2012-06-16 89 views
-2

我有這個論壇的另一個問題。一切都很好,只是不張貼HTML。論壇不顯示來自mysql的HTML

當我發佈沒有任何html的線程時,它顯示在線程視圖上,但是如果我發佈html,bold等東西,它根本不會顯示。

繼承人的後處理文件

<?php 

include "connect.php"; //connection string 

if(isset($_POST['submit'])) 

{ 

    $name=$_POST['name']; 

    $yourpost=$_POST['yourpost']; 

    $subject=$_POST['subject']; 

    if(strlen($name)<1) 

    { 

     print "You did not type in a name."; //no name entered 

    } 

    else if(strlen($yourpost)<1) 

    { 

     print "You did not type in a post."; //no post entered 

    } 

    else if(strlen($subject)<1) 

    { 

     print "You did not enter a subject."; //no subject entered 

    } 

    else 

    { 

     $thedate=date("U"); //get unix timestamp 

     $displaytime=date("F j, Y, g:i a"); 

     //we now strip HTML injections 

     $subject=strip_tags($subject); 

     $name=strip_tags($name); 

     $yourpost=strip_tags($yourpost); 

     $insertpost="INSERT INTO forumtutorial_posts(author,title,post,showtime,realtime,lastposter) values('$name','$subject','$yourpost','$displaytime','$thedate','$name')"; 

     mysql_query($insertpost) or die("Could not insert post"); //insert post 

     print "Message posted, go back to <A href='index.php'>Forum</a>."; 

    } 



} 

else 

{ 

    print "<form action='post.php' method='post'>"; 

    print '<input type="hidden" name="name" value="' . $_SESSION[usr_name] . '" size="20"><br>'; 

    print "Topic title:<br>"; 

    print "<input type='text' name='subject' size='20'><br>"; 

    print "Your message:<br>"; 

    print "<textarea name='yourpost' rows='5' cols='40' id='new_thread'></textarea><br>"; 

    print "<input type='submit' name='submit' value='submit'></form>"; 



} 

?> 
<script language="JavaScript"> 
    generate_wysiwyg('new_thread'); 
</script> 

這裏是線程視圖

<?php 

include "connect.php"; //mysql db connection here 

$id=$_GET['id']; 

$gettopic="SELECT * from forumtutorial_posts where postid='$id'"; 

$gettopic2=mysql_query($gettopic) or die("Could not get topic"); 

$gettopic3=mysql_fetch_array($gettopic2); 

print "<div id='left'>"; 

print "<div id='navi-body'>"; 

print "<a href='index.php'>Back to main forum</a> <a href='post.php'>New Topic</a> <A href='reply.php?id=$id'>Reply</a>"; 

print "</div>"; 

print "<div class='content'>"; 

print "<div class='content-header yellow'>$gettopic3[title]</div>"; 

print "<div class='content-mid'>"; 

$message=strip_tags($gettopic3['post']); 

$message=nl2br($message); 

print "$message"; 

print "<br /><br />"; 

print "Posted by: $gettopic3[author] Created at: $gettopic3[showtime]"; 

print "</div>"; 

print "<div class='content-footer'></div>"; 

print "</div>"; 

$getreplies="Select * from forumtutorial_posts where parentid='$id' order by postid desc"; //getting replies 

$getreplies2=mysql_query($getreplies) or die("Could not get replies"); 

while($getreplies3=mysql_fetch_array($getreplies2)) 

{ 

    print "<div class='content'>"; 

    print "<div class='content-header yellow'>$getreplies3[author] replied at $getreplies3[showtime]</div>"; 

    print "<div class='content-mid'>"; 

    $message=strip_tags($getreplies3['post']); 

    $message=nl2br($message); 

    print "$message"; 

    print "</div>"; 

    print "<div class='content-footer'></div>"; 

    print "</div>"; 

} 

print " "; 



?> 

我想讓它顯示HTML和非HTML。

+0

請顯示正在發佈的內容以及返回的內容的示例 - 無論是在MySQL中,還是在PHP中。 –

+0

嗨Blowski,在MySQL的「職位」位是空白的,但其他一切正確填寫。 – NickkN

+0

我希望這只是虛擬代碼,因爲您現在的輸入是完全不安全的。你應該仔細研究PDO。 –

回答

1

..但你有strip_tags()函數那裏從字符串(後)條紋任何HTML或PHP標籤。

$message=strip_tags($getreplies3['post']); 

您可能想要使用此函數的第二部分,併爲您希望允許的那些標記添加一些額外的參數。 (如粗體,斜體等)

$message_with_some_html = strip_tags($getreplies3['post'], '<strong><em>'); 

我希望我是正確的,請檢查PHP文件... :)

你也可能要消毒$ _ POST變量使用客戶端輸入之前用htmlentities()和一些正則表達式語句來過濾掉可能的攻擊

+0

Milan我想要允許所有的HTML。是否有幫助我理解的教程?S – NickkN

+0

嗨;您可能想爲您的客戶端實現類似tinyMCE的輸入(http://www.tinymce.com /),並檢查這個帖子的一些很好的建議如何過濾一些額外的規範。字符。 :http://stackoverflow.com/questions/1225472/validation-detected-dangerous-client-input-post-from-tinymce-in-asp-net – Milan

+0

你能更具體的如何使用您的網頁? – Milan