113 ochrana proti vložení skriptu, přesměrování
This commit is contained in:
parent
06061f84dc
commit
9e16b335c9
@ -38,10 +38,10 @@ if (isset($_GET["id"]) and is_numeric($_GET["id"])) {
|
|||||||
<?php if ($students === null): ?>
|
<?php if ($students === null): ?>
|
||||||
<p>Žák nenalezen</p>
|
<p>Žák nenalezen</p>
|
||||||
<?php else : ?>
|
<?php else : ?>
|
||||||
<h2><?php echo $students["first_name"]. " " .$students["second_name"] ?></h2>
|
<h2><?= htmlspecialchars($students["first_name"]). " " .htmlspecialchars($students["second_name"]) ?></h2>
|
||||||
<p>Věk: <?php echo $students["age"] ?></p>
|
<p>Věk: <?= htmlspecialchars($students["age"] ) ?></p>
|
||||||
<p>Dodatečné informace: <?= $students["life"] ?></p>
|
<p>Dodatečné informace: <?= htmlspecialchars($students["life"])?></p>
|
||||||
<p>Kolej: <?= $students["college"] ?></p>
|
<p>Kolej: <?= htmlspecialchars($students["college"])?></p>
|
||||||
<?php endif ?>
|
<?php endif ?>
|
||||||
</section>
|
</section>
|
||||||
</main>
|
</main>
|
||||||
|
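Review bot: The new `htmlspecialchars()` calls on the `<h2>` and the `Věk`/`Dodatečné informace`/`Kolej` paragraphs rely on the function's default flags, which before PHP 8.1 are `ENT_COMPAT` without `ENT_SUBSTITUTE`: single quotes pass through unescaped and a value containing invalid UTF-8 is rendered as an empty string instead of being substituted. Pass the flags and charset explicitly, e.g. `htmlspecialchars($students["life"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, ideally via a small shared helper such as `function e(string $s): string` so every template escapes the same way. The `if ($students === null)` / `else` construct this hunk belongs to starts outside the hunk.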
@ -1,13 +1,33 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
|
/** XSS - cross-site scripting (ochrana proti spuštění scriptu)
|
||||||
|
* konvertuje speciální znaky na HTML
|
||||||
|
* vložit ho do HTML jako < ?= htmlspecialchars($first_name);?> do values, p či h1 atd.
|
||||||
|
* Notno ošetřit kde pomocí php zobrazuji data
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
global $connection;
|
global $connection;
|
||||||
require "assets/database.php";
|
require "assets/database.php";
|
||||||
|
|
||||||
|
/**....proměnné pro zapamatování hodnot formuláře.... */
|
||||||
|
$first_name = null;
|
||||||
|
$second_name = null;
|
||||||
|
$age = null;
|
||||||
|
$life = null;
|
||||||
|
$college = null;
|
||||||
|
|
||||||
|
|
||||||
if ($_SERVER ["REQUEST_METHOD"] === "POST") {
|
if ($_SERVER ["REQUEST_METHOD"] === "POST") {
|
||||||
|
|
||||||
|
|
||||||
|
/**....nastavení proměnných formuláře co si má pamatovat ( html část Value.... */
|
||||||
|
$first_name = $_POST["first_name"];
|
||||||
|
$second_name = $_POST["second_name"];
|
||||||
|
$age = $_POST["age"];
|
||||||
|
$life = $_POST["life"];
|
||||||
|
$college = $_POST["college"];
|
||||||
|
|
||||||
|
/**....vytvoření SQL dotazu pro vložení nového žáka + ochrana proti SQL injection.... */
|
||||||
$sgl = "INSERT INTO student (first_name, second_name, age, life, college)
|
$sgl = "INSERT INTO student (first_name, second_name, age, life, college)
|
||||||
VALUES (?, ?, ?, ?, ?)";
|
VALUES (?, ?, ?, ?, ?)";
|
||||||
|
|
||||||
@ -19,11 +39,29 @@ if ($_SERVER ["REQUEST_METHOD"] === "POST") {
|
|||||||
if ($statement === false) {
|
if ($statement === false) {
|
||||||
echo mysqli_error($connection);
|
echo mysqli_error($connection);
|
||||||
} else {
|
} else {
|
||||||
|
/**..ochrana SQL injecton pomocí types (jako integer či string..*/
|
||||||
mysqli_stmt_bind_param($statement, "ssiss", $_POST["first_name"], $_POST["second_name"], $_POST["age"], $_POST["life"], $_POST["college"]);
|
mysqli_stmt_bind_param($statement, "ssiss", $_POST["first_name"], $_POST["second_name"], $_POST["age"], $_POST["life"], $_POST["college"]);
|
||||||
|
|
||||||
|
/**.. provedení SQL dotazu pro vložení žáka..*/
|
||||||
if (mysqli_stmt_execute($statement)) {
|
if (mysqli_stmt_execute($statement)) {
|
||||||
$id = mysqli_insert_id($connection);
|
$id = mysqli_insert_id($connection);
|
||||||
echo "Úspěšně vložen žák s ID: $id";
|
// echo "Úspěšně vložen žák s ID: $id";
|
||||||
|
/**..Máš povolený https server? Pokud máš HTTPS nastavený a není vypnutý nastav header na HTTPS (!= nesmí být vypnutý)
|
||||||
|
* else jinak nastav http:// na headeru
|
||||||
|
* */
|
||||||
|
if (isset($_SERVER["HTTPS"]) and $_SERVER["HTTPS"] != "off") {
|
||||||
|
$url_protocol = "https";
|
||||||
|
} else {
|
||||||
|
$url_protocol = "http";
|
||||||
|
}
|
||||||
|
|
||||||
|
// localhost = $_SERVER["HTTP_HOST"];
|
||||||
|
|
||||||
|
/**..po úspěšném vložení žáka přesměrujeme na stránku onoho žáka (relativní cesta) apsolutní by byla https://... ..*/
|
||||||
|
// header("location: jeden-zak.php?id=$id");
|
||||||
|
|
||||||
|
/**.. varianta apsolutní adresy kdy na webu nahradím localhost už jen adresou */
|
||||||
|
header("location: $url_protocol://" . $_SERVER["HTTP_HOST"] . "/PHP_DS_Project/www2databaze/jeden-zak.php?id=$id");
|
||||||
} else {
|
} else {
|
||||||
echo mysgli_stmt_error($statement);
|
echo mysgli_stmt_error($statement);
|
||||||
}
|
}
|
||||||
@ -44,15 +82,16 @@ if ($_SERVER ["REQUEST_METHOD"] === "POST") {
|
|||||||
<main>
|
<main>
|
||||||
<section class="add-form">
|
<section class="add-form">
|
||||||
<form action="pridat-zaka.php" method="POST">
|
<form action="pridat-zaka.php" method="POST">
|
||||||
<input type="text" name="first_name" placeholder="Křestní jméno" required>
|
<input type="text" name="first_name" placeholder="Křestní jméno" required value="<?= htmlspecialchars($first_name )?>">
|
||||||
<br>
|
<br>
|
||||||
<input type="text" name="second_name" placeholder="Příjmení" required>
|
<input type="text" name="second_name" placeholder="Příjmení" value="<?= htmlspecialchars($second_name) ?>" required>
|
||||||
<br>
|
<br>
|
||||||
<input type="number" name="age" placeholder="Věk" min="10" required>
|
<input type="number" name="age" placeholder="Věk" min="10" value="<?= htmlspecialchars($age)?>" required>
|
||||||
<br>
|
<br>
|
||||||
<textarea name="life" placeholder="Podrobnosti o žákovi" required></textarea>
|
<!-- text area pamatovátko vložit mezi tagy -->
|
||||||
|
<textarea name="life" placeholder="Podrobnosti o žákovi" required><?= htmlspecialchars($life)?></textarea>
|
||||||
<br>
|
<br>
|
||||||
<input type="text" name="college" placeholder="Kolej" required>
|
<input type="text" name="college" placeholder="Kolej" value="<?= htmlspecialchars($college) ?>" required>
|
||||||
<br>
|
<br>
|
||||||
<input type="submit" value="Přidat žáka">
|
<input type="submit" value="Přidat žáka">
|
||||||
</form>
|
</form>
|
||||||
|
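Review bot: The redirect in the `@ -19,11 +39,29 @@` hunk builds an absolute URL from `$_SERVER["HTTP_HOST"]`, which is the request's Host header and is controlled by the client, so the target origin is not something the application decides; prefer the relative `header("Location: jeden-zak.php?id=$id");` the commit commented out, or a base URL constant configured server-side. The `header()` call is also not followed by `exit;`, so the rest of the page (including the form) is still executed and sent after the redirect. In the `@ -44,15 +82,16 @@` hunk, `htmlspecialchars($first_name)` and the other `value="..."` attributes receive `null` on a plain GET because the variables are initialised to `null`; passing null to `htmlspecialchars()` is deprecated since PHP 8.1, so use `htmlspecialchars($first_name ?? '')` (or initialise the variables to `''`). The context line `echo mysgli_stmt_error($statement);` calls an undefined function (`mysgli` for `mysqli`) and will fatal on the execute-failure path. The enclosing `if ($_SERVER ["REQUEST_METHOD"] === "POST")` block starts outside these hunks.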
@ -41,7 +41,7 @@ if ($result === false) {
|
|||||||
<?php else: ?>
|
<?php else: ?>
|
||||||
<ul>
|
<ul>
|
||||||
<?php foreach ($students as $one_student): ?>
|
<?php foreach ($students as $one_student): ?>
|
||||||
<li><?php echo $one_student["first_name"]. " " .$one_student["second_name"] ?></li>
|
<li><?= htmlspecialchars($one_student["first_name"]). " " .htmlspecialchars($one_student["second_name"]) ?></li>
|
||||||
<a href="jeden-zak.php?id=<?= $one_student['id'] ?>">Více informací</a>
|
<a href="jeden-zak.php?id=<?= $one_student['id'] ?>">Více informací</a>
|
||||||
<?php endforeach; ?>
|
<?php endforeach; ?>
|
||||||
|
|
||||||
|
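Review bot: The `<li>` line now escapes both name fields, but the `href` on the next line still emits `$one_student['id']` unescaped inside an attribute; if the column is an integer this is harmless today, but it is the one remaining raw output in the loop and will silently become a problem if the key is ever taken from anywhere else. Make the intent explicit with `<a href="jeden-zak.php?id=<?= (int) $one_student['id'] ?>">`, or escape it like the other fields with `htmlspecialchars((string) $one_student['id'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The `if ($result === false)` / `else` construct this hunk belongs to starts outside the hunk.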