2012-06-16 57 views
-2

I have another question about this forum. Everything works fine, except that it does not post HTML. The forum does not display HTML coming from MySQL.

When I post a thread without any HTML it shows up in the thread view, but if I post HTML, bold text and so on, it does not show up at all.

Here's the post-processing file:

<?php
include "connect.php"; //connection string (the session used by $_SESSION below is assumed to be started there)

if(isset($_POST['submit']))
{
    $name=$_POST['name'];
    $yourpost=$_POST['yourpost'];
    $subject=$_POST['subject'];
    if(strlen($name)<1)
    {
        print "You did not type in a name."; //no name entered
    }
    else if(strlen($yourpost)<1)
    {
        print "You did not type in a post."; //no post entered
    }
    else if(strlen($subject)<1)
    {
        print "You did not enter a subject."; //no subject entered
    }
    else
    {
        $thedate=date("U"); //get unix timestamp
        $displaytime=date("F j, Y, g:i a");
        //we now strip HTML injections
        $subject=strip_tags($subject);
        $name=strip_tags($name);
        $yourpost=strip_tags($yourpost);
        //note: the values are placed into the SQL string without any escaping
        $insertpost="INSERT INTO forumtutorial_posts(author,title,post,showtime,realtime,lastposter) values('$name','$subject','$yourpost','$displaytime','$thedate','$name')";
        mysql_query($insertpost) or die("Could not insert post"); //insert post
        print "Message posted, go back to <A href='index.php'>Forum</a>.";
    }
}
else
{
    print "<form action='post.php' method='post'>";
    print '<input type="hidden" name="name" value="' . $_SESSION['usr_name'] . '" size="20"><br>';
    print "Topic title:<br>";
    print "<input type='text' name='subject' size='20'><br>";
    print "Your message:<br>";
    print "<textarea name='yourpost' rows='5' cols='40' id='new_thread'></textarea><br>";
    print "<input type='submit' name='submit' value='submit'></form>";
}
?>
<script language="JavaScript">
    generate_wysiwyg('new_thread');
</script>

Here is the thread view:

<?php
include "connect.php"; //mysql db connection here

$id=$_GET['id']; //note: used in the queries below without any escaping
$gettopic="SELECT * from forumtutorial_posts where postid='$id'";
$gettopic2=mysql_query($gettopic) or die("Could not get topic");
$gettopic3=mysql_fetch_array($gettopic2);

print "<div id='left'>";
print "<div id='navi-body'>";
print "<a href='index.php'>Back to main forum</a> <a href='post.php'>New Topic</a> <A href='reply.php?id=$id'>Reply</a>";
print "</div>";
print "<div class='content'>";
print "<div class='content-header yellow'>$gettopic3[title]</div>";
print "<div class='content-mid'>";
$message=strip_tags($gettopic3['post']); //removes every tag from the stored post before it is displayed
$message=nl2br($message);
print "$message";
print "<br /><br />";
print "Posted by: $gettopic3[author] Created at: $gettopic3[showtime]";
print "</div>";
print "<div class='content-footer'></div>";
print "</div>";

$getreplies="Select * from forumtutorial_posts where parentid='$id' order by postid desc"; //getting replies
$getreplies2=mysql_query($getreplies) or die("Could not get replies");
while($getreplies3=mysql_fetch_array($getreplies2))
{
    print "<div class='content'>";
    print "<div class='content-header yellow'>$getreplies3[author] replied at $getreplies3[showtime]</div>";
    print "<div class='content-mid'>";
    $message=strip_tags($getreplies3['post']); //same tag removal for each reply
    $message=nl2br($message);
    print "$message";
    print "</div>";
    print "<div class='content-footer'></div>";
    print "</div>";
}
print " ";
?>

I want it to display both HTML and non-HTML posts.

+0

Please show an example of what is being posted and what comes back, both in MySQL and in PHP. –

+0

Hi Blowski, the "post" field in MySQL is blank, but everything else is filled in correctly. – NickkN

+0

I hope this is just dummy code, because your input handling as it stands is completely insecure. You should take a careful look at PDO. –

Answer

1

..but you have the strip_tags() function there, which strips any HTML or PHP tags from the string (the post).

$message=strip_tags($getreplies3['post']); 

You may want to use the second parameter of this function and add the tags you wish to allow (such as bold, italic, etc.).

$message_with_some_html = strip_tags($getreplies3['post'], '<strong><em>'); 

I hope I have this right, please check the PHP documentation... :)

You may also want to sanitize the $_POST variables before using the client input, with htmlentities() and some regex statements to filter out possible attacks.
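As an added example (not code from the question or from Milan's answer), here is an allow-list sanitizer for the stored post that goes one step further than strip_tags() with an allowed-tags list: strip_tags() keeps every attribute on an allowed tag, so a `<strong onmouseover="...">` survives it, whereas this walks the markup with DOMDocument, keeps only the tags in $allowed, removes all their attributes, unwraps any other element to its text and drops script/style entirely. The function names, the default allow-list and the sample post are assumptions for the example.

```php
<?php
// Added example, not part of the question or the answer. sanitize_post() keeps
// only the tags listed in $allowed, drops every attribute on them, unwraps any
// other element to its text, and removes script/style elements entirely.
function sanitize_post(string $html, array $allowed = ['strong', 'em', 'b', 'i', 'p', 'br']): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate the broken markup users type
    // Wrap the fragment so libxml has a document, and declare UTF-8 explicitly.
    $doc->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body><div>' . $html . '</div></body></html>');
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0); // our wrapper div
    clean_children($root, $allowed);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child); // text nodes come back entity-encoded
    }
    return $out;
}

function clean_children(DOMNode $node, array $allowed): void
{
    // Copy the list first: we add and remove children while walking it.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                $node->removeChild($child); // their content is code, not a post
            } elseif (in_array($tag, $allowed, true)) {
                clean_children($child, $allowed);
                while ($child->hasAttributes()) { // onmouseover, style, href, ...
                    $child->removeAttributeNode($child->attributes->item(0));
                }
            } else {
                clean_children($child, $allowed);
                while ($child->firstChild) { // keep the text, lose the tag
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
            }
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments and the like
        }
    }
}
// Constructed sample post, as a reader of this thread might type it.
$post = '<strong onmouseover="alert(1)">bold</strong> <script>alert(2)</script> <a href="x">link</a> <em>ok</em>';
echo sanitize_post($post), "\n";
```

The same clean-up can run once on input before the INSERT or on output before printing; running it on output also covers posts that were stored before the change.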

+0

Milan, I want to allow all HTML. Is there a tutorial that would help me understand this? – NickkN

+0

Hi; you may want to implement something like tinyMCE for your client-side input (http://www.tinymce.com/), and check this post for some good suggestions on how to filter out certain special characters: http://stackoverflow.com/questions/1225472/validation-detected-dangerous-client-input-post-from-tinymce-in-asp-net – Milan

+0

Could you be more specific about how you are using your page? – Milan