
보안

egoing committed Apr 30, 2015
1 parent 5379531 commit a715112dfc2f0c49c671979a9a80654528a5c9c7
Showing with 52 additions and 13 deletions.
  1. +10 −10 index.php
  2. +10 −0 php/5.php
  3. +24 −0 phpjs/14.php
  4. +8 −3 process.php
@@ -10,19 +10,19 @@
<link rel="stylesheet" type="text/css" href="http://localhost/style.css">
</head>
<body id="target">
<header>
<header>
<img src="https://s3-ap-northeast-1.amazonaws.com/opentutorialsfile/course/94.png" alt="생활코딩">
<h1><a href="http://localhost/index.php">JavaScript</a></h1>
<h1><a href="http://localhost/index.php">JavaScript</a></h1>
</header>
<nav>
<ol>
<nav>
<ol>
<?php
while( $row = mysqli_fetch_assoc($result)){
echo '<li><a href="http://localhost/index.php?id='.$row['id'].'">'.$row['title'].'</a></li>'."\n";
echo '<li><a href="http://localhost/index.php?id='.$row['id'].'">'.htmlspecialchars($row['title']).'</a></li>'."\n";
}
?>
</ol>
</nav>
</ ol>
</nav>
<div id="control">
<input type="button" value="white" onclick="document.getElementById('target').className='white'"/>
<input type="button" value="black" onclick="document.getElementById('target').className='black'" />
@@ -34,9 +34,9 @@
$sql = "SELECT topic.id,title,name,description FROM topic LEFT JOIN user ON topic.author = user.id WHERE topic.id=".$_GET['id'];
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_assoc($result);
echo '<h2>'.$row['title'].'</h2>';
echo '<p>'.$row['name'].'</p>';
echo $row['description'];
echo '<h2>'.htmlspecialchars($row['title']).'</h2>';
echo '<p>'.htmlspecialchars($row['name']).'</p>';
echo strip_tags($row['description'], '<a><h1><h2><h3><h4><h5><ul><ol><li>');
}
?>
</article>
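Review bot: The query `$sql = "SELECT topic.id,title,name,description ... WHERE topic.id=".$_GET['id'];` in the second hunk still interpolates `$_GET['id']` straight into SQL, so this commit fixes the output escaping but leaves that injection point untouched; at minimum cast it, `$id = (int) $_GET['id'];` and use `WHERE topic.id=".$id`, or better bind it with `mysqli_prepare` / `mysqli_stmt_bind_param`. The new `strip_tags($row['description'], '<a><h1>...')` line keeps whatever attributes are on the allowed tags, so an `href` or event-handler attribute on an `<a>` or `<h1>` still reaches the page; if descriptions are user-supplied (they appear to come from `$_POST['description']` in process.php in this same commit) an allowlist HTML sanitizer or escaping the whole description is needed. The `$row['id']` interpolated into the link in the first hunk is also left unescaped, though it is presumably a numeric column. The `if` block that the second hunk closes at `}` starts before the hunk.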
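--- /dev/null
+++ b/php/5.php
@@ -0,0 +1,10 @@
+<html>
+<head>
+<title></title>
+</head>
+<body>
+<?php
+echo htmlspecialchars('<script>alert(1);</script>');
+?>
+</body>
+</html>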
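Review bot: `htmlspecialchars('<script>alert(1);</script>');` relies on the default flags and charset, which differ between PHP versions (single quotes are not encoded by default before 8.1), so the demo only covers the text-node case; passing them explicitly, `htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, makes the example portable and correct in attribute contexts too. The file also has no `<meta charset>` (the sibling phpjs/14.php in this commit does), which matters because the escaping assumes the browser interprets the page as UTF-8.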
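--- /dev/null
+++ b/phpjs/14.php
@@ -0,0 +1,24 @@
+<?php
+$conn = mysqli_connect("localhost", "root", 111111);
+mysqli_select_db($conn, "opentutorials");
+$name = mysqli_real_escape_string($conn, $_GET['name']);
+$password = mysqli_real_escape_string($conn, $_GET['password']);
+$sql = "SELECT * FROM user WHERE name='".$name."' AND password='".$password."'";
+echo $sql;
+$result = mysqli_query($conn, $sql);
+?>
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+</head>
+<body>
+<?php
+if($result->num_rows == "0"){
+echo "뉘신지?";
+} else {
+echo "안녕하세요. 주인님";
+}
+?>
+</body>
+</html>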
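Review bot: `echo $sql;` prints the assembled query, including the submitted password, into the response body; it reads as a debugging leftover and should be removed before this file serves as a login example. The credentials are also read from `$_GET`, which places the password in the URL, browser history and server logs, so a login should be submitted by POST and read from `$_POST`. `$result->num_rows == "0"` is a loose string comparison where `$result->num_rows === 0` is meant, and `mysqli_query` returning `false` is never checked, so a failed query fatals on `->num_rows`. `mysqli_real_escape_string` is only as safe as the connection charset it escapes for, and nothing here calls `mysqli_set_charset`; `mysqli_prepare` with `mysqli_stmt_bind_param($stmt, 'ss', ...)` removes that dependency, and the plaintext `password='...'` match should become `password_verify` against a stored `password_hash` value.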
@@ -1,17 +1,22 @@
<?php
$conn = mysqli_connect("localhost", "root", 111111);
mysqli_select_db($conn, "opentutorials");
$sql = "SELECT * FROM user WHERE name='".$_POST['author']."'";
$title = mysqli_real_escape_string($conn, $_POST['title']);
$author = mysqli_real_escape_string($conn, $_POST['author']);
$description = mysqli_real_escape_string($conn, $_POST['description']);
$sql = "SELECT * FROM user WHERE name='".$author."'";
$result = mysqli_query($conn, $sql);
if($result->num_rows == 0){
$sql = "INSERT INTO user (name, password) VALUES('".$_POST['author']."', '111111')";
$sql = "INSERT INTO user (name, password) VALUES('".$author."', '111111')";
mysqli_query($conn, $sql);
$user_id = mysqli_insert_id($conn);
} else {
$row = mysqli_fetch_assoc($result);
$user_id = $row['id'];
}
$sql = "INSERT INTO topic (title,description,author,created) VALUES('".$_POST['title']."', '".$_POST['description']."', '".$user_id."', now())";
$sql = "INSERT INTO topic (title,description,author,created) VALUES('".$title."', '".$description."', '".$user_id."', now())";
$result = mysqli_query($conn, $sql);
header('Location: http://localhost/index.php');
?>
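Review bot: The `mysqli_real_escape_string` calls added on the `$title`, `$author` and `$description` lines close the direct interpolation, but escaping is only correct for the charset the connection is using and this file never calls `mysqli_set_charset`; prepared statements (`mysqli_prepare` + `mysqli_stmt_bind_param`) for the three queries would remove both that dependency and the hand-written quoting. New users are still inserted with the fixed plaintext password `'111111'` on the `INSERT INTO user` line, which should be a `password_hash` value if the login in phpjs/14.php is meant to be real. Neither `mysqli_query` result is checked, so a failed user INSERT silently yields a `mysqli_insert_id` of 0 and a topic attributed to author 0. The diffstat counts 8 additions for this file but only 6 added lines are visible here, so the rendered hunk appears to be missing two lines.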
