尝试在同一页面上显示错误消息

时间:2021-04-02 13:35:05

标签: php html mysql

这仅用于漏洞测试目的

只是为了找到克服 XSS 攻击的方法

如果文本框字段为空,我会尝试显示错误消息。

但是当我单击提交按钮时,它只在其他(db_connection.php)页面上显示错误消息,尽管它没有将数据插入到我的数据库中。我希望它与表单在同一页面上显示该错误消息。

这是我的 index.php

<html>
    <head>
        <meta charset="UTF-8">
        <title>BadStore.net - Sign our Guestbook</title>
    </head>
    <body>
        <?php
  
        ?>
        <td width="615">
      <table cellspacing="0" cellpadding="0" width="614" border="0">
        <tbody>
            <tr>
                <td bgcolor="#333333"></td>
            </tr>
        </tbody>
      </table>
      <table cellspacing="0" cellpadding="0" width="614" border="0">
        <tbody>
            <tr bgcolor="#ecece0"></tr>
       
            <tr bgcolor="#333333"></tr>
        </tbody>
      </table>
     
     
            <h1>Sign our Guestbook!</h1>
            <hr><p>Please complete this form to sign our Guestbook.  The email field is not required, but helps us contact you to respond to your feedback.  Thanks!</p><p></p><hr>
   <form method="post" action="db_connection.php">
            <table border="0" cellpadding="10">
        
        <tbody>
            <tr>
                <td>Your Name:</td> <td><input type="text" name="name" size="30"></td>
            </tr>
            <tr>
                <td>Email:</td> <td><input type="text" name="email" size="40"></td>
            </tr>
            <tr>
                <td valign="TOP">Comments:</td> 
                <td><textarea name="comments" cols="60" rows="4"></textarea></td>
            </tr>
        </tbody>
    </table>
        <hr>
        <center><input type="submit" name="submit" value="Add Entry">  <input type="reset"></center></font></td>
        </form>

    </body>
</html>

这是我的 db_connection.php

<?php
 $dbhost = "localhost";
 $dbuser = "root";
 $dbpass = "";
 $db = "xss";
 $conn = mysqli_connect($dbhost,$dbuser,$dbpass,$db);
echo "<a href=\"javascript:history.go(-1)\">GO BACK</a>";
 if(isset($_POST['submit']))
        {
     if(!empty(($_POST['name'])) && !empty(($_POST['email'])) && !empty(($_POST['comments'])))
     {    
            $Name= htmlspecialchars($_POST['name']);
            $Email=htmlspecialchars($_POST['email']);
            $Comments=htmlspecialchars($_POST['comments']);
            
            $result="INSERT into form(Name,Email,Comments) values('$Name','$Email','$Comments')";
            $run = mysqli_query($conn, $result) or die("Connect failed: %s\n". $conn -> error);
            
     }
     else{
         echo "Please fill in all the information!";
     }
        }
        mysqli_close($conn);
?>
 
        
<?php


 $dbhost = "localhost";
 $dbuser = "root";
 $dbpass = "";
 $db = "xss";
 $conn = mysqli_connect($dbhost,$dbuser,$dbpass,$db);


$sql = "Select * from form";
$abc = mysqli_query($conn,$sql);
?>      
        <table align="center" border="1px" style="width:600px; line-height:40px;"> 
    <tr> 
        <th colspan="4"><h2>Guestbook</h2></th> 
        </tr> 
              <th> No </th> 
              <th> Name </th> 
              <th> Email </th> 
              <th> Comments </th> 
              
        </tr> 
        
        <?php while($rows=mysqli_fetch_assoc($abc)) 
        { 
        ?> 
        <tr> <td><?php echo $rows['No']; ?></td> 
                <td><?php echo $rows['Name']; ?></td> 
        <td><?php echo $rows['Email']; ?></td> 
        <td><?php echo $rows['Comments']; ?></td> 
        </tr> 
    <?php 
               } 
                mysqli_close($conn);
          ?> 
</table>

1 个答案:

答案 0 :(得分:0)

您可以将 required 添加到您的 <input> 中,这样您就不必在其他页面中检查和显示错误消息(请填写所有信息!):
<input type"#" name="#" required>
对于 Database 错误消息,如果您希望它显示在同一页面上,并像这样将代码移动到它:

<?php
 $dbhost = "localhost";
 $dbuser = "root";
 $dbpass = "";
 $db = "xss";
 $conn = mysqli_connect($dbhost,$dbuser,$dbpass,$db);
echo "<a href=\"javascript:history.go(-1)\">GO BACK</a>";
 if(isset($_POST['submit']))
        {
        
            $Name= htmlspecialchars($_POST['name']);
            $Email=htmlspecialchars($_POST['email']);
            $Comments=htmlspecialchars($_POST['comments']);
            
            $result="INSERT into form(Name,Email,Comments) values('$Name','$Email','$Comments')";
            $run = mysqli_query($conn, $result) or die("Connect failed: ". $conn -> error);
            
     header('Location: db_connection.php');
        }
        mysqli_close($conn);
?>

<html>
    <head>
        <meta charset="UTF-8">
        <title>BadStore.net - Sign our Guestbook</title>
    </head>
    <body>
        <?php
  
        ?>
        <td width="615">
      <table cellspacing="0" cellpadding="0" width="614" border="0">
        <tbody>
            <tr>
                <td bgcolor="#333333"></td>
            </tr>
        </tbody>
      </table>
      <table cellspacing="0" cellpadding="0" width="614" border="0">
        <tbody>
            <tr bgcolor="#ecece0"></tr>
       
            <tr bgcolor="#333333"></tr>
        </tbody>
      </table>
     
     
            <h1>Sign our Guestbook!</h1>
            <hr><p>Please complete this form to sign our Guestbook.  The email field is not required, but helps us contact you to respond to your feedback.  Thanks!</p><p></p><hr>
   <form method="post" action="index.php">
            <table border="0" cellpadding="10">
        
        <tbody>
            <tr>
                <td>Your Name:</td> <td><input type="text" name="name" size="30" required></td>
            </tr>
            <tr>
                <td>Email:</td> <td><input type="text" name="email" size="40" required></td>
            </tr>
            <tr>
                <td valign="TOP">Comments:</td> 
                <td><textarea name="comments" cols="60" rows="4" required></textarea></td>
            </tr>
        </tbody>
    </table>
        <hr>
        <center><input type="submit" name="submit" value="Add Entry">  <input type="reset"></center></font></td>
        </form>

    </body>
</html>
相关问题
最新问题