Query Posts (View all the posts) <?php
$ posts_query"SELECT * FROM posts " ;
$ posts$ connquery ($ posts_querywhile ($ post$ postsfetch_assoc ()){
$ title$ post'title ' ];
$ author$ post'author ' ];
$ date$ post'date ' ];
$ image$ post'image ' ];
$ content$ post'content ' ];
$ tags$ post'tags ' ];
$ comments_num$ post'comments_num ' ];
?>
<!-- Blog Post template -->
<h2>
<a href="#"><?php echo $ title?> </a>
</h2>
<p class="lead">
by <a href="index.php"><?php echo $ author?> </a>
</p>
<p><span class="glyphicon glyphicon-time"></span> Posted on <?php echo $ date?> </p>
<hr>
<img class="img-responsive" src="images/<?php echo $ image?> " alt="">
<hr>
<p><?php echo $ content?> </p>
<a class="btn btn-primary" href="#">Read More <span class="glyphicon glyphicon-chevron-right"></span></a>
<hr>
<?php } ?> <?php
if (isset ($ _POST 'submit ' ])){
$ key$ _POST 'search_key ' ];
$ search_query"SELECT * FROM posts WHERE tags LIKE '% $ key%' " ;
if (!$ search_querydie ('Error :( ' . $ search_queryerror );
}
$ results$ connquery ($ search_querywhile ($ result$ resultsfetch_assoc ()){
?>
<li><a href="#"><?php echo $ result'title ' ] ?> </a>
</li>
<?php }
}
?> <?php
<!-- check post id -->
if (isset ($ _GET 'p_id ' ])){
$ post_id$ _GET 'p_id ' ];
}
$ posts_query"SELECT * FROM posts WHERE id= $ post_id ;
$ posts$ connquery ($ posts_querywhile ($ post$ postsfetch_assoc ()){
$ post_id$ post'id ' ];
$ title$ post'title ' ];
$ author$ post'author ' ];
$ date$ post'date ' ];
$ image$ post'image ' ];
$ content$ post'content ' ];
$ tags$ post'tags ' ];
$ comments_num$ post'comments_num ' ];
<!-- Blog Post template -->
<h2>
<a href="#posts.php?p_id=<? echo $post_id; ?> "><?php echo $ title?> </a>
</h2>
<p class="lead">
by <a href="index.php"><?php echo $ author?> </a>
</p>
<p><span class="glyphicon glyphicon-time"></span> Posted on <?php echo $ date?> </p>
<hr>
<img class="img-responsive" src="images/<?php echo $ image?> " alt="">
<hr>
<p><?php echo $ content?> </p>
<a class="btn btn-primary" href="#">Read More <span class="glyphicon glyphicon-chevron-right"></span></a>
<hr>
<?php } ?>
?>
< h4 > Leave a Comment:</ h4 >
< form action ="# " method ="post " role ="form ">
< div class ="form-group ">
< label for ="Author "> Author</ label >
< input type ="text " name ="comment_author " class ="form-control " name ="comment_author ">
</ div >
< div class ="form-group ">
< label for ="Author "> Email</ label >
< input type ="email " name ="comment_email " class ="form-control " name ="comment_email ">
</ div >
< div class ="form-group ">
< label for ="comment "> Your Comment</ label >
< textarea name ="comment_content " class ="form-control " rows ="3 "> </ textarea >
</ div >
< button type ="submit " name ="create_comment " class ="btn btn-primary "> Submit</ button >
</ form >
</ div>
< hr > Insert comment to the database #PHP_XSS #PHP_SQLi // Create a comment
<?php
if (isset ($ _POST 'create_comment ' ])){
$ post_id$ _GET 'p_id ' ];
$ author$ _POST 'comment_author ' ];
$ email$ _POST 'comment_email ' ];
$ content$ _POST 'comment_content ' ];
$ post_query"INSERT INTO comments (post_id, author, email, content,status, comment_date) " ;
$ post_query"VALUES ( $ post_id, ' {$ author', ' {$ email', ' {$ content', 'unapproved', now()) " ;
$ comment_created$ connquery ($ post_queryecho "<h1> " . $ _POST 'comment_author ' ] . " have created a comment :) </h1> " ; // #PHP_XSS
}
?> Query comments (View all the comments ) <h2>All the comments </h3>
<hr>
<?php
$ comments_query"SELECT * FROM comments WHERE post_id= $ post_id ;
$ comments$ connquery ($ comments_querywhile ($ comment$ commentsfetch_assoc ()){
