1. 首頁
  2. 問答
  3. 無法消毒用戶輸入的數據

無法消毒用戶輸入的數據

2012-06-07 41 views
0

我有一個腳本可以讓藝術家編輯他們的個人資料。有一件事證明是一個問題。我無法如何清理用戶輸入的內容。每當一個'被放入數據不顯示,因爲它削減了PHP短。無法消毒用戶輸入的數據

這裏是我的生物形式:

username = $_SESSION['username']; 
    $pass = $_SESSION['password']; 
    include ("../database.php"); 
    $result = mysql_query("SELECT * FROM members WHERE username='$username' AND  password='$pass' AND artist='Y'"); 

while($row = mysql_fetch_array($result)){ 

     echo '<div id="artistsbio"><form action="phpscripts/artistupdate.php" method="post"> 
     <textarea name="bio" rows="10" cols="80" name="bio" value="'. $row['bio']. '" class="bio">'. $row['bio']. '</textarea><br> 
     <div id="probwarn"><t1>Everything is still in the beta stage so there are bound to be a few problems. If you spot one please <a href="mailto:[email protected]"><b>tell us about it.</b></a></t1></div> 

     </div>';

這裏是腳本上傳到數據庫;

$username = $_SESSION['username']; 
    $pass = $_SESSION['password']; 

    $artistname = $_POST['artistname']; 
    $bio = $_POST['bio']; 




include ("../database.php"); 
mysql_query("UPDATE members SET bio='$bio', artistname ='$artistname' 
WHERE username='$username' AND password='$pass' AND artist='Y'"); 

$artisturl = mysql_query("SELECT * FROM members 
WHERE username='$username' AND password='$pass' AND artist='Y'"); 

while($row = mysql_fetch_array($artisturl)){ 
if (isset($_POST['submit'])) {header("location:../artists/artist.php? artist=".$row['artistname']."");} 
} 

} 
else echo'<p1>You must be an artist to use these features.</p1>';

是的,我知道我需要升級到mysqli,我知道我需要使用預處理語句。首先需要對此進行分類。

來源

2012-06-07 Jacob Windsor

+2

如果你移動到準備好的語句,那麼你不會_have_解決這種令人沮喪的cruft ... – sarnold

回答

0

如果你將要使用在SQL查詢的用戶輸入,它需要進行消毒。 下面是一個簡單的例子。

$username = mysql_real_escape_string($_SESSION['username']); 
$pass = mysql_real_escape_string($_SESSION['password']); 
$artistname = mysql_real_escape_string($_POST['artistname']); 
$bio = mysql_real_escape_string($_POST['bio']); 

include ("../database.php"); 
mysql_query("UPDATE members SET bio='$bio', artistname ='$artistname' 
WHERE username='$username' AND password='$pass' AND artist='Y'");

來源

2012-06-07 11:08:54

0

任何輸入到數據庫之前,只是調用:

mysql_real_escape_string($YOUR_POSSIBLY_QUOTED_STRING);

來源

2012-06-07 01:03:51

相關問題

 相關問題