Voilà, je crois que j'ai un gros problème avec le livre d'or installé sur mon site ... car depuis hier j'ai reçu deux messsages de ce genre :
CITATION
Nom : Bf0QahQrB5
E-mail : dVXDy_AT_L2r0m9B.com
E-mail : dVXDy_AT_L2r0m9B.com
CODE
[url=http://Http://www.seun.ru/criea/cialis-price.html]Http://www.seun.ru/criea/cialis-price.html[/url]
cialis price CODE
[url=http://www.seun.ru/criea/viagra-alternative.html]http://www.seun.ru/criea/viagra-alternative.html[/url]
viagra alternative CODE
[url=http://www.seun.ru/criea/online-phentermine.html]http://www.seun.ru/criea/online-phentermine.html[/url]
online phentermine CODE
[url=http://www.seun.ru/criea/generic-cialis.html]http://www.seun.ru/criea/generic-cialis.html[/url]
generic cialis CODE
[url=http://www.seun.ru/criea/viagra-purchase.html]http://www.seun.ru/criea/viagra-purchase.html[/url]
viagra purchase CODE
[url=http://www.seun.ru/criea/cialis-order.html]http://www.seun.ru/criea/cialis-order.html[/url]
cialis orderLe premier me disait même "Very nice site ! Thanks you very much !!"
Je commence seulement à apprendre le php et mon script est, je crois, assez rudimentaire. Que puis-je faire comme tests pour éviter ce genre de choses ? Voyez-vous une autre faille qui permettrait de causer des dégâts + importants ?
Voici mon code (la connexion à la DB se fait via l'include) :
CODE
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
<?php
include "conf.php";
if(isset($_POST['posted']))
{
if(!empty($_POST['pseudo']) AND !empty($_POST['email']) AND !empty($_POST['message']))
{
$pseudo=trim(ucfirst(addslashes($_POST['pseudo'])));
$email=trim(addslashes($_POST['email']));
$message=trim(ucfirst(addslashes($_POST['message'])));
$requete="INSERT INTO guestbook (pseudo, email, message, date) VALUES ('$pseudo','$email','$message','$date')";
$query=mysql_query($requete) OR die ("Impossible de prendre note de votre message<br>".mysql_error());
echo '<script language="JavaScript">;';
echo 'alert ("Merci pour votre message !");';
echo '</script>;';
}
else
{
echo ' <script language="JavaScript">;';
echo 'alert("Remplissez chaque champ svp ! Merci.");';
echo 'java script:history.back(1);';
echo '</script>;';
}
}
?>
<head>
<title>Le livre d'or Karpeace</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="keywords" content="livre d'or,guestbook,karpeace,carp,carpe,carpes,poisson,poissons,message,mail" />
<meta name="description" content="Pour laisser des encouragements, insultes ou autres : le livre d'or" />
<meta name="author" content="KnockedMaster" />
<meta name="generator" content="Notepad" />
<meta name="robots" content="index,follow" />
<meta name="expires" content="never" />
<meta name="rating" content="General" />
<meta name="distribution" content="Global" />
<meta name="audience" content="all" />
<link href="../style.css" type="text/css" rel="stylesheet" />
<link href="../style_menu_ver.css" type="text/css" rel="stylesheet" />
<link rel="alternate" title="Test rss" type="application/rss+xml" href="http://www.karpeace.com/news.xml" />
<link rel="shortcut icon" href="http://www.karpeace.com/img/icones/favicon.ico" />
<script type="text/javascript" src="../menu.js"></script>
</head>
<body>
<table id="table_smileys" border="1" rules="none" summary="Ce tableau présente une liste de smileys qui peuvent être insérés dans les messages">
<tr>
<td width="116" height="59" align="center"><img src="../img/smileys/30.gif" width="57" height="33" alt="Smiley" /> <br/> </td>
<td width="123" align="center"><img src="../img/smileys/2.gif" width="46" height="26" alt="Smiley" /> <br /> </td>
<td width="72" align="center"><img src="../img/smileys/27.gif" width="60" height="29" alt="Smiley" /> <br /> </td>
<td width="72" align="center"><img src="../img/smileys/6.gif" width="65" height="28" alt="Smiley" /> <br /> </td>
</tr>
<tr>
<td align="center">:'A </td>
<td align="center">:'B</td>
<td align="center">:'C</td>
<td align="center">:'D</td>
