Understanding Web Vulnerabilities and Attacks on Linux Servers
With the rapid growth of the Internet, web applications have become the main way enterprises and individuals transmit information and interact. Linux servers, as one of the most common hosting platforms for web applications, have in turn become a prime target for attackers. On Linux servers, web vulnerabilities and the attacks that exploit them are among the most common security problems. This article discusses several common web vulnerabilities and attack methods and gives corresponding code examples.
1. SQL Injection Attacks
SQL injection is one of the most common web vulnerabilities. An attacker embeds crafted SQL fragments in user-submitted data so that the database executes unauthorized operations, allowing sensitive data to be read, modified or deleted. Below is a simple code example:
```python
import pymysql

def login(username, password):
    db = pymysql.connect(host="localhost", user="root",
                         password="password", database="database")
    cursor = db.cursor()
    # Vulnerable: the user-supplied values are spliced straight into the SQL text
    sql = "SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    cursor.execute(sql)
    data = cursor.fetchone()
    db.close()
    return data
```
In the code above, the received username and password are concatenated directly into the SQL query string. Such code is vulnerable to SQL injection: an attacker can insert malicious input into username or password to bypass the login check.
To prevent this kind of attack, use parameterized queries or an ORM framework so that input data is correctly escaped and handled. The corrected code is as follows:
```python
import pymysql

def login(username, password):
    db = pymysql.connect(host="localhost", user="root",
                         password="password", database="database")
    cursor = db.cursor()
    # Placeholders: the driver passes the values separately from the SQL text,
    # so they can never change the structure of the query
    sql = "SELECT * FROM users WHERE username = %s AND password = %s"
    cursor.execute(sql, (username, password))
    data = cursor.fetchone()
    db.close()
    return data
```
2. File Upload Vulnerabilities
A file upload vulnerability arises when uploaded files are not properly validated and filtered, allowing an attacker to place malicious files on the server. By uploading a web shell, an attacker can gain access to the server, execute arbitrary operations and even take control of the whole machine. Below is a simple code example:
```php
<?php
$target_dir = "uploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));
// Check the file type (only the client-supplied extension is examined)
if ($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg" && $imageFileType != "gif") {
    echo "Only image files may be uploaded.";
    $uploadOk = 0;
}
// Check the file size
if ($_FILES["fileToUpload"]["size"] > 500000) {
    echo "Sorry, the file is too large.";
    $uploadOk = 0;
}
// Save the uploaded file
if ($uploadOk == 0) {
    echo "Sorry, the file was not uploaded.";
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "File uploaded successfully.";
    } else {
        echo "Sorry, the upload failed.";
    }
}
?>
```
In the code above, the type of the uploaded file is not properly determined and filtered: only the client-supplied extension is checked, so an attacker can change the apparent file type to bypass the restriction and upload a malicious file. To prevent this kind of attack, uploaded files must be properly validated and filtered, with both the allowed file types and the file size restricted.
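As an added example (not code from the original article), the same checks done defensively in Python: a size cap, an extension allowlist, a magic-byte check that the content really matches the claimed extension, and a random server-chosen filename. The byte signatures, the upload directory and the helper names are assumptions made for this example.

```python
import os
import secrets

# Added example: defensive upload validation (constructed, not the page's code).
# The checks mirror the PHP snippet above but do not trust the client name alone.
MAX_SIZE = 500000  # byte cap, the same limit the PHP example uses

# Leading bytes (magic numbers) of the image formats the page allows.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(client_name, data):
    """Return a safe server-side filename or raise ValueError with the reason."""
    if len(data) > MAX_SIZE:
        raise ValueError("file too large")
    # Keep only the final path component; its last extension decides the type.
    ext = os.path.splitext(os.path.basename(client_name))[1].lower().lstrip(".")
    if ext not in SIGNATURES:
        raise ValueError("extension not allowed")
    # The content must actually start like the format the extension claims.
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        raise ValueError("content does not match extension")
    # Never reuse the client-supplied name: a random name discards any
    # traversal or double-extension tricks and makes stored names unguessable.
    return secrets.token_hex(16) + "." + ext


def upload_error(client_name, data):
    """None if the upload is acceptable, otherwise the rejection reason."""
    try:
        validate_upload(client_name, data)
    except ValueError as exc:
        return str(exc)
    return None


def save_upload(client_name, data, upload_dir="uploads"):
    """Validate, then write the file under a server-chosen name; returns the path."""
    name = validate_upload(client_name, data)
    os.makedirs(upload_dir, exist_ok=True)
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path
```

The upload directory should additionally be served without script execution, since a validation bug should not be enough on its own to turn a stored file into executable code.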
3. Cross-Site Scripting Attacks
Cross-site scripting (XSS) is an attack in which malicious script is injected into a web page, allowing the attacker to obtain users' personal information or perform other illegitimate operations. Below is a simple code example:
```php
<?php
$user_input = $_GET['input'];
// Vulnerable: the raw query-string value is written into the page without escaping
echo "<p>" . $user_input . "</p>";
?>
```
In the code above, the user's input is output directly without any processing or filtering, so an attacker can craft a malicious script to carry out an XSS attack. To prevent this kind of attack, user input must be properly handled and filtered, using an escaping function or an HTML filter before it is written into the page.
This article has introduced common web vulnerabilities and attack methods on Linux servers and given corresponding code examples. To keep a web application secure, developers should be aware that these vulnerabilities exist and adopt the corresponding protective measures to improve the server's security.
ÒÔÉϾÍÊÇÏàʶLinuxЧÀÍÆ÷ÉϵÄWeb½Ó¿ÚÎó²îÓë¹¥»÷¡£µÄÏêϸÄÚÈÝ£¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