TIP: Přetáhni ikonu na hlavní panel pro připnutí webu
Ahoj, vedeli by ste mi upraviť tento script proti XSS a SQL Injection? Ďakujem!!
<?php
include ('header.php');
include("functions.php");
session_start();?>
<style>.art-content .art-postcontent-0 .layout-item-0{border-top-width:1px;border-top-style:dotted;border-top-color:#707070;margin-top:10px;margin-bottom:10px}.art-content .art-postcontent-0 .layout-item-1{padding-right:10px;padding-left:10px}.art-content .art-postcontent-0 .layout-item-2{border-right-style:dotted;border-right-width:1px;border-right-color:#707070;padding-right:10px;padding-left:10px}.ie7 .art-post .art-layout-cell{border:none!important;padding:0!important}.ie6 .art-post .art-layout-cell{border:none!important;padding:0!important}</style></head><body>
<div id="art-main">
<header class="art-header">
<div class="art-shapes"></div>
<h1 class="art-headline" data-left="66.04%">
</h1>
<h2 class="art-slogan" data-left="39.8%">Dobi svet a užívaj si slávu</h2>
</header>
<nav class="art-nav">
<ul class="art-hmenu">
<li>
<a href="index.php">Novinky</a>
</li>
<li>
<a href="cookies.php">Cookies</a>
</li>
<li>
<a href="kontakt.php">Kontakt</a>
</li>
</ul>
</nav>
<div class="art-sheet clearfix">
<div class="art-layout-wrapper">
<div class="art-content-layout">
<div class="art-content-layout-row">
<div class="art-layout-cell art-sidebar1">
<div class="art-vmenublock clearfix">
<div class="art-vmenublockcontent">
<ul class="art-vmenu">
<li>
<a href="index.php">Novinky</a>
</li>
>
<li>
<a href="cookies.php">Cookies</a>
</li>
<li>
<a href="kontakt.php">Kontakt</a>
</li>
</ul>
</div>
</div>
</div>
<div class="art-layout-cell art-content">
<article class="art-post art-article">
<div class="art-postmetadataheader"></div>
<div class="art-postcontent art-postcontent-0 clearfix">
<div class="art-content-layout">
<div class="art-content-layout-row">
<div class="art-layout-cell layout-item-1" style="width:100%">
<h3>Registrácia</h3>
<p>Po registrácii je nutné e-mail
<b>
<font color=red>overiť!</font>
</b>
</p>
<p>
<br>
</p>
</div>
</div>
</div>
<div class="art-content-layout-br layout-item-0"></div>
<div class="art-content-layout">
<div class="art-content-layout-row">
<div class="art-layout-cell layout-item-2" style="width:50%">
<h3>Registrujte sa hneď!</h3>
<p>Zvoľ si frakciu a ukáž hráčom, kto je tu pánom! Vyber si svoju frakciu, s ktorou dobiješ herný svet a budeš si užívať ovocie slávy!</p>
<p>
<br>
</p>
</div>
<div class="art-layout-cell layout-item-1" style="width:50%">
<h3>Analýza hráčov</h3>
<p>
<span style="font-weight:bold">Na serveri je registrovaných <?php include ('functions.php');
$result = mysqli_query($con,"SELECT COUNT(*) AS total FROM `user` ") or die(mysqli_error()); $values = mysqli_fetch_assoc($result); $num_rows = $values['total'];
echo $num_rows;
?> hráčov</span>
</p>
</div>
</div>
</div>
</div>
</article>
</div>
<div class="art-layout-cell art-sidebar2">
<div class="art-block clearfix">
<div class="art-blockheader">
<h3 class="t">Registrácia</h3>
</div>
<div class="art-blockcontent">
<?php
if(isset($_SESSION['uid'])){ ?>
<center>
