2012-04-05 64 views
0

我有一個變量,我需要在插入到我的數據庫之前刪除sybols,任何想法如何將mysql_real_escape_string()函數添加到我現有的代碼?如何讓我的變量對數據庫插入安全?

表格頁面

此頁面是顯示數據庫內容的基本html表單。

<?php 
$query = sprintf("SELECT * FROM sitecontent WHERE ID = $_GET[id]"); 
$result = mysql_query($query) or die (mysql_error()); 
$post = mysql_fetch_array($result); 

    ?> 

     <form action="editp.php" method="POST" name="editform"> 
    <label for="pName" style="padding:10px; ">Post Title</label> 
    <input type="text" name="pName" style=" width:550px;border:#000099; margin:10px;" value="<?php echo $post['Post_Title']; ?>"/> 
    <label for="pCategory" style="padding:10px; ">Category</label> 
    <input type="text" name="pCategory" style=" width:50px;border:#000099; margin:10px;" value="<?php echo $post['Post_Year']; ?>"/> 
    <label for="pItem" style="padding:10px;">Item Type</label> 
    <select name="pItem" style="border:#000099; margin:10px;"> 
    <option value="1">News</option> 
    <option value="2">Review</option> 
</select> 
<label for="pName" style="padding:10px;">Article ID</label> 
     <input type="text" name="pID" style="border:#000099; margin:10px;" value="<?php echo $post['ID']; ?>"/> 
    <label for="pName" style="padding:10px;">Post Date</label> 
    <input type="text" name="pDate" style="border:#000099; margin:10px;" value="<?php echo $post['Date']; ?>"> 
    <label for="pName" style="padding:10px;">Post Author</label> 
<input type="text" name="pAuthor" style="border:#000099; margin:10px;" value="<?php echo $post['Post_Author']; ?>"/> 
    <label for="pName" style="padding:10px;">Home Page</label> 
    <select name="Page" style="border:#000099; margin:10px;"> 
    <option value="0">None</option> 
    <option value="1">Home</option> 
</select> 
<label for="pPriority" style="padding:10px;">Home Priority</label> 
    <select name="pPriority" style="border:#000099; margin:10px;"> 
<option value="0">None</option> 
    <option value="1">1</option> 
    <option value="2">2</option> 
    <option value="3">3</option> 
    <option value="4">4</option> 
    </select> 
    <label for="pName" style="padding:10px;">Post Content</label> 
    <textarea style="width:550px; height:200px;border:#000099; margin:10px;" type="text" name="pContent" id="pContent" value="<?php echo $post['Post_Content']; ?>"><?php echo $post['Post_Content']; ?></textarea> 
    <span id="btnStrong" style=" padding: 2px 8px;background-color:#C00;font-family:'Trebuchet MS', Arial, Helvetica, sans-serif; color:#FFF; cursor:pointer;">Bold</span> &nbsp; <span id="btnItalic" style=" padding: 2px 8px; background-color:#C00;font-family:'Trebuchet MS', Arial, Helvetica, sans-serif; color:#FFF; cursor:pointer;">Italic</span> 
    <label for="pImage_Name" style="padding:10px;">Image Name</label> 
    <input type="text" name="pImage_Name" style="border:#000099; margin:10px; width:550px;" value="<?php echo $post['Image_Name']; ?>"/> 
    <label for="pApproval" style="padding:10px;">Approval</label> 
    <select name="pApproval" style="border:#000099; margin:10px;"> 
    <option value="0">Pending</option> 
    <option value="1">Approved</option> 
    </select> 
    <input type="hidden" name="id" value="<?php echo $_GET['id']; ?>"/> 
    <span style="margin-left:10px;">Please check the changes above before submitting</span>    <br/> 
    <input type="submit" name="go" value="Submit Changes" style=" padding: 2px 8px;background-color:#C00; color:#FFF; margin:10px;"/> 
    </form> 

    <?php 
$updateq = "UPDATE sitecontent WHERE ID = '$_POST[id]'"; 
    ?> 

更新頁面

這是把從形式到數據庫中的內容頁面。

<?php 
include'includes/connection.php'; 
$pName = $_POST['pName']; 
$pItem = $_POST['pItem']; 
$pCategory = $_POST['pCategory']; 
$pDate = $_POST['pDate']; 
$pAuthor = $_POST['pAuthor']; 
$pContent = $_POST['pContent']; 
$Page = $_POST['Page']; 
$id = $_POST['id']; 
$pApproval = $_POST['pApproval']; 
$pPriority = $_POST['pPriority']; 
$pImage_Name = $_POST['pImage_Name']; 

$updateq = "UPDATE sitecontent SET ID = '$pID', Post_Title = '$pName', Post_Year =  '$pCategory', Date = '$pDate', Post_Author = '$pAuthor', Post_Content = '$pContent', Page =  '$Page', Post_Approval = '$pApproval', Priority = '$pPriority', Image_Name = '$pImage_Name'  WHERE ID = '$_POST[id]'"; 

$result = mysql_query($updateq) or die (mysql_error()); 
header("Location:admin.php"); 

?> 
+0

過濾所有別忘了它們輸出到瀏覽器,以防止跨站腳本 – 2012-04-05 13:15:20

+2

使用PDO或mysqli的預處理語句之前也清理你的變量。 .. – 2012-04-05 13:18:21

+0

dafuq我剛纔看過 – 2012-04-05 13:22:52

回答

5

對於字符串只是說:

$pName = mysql_real_escape_string($_POST['pName']); 

對於整數:

$id = intval($_POST['id']); 

這是所有有給它;只是做了所有的變量

編輯
不管怎麼說,我建議你在使用代替PDO,更好的方式來防止SQL注入!

+1

如果'轉義'是爲了XSS安全,那麼請不要這樣做!相反,使用SQL的準備好的語句和佔位符,並存儲沒有任何PHP級別「轉義」的文本。當您將其打印回瀏覽器時,請使用htmlentities($ text) – 2012-04-05 13:32:33

+0

本節中的答案組合非常好,非常感謝。 – huddds 2012-04-05 13:48:30

+0

約定@ David-SkyMesh – Bono 2012-04-05 13:50:36

1

哎唷!不要這樣做!

$updateq = "UPDATE sitecontent SET ID = '$pID', ... WHERE ID = '$_POST[id]'"; 

$result = mysql_query($updateq) or die (mysql_error()); 

如果我發佈這個?

id=1%37%3B%20delete%20from%20sitecontent%20where%20%37%37%3D%37 

這將使您的查詢看起來像:

$updateq = "UPDATE sitecontent SET ID = '$pID', ... WHERE ID = '1'; delete from sitecontent where ''=''"; 

這就是所謂的SQL注入。請使用數據庫查詢佔位符!

即使數據庫驅動程序不允許每個查詢使用多個語句,仍然可以更改某個elses記錄!

+0

什麼是佔位符?也是這個網站是在密碼保護的密碼加密。所以只有密碼和用戶名持有者才能訪問這些頁面。 – huddds 2012-04-05 13:26:01

+0

好的,你想讓你的一個用戶改變他人的內容嗎? – 2012-04-05 13:27:45

+0

請閱讀以下有關佔位符的信息:http://php.net/manual/en/pdo.prepared-statements.php – 2012-04-05 13:28:25

0

您也可以嘗試用一個簡單的foreach

foreach($_POST as $key => $value) 
{ 
    $value = filter_var($value, FILTER_SANITIZE_STRING); 
    $value = mysql_real_escape_string($value); 
    $_POST[$key] = $value ; 
}