標題基本概括起來。我建立了一個小博客,但我甚至不能在我的文章中發佈鏈接!我能做什麼?我試過htmlentities()
,htmlspecialchars()
,real_escape_string()
,基本上每種逃生方式都有。我使用PHP 5.3和MySQL 5.1安全地保存和顯示mysql數據庫中的HTML和特殊字符?
這裏是我的代碼的博客保存到數據庫:
function check_input($data, $problem='')
{
$data = trim($data);
$data = stripslashes($data);
$data = htmlentities($data);
if ($problem && strlen($data) == 0)
{
die($problem);
}
return $data;
}
if(isset($_POST['addBlog'])) { //form submitted?
// get form values, escape them and apply the check_input function
$title = $link->real_escape_string($_POST['title']);
$category = $link->real_escape_string(check_input($_POST['category'], "You must choose a category."));
$content = $link->real_escape_string(check_input($_POST['blogContent'], "You can't publish a blog with no blog... dumbass."));
$date = $link->real_escape_string(check_input($_POST['pub_date'], "What day is it foo?"));
// our sql query
$sql = $link->prepare("INSERT INTO pub_blogs (title, date, category, content) VALUES (?, ?, ?, ?)");
$sql->bind_param('ssss', $title, $date, $category, $content);
//save the blog
#mysqli_query($link, $sql) or die("Error in Query: " . mysqli_error($link));
$sql->execute();
if (!$sql)
{
print "<p> Your Blog Was NOT Saved. </p>";
}
}
,這裏是我的代碼,以顯示博客:
// Grab the data from our people table
$result = mysqli_query($link, "SELECT * FROM pub_blogs ORDER BY date DESC") or die ("Could not access DB: " . mysqli_error($link));
while ($row = mysqli_fetch_assoc($result))
{
$id = $link->real_escape_string($row['id']);
$title = $link->real_escape_string($row['title']);
$date = $link->real_escape_string($row['date']);
$category = $link->real_escape_string($row['category']);
$content = $link->real_escape_string($row['content']);
$id = stripslashes($id);
$title = stripslashes($title);
$date = stripslashes($date);
$category = stripslashes($category);
$content = stripslashes($content);
echo "<div class='blog_entry_container'>";
echo "<span class='entry_date'><a href='#'>" .$date. "</a> - </span><span class='blog_title'><a class='blogTitleLink' href='blog-view.php?id=" .$id. "'>" .$title. "</a></span>";
echo "<p>" .$content. "</p>";
echo "</div>";
}
您正在使用mysqli預準備語句,** AND ** real_escape_string,這意味着您基本上雙重轉義了您在該查詢中使用的每個字段。準備好的陳述中佔位符的重點在於你所做的** NOT **需要做任何轉義。數據庫爲你做 –
我知道這一點,我想我已經認爲安全性越高越好:/ –
除了額外的工作來取消檢索數據後額外的轉義層外,你什麼也得不到。即使是一個可怕的惡意注入數據庫的廢話數據是完全安全的,如果你可以安全地進入數據庫。例如一層逃逸進去,然後它是無害的。 –