</tr>
<tr>
<td height="54" align="center"><img src="../img/smileys/28.gif" width="26" height="25" alt="Smiley" /> <br /> </td>
<td align="center"><img src="../img/smileys/21.gif" width="38" height="29" alt="Smiley" /> <br /> </td>
<td align="center"><img src="../img/smileys/25.gif" width="40" height="26" alt="Smiley" /> <br /> </td>
<td align="center"><img src="../img/smileys/32.gif" width="24" height="26" alt="Smiley" /> <br /> </td>
</tr>
<tr>
<td align="center">:'E</td>
<td align="center">:'F</td>
<td align="center">:'G </td>
<td align="center">:'H</td>
</tr>
<tr>
<td width="105" align="center"><img src="../img/smileys/13.gif" width="80" height="42" alt="Smiley" /> <br /> </td>
<td align="center"><img src="../img/smileys/29.gif" width="92" height="31" alt="Smiley" /> <br /> </td>
<td align="center"><img src="../img/smileys/36.gif" width="86" height="29" alt="Smiley" /> <br /> </td>
<td align="center"><img src="../img/smileys/45.gif" width="28" height="26" alt="Smiley" /> <br /> </td>
</tr>
<tr>
<td align="center">:'I </td>
<td align="center">:'J</td>
<td align="center">:'K</td>
<td align="center">:'L</td>
</tr>
</table>
<img id="livre-or" src="../img/gifs_animes/livre-or.gif" alt="Gif animé livre d′or" title="Laissez-nous un petit mot !" />
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"><input type="hidden" name="posted" value="1" />
<fieldset>
<legend>Une p′tite bafouille ...</legend>
<p><label for="pseudo">Pseudo : </label> <input type="text" id="pseudo" name="pseudo" /></p>
<br />
<p><label for="email">E-mail : </label> <input type="text" id="email" name="email" /> </p>
<br />
<center><textarea name="message" rows="10" cols="10"> </textarea></center>
<br />
<?php
$ip = $_SERVER["REMOTE_ADDR"];
echo "<center><p><b>Votre adresse IP est :</b> <font color=\"red\"> $ip </font></p></center>";
?>
<br />
<center><input type="submit" name="submit" value="Envoyer" />
<input type="reset" name="reset" value="Réinitialiser" /></center>
</fieldset>
</form>
<?php
$start=0;
if (!$start) {$start=0;}
$rec = mysql_query("SELECT * FROM guestbook ORDER BY id DESC LIMIT ".$start.",".$nb);
while($row=mysql_fetch_assoc($rec))
{
$row['message']= str_replace(":'A","<img src=\"http://www.karpeace.com/img/smileys/30.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'B","<img src=\"http://www.karpeace.com/img/smileys/2.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'C","<img src=\"http://www.karpeace.com/img/smileys/27.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'D","<img src=\"http://www.karpeace.com/img/smileys/6.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'E","<img src=\"http://www.karpeace.com/img/smileys/28.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'F","<img src=\"http://www.karpeace.com/img/smileys/21.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'G","<img src=\"http://www.karpeace.com/img/smileys/25.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'H","<img src=\"http://www.karpeace.com/img/smileys/32.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'I","<img src=\"http://www.karpeace.com/img/smileys/13.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'J","<img src=\"http://www.karpeace.com/img/smileys/29.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'K","<img src=\"http://www.karpeace.com/img/smileys/36.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'L","<img src=\"http://www.karpeace.com/img/smileys/45.gif\" alt=\"smiley\" />",$row['message']);
?>
<table class="messages" border="0" align="center" cellpadding="4" cellspacing="0" width="90%" summary="Tableau d′affichage des messages">
<tr>
<td class="ss_messages" width="100%">
<img src="../img/icones/email_open.gif" alt="Icône de message" /> De <span class="pseudo"><?php echo stripslashes($row['pseudo']); ?></span> le <?php echo $row['date']; ?> </td>
</tr>
<tr>
<td width="100%"> <?php echo nl2br(stripslashes($row['message']));?> </td>
