1 00:00:00,000 --> 00:00:09,250
2 00:00:09,250 --> 00:00:10,300 >> LUCIANO ARANGO: OK, guys.
3 00:00:10,300 --> 00:00:11,550 My name is Luciano Arango.
4 00:00:11,550 --> 00:00:13,915 I'm a sophomore in Adams House.
5 00:00:13,915 --> 00:00:17,550 And we're going to talk about web security active defense.
6 00:00:17,550 --> 00:00:24,220 So, I work for the Office of Information Security at SEAS.
7 00:00:24,220 --> 00:00:28,670 And over the summer, I interned at SeguraTec, which was an information
8 00:00:28,670 --> 00:00:31,310 security company that served the Bank of Colombia.
9 00:00:31,310 --> 00:00:34,740 That's mostly where I learned what I've learned so far.
10 00:00:34,740 --> 00:00:37,990 >> And so some of the material that we're going over today, we haven't
11 00:00:37,990 --> 00:00:39,670 really talked about in class.
12 00:00:39,670 --> 00:00:40,410 But we will soon.
13 00:00:40,410 --> 00:00:42,360 It's going to be things like SQL, JavaScript.
14 00:00:42,360 --> 00:00:44,870 And we haven't really gone over it.
15 00:00:44,870 --> 00:00:47,730 So I'm going to kind of fly through it, and you may know some things.
16 00:00:47,730 --> 00:00:48,890 But soon, you'll learn it.
17 00:00:48,890 --> 00:00:52,080 And it'll all make sense.
18 00:00:52,080 --> 00:00:54,010 Also another thing -
19 00:00:54,010 --> 00:00:55,780 stay ethical.
20 00:00:55,780 --> 00:01:00,560 Some of the things that you learn, you can use in unethical ways.
21 00:01:00,560 --> 00:01:01,950 >> If it's yours, definitely try.
22 00:01:01,950 --> 00:01:04,500 I definitely encourage you guys to try your own servers, try
23 00:01:04,500 --> 00:01:05,519 to go into them.
24 00:01:05,519 --> 00:01:08,500 See if you can penetrate them, if you can get into them.
25 00:01:08,500 --> 00:01:09,560 But not someone else's.
26 00:01:09,560 --> 00:01:12,390 Cops don't really take it as a joke, and in general, we put this in here.
27 00:01:12,390 --> 00:01:14,040 We're messing around.
28 00:01:14,040 --> 00:01:15,780 They get really angry.
29 00:01:15,780 --> 00:01:18,700 >> So head over to this website.
30 00:01:18,700 --> 00:01:23,560 I have it opened here.
31 00:01:23,560 --> 00:01:26,780 This is the website, and it has a bunch of examples.
32 00:01:26,780 --> 00:01:30,000 What happens is that the first example is kind of going to be much easier
33 00:01:30,000 --> 00:01:33,470 than the last example in the sense that the first example
34 00:01:33,470 --> 00:01:34,970 is completely insecure.
35 00:01:34,970 --> 00:01:40,850 And the last one is kind of what a normal web security person would do.
36 00:01:40,850 --> 00:01:42,760 But you can still kind of get at it.
37 00:01:42,760 --> 00:01:44,860 And we're going to focus on just one and two, examples one and two.
38 00:01:44,860 --> 00:01:49,880
39 00:01:49,880 --> 00:01:49,920 >> OK.
40 00:01:49,920 --> 00:01:52,780 Let's start with cross-site scripting.
41 00:01:52,780 --> 00:01:56,100 JavaScript runs on the client's browser.
42 00:01:56,100 --> 00:01:59,980 It's a programming language that you use to run on the client's browser so
43 00:01:59,980 --> 00:02:04,120 you don't have to update the website and go back to the server.
44 00:02:04,120 --> 00:02:04,940 You have it running.
45 00:02:04,940 --> 00:02:08,870 For example, Facebook, you don't have to reload the website for new status
46 00:02:08,870 --> 00:02:09,710 updates to come in.
47 00:02:09,710 --> 00:02:12,170 It's using JavaScript to generate all those things.
48 00:02:12,170 --> 00:02:16,290 So we can inject malicious JavaScript into a website.
49 00:02:16,290 --> 00:02:20,890 And that way, when we send a link to someone, we can kind of send it with
50 00:02:20,890 --> 00:02:23,050 some of the values that we want.
51 00:02:23,050 --> 00:02:26,450 >> There's persistent and non-persistent JavaScript -
52 00:02:26,450 --> 00:02:30,640 persistent and non-persistent cross-site scripting, I mean.
53 00:02:30,640 --> 00:02:33,760 And the difference is that persistent is JavaScript that will be
54 00:02:33,760 --> 00:02:36,060 saved on the website.
55 00:02:36,060 --> 00:02:39,780 And non-persistent will be JavaScript that really just happens once.
56 00:02:39,780 --> 00:02:41,795 So let's look at a real quick example.
57 00:02:41,795 --> 00:02:45,660
58 00:02:45,660 --> 00:02:46,130 >> OK.
59 00:02:46,130 --> 00:02:51,620 So this website, simple, nothing happens here.
60 00:02:51,620 --> 00:02:53,070 And we're going to try to inject some JavaScript.
61 00:02:53,070 --> 00:02:58,110 So the way we start writing JavaScript is we start with an opening script.
62 00:02:58,110 --> 00:03:00,570 And we close it with script.
63 00:03:00,570 --> 00:03:03,770 We're just going to put a message -
64 00:03:03,770 --> 00:03:05,410 I'll show you -
65 00:03:05,410 --> 00:03:06,500 alert.
66 00:03:06,500 --> 00:03:11,150 Alert is a function that JavaScript uses to display something.
67 00:03:11,150 --> 00:03:12,400 So let's try it real quick.
68 00:03:12,400 --> 00:03:15,600
69 00:03:15,600 --> 00:03:18,944 I'm going to go, alert hello.
70 00:03:18,944 --> 00:03:20,400 Well, I forgot to put -
71 00:03:20,400 --> 00:03:24,510
72 00:03:24,510 --> 00:03:25,460 OK.
73 00:03:25,460 --> 00:03:26,540 So that's simple.
74 00:03:26,540 --> 00:03:28,730 >> We put JavaScript on the website, and it came up.
75 00:03:28,730 --> 00:03:31,200 And it kind of just happens on our website, right?
76 00:03:31,200 --> 00:03:33,040 So it seems like it's not a problem, right?
77 00:03:33,040 --> 00:03:34,920 I mean, how can you use this maliciously?
78 00:03:34,920 --> 00:03:39,930 So the way that hackers do this is really simple.
79 00:03:39,930 --> 00:03:40,970 They're going to grab it.
80 00:03:40,970 --> 00:03:43,750 They can send a link to you.
81 00:03:43,750 --> 00:03:46,780 If I'd send this link to you right now, and you open it up, it's going to
82 00:03:46,780 --> 00:03:51,620 say, hello, saying that my website is telling you hello.
83 00:03:51,620 --> 00:03:57,280 >> And so if I were to say something a little smarter, if I pull up
84 00:03:57,280 --> 00:03:59,880 a JavaScript function I kind of already wrote -
85 00:03:59,880 --> 00:04:03,940 but if you look at it, I'll go over it before I write it.
86 00:04:03,940 --> 00:04:06,650 So we're going to set a timeout.
87 00:04:06,650 --> 00:04:08,450 We're going to wait for a couple of seconds.
88 00:04:08,450 --> 00:04:13,970 Actually, we're going to wait for, if I'm not mistaken, five seconds.
89 00:04:13,970 --> 00:04:15,870 This goes in milliseconds.
90 00:04:15,870 --> 00:04:18,640 And then what we're going to do is we're going to alert that your login
91 00:04:18,640 --> 00:04:21,459 has timed out, log back in.
92 00:04:21,459 --> 00:04:23,990 And we're going to change the location to a different location.
93 00:04:23,990 --> 00:04:30,370
94 00:04:30,370 --> 00:04:32,970 >> So if I send this website to someone, they're going to be
95 00:04:32,970 --> 00:04:34,380 browsing around, calm.
96 00:04:34,380 --> 00:04:35,650 Nothing happens.
97 00:04:35,650 --> 00:04:38,550 And in five seconds, it's going to say, your login has timed out.
98 00:04:38,550 --> 00:04:40,200 Please log back in.
99 00:04:40,200 --> 00:04:43,400 Once they click OK, I'm going to take them to another website.
100 00:04:43,400 --> 00:04:45,980 Presumably, the website is going to be similar to the website that
101 00:04:45,980 --> 00:04:47,280 they were on before.
102 00:04:47,280 --> 00:04:50,770 And they're going to enter their credentials into my website instead of
103 00:04:50,770 --> 00:04:51,850 their website.
