mrlan
/
LRR
4
0
Fork 2
Code Issues Pull Requests 7 Projects Releases Wiki Activity

Xuxuan #48

Merged
xuxuan merged 6 commits from Xuxuan into master 2022-11-08 15:24:36 +08:00
Conversation 3 Commits 6 Files Changed 5
5 changed files with 33 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Download.php
View File

@ -8,7 +8,7 @@ session_start();
// 修改这一行设置你的文件下载目录 // 修改这一行设置你的文件下载目录
// IMPORTANT: Do not delete the following conditional test // IMPORTANT: Do not delete the following conditional test
if (strpos($_GET['file'], "../") != false) { // 检查是否有 ../,防止用户构造路径,访问某个他不应该访问的目录 if (strpos($_GET['file'], "../") !== false) { // 检查是否有 ../,防止用户构造路径,访问某个他不应该访问的目录
mrlan marked this conversation as resolved
mrlan commented 2022-10-13 09:26:28 +08:00
Review

@xuxuan

我理解了。当 '../' 是在最左边位置时,strpos 返回 0, 而 0 != false 是不成立的, 所以不会 die("Sorry. Nothing to download.");

改正后,0 !== false 成立。

https://www.php.net/manual/en/function.strpos.php 中的Example#1, Example#2 说明了这个问题。

Hui

@xuxuan 我理解了。当 `'../'` 是在最左边位置时,strpos 返回 0, 而 `0 != false` 是不成立的, 所以不会 `die("Sorry. Nothing to download.")`; 改正后,`0 !== false` 成立。 https://www.php.net/manual/en/function.strpos.php 中的Example#1, Example#2 说明了这个问题。 Hui
die("Sorry. Nothing to download."); die("Sorry. Nothing to download.");
} }

4
Reset_password.php
View File

@ -8,8 +8,8 @@
include 'Header.php'; include 'Header.php';
$token=$_GET['token']; $token = htmlspecialchars($_GET['token']);
$email=$_GET['email']; $email = htmlspecialchars($_GET['email']);
mrlan commented 2022-10-13 09:38:41 +08:00
Outdated
Review

@xuxuan

多谢。

htmlspecialchars 将特殊字符转化为 HTML entities。 要不要设置 ENT_QUOTES 选项, 将引号也转化一下?

还有, 是不是要把程序中所有出现过 $_GET 的地方, 都包上 htmlspecialchars 调用?还是只有在变量用于SQL语句时才需要?

Hui

@xuxuan 多谢。 [htmlspecialchars](https://www.php.net/manual/en/function.htmlspecialchars.php) 将特殊字符转化为 HTML entities。 要不要设置 ENT_QUOTES 选项, 将引号也转化一下? 还有, 是不是要把程序中所有出现过 `$_GET` 的地方, 都包上 `htmlspecialchars` 调用?还是只有在变量用于SQL语句时才需要? Hui
xuxuan commented 2022-10-13 09:54:34 +08:00
Outdated
Review

htmlspecialchars的作用是防止xss,主要是将<(小于号)变为&lt;和>(大于号)变为&gt; 防止输入html标签,在可能存在xss的地方使用就可以了

htmlspecialchars的作用是防止xss,主要是将<(小于号)变为\&lt;和>(大于号)变为\&gt; 防止输入html标签,在可能存在xss的地方使用就可以了
👍 1
mrlan commented 2022-10-25 16:15:06 +08:00
Outdated
Review

@xuxuan

今天上课展示后我懂多了。

就是如果不加 htmlspecialchars 转义, 学生可以通过在重新改分理由中构造 script 语句,将该语句存入 LRR 数据库, 等老师查看重新改分理由时, 将老师的cookies发送到指定位置。这种攻击叫做 Stored XSS。我的理解对吗?

Hui

@xuxuan 今天上课展示后我懂多了。 就是如果不加 htmlspecialchars 转义, 学生可以通过在重新改分理由中构造 script 语句,将该语句存入 LRR 数据库, 等老师查看重新改分理由时, 将老师的cookies发送到指定位置。这种攻击叫做 Stored XSS。我的理解对吗? Hui
?> ?>
<div class="row"> <div class="row">

50
Script.php
View File

@ -248,7 +248,7 @@ if (!empty($_POST["frm_reset_password"])) {
// Password Update // Password Update
$hashed_password = hash('sha512', $password); $hashed_password = hash('sha512', $password);
$sql = "UPDATE users_table set HashPassword='$hashed_password' where User_ID=$userid;"; $sql = "UPDATE users_table set HashPassword='$hashed_password' where User_ID='$userid';";
mrlan commented 2022-10-13 09:39:09 +08:00
Review

@xuxuan

多谢,加上单引号的作用是啥?