<h2> Ste už prihlásený! </h2>
<br>
<a href='main.php'>
<button type="button" class="xmiddle green button round">Späť do hry!</button>
</a>
<a href='logout.php'>
<button type="button" class="xmiddle red button round">Odhlásiť!</button>
</a>
</center>
<?php } else {
?>
<form action="register.php" method="post">
<input type="text" name="username" class="inputbox" alt="username" placeholder=Meno style="width:100%" />
<input type="password" name="password" class="inputbox" size="18" alt="password" placeholder=Heslo style="width:100%" />
<input id="modlgn_username" type="text" name="email" class="inputbox" alt="email" placeholder=E-mail style="width:100%" />
</p>
<script>
var vlajkaa = {
"USA" : "images/fraction0.png",
"Nemecko" : "images/fraction1.png",
"Slovensko" : "images/fraction2.png",
"ZSSR" : "images/fraction3.png",
"Taliansko" : "images/fraction4.png",
"Británia" : "images/fraction5.png"
};
var infoo = {
"USA" : "Spojenci",
"Nemecko" : "Osa",
"Slovensko" : "Osa",
"ZSSR" : "Spojenci",
"Taliansko" : "Osa",
"Británia" : "Spojenci"
};
</script>
Frakcia:
<select name="frakcia" onchange="document.getElementById('vlajka').src = vlajkaa[this.value]; document.getElementById('info').innerHTML = infoo[this.value];">
<option value="USA">USA</option>
<option value="Nemecko">Nemecko</option> >
<option value="Slovensko">Slovensko</option>>
<option value="ZSSR">ZSSR</option>
<option value="Taliansko">Taliansko</option>
<option value="Británia">Británia</option>
</select>
<br />
Vojnová politika:
<b>
<font id="info" style="color: #00cc66">Spojenci</font>
</b>
<img src="images/fraction0.png" id="vlajka" style="width: 64px; height: 69px;"/>
<i></i>
<br>
<button type="submit" name="register" class="xmiddle green button round">Registrovať!</button>
<ul>
<li>
<a href="index.php">Prihlásiť sa do účtu</a>
</li>
</ul>
</form>
<?php
function generate_code($length = 10) {
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$charactersLength = strlen($characters);
$randomCode = '';
for ($i = 0; $i < $length; $i++) {
$randomCode .= $characters[rand(0, $charactersLength - 1)];
}
return $randomCode;
}
?>
<?php if(isset($_POST['register'])){
$username = mysqli_real_escape_string($con, $_POST['username']);
$password = mysqli_real_escape_string($con, $_POST['password']);
$email= mysqli_real_escape_string($con, $_POST['email']);
if($username == "" || $password == "" || $email == ""){
echo "Na niečo si zabudol!";
}elseif(strlen($username) > 20){
echo "Tvoje meno je veľmi dlhé!";
}elseif(strlen($email) > 100){
echo "Tvoj e-mail je veľmi dlhý!";
}else{
$register1 = mysqli_query($con,"SELECT `id` FROM `user` WHERE `username`='$username'") or die(mysqli_error());
$register2 = mysqli_query($con,"SELECT `id` FROM `user` WHERE `email`='$email'") or die(mysqli_error());
if(mysqli_num_rows($register1) > 0){
echo "Toto meno je už používané!";
}elseif(mysqli_num_rows($register2) > 0){
echo "Tento e-mail je už používaný!";
}else{
if($_POST['frakcia'] == "USA"){ $frakcia = 0; }
elseif($_POST['frakcia'] == "Nemecko"){ $frakcia = 1;
}
if($_POST['frakcia'] == "Slovensko"){ $frakcia = 2; }
