보안1
보안2
php/5.php
사용자가 입력한 script 태그를 무력화시키는 방법. (참고 : htmlspecialchars)
<html>
<head>
<title></title>
</head>
<body>
<?php
echo htmlspecialchars('<script>alert(1);</script>');
?>
</body>
</html>
index.php
<?php
$conn = mysqli_connect("localhost", "root", 111111);
mysqli_select_db($conn, "opentutorials");
$result = mysqli_query($conn, "SELECT * FROM topic");
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="http://localhost/style.css">
</head>
<body id="target">
<header>
<img src="https://s3.ap-northeast-2.amazonaws.com/opentutorials-user-file/course/94.png" alt="생활코딩">
<h1><a href="http://localhost/index.php">JavaScript</a></h1>
</header>
<nav>
<ol>
<?php
while( $row = mysqli_fetch_assoc($result)){
echo '<li><a href="http://localhost/index.php?id='.$row['id'].'">'.htmlspecialchars($row['title']).'</a></li>'."\n";
}
?>
</ ol>
</nav>
<div id="control">
<input type="button" value="white" onclick="document.getElementById('target').className='white'"/>
<input type="button" value="black" onclick="document.getElementById('target').className='black'" />
<a href="http://localhost/write.php">쓰기</a>
</div>
<article>
<?php
if(empty($_GET['id']) === false ) {
$sql = "SELECT topic.id,title,name,description FROM topic LEFT JOIN user ON topic.author = user.id WHERE topic.id=".$_GET['id'];
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_assoc($result);
echo '<h2>'.htmlspecialchars($row['title']).'</h2>';
echo '<p>'.htmlspecialchars($row['name']).'</p>';
echo strip_tags($row['description'], '<a><h1><h2><h3><h4><h5><ul><ol><li>');
}
?>
</article>
</body>
</html>
보안3
/phpjs/14.php
<?php
$conn = mysqli_connect("localhost", "root", 111111);
mysqli_select_db($conn, "opentutorials");
$name = mysqli_real_escape_string($conn, $_GET['name']);
$password = mysqli_real_escape_string($conn, $_GET['password']);
$sql = "SELECT * FROM user WHERE name='".$name."' AND password='".$password."'";
echo $sql;
$result = mysqli_query($conn, $sql);
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
</head>
<body>
<?php
if($result->num_rows == "0"){
echo "뉘신지?";
} else {
echo "안녕하세요. 주인님";
}
?>
</body>
</html>
process.php
원래는 process.php 파일에도 보안을 적용해야 합니다. 하지만 우리수업에서는 수업 시간을 줄이기 위해서 생략합니다. 참고로 아래와 같이 process.php 개선할 수 있습니다. 아래 파일을 그대로 적용해주세요.
<?php
$conn = mysqli_connect("localhost", "root", 111111);
mysqli_select_db($conn, "opentutorials");
$title = mysqli_real_escape_string($conn, $_POST['title']);
$author = mysqli_real_escape_string($conn, $_POST['author']);
$description = mysqli_real_escape_string($conn, $_POST['description']);
$sql = "SELECT * FROM user WHERE name='".$author."'";
$result = mysqli_query($conn, $sql);
if($result->num_rows == 0){
$sql = "INSERT INTO user (name, password) VALUES('".$author."', '111111')";
mysqli_query($conn, $sql);
$user_id = mysqli_insert_id($conn);
} else {
$row = mysqli_fetch_assoc($result);
$user_id = $row['id'];
}
$sql = "INSERT INTO topic (title,description,author,created) VALUES('".$title."', '".$description."', '".$user_id."', now())";
$result = mysqli_query($conn, $sql);
header('Location: http://localhost/index.php');
?>
소스코드
참고
보안의 중요한 주제인 암호화에 대해서 궁금하신 분은 아래 수업을 참고해주세요.