Hui

@xuxuan 多谢,加上单引号的作用是啥? Hui
xuxuan commented 2022-10-13 09:51:42 +08:00
Review

通过mysqli_real_escape_string防止sql注入的原因是其会将一些特殊符号转义,例如将输入的'转义为\',从而防止sql注入。拼接的变量没有被单引号或双引号包裹mysqli_real_escape_string也就失去了作用

通过mysqli_real_escape_string防止sql注入的原因是其会将一些特殊符号转义,例如将输入的'转义为\\',从而防止sql注入。拼接的变量没有被单引号或双引号包裹mysqli_real_escape_string也就失去了作用
mrlan commented 2022-10-25 17:10:44 +08:00
Review

@xuxuan

Thanks

如果对所有的SQL变量,先使用下面链接中的 check_input 函数(见“预防数据库攻击的正确做法”),可以预防SQL注入问题吗?

https://www.w3school.com.cn/php/func_mysql_real_escape_string.asp

Hui

@xuxuan Thanks 如果对所有的SQL变量,先使用下面链接中的 `check_input` 函数(见“预防数据库攻击的正确做法”),可以预防SQL注入问题吗? https://www.w3school.com.cn/php/func_mysql_real_escape_string.asp Hui
xuxuan commented 2022-11-02 14:52:49 +08:00
Review