elseif($_POST['frakcia'] == "ZSSR"){ $frakcia = 3;
}
if($_POST['frakcia'] == "Taliansko"){ $frakcia = 4; }
elseif($_POST['frakcia'] == "Británia"){ $frakcia = 5;
}
$code = generate_code();
$ins1 = mysqli_query($con,"INSERT INTO `stats` (`gold`,`attack`,`defense`,`food`,`income`,`farming`,`battery`,`rank`,`floor`,`quest`,`qok`,`wall`,`cannon`,`ccost`,`cattack`,`wcost`,`wdefense`,`username`,`inv`,`new`,`guild`,`apotion`,`dpotion`) VALUES (100,0,0,200,0,0,100,0,1,1,0,0,0,1000,0,1250,0,'$username',0,0,0,0,0)") or die(mysqli_error($con));
$ins2 = mysqli_query($con,"INSERT INTO `unit` (`worker`,`farmer`,`rifleman`,`machinegunner`,`tfarmer`,`dog`,`fisherman`,`soldier`,`sergeant`,`gendef`,`schutze`,`soldad`,`maschinengewehr`,`leutant`,`hauptmann`,`hund`,`strelec`,`gulometcik`,`vojak`,`serzant`,`generalobrany`,`pes`,`strelets`,`pistoleti`,`vojnik`,`sershant`,`obscht`,`kuce`,`tiratore`,`artigliere`,`soldato`,`sergente`,`generale`,`enfieldman`,`gunner`) VALUES (0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)") or die (mysqli_error());
$ins3 = mysqli_query($con,"INSERT INTO `user` (`username`,`password`,`email`,`fraction`,`activated`,`code`) VALUES ('$username', '".sha1($password)."', '$email', '$frakcia', 0, '$code')") or die (mysqli_error());
$ins4 = mysqli_query($con,"INSERT INTO `weapon` (`springfield`,`m1garand`,`browning`,`pershing`,`hellcat`,`sherman`,`thompson`,`kar98`,`mp40`,`gw43`,`mp44`,`mg42`,`m1a1`,`tiger`,`stugv`,`tiger2`,`howitzer`,`panzerstellung`,`pps43`,`pps41`,`mp38`,`zk383`,`gulometvz24`,`puskavz24`,`pak38`,`flak37`,`grw`,`lt38`,`enfield`,`sten`,`bren`,`bar`,`delisle`,`lewis`,`vickers`,`cromwell`,`comet`,`carcano`,`skoda`,`brixia`,`breda`,`ovp`,`baretta`,`fucile`,`p43`,`carro`,`mosinnagant`,`minometvz40`,`maxim`,`kv2`,`dp27`,`zis3`,`t34`,`is2`,`svt40`) VALUES (0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)") or die (mysqli_error());
$ins5 = mysqli_query($con,"INSERT INTO `working` (`fyes`,`myes`,`bonus`,`ayes`,`fwork`,`mwork`,`tfwork`,`tyes`,`fishermanwork`,`adyes`,`ad2yes`) VALUES (0,0,0,0,0,0,0,0,0,0,0)") or die (mysqli_error());
$ins6 = mysqli_query($con,"INSERT INTO `ranking` (`number`) VALUES (0)") or die (mysqli_error());
$ins7 = mysqli_query($con,"INSERT INTO `timer` (`ftime`,`mtime`,`atime`,`adtime`,`ad2time`) VALUES (0,0,0,0,0)") or die (mysqli_error());
$ins8 = mysqli_query($con,"INSERT INTO `daily` (`bonus`) VALUES (0)") or die (mysqli_error());
echo "Si úspešne zaregistrovaný!";
$t = file_get_contents("registracie.txt");
$today = date("Y-m-d H:i:s");
$t .= $today." Používateľ ".$username." "."sa zaregistroval!"."\r\n";
file_put_contents("registracie.txt",$t);
mail($email,"Nation Wars: Aktivačný Kód","Vítaj v hre Nation Wars!\r\n\r\nPrihlásovacie meno: ".$username."\r\n);
}
}
}}
?>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
A tu dávam functions.php
<?php
$con = mysqli_connect("","s","","");
// Check connection
if (mysqli_connect_errno())
{
echo "Problém s napojením na MySQL: " . mysqli_connect_error();
}
?>
Udaje DB sú vymazane naschval.
Nahlásit jako SPAM
IP: 84.16.53.–
Zjistit počet nových příspěvků
