1. 首頁
  2. 問答
  3. 我在「html表單」中保留了新的pdo轉換後的代碼嗎?

我在「html表單」中保留了新的pdo轉換後的代碼嗎?

2013-01-15 31 views
0

我想,我在代碼中缺少一些漏洞。 點亮我,我剛剛在PDO中轉換了我的腳本,這不僅是安全的!我在「html表單」中保留了新的pdo轉換後的代碼嗎?

<?PHP 
require_once("./include/membersite_config.php"); 

if(!$fgmembersite->CheckLogin()) 
{ 
$fgmembersite->RedirectToURL("login.php"); 
exit; 
} 

?> 
<?php $utilizator = $fgmembersite->UserFullName() ?> 

<?php require ("../SQL.php"); 

### De aici am setat creearea directoarelor pentru poze ### 
$model   = mysql_real_escape_string("$_POST[model]"); 
$marca   = mysql_real_escape_string("$_POST[marca]"); 

mkdir ("\\server\\htdocs\\panou\\poze\\{$marca}/{$model}", 0777, true); 
$director_poza = ("poze/{$marca}/{$model}/");  
$numetmp_poza = $_FILES['numepoza1']['name']; 
$numepoza1  = $director_poza.$numetmp_poza; 
$numetmp_poza = $_FILES['numepoza2']['name']; 
$numepoza2  = $director_poza.$numetmp_poza; 
$numetmp_poza = $_FILES['numepoza3']['name']; 
$numepoza3  = $director_poza.$numetmp_poza; 
if(move_uploaded_file($_FILES['numepoza1']['tmp_name'], $numepoza1)) 
if(move_uploaded_file($_FILES['numepoza2']['tmp_name'], $numepoza2)) 
if(move_uploaded_file($_FILES['numepoza3']['tmp_name'], $numepoza3)) 
{ 
list($width,$height,$type,$attr)= getimagesize($numepoza1); 
switch($type) 
{ 
case 1: 
$ext = ".gif"; break; 
case 2: 
$ext = ".jpg"; break; 
case 3: 
$ext = ".png"; break; 
default: 
echo "Format foto neacceptat"; 
} }### Gata creeare director si upload poze ### 

$insertie = "INSERT INTO modele 
(id, marca, model, utilizator, despre, data, data_luna, data_zi, img1, img2, img3, doi_g, trei_g, patru_g, info_ecran, rezolutie_ecran, multitouch_ecran, protectie_ecran, sunet_sonerii, sunet_mainilibere, sunet_mufa_jack, memorie_card, mcard_tip, mcard_capacitate,intern_memorie, date_gprs, date_edge, date_viteze, date_wifi, date_bt, date_nfc, date_usb, camera_spate, camera_fata, camera_tehnologii, camera_video, performanta_os,performanta_chipset, performanta_cpu, performanta_cpu_core, performanta_cpu_tip, performanta_rami, performanta_gpu, performanta_senzori, performanta_gps, performanta_java, altele_radio, altele_mesajerie, altele_filme, baterie_autonomie, baterie_mAh, baterie_convorbire, SEO_cuvinte_cheie) 
    VALUES 
    ('',  '$_POST[marca]','$_POST[model]','$utilizator','$_POST[despre]','$_POST[data]','$_POST[data_luna]','$_POST[data_zi]', 
'$numepoza1','$numepoza2','$numepoza3','$_POST[doi_g]', 
'$_POST[trei_g]', 
'$_POST[patru_g]', 
'$_POST[info_ecran]', 
'$_POST[rezolutie_ecran]', 
'$_POST[multitouch_ecran]', 
'$_POST[protectie_ecran]', 
'$_POST[sunet_sonerii]', 
'$_POST[sunet_mainilibere]', 
'$_POST[sunet_mufa_jack]', 
'$_POST[memorie_card]', 
'$_POST[mcard_tip]', 
'$_POST[mcard_capacitate]', 
'$_POST[intern_memorie]', 
'$_POST[date_gprs]', 
'$_POST[date_edge]', 
'$_POST[date_viteze]', 
'$_POST[date_wifi]', 
'$_POST[d ate_bt]', 
'$_POST[date_nfc]', 
'$_POST[date_usb]', 
'$_POST[camera_spate]', 
'$_POST[camera_fata]', 
'$_POST[camera_tehnologii]', 
'$_POST[camera_video]', 
'$_POST[performanta_os]', 
'$_POST[performanta_chipset]', 
'$_POST[performanta_cpu]', 
'$_POST[pe rformanta_cpu_core]', 
'$_POST[performanta_cpu_tip]', 
'$_POST[performanta_rami]', 
'$_POST[perfo rmanta_gpu]', 
'$_POST[performanta_senzori]', 
'$_POST[performanta_gps]', 
'$_POST[performanta_java]', 
'$_POST[altele_radio]', 
'$_POST[altele_mesajerie]', 
'$_POST[altele_filme]', 
'$_POST[baterie_autonomie]', 
'$_POST[baterie_mAh]', 
'$_POST[baterie_convorbire]', 
'$_POST[SEO_cuvinte_cheie]')"; 

if ($dbh->query($insertie)) 
{ 
print '<center><h1>Telefonul/Tableta a fost publicat(a) cu succes!</h1><br /> 
Vei fi redirectionat in cateva momente inspre adaugarea unui nou model de tableta sau   telefon!</center> 
    <meta http-equiv="refresh" content="5; URL=adauga-tableta-tel.php"/>'; 
} 
else(mysql_error())  
?>

請帶一些幫助沒有鏈接來閱讀。

來源

2013-01-15 Domuta Marcel

+0

所有這些,更需要被轉義準備,因爲你拉的所有數據出來後

例如,從網址! '$ _POST [date_nfc]', '$ _POST [date_usb]', '$ _POST [camera_spate]', '$ _POST [camera_fata]', '$ _POST [camera_tehnologii]', 「$ _POST [camera_video ]」, '$ _POST [performanta_os]', '$ _POST [performanta_chipset]', '$ _POST [performanta_cpu]', '$ _POST [PE rformanta_cpu_core]', '$ _POST [performanta_cpu_tip]', '$ _POST [performanta_rami]', '$ _POST [PERFO rmanta_gpu]', '$ _POST [performanta_senzori]', '$ _POST [performanta_gps]', '$ _POST [performanta_java]', 「$ _POST [ altele_radio]', '$ _POST [altele_mesajerie]', '$ _POST [altele_filme]', '$ _POST [baterie_autonomie]', '$ _POST [baterie_mAh]'... – Sven

+0

但是怎麼樣?一個小例子請... –

回答

3

那麼,你應該使用PDO的prepare聲明

http://php.net/manual/en/pdo.prepare.php

我不會重寫你所有的代碼,但那是一個良好的開端。

就安全而言,IIRC,pdo只允許你一次執行一個查詢,所以sql注入有點困難。但我還是會去上面

/* Execute a prepared statement by passing an array of values */ 
$sth = $dbh->prepare('SELECT name, color, calories 
    FROM fruit 
    WHERE calories < ? AND color = ?'); 
$sth->execute(array(150, 'red')); 
$red = $sth->fetchAll();

來源

2013-01-15 22:04:50 Ascherer

+0

你不必爲我寫代碼,但請你能在我的情況下做一個小例子嗎? –

+0

編輯主帖子 – Ascherer

+0

什麼是represint 150? –

相關問題

 相關問題