הוסטס - פורום אחסון האתרים הגדול בישראל - View Single Post - אתגר TrubleShooting - מס' #1 בסדרה

omercnet · 25-07-07, 21:04

כל הכבוד לכל המשתתפים,
הקוד שלי:

PHP קוד:


			
<?php
error_reporting(0);

function secure_array($array) { # Recursivly dig in an array and secure it.
  if ( is_array($array) ) {
    array_map('secure_array', $array);
  } else {
      mysql_escape_string($array);
      stripslashes($array);
  }
  return $array;
}

session_start(); /* Session must start before any headers are sent */

/* First check if we've seen this dude before, and only then set the session/cookie */
if ($_SESSION['IwasHere'] || $_COOKIE['IwasHere'] ) {
  if ( !isset($_POST['Username'] ) { # Make sure we don't block the user after posting the form.
      die("You have already visited the site. Access denied, you can't view the site.");
  } else {
    $_SESSION['IwasHere'] = true;
    setcookie("IwasHere", true ,time() + 3600); # Make sure the cookie will expire in 1 hour from now, instead of deleting it :)
  }
}

?>
<p>
Hello, welcome to my system. 
You are a new programmer at Hosts.co.il, your employer wants you to check his code and fix the errors. 
He doesn't have any server with PHP installed, so you are allowed to use your eyes only!<br />
<br />
Good luck.</p>
<?php
/* Remove any badly formed vars ($-Database-Username, $Database-Hostname) and sort all db related info into an array */
$db = array();
$db['user']   = "root";
$db['pass']   = "xyzPassWord";
$db['host']   = "localhost";
$db['dbase']  = "hosts";

/* Make sure we don't have any problems connecting to database */
if ( !$db['Connect'] = mysql_connect($db['host'], $db['user'], $db['pass']) ) { die("<b>DB Err:</b> ".mysql_error()); }
if ( !$db['SelectDB'] = mysql_select_db($db['dbase']) ) { die("<b>DB Err:</b> ".mysql_error()); }

$_POST = secure_array($_POST); # Secure all POST information before we handle it.

if ( isset($_POST['Username']) ) {
  $db['Query'] = mysql_query("SELECT * FROM `tblUsers` WHERE `Username`=\"{$_POST['Username']}\" AND `Password`=\"{$_POST['Password']}\"");
  echo ( mysql_num_rows($db['Query']) != 0 ? "Invalid user and/or password<br />" : "User exist and password correct!" );
} else {
  ?>
<FORM METHOD=POST ACTION="">
  Usrname: <INPUT TYPE="text" NAME="Username"><br />
  Password: <INPUT TYPE="password" NAME="Password"><br />
  <INPUT TYPE="submit">
</FORM>
  <?
}
?>

25-07-07, 21:04	# 8
omercnet אחראי פורום תחזוק שרתים מיני פרופיל תאריך הצטרפות: Aug 2006 גיל: 38 הודעות: 722	כל הכבוד לכל המשתתפים, הקוד שלי: PHP קוד: <?php error_reporting(0); function secure_array($array) { # Recursivly dig in an array and secure it. if ( is_array($array) ) { array_map('secure_array', $array); } else { mysql_escape_string($array); stripslashes($array); } return $array; } session_start(); /* Session must start before any headers are sent / / First check if we've seen this dude before, and only then set the session/cookie / if ($_SESSION['IwasHere'] \|\| $_COOKIE['IwasHere'] ) { if ( !isset($_POST['Username'] ) { # Make sure we don't block the user after posting the form. die("You have already visited the site. Access denied, you can't view the site."); } else { $_SESSION['IwasHere'] = true; setcookie("IwasHere", true ,time() + 3600); # Make sure the cookie will expire in 1 hour from now, instead of deleting it :) } } ?> <p> Hello, welcome to my system. You are a new programmer at Hosts.co.il, your employer wants you to check his code and fix the errors. He doesn't have any server with PHP installed, so you are allowed to use your eyes only!<br /> <br /> Good luck.</p> <?php / Remove any badly formed vars ($-Database-Username, $Database-Hostname) and sort all db related info into an array / $db = array(); $db['user'] = "root"; $db['pass'] = "xyzPassWord"; $db['host'] = "localhost"; $db['dbase'] = "hosts"; / Make sure we don't have any problems connecting to database / if ( !$db['Connect'] = mysql_connect($db['host'], $db['user'], $db['pass']) ) { die("<b>DB Err:</b> ".mysql_error()); } if ( !$db['SelectDB'] = mysql_select_db($db['dbase']) ) { die("<b>DB Err:</b> ".mysql_error()); } $_POST = secure_array($_POST); # Secure all POST information before we handle it. if ( isset($_POST['Username']) ) { $db['Query'] = mysql_query("SELECT FROM `tblUsers` WHERE `Username`=\"{$_POST['Username']}\" AND `Password`=\"{$_POST['Password']}\""); echo ( mysql_num_rows($db['Query']) != 0 ? "Invalid user and/or password<br />" : "User exist and password correct!" ); } else { ?> <FORM METHOD=POST ACTION=""> Usrname: <INPUT TYPE="text" NAME="Username"><br /> Password: <INPUT TYPE="password" NAME="Password"><br /> <INPUT TYPE="submit"> </FORM> <? } ?> __________________ Omer Cohen Information Security Specialist eBaY Inc