How secure is the script?
I wrote a script that processes user comments and writes them to the database; how safe is it?
Made some corrections.
Example data:
type: addComment
parent: 1599
name: Natasha
email: [email protected]
text: well written
docId: 26440
cookieImage: 8
$user_id = $modx->user->get('id');
$type = $_GET['type'];
if ($type === 'addComment') {
    $name = $_GET['name'];
    $name = strip_tags($name); // XSS protection
    $name = $modx->runSnippet('Jevix', array( // XSS protection
        'input' => $name,
        'cfgAllowTags' => 'p'
    ));
    if ($name == '')
        return 'the name field is empty';
    $email = $_GET['email'];
    $email = strip_tags($email); // XSS protection
    $email = $modx->runSnippet('Jevix', array( // XSS protection
        'input' => $email,
        'cfgAllowTags' => 'p'
    ));
    if ($email == '')
        return 'the email field is empty';
    $text = $_GET['text'];
    $text = strip_tags($text); // XSS protection
    $text = $modx->runSnippet('Jevix', array( // XSS protection
        'input' => $text,
        'cfgAllowTags' => 'p'
    ));
    if ($text == '') // the posted version tested $email here, so an empty text was never rejected
        return 'the text field is empty';
    $docId = $_GET['docId'];
    $docId = intval($docId);
    // check that the page the comment is being added to exists in the database
    $page = $modx->getCount('modResource', $docId);
    if ($page !== 1)
        return 'page is not found';
    $cookieImage = $_GET['cookieImage'];
    $cookieImage = intval($cookieImage);
    $parent = $_GET['parent'];
    $parent = intval($parent);
    // check that the comment being replied to exists
    if ($parent >= 0) {
        $comment = $modx->getCount('Comments', $parent);
        if ($comment !== 1)
            return 'comment is not found';
    }
    $obj = $modx->newObject('Comments', array(
        'content_id' => $docId,
        'datetime' => time(),
        'name' => $name,
        'email' => $email,
        'user_id' => $user_id,
        'comment' => $text,
        'img_id' => $cookieImage,
        'parent' => $parent,
        'is_moder' => 0
    ));
    $obj->save();
}
Answer:
$user_id = $modx->user->get('id');
// PHP Notice: Undefined index when the parameter is missing
$type = $_GET['type'];
// ($type === 'addComment') {
if ($type == 'addComment') {
    // PHP Notice: Undefined index when the parameter is missing
    $name = $_GET['name'];
    // XSS (?)
    $name = strip_tags($name);
    $name = $modx->runSnippet('Jevix', array(
        'input' => $name,
        'cfgAllowTags' => 'p',
    ));
    // PHP Notice: Undefined index when the parameter is missing
    $email = $_GET['email'];
    // XSS (?)
    $email = strip_tags($email);
    $email = $modx->runSnippet('Jevix', array(
        'input' => $email,
        'cfgAllowTags' => 'p',
    ));
    // PHP Notice: Undefined index when the parameter is missing
    $text = $_GET['text'];
    // XSS (?)
    $text = strip_tags($text);
    $text = $modx->runSnippet('Jevix', array(
        'input' => $text,
        'cfgAllowTags' => 'p',
    ));
    // PHP Notice: Undefined index when the parameter is missing
    $docId = $_GET['docId'];
    $docId = intval($docId, 10); // intval($var);
    // PHP Notice: Undefined index when the parameter is missing
    $cookieImage = $_GET['cookieImage'];
    $cookieImage = intval($cookieImage, 10); // intval($var);
    // PHP Notice: Undefined index when the parameter is missing
    $parent = $_GET['parent'];
    $parent = intval($parent, 10); // intval($var);
    $obj = $modx->newObject('Comments', array(
        'content_id' => $docId, // SQL Injection (?) && $docId <= 0 (!)
        'name' => $name, // SQL Injection (?)
        'email' => $email, // SQL Injection (?)
        'user_id' => $user_id,
        'comment' => $text, // SQL Injection (?)
        'img_id' => $cookieImage, // $cookieImage <= 0 (!)
        'parent' => $parent, // $parent <= 0 (!)
        'is_moder' => 0,
    ));
    $obj->save();
}
// int intval ( mixed $var [, int $base = 10 ] )
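As an added example (my code, not the asker's or the answerer's), here is the same snippet with the points raised in the answer applied: every parameter is read with a default so a missing one produces no undefined-index notice, the integer ids are validated with filter_var() instead of intval() and rejected when they are not positive (intval() turns "12abc" into 12 and "abc" into 0), and the validation is a plain function so it can be run outside MODX. It assumes PHP 7.4 or later and the field names from the example data above; the sample arrays and the e-mail address in them are constructed. Two choices are mine and not from the page: the request is read from $_POST rather than $_GET because it writes to the database, and a parent of 0 is treated as a top-level comment instead of being looked up as comment id 0. Tags are stripped on input and the stored text is escaped with htmlspecialchars() when rendered, which is the step that actually prevents XSS; the Jevix pass is left out because plain text is stored.

```php
<?php
// Added example: hardened input handling for the addComment snippet.
// Pure validation first, MODX calls only in the wrapper at the bottom.

/**
 * Validate and normalise the raw request array.
 * Returns ['ok' => true, 'data' => [...]] or ['ok' => false, 'error' => '...'].
 */
function validateCommentInput(array $in): array
{
    // Read with defaults: a missing key no longer triggers an undefined-index notice.
    $name  = trim((string)($in['name']  ?? ''));
    $email = trim((string)($in['email'] ?? ''));
    $text  = trim((string)($in['text']  ?? ''));

    // Store plain text. strip_tags() alone is not an XSS defence; output is
    // escaped in renderComment() below, which is where the protection lives.
    $name = strip_tags($name);
    $text = strip_tags($text);

    if ($name === '')          return ['ok' => false, 'error' => 'the name field is empty'];
    if (mb_strlen($name) > 64) return ['ok' => false, 'error' => 'name is too long'];
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'error' => 'email is not valid'];
    }
    if ($text === '')            return ['ok' => false, 'error' => 'the text field is empty'];
    if (mb_strlen($text) > 5000) return ['ok' => false, 'error' => 'text is too long'];

    // Integer ids: FILTER_VALIDATE_INT rejects "12abc" and "abc" outright,
    // and min_range enforces the "<= 0" checks the answer asks for.
    $docId  = filter_var($in['docId'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    $parent = filter_var($in['parent'] ?? 0, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 0]]);       // 0 = top-level (my choice)
    $img    = filter_var($in['cookieImage'] ?? 0, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 0]]);
    if ($docId === false)  return ['ok' => false, 'error' => 'docId is not valid'];
    if ($parent === false) return ['ok' => false, 'error' => 'parent is not valid'];
    if ($img === false)    return ['ok' => false, 'error' => 'cookieImage is not valid'];

    return ['ok' => true, 'data' => [
        'name' => $name, 'email' => $email, 'text' => $text,
        'docId' => $docId, 'parent' => $parent, 'cookieImage' => $img,
    ]];
}

/** Escape stored values for HTML output; this is the actual XSS control. */
function renderComment(array $c): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $h($c['name']) . '</b>: ' . $h($c['text']) . '</p>';
}

// Constructed sample input based on the page's example data (e-mail made up).
$sample = ['type' => 'addComment', 'parent' => '1599', 'name' => 'Natasha',
           'email' => 'natasha@example.com', 'text' => 'well written',
           'docId' => '26440', 'cookieImage' => '8'];
// Constructed hostile input: a tag-only name, a bad e-mail, a non-integer docId.
$bad    = ['type' => 'addComment', 'name' => '<img src=x onerror=alert(1)>',
           'email' => 'not-an-email', 'text' => 'x', 'docId' => '26440abc'];

print_r(validateCommentInput($sample));
print_r(validateCommentInput($bad));
echo renderComment(['name' => 'Natasha', 'text' => '<b>well</b> "written"']), "\n";

// Inside MODX (snippet context): the original flow with the validation applied.
if (isset($modx) && ($_POST['type'] ?? '') === 'addComment') {
    $v = validateCommentInput($_POST);
    if (!$v['ok']) return $v['error'];
    $d = $v['data'];
    if ($modx->getCount('modResource', $d['docId']) !== 1) return 'page is not found';
    // Only look up a real parent id; 0 means a top-level comment.
    if ($d['parent'] > 0 && $modx->getCount('Comments', $d['parent']) !== 1) {
        return 'comment is not found';
    }
    $obj = $modx->newObject('Comments', [
        'content_id' => $d['docId'],
        'datetime'   => time(),
        'name'       => $d['name'],
        'email'      => $d['email'],
        'user_id'    => $modx->user->get('id'),
        'comment'    => $d['text'],
        'img_id'     => $d['cookieImage'],
        'parent'     => $d['parent'],
        'is_moder'   => 0,
    ]);
    return $obj->save() ? '' : 'could not save the comment';
}
```

Run the file with the PHP CLI to exercise the validation on the two constructed arrays; the MODX block is skipped there because $modx is not defined. The "SQL Injection (?)" marks in the answer concern xPDO's save(), which binds the field values as prepared-statement parameters; the checks above are still worth having so that over-long or malformed values are refused before they reach the database at all.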