有人可以帮助我识别漏洞并解决它们吗?我今天早上发布了这个网站,但它一直被黑客入侵或其他一些事情,我对 sql 注入漏洞不熟悉。有人可以帮我找到它们是什么吗?
<?php
//Variables for connecting to your database.
//These variable values come from your hosting account.
$hostname = "istheinternet.db.10527209.hostedresource.com";
$username = "istheinternet";
$dbname = "istheinternet";
//These variable values need to be changed by you before deploying
$password = "**********";
$usertable = "posts";
$yourfield1 = "post";
$yourfield2 = "time";
//Connecting to your database
mysql_connect($hostname, $username, $password) OR DIE ("Unable to
connect to database! Please try again later.");
mysql_select_db($dbname);
// Fetching from your database table.
$query = "SELECT * FROM $usertable ORDER BY time DESC";
$result = mysql_query($query);
?>
<html>
<meta name="viewport" content="width=device-width"/>
<meta http-equiv="Content-Language" content="English" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" type="text/css" href="style.css">
<head>
<img src="/istheinternetfuckingawesome/images/pageLogo.jpg">
<script type="text/javascript"><!--s
google_ad_client = "ca-pub-8924330365282159";
/* itifa header/footer */
google_ad_slot = "6694391056";
google_ad_width = 728;
google_ad_height = 90;
//-->
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-40841654-1', 'istheinternetfuckingawesome.com');
ga('send', 'pageview');
</script>
<meta http-equiv="Content-Script-Type" content="text/javascript">
<script type="text/JavaScript">
function valid(f) {
!(/^[A-z!., Ñ!., ñ0-9]*$/i).test(f.value)?f.value = f.value.replace(/[^A-z!., Ñ!., ñ0-9]/ig,''):null;
}
</script>
</head>
<div class="breadcrumbs">
</div>
<body>
<div>
<h1>What makes your internet awesome?</h1>
<form id="blog_form" action ="thisfile.php"
method ="POST" enctype="multipart/form-data">
<textarea name="post" placeholder="Tell us what makes your internet awesome!" rows="15" cols="50" maxlength="300" onkeyup="valid(this)" onblur="valid(this)"> </textarea></body></br>
<button type="submit"> Post</button>
<button type="reset"> Clear</button>
</form>
</div>
<span class="column1">
<h2> Stories</h2>
<?php while ($row = mysql_fetch_assoc($result))
{
echo $row["$yourfield2"].", ".$row["$yourfield1"]."<br/>\n"."<br/>\n";
}
?>
</span>
<span class="column2">
<div>
<center>
<p><Strong>Keep in mind all posts are final unless the website owner finds errors in formatting.</Strong></p
<p><Strong><Strong>Welcome Reddit users</Strong></Strong></p>
<p>Please note that any links and or images will not post sorry to ruin your fun!</p>
</center>
</div>
</span>
<span class="column3">
<script type="text/javascript"><!--
google_ad_client = "ca-pub-8924330365282159";
/* itifa */
google_ad_slot = "3372494652";
google_ad_width = 160;
google_ad_height = 600;
//-->
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
</span>
</body>
<footer>
</footer>
</html>
提交php文件
//These variable values need to be changed by you before deploying
$password = "**********";
$usertable = "posts";
$yourfield1 = "time";
$yourfield2="post";
//Connecting to your database
mysql_connect($hostname, $username, $password) OR DIE ("Unable to
connect to database! Please try again later.");
mysql_select_db($dbname);
$post= trim($_REQUEST['post']);
// Required field names
$required = array('post');
$insert_sql = "INSERT INTO posts (post)" . "Values('{$post}')";
mysql_query($insert_sql) or die(mysql_error());
header("Location: http://istheinternetfuckingawesome.com");
?>