</tr>
</table>
<br /><br />
<?php
}
mysql_free_result($rec);
$result=mysql_query("SELECT COUNT(*) FROM guestbook");
$row = mysql_fetch_row($result);
?>
<p align="center">
<?php
if ($start == "0") {
echo"<b><font size=\"1\" face=\"Verdana\">[1]</font></b>";
} else {
echo"<a href=\"index.php?start=0\">[1]</a>";
}
for($index=1;($index*$nb)<$row[0];$index++) {
$pg = $index+1;
if(($index*$nb)!=$start) {
print("<a href=\"index.php?start=".($index*$nb)."\">");
echo"[".$pg."]";
print("</a>");
}
else {
echo" <b><font size=\"1\" face=\"Verdana\">[".$pg."]</font></b>";
} }
?></p>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
<?php
include "conf.php";
if(isset($_POST['posted']))
{
if(!empty($_POST['pseudo']) AND !empty($_POST['email']) AND !empty($_POST['message']))
{
$pseudo=trim(ucfirst(addslashes($_POST['pseudo'])));
$email=trim(addslashes($_POST['email']));
$message=trim(ucfirst(addslashes($_POST['message'])));
$requete="INSERT INTO guestbook (pseudo, email, message, date) VALUES ('$pseudo','$email','$message','$date')";
$query=mysql_query($requete) OR die ("Impossible de prendre note de votre message<br>".mysql_error());
echo '<script language="JavaScript">;';
echo 'alert ("Merci pour votre message !");';
echo '</script>;';
}
else
{
echo ' <script language="JavaScript">;';
echo 'alert("Remplissez chaque champ svp ! Merci.");';
echo 'java script:history.back(1);';
echo '</script>;';
}
}
?>
<head>
<title>Le livre d'or Karpeace</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="keywords" content="livre d'or,guestbook,karpeace,carp,carpe,carpes,poisson,poissons,message,mail" />
<meta name="description" content="Pour laisser des encouragements, insultes ou autres : le livre d'or" />
<meta name="author" content="KnockedMaster" />
<meta name="generator" content="Notepad" />
<meta name="robots" content="index,follow" />
<meta name="expires" content="never" />
<meta name="rating" content="General" />
<meta name="distribution" content="Global" />
<meta name="audience" content="all" />
<link href="../style.css" type="text/css" rel="stylesheet" />
<link href="../style_menu_ver.css" type="text/css" rel="stylesheet" />
<link rel="alternate" title="Test rss" type="application/rss+xml" href="http://www.karpeace.com/news.xml" />
<link rel="shortcut icon" href="http://www.karpeace.com/img/icones/favicon.ico" />
<script type="text/javascript" src="../menu.js"></script>
</head>
<body>
<table id="table_smileys" border="1" rules="none" summary="Ce tableau présente une liste de smileys qui peuvent être insérés dans les messages">
<tr>
<td width="116" height="59" align="center"><img src="../img/smileys/30.gif" width="57" height="33" alt="Smiley" /> <br/> </td>
<td width="123" align="center"><img src="../img/smileys/2.gif" width="46" height="26" alt="Smiley" /> <br /> </td>
<td width="72" align="center"><img src="../img/smileys/27.gif" width="60" height="29" alt="Smiley" /> <br /> </td>
<td width="72" align="center"><img src="../img/smileys/6.gif" width="65" height="28" alt="Smiley" /> <br /> </td>
</tr>
<tr>
<td align="center">:'A </td>
<td align="center">:'B</td>
<td align="center">:'C</td>
<td align="center">:'D</td>
</tr>
<tr>
<td height="54" align="center"><img src="../img/smileys/28.gif" width="26" height="25" alt="Smiley" /> <br /> </td>
<td align="center"><img src="../img/smileys/21.gif" width="38" height="29" alt="Smiley" /> <br /> </td>
<td align="center"><img src="../img/smileys/25.gif" width="40" height="26" alt="Smiley" /> <br /> </td>
<td align="center"><img src="../img/smileys/32.gif" width="24" height="26" alt="Smiley" /> <br /> </td>
</tr>
<tr>
<td align="center">:'E</td>
<td align="center">:'F</td>
<td align="center">:'G </td>
<td align="center">:'H</td>
</tr>
<tr>
<td width="105" align="center"><img src="../img/smileys/13.gif" width="80" height="42" alt="Smiley" /> <br /> </td>
<td align="center"><img src="../img/smileys/29.gif" width="92" height="31" alt="Smiley" /> <br /> </td>
<td align="center"><img src="../img/smileys/36.gif" width="86" height="29" alt="Smiley" /> <br /> </td>
<td align="center"><img src="../img/smileys/45.gif" width="28" height="26" alt="Smiley" /> <br /> </td>
</tr>
<tr>
<td align="center">:'I </td>
<td align="center">:'J</td>
<td align="center">:'K</td>
<td align="center">:'L</td>
</tr>
</table>
<img id="livre-or" src="../img/gifs_animes/livre-or.gif" alt="Gif animé livre d′or" title="Laissez-nous un petit mot !" />
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"><input type="hidden" name="posted" value="1" />
<fieldset>
<legend>Une p′tite bafouille ...</legend>
<p><label for="pseudo">Pseudo : </label> <input type="text" id="pseudo" name="pseudo" /></p>
<br />
<p><label for="email">E-mail : </label> <input type="text" id="email" name="email" /> </p>
<br />
<center><textarea name="message" rows="10" cols="10"> </textarea></center>
<br />
<?php
$ip = $_SERVER["REMOTE_ADDR"];
echo "<center><p><b>Votre adresse IP est :</b> <font color=\"red\"> $ip </font></p></center>";
?>
<br />
<center><input type="submit" name="submit" value="Envoyer" />
<input type="reset" name="reset" value="Réinitialiser" /></center>
</fieldset>
</form>
<?php
$start=0;
if (!$start) {$start=0;}
$rec = mysql_query("SELECT * FROM guestbook ORDER BY id DESC LIMIT ".$start.",".$nb);
while($row=mysql_fetch_assoc($rec))
{
$row['message']= str_replace(":'A","<img src=\"http://www.karpeace.com/img/smileys/30.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'B","<img src=\"http://www.karpeace.com/img/smileys/2.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'C","<img src=\"http://www.karpeace.com/img/smileys/27.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'D","<img src=\"http://www.karpeace.com/img/smileys/6.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'E","<img src=\"http://www.karpeace.com/img/smileys/28.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'F","<img src=\"http://www.karpeace.com/img/smileys/21.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'G","<img src=\"http://www.karpeace.com/img/smileys/25.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'H","<img src=\"http://www.karpeace.com/img/smileys/32.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'I","<img src=\"http://www.karpeace.com/img/smileys/13.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'J","<img src=\"http://www.karpeace.com/img/smileys/29.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'K","<img src=\"http://www.karpeace.com/img/smileys/36.gif\" alt=\"smiley\" />",$row['message']);
$row['message']= str_replace(":'L","<img src=\"http://www.karpeace.com/img/smileys/45.gif\" alt=\"smiley\" />",$row['message']);
?>
<table class="messages" border="0" align="center" cellpadding="4" cellspacing="0" width="90%" summary="Tableau d′affichage des messages">
<tr>
<td class="ss_messages" width="100%">
<img src="../img/icones/email_open.gif" alt="Icône de message" /> De <span class="pseudo"><?php echo stripslashes($row['pseudo']); ?></span> le <?php echo $row['date']; ?> </td>
</tr>
<tr>
<td width="100%"> <?php echo nl2br(stripslashes($row['message']));?> </td>
</tr>
</table>
<br /><br />
<?php
}
mysql_free_result($rec);
$result=mysql_query("SELECT COUNT(*) FROM guestbook");
$row = mysql_fetch_row($result);
?>
<p align="center">
<?php
if ($start == "0") {
echo"<b><font size=\"1\" face=\"Verdana\">[1]</font></b>";
} else {
echo"<a href=\"index.php?start=0\">[1]</a>";
}
for($index=1;($index*$nb)<$row[0];$index++) {
$pg = $index+1;
if(($index*$nb)!=$start) {
print("<a href=\"index.php?start=".($index*$nb)."\">");
echo"[".$pg."]";
print("</a>");
}
else {
echo" <b><font size=\"1\" face=\"Verdana\">[".$pg."]</font></b>";
} }
?></p>
Merci d'avance pour votre aide
KnockedMaster
Edit captain_torche : merci d'utiliser les balises CODE et CODEBOX lorsque vous postez vos codes (respectivement courts et longs)
