Good day. I am writing a comment system for the site's materials. It consists of two parts: one generates the form for adding a comment and also returns the id of the requested document; all of this is sent to the client (it also makes a request to the database to display the comments for this id). The second, server-side, part checks the entered data for adequacy as far as possible and writes a row to the database table: comment text + e-mail + ... + this same id. The problem is that the POST request can be forged, i.e. the id value can be changed on the client side, and then the record will be attached at best to non-existent material, or worse, to an existing one. I ask for advice; I have some ideas, but I am not quite satisfied with them. Thanks for your attention.
3 answers
First of all, when writing to the database, it is worth checking whether the record exists.

Then, by difficulty level:

[level=hurt-me-plenty] Make a tricky form that is submitted only via Ajax, and print the form itself with JavaScript.
[level=normal] Check $_SERVER['HTTP_REFERER'].
[level=hardcore] In a hidden field, write a salted hash of the record's title: sha1(md5('мусор'.$record->title)). At a minimum, the spammer will have to make 3 requests (request the record page, find the add-form link in it, get the add form, pull out the hash, send the spam).
[level=nightmare] On each page generation, assign the form a unique ID and store it in the database; when inserting a comment, check whether such an ID exists and delete it. If it does not exist, ban the IP outright :) Each time the form is submitted you can also add a hidden field with a hash of the form ID; accordingly, on a mismatch, ban as well :)

At difficulty [1+2+3+4] it will honestly be easier to open the site and write the comments by hand.
- Level 4 is quite interesting :) Thanks - stck
- Thanks, helped. - triplustri
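The answer's first point (check that the record exists) and its level-3 idea (a hidden field the client cannot forge) together, as an added example that is not code from the original answer. It swaps the answer's sha1(md5('мусор'.$title)) for an HMAC keyed with a server secret: the title is public, so an unkeyed hash of it can be recomputed by anyone who reads the page, while a keyed hash cannot. The secret value, the `documents` table and the in-memory SQLite database are assumptions made so the example runs on its own; in the application the same check would run against the real documents table.

```php
<?php
// Added example, not from the original answer. The hidden field carries the document id
// together with an HMAC over it, so a client can only submit ids the server itself issued.
// FORM_SECRET, the documents table and the SQLite database are assumptions for this example.

const FORM_SECRET = 'replace-with-a-long-random-secret-kept-out-of-the-repo';

// Value for the hidden field: "<id>:<hmac>"
function sign_document_id(int $doc_id): string
{
    $mac = hash_hmac('sha256', (string)$doc_id, FORM_SECRET);
    return $doc_id . ':' . $mac;
}

// Returns the document id if the field is intact and the document exists, otherwise null.
function verify_document_id(PDO $db, string $field): ?int
{
    $parts = explode(':', $field, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    [$id, $mac] = $parts;
    $expected = hash_hmac('sha256', $id, FORM_SECRET);
    // hash_equals: constant-time comparison, so the MAC cannot be guessed byte by byte
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    // The answer's first point: a valid signature proves the id was issued, not that the
    // row still exists (the document may have been deleted since the form was rendered).
    $stmt = $db->prepare('SELECT 1 FROM documents WHERE id = ?');
    $stmt->execute([(int)$id]);
    return $stmt->fetchColumn() !== false ? (int)$id : null;
}

// --- demonstration on an in-memory database (constructed data) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO documents (id, title) VALUES (7, 'Example article')");

// What the form page embeds: <input type="hidden" name="doc" value="<?= $hidden ?>">
$hidden = sign_document_id(7);
var_dump(verify_document_id($db, $hidden));     // int(7): untouched field, document exists

// The attacker edits the id in the field but cannot recompute the MAC without the secret
$forged = '8:' . explode(':', $hidden)[1];
var_dump(verify_document_id($db, $forged));     // NULL

$db->exec('DELETE FROM documents WHERE id = 7');
var_dump(verify_document_id($db, $hidden));     // NULL: valid signature, but the document is gone
```

What this does and does not stop: a client can no longer post to an id the server never issued, and a stale id for a deleted document is rejected. It does not stop a visitor from reusing a signed id they were legitimately shown, which is what the answer's level 4 (a one-time form ID) addresses, and it does not stop a visitor from commenting on any document they are allowed to view, which is what the comment form is for in the first place. If some documents are restricted, the existence query must also check that the current user may see the document.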
Form:

```php
<?php
echo "<form action=add_komm.php method=POST>";
echo "<table><tr><td>Name</td>";
echo "<td><input type='text' name='name' required></td></tr>";
echo "<tr><td>E-mail</td>";
echo "<td><input type='text' name='mail' required></td></tr>";
echo "<tr valign='top'><td>Comment</td>";
echo "<td><textarea name='comment' placeholder='Comment' maxlength='1000' rows='7' cols='50' required></textarea></td></tr></table>";
echo "<input type='submit'></form>";
?>
```

Adding a comment (add_komm.php):

```php
<?php
// Validate the input, then insert the comment with a prepared statement:
// the user's text is bound as a parameter and never concatenated into the SQL.
$name = trim($_POST['name'] ?? '');
$mail = trim($_POST['mail'] ?? '');
$komm = trim($_POST['comment'] ?? '');

if ($name === '' || $komm === '' || $mail === '') {
    echo 'Not all fields were filled in';
    exit;
}
// maxlength in the form is only a hint to the browser; enforce it here as well
if (!filter_var($mail, FILTER_VALIDATE_EMAIL) || mb_strlen($komm) > 1000) {
    echo 'Invalid e-mail or the comment is too long';
    exit;
}

// Note: this script connects to 'db' while the display script connects to 'kurs';
// both must point at the same database.
$db = new mysqli('localhost', 'root', '', 'db');
if ($db->connect_error) {
    echo 'Database connection error';
    exit;
}
$db->set_charset('utf8mb4');

// date('d') + 1 in the original overflows at the end of the month (e.g. 32.01); use date() directly
$date = date('d.m.Y H:i:s');

$stmt = $db->prepare('INSERT INTO komment (date, name, email, komm) VALUES (?, ?, ?, ?)');
$stmt->bind_param('ssss', $date, $name, $mail, $komm);
$stmt->execute();
$stmt->close();

// Redirect to the last page, where the new comment is shown (10 per page)
$total = (int)$db->query('SELECT COUNT(*) FROM komment')->fetch_row()[0];
$page = max(1, (int)ceil($total / 10));
header('Location: number_5.php?number=' . $page);
exit;
?>
```

In the database table komment with fields id, date, name, email, komm.

Display comments, 10 per page (number_5.php):

```php
<?php
$db = new mysqli('localhost', 'root', '', 'kurs');
if ($db->connect_error) {
    echo 'Database connection error';
    exit;
}
$db->set_charset('utf8mb4');

$per_page = 10;
// COUNT(*) instead of fetching the whole table just to count its rows
$total = (int)$db->query('SELECT COUNT(*) FROM komment')->fetch_row()[0];
$pages = max(1, (int)ceil($total / $per_page));
// The page number comes from the URL: cast it to int and clamp it, never paste it into SQL
$page = min($pages, max(1, (int)($_GET['number'] ?? 1)));
$start = ($page - 1) * $per_page + 1;
$end = min($total, $start + $per_page - 1);

echo "<div align='right'><a href='add_komm_prom.php'>Add a comment</a></div>";

if ($total == 0) {
    echo "No comments have been added yet. You can be the first.<br><a href='add_komm_prom.php'>Add a comment</a>";
    exit;
}

echo '<table width="100%"><tr><td>';
echo "Showing <b>$start - $end</b> of <b>$total</b> comments</td>";
echo "<td><p align='right'>Pages: ";
for ($j = 1; $j <= $pages; $j++) {
    echo "<a class='str' href='number_5.php?number=$j'>$j</a> ";
}
echo '</p></td></tr></table>';

// ORDER BY is required for LIMIT to page through the rows in a stable order
$stmt = $db->prepare('SELECT date, name, komm FROM komment ORDER BY id LIMIT ?, ?');
$offset = $start - 1;
$stmt->bind_param('ii', $offset, $per_page);
$stmt->execute();
$result = $stmt->get_result();

$i = $start;
while ($row = $result->fetch_assoc()) {
    // Escape on output: a comment containing <script> is shown as text, not executed.
    // stripslashes() in the original only undid magic_quotes; it is not needed here.
    echo '<p>' . $i++ . '. ' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
    echo ' (' . htmlspecialchars($row['date'], ENT_QUOTES, 'UTF-8') . ')<br>';
    echo '✓' . htmlspecialchars($row['komm'], ENT_QUOTES, 'UTF-8');
    echo '<hr></p>';
}
?>
```
You can also simply write the document id into the session, and when the form is submitted take the id from the session rather than from the POST. Logically, before writing to the database it is necessary to check the existence of the document and whether the user is allowed to access it.
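This answer's "keep the id in the session" idea combined with the first answer's level 4 (a unique one-time ID per rendered form), as an added example that is not code from either answer. A single $_SESSION['doc_id'] breaks when a visitor has two documents open in two tabs (the second render overwrites the first), so the session holds a map of form token to document id instead. The form carries only the token; the server takes the document id from the session and deletes the token when it is used, so a captured form cannot be replayed. The key name `comment_forms`, the lifetime constant and the plain array standing in for $_SESSION are assumptions made so the example runs outside a web server.

```php
<?php
// Added example, not from the original answers. The session array is passed by reference so
// the code runs from the command line; in the application pass $_SESSION (after session_start()).
// TOKEN_LIFETIME and the 'comment_forms' key are assumed names for this example.

const TOKEN_LIFETIME = 3600;   // seconds a rendered form stays valid (assumed value)

// Called when the comment form for $doc_id is rendered; returns the value for the hidden field.
function issue_form_token(array &$session, int $doc_id, int $now): string
{
    $token = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG, not guessable
    $session['comment_forms'][$token] = ['doc_id' => $doc_id, 'issued' => $now];
    return $token;
}

// Called on POST. Returns the document id the form was issued for, or null if the token is
// unknown, expired or already used. The token is removed in every case, so it is single-use.
function consume_form_token(array &$session, string $token, int $now): ?int
{
    if (!isset($session['comment_forms'][$token])) {
        return null;                              // forged token, or a replay of a used one
    }
    $entry = $session['comment_forms'][$token];
    unset($session['comment_forms'][$token]);
    if ($now - $entry['issued'] > TOKEN_LIFETIME) {
        return null;                              // stale form
    }
    return $entry['doc_id'];
}

// --- demonstration with a plain array standing in for $_SESSION (constructed data) ---
$session = [];
$t = time();
$tab1 = issue_form_token($session, 7, $t);    // form for document 7 rendered in one tab
$tab2 = issue_form_token($session, 9, $t);    // form for document 9 rendered in another tab

var_dump(consume_form_token($session, $tab2, $t + 5));   // int(9): the second tab still posts to 9
var_dump(consume_form_token($session, $tab1, $t + 5));   // int(7): and the first still posts to 7
var_dump(consume_form_token($session, $tab1, $t + 5));   // NULL: replaying the same form fails
var_dump(consume_form_token($session, 'deadbeef', $t));  // NULL: a made-up token fails

$late = issue_form_token($session, 7, $t);
var_dump(consume_form_token($session, $late, $t + TOKEN_LIFETIME + 1));  // NULL: expired
```

The document id the client sends is ignored entirely; only the id the server recorded when it rendered the form is used, and that id must still be checked for existence and access rights before the INSERT, as the answer says. The first answer's IP ban on a mismatch is left out here; an unknown token is simply a rejected request.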