在数据库编码不为中文的情况下是可以的,除了对输入做check_input处理,对数据库中取出来的数据同样也要进行check_input

在数据库编码不为中文的情况下是可以的,除了对输入做check_input处理,对数据库中取出来的数据同样也要进行check_input
if ($con->query($sql) === TRUE) { if ($con->query($sql) === TRUE) {
error_reporting(0); error_reporting(0);
@ -430,7 +430,7 @@ if (!empty($_POST["frm_uploadlab"])) {
$sql = "INSERT INTO `lab_reports_table`(`Course_ID`, `Posted_Date`, `Deadline`, `Instructions`, $sql = "INSERT INTO `lab_reports_table`(`Course_ID`, `Posted_Date`, `Deadline`, `Instructions`,
`Title`, `Attachment_link_1`, `Attachment_link_2`, `Attachment_link_3`, `Attachment_link_4`,Marks,Type) `Title`, `Attachment_link_1`, `Attachment_link_2`, `Attachment_link_3`, `Attachment_link_4`,Marks,Type)
VALUES ('$course_id','$date','$deadline','$instructions','$title','$targetfile','$targetfile2','$targetfile3','$targetfile3',$marks,'$type')"; VALUES ('$course_id','$date','$deadline','$instructions','$title','$targetfile','$targetfile2','$targetfile3','$targetfile3','$marks','$type')";
if ($con->query($sql) === TRUE) { if ($con->query($sql) === TRUE) {
@ -467,7 +467,7 @@ if (!empty($_POST["frm_submitlab"])) {
$date = date("Y-m-d H:i:s"); $date = date("Y-m-d H:i:s");
// GET UPLOADED FILES // GET UPLOADED FILES
$labName = mysqli_query($con, "SELECT * FROM `lab_reports_table` WHERE Lab_Report_ID=$lab_id"); $labName = mysqli_query($con, "SELECT * FROM `lab_reports_table` WHERE Lab_Report_ID='$lab_id'");
while ($row = mysqli_fetch_assoc($labName)) { while ($row = mysqli_fetch_assoc($labName)) {
$lab_name = $row['Title']; $lab_name = $row['Title'];
$_SESSION['Sub_Type'] = $row['Type']; // submission type, either Individual or Group $_SESSION['Sub_Type'] = $row['Type']; // submission type, either Individual or Group
@ -571,13 +571,13 @@ if (!empty($_POST["frm_submitlab"])) {
$group_id = 0; // FIXME $group_id = 0; // FIXME
} }
$sql1 = "DELETE FROM lab_report_submissions where Lab_Report_ID=$lab_id and Student_id=$student_id and Course_Group_id=$group_id"; $sql1 = "DELETE FROM lab_report_submissions where Lab_Report_ID='$lab_id' and Student_id='$student_id' and Course_Group_id='$group_id'";
if ($con->query($sql1) === TRUE) { if ($con->query($sql1) === TRUE) {
} }
$sql = "INSERT INTO `lab_report_submissions`(`Submission_Date`, `Lab_Report_ID`, `Student_id`," $sql = "INSERT INTO `lab_report_submissions`(`Submission_Date`, `Lab_Report_ID`, `Student_id`,"
. " `Course_Group_id`, `Attachment1`, `Notes`, `Attachment2`, `Attachment3`, `Attachment4`, `Status`, `Title`,`Remarking_Reason`)" . " `Course_Group_id`, `Attachment1`, `Notes`, `Attachment2`, `Attachment3`, `Attachment4`, `Status`, `Title`,`Remarking_Reason`)"
. " VALUES ('$date',$lab_id,$student_id,$group_id,'$targetfile','$instructions','$targetfile2','$targetfile3','$targetfile4'," . " VALUES ('$date','$lab_id','$student_id','$group_id','$targetfile','$instructions','$targetfile2','$targetfile3','$targetfile4',"
. "'Pending','$title','')"; . "'Pending','$title','')";
if ($con->query($sql) === TRUE) { if ($con->query($sql) === TRUE) {
@ -665,7 +665,7 @@ if (!empty($_GET["updatevisibility"])) {
$header = mysqli_real_escape_string($con, $_GET["header"]); $header = mysqli_real_escape_string($con, $_GET["header"]);
$labid = mysqli_real_escape_string($con, $_GET["labid"]); $labid = mysqli_real_escape_string($con, $_GET["labid"]);
$sql = "UPDATE `lab_report_submissions` SET `Visibility`='$status' WHERE Submission_ID=$id $sql = "UPDATE `lab_report_submissions` SET `Visibility`='$status' WHERE Submission_ID='$id'
"; ";
if ($con->query($sql) === TRUE) { if ($con->query($sql) === TRUE) {
@ -681,13 +681,13 @@ if (!empty($_GET["updatevisibility"])) {
if (!empty($_GET["remarking"])) { if (!empty($_GET["remarking"])) {
$id = mysqli_real_escape_string($con, $_GET["id"]); $id = htmlspecialchars(mysqli_real_escape_string($con, $_GET["id"]));
$url = mysqli_real_escape_string($con, $_GET["url"]); $url = htmlspecialchars(mysqli_real_escape_string($con, $_GET["url"]));
$status = mysqli_real_escape_string($con, $_GET["status"]); $status = htmlspecialchars(mysqli_real_escape_string($con, $_GET["status"]));
$details = mysqli_real_escape_string($con, $_GET["details"]); $details = htmlspecialchars(mysqli_real_escape_string($con, $_GET["details"]));
$sql = "UPDATE `lab_report_submissions` SET `Status`='Remarking',Remarking_Reason='$details' WHERE Submission_ID=$id $sql = "UPDATE `lab_report_submissions` SET `Status`='Remarking',Remarking_Reason='$details' WHERE Submission_ID='$id'
"; ";
if ($con->query($sql) === TRUE) { if ($con->query($sql) === TRUE) {
@ -709,7 +709,7 @@ if (!empty($_GET["creategroup"])) {
$name = mysqli_real_escape_string($con, $_GET["name"]); $name = mysqli_real_escape_string($con, $_GET["name"]);
$sql = "INSERT INTO `course_groups_table`(`Group_Name`, $sql = "INSERT INTO `course_groups_table`(`Group_Name`,
`Group_Leader`, `Course_id`) VALUES ('$name',$student_id,$id)"; `Group_Leader`, `Course_id`) VALUES ('$name','$student_id','$id')";
if ($con->query($sql) === TRUE) { if ($con->query($sql) === TRUE) {
@ -719,7 +719,7 @@ if (!empty($_GET["creategroup"])) {
} }
$sql = "INSERT INTO `course_group_members_table`( `Course_Group_id`, `Student_ID`, `Status`) $sql = "INSERT INTO `course_group_members_table`( `Course_Group_id`, `Student_ID`, `Status`)
VALUES ($gid,$student_id,'Created')"; VALUES ('$gid','$student_id','Created')";
if ($con->query($sql) === TRUE) { if ($con->query($sql) === TRUE) {
