강의 대시보드 PHP & MySQL 보안
PHP & MySQL 보안
강의명 : WEB3 - PHP & MySQL
수강 기한 : 무제한
진도율 : 0강/21강 (0%) | 시간 : 0분/233분
나가기
미수강
이전수업
다음수업

입력 공격의 차단

변경사항 보기

index.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
<?php
$conn = mysqli_connect(
'localhost',
'root',
'111111',
'opentutorials');
$sql = "SELECT * FROM topic";
$result = mysqli_query($conn, $sql);
$list = '';
while($row = mysqli_fetch_array($result)) {
$list = $list."<li><a href=\"index.php?id={$row['id']}\">{$row['title']}</a></li>";
}
$article = array(
'title'=>'Welcome',
'description'=>'Hello, web'
);
if(isset($_GET['id'])) {
$filtered_id = mysqli_real_escape_string($conn, $_GET['id']);
$sql = "SELECT * FROM topic WHERE id={$filtered_id}";
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_array($result);
$article['title'] = $row['title'];
$article['description'] = $row['description'];
}
?>
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>WEB</title>
</head>
<body>
<h1><a href="index.php">WEB</a></h1>
<ol>
<?=$list?>
</ol>
<a href="create.php">create</a>
<h2><?=$article['title']?></h2>
<?=$article['description']?>
</body>
</html>

create.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
<?php
$conn = mysqli_connect(
'localhost',
'root',
'111111',
'opentutorials');
$sql = "SELECT * FROM topic";
$result = mysqli_query($conn, $sql);
$list = '';
while($row = mysqli_fetch_array($result)) {
$list = $list."<li><a href=\"index.php?id={$row['id']}\">{$row['title']}</a></li>";
}
$article = array(
'title'=>'Welcome',
'description'=>'Hello, web'
);
if(isset($_GET['id'])) {
$filtered_id = mysqli_real_escape_string($conn, $_GET['id']);
$sql = "SELECT * FROM topic WHERE id={$filtered_id}";
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_array($result);
$article['title'] = $row['title'];
$article['description'] = $row['description'];
}
?>
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>WEB</title>
</head>
<body>
<h1><a href="index.php">WEB</a></h1>
<ol>
<?=$list?>
</ol>
<form action="process_create.php" method="POST">
<p><input type="text" name="title" placeholder="title"></p>
<p><textarea name="description" placeholder="description"></textarea></p>
<p><input type="submit"></p>
</form>
</body>
</html>

process_create.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
<?php
$conn = mysqli_connect(
'localhost',
'root',
'111111',
'opentutorials');
$filtered = array(
'title'=>mysqli_real_escape_string($conn, $_POST['title']),
'description'=>mysqli_real_escape_string($conn, $_POST['description'])
);
$sql = "
INSERT INTO topic
(title, description, created)
VALUES(
'{$filtered['title']}',
'{$filtered['description']}',
NOW()
)
";
$result = mysqli_query($conn, $sql);
if($result === false){
echo '저장하는 과정에서 문제가 생겼습니다. 관리자에게 문의해주세요';
error_log(mysqli_error($conn));
} else {
echo '성공했습니다. <a href="index.php">돌아가기</a>';
}
?>

SQL 주입(injection)의 차단

출력 공격(Cross site scripting)의 차단

변경사항

index.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
<?php
$conn = mysqli_connect(
'localhost',
'root',
'111111',
'opentutorials');
$sql = "SELECT * FROM topic";
$result = mysqli_query($conn, $sql);
$list = '';
while($row = mysqli_fetch_array($result)) {
$escaped_title = htmlspecialchars($row['title']);
$list = $list."<li><a href=\"index.php?id={$row['id']}\">{$escaped_title}</a></li>";
}
$article = array(
'title'=>'Welcome',
'description'=>'Hello, web'
);
if(isset($_GET['id'])) {
$filtered_id = mysqli_real_escape_string($conn, $_GET['id']);
$sql = "SELECT * FROM topic WHERE id={$filtered_id}";
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_array($result);
$article['title'] = htmlspecialchars($row['title']);
$article['description'] = htmlspecialchars($row['description']);
}
?>
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>WEB</title>
</head>
<body>
<h1><a href="index.php">WEB</a></h1>
<ol>
<?=$list?>
</ol>
<a href="create.php">create</a>
<h2><?=$article['title']?></h2>
<?=$article['description']?>
</body>
</html>
    목차 커뮤니티