104 00:04:51,850 --> 00:04:54,780 >> And so I can send people an email with this link.
105 00:04:54,780 --> 00:04:56,240 I say, oh, here's a link.
106 00:04:56,240 --> 00:04:57,290 This is a bank, for example.
107 00:04:57,290 --> 00:05:01,390 I say, here, go to this link.
108 00:05:01,390 --> 00:05:03,730 And once they're sent there, they're going to be browsing around.
109 00:05:03,730 --> 00:05:07,560 I can wait for 15 seconds, 20 seconds, and then pop that please log back in
110 00:05:07,560 --> 00:05:08,840 sign back up.
111 00:05:08,840 --> 00:05:10,120 You guys can try a lot more things.
112 00:05:10,120 --> 00:05:13,190 It's difficult because you guys haven't seen JavaScript, so you might
113 00:05:13,190 --> 00:05:14,750 not know some of the functions.
114 00:05:14,750 --> 00:05:18,625 But all you have to do is start with script, end with script.
115 00:05:18,625 --> 00:05:22,105
116 00:05:22,105 --> 00:05:25,510 And you can put anything in the middle.
117 00:05:25,510 --> 00:05:27,350 >> Alert is a function, wait for.
118 00:05:27,350 --> 00:05:29,365 Window location takes you to a new location.
119 00:05:29,365 --> 00:05:31,370 But you can do a lot more.
120 00:05:31,370 --> 00:05:32,630 And so the idea is what we take away.
121 00:05:32,630 --> 00:05:39,350 If I go to example two, and I put in that same code, it's
122 00:05:39,350 --> 00:05:40,210 not going to work.
123 00:05:40,210 --> 00:05:43,620 So it's printing everything out because what this website originally
124 00:05:43,620 --> 00:05:50,350 did is if I put anything here, it would print it out right here.
125 00:05:50,350 --> 00:05:52,390 So it's not printing anything.
126 00:05:52,390 --> 00:05:55,560 This example is actually checking to see if the script is there.
127 00:05:55,560 --> 00:05:57,163 So yeah, go ahead.
128 00:05:57,163 --> 00:05:57,606 Ask me.
129 00:05:57,606 --> 00:05:59,560 >> AUDIENCE: Is it sending a get or a post request?
130 00:05:59,560 --> 00:06:00,670 >> LUCIANO ARANGO: Yeah. They're sending a get request.
131 00:06:00,670 --> 00:06:01,350 >> AUDIENCE: It is?
132 00:06:01,350 --> 00:06:02,490 >> LUCIANO ARANGO: Yeah.
133 00:06:02,490 --> 00:06:04,030 Browsers also use post requests.
134 00:06:04,030 --> 00:06:07,470 But I'm trying to show get requests so we can see what
135 00:06:07,470 --> 00:06:10,760 exactly is going on.
136 00:06:10,760 --> 00:06:12,880 And so if we look at this code - so it doesn't work anymore.
137 00:06:12,880 --> 00:06:24,870 And if we look at this code, it's going to be in example two.
138 00:06:24,870 --> 00:06:29,300 What this person is doing, the person in charge of this browser -
139 00:06:29,300 --> 00:06:35,370 open it, OK -
140 00:06:35,370 --> 00:06:39,290 is replacing the word script.
141 00:06:39,290 --> 00:06:42,850 This is PHP, which you guys might have seen a little bit already.
142 00:06:42,850 --> 00:06:46,250 >> He's replacing just the word script with nothing.
143 00:06:46,250 --> 00:06:50,895 So anyway, if I go ahead and just put in -
144 00:06:50,895 --> 00:06:58,520
145 00:06:58,520 --> 00:07:02,360 if I grab my code again, and I'm going to modify it just a little.
146 00:07:02,360 --> 00:07:15,010 Instead of script, I'm going to change it to script with a capital R. And
147 00:07:15,010 --> 00:07:16,390 we're going to see if this code works.
148 00:07:16,390 --> 00:07:19,090 So it didn't print out, which is a good sign.
149 00:07:19,090 --> 00:07:21,990 And hopefully in a couple more seconds, it'll pop up.
150 00:07:21,990 --> 00:07:22,820 >> Your login has timed out.
151 00:07:22,820 --> 00:07:23,210 OK.
152 00:07:23,210 --> 00:07:24,460 That's fine.
153 00:07:24,460 --> 00:07:27,670 So checking for script might not necessarily work.
154 00:07:27,670 --> 00:07:28,130 The person -
155 00:07:28,130 --> 00:07:32,290 could also check for script uppercase, script lowercase, str case
156 00:07:32,290 --> 00:07:34,180 compare, making sure it's the same.
157 00:07:34,180 --> 00:07:38,480 But the hacker can still kind of do what we did in Vigenere when we shifted
158 00:07:38,480 --> 00:07:40,620 characters back a couple, moving forward.
159 00:07:40,620 --> 00:07:43,470 And you can figure out how to put script back in there so it can inject
160 00:07:43,470 --> 00:07:44,460 that script.
161 00:07:44,460 --> 00:07:50,370 >> So what you want to use is htmlspecialchars to
162 00:07:50,370 --> 00:07:51,330 protect your website.
163 00:07:51,330 --> 00:07:56,490 And what this does is it makes sure that what you put in -
164 00:07:56,490 --> 00:07:59,610 for example, quotes or this greater than or less than -
165 00:07:59,610 --> 00:08:04,701 is replaced with something that isn't going to be -
166 00:08:04,701 --> 00:08:05,951 let me pull it up here -
167 00:08:05,951 --> 00:08:08,730
168 00:08:08,730 --> 00:08:09,685 the actual ampersand.
169 00:08:09,685 --> 00:08:13,420 It'll replace those HTML special characters that we'll see when we're
170 00:08:13,420 --> 00:08:14,670 talking about -
171 00:08:14,670 --> 00:08:18,635
172 00:08:18,635 --> 00:08:20,740 oh, this is going to take me back -
173 00:08:20,740 --> 00:08:24,220
174 00:08:24,220 --> 00:08:25,380 these characters here.
175 00:08:25,380 --> 00:08:28,180 >> These mean that something is coming.
176 00:08:28,180 --> 00:08:31,570 For HTML, that opening bracket tells us that something
177 00:08:31,570 --> 00:08:33,299 HTML related is coming.
178 00:08:33,299 --> 00:08:33,980 And we want to get rid of that.
179 00:08:33,980 --> 00:08:36,200 We don't want to put HTML in the website. We don't want the user to be
180 00:08:36,200 --> 00:08:40,260 able to put something into their website that could affect their website, like
181 00:08:40,260 --> 00:08:43,480 script or HTML or something like that.
182 00:08:43,480 --> 00:08:53,090 What's important is that you sanitize user input.
183 00:08:53,090 --> 00:08:54,720 >> So users can input a lot of things.
184 00:08:54,720 --> 00:08:58,110 They can input a bunch of things to try to trick your browser into still
185 00:08:58,110 --> 00:08:59,410 running this script code.
186 00:08:59,410 --> 00:09:02,870 What you want to do is not just check for script, but check for everything
187 00:09:02,870 --> 00:09:04,250 that could be bad.
188 00:09:04,250 --> 00:09:06,800 And htmlspecialchars will do that for you, so you don't have
189 00:09:06,800 --> 00:09:07,340 to worry about that.
190 00:09:07,340 --> 00:09:12,280 But don't try to do it yourself kind of with your own code.
191 00:09:12,280 --> 00:09:14,055 Is everyone clear on XSS?
192 00:09:14,055 --> 00:09:14,370 >> OK.
193 00:09:14,370 --> 00:09:16,355 Let's go to SQL injection.
194 00:09:16,355 --> 00:09:21,010 So SQL injection is probably the number one vulnerability
195 00:09:21,010 --> 00:09:22,490 in various websites.
196 00:09:22,490 --> 00:09:24,350 I mean, a good example -
197 00:09:24,350 --> 00:09:27,350 I was just researching stuff for this thing.
198 00:09:27,350 --> 00:09:34,430 And I found this amazing article, where I saw that Harvard was breached,
199 00:09:34,430 --> 00:09:35,390 was hacked.
200 00:09:35,390 --> 00:09:37,370 And I was wondering, well, how did they do it?
201 00:09:37,370 --> 00:09:41,660 Harvard's the most amazing, most secure university ever.
202 00:09:41,660 --> 00:09:43,850 Right?
203 00:09:43,850 --> 00:09:45,410 Well, to breach the servers, the hackers used
204 00:09:45,410 --> 00:09:47,710 a technique called SQL injection.
205 00:09:47,710 --> 00:09:50,250 >> So this happens on a day to day basis.
206 00:09:50,250 --> 00:09:53,590 People forget to account for SQL injection.
207 00:09:53,590 --> 00:09:54,930 Harvard did.
208 00:09:54,930 --> 00:10:00,050 I think it says here, Princeton, Stanford, Cornell.
209 00:10:00,050 --> 00:10:03,550 So how do we - so what is this SQL injection that's bringing all these
210 00:10:03,550 --> 00:10:05,668 people down?
211 00:10:05,668 --> 00:10:08,010 OK.
212 00:10:08,010 --> 00:10:12,090 So SQL is a programming language that we use to access databases.
213 00:10:12,090 --> 00:10:14,560 What we do is we select -
214 00:10:14,560 --> 00:10:18,510 so what this is saying right now is select everything from the table.
215 00:10:18,510 --> 00:10:22,640 >> SQL, it goes into this database that has a whole table of information.
216 00:10:22,640 --> 00:10:26,550 So select everything from users where name is username.
217 00:10:26,550 --> 00:10:28,120 Right?
218 00:10:28,120 --> 00:10:30,770 Simple enough.
219 00:10:30,770 --> 00:10:34,490 The idea of SQL injection is that we insert some malicious code that would
220 00:10:34,490 --> 00:10:37,270 trick the server into running something different than what it
221 00:10:37,270 --> 00:10:38,430 was originally running.
222 00:10:38,430 --> 00:10:44,970 So let's say for the username, we put or 1 equals 1.
223 00:10:44,970 --> 00:10:46,700 So we put in or 1 equals 1.
224 00:10:46,700 --> 00:10:49,890 The way it would read now would be select from users, everything from
225 00:10:49,890 --> 00:10:51,360 users - this is everything -
226 00:10:51,360 --> 00:10:55,880 where name is username, but the username is or 1 equals 1.
227 00:10:55,880 --> 00:11:01,760 >> So name is something or 1 equals 1.
228 00:11:01,760 --> 00:11:04,060 1 equals 1 is always true.
229 00:11:04,060 --> 00:11:07,690 So this will always return the information from users.
230 00:11:07,690 --> 00:11:08,100 OK.
231 00:11:08,100 --> 00:11:10,030 We don't need to have the correct username.
232 00:11:10,030 --> 00:11:14,240 We can just have whatever we want, and it'll return the information
233 00:11:14,240 --> 00:11:15,690 that we need.
234 00:11:15,690 --> 00:11:17,160 Let's look at another example.
235 00:11:17,160 --> 00:11:22,720 >> If we have select everything from user, where name is drop TABLE users -
236 00:11:22,720 --> 00:11:26,420 so what do you think this statement will do if I put in the username
237 00:11:26,420 --> 00:11:29,560 as drop TABLE users?
238 00:11:29,560 --> 00:11:30,230 Anyone have an idea?
239 00:11:30,230 --> 00:11:31,050 Yes.
240 00:11:31,050 --> 00:11:32,470 >> AUDIENCE: It's going to tell it to dump all the tables.
241 00:11:32,470 --> 00:11:35,460 >> LUCIANO ARANGO: It's going to tell us to dump everything in the website,
242 00:11:35,460 --> 00:11:38,290 everything in the database.
243 00:11:38,290 --> 00:11:41,910 And what people use this for - so I'm going to show you guys.
244 00:11:41,910 --> 00:11:45,462 I disabled drop table because I don't want you
245 00:11:45,462 --> 00:11:48,240 guys dropping my table.
246 00:11:48,240 --> 00:11:49,850 Let's look at this.
247 00:11:49,850 --> 00:11:54,410 So this just pulls up the information for a certain person.
248 00:11:54,410 --> 00:11:57,550 So how do we know if this is vulnerable to SQL injection?
249 00:11:57,550 --> 00:12:01,545 We're going to check real quick if we can put something -
250 00:12:01,545 --> 00:12:04,990
251 00:12:04,990 --> 00:12:06,080 let me copy this code.
252 00:12:06,080 --> 00:12:08,140 I'm going to go over it in a second.
253 00:12:08,140 --> 00:12:12,210 I'm going to put root and 1 equals 1.
254 00:12:12,210 --> 00:12:15,510 >> Right here, this percent sign 23 -
255 00:12:15,510 --> 00:12:19,970 what it actually is, if I look right here in -
256 00:12:19,970 --> 00:12:23,820 the way HTML takes in numbers, if you look when I put in a space
257 00:12:23,820 --> 00:12:28,380 here - if I were to put a space here, it changes to percent 2.
258 00:12:28,380 --> 00:12:31,420 Do you guys see right here when I put in a space?
259 00:12:31,420 --> 00:12:36,710 The way that works is that you can only send ASCII values through HTML.
260 00:12:36,710 --> 00:12:40,330 So a space, for example, is replaced by percent 20.
261 00:12:40,330 --> 00:12:41,970 I don't know if you guys have seen that before.
262 00:12:41,970 --> 00:12:45,100 >> It replaces the pound sign with percent 23.
263 00:12:45,100 --> 00:12:50,840 We need the pound sign at the end of the or statement so we can tell
264 00:12:50,840 --> 00:13:00,885 it to forget, comment out this last semicolon at the end.
265 00:13:00,885 --> 00:13:03,060 We want to think about that.
266 00:13:03,060 --> 00:13:05,980 We just want to run everything that we have before and
267 00:13:05,980 --> 00:13:07,450 comment that out.
268 00:13:07,450 --> 00:13:08,710 Let's look into that.
269 00:13:08,710 --> 00:13:14,670 >> So if I were to put something wrong - let's say for example, I put 2 equals
270 00:13:14,670 --> 00:13:15,690 1, it doesn't give me anything.
271 00:13:15,690 --> 00:13:22,930 When I put in 1 equals 1, and it does return something, this tells me that
272 00:13:22,930 --> 00:13:24,660 this is vulnerable to SQL injection.
273 00:13:24,660 --> 00:13:29,090 I know now that everything I put after this -
274 00:13:29,090 --> 00:13:39,110 and for example, drop TABLES or something like that
275 00:13:39,110 --> 00:13:41,190 would definitely work.
276 00:13:41,190 --> 00:13:44,350 I know it's vulnerable to SQL injection because I know that
277 00:13:44,350 --> 00:13:49,850 under the hood, it's letting me do the 1 equals 1 thing.
278 00:13:49,850 --> 00:13:51,100 OK?
279 00:13:51,100 --> 00:13:53,950
280 00:13:53,950 --> 00:13:56,540 >> And if we look at these other ones, number two and number three, it's
281 00:13:56,540 --> 00:13:59,110 going to do a little more checking under the
282 00:13:59,110 --> 00:14:03,680 hood of what it is.
283 00:14:03,680 --> 00:14:07,425 So has anyone been able to drop anything yet or tried?
284 00:14:07,425 --> 00:14:08,760 Do you guys kind of get SQL yet?
285 00:14:08,760 --> 00:14:10,430 Because I know you guys haven't seen it yet, so it's kind of
286 00:14:10,430 --> 00:14:11,759 confusing for you guys.
287 00:14:11,759 --> 00:14:16,160
288 00:14:16,160 --> 00:14:18,480 Let's look.
289 00:14:18,480 --> 00:14:21,270 So what's the way to prevent SQLI?
290 00:14:21,270 --> 00:14:21,390 OK.
291 00:14:21,390 --> 00:14:23,330 So this is important because you guys definitely want to prevent
292 00:14:23,330 --> 00:14:24,090 this on your website.
293 00:14:24,090 --> 00:14:28,040 >> If not, all your friends are going to make fun of you when they drop all
294 00:14:28,040 --> 00:14:29,390 your tables.
295 00:14:29,390 --> 00:14:36,150 So the idea is that you fix the SQL in a certain way, where it matches
296 00:14:36,150 --> 00:14:41,940 what the user inputs to a certain string.
297 00:14:41,940 --> 00:14:46,120 So the way this works is you prepare the database.
298 00:14:46,120 --> 00:14:50,830 Select name, color, and calories from a list called fruit.
299 00:14:50,830 --> 00:14:53,580 And then where calories is less than, and we put a question mark there
300 00:14:53,580 --> 00:14:56,530 saying we're going to input something in a second.
301 00:14:56,530 --> 00:14:58,850 >> And color equals, and we put a question mark saying we're going to
302 00:14:58,850 --> 00:15:00,913 input something in a second as well.
303 00:15:00,913 --> 00:15:02,660 OK?
304 00:15:02,660 --> 00:15:09,920 And then we're going to execute it, put in 150 and red.
305 00:15:09,920 --> 00:15:12,820 And this checks to make sure that these two -
306 00:15:12,820 --> 00:15:15,300 this line checks that these two are an integer and
307 00:15:15,300 --> 00:15:16,550 that this is a string.
308 00:15:16,550 --> 00:15:18,810
309 00:15:18,810 --> 00:15:20,890 Then we go, and we fetch all, we put it in red.
310 00:15:20,890 --> 00:15:21,964 That means we fetch all.
311 00:15:21,964 --> 00:15:26,790 It means we actually execute the SQL statement and put it back into red.
312 00:15:26,790 --> 00:15:30,530 Here we do it, but we do it with yellow.
313 00:15:30,530 --> 00:15:32,490 And we fetch all.
314 00:15:32,490 --> 00:15:36,140 >> And this way, we prevent the user from being able to input something
315 00:15:36,140 --> 00:15:41,710 that isn't what we specified, a string or an integer, for example.
316 00:15:41,710 --> 00:15:45,100
317 00:15:45,100 --> 00:15:46,610 I was talking earlier about relying on other people.
318 00:15:46,610 --> 00:15:50,010 When you guys start your project, you're definitely most likely going to use
319 00:15:50,010 --> 00:15:52,310 bootstrap or something similar.
320 00:15:52,310 --> 00:15:53,490 Have you guys ever used Wordpress?
321 00:15:53,490 --> 00:15:57,170 You guys have probably used Wordpress most likely.
322 00:15:57,170 --> 00:16:00,050 So the problem with using other people's things -
323 00:16:00,050 --> 00:16:05,940 I'm going to just Google real quick Wordpress vulnerabilities.
324 00:16:05,940 --> 00:16:07,495 >> If I pull this up right now -
325 00:16:07,495 --> 00:16:08,995 I literally did a two second Google.
326 00:16:08,995 --> 00:16:12,300
327 00:16:12,300 --> 00:16:13,800 We can see that Wordpress -
328 00:16:13,800 --> 00:16:17,450 this is dated like September '12.
329 00:16:17,450 --> 00:16:19,120 26 is updated.
330 00:16:19,120 --> 00:16:23,620 The default configuration of Wordpress before 3.6 does not prevent certain
331 00:16:23,620 --> 00:16:27,110 uploads, which might make it easier for
332 00:16:27,110 --> 00:16:29,790 cross-site scripting attacks.
333 00:16:29,790 --> 00:16:34,530 So quick story, once we were working with - so I was, in the summer, doing
334 00:16:34,530 --> 00:16:34,970 an internship.
335 00:16:34,970 --> 00:16:40,400 And we were working with kind of like a big credit card company.
336 00:16:40,400 --> 00:16:42,020 >> And they relied on something called -
337 00:16:42,020 --> 00:16:45,740 I don't know if you guys have ever played with a product called Joomla.
338 00:16:45,740 --> 00:16:51,750 Joomla is a product that's used to control - kind of similar to
339 00:16:51,750 --> 00:16:54,340 Wordpress, used to build websites.
340 00:16:54,340 --> 00:16:56,060 So they had their website running on Joomla.
341 00:16:56,060 --> 00:16:59,290 This is actually a card company in Colombia.
342 00:16:59,290 --> 00:17:01,000 I'll take you to their website real quick.
343 00:17:01,000 --> 00:17:04,550
344 00:17:04,550 --> 00:17:05,400 >> So they used Joomla.
345 00:17:05,400 --> 00:17:08,630 And they hadn't updated Joomla in a while either.
346 00:17:08,630 --> 00:17:12,160 And so when we were taking a look at their code, we were able to actually
347 00:17:12,160 --> 00:17:18,430 go into their code and steal all the card information that they had,
348 00:17:18,430 --> 00:17:21,670 all the card numbers, names, addresses.
349 00:17:21,670 --> 00:17:22,740 And this was just -
350 00:17:22,740 --> 00:17:23,569 and their code was perfectly fine.
351 00:17:23,569 --> 00:17:24,710 They had great code.
352 00:17:24,710 --> 00:17:25,389 It was all secure.
353 00:17:25,389 --> 00:17:26,520 They checked all the databases.
354 00:17:26,520 --> 00:17:29,020 They made sure cross-site scripting was fine.
355 00:17:29,020 --> 00:17:34,390 >> But they used something that wasn't updated, that wasn't secure.
356 00:17:34,390 --> 00:17:36,940 And so that led them - so you guys are definitely going to use other
357 00:17:36,940 --> 00:17:40,650 code, other people's frameworks to build your website.
358 00:17:40,650 --> 00:17:43,860 Make sure they're secure because sometimes it's not you, the person
359 00:17:43,860 --> 00:17:44,480 who makes the mistake.
360 00:17:44,480 --> 00:17:47,440 But someone else makes the mistake, and then you fall down because of that.
361 00:17:47,440 --> 00:17:51,190
362 00:17:51,190 --> 00:17:53,885 >> Passwords and PII.
363 00:17:53,885 --> 00:17:56,820 So passwords.
364 00:17:56,820 --> 00:17:58,070 OK.
365 00:17:58,070 --> 00:17:59,980
366 00:17:59,980 --> 00:18:04,230 Let's look at passwords real quick.
367 00:18:04,230 --> 00:18:04,590 OK.
368 00:18:04,590 --> 00:18:06,520 Please tell me that everyone uses secure -
369 00:18:06,520 --> 00:18:09,030 I hope everyone here uses secure passwords.
370 00:18:09,030 --> 00:18:12,890 I'm just going to leave that in as an assumption.
371 00:18:12,890 --> 00:18:14,850 So you guys are definitely going to store passwords for your website.
372 00:18:14,850 --> 00:18:17,440 You're going to do something like a login or something like that.
373 00:18:17,440 --> 00:18:19,610 What's important is not to store passwords in plain text.
374 00:18:19,610 --> 00:18:20,860 This is very important.
375 00:18:20,860 --> 00:18:23,960 You don't want to store passwords in plain text.
376 00:18:23,960 --> 00:18:27,370 >> And you obviously don't really want to store them with a one way hash.
377 00:18:27,370 --> 00:18:32,440 So what a one way hash is is that when you generate a word, when you put this
378 00:18:32,440 --> 00:18:36,200 word into a hash, it'll generate back some kind of cryptic
379 00:18:36,200 --> 00:18:39,390 message or cryptic set of keys.
380 00:18:39,390 --> 00:18:40,640 I'll show you an example.
381 00:18:40,640 --> 00:18:44,620
382 00:18:44,620 --> 00:18:50,250 I'm going to hash the word password1.
383 00:18:50,250 --> 00:18:55,280 So the md5 hash is going to return to me some kind of weird information.
384 00:18:55,280 --> 00:18:59,140 >> The problem is that there are people out there who, if you go on a website,
385 00:18:59,140 --> 00:19:02,750 have already figured out kind of all the md5 hashes.
386 00:19:02,750 --> 00:19:06,030 What they did is they sat on their computers, and they hashed every
387 00:19:06,030 --> 00:19:09,660 single possible word out there until they got kind of what this is.
388 00:19:09,660 --> 00:19:11,420 If I were to look this up -
389 00:19:11,420 --> 00:19:12,420 I just grabbed this hash.
390 00:19:12,420 --> 00:19:14,120 If I get this hash from -
391 00:19:14,120 --> 00:19:17,470 if I go into a website, and I get this hash because I get into the
392 00:19:17,470 --> 00:19:24,100 database, and I look it up, someone's already figured it out for me.
393 00:19:24,100 --> 00:19:28,600
394 00:19:28,600 --> 00:19:29,100 >> Yeah.
395 00:19:29,100 --> 00:19:35,030 So people sat down, and whatever md5 hash that you put in, they're going to
396 00:19:35,030 --> 00:19:37,760 return something that's a word.
397 00:19:37,760 --> 00:19:39,800 If I hash another word, like -
398 00:19:39,800 --> 00:19:42,410 I don't know -
399 00:19:42,410 --> 00:19:43,490 trees2.
400 00:19:43,490 --> 00:19:46,050 I don't want to be disappointed with my Google search.
401 00:19:46,050 --> 00:19:49,820
402 00:19:49,820 --> 00:19:52,780 There it is, trees2.
403 00:19:52,780 --> 00:19:55,930 So a lot of websites still use the md5 hash.
404 00:19:55,930 --> 00:19:57,730 They say, oh, it's secure.
405 00:19:57,730 --> 00:19:58,570 We're not storing it in plain text.
406 00:19:58,570 --> 00:19:59,740 We have this md5 hash.
407 00:19:59,740 --> 00:20:01,880 And all I have to do is Google the number.
408 00:20:01,880 --> 00:20:03,940 >> I don't even have to compute it myself.
409 00:20:03,940 --> 00:20:06,790 I can just Google it, and someone already did it for me.
410 00:20:06,790 --> 00:20:08,010 Here's a bunch of them.
411 00:20:08,010 --> 00:20:09,260 Here's a bunch of passwords.
412 00:20:09,260 --> 00:20:13,890
413 00:20:13,890 --> 00:20:18,680 So obviously don't use the md5 hash, because all you have
414 00:20:18,680 --> 00:20:19,140 to do is Google it.
415 00:20:19,140 --> 00:20:20,390 So what do you want to use instead?
416 00:20:20,390 --> 00:20:29,340
417 00:20:29,340 --> 00:20:30,170 OK.
418 00:20:30,170 --> 00:20:31,260 Something called salting.
419 00:20:31,260 --> 00:20:32,460 So what salting is -
420 00:20:32,460 --> 00:20:36,280 do you guys remember when we were talking about random in -
421 00:20:36,280 --> 00:20:37,920 I'm not sure what pset it was -
422 00:20:37,920 --> 00:20:41,140 was it pset three or four?
423 00:20:41,140 --> 00:20:45,150 >> We were talking about finding a needle in a haystack.
424 00:20:45,150 --> 00:20:48,480 And in the pset, it said that you could actually figure out what random
425 00:20:48,480 --> 00:20:51,840 generates because someone already ran random a million times and just
426 00:20:51,840 --> 00:20:53,230 kind of logged what it generates.
427 00:20:53,230 --> 00:20:55,840 What you want to do is put in an input.
428 00:20:55,840 --> 00:20:57,130 So that's what salting kind of is.
429 00:20:57,130 --> 00:21:00,900 They've already figured out what salting returns for each function.
430 00:21:00,900 --> 00:21:04,750 >> So what salting does is put in a salt. 431 00:21:04,750 --> 00:21:06,160 Put in a certain word. 432 00:21:06,160 --> 00:21:09,720 And it will hash the word differently depending on what you put in here. 433 00:21:09,720 --> 00:21:13,570 So if I hash password1 with this sentence, it's going to hash 434 00:21:13,570 --> 00:21:17,180 differently than if I hash password1 with a different sentence. 435 00:21:17,180 --> 00:21:21,670 It kind of gives the hashing somewhere to start. 436 00:21:21,670 --> 00:21:25,970 So it's much harder to compute, but they can still compute it, especially 437 00:21:25,970 --> 00:21:26,830 if you use a bad salt. 438 00:21:26,830 --> 00:21:29,650 >> People have also already figured out the common salts and figured out 439 00:21:29,650 --> 00:21:31,500 what they are. 440 00:21:31,500 --> 00:21:34,980 Random salts are better, but the best way is to use 441 00:21:34,980 --> 00:21:38,160 something called crypt. 442 00:21:38,160 --> 00:21:40,480 And what crypt will do - so these functions are 443 00:21:40,480 --> 00:21:41,820 already built for you. 444 00:21:41,820 --> 00:21:44,910 A lot of people forget that, or they forget to use it. 445 00:21:44,910 --> 00:21:54,520 But if I look up PHP crypt, crypt already returns a hashed string for me. 446 00:21:54,520 --> 00:21:58,790 And it actually salts it many times and hashes it many times. 447 00:21:58,790 --> 00:22:00,070 >> So we don't have to do that. 448 00:22:00,070 --> 00:22:04,790 So all you do is send it into crypt. 449 00:22:04,790 --> 00:22:08,170 And it will create a great hash without you having to worry about the salt 450 00:22:08,170 --> 00:22:08,990 or anything. 
451 00:22:08,990 --> 00:22:12,000 Because if you were to salt it yourself, you have to remember what salt you used, 452 00:22:12,000 --> 00:22:13,800 because if not, you can't get your password back without 453 00:22:13,800 --> 00:22:15,760 the salt that you used. 454 00:22:15,760 --> 00:22:17,010 OK. 455 00:22:17,010 --> 00:22:21,120 456 00:22:21,120 --> 00:22:23,150 >> And also personally identifiable information. 457 00:22:23,150 --> 00:22:26,730 So Social Security, credit cards - that's pretty obvious. 458 00:22:26,730 --> 00:22:31,880 But sometimes people forget the way it works: how much information do 459 00:22:31,880 --> 00:22:35,690 you actually need to find one particular person? 460 00:22:35,690 --> 00:22:37,740 Someone did a study about this a while back. 461 00:22:37,740 --> 00:22:40,870 And it was like, if you have a full name, you can't find 462 00:22:40,870 --> 00:22:41,610 a person easily. 463 00:22:41,610 --> 00:22:43,900 But what if you have a full name and their date of birth? 464 00:22:43,900 --> 00:22:47,770 Is that enough to identify a person exactly? 465 00:22:47,770 --> 00:22:52,760 >> What if you have their names and the street address that they live at? 466 00:22:52,760 --> 00:22:55,110 Is that enough to find a person? 467 00:22:55,110 --> 00:23:02,490 And that's when they ask the question, what is personally identifiable, and 468 00:23:02,490 --> 00:23:05,360 what should you worry about not giving away? 469 00:23:05,360 --> 00:23:08,770 If you give away personally identifiable information that someone gives you, 470 00:23:08,770 --> 00:23:11,420 you can potentially get sued. 471 00:23:11,420 --> 00:23:12,610 And we obviously don't want that. 472 00:23:12,610 --> 00:23:14,955 >> So when you're putting your website out there, with a really cool 473 00:23:14,955 --> 00:23:17,230 design, hopefully you did awesome on the final project. 474 00:23:17,230 --> 00:23:18,370 Everyone kind of wants to put it out there. 
475 00:23:18,370 --> 00:23:21,420 You want to make sure that everything you're taking from the user, if it's 476 00:23:21,420 --> 00:23:25,310 personally identifiable, you want to make sure you're being really 477 00:23:25,310 --> 00:23:26,560 careful with it. 478 00:23:26,560 --> 00:23:29,670 479 00:23:29,670 --> 00:23:31,080 >> Shell injection. 480 00:23:31,080 --> 00:23:31,350 OK. 481 00:23:31,350 --> 00:23:37,590 Shell injection allows an intruder to get to your actual command line 482 00:23:37,590 --> 00:23:39,660 on your computer. 483 00:23:39,660 --> 00:23:44,060 And so he's able to run code that you can't control. 484 00:23:44,060 --> 00:23:49,560 Let's take the example of this nice string here. 485 00:23:49,560 --> 00:23:55,570 If we go into the website again, I'm going into code injection. 486 00:23:55,570 --> 00:23:58,910 So what this does is - 487 00:23:58,910 --> 00:24:00,420 it's also what we were looking at before. 488 00:24:00,420 --> 00:24:11,200 We're letting the user put in whatever he wants, and it will print out 489 00:24:11,200 --> 00:24:12,220 whatever you want. 490 00:24:12,220 --> 00:24:13,890 >> So I'm going to put in a call. 491 00:24:13,890 --> 00:24:15,540 What this is - 492 00:24:15,540 --> 00:24:16,940 it will start by concatenating. 493 00:24:16,940 --> 00:24:19,520 So let me run whatever command the person ran 494 00:24:19,520 --> 00:24:21,500 before along with my command. 495 00:24:21,500 --> 00:24:23,980 And I'm running the system command. 496 00:24:23,980 --> 00:24:27,310 And those last strings are - remember what I talked to you guys about, 497 00:24:27,310 --> 00:24:31,725 where you have to encode it the URL way. 498 00:24:31,725 --> 00:24:35,010 499 00:24:35,010 --> 00:24:36,992 If I run this now - 500 00:24:36,992 --> 00:24:39,150 I'll show you up here - 501 00:24:39,150 --> 00:24:41,100 you'll see that I ended up running a command. 
502 00:24:41,100 --> 00:24:45,700 503 00:24:45,700 --> 00:24:49,320 >> This is actually the real server that my website is running on. 504 00:24:49,320 --> 00:24:55,840 505 00:24:55,840 --> 00:24:58,510 So we don't want that, because I can't run - 506 00:24:58,510 --> 00:25:00,320 this server isn't mine. 507 00:25:00,320 --> 00:25:04,030 So I don't want to mess up his server, Marcus's server. 508 00:25:04,030 --> 00:25:07,470 But you can run more commands that are dangerous. 509 00:25:07,470 --> 00:25:11,885 And potentially, you can delete files, remove directories. 510 00:25:11,885 --> 00:25:14,390 511 00:25:14,390 --> 00:25:17,970 I could remove a certain directory if I wanted to, but I don't want to 512 00:25:17,970 --> 00:25:19,530 do that to Marcus. 513 00:25:19,530 --> 00:25:20,420 He's a nice guy. 514 00:25:20,420 --> 00:25:21,470 He let me borrow his server. 515 00:25:21,470 --> 00:25:24,620 So I'm going to let him off easy. 516 00:25:24,620 --> 00:25:32,280 >> So what we don't want to use - we don't want to use eval or system. 517 00:25:32,280 --> 00:25:34,755 Eval or system allows us to make these system calls. 518 00:25:34,755 --> 00:25:37,410 519 00:25:37,410 --> 00:25:38,410 Eval means evaluate. 520 00:25:38,410 --> 00:25:40,790 System means what I'm running. 521 00:25:40,790 --> 00:25:42,490 It runs something on the system. 522 00:25:42,490 --> 00:25:46,730 But we can avoid these things in PHP so that we don't use them. 523 00:25:46,730 --> 00:25:47,400 And file upload. 524 00:25:47,400 --> 00:25:49,180 I was going to do something awesome with file upload. 525 00:25:49,180 --> 00:25:52,740 But as I told you guys, my file upload thing isn't working. 