$_SESSION["info_ReMarking"] = "Course group Created"; $_SESSION["info_ReMarking"] = "Course group Created";
header("Location: Course.php?url=" . $url); header("Location: Course.php?url=" . $url);
@ -746,7 +746,7 @@ if (!empty($_GET["groupinvite"])) {
header("Location: Course.php?url=" . $url); header("Location: Course.php?url=" . $url);
} else { } else {
$sql = "INSERT INTO `course_group_members_table`( `Course_Group_id`, `Student_ID`, `Status`) $sql = "INSERT INTO `course_group_members_table`( `Course_Group_id`, `Student_ID`, `Status`)
VALUES ($groupid,$student_id,'Invited')"; VALUES ('$groupid','$student_id','Invited')";
} }
if ($con->query($sql) === TRUE) { if ($con->query($sql) === TRUE) {
@ -800,10 +800,10 @@ if (!empty($_GET["acceptinvite"])) {
$groupid = mysqli_real_escape_string($con, $_GET["groupid"]); $groupid = mysqli_real_escape_string($con, $_GET["groupid"]);
if ($action == 1) { if ($action == 1) {
$sql = "Update `course_group_members_table` set Status='Joined' where Course_Group_id =$groupid and student_id=$student_id $sql = "Update `course_group_members_table` set Status='Joined' where Course_Group_id ='$groupid' and student_id='$student_id'
"; ";
} else { } else {
$sql = "Delete from `course_group_members_table` where Course_Group_id =$groupid and student_id=$student_id $sql = "Delete from `course_group_members_table` where Course_Group_id ='$groupid' and student_id='$student_id'
"; ";
} }
@ -830,11 +830,11 @@ if (!empty($_GET["extenddeadline"])) {
$deadline = $date . " " . $time; $deadline = $date . " " . $time;
if ($type == 1) { if ($type == 1) {
$sql = "UPDATE `lab_reports_table` SET `Deadline`='$deadline' WHERE Lab_Report_ID=$id"; $sql = "UPDATE `lab_reports_table` SET `Deadline`='$deadline' WHERE Lab_Report_ID='$id'";
} else { } else {
$sql = "INSERT INTO `extended_deadlines_table`(`Student_ID`, " $sql = "INSERT INTO `extended_deadlines_table`(`Student_ID`, "
. "`Lab_Report_ID`, `Extended_Deadline_Date`," . "`Lab_Report_ID`, `Extended_Deadline_Date`,"
. " `ReasonsForExtension`) VALUES ($stdid,$id,'$deadline','$reason')"; . " `ReasonsForExtension`) VALUES ('$stdid','$id','$deadline','$reason')";
} }
if ($con->query($sql) === TRUE) { if ($con->query($sql) === TRUE) {
@ -856,7 +856,7 @@ if (!empty($_GET["ignoreremarking"])) {
$subid = mysqli_real_escape_string($con, $_GET["subid"]); $subid = mysqli_real_escape_string($con, $_GET["subid"]);
$sql = "UPDATE lab_report_submissions SET Status='Marked' WHERE Submission_ID=$subid"; $sql = "UPDATE lab_report_submissions SET Status='Marked' WHERE Submission_ID='$subid'";
if ($con->query($sql) === TRUE) { if ($con->query($sql) === TRUE) {
@ -874,7 +874,7 @@ if (!empty($_GET["assignTA"])) {
$id = mysqli_real_escape_string($con, $_GET["id"]); $id = mysqli_real_escape_string($con, $_GET["id"]);
$ta = mysqli_real_escape_string($con, $_GET["ta"]); $ta = mysqli_real_escape_string($con, $_GET["ta"]);
$sql = "INSERT INTO `course_ta`(`Course_ID`, `TA`) VALUES ($id,$ta)"; $sql = "INSERT INTO `course_ta`(`Course_ID`, `TA`) VALUES ('$id','$ta')";
if ($con->query($sql) === TRUE) { if ($con->query($sql) === TRUE) {
@ -893,9 +893,9 @@ if (!empty($_GET["AcceptStudent"])) {
$rs = mysqli_real_escape_string($con, $_GET["rs"]); $rs = mysqli_real_escape_string($con, $_GET["rs"]);
if ($rs == "yes") { if ($rs == "yes") {
$sql = "Update course_students_table set Status='Joined' Where ID=$id"; $sql = "Update course_students_table set Status='Joined' Where ID='$id'";
} else { } else {
$sql = "Delete FROM course_students_table Where ID=$id"; $sql = "Delete FROM course_students_table Where ID='$id'";
} }
if ($con->query($sql) === TRUE) { if ($con->query($sql) === TRUE) {
@ -931,7 +931,7 @@ if (!empty($_GET["action"])) {
} }
if ($action == "passchange" && $_SESSION['user_id'] == $uid) { if ($action == "passchange" && $_SESSION['user_id'] == $uid) {
$sql = "UPDATE users_table set Password='$pass' where User_ID=$uid;"; $sql = "UPDATE users_table set Password='$pass' where User_ID='$uid';";
if ($con->query($sql) === TRUE) { if ($con->query($sql) === TRUE) {
error_reporting(0); error_reporting(0);
echo "Password has been changed"; echo "Password has been changed";
@ -945,7 +945,7 @@ if (!empty($_GET["action"])) {
} }
if ($action == "statuschange" && $_SESSION['user_id'] == $uid && ($_SESSION['user_type'] == "Lecturer" || $_SESSION['user_type'] == "Admin")) { if ($action == "statuschange" && $_SESSION['user_id'] == $uid && ($_SESSION['user_type'] == "Lecturer" || $_SESSION['user_type'] == "Admin")) {
$sql = "UPDATE users_table set Status='$status' where User_ID=$uid;"; $sql = "UPDATE users_table set Status='$status' where User_ID='$uid';";
if ($con->query($sql) === TRUE) { if ($con->query($sql) === TRUE) {
$_SESSION["info_Admin_Users"] = $type . " user Status updated successfully "; $_SESSION["info_Admin_Users"] = $type . " user Status updated successfully ";
header("Location: Admin.php"); header("Location: Admin.php");
@ -1018,7 +1018,7 @@ INNER JOIN lab_reports_table on lab_reports_table.Lab_Report_ID=lab_report_submi
INNER JOIN users_table on users_table.Student_ID=lab_report_submissions.Student_id INNER JOIN users_table on users_table.Student_ID=lab_report_submissions.Student_id
WHERE lab_report_submissions.Lab_Report_ID=$lab"; WHERE lab_report_submissions.Lab_Report_ID='$lab'";
$export = mysqli_query($con, $select); $export = mysqli_query($con, $select);