$ comment_date$ comment'comment_date ' ];
$ comment_content$ comment'content ' ];
$ comment_author$ comment'author ' ];
?>
<!-- Comment loop -->
<div class="media">
<a class="pull-left" href="#">
<img class="media-object" src="http://placehold.it/64x64" alt="">
</a>
<div class="media-body">
<h4 class="media-heading"><?php echo $ comment_author?>
<small><?php echo $ comment_date?> </small>
</h4>
<?php echo $ comment_content?>
</div>
</div>
<?php } ?> <!-- Login form -->
<div class ="well">
<h4>Login</h4> <form action= "class ="form-control" placeholder='Enter username'>
</div> <div class= "class ="form-control" placeholder='Enter password'>
</div> <div class= "true ">
<label for="SQLi">vulnerable to SQLi</label><br>
</div>
<div class="form-group">
<input name='login' type="submit" class ="form-control" value='Login'>
</div>
</form>
<!-- /.input-group -->
</div> <?php
session_start ();
include "db_connect.php " ;
if (isset ($ _POST 'login ' ])){
$ login_name$ _POST 'username ' ];
$ login_pass$ _POST 'password ' ];
if (isset ($ SQLi_vulnerable$ SQLi_vulnerable$ _POST 'SQLi ' ];
}
if (!$ SQLi_vulnerable# if not vulnerable to SQL injection
{
$ login_namemysqli_real_escape_string ($ conn$ login_name$ login_passmysqli_real_escape_string ($ conn$ login_pass$ login_query"SELECT * FROM users WHERE username=' {$ login_name' " ;
$ result$ connquery ($ login_querywhile ($ row$ resultfetch_assoc ())
{
$ db_id$ row'id ' ];
$ db_username$ row'username ' ];
$ db_password$ row'password ' ];
$ db_firstname$ row'firstname ' ];
$ db_lastname$ row'lastname ' ];
$ db_rols$ row'role ' ];
}
#PHP_SQLi
if ($ login_name$ db_usernameand $ login_pass$ db_password$ _SESSION 'username ' ] = $ db_username$ _SESSION 'firstname ' ] = $ db_firstname$ _SESSION 'lastname ' ] = $ db_lastname$ _SESSION 'role ' ] = $ db_role$ _SESSION 'lastname ' ] = $ db_lastnameheader ("Location: ../admin " ); // you should start the session inside the admin page (include it header.php)
}else {# Wrong credentials
header ("Location: ../index.php " );
}
}
?> <?php
session_start ();
$ _SESSION 'username ' ] = null ;
$ _SESSION 'firstname ' ] = null ;
$ _SESSION 'lastname ' ] = null ;
$ _SESSION 'role ' ] = null ;
$ _SESSION 'lastname ' ] = null ;
header ("Location: ../admins " );
?> File Upload #PHP_File_upload_vuln
the first thing you need is to create an "uploads" file in the $_SERVER['DOCUMENT_ROOT']
mkdir /var/www/html/uploads < form method ='post ' enctype ='multipart/form-data '> <!-- you should specify the encoding type (enctype) -->
< input type ='file ' name ='user_file '/>
< input type ='submit ' name ='wanna_upload '/>
</ form >
$_FILES['filename']
$_FILES['html input file tag name attribue'] will hold all the data about the uploaded file \$_FILES['userfile']['tmp_name']; the file uploaded to temp directory first upload_tmp_dir = in php.ini$_FILES['userfile']['name'];$_FILES['userfile']['size'];$_FILES['userfile']['type'];$_FILES['userfile']['error']; equals to zero () if there is no error (UPLOAD_ERR_OK is a constant equals to 0)
php > echo "output = " UPLOAD_ERR_OK; # output = 0
move_uploaded_file($tmp_name, $save_path) is a build-in function
<?php
if (isset ($ _POST 'wanna_upload ' ]))
{
$ uploads_dir$ _SERVER 'DOCUMENT_ROOT ' ] . '/uploads ' ;
# upload_dir = '/var/www/html' . '/uploads'
$ user_file'' ;
if ($ _FILES 'user_file ' ]['error ' ] == UPLOAD_ERR_OK ){ # check if there is no error
$ tmp_name$ _FILES 'user_file ' ]['tmp_name ' ];
$ user_filebasename ($ _FILES 'user_file ' ]['name ' ]);
move_uploaded_file ($ tmp_name"$ uploads_dir/ $ user_file );
}
}
?>