Checking SQL injection protection
Posted: Sat Feb 07, 2015
Hi! I have the following code:
Code:
<?php
$phone = 'Phone Model';
$na = 'Name';
$su = 'Surname';
$ad1 = 'Address Line 1';
$ad2 = 'Address Line 2';
$cit = 'City';
$cou = 'County';
$mo = 'Mobile No';
$em = 'Email';
$comm = 'Tell us whats happen with your phone before get broken.';
$phonemodel = $_POST['phonemodel'];
$name = $_POST['name'];
$surname = $_POST['surname'];
$address1 = $_POST['address1'];
$address2 = $_POST['address2'];
$city = $_POST['city'];
$county = $_POST['county'];
$mobileno = $_POST['mobileno'];
$mail = $_POST['email'];
$comment = $_POST['comment'];
if(!isset
($phonemodel) &&
($name) &&
($surname) &&
($address1) &&
($address2) &&
($city) &&
($county) &&
($mobileno) &&
($mail) &&
($comment)
){
header("Location: emailsend.php?validate=empty");
}
elseif($phonemodel == $phone ||
$name == $na ||
$surname == $su ||
$address1 == $ad1 ||
$address2 == $ad2 ||
$city == $cit ||
$county == $cou ||
$mobileno == $mo ||
$mail == $em ||
$comment == $comm ){
header("Location: emailsend.php?validate=realdetails");
}
else{
$regex = '/[\/=#\$%\*!\[\]\.\'^\-]/i';
$checkarr = array($phonemodel,$name,$surname,$address1,$address2,$city,$county,$mobileno,$comment,$mail);
for($i=0;$i<count($checkarr)-1;$i++){
if(preg_match($regex, $checkarr[$i])){
header("Location: emailsend.php?validate=forbidden");
}
elseif(!filter_var($checkarr[9], FILTER_VALIDATE_EMAIL)){
header("Location: emailsend.php?validate=notallowed");
}
}
$sql="INSERT INTO diagnose (phonemodel,name,surname,address1,address2,city,county,mobileno,email,comment)
VALUES
('".$phonemodel."','".$name."','".$surname."','".$address1."','".$address2."','".$city."','".$county."','".$mobileno."','".$mail."','".$comment."')";
$sqlquery = $conn->sqlExec($sql);
if (!$sqlquery) {
die(header("Location: emailsend.php?validate=error") . mysql_error());
}
else {
header("Location: emailsend.php?validate=booked");
}
mysql_close($conn);
}
?>
So the fields have a focus in JS, which means they already contain a value; to avoid receiving wrong information I chose to write this piece of code.
Code:
elseif($phonemodel == $phone ||
$name == $na ||
$surname == $su ||
$address1 == $ad1 ||
$address2 == $ad2 ||
$city == $cit ||
$county == $cou ||
$mobileno == $mo ||
$mail == $em ||
$comment == $comm ){
header("Location: emailsend.php?validate=realdetails");
}
After that I tried to somehow go through the fields and protect them against SQL injection, which is this piece of code.
Code:
else{
$regex = '/[\/=#\$%\*!\[\]\.\'^\-]/i';
$checkarr = array($phonemodel,$name,$surname,$address1,$address2,$city,$county,$mobileno,$comment,$mail);
for($i=0;$i<count($checkarr)-1;$i++){
if(preg_match($regex, $checkarr[$i])){
header("Location: emailsend.php?validate=forbidden");
}
elseif(!filter_var($checkarr[9], FILTER_VALIDATE_EMAIL)){
header("Location: emailsend.php?validate=notallowed");
}
}
And below is the insert itself.
OK, the script works as far as checking that the values are not the same as the ones I have in focus, and inserting the data if the form is filled in properly. But when I want to test SQL injection, i.e. put a character like (' * etc.) in the fields, it gives me an SQL error, namely this one here:
Code:
if (!$sqlquery) {
die(header("Location: emailsend.php?validate=error") . mysql_error());
}
Basically it skips over that for loop and doesn't show me the error message.
Any suggestions?
PS: That regex was given by you in a previous topic; could you help me understand what it does and how it is put together, because I want to get rid of some characters from it, such as ( ! - . )
PS2: The thing is the form is already protected with JS, but since JS can be disabled I figured I'd make a backup plan.
Thanks!
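The behaviour described in the post follows from how PHP's header() works: it only queues a response header and does not stop the script, so after the "forbidden" redirect is queued the loop finishes, the concatenated INSERT still runs with the quote inside it, the query fails, and the later header("...validate=error") replaces the earlier Location header. Two further details of the posted code are worth noting: `!isset($phonemodel) && ($name) && ...` only tests the first field with isset(), and `$i < count($checkarr)-1` leaves the last array element out of the loop. The example below is an added illustration, not the poster's code or anything from this thread: it validates each field separately, stops after a rejection, and replaces the string-built INSERT with a prepared statement, which is what actually prevents SQL injection. It assumes PDO with an in-memory SQLite database (pdo_sqlite extension) standing in for the poster's `$conn->sqlExec` wrapper and MySQL; the table name, column names and placeholder texts are taken from the post, and the submitted values are constructed for the demo.

```php
<?php
// Added example (not the poster's code): per-field validation plus a prepared
// INSERT, so quote characters in the input can never alter the SQL statement.
// Uses an in-memory SQLite database via PDO so it runs offline; with MySQL only
// the DSN and credentials passed to the PDO constructor would differ (assumption).

// Placeholder texts that the JS focus handler leaves in the fields (from the post).
$placeholders = [
    'phonemodel' => 'Phone Model',
    'name'       => 'Name',
    'surname'    => 'Surname',
    'address1'   => 'Address Line 1',
    'address2'   => 'Address Line 2',
    'city'       => 'City',
    'county'     => 'County',
    'mobileno'   => 'Mobile No',
    'email'      => 'Email',
    'comment'    => 'Tell us whats happen with your phone before get broken.',
];

// Returns the redirect code ('empty', 'realdetails', 'notallowed') or null when
// the submission is acceptable. Every field gets its own isset() test; the
// posted "!isset($a) && ($b) && ..." only applied isset() to the first field.
function validateSubmission(array $post, array $placeholders): ?string
{
    foreach ($placeholders as $field => $placeholder) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            return 'empty';
        }
        if ($post[$field] === $placeholder) {
            return 'realdetails';
        }
    }
    if (!filter_var($post['email'], FILTER_VALIDATE_EMAIL)) {
        return 'notallowed';
    }
    return null;
}

// Inserts a validated submission with bound parameters. The values are sent
// separately from the SQL text, so "O'Brien" or "x'); --" are stored as plain
// strings and are never parsed as part of the statement.
function insertDiagnose(PDO $db, array $post): int
{
    $fields = ['phonemodel', 'name', 'surname', 'address1', 'address2',
               'city', 'county', 'mobileno', 'email', 'comment'];
    $sql = 'INSERT INTO diagnose (' . implode(', ', $fields) . ')
            VALUES (:' . implode(', :', $fields) . ')';
    $stmt = $db->prepare($sql);
    foreach ($fields as $f) {
        $stmt->bindValue(':' . $f, $post[$f], PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// --- demo with a constructed submission ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE diagnose (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    phonemodel TEXT, name TEXT, surname TEXT, address1 TEXT, address2 TEXT,
    city TEXT, county TEXT, mobileno TEXT, email TEXT, comment TEXT)');

// Constructed input: a legitimate apostrophe in the surname and a quote-and-
// comment sequence in the comment field, the kind of input that breaks the
// concatenated query in the post.
$post = [
    'phonemodel' => 'Galaxy S5',
    'name'       => 'Ana',
    'surname'    => "O'Brien",
    'address1'   => '12 Some Street',
    'address2'   => 'Flat 3',
    'city'       => 'Cluj',
    'county'     => 'Cluj',
    'mobileno'   => '0700000000',
    'email'      => 'ana@example.com',
    'comment'    => "screen cracked'); -- ",
];

$code = validateSubmission($post, $placeholders);
if ($code !== null) {
    // In the real handler: header("Location: emailsend.php?validate=$code"); exit;
    echo "rejected: $code\n";
} else {
    $id = insertDiagnose($db, $post);
    $stmt = $db->prepare('SELECT surname, comment FROM diagnose WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    echo "stored row $id: surname={$row['surname']} comment={$row['comment']}\n";
}
```

Two points on the design. First, each redirect in a real handler must be followed by `exit;`, otherwise the script keeps running after header() exactly as in the post. Second, the block deliberately has no character blacklist: the posted regex `/[\/=#\$%\*!\[\]\.\'^\-]/i` is a single character class, so it matches any one occurrence of the listed characters / = # $ % * ! [ ] . ' ^ - (the backslashes escape the ones that are special inside a class, and the `i` flag has no effect on punctuation); dropping `!`, `\-` and `\.` from inside the brackets would remove those three. With bound parameters none of those characters needs to be forbidden, and legitimate input such as O'Brien or an address with a dash is accepted instead of being rejected.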