zoukankan html css js c++ java

DVWA-12.4 XSS (Stored)（存储型跨站脚本）-Impossible

Impossible Level

查看源码

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = stripslashes( $message );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $message = htmlspecialchars( $message );

    // Sanitize name input
    $name = stripslashes( $name );
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $name = htmlspecialchars( $name );

    // Update database
    $data = $db->prepare( 'INSERT INTO guestbook ( comment, name ) VALUES ( :message, :name );' );
    $data->bindParam( ':message', $message, PDO::PARAM_STR );
    $data->bindParam( ':name', $name, PDO::PARAM_STR );
    $data->execute();
}

// Generate Anti-CSRF token
generateSessionToken();

?>

可以看到，impossible级别的代码使用htmlspecialchars函数将message和name中的预定义字符转换成html实体，这样就防止了我们填入标签。而且使用token来防范CSRF攻击，使用PDO技术防御SQL注入，进一步提高了安全性。

查看全文

相关阅读:
算法训练表达式计算
 基础练习十六进制转十进制
 基础练习十六进制转十进制
 基础练习十六进制转十进制
 New ways to verify that Multipath TCP works through your network
TCP的拥塞控制 (Tahoe Reno NewReno SACK)
Multipath TCP Port for Android 4.1.2
How to enable ping response in windows 7?
NS3
Multipath TCP Port for Android

原文地址：https://www.cnblogs.com/zhengna/p/12781688.html