这是我的代码在用户注册后显示我的数据库(member_details)但在数据库中我有一行正在注入javascript。
<script>window.location="http://google.com"</script>
当我在浏览器中查看脚本时,它会将用户重定向到google.com。
<?php
session_start();
include ('includes/database_connection.inc.php');
$conn = connectDatabase();
if($_SESSION['uid'] == ''){
// redirect unauthenticate user to login page.
header('Location: login.php');
}
if($_GET['task'] == 'delete' && $_GET['id'] != ''){
// delete function here
$sql="DELETE FROM Newest Where ID='".mysql_real_escape_string($_GET['id'])."'";
mysql_query($sql,$conn);
header('Location: member_list.php');
}
if($_POST['Logout']){
session_destroy();
header('Location: login.php');
}
?>
<html><head><title>Member Details</title>
</head>
<body>
<div style=" margin: 350px ">
<?php
$sql="SELECT * FROM Newest";
$rs = mysql_query($sql,$conn)
or die( mysql_error() );
$list = "<table border=\"1\" cellpadding= \"2\">";
$list .= "<tr><th>First Name</th>";
$list .="<th>Last Name</th>";
$list .= "<th>User Name</th>";
$list .= "<th>Email</th>";
$list .= "<th>Edit User</th>";
$list .= "<th>Delete User</th>";
$list .= "<th>Change Password</th>";
While( $row = mysql_fetch_array($rs) ) {
$list .= "<tr>";
$list .= "<td>".$row["name"]."</td>";
$list .= "<td>".$row["last"]."</td>";
$list .= "<td>".$row["user"]."</td>";
$list .= "<td>".$row["email"]."</td>";
$list .= "<td><a href='member_details.php?id=".$row['ID']."'>Edit</a></td>";
$list .= "<td><a onclick='return confirm(\"Are you sure to delete ".$row["name"]." \")' href='member_list.php?id=".$row["ID"]."&task=delete'>Delete</a></td>";
$list .= "<td><a href='Password.php?id=".$row['ID']."'>Click Here</a></td>
</tr>";
}
$list .= "</table>";
echo ( $list );
?>
<form method="post" action="member_list.php"><br>
<div style="margin : 0px 600px">
<style type="text/css">
body {background:#F5F5F5 url('http://images.apple.com/downloads/dashboard/travel/images/traveltodolist_20070724165034.jpg') no-repeat top;;
}</style>
<input type="submit" name="Logout" value="logout" />
</form>
</body>
</html>
答案 0 :(得分:0)