dongtun4268 2016-01-02 12:29
Views: 73
Accepted

Recording visitors' website details in a database, but the same IP address is saved multiple times

This is to create database

CREATE TABLE `xxx`.`track`(`id_stat` smallint(6) unsigned NOT NULL auto_increment,
                          `v_ip` varchar(15) collate utf8_unicode_ci NOT NULL,
                          `v_time` datetime NOT NULL default '0000-00-00 00:00:00',
                          `v_ref` varchar(200) collate utf8_unicode_ci NOT NULL,
                          `v_agent` varchar(100) collate utf8_unicode_ci NOT NULL,
                          `v_url` varchar(100) collate utf8_unicode_ci NOT NULL,
                           PRIMARY KEY (`id_stat`)
               ) ENGINE = MyISAM DEFAULT CHARSET = utf8 COLLATE = utf8_unicode_ci;

and this is the PHP code, but it is not working. Kindly tell me what mistake I am making here.

<?php
// Request details taken straight from the server variables
$stsip = $_SERVER['REMOTE_ADDR'];
$stagent = $_SERVER['HTTP_USER_AGENT'];
$sturl = $_SERVER['REQUEST_URI'];   // there is no REQUEST_URL key; the request path is REQUEST_URI
$stref = $_SERVER['HTTP_REFERER'];

// Database credentials
$stuser = "abc";
$stpass = "thanks";
$sthost = "localhost";
$stdb = "visitorsrecord";
$sttable = "track";

$handle = mysql_connect($sthost, $stuser, $stpass) or die("Connection Failure to Database");
mysql_select_db($stdb, $handle) or die($stdb . " Database not found. " . $stuser);

// The request values are concatenated directly into the SQL text (see the answer below on why this is a problem)
mysql_query("insert into $sttable(v_time, v_ip, v_agent, v_url, v_ref) values(NOW(), '" . $stsip . "', '" . $stagent . "', '" . $sturl . "', '" . $stref . "')");
mysql_close($handle);
?>

Now the code is working fine, but the problem I am facing now is this: if someone opens the website, I get one entry in the database, but if he opens it again, another entry is added. I want to record only unique IP addresses per day.


1 answer

dszm02606009 2016-02-27 10:06

    (I'm offering here a partial answer, focussing on the SQL injection vulnerability in this code).

    The first part is to reset the User Agent string in your browser. There are plugins for this, and in Firefox additionally you can visit about:config to see the internal settings, and it can be edited by hand here. Try resetting your browser to have a user agent string of My Browser' (note the unmatched quote mark).

    Then run your code above. You'll effectively be executing this partial bit of SQL: values(NOW(), '1.2.3.4', 'My Browser'', 'url', 'referrer'). Look carefully at it - and please try it too - the unmatched quote mark has been injected in. In fact the referrer can also be easily faked to do this, and perhaps the URL field as well.

    This example would just cause a database error. Depending on how you have configured your live server, this may cause errors to appear on-screen, which could give useful information to an attacker.

    By luck and accident, it is not possible with this database library to run multiple SQL commands in the same query. That saves you from the most damaging kinds of injection, which would work as follows:

    referrer = My Browser', '', ''); DELETE FROM track; --

    What would happen in this case, if the library were to allow it? Well, it would finish off the existing query up to the first semi-colon, then dutifully delete everything in the table it just inserted to. The -- comment at the end then amends the remainder of the real query to a comment.

    However, it is absolutely not recommended to rely on the library not being able to do this. It is bad enough that an error can be caused, but an attacker might inject and run MySQL functions, which may not be safe. For tables that are used to implement security features, such as login, they might inject their own admin accounts, etc.

    The quickest solution here is to escape your input so it is not possible to do this. Try doing this to all your inputs:

    $stagent = mysql_real_escape_string($_SERVER['HTTP_USER_AGENT']);

    That will format special characters - in particular the apostrophe - so that they will be treated as part of the string, and not as a delimiter. Do this on all of your server variables, even if you don't think they need it - the worst that it can do is nothing.

    Lastly, this approach of escaping-and-concatenation mostly will protect you, but in security terms parameterisation is thought to be significantly safer. Unfortunately, this library does not support it, and since it is deprecated anyway (and removed in PHP 7), it is worth moving to PDO/mysql or MySQLi when you get the chance.

    Further reading: How can I prevent SQL-injection in PHP?

    This answer was selected by the asker as the best answer.
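Added example (not code from the question or the answer above): the same insert done with PDO prepared statements, as the answer recommends, with the one-row-per-IP-per-day requirement from the question enforced by the database itself. It assumes the `track` table from the question with two additions (a `v_day` DATE column and a unique key on `(v_ip, v_day)`); the host, database name and credentials are placeholders.

```php
<?php
// Added example, not the question's or the answer's code. Assumes the
// `track` table from the question, altered as follows (assumption):
//   ALTER TABLE track ADD COLUMN v_day DATE NOT NULL,
//                     ADD UNIQUE KEY uniq_ip_day (v_ip, v_day);
// Note: the question's v_ip is varchar(15), which only fits IPv4 addresses.

function recordVisit(PDO $db, array $server): bool
{
    // Missing keys (e.g. no Referer header sent) become '' instead of notices.
    $ip    = $server['REMOTE_ADDR']     ?? '';
    $agent = $server['HTTP_USER_AGENT'] ?? '';
    $url   = $server['REQUEST_URI']     ?? '';
    $ref   = $server['HTTP_REFERER']    ?? '';

    // Column lengths from the question's CREATE TABLE; truncate rather than fail.
    $agent = mb_substr($agent, 0, 100);
    $url   = mb_substr($url, 0, 100);
    $ref   = mb_substr($ref, 0, 200);

    // Values travel as bound parameters, never as part of the SQL text, so a
    // quote in the User-Agent or Referer cannot change the query structure.
    // INSERT IGNORE skips the row when (v_ip, v_day) already exists for today.
    $sql = 'INSERT IGNORE INTO track (v_time, v_day, v_ip, v_agent, v_url, v_ref)
            VALUES (NOW(), CURDATE(), :ip, :agent, :url, :ref)';
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':ip'    => $ip,
        ':agent' => $agent,
        ':url'   => $url,
        ':ref'   => $ref,
    ]);

    // rowCount() is 1 for a new row, 0 when this IP was already recorded today.
    return $stmt->rowCount() === 1;
}

$db = new PDO(
    'mysql:host=localhost;dbname=visitorsrecord;charset=utf8',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // errors as exceptions, not on-screen text
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]
);

$isFirstVisitToday = recordVisit($db, $_SERVER);
```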