5
batch_insert.php
View File

@ -19,7 +19,7 @@ if (!$conn) {
} }
//获得用户名数据 //获得用户名数据
$source = $_POST['users']; $source = mysqli_real_escape_string($conn,$_POST['users']);
//如有多个空格,删除剩一个空格 //如有多个空格,删除剩一个空格
$source1 = preg_replace('/\s\s+/', ' ', $source); $source1 = preg_replace('/\s\s+/', ' ', $source);
@ -31,13 +31,12 @@ $source2 = trim($source1);
//根据空格拆分 //根据空格拆分
$user = explode(' ', $source2); $user = explode(' ', $source2);
//插入数据 //插入数据
for($index=0; $index < count($user); $index++) { for($index=0; $index < count($user); $index++) {
$result = mysqli_query($conn, "SELECT * FROM `students_data` WHERE Student_ID='$user[$index]'"); $result = mysqli_query($conn, "SELECT * FROM `students_data` WHERE Student_ID='$user[$index]'");
if (mysqli_num_rows($result) < 1) { if (mysqli_num_rows($result) < 1) {
if (! mysqli_query($conn, "REPLACE INTO `students_data`(`Student_ID`, `Passport_Number`) VALUES('$user[$index]', '')" ) ) { if (! mysqli_query($conn, "REPLACE INTO `students_data`(`Student_ID`, `Passport_Number`) VALUES('$user[$index]', '')" ) ) {
echo "SQL Error: " . $sql_stmt . "<br>" . mysqli_error($conn); echo "SQL Error: " . $sql_stmt . "<br>" .htmlspecialchars(mysqli_error($conn));
} else { } else {
echo "<p>Student number $user[$index] added.</p>"; echo "<p>Student number $user[$index] added.</p>";
} }

6
recover_password.php
View File

@ -27,9 +27,9 @@ include 'Header.php';
<div class="panel-body"> <div class="panel-body">
<form method="post" action="Script.php"> <form method="post" action="Script.php">
<input type="hidden" name="frm_recover_password" value="true"/> <input type="hidden" name="frm_recover_password" value="true"/>
Student number <input type="text" name="sno" placeholder="Enter your student number" class="form-control" required="required" value="<?php echo $_SESSION['student_number']; ?>"> Student number <input type="text" name="sno" placeholder="Enter your student number" class="form-control" required="required" value="<?php echo htmlspecialchars($_SESSION['student_number']); ?>">
<br/> <br/>
Email <input type="text" name="email" placeholder="Enter your email address" class="form-control" required="required" value="<?php echo $_SESSION['user_email']; ?>"> Email <input type="text" name="email" placeholder="Enter your email address" class="form-control" required="required" value="<?php echo htmlspecialchars($_SESSION['user_email']); ?>">
<br/> <br/>
<input type="submit" class="btn-primary" value="Recover"> <input type="submit" class="btn-primary" value="Recover">
@ -38,7 +38,7 @@ include 'Header.php';
<?php <?php
if(isset($_SESSION['info_recover_password'])) { if(isset($_SESSION['info_recover_password'])) {
echo '<hr><div class="alert alert-danger" role="alert">'.$_SESSION['info_recover_password'].'</div>'; echo '<hr><div class="alert alert-danger" role="alert">'.htmlspecialchars($_SESSION['info_recover_password']).'</div>';
$_SESSION['info_recover_password']=null; $_SESSION['info_recover_password']=null;
} }