EXP8 Web Foundation 20154326 Flora

Source: Internet
Author: User

1. Answer the questions

(1) What is a form?
Forms are primarily responsible for data collection in Web pages. A form has three basic components. Form tag: contains the URL of the CGI program that processes the form data and the method by which the data is submitted to the server. Form fields: text boxes, password boxes, hidden fields, multi-line text boxes, check boxes, radio buttons, drop-down selection boxes, file upload boxes, and so on. Form buttons: the Submit button, the Reset button and general buttons; they send the data to the CGI script on the server or cancel the input, and can also trigger other processing tasks defined by the processing script.

(2) Which languages can the browser parse and run?
HTML, CSS and JavaScript; to run other languages you need to install plugins.

(3) Which dynamic languages does the web server support?
Python, Node.js, PHP, Ruby, and more.

2. Experiment Summary and experience
The experiment was very difficult: at one point the database was uninstalled, then the virtual machine broke, and in the end I copied someone else's virtual machine. The main difficulty is creating the database, tables and contents in MySQL, viewing the changes, and writing the PHP and HTML files; if you do not understand the relationships between them you will be confused, and in the end nothing fits together. So you should work out a clear order before you start, and then go through it again. In fact it is quite simple to understand ... the key is to straighten things out for yourself first.

Lab steps

(1) Preparation work
    • Use apachectl start to start Apache, then use netstat -aptn to view the listening ports. Since OpenVAS uses port 80, the default listen port in the Apache configuration file is changed to 8088.

Restart Apache Service

Open 127.0.0.1:8088 in the browser to test whether the service has started successfully.

Create a test file in the /var/www/html folder to test whether the Web page can access files in that folder.

(2) Simple web Authoring

Form-related knowledge

    • Forms are primarily responsible for data collection in Web pages.
    • A form has three basic components. Form tag: contains the URL of the CGI program that processes the form data and the method used to submit it to the server.
    • Form fields: text boxes, password boxes, hidden fields, multi-line text boxes, check boxes, radio buttons, drop-down selection boxes, file upload boxes, and more.
    • Form buttons: the Submit button, the Reset button and general buttons. Form buttons send the data to the CGI script on the server or cancel the input, and can also trigger other processing tasks defined by the processing script.

(This is after I changed the port number to 4326.)

Write a simple Login interface page.

After logging in, the data is sent to the "html_form_action.php" page; because that page has not been written yet, a 404 is returned.

(3) Test PHP

Create a testphp.php file

(4) Web front end: JavaScript

1. Related concepts: JavaScript is a widely used scripting language for client-side Web development, often used to add dynamic behaviour to HTML pages, such as responding to the user's actions.
2. The Document Object Model, or DOM, is the standard programming interface recommended by the standards organization for processing extensible markup languages.
3. Write a rule that validates the user name and password (e.g. the user name and password cannot be empty):

    // JSP scriptlet: look up the user by name, then compare the stored password
    String sql = "SELECT * FROM Users WHERE username='" + username + "'";  // define the query statement
    ResultSet rs = db.executeQuery(sql);                                    // run the statement
    if (rs.next()) {
        if (password.equals(rs.getObject("password"))) {
            response.sendRedirect("loginsuccess.jsp");                      // password matches: go to loginsuccess.jsp
        } else {
            out.print("<script language='JavaScript'>alert('Password error');</script>");
            response.setHeader("Refresh", "0;url=login.jsp");
        }
    } else {
        out.print("<script language='JavaScript'>alert('Please enter user name');</script>");
        response.setHeader("Refresh", "0;url=login.jsp");
    }

(5) Web back end

Run /etc/init.d/mysql start to start MySQL.

Run mysql -u root -p to log in to MySQL; the default password is [email protected]

Change Password:

Enter use mysql; to select the mysql database.

Enter select user, password, host from user; to display the user names, passwords and hosts already in the mysql library.

Enter UPDATE user SET password=PASSWORD("新密码") WHERE user='root'; to change the password of the root user.

Enter flush privileges; to reload the permissions.

Enter quit to exit, then run mysql -u root -p again and log in with the new password; a successful login shows that the change worked.

(This was last night; the virtual machine broke and I just copied someone else's, so I haven't had time to change the name in the picture.)

Build databases, tables, table contents, and database new users:

First create a database: CREATE DATABASE db_name;

Then create a table: CREATE TABLE table_name (field definitions);

Then insert the table contents: INSERT INTO table_name VALUES ('value 1', 'value 2', 'value 3', ...);

Finally query the table: SELECT * FROM table_name;

Create a new user: GRANT SELECT, INSERT, UPDATE, DELETE ON database.* TO 'user_name'@'login_host';

After adding the new user, exit and log in again as that user: mysql -u yangqian -p (yangqian is the new user name).

Then check the databases and tables; if the new user can log in and see them, everything is fine.

(6) MySQL implementation landing page

Go to the directory where the page is written.

Refer to the code given by the teacher (PHP):

    <?php
    $uname = $_GET["username"];
    $pwd   = $_GET["password"];
    /* echo $uname; */
    // yqtable is the name of the table that was just created
    $query_str = "SELECT * FROM yqtable WHERE username='{$uname}' and password='{$pwd}';";
    /* echo "<br>{$query_str}<br>"; */
    // yangqian is the new database user, 4326 is its password, yq is the database name
    $mysqli = new mysqli("127.0.0.1", "yangqian", "4326", "yq");
    /* check connection */
    if ($mysqli->connect_errno) {
        printf("Connect failed: %s\n", $mysqli->connect_error);
        exit();
    }
    echo "Connection ok!";
    /* select queries return a result set */
    if ($result = $mysqli->query($query_str)) {
        if ($result->num_rows > 0) {
            echo "<br>Welcome login mr/mrs:{$uname}<br>";
        } else {
            echo "<br>login failed!!!!<br>";
        }
        /* free the result set */
        $result->close();
    }
    $mysqli->close();
    ?>

Note the highlighted parts of the PHP file: the first is the table created earlier; in the following line, yangqian is the database user created earlier, 4326 is its password, and yq is the database name.

Here is the HTML file (the form's action is the PHP file you just wrote):

    <html>
    <body>
    <form action="4326login.php" name="frmLogin">
      <table>
        <tr>
          <td>user</td>
          <td><input type="text" name="username" value="Your name" onfocus="if (this.value=='Your name') this.value='';" /></td>
        </tr>
        <tr>
          <td>password</td>
          <td><input type="password" name="password" value="Your password" onfocus="if (this.value=='Your password') this.value='';" /></td>
        </tr>
        <tr>
          <td><input type="checkbox" name="zlogin" value="1">auto login</td>
        </tr>
        <tr>
          <td><input type="submit" name="login" value="login" onclick="return validateLogin()" /></td>
          <td><input type="reset" name="rs" value="reset" /></td>
        </tr>
      </table>
    </form>
    <script language="JavaScript">
      // Client-side check: refuse to submit when either field is empty or still shows its placeholder
      function validateLogin() {
        var sUserName = document.frmLogin.username.value;
        var sPassword = document.frmLogin.password.value;
        if ((sUserName == "") || (sUserName == "Your name")) {
          alert("User name");
          return false;
        }
        if ((sPassword == "") || (sPassword == "Your password")) {
          alert("password!");
          return false;
        }
        return true;
      }
    </script>
    </body>
    </html>

Enter 127.0.0.1:4326/4326login.html in the browser.

Submitting the form sends the browser to the PHP page.

Enter the user name and password (the ones you just added to the table).

(7) SQL injection, XSS attack test

SQL attack

SQL injection inserts SQL commands into a Web form submission or into the query string of a domain name or page request, so that the server ends up executing a malicious SQL command. Put differently, an existing application is used to pass (malicious) SQL statements to the back-end database engine: by entering SQL in a Web form of a site that has this vulnerability, the attacker makes the database run statements the designer never intended.

Always-true attack

In the user name input box, enter ' or 1=1# and type anything for the password. The SQL query assembled at this point is

SELECT * from users where username='' or 1=1#' and password=md5('')

The database treats # and everything after it as a comment, so the statement becomes

SELECT * from users where username='' or 1=1

In other words, the query now asks for the users in the database whose username is '' or for which 1=1; either condition is enough to allow login.

Since 1=1 is always true, this will always be able to log in.

SQL injection

First construct an SQL injection statement that adds data to the database. In the user name box enter:

'; INSERT INTO yqtable VALUES ('11', '11'); #

The command received by the system is

SELECT * from yqtable where username=''; INSERT INTO yqtable VALUES ('11', '11'); #

This is equivalent to two statements:

SELECT * from yqtable WHERE username='';
INSERT INTO yqtable VALUES ('11', '11');

This time the database should definitely have gained a new user name, but for some reason my database did not add it ....

So I changed the input to: '; drop from yqtable where username='20154326';

I wanted it to delete the contents of the table, but it still would not budge ...

So I finally gave up ...
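The login check from section (6) and the always-true and stacked-statement inputs from section (7), as an added example in Python over an in-memory SQLite database (this is not the lab's PHP and not the teacher's code). The vulnerable function assembles the SQL string exactly as the PHP does; the hardened function uses a parameterised query and a salted PBKDF2 hash. The table name yqtable and the user 20154326 / 4326 come from the page; the salt and hash columns, the sample rows and the comment syntax are assumptions of this example (SQLite comments start with --, while MySQL also accepts # as used on the page).

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256 (stdlib); the hex digest is what the table stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000).hex()


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the lab's yqtable: one user, 20154326 / 4326.
    The plaintext `password` column is kept only so the lab's original query
    can be reproduced; the hardened check reads `salt` and `pwhash` instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE yqtable (username TEXT, password TEXT, salt BLOB, pwhash TEXT)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO yqtable VALUES (?, ?, ?, ?)",
        ("20154326", "4326", salt, hash_password("4326", salt)),
    )
    conn.commit()
    return conn


def build_query_like_php(uname: str, pwd: str) -> str:
    """The page's string interpolation, unchanged:
    "SELECT * FROM yqtable WHERE username='{$uname}' and password='{$pwd}'"."""
    return f"SELECT * FROM yqtable WHERE username='{uname}' and password='{pwd}'"


def login_vulnerable(conn: sqlite3.Connection, uname: str, pwd: str) -> bool:
    """What the lab's PHP does: user-controlled text becomes part of the SQL."""
    return conn.execute(build_query_like_php(uname, pwd)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, uname: str, pwd: str) -> bool:
    """Parameterised lookup plus constant-time hash comparison: input stays data."""
    row = conn.execute(
        "SELECT salt, pwhash FROM yqtable WHERE username = ?", (uname,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(pwd, salt), stored)


def stacked_statement_is_rejected(conn: sqlite3.Connection) -> bool:
    """sqlite3's execute() runs exactly one statement, as mysqli::query() does in
    PHP, so a second statement appended after ';' raises instead of running.
    This is the likely reason the lab's INSERT attempt added no row."""
    payload = "'; INSERT INTO yqtable (username, password) VALUES ('11', '11'); --"
    try:
        conn.execute(build_query_like_php(payload, "x"))
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # The page's always-true input, assembled exactly as the PHP would send it to MySQL
    print(build_query_like_php("' or 1=1#", ""))
    print("vulnerable:", login_vulnerable(db, "' OR 1=1 --", "anything"))
    print("safe      :", login_safe(db, "' OR 1=1 --", "anything"))
    print("stacked rejected:", stacked_statement_is_rejected(db))
```

Running the file prints the assembled query for the page's ' or 1=1# input and shows that the concatenated version accepts the always-true input while the parameterised version rejects it. The single-statement behaviour of mysqli::query() is the first thing to check when a stacked INSERT or DROP input like the ones above has no effect; it is a property of the API, not a sign that the concatenated query is safe.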

XSS attacks:

XSS (cross-site scripting) is a security vulnerability that often appears in web applications; it allows a malicious Web user to embed code into pages that other users then view.

First drag the picture into the /var/www/html folder.

In the user name box, enter haha</a>

This seems to be because the file permissions are not sufficient, so I ran chmod 777 /var/www/html/tuzi.jpg to grant everyone read, write and execute permission.
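The welcome line in the lab's PHP echoes the user name into HTML without escaping, which is what makes the XSS test above work. As an added example (not the lab's code), the same line rendered in Python with and without output encoding, in both text context and the form's value attribute; the sample user name carrying an image tag is constructed for this example and html.escape is the stdlib encoder.

```python
import html

# Constructed sample: a user name that carries markup, like the picture tag used in the lab
SAMPLE_USERNAME = '<img src="tuzi.jpg">haha'


def render_welcome_unsafe(uname: str) -> str:
    """Mirrors the lab's PHP echo: the user name is dropped straight into the HTML."""
    return f"<br>Welcome login mr/mrs:{uname}<br>"


def render_welcome_safe(uname: str) -> str:
    """Text context: & < > " ' become entities, so the browser shows the name literally."""
    return f"<br>Welcome login mr/mrs:{html.escape(uname, quote=True)}<br>"


def render_value_attr_safe(uname: str) -> str:
    """Attribute context (the form's value="..."): quote=True keeps a stray double
    quote from closing the attribute and starting a new one."""
    return f'<input type="text" name="username" value="{html.escape(uname, quote=True)}">'


def echoed_verbatim(rendered: str, uname: str) -> bool:
    """Defender-side check: does the untrusted fragment survive unchanged in the output?
    True means no encoding was applied (assumes uname is the only untrusted part)."""
    return uname in rendered


def roundtrips(uname: str) -> bool:
    """Encoding loses nothing: decoding the safe output gives the unsafe output back."""
    return html.unescape(render_welcome_safe(uname)) == render_welcome_unsafe(uname)


if __name__ == "__main__":
    print(render_welcome_unsafe(SAMPLE_USERNAME))
    print(render_welcome_safe(SAMPLE_USERNAME))
    print(render_value_attr_safe('x" autofocus="'))
```

The fix belongs at the output side, next to every echo of user data, because the same stored user name is rendered in more than one context (the welcome text and the form's attribute) and each context has its own escaping rules.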