526 00:25:52,740 --> 00:25:54,590 If I were to upload a file right now - 527 00:25:54,590 --> 00:25:57,120 528 00:25:57,120 --> 00:26:00,830 if I were to upload a file, and it's an image - 529 00:26:00,830 --> 00:26:03,180 you upload something that's an image. 530 00:26:03,180 --> 00:26:03,660 That's fine. 531 00:26:03,660 --> 00:26:04,280 Nothing happens. 532 00:26:04,280 --> 00:26:10,840 >> But if you have a file upload, for example, and the user actually uploads 533 00:26:10,840 --> 00:26:19,220 a PHP file or an exe file or something like that, then you can potentially 534 00:26:19,220 --> 00:26:19,740 have a problem. 535 00:26:19,740 --> 00:26:21,390 This was working before. 536 00:26:21,390 --> 00:26:25,202 Unfortunately for me, it's not working anymore. 537 00:26:25,202 --> 00:26:30,230 If I, for example, upload this file, I'm not getting permission to upload 538 00:26:30,230 --> 00:26:33,400 the file because the server isn't mine. 539 00:26:33,400 --> 00:26:38,670 So the guy's really smart. 540 00:26:38,670 --> 00:26:39,610 >> So we don't want - 541 00:26:39,610 --> 00:26:40,130 I'm going to show you guys - 542 00:26:40,130 --> 00:26:41,840 OK, these are some really cool tools. 543 00:26:41,840 --> 00:26:45,100 So those - 544 00:26:45,100 --> 00:26:47,715 go into - if you guys have Firefox - hopefully you do. 545 00:26:47,715 --> 00:26:54,260 There are two add-ons called SQL Inject Me and Cross Site Script Me. 546 00:26:54,260 --> 00:26:56,870 They open a little side bar on the side. 547 00:26:56,870 --> 00:27:01,480 And if I were to go to CS60 for example - 548 00:27:01,480 --> 00:27:04,210 so what it does is it looks for all the forms - 549 00:27:04,210 --> 00:27:07,220 550 00:27:07,220 --> 00:27:08,760 hopefully, I don't get in trouble for this. 551 00:27:08,760 --> 00:27:09,190 >> But OK. 552 00:27:09,190 --> 00:27:12,600 Here's the login system. 
553 00:27:12,600 --> 00:27:18,946 So when I start looking for holes in a system, the first thing I do is 554 00:27:18,946 --> 00:27:21,820 open this nice little tool on the side. 555 00:27:21,820 --> 00:27:24,160 And I'm going to test the form with automated attacks. 556 00:27:24,160 --> 00:27:28,510 And so what this does is it slowly opens a bunch of browsers. 557 00:27:28,510 --> 00:27:29,930 Here's a bunch of browsers. 558 00:27:29,930 --> 00:27:33,320 And it tries every single combination of cross-site scripting 559 00:27:33,320 --> 00:27:37,380 that there possibly is, as you can see on the side. 560 00:27:37,380 --> 00:27:42,080 >> And it will give me a result of kind of what the answer is. 561 00:27:42,080 --> 00:27:42,860 All passed. 562 00:27:42,860 --> 00:27:43,910 Obviously, they all passed. 563 00:27:43,910 --> 00:27:46,190 I mean, there are really smart people there. 564 00:27:46,190 --> 00:27:48,010 But if I were to run - 565 00:27:48,010 --> 00:27:52,050 I've had times before when I ran this on students' final projects. 566 00:27:52,050 --> 00:27:56,080 I just run SQL Inject Me with all the different attacks. 567 00:27:56,080 --> 00:28:00,080 And it tries to SQL inject this login server. 568 00:28:00,080 --> 00:28:03,590 So if we scroll down, for example, it says - 569 00:28:03,590 --> 00:28:04,960 this is good when it returns. 570 00:28:04,960 --> 00:28:08,250 >> So it tested some certain values. 571 00:28:08,250 --> 00:28:11,170 And the server returned a code that was bad. 572 00:28:11,170 --> 00:28:11,780 Removed temporarily. 573 00:28:11,780 --> 00:28:13,030 This is good. 574 00:28:13,030 --> 00:28:17,050 575 00:28:17,050 --> 00:28:20,750 It tries all those tests. 576 00:28:20,750 --> 00:28:21,790 So you can just run - 577 00:28:21,790 --> 00:28:27,860 I'd like to find a website real quick that would let me - 578 00:28:27,860 --> 00:28:29,110 maybe the CS50 store. 
579 00:28:29,110 --> 00:28:43,890 580 00:28:43,890 --> 00:28:45,711 >> Wow, this is going to take way too long. 581 00:28:45,711 --> 00:28:53,090 582 00:28:53,090 --> 00:28:55,130 I'll have to let the first test not finish properly. 583 00:28:55,130 --> 00:28:57,330 So it's complaining. 584 00:28:57,330 --> 00:28:58,470 So these are three things. 585 00:28:58,470 --> 00:29:00,430 These tools are free. 586 00:29:00,430 --> 00:29:03,960 You can download them and run them on your website, and it will tell you if 587 00:29:03,960 --> 00:29:06,650 you have cross-site scripting, if you have SQL, if you have 588 00:29:06,650 --> 00:29:07,900 something like that. 589 00:29:07,900 --> 00:29:12,230 590 00:29:12,230 --> 00:29:14,500 I'm kind of messing up. 591 00:29:14,500 --> 00:29:15,550 >> What's important - 592 00:29:15,550 --> 00:29:17,900 OK, so never trust the user. 593 00:29:17,900 --> 00:29:21,920 Whatever the user inputs to you, make sure to sanitize it, clean it, 594 00:29:21,920 --> 00:29:25,300 check for the right things, that it's giving you what 595 00:29:25,300 --> 00:29:28,240 you want it to give you. 596 00:29:28,240 --> 00:29:32,460 Always be updated on what frameworks you're actually using. 597 00:29:32,460 --> 00:29:34,630 If you use something like Bootstrap - 598 00:29:34,630 --> 00:29:36,340 I know you guys are going to use Bootstrap because he's going 599 00:29:36,340 --> 00:29:38,140 over this soon in class - 600 00:29:38,140 --> 00:29:43,120 and WordPress or something like that, usually this can be hacked. 601 00:29:43,120 --> 00:29:44,770 >> And then you don't even know. 602 00:29:44,770 --> 00:29:45,800 You're just running your website. 603 00:29:45,800 --> 00:29:47,360 And it's completely secure. 604 00:29:47,360 --> 00:29:51,730 And it goes down. 605 00:29:51,730 --> 00:29:54,000 So I'm finishing really early. 606 00:29:54,000 --> 00:29:55,770 But I want to thank Pentest Labs. 
607 00:29:55,770 --> 00:29:58,140 I'm going to show you guys something called Pentest Labs. 608 00:29:58,140 --> 00:30:05,000 If you guys are really interested in what security really is, there's 609 00:30:05,000 --> 00:30:07,300 a website called Pentest Labs, if you guys go to it right now. 610 00:30:07,300 --> 00:30:10,730 Oh, well, that's not it. 611 00:30:10,730 --> 00:30:12,030 I'm just going to run it like this. 612 00:30:12,030 --> 00:30:14,400 Google tells me the answer. 613 00:30:14,400 --> 00:30:16,590 >> OK. 614 00:30:16,590 --> 00:30:19,030 And it teaches you - so it says, learn web penetration 615 00:30:19,030 --> 00:30:21,060 testing the right way. 616 00:30:21,060 --> 00:30:23,650 It teaches - 617 00:30:23,650 --> 00:30:25,150 hopefully, you're an ethical person. 618 00:30:25,150 --> 00:30:29,200 But it teaches us how you can look at how you can get into a website. 619 00:30:29,200 --> 00:30:31,130 And if you learn how you can get into websites, you can learn how to 620 00:30:31,130 --> 00:30:34,960 protect yourself from people getting into your websites. 621 00:30:34,960 --> 00:30:39,100 Let me zoom in because maybe you guys can't see this right. 622 00:30:39,100 --> 00:30:46,350 >> From SQL injection to shell, so kind of how I can get from SQL 623 00:30:46,350 --> 00:30:48,530 injection to a shell. 624 00:30:48,530 --> 00:30:53,890 And you download this virtual machine. 625 00:30:53,890 --> 00:30:55,690 And the virtual machine already comes with the website that you're 626 00:30:55,690 --> 00:30:56,780 going to test on. 627 00:30:56,780 --> 00:30:58,030 Download this PDF. 628 00:30:58,030 --> 00:31:03,610 629 00:31:03,610 --> 00:31:08,370 And it will show you line by line what you have to do, what to look at. 630 00:31:08,370 --> 00:31:14,560 This is what an attacker actually does to get into a website. 631 00:31:14,560 --> 00:31:15,750 >> And some of this stuff is hard. 
632 00:31:15,750 --> 00:31:17,520 I would have liked to go over more things with you guys. 633 00:31:17,520 --> 00:31:21,090 But I worry that you guys don't really - 634 00:31:21,090 --> 00:31:23,090 this is what I went over with you guys, web tests 635 00:31:23,090 --> 00:31:26,830 for penetration testing. 636 00:31:26,830 --> 00:31:33,540 You don't really know what SQL is and what - 637 00:31:33,540 --> 00:31:35,960 Carl Jackson's seminar is amazing too. 638 00:31:35,960 --> 00:31:37,360 You guys don't know kind of what this is. 639 00:31:37,360 --> 00:31:39,450 But if you go to this website, and download these tutorials and these 640 00:31:39,450 --> 00:31:43,290 PDFs, you can look at kind of what the security field actually does 641 00:31:43,290 --> 00:31:46,940 in penetration testing, see how you can get into a website and protect 642 00:31:46,940 --> 00:31:48,020 yourself from it. 643 00:31:48,020 --> 00:31:56,360 >> So if I do a super quick summary, it would be: prevent cross-site scripting. 644 00:31:56,360 --> 00:32:00,160 You want to use htmlspecialchars every time the user inputs something. 645 00:32:00,160 --> 00:32:01,580 Prevent SQL injection. 646 00:32:01,580 --> 00:32:04,510 If you do that, you're already much better than Harvard was when 647 00:32:04,510 --> 00:32:06,530 they got hacked. 648 00:32:06,530 --> 00:32:10,510 And make sure your passwords aren't in plain text. 649 00:32:10,510 --> 00:32:16,220 Make sure you don't just one-way hash them but that you use crypt, the PHP 650 00:32:16,220 --> 00:32:18,670 function that I showed you guys. 651 00:32:18,670 --> 00:32:20,060 That way, you should be good. 652 00:32:20,060 --> 00:32:25,830 >> Also, if your friend lets you, run SQL Inject Me on their website. 653 00:32:25,830 --> 00:32:28,140 Run cross-site scripting on their website. 654 00:32:28,140 --> 00:32:33,720 And you'll see a lot of these websites have tons of vulnerabilities. 
655 00:32:33,720 --> 00:32:40,400 It's amazing how many people forget to sanitize their database or make 656 00:32:40,400 --> 00:32:46,340 sure that what someone is inputting isn't script code. 657 00:32:46,340 --> 00:32:47,200 OK. 658 00:32:47,200 --> 00:32:49,182 I kind of finished really early. 659 00:32:49,182 --> 00:32:56,510 But if anyone has any questions about anything, you can shoot me a question. 660 00:32:56,510 --> 00:32:56,630 Yeah. 661 00:32:56,630 --> 00:32:56,970 Go, go. 662 00:32:56,970 --> 00:32:59,846 >> AUDIENCE: I just wanted to ask, can you explain how the file 663 00:32:59,846 --> 00:33:03,160 upload works exactly. 664 00:33:03,160 --> 00:33:03,480 >> LUCIANO Arango: Yeah. 665 00:33:03,480 --> 00:33:06,350 So let me show the file upload real quick. 666 00:33:06,350 --> 00:33:11,300 So file upload - 667 00:33:11,300 --> 00:33:14,500 the problem with the file upload right now is that - 668 00:33:14,500 --> 00:33:18,541 I'm going to open the code so you guys can see the code behind the scenes. 669 00:33:18,541 --> 00:33:22,390 670 00:33:22,390 --> 00:33:24,305 And it's upload. 671 00:33:24,305 --> 00:33:28,030 672 00:33:28,030 --> 00:33:31,560 Here's the code for the file uploader. 673 00:33:31,560 --> 00:33:33,980 >> We're trying to go into this directory over here. 674 00:33:33,980 --> 00:33:37,380 675 00:33:37,380 --> 00:33:44,880 And we're trying, once we input the file, isset file - so when there's 676 00:33:44,880 --> 00:33:50,900 a file in FILES, that image, then we try to move it here. 677 00:33:50,900 --> 00:33:51,910 We grab the file over here. 678 00:33:51,910 --> 00:33:58,350 The method is POST, type, image, file. 679 00:33:58,350 --> 00:33:59,630 And we're sending this file. 680 00:33:59,630 --> 00:34:03,910 And then once we get it, so once the file has the image, we're trying to send it 681 00:34:03,910 --> 00:34:05,060 to this directory. 
682 00:34:05,060 --> 00:34:09,814 >> The problem is that the website isn't letting me go to this directory, 683 00:34:09,814 --> 00:34:12,239 because it doesn't want me to go back. 684 00:34:12,239 --> 00:34:13,489 It doesn't want me to go - 685 00:34:13,489 --> 00:34:15,620 686 00:34:15,620 --> 00:34:17,070 I go - so here's upload. 687 00:34:17,070 --> 00:34:17,639 Here's images. 688 00:34:17,639 --> 00:34:21,780 I have to go all the way back to the beginning and put it in there and then 689 00:34:21,780 --> 00:34:23,820 go and put it in the directory. 690 00:34:23,820 --> 00:34:30,000 So if I were running a terminal window, and I wanted to move the file - 691 00:34:30,000 --> 00:34:30,409 [INAUDIBLE] 692 00:34:30,409 --> 00:34:32,159 you can see. 693 00:34:32,159 --> 00:34:37,940 If I wanted to move the file, I have to put the file name and then 694 00:34:37,940 --> 00:34:40,860 the full path I want to send it to. 695 00:34:40,860 --> 00:34:45,110 >> And then the server isn't letting me go back. 696 00:34:45,110 --> 00:34:46,929 And so it's not letting me get to that file. 697 00:34:46,929 --> 00:34:47,670 But normally - 698 00:34:47,670 --> 00:34:49,360 so there's code for putting the file. 699 00:34:49,360 --> 00:34:52,260 So normally what would happen is that someone doesn't check if my file 700 00:34:52,260 --> 00:34:57,920 ends with .jpeg, so I want to check. 701 00:34:57,920 --> 00:35:00,054 Let me open example two real quick too. 702 00:35:00,054 --> 00:35:07,766 703 00:35:07,766 --> 00:35:08,260 >> OK. 704 00:35:08,260 --> 00:35:09,230 Right here - 705 00:35:09,230 --> 00:35:11,980 so example two checks if preg_match - 706 00:35:11,980 --> 00:35:14,180 here it is up here - 707 00:35:14,180 --> 00:35:19,660 checking whether it ends with PHP, which is good. 708 00:35:19,660 --> 00:35:20,580 This is good. 709 00:35:20,580 --> 00:35:22,820 But there's a really big problem with this. 710 00:35:22,820 --> 00:35:24,600 This is good. 
711 00:35:24,600 --> 00:35:44,190 But if I were to put in a file called myfavoritepicture.php.jpeg, I can 712 00:35:44,190 --> 00:35:50,060 still potentially get rid of the jpeg and run it. That PHP is dangerous. 713 00:35:50,060 --> 00:35:53,850 You don't want someone to be able to run code on your website. 714 00:35:53,850 --> 00:35:55,750 >> But at that point the .jpeg lets it pass. 715 00:35:55,750 --> 00:36:00,720 The idea is what you really want to do is not take files, A. But, OK, what 716 00:36:00,720 --> 00:36:07,500 you really want to do is make sure that you read over the whole thing. 717 00:36:07,500 --> 00:36:08,720 And there's no .php in it. 718 00:36:08,720 --> 00:36:10,500 No .php in the whole file name. 719 00:36:10,500 --> 00:36:12,780 >> AUDIENCE: But you can put .jpeg at the end. 720 00:36:12,780 --> 00:36:15,830 The server still runs the code. 721 00:36:15,830 --> 00:36:16,870 >> LUCIANO Arango: No, it doesn't run at first. 722 00:36:16,870 --> 00:36:22,310 You have to go back and try to see if you can - 723 00:36:22,310 --> 00:36:24,210 >> AUDIENCE: So we have - 724 00:36:24,210 --> 00:36:26,020 OK, just put another one that involves - 725 00:36:26,020 --> 00:36:26,936 >> LUCIANO Arango: Yeah. 726 00:36:26,936 --> 00:36:29,230 >> AUDIENCE: OK. 727 00:36:29,230 --> 00:36:31,486 >> LUCIANO Arango: Yeah. 728 00:36:31,486 --> 00:36:31,900 OK. 729 00:36:31,900 --> 00:36:32,865 Any other questions? 730 00:36:32,865 --> 00:36:33,180 OK. 731 00:36:33,180 --> 00:36:37,350 I'm going to leave it up and kind of try to see if you guys can - 732 00:36:37,350 --> 00:36:40,490 those other ones are a little more complicated because they require a lot 733 00:36:40,490 --> 00:36:44,050 more knowledge of SQL than just beginning knowledge of what web SQL is and 734 00:36:44,050 --> 00:36:47,010 what JavaScript is. 
735 00:36:47,010 --> 00:36:49,730 But I'm going to try to keep this up, and hopefully you guys learn 736 00:36:49,730 --> 00:36:53,230 about this and try to take a peek at what you can do and how many examples 737 00:36:53,230 --> 00:36:54,420 you can get through. 738 00:36:54,420 --> 00:36:56,020 >> Does anyone have any other questions about that? 739 00:36:56,020 --> 00:36:59,387 740 00:36:59,387 --> 00:37:00,350 Go ahead. 741 00:37:00,350 --> 00:37:01,170 Yeah, shoot, shoot. 742 00:37:01,170 --> 00:37:01,580 Yeah, go ahead. 743 00:37:01,580 --> 00:37:01,850 Go ahead. 744 00:37:01,850 --> 00:37:02,310 >> AUDIENCE: OK. 745 00:37:02,310 --> 00:37:08,870 So, I heard about how magic quotes aren't secure enough. 746 00:37:08,870 --> 00:37:09,280 >> LUCIANO Arango: What - 747 00:37:09,280 --> 00:37:10,110 magic quotes? 748 00:37:10,110 --> 00:37:10,595 >> AUDIENCE: Yeah. 749 00:37:10,595 --> 00:37:15,445 So it adds - so when you input something, it always adds quotes. 750 00:37:15,445 --> 00:37:15,930 >> LUCIANO Arango: Yeah. 751 00:37:15,930 --> 00:37:16,000 Yeah. 752 00:37:16,000 --> 00:37:16,496 OK. 753 00:37:16,496 --> 00:37:19,113 >> AUDIENCE: And then I thought that worked, but then I searched it up. 754 00:37:19,113 --> 00:37:21,648 And it said it's not good. 755 00:37:21,648 --> 00:37:23,050 But I'm not sure why. 756 00:37:23,050 --> 00:37:23,360 >> LUCIANO Arango: Yeah. 757 00:37:23,360 --> 00:37:26,240 >> AUDIENCE: Don't use magic quotes, because it's not secure. 758 00:37:26,240 --> 00:37:26,360 >> LUCIANO Arango: OK. 759 00:37:26,360 --> 00:37:31,735 So magic quotes is when you insert SQL and it already adds the quote for you. 760 00:37:31,735 --> 00:37:33,520 >> AUDIENCE: It always adds quotes around whatever you put in. 761 00:37:33,520 --> 00:37:34,210 >> LUCIANO Arango: Yeah. 
762 00:37:34,210 --> 00:37:37,190 So the problem with that is that - 763 00:37:37,190 --> 00:37:38,445 I'll have to look - 764 00:37:38,445 --> 00:37:41,390 >> AUDIENCE: How do you get the SQL statement? 765 00:37:41,390 --> 00:37:44,690 Or I guess it could be like a select in quotes. 766 00:37:44,690 --> 00:37:49,030 >> LUCIANO Arango: Yeah, you need good quotes for SQL. 767 00:37:49,030 --> 00:37:52,900 >> AUDIENCE: No, but the server does that for you. 768 00:37:52,900 --> 00:37:54,460 >> LUCIANO Arango: These little quotes right here, these little quotes? 769 00:37:54,460 --> 00:37:55,670 >> AUDIENCE: Yeah. 770 00:37:55,670 --> 00:37:56,450 >> LUCIANO Arango: Yeah. 771 00:37:56,450 --> 00:37:59,860 The problem is that you can comment out the end - 772 00:37:59,860 --> 00:38:05,770 OK, so what I can do is I comment out - let's look - let me 773 00:38:05,770 --> 00:38:07,920 open a text edit file. 774 00:38:07,920 --> 00:38:09,610 I'll just edit this right here directly. 775 00:38:09,610 --> 00:38:19,510 776 00:38:19,510 --> 00:38:20,400 OK. 777 00:38:20,400 --> 00:38:23,710 Can you guys see that clearly? 778 00:38:23,710 --> 00:38:29,730 What I can do is I comment out the end. 779 00:38:29,730 --> 00:38:32,190 This comments out the last one. 780 00:38:32,190 --> 00:38:36,760 And then I'll put one here, put all the malicious stuff here. 781 00:38:36,760 --> 00:38:39,840 782 00:38:39,840 --> 00:38:42,630 >> So the user is actually inputting, right? 783 00:38:42,630 --> 00:38:45,230 The user isn't inputting things, right? 784 00:38:45,230 --> 00:38:47,430 This is what I would input if I were someone trying to get in. 785 00:38:47,430 --> 00:38:49,430 I'm going to put in - 786 00:38:49,430 --> 00:38:59,290 787 00:38:59,290 --> 00:39:00,180 that's a single quotation mark. 788 00:39:00,180 --> 00:39:01,760 It's just squiggly by mistake. 
789 00:39:01,760 --> 00:39:15,080 790 00:39:15,080 --> 00:39:19,400 And then what the code is going to do - 791 00:39:19,400 --> 00:39:20,190 sorry, I'm going to take this out. 792 00:39:20,190 --> 00:39:22,170 What the code is going to do is it's going to add the first 793 00:39:22,170 --> 00:39:24,030 quotation mark here. 794 00:39:24,030 --> 00:39:26,040 And it's going to add the last quotation mark too. 795 00:39:26,040 --> 00:39:29,350 796 00:39:29,350 --> 00:39:33,270 >> And it's also going to add the last, last quotation mark. 797 00:39:33,270 --> 00:39:37,380 But I've commented this quotation mark out, so it doesn't run. 798 00:39:37,380 --> 00:39:41,440 And I'm finishing this quotation mark over here. 799 00:39:41,440 --> 00:39:42,290 Do you understand? 800 00:39:42,290 --> 00:39:43,750 Are you lost? 801 00:39:43,750 --> 00:39:45,880 I comment out the last quotation mark, and take care of 802 00:39:45,880 --> 00:39:46,680 the first quotation mark. 803 00:39:46,680 --> 00:39:47,350 >> AUDIENCE: And just finish the first one. 804 00:39:47,350 --> 00:39:47,480 >> LUCIANO Arango: Yeah. 805 00:39:47,480 --> 00:39:48,400 And just finish the first one. 806 00:39:48,400 --> 00:39:48,790 Yeah, that's right. 807 00:39:48,790 --> 00:39:50,800 That's what I can do. 808 00:39:50,800 --> 00:39:51,890 Yeah. 809 00:39:51,890 --> 00:39:52,980 Any other questions like that? 810 00:39:52,980 --> 00:39:54,230 That's a great question. 811 00:39:54,230 --> 00:39:56,960 812 00:39:56,960 --> 00:39:59,790 No, yes, maybe. 813 00:39:59,790 --> 00:40:06,150 Hopefully, it will kind of make more sense to you guys when you learn SQL and 814 00:40:06,150 --> 00:40:06,650 things like that. 815 00:40:06,650 --> 00:40:07,980 But make sure - 816 00:40:07,980 --> 00:40:10,340 keep those tools in mind. 817 00:40:10,340 --> 00:40:12,760 Sorry, those tools over here. 818 00:40:12,760 --> 00:40:14,200 Those tools are great. 
819 00:40:14,200 --> 00:40:17,190 If anyone has any questions, you can also email me. 820 00:40:17,190 --> 00:40:19,020 This is my regular email. 821 00:40:19,020 --> 00:40:25,015 And this is my work email, which is from when I work at SEAS. 822 00:40:25,015 --> 00:40:26,040 >> OK, thanks. 823 00:40:26,040 --> 00:40:26,740 Thanks, guys. 824 00:40:26,740 --> 00:40:27,860 You're good to go. 825 00:40:27,860 --> 00:40:28,830 You don't have to stay here. 826 00:40:28,830 --> 00:40:29,570 Don't clap. 827 00:40:29,570 --> 00:40:30,170 That's weird. 828 00:40:30,170 --> 00:40:31,420 OK, thanks, guys. 829 00:40:31,420 --> 00:40:32,320