 'apple', 'grapefruit', 'banana', 'watermelon');
if(isset($_POST['submit']))
{ $fruit = $_POST['fruit'];
$values = array($collection);
foreach($collection as $selection )
{ if(in_array($selection, $fruit))
{ $values[ $selection ] = 1; }
else
{ $values[ $selection ] = 0; }
} // end of foreach.
// MySQL statement.
$insert = "INSERT INTO table_fruit (orange, apple, grapefruit, banana, watermelon)
VALUES ({$values['orange']}, {$values['apple']}, {$values['grapefruit']}, {$values['banana']}, {$values['watermelon']})";
// MySQL statement to execute the INSERT statement above.
mysqli_query($conn, $insert) or die('<br/>Error reading database: '.mysqli_error($dbconnect));
mysqli_close($conn);
} // End of, if statement from the button check
;
}
}
?>
<?php
<html>
<head>
<meta charset="utf-8">
<title>Testwebsite</title>
<script type='text/javascript'>
function refreshCaptcha(){
var img = document.images['captchaimg'];
img.src = img.src.substring(0,img.src.lastIndexOf("?"))+"?rand="+Math.random()*1000;
}
</script>
</head>
<body>
<div>
<form action="" method="post" name="form1" id="form1" >
<input type="checkbox" name="fruit[Orange]" value="orange"> Orange
<input type="checkbox" name="fruit[Apple]" value="apple"> Apple
<input type="checkbox" name="fruit[Grapefruit]" value="grapefruit"> Grapefruit
<input type="checkbox" name="fruit[Banana]" value="banana"> Banana
<input type="checkbox" name="fruit[Watermelon]" value="watermelon"> Watermelon
<br>
<label>Student Name :</label>
<input type="text" name="student_name" id="name" required="required" placeholder="Please Enter Name"/><br /><br />
<label>Student Email :</label>
<input type="email" name="student_email" id="email" required="required" placeholder="[email protected]"/><br/><br />
<label>Student City :</label>
<input type="text" name="student_city" id="city" required="required" placeholder="Please Enter Your City"/><br/><br />
</div>
<meta charset="utf-8">
<script type='text/javascript'>
function refreshCaptcha(){
var img = document.images['captchaimg'];
img.src = img.src.substring(0,img.src.lastIndexOf("?"))+"?rand="+Math.random()*1000;
}
</script>
<?php if(isset($msg)){?>
<?php echo $msg;?></td>
<?php } ?>
Validation code:
<img src="captcha.php?rand=<?php echo rand();?>" id='captchaimg'><br>
<label for='message'>Enter the code above here :</label>
<br>
<input id="captcha_code" name="captcha_code" type="text">
<br>
Can't read the image? click <a href='javascript: refreshCaptcha();'>here</a> to refresh.</td>
<input name="Submit" type="submit" value="Submit">
</form>
</body>
</html>
?>
Dus zo ziet het er goed uit?
Ziet er goed uit, ik zou de laatste queries voor je fruit ook even herschrijven naar het object-georiënteerde MySQLi.
Bovenste blok regel 12 en 45 zijn het zelfde moet regel 45 niet weg? en hoezo herschrijven het werkt goed?
Consequente code zorgt altijd voor minder frustraties. ;